Commit 78a3403c authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch 'feat/normalize-reports' into 'master'

normalize reports

See merge request to-be-continuous/docker!46
parents fee8583f e8d505fe
+16 −2
@@ -261,7 +261,7 @@ It is bound to the `build` stage, and uses the following variables:
| Name                       | Description                            | Default value                           |
| -------------------------- | -------------------------------------- | --------------------------------------- |
| `DOCKER_HADOLINT_IMAGE`    | The Hadolint image                     | `hadolint/hadolint:latest-alpine`       |
| `DOCKER_HADOLINT_ARGS`     | Additional `hadolint` arguments        | ``                        |
| `DOCKER_HADOLINT_ARGS`     | Additional `hadolint` arguments        | _(none)_                        |

In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.

@@ -275,6 +275,13 @@ FROM ubuntu
RUN cd /tmp && echo "hello!"
```

In addition to a textual report in the console, this job produces the following reports, kept for one day:

| Report         | Format                                                                       | Usage             |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
| `reports/docker-hadolint-*.native.json`      | native hadolint test report (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#hadolint)<br/>_This report is generated only if DefectDojo template is detected_ |
| `reports/docker-hadolint-*.codeclimate.json` | hadolint (GitLab) codeclimate format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality) |

### `docker-build` job

This job builds the image and publishes it to the _snapshot_ repository.
@@ -383,6 +390,13 @@ It is bound to the `package-test` stage, and uses the following variables:
| `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis          | _(none)_ |
| `DOCKER_TRIVY_ARGS`    | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |

In addition to a textual report in the console, this job produces the following reports, kept for one day:

| Report         | Format                                                                       | Usage             |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
| `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ |
| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) |

### `docker-publish` job

This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo).
+22 −14
@@ -477,14 +477,17 @@ docker-hadolint:
  dependencies: []
  script:
    - autoconfig_hadolint
    - mkdir -p reports
    - chmod o+rwx reports
    - mkdir -p -m 777 reports
    - dockerfile_hash=$(md5sum "$DOCKER_FILE" | cut -d" " -f1)
    # Output in Code Climate format (GitLab integration)
    - hadolint --no-fail -f gitlab_codeclimate $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/hadolint-cc-${dockerfile_hash}.json"
    - hadolint --no-fail -f gitlab_codeclimate $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/docker-hadolint-${dockerfile_hash}.codeclimate.json"
    # Output in JSON format
    - hadolint --no-fail -f json $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/hadolint-json-${dockerfile_hash}.json"
    # las run with console output (with failure)
    - |
      if [[ "$DEFECTDOJO_HADOLINT_REPORTS"]]
      then
        hadolint --no-fail -f json $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/docker-hadolint-${dockerfile_hash}.native.json"
      fi
    # last run with console output (with failure)
    - hadolint $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE"
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
@@ -492,9 +495,9 @@ docker-hadolint:
    when: always
    reports:
      codequality:
        - "reports/hadolint-cc-*.json"
        - "reports/docker-hadolint-*.codeclimate.json"
    paths:
      - "reports/hadolint-*.json"
      - "reports/docker-hadolint-*"
  rules:
    # exclude if DOCKER_HADOLINT_DISABLED set
    - if: '$DOCKER_HADOLINT_DISABLED == "true"'
@@ -639,7 +642,7 @@ docker-trivy:
    trivy image --clear-cache
    export TRIVY_USERNAME=${DOCKER_REGISTRY_SNAPSHOT_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}
    export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
    export FILENAME=trivy-$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
    export basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
    mkdir -p ./reports
    if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
@@ -650,17 +653,22 @@ docker-trivy:
      export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}"
    fi
    # Add common trivy arguments
    export trivy_opts="${trivy_opts} --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} --vuln-type os ${DOCKER_TRIVY_ARGS}"
    # the first execution of Trivy should never fail, otherwise the other executions won't be run (so --exit-code=0)
    trivy ${trivy_opts} --format template --template @/contrib/junit.tpl --output ./reports/${FILENAME}.xml --exit-code 0  $DOCKER_SNAPSHOT_IMAGE
    trivy ${trivy_opts} --format json --output ./reports/${FILENAME}.json --exit-code 0 $DOCKER_SNAPSHOT_IMAGE
    export trivy_opts="${trivy_opts} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"
    # GitLab format (no fail)
    trivy ${trivy_opts} --format template --exit-code 0 --template "@contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $DOCKER_SNAPSHOT_IMAGE
    # JSON format (no fail)
    if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
    then
      trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE
    fi
    # console output (fail)
    trivy ${trivy_opts} --format table --exit-code 1 $DOCKER_SNAPSHOT_IMAGE
  artifacts:
    when: always
    paths:
    - reports/
    - "reports/docker-trivy-*"
    reports:
      junit: "reports/*.xml"
      container_scanning: "reports/docker-trivy-*.gitlab.json"
  cache:
    paths:
      - .trivycache/
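Review bot: The new conditional `if [[ "$DEFECTDOJO_HADOLINT_REPORTS"]]` in the docker-hadolint script is missing the space before `]]`, so bash tokenizes `"$DEFECTDOJO_HADOLINT_REPORTS"]]` as one word and the whole `- |` block should abort with a syntax error before the native report (or the final failing hadolint run) is reached; the trivy job's `if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]` shows the intended form. Change the line to `if [[ -n "$DEFECTDOJO_HADOLINT_REPORTS" ]]`. In the same hunk, the consolidated `mkdir -p -m 777 reports` keeps the report directory world-writable (with `-p`, `-m` only applies to the final path component and ignores the umask); if that is only needed because the hadolint image runs as an unprivileged user, `-m 1777` or running with a matching user would be tighter, though this behaviour predates the commit. The docker-hadolint job definition starts before the hunk and its `rules:` continue past it.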