Merge branch 'feat/tbc-default-for-global-dependencies' into 'main' (32c5319b) · Commits · to be continuous... / Docker

README.md

+10 −10

Original line number	Diff line number	Diff line
		@@ -70,10 +70,10 @@ The Docker template uses some global configuration used throughout all jobs.
		\| Input / Variable \| Description \| Default value \|
		\| ---------------------------------------- \| ---------------------------------------------------------------------------------------------------------------------------------------------- \| ----------------------------------------------------------------------------------- \|
		\| `build-tool` / `DOCKER_BUILD_TOOL` \| The build tool to use for building container image, possible values are `kaniko`, `buildah`, `dind`, `external` or `default` \| `default` uses `$TBC_DEFAULT_DOCKER_BUILD_TOOL` value (`buildah` by default) \|
		\| `kaniko-image` / `DOCKER_KANIKO_IMAGE` \| The image used to run `kaniko` - _for kaniko build only_ \| `registry.gitlab.com/to-be-continuous/tools/kaniko:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_KANIKO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_KANIKO_IMAGE)\|
		\| `buildah-image` / `DOCKER_BUILDAH_IMAGE` \| The image used to run `buildah` - _for buildah build only_ \| `quay.io/containers/buildah:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_BUILDAH_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_BUILDAH_IMAGE)\|
		\| `image` / `DOCKER_IMAGE` \| The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `docker.io/library/docker:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_IMAGE) \|
		\| `dind-image` / `DOCKER_DIND_IMAGE` \| The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `docker.io/library/docker:dind`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_DIND_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_DIND_IMAGE)\|
		\| `kaniko-image` / `DOCKER_KANIKO_IMAGE` \| The image used to run `kaniko` - _for kaniko build only_ \| `registry.gitlab.com/to-be-continuous/tools/kaniko:latest` (from `$TBC_DEFAULT_DOCKER_KANIKO_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_KANIKO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_KANIKO_IMAGE)\|
		\| `buildah-image` / `DOCKER_BUILDAH_IMAGE` \| The image used to run `buildah` - _for buildah build only_ \| `quay.io/containers/buildah:latest` (from `$TBC_DEFAULT_DOCKER_BUILDAH_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_BUILDAH_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_BUILDAH_IMAGE)\|
		\| `image` / `DOCKER_IMAGE` \| The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `docker.io/library/docker:latest` (from `$TBC_DEFAULT_DOCKER_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_IMAGE) \|
		\| `dind-image` / `DOCKER_DIND_IMAGE` \| The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `docker.io/library/docker:dind` (from `$TBC_DEFAULT_DOCKER_DIND_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_DIND_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_DIND_IMAGE)\|
		\| `file` / `DOCKER_FILE` \| The path to your `Dockerfile` \| `Dockerfile` \|
		\| `context-path` / `DOCKER_CONTEXT_PATH` \| The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) \| _none_ _only set if you want a context path different from the Dockerfile location_ \|
		\| `artifacts-namespace` / `DOCKER_ARTIFACTS_NAMESPACE` \| Output artifacts namespace _(only required when deploying [multiple environments](#multiple-environments-support))_ \| _none_ \|
		@@ -258,7 +258,7 @@ The signing process can be configured with the following variables:
		\| `cosign-attest-opts` / `DOCKER_COSIGN_ATTEST_OPTS` \| Options for [`cosign attest`](https://docs.sigstore.dev/cosign/verifying/attestation/) command
		\| `--tlog-upload=false` \|
		\| `cosign-annotations` / `DOCKER_COSIGN_ANNOTATIONS` \| Additional annotations to add to the signature \| GitLab build provenance data \|
		\| `cosign-dist-url` / `DOCKER_COSIGN_DIST_URL` \| Url to the `linux-amd64` binary of Cosign to use (ex: `https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64`)<br/>_When unset, the latest version will be used_ \| _none_ \|
		\| `cosign-dist-url` / `DOCKER_COSIGN_DIST_URL` \| Url to the `linux-amd64` binary of Cosign to use (ex: `https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64`)<br/>_When unset, the latest version will be used_ \| _none_ (from `$TBC_DEFAULT_DOCKER_COSIGN_DIST_URL`) \|
		\| :lock: `DOCKER_COSIGN_PRIVATE_KEY` \| Private key used for signing the Docker image and the attestation \| _none_ \|
		\| :lock: `COSIGN_PASSWORD` \| Password of the private key \| _none_ \|

