Merge branch 'fqin_update' into 'master' (9e56ac14) · Commits · to be continuous... / Docker

README.md

+5 −5

Original line number	Diff line number	Diff line
		@@ -65,8 +65,8 @@ The Docker template uses some global configuration used throughout all jobs.
		\| `build-tool` / `DOCKER_BUILD_TOOL` \| The build tool to use for building container image, possible values are `kaniko`, `buildah`, `dind` or `external` \| `kaniko` \|
		\| `kaniko-image` / `DOCKER_KANIKO_IMAGE` \| The image used to run `kaniko` - _for kaniko build only_ \| `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_KANIKO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_KANIKO_IMAGE)\|
		\| `buildah-image` / `DOCKER_BUILDAH_IMAGE` \| The image used to run `buildah` - _for buildah build only_ \| `quay.io/containers/aio:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_BUILDAH_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_BUILDAH_IMAGE)\|
		\| `image` / `DOCKER_IMAGE` \| The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `registry.hub.docker.com/library/docker:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_IMAGE) \|
		\| `dind-image` / `DOCKER_DIND_IMAGE` \| The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `registry.hub.docker.com/library/docker:dind`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_DIND_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_DIND_IMAGE)\|
		\| `image` / `DOCKER_IMAGE` \| The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `docker.io/library/docker:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_IMAGE) \|
		\| `dind-image` / `DOCKER_DIND_IMAGE` \| The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `docker.io/library/docker:dind`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_DIND_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_DIND_IMAGE)\|
		\| `file` / `DOCKER_FILE` \| The path to your `Dockerfile` \| `Dockerfile` \|
		\| `context-path` / `DOCKER_CONTEXT_PATH` \| The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) \| _none_ _only set if you want a context path different from the Dockerfile location_ \|

		@@ -285,7 +285,7 @@ It is bound to the `build` stage, and uses the following variables:
		\| Input / Variable \| Description \| Default value \|
		\| ------------------------------------------------ \| --------------------------------- \| --------------------------------------------------------- \|
		\| `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` \| Set to `true` to disable Hadolint \| _(none: enabled by default)_ \|
		\| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` \| The Hadolint image \| `registry.hub.docker.com/hadolint/hadolint:latest-alpine`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_HADOLINT_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_HADOLINT_IMAGE)\|
		\| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` \| The Hadolint image \| `docker.io/hadolint/hadolint:latest-alpine`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_HADOLINT_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_HADOLINT_IMAGE)\|
		\| `hadolint-args` / `DOCKER_HADOLINT_ARGS` \| Additional `hadolint` arguments \| _(none)_ \|

		In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
		@@ -430,7 +430,7 @@ It is bound to the `package-test` stage, and uses the following variables:

		\| Input / Variable \| Description \| Default value \|
		\| -------------------------------------------------------------------------- \| ---------------------------------------------------------------------------------------------------------------------- \| ------------------------------------------------------------------- \|
		\| `trivy-image` / `DOCKER_TRIVY_IMAGE` \| The docker image used to scan images with Trivy \| `registry.hub.docker.com/aquasec/trivy:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_TRIVY_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_TRIVY_IMAGE)\|
		\| `trivy-image` / `DOCKER_TRIVY_IMAGE` \| The docker image used to scan images with Trivy \| `docker.io/aquasec/trivy:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_TRIVY_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_TRIVY_IMAGE)\|
		\| `trivy-disabled` / `DOCKER_TRIVY_DISABLED` \| Set to `true` to disable Trivy analysis \| _(none)_ \|
		\| `trivy-args` / `DOCKER_TRIVY_ARGS` \| Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) \| `--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive` \|

