Commit 4dacd1a2 authored by Pierre Smeyers's avatar Pierre Smeyers
Browse files

Merge branch 'fix/tools-versions' into 'master' 

feat: display tools' versions

See merge request to-be-continuous/docker!114
parents e1318673 9fa51183

templates/gitlab-ci-docker.yml

+22 −0
Original line number Diff line number Diff line
@@ -682,6 +682,9 @@ stages: 
  before_script:

  - !reference [.docker-scripts]

  - create_kaniko_cache_dir

  - |

    log_info "Kaniko version:"

    /kaniko/executor version





.docker-dind-base:
@@ -710,6 +713,9 @@ stages: 
  before_script:

    - !reference [.docker-scripts]

    - if ! wait_for_docker_daemon; then fail "Docker-in-Docker is not enabled on this runner. Either use a Docker-in-Docker capable runner, or disable this job by setting \$DOCKER_BUILD_TOOL to a different value"; fi

    - |

      log_info "Docker version:"

      docker version



# ==================================================

# Stage: build
@@ -724,6 +730,9 @@ docker-hadolint: 
  dependencies: []

  script:

    - autoconfig_hadolint

    - |

      log_info "Hadolint version:"

      hadolint -v

    - mkdir -p -m 777 reports

    - log_info "Scanning ${DOCKER_FILE}..."

    - dockerfile_hash=$(echo "$DOCKER_FILE" | md5sum | cut -d" " -f1)
@@ -829,6 +838,9 @@ docker-buildah-build: 
          buildah_cache_args="--layers --cache-from $buildah_build_cache --cache-to $buildah_build_cache"

          log_info "Build cache enabled; CLI options: ${buildah_cache_args}"

      fi

    - |

      log_info "Buildah version:"

      buildah version

    # build and push image

    - buildah build --file "$DOCKER_FILE" --tag $DOCKER_SNAPSHOT_IMAGE $buildah_cache_args --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy" $DOCKER_METADATA $DOCKER_BUILD_ARGS "$(docker_context_path)"

    - buildah push --digestfile .img-digest.txt "$DOCKER_SNAPSHOT_IMAGE"
@@ -933,9 +945,13 @@ docker-trivy: 
    TRIVY_CACHE_DIR: ".trivycache/"

  script:

  - log_info "Scanning vulnerabilities from ${DOCKER_SNAPSHOT_IMAGE}..."

  - |

    log_info "Trivy version:"

    trivy version

  - |

    # cache cleanup is needed when scanning images with the same tags, it does not remove the database

    trivy clean --scan-cache || trivy image --clear-cache

  - |

    export TRIVY_USERNAME=${DOCKER_REGISTRY_SNAPSHOT_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}

    export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}

    basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
@@ -982,6 +998,9 @@ docker-sbom: 
    entrypoint: [""]

  script:

    - log_info "Extracting SBOM from ${DOCKER_SNAPSHOT_IMAGE}..."

    - |

      log_info "Syft version:"

      /syft version

    - mkdir -p -m 777 reports

    - basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')

    - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json
@@ -1034,6 +1053,9 @@ docker-publish: 
        log_warn "\\e[93mYou should consider distinguishing snapshot and release images as they do not differ. Skipping publish phase as image has already been created by previous job.\\e[0m"

        exit 0

      fi

    - |

      log_info "Skopeo version:"

      skopeo -v

    - BUILDTOOL_HOME=${BUILDTOOL_HOME:-$HOME}

    # 1: push main image

    - log_info "Copying ${DOCKER_SNAPSHOT_IMAGE} to ${DOCKER_RELEASE_IMAGE}..."