		@@ -327,7 +327,7 @@ It is bound to the `build` stage, and uses the following variables:
		\| Input / Variable \| Description \| Default value \|
		\| ------------------------------------------------ \| --------------------------------- \| --------------------------------------------------------- \|
		\| `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` \| Set to `true` to disable Hadolint \| _(none: enabled by default)_ \|
		\| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` \| The Hadolint image \| `docker.io/hadolint/hadolint:latest-alpine`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_HADOLINT_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_HADOLINT_IMAGE)\|
		\| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` \| The Hadolint image \| `docker.io/hadolint/hadolint:latest-alpine` (from `$TBC_DEFAULT_DOCKER_HADOLINT_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_HADOLINT_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_HADOLINT_IMAGE)\|
		\| `hadolint-args` / `DOCKER_HADOLINT_ARGS` \| Additional `hadolint` arguments \| _(none)_ \|

		In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
		@@ -482,7 +482,7 @@ It is bound to the `package-test` stage, and uses the following variables:

		\| Input / Variable \| Description \| Default value \|
		\| -------------------------------------------------------------------------- \| ---------------------------------------------------------------------------------------------------------------------- \| ------------------------------------------------------------------- \|
		\| `trivy-image` / `DOCKER_TRIVY_IMAGE` \| The docker image used to scan images with Trivy \| `docker.io/aquasec/trivy:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_TRIVY_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_TRIVY_IMAGE)\|
		\| `trivy-image` / `DOCKER_TRIVY_IMAGE` \| The docker image used to scan images with Trivy \| `docker.io/aquasec/trivy:latest` (from `$TBC_DEFAULT_DOCKER_TRIVY_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_TRIVY_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_TRIVY_IMAGE)\|
		\| `trivy-disabled` / `DOCKER_TRIVY_DISABLED` \| Set to `true` to disable Trivy analysis \| _(none)_ \|
		\| `trivy-args` / `DOCKER_TRIVY_ARGS` \| Additional [`trivy image` options](https://trivy.dev/docs/latest/references/configuration/cli/trivy_image/#options) \| `--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive --disable-telemetry --skip-version-check` \|

		@@ -514,7 +514,7 @@ It is bound to the `package-test` stage, and uses the following variables:
		\| ---------------------------------------- \| --------------------------------------- \| ----------------------------------------------------------------------------------------------------------------------- \|
		\| `sbom-disabled` / `DOCKER_SBOM_DISABLED` \| Set to `true` to disable this job \| _none_ \|
		\| `TBC_SBOM_MODE` \| Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence \| `onrelease` \|
		\| `sbom-image` / `DOCKER_SBOM_IMAGE` \| The docker image used to emit SBOM \| `docker.io/anchore/syft:debug`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SBOM_IMAGE)\|
		\| `sbom-image` / `DOCKER_SBOM_IMAGE` \| The docker image used to emit SBOM \| `docker.io/anchore/syft:debug` (from `$TBC_DEFAULT_DOCKER_SBOM_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SBOM_IMAGE)\|
		\| `sbom-opts` / `DOCKER_SBOM_OPTS` \| Options for syft used for SBOM analysis \| `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file` \|

		### `docker-publish` job
		@@ -523,10 +523,10 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt

		\| Input / Variable \| Description \| Default value \|
		\| ------------------------------------------------------------------ \| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ \| --------------------------------------------------------------------------------------------------------------------------------------------------------------- \|
		\| `skopeo-image` / `DOCKER_SKOPEO_IMAGE` \| The Docker image used to run [skopeo](https://github.com/containers/skopeo) \| `quay.io/containers/skopeo:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SKOPEO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SKOPEO_IMAGE)\|
		\| `skopeo-image` / `DOCKER_SKOPEO_IMAGE` \| The Docker image used to run [skopeo](https://github.com/containers/skopeo) \| `quay.io/containers/skopeo:latest` (from `$TBC_DEFAULT_DOCKER_SKOPEO_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SKOPEO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SKOPEO_IMAGE)\|
		\| `publish-args` / `DOCKER_PUBLISH_ARGS` \| Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options) \| _(none)_ \|
		\| `prod-publish-strategy` / `DOCKER_PROD_PUBLISH_STRATEGY` \| Defines the publish to production strategy. One of `manual` (i.e. _one-click_), `auto` or `none` (disabled). \| `manual` \|
		\| `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` \| Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) \| `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ \|
		\| `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` \| Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) \| `^v?(?P<major>[0-9]+)\.(?P<minor>[0-9]+)\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\.]+)?(?P<build>\+[0-9A-Za-z-\.]+)?)$` _(SemVer pattern)_ \|
		\| `release-extra-tags` / `DOCKER_RELEASE_EXTRA_TAGS` \| Defines extra tags to publish the _release_ image (supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` - [see below](#using-extra-tags)) \| _(none)_ \|
		\| `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` \| Set to `true` to disable [semantic-release integration](#semantic-release-integration) \| _none_ (enabled) \|

