Loading container/readme.md +10 −25 Original line number Diff line number Diff line Loading @@ -36,17 +36,12 @@ image:build:subdir_b: variables: IMAGE_CONTEXT: subdir_b syft:subdir_b: extends: .syft trivy:image:subdir_b: extends: .trivy:image variables: IMAGE_NAME: ${CI_REGISTRY_IMAGE}/subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline trivy:image:subdir_b: extends: trivy:image needs: - syft:subdir_b - image:build:subdir_b ``` ### Two Dockerfiles in two subdirectories Loading @@ -64,7 +59,7 @@ monorepo_subdir The first `Dockerfile`'s context can be set with just the variable. For every subsequent `Dockerfile`, you need to create jobs which extend `.kaniko` and `.syft`. The example below shows how. `.trivy:image`. The example below shows how. ```yaml --- Loading @@ -81,17 +76,12 @@ image:build:subdir_b: variables: IMAGE_CONTEXT: subdir_b syft:subdir_b: extends: .syft trivy:image:subdir_b: extends: .trivy:image variables: IMAGE_NAME: ${CI_REGISTRY_IMAGE}/subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline trivy:image:subdir_b: extends: trivy:image needs: - syft:subdir_b - image:build:subdir_b ``` You can have as many subdirectories and Dockerfiles as you want. They can even Loading Loading 
@@ -122,17 +112,12 @@ image:build:subdir_b: variables: IMAGE_CONTEXT: subdir_b syft:subdir_b: extends: .syft trivy:image:subdir_b: extends: .trivy:image variables: IMAGE_NAME: subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline trivy:image:subdir_b: extends: trivy:image needs: - syft:subdir_b - image:build:subdir_b ``` ## Multiple architectures Loading container/syft.ymldeleted 100644 → 0 +0 −38 Original line number Diff line number Diff line --- include: - local: security/trivy.yml variables: SYFT_REGISTRY_AUTH_AUTHORITY: ${CI_REGISTRY} SYFT_REGISTRY_AUTH_USERNAME: ${CI_REGISTRY_USER} SYFT_REGISTRY_AUTH_PASSWORD: ${CI_REGISTRY_PASSWORD} .syft: image: docker.io/alpine:3 stage: test script: - | TARGET_IMAGE=${IMAGE_NAME:-${CI_REGISTRY_IMAGE}}:${IMAGE_DEV_TAG:-${IMAGE_TAG:-latest}} echo "[*] Target image: ${TARGET_IMAGE}" - wget -qO- https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - syft packages ${TARGET_IMAGE} -o cyclonedx-json > ${CI_PROJECT_DIR}/syft.json artifacts: paths: - syft.json reports: cyclonedx: - syft.json syft: extends: .syft needs: - image:build trivy:image: extends: .trivy:sbom variables: TRIVY_TARGET: syft.json needs: - syft pipelines/container.yml +4 −1 Original line number Diff line number Diff line Loading @@ -4,7 +4,7 @@ include: - local: container/kaniko.yml - local: container/buildah.yml - local: container/docker.yml - local: container/syft.yml - local: security/trivy.yml # set the project container dev image to the image for all jobs without a job-level default image image: Loading 
@@ -12,4 +12,7 @@ image: entrypoint: [""] trivy:image: extends: .trivy:image needs: - image:build allow_failure: true security/trivy.yml +8 −0 Original line number Diff line number Diff line --- variables: TRIVY_SEVERITIES: HIGH,CRITICAL # comma-separated list of severities to fail on (LOW,MEDIUM,HIGH,CRITICAL) TRIVY_USERNAME: ${CI_REGISTRY} # Needed for images only TRIVY_PASSWORD: ${CI_REGISTRY_USER} # Needed for images only .trivy: image: Loading @@ -10,6 +12,12 @@ variables: .trivy:image: extends: .trivy script: - | if [ -z $TRIVY_TARGET ]; then TRIVY_TARGET=${IMAGE_NAME:-${CI_REGISTRY_IMAGE}}:${IMAGE_DEV_TAG:-${IMAGE_TAG:-latest}} fi - > echo "[*] Target image: ${TRIVY_TARGET}" - trivy image $TRIVY_IMAGE_ARGS $TRIVY_TARGET --output ${CI_PROJECT_DIR}/trivy.txt - cat ${CI_PROJECT_DIR}/trivy.txt Loading tests/jobs/container.yml +1 −1 Original line number Diff line number Diff line Loading @@ -5,5 +5,5 @@ include: variables: IMAGE_CONTEXT: tests/mockup_projects/container/polyrepo syft: trivy:image: allow_failure: false Loading
container/readme.md +10 −25 Original line number Diff line number Diff line Loading @@ -36,17 +36,12 @@ image:build:subdir_b: variables: IMAGE_CONTEXT: subdir_b syft:subdir_b: extends: .syft trivy:image:subdir_b: extends: .trivy:image variables: IMAGE_NAME: ${CI_REGISTRY_IMAGE}/subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline trivy:image:subdir_b: extends: trivy:image needs: - syft:subdir_b - image:build:subdir_b ``` ### Two Dockerfiles in two subdirectories Loading @@ -64,7 +59,7 @@ monorepo_subdir The first `Dockerfile`'s context can be set with just the variable. For every subsequent `Dockerfile`, you need to create jobs which extend `.kaniko` and `.syft`. The example below shows how. `.trivy:image`. The example below shows how. ```yaml --- Loading @@ -81,17 +76,12 @@ image:build:subdir_b: variables: IMAGE_CONTEXT: subdir_b syft:subdir_b: extends: .syft trivy:image:subdir_b: extends: .trivy:image variables: IMAGE_NAME: ${CI_REGISTRY_IMAGE}/subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline trivy:image:subdir_b: extends: trivy:image needs: - syft:subdir_b - image:build:subdir_b ``` You can have as many subdirectories and Dockerfiles as you want. They can even Loading Loading @@ -122,17 +112,12 @@ image:build:subdir_b: variables: IMAGE_CONTEXT: subdir_b syft:subdir_b: extends: .syft trivy:image:subdir_b: extends: .trivy:image variables: IMAGE_NAME: subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline trivy:image:subdir_b: extends: trivy:image needs: - syft:subdir_b - image:build:subdir_b ``` ## Multiple architectures Loading
container/syft.ymldeleted 100644 → 0 +0 −38 Original line number Diff line number Diff line --- include: - local: security/trivy.yml variables: SYFT_REGISTRY_AUTH_AUTHORITY: ${CI_REGISTRY} SYFT_REGISTRY_AUTH_USERNAME: ${CI_REGISTRY_USER} SYFT_REGISTRY_AUTH_PASSWORD: ${CI_REGISTRY_PASSWORD} .syft: image: docker.io/alpine:3 stage: test script: - | TARGET_IMAGE=${IMAGE_NAME:-${CI_REGISTRY_IMAGE}}:${IMAGE_DEV_TAG:-${IMAGE_TAG:-latest}} echo "[*] Target image: ${TARGET_IMAGE}" - wget -qO- https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - syft packages ${TARGET_IMAGE} -o cyclonedx-json > ${CI_PROJECT_DIR}/syft.json artifacts: paths: - syft.json reports: cyclonedx: - syft.json syft: extends: .syft needs: - image:build trivy:image: extends: .trivy:sbom variables: TRIVY_TARGET: syft.json needs: - syft
pipelines/container.yml +4 −1 Original line number Diff line number Diff line Loading @@ -4,7 +4,7 @@ include: - local: container/kaniko.yml - local: container/buildah.yml - local: container/docker.yml - local: container/syft.yml - local: security/trivy.yml # set the project container dev image to the image for all jobs without a job-level default image image: Loading @@ -12,4 +12,7 @@ image: entrypoint: [""] trivy:image: extends: .trivy:image needs: - image:build allow_failure: true
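Review bot: The new `trivy:image` job defaults to `allow_failure: true`, but nothing visible in the `.trivy:image` script (security/trivy.yml, same commit) passes `--exit-code` or `TRIVY_SEVERITIES` to `trivy image`, so whether a scan can ever fail the job depends on `TRIVY_IMAGE_ARGS` or the hidden part of `.trivy`. Readers of this pipeline cannot tell whether the scan is meant to be a gate or advisory; a one-line comment on the job would settle it, e.g. `# Advisory by default: override allow_failure to false (as tests/jobs/container.yml does) to gate on findings`. If the intent is that TRIVY_SEVERITIES makes the scan fail, confirm the flag is actually wired in the `.trivy` body, which lies outside this hunk.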
security/trivy.yml +8 −0 Original line number Diff line number Diff line --- variables: TRIVY_SEVERITIES: HIGH,CRITICAL # comma-separated list of severities to fail on (LOW,MEDIUM,HIGH,CRITICAL) TRIVY_USERNAME: ${CI_REGISTRY} # Needed for images only TRIVY_PASSWORD: ${CI_REGISTRY_USER} # Needed for images only .trivy: image: Loading @@ -10,6 +12,12 @@ variables: .trivy:image: extends: .trivy script: - | if [ -z $TRIVY_TARGET ]; then TRIVY_TARGET=${IMAGE_NAME:-${CI_REGISTRY_IMAGE}}:${IMAGE_DEV_TAG:-${IMAGE_TAG:-latest}} fi - > echo "[*] Target image: ${TRIVY_TARGET}" - trivy image $TRIVY_IMAGE_ARGS $TRIVY_TARGET --output ${CI_PROJECT_DIR}/trivy.txt - cat ${CI_PROJECT_DIR}/trivy.txt Loading
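Review bot: The two added registry variables are shifted by one field: `TRIVY_USERNAME` is set to `${CI_REGISTRY}` (the registry host) and `TRIVY_PASSWORD` to `${CI_REGISTRY_USER}` (the username), so image pulls from an authenticated registry will fail and the job token never reaches trivy; the deleted container/syft.yml mapped these correctly (authority, user, password). The lines should read `TRIVY_USERNAME: ${CI_REGISTRY_USER}  # Needed for images only` and `TRIVY_PASSWORD: ${CI_REGISTRY_PASSWORD}  # Needed for images only`. In the second hunk the empty-check `if [ -z $TRIVY_TARGET ]; then` relies on an unquoted expansion and should be `if [ -z "$TRIVY_TARGET" ]; then`, and `$TRIVY_TARGET` in the `trivy image` invocation should likewise be quoted so a target containing spaces does not split into extra arguments. The `.trivy` job that the first hunk touches continues outside the hunk.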
tests/jobs/container.yml +1 −1 Original line number Diff line number Diff line Loading @@ -5,5 +5,5 @@ include: variables: IMAGE_CONTEXT: tests/mockup_projects/container/polyrepo syft: trivy:image: allow_failure: false