		@@ -459,7 +459,7 @@ It is bound to the `package-test` stage, and uses the following variables:
		\| ---------------------------------------- \| --------------------------------------- \| ----------------------------------------------------------------------------------------------------------------------- \|
		\| `sbom-disabled` / `DOCKER_SBOM_DISABLED` \| Set to `true` to disable this job \| _none_ \|
		\| `TBC_SBOM_MODE` \| Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence \| `onrelease` \|
		\| `sbom-image` / `DOCKER_SBOM_IMAGE` \| The docker image used to emit SBOM \| `registry.hub.docker.com/anchore/syft:debug`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SBOM_IMAGE)\|
		\| `sbom-image` / `DOCKER_SBOM_IMAGE` \| The docker image used to emit SBOM \| `docker.io/anchore/syft:debug`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SBOM_IMAGE)\|
		\| `sbom-opts` / `DOCKER_SBOM_OPTS` \| Options for syft used for SBOM analysis \| `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file` \|

		### `docker-publish` job

kicker.json

+5 −5

Original line number	Diff line number	Diff line
		@@ -26,12 +26,12 @@
		{
		"name": "DOCKER_IMAGE",
		"description": "The image used to run the docker client\n\n_for Docker-in-Docker(dind) build only_",
		"default": "registry.hub.docker.com/library/docker:latest"
		"default": "docker.io/library/docker:latest"
		},
		{
		"name": "DOCKER_DIND_IMAGE",
		"description": "The image used to run the Docker daemon\n\n_for Docker-in-Docker(dind) build only_",
		"default": "registry.hub.docker.com/library/docker:dind"
		"default": "docker.io/library/docker:dind"
		},
		{
		"name": "DOCKER_SKOPEO_IMAGE",
		@@ -137,7 +137,7 @@
		{
		"name": "DOCKER_HADOLINT_IMAGE",
		"description": "The docker image to lint your Dockerfile with Hadolint",
		"default": "registry.hub.docker.com/hadolint/hadolint:latest-alpine"
		"default": "docker.io/hadolint/hadolint:latest-alpine"
		},
		{
		"name": "DOCKER_HADOLINT_ARGS",
		@@ -180,7 +180,7 @@
		{
		"name": "DOCKER_TRIVY_IMAGE",
		"description": "The docker image used to scan images with Trivy",
		"default": "registry.hub.docker.com/aquasec/trivy:latest",
		"default": "docker.io/aquasec/trivy:latest",
		"advanced": true
		},
		{
		@@ -207,7 +207,7 @@
		},
		{
		"name": "DOCKER_SBOM_IMAGE",
		"default": "registry.hub.docker.com/anchore/syft:debug"
		"default": "docker.io/anchore/syft:debug"
		},
		{
		"name": "DOCKER_SBOM_OPTS",

templates/gitlab-ci-docker.yml

+5 −5

Original line number	Diff line number	Diff line
		@@ -40,13 +40,13 @@ spec:
		The image used to run the docker client

		_for Docker-in-Docker(dind) build only_
		default: registry.hub.docker.com/library/docker:latest
		default: docker.io/library/docker:latest
		dind-image:
		description: \|-
		The image used to run the Docker daemon

		_for Docker-in-Docker(dind) build only_
		default: registry.hub.docker.com/library/docker:dind
		default: docker.io/library/docker:dind
		skopeo-image:
		description: The image used to publish docker image with Skopeo
		default: quay.io/containers/aio:latest
		@@ -134,7 +134,7 @@ spec:
		default: false
		hadolint-image:
		description: The docker image to lint your Dockerfile with Hadolint
		default: registry.hub.docker.com/hadolint/hadolint:latest-alpine
		default: docker.io/hadolint/hadolint:latest-alpine
		hadolint-args:
		description: Additional `hadolint` arguments
		default: ''
		@@ -158,7 +158,7 @@ spec:
		default: false
		trivy-image:
		description: The docker image used to scan images with Trivy
		default: registry.hub.docker.com/aquasec/trivy:latest
		default: docker.io/aquasec/trivy:latest
		trivy-args:
		description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)
		default: --ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive
		@@ -167,7 +167,7 @@ spec:
		type: boolean
		default: false
		sbom-image:
		default: registry.hub.docker.com/anchore/syft:debug
		default: docker.io/anchore/syft:debug
		sbom-opts:
		description: Options for syft used for SBOM analysis
		default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file