kicker.json

+17 −7

Original line number	Diff line number	Diff line
		@@ -16,27 +16,32 @@
		{
		"name": "DOCKER_KANIKO_IMAGE",
		"description": "The image used to run kaniko\n\n_for kaniko build only_",
		"default": "registry.gitlab.com/to-be-continuous/tools/kaniko:latest"
		"default": "registry.gitlab.com/to-be-continuous/tools/kaniko:latest",
		"has_default": true
		},
		{
		"name": "DOCKER_BUILDAH_IMAGE",
		"description": "The image used to run buildah\n\n_for buildah build only_",
		"default": "quay.io/containers/buildah:latest"
		"default": "quay.io/containers/buildah:latest",
		"has_default": true
		},
		{
		"name": "DOCKER_IMAGE",
		"description": "The image used to run the docker client\n\n_for Docker-in-Docker(dind) build only_",
		"default": "docker.io/library/docker:latest"
		"default": "docker.io/library/docker:latest",
		"has_default": true
		},
		{
		"name": "DOCKER_DIND_IMAGE",
		"description": "The image used to run the Docker daemon\n\n_for Docker-in-Docker(dind) build only_",
		"default": "docker.io/library/docker:dind"
		"default": "docker.io/library/docker:dind",
		"has_default": true
		},
		{
		"name": "DOCKER_SKOPEO_IMAGE",
		"description": "The image used to publish docker image with Skopeo",
		"default": "quay.io/containers/skopeo:latest"
		"default": "quay.io/containers/skopeo:latest",
		"has_default": true
		},
		{
		"name": "DOCKER_FILE",
		@@ -142,7 +147,8 @@
		{
		"name": "DOCKER_HADOLINT_IMAGE",
		"description": "The docker image to lint your Dockerfile with Hadolint",
		"default": "docker.io/hadolint/hadolint:latest-alpine"
		"default": "docker.io/hadolint/hadolint:latest-alpine",
		"has_default": true
		},
		{
		"name": "DOCKER_HADOLINT_ARGS",
		@@ -186,6 +192,7 @@
		"name": "DOCKER_TRIVY_IMAGE",
		"description": "The docker image used to scan images with Trivy",
		"default": "docker.io/aquasec/trivy:latest",
		"has_default": true,
		"advanced": true
		},
		{
		@@ -212,7 +219,8 @@
		},
		{
		"name": "DOCKER_SBOM_IMAGE",
		"default": "docker.io/anchore/syft:debug"
		"default": "docker.io/anchore/syft:debug",
		"has_default": true
		},
		{
		"name": "DOCKER_SBOM_OPTS",
		@@ -255,6 +263,8 @@
		{
		"name": "DOCKER_COSIGN_DIST_URL",
		"description": "Url to the `linux-amd64` binary of Cosign to use\n\n_When unset, the latest version will be used_",
		"has_default": true,
		"example": "https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64",
		"advanced": true
		},
		{

templates/gitlab-ci-docker.yml

+19 −9

Original line number	Diff line number	Diff line
		@@ -29,28 +29,28 @@ spec:
		The image used to run kaniko

		_for kaniko build only_
		default: registry.gitlab.com/to-be-continuous/tools/kaniko:latest
		default: $TBC_DEFAULT_DOCKER_KANIKO_IMAGE
		buildah-image:
		description: \|-
		The image used to run buildah

		_for buildah build only_
		default: quay.io/containers/buildah:latest
		default: $TBC_DEFAULT_DOCKER_BUILDAH_IMAGE
		image:
		description: \|-
		The image used to run the docker client

		_for Docker-in-Docker(dind) build only_
		default: docker.io/library/docker:latest
		default: $TBC_DEFAULT_DOCKER_IMAGE
		dind-image:
		description: \|-
		The image used to run the Docker daemon

		_for Docker-in-Docker(dind) build only_
		default: docker.io/library/docker:dind
		default: $TBC_DEFAULT_DOCKER_DIND_IMAGE
		skopeo-image:
		description: The image used to publish docker image with Skopeo
		default: quay.io/containers/skopeo:latest
		default: $TBC_DEFAULT_DOCKER_SKOPEO_IMAGE
		file:
		description: The path to your `Dockerfile`
		default: Dockerfile
		@@ -138,7 +138,7 @@ spec:
		default: false
		hadolint-image:
		description: The docker image to lint your Dockerfile with Hadolint
		default: docker.io/hadolint/hadolint:latest-alpine
		default: $TBC_DEFAULT_DOCKER_HADOLINT_IMAGE
		hadolint-args:
		description: Additional `hadolint` arguments
		default: ''
		@@ -162,7 +162,7 @@ spec:
		default: false
		trivy-image:
		description: The docker image used to scan images with Trivy
		default: docker.io/aquasec/trivy:latest
		default: $TBC_DEFAULT_DOCKER_TRIVY_IMAGE
		trivy-args:
		description: Additional [`trivy image` options](https://trivy.dev/docs/latest/references/configuration/cli/trivy_image/#options)
		default: --ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive --disable-telemetry --skip-version-check
		@@ -171,7 +171,7 @@ spec:
		type: boolean
		default: false
		sbom-image:
		default: docker.io/anchore/syft:debug
		default: $TBC_DEFAULT_DOCKER_SBOM_IMAGE
		sbom-opts:
		description: Options for syft used for SBOM analysis
		default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file
		@@ -212,7 +212,7 @@ spec:
		Url to the `linux-amd64` binary of Cosign to use (ex: `https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64`)

		_When unset, the latest version will be used_
		default: ''
		default: $TBC_DEFAULT_DOCKER_COSIGN_DIST_URL
		---
		# default workflow rules: Merge Request pipelines
		.tbc-workflow-rules:
		@@ -290,6 +290,16 @@ variables:
		# Global default engine is Buildah; can be changed as a server instance variable (depending on your Runners capabilities)
		TBC_DEFAULT_DOCKER_BUILD_TOOL: buildah

		TBC_DEFAULT_DOCKER_IMAGE: docker.io/library/docker:latest
		TBC_DEFAULT_DOCKER_KANIKO_IMAGE: registry.gitlab.com/to-be-continuous/tools/kaniko:latest
		TBC_DEFAULT_DOCKER_BUILDAH_IMAGE: quay.io/containers/buildah:latest
		TBC_DEFAULT_DOCKER_DIND_IMAGE: docker.io/library/docker:dind
		TBC_DEFAULT_DOCKER_SKOPEO_IMAGE: quay.io/containers/skopeo:latest
		TBC_DEFAULT_DOCKER_HADOLINT_IMAGE: docker.io/hadolint/hadolint:latest-alpine
		TBC_DEFAULT_DOCKER_TRIVY_IMAGE: docker.io/aquasec/trivy:latest
		TBC_DEFAULT_DOCKER_SBOM_IMAGE: docker.io/anchore/syft:debug
		TBC_DEFAULT_DOCKER_COSIGN_DIST_URL: ''

		DOCKER_BUILD_TOOL: $[[ inputs.build-tool ]]

		DOCKER_HADOLINT_IMAGE: $[[ inputs.hadolint-image ]]