Original line number	Diff line number	Diff line
		@@ -65,8 +65,8 @@ The Docker template uses some global configuration used throughout all jobs.
		\| `build-tool` / `DOCKER_BUILD_TOOL` \| The build tool to use for building container image, possible values are `kaniko`, `buildah`, `dind` or `external` \| `kaniko` \|
		\| `kaniko-image` / `DOCKER_KANIKO_IMAGE` \| The image used to run `kaniko` - _for kaniko build only_ \| `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_KANIKO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_KANIKO_IMAGE)\|
		\| `buildah-image` / `DOCKER_BUILDAH_IMAGE` \| The image used to run `buildah` - _for buildah build only_ \| `quay.io/containers/aio:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_BUILDAH_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_BUILDAH_IMAGE)\|
		\| `image` / `DOCKER_IMAGE` \| The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `registry.hub.docker.com/library/docker:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_IMAGE) \|
		\| `dind-image` / `DOCKER_DIND_IMAGE` \| The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `registry.hub.docker.com/library/docker:dind`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_DIND_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_DIND_IMAGE)\|
		\| `image` / `DOCKER_IMAGE` \| The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `docker.io/library/docker:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_IMAGE) \|
		\| `dind-image` / `DOCKER_DIND_IMAGE` \| The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ \| `docker.io/library/docker:dind`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_DIND_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_DIND_IMAGE)\|
		\| `file` / `DOCKER_FILE` \| The path to your `Dockerfile` \| `Dockerfile` \|
		\| `context-path` / `DOCKER_CONTEXT_PATH` \| The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) \| _none_ _only set if you want a context path different from the Dockerfile location_ \|

		@@ -285,7 +285,7 @@ It is bound to the `build` stage, and uses the following variables:
		\| Input / Variable \| Description \| Default value \|
		\| ------------------------------------------------ \| --------------------------------- \| --------------------------------------------------------- \|
		\| `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` \| Set to `true` to disable Hadolint \| _(none: enabled by default)_ \|
		\| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` \| The Hadolint image \| `registry.hub.docker.com/hadolint/hadolint:latest-alpine`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_HADOLINT_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_HADOLINT_IMAGE)\|
		\| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` \| The Hadolint image \| `docker.io/hadolint/hadolint:latest-alpine`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_HADOLINT_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_HADOLINT_IMAGE)\|
		\| `hadolint-args` / `DOCKER_HADOLINT_ARGS` \| Additional `hadolint` arguments \| _(none)_ \|

		In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
		@@ -430,7 +430,7 @@ It is bound to the `package-test` stage, and uses the following variables:

		\| Input / Variable \| Description \| Default value \|
		\| -------------------------------------------------------------------------- \| ---------------------------------------------------------------------------------------------------------------------- \| ------------------------------------------------------------------- \|
		\| `trivy-image` / `DOCKER_TRIVY_IMAGE` \| The docker image used to scan images with Trivy \| `registry.hub.docker.com/aquasec/trivy:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_TRIVY_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_TRIVY_IMAGE)\|
		\| `trivy-image` / `DOCKER_TRIVY_IMAGE` \| The docker image used to scan images with Trivy \| `docker.io/aquasec/trivy:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_TRIVY_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_TRIVY_IMAGE)\|
		\| `trivy-disabled` / `DOCKER_TRIVY_DISABLED` \| Set to `true` to disable Trivy analysis \| _(none)_ \|
		\| `trivy-args` / `DOCKER_TRIVY_ARGS` \| Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) \| `--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive` \|

		@@ -459,7 +459,7 @@ It is bound to the `package-test` stage, and uses the following variables:
		\| ---------------------------------------- \| --------------------------------------- \| ----------------------------------------------------------------------------------------------------------------------- \|
		\| `sbom-disabled` / `DOCKER_SBOM_DISABLED` \| Set to `true` to disable this job \| _none_ \|
		\| `TBC_SBOM_MODE` \| Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence \| `onrelease` \|
		\| `sbom-image` / `DOCKER_SBOM_IMAGE` \| The docker image used to emit SBOM \| `registry.hub.docker.com/anchore/syft:debug`