Original line number	Diff line number	Diff line
		@@ -70,10 +70,10 @@ The Docker template uses some global configuration used throughout all jobs.
		\| Input / Variable \| Description \| Default value \|
		\| ---------------------------------------- \| ---------------------------------------------------------------------------------------------------------------------------------------------- \| ----------------------------------------------------------------------------------- \|
		\| `build-tool` / `DOCKER_BUILD_TOOL` \| The build tool to use for building container image, possible values are `kaniko`, `buildah`, `dind`, `external` or `default` \| `default` uses `$TBC_DEFAULT_DOCKER_BUILD_TOOL` value (`buildah` by default) \|
		\| `kaniko-image` / `DOCKER_KANIKO_IMAGE` \| The image used to run `kaniko` - _for kaniko build only_ \| `registry.gitlab.com/to-be-continuous/tools/kaniko:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_KANIKO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_KANIKO_IMAGE)\|
		\| `buildah-image` / `DOCKER_BUILDAH_IMAGE` \| The image used to run `buildah` - _for buildah build only_ \| `quay.io/containers/buildah:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_BUILDAH_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_BUILDAH_IMAGE)\|
		\| `image` / `DOCKER_IMAGE` \| The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `docker.io/library/docker:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_IMAGE) \|
		\| `dind-image` / `DOCKER_DIND_IMAGE` \| The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `docker.io/library/docker:dind`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_DIND_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_DIND_IMAGE)\|
		\| `kaniko-image` / `DOCKER_KANIKO_IMAGE` \| The image used to run `kaniko` - _for kaniko build only_ \| `registry.gitlab.com/to-be-continuous/tools/kaniko:latest` (from `$TBC_DEFAULT_DOCKER_KANIKO_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_KANIKO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_KANIKO_IMAGE)\|
		\| `buildah-image` / `DOCKER_BUILDAH_IMAGE` \| The image used to run `buildah` - _for buildah build only_ \| `quay.io/containers/buildah:latest` (from `$TBC_DEFAULT_DOCKER_BUILDAH_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_BUILDAH_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_BUILDAH_IMAGE)\|
		\| `image` / `DOCKER_IMAGE` \| The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `docker.io/library/docker:latest` (from `$TBC_DEFAULT_DOCKER_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_IMAGE) \|
		\| `dind-image` / `DOCKER_DIND_IMAGE` \| The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `docker.io/library/docker:dind` (from `$TBC_DEFAULT_DOCKER_DIND_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_DIND_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_DIND_IMAGE)\|
		\| `file` / `DOCKER_FILE` \| The path to your `Dockerfile` \| `Dockerfile` \|
		\| `context-path` / `DOCKER_CONTEXT_PATH` \| The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) \| _none_ _only set if you want a context path different from the Dockerfile location_ \|
		\| `artifacts-namespace` / `DOCKER_ARTIFACTS_NAMESPACE` \| Output artifacts namespace _(only required when deploying [multiple environments](#multiple-environments-support))_ \| _none_ \|
		@@ -258,7 +258,7 @@ The signing process can be configured with the following variables:
		\| `cosign-attest-opts` / `DOCKER_COSIGN_ATTEST_OPTS` \| Options for [`cosign attest`](https://docs.sigstore.dev/cosign/verifying/attestation/) command
		\| `--tlog-upload=false` \|
		\| `cosign-annotations` / `DOCKER_COSIGN_ANNOTATIONS` \| Additional annotations to add to the signature \| GitLab build provenance data \|
		\| `cosign-dist-url` / `DOCKER_COSIGN_DIST_URL` \| Url to the `linux-amd64` binary of Cosign to use (ex: `https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64`)<br/>_When unset, the latest version will be used_ \| _none_ \|
		\| `cosign-dist-url` / `DOCKER_COSIGN_DIST_URL` \| Url to the `linux-amd64` binary of Cosign to use (ex: `https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64`)<br/>_When unset, the latest version will be used_ \| _none_ (from `$TBC_DEFAULT_DOCKER_COSIGN_DIST_URL`) \|
		\| :lock: `DOCKER_COSIGN_PRIVATE_KEY` \| Private key used for signing the Docker image and the attestation \| _none_ \|
		\| :lock: `COSIGN_PASSWORD` \| Password of the private key \| _none_ \|

		@@ -327,7 +327,7 @@ It is bound to the `build` stage, and uses the following variables:
		\| Input / Variable \| Description \| Default value \|
		\| ------------------------------------------------ \| --------------------------------- \| --------------------------------------------------------- \|
		\| `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` \| Set to `true` to disable Hadolint \| _(none: enabled by default)_ \|
		\| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` \| The Hadolint image \| `docker.io/hadolint/hadolint:latest-alpine`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_HADOLINT_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_HADOLINT_IMAGE)\|
		\| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` \| The Hadolint image \| `docker.io/hadolint/hadolint:latest-alpine` (from `$TBC_DEFAULT_DOCKER_HADOLINT_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_HADOLINT_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_HADOLINT_IMAGE)\|
		\| `hadolint-args` / `DOCKER_HADOLINT_ARGS` \| Additional `hadolint` arguments \| _(none)_ \|

		In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
		@@ -482,7 +482,7 @@ It is bound to the `package-test` stage, and uses the following variables:

		\| Input / Variable \| Description \| Default value \|
		\| -------------------------------------------------------------------------- \| ---------------------------------------------------------------------------------------------------------------------- \| ------------------------------------------------------------------- \|
		\| `trivy-image` / `DOCKER_TRIVY_IMAGE` \| The docker image used to scan images with Trivy \| `docker.io/aquasec/trivy:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_TRIVY_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_TRIVY_IMAGE)\|
		\| `trivy-image` / `DOCKER_TRIVY_IMAGE` \| The docker image used to scan images with Trivy \| `docker.io/aquasec/trivy:latest` (from `$TBC_DEFAULT_DOCKER_TRIVY_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_TRIVY_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_TRIVY_IMAGE)\|
		\| `trivy-disabled` / `DOCKER_TRIVY_DISABLED` \| Set to `true` to disable Trivy analysis \| _(none)_ \|
		\| `trivy-args` / `DOCKER_TRIVY_ARGS` \| Additional [`trivy image` options](https://trivy.dev/docs/latest/references/configuration/cli/trivy_image/#options) \| `--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive --disable-telemetry --skip-version-check` \|

		@@ -514,7 +514,7 @@ It is bound to the `package-test` stage, and uses the following variables:
		\| ---------------------------------------- \| --------------------------------------- \| ----------------------------------------------------------------------------------------------------------------------- \|
		\| `sbom-disabled` / `DOCKER_SBOM_DISABLED` \| Set to `true` to disable this job \| _none_ \|
		\| `TBC_SBOM_MODE` \| Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence \| `onrelease` \|
		\| `sbom-image` / `DOCKER_SBOM_IMAGE` \| The docker image used to emit SBOM \| `docker.io/anchore/syft:debug`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SBOM_IMAGE)\|
		\| `sbom-image` / `DOCKER_SBOM_IMAGE` \| The docker image used to emit SBOM \| `docker.io/anchore/syft:debug` (from `$TBC_DEFAULT_DOCKER_SBOM_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SBOM_IMAGE)\|
		\| `sbom-opts` / `DOCKER_SBOM_OPTS` \| Options for syft used for SBOM analysis \| `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file` \|

		### `docker-publish` job
		@@ -523,10 +523,10 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt

		\| Input / Variable \| Description \| Default value \|
		\| ------------------------------------------------------------------ \| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ \| --------------------------------------------------------------------------------------------------------------------------------------------------------------- \|
		\| `skopeo-image` / `DOCKER_SKOPEO_IMAGE` \| The Docker image used to run [skopeo](https://github.com/containers/skopeo) \| `quay.io/containers/skopeo:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SKOPEO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SKOPEO_IMAGE)\|
		\| `skopeo-image` / `DOCKER_SKOPEO_IMAGE` \| The Docker image used to run [skopeo](https://github.com/containers/skopeo) \| `quay.io/containers/skopeo:latest` (from `$TBC_DEFAULT_DOCKER_SKOPEO_IMAGE`)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SKOPEO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SKOPEO_IMAGE)\|
		\| `publish-args` / `DOCKER_PUBLISH_ARGS` \| Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options) \| _(none)_ \|
		\| `prod-publish-strategy` / `DOCKER_PROD_PUBLISH_STRATEGY` \| Defines the publish to production strategy. One of `manual` (i.e. _one-click_), `auto` or `none` (disabled). \| `manual` \|
		\| `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` \| Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) \| `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ \|
		\| `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` \| Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) \| `^v?(?P<major>[0-9]+)\.(?P<minor>[0-9]+)\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\.]+)?(?P<build>\+[0-9A-Za-z-\.]+)?)$` _(SemVer pattern)_ \|
		\| `release-extra-tags` / `DOCKER_RELEASE_EXTRA_TAGS` \| Defines extra tags to publish the _release_ image (supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` - [see below](#using-extra-tags)) \| _(none)_ \|
		\| `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` \| Set to `true` to disable [semantic-release integration](#semantic-release-integration) \| _none_ (enabled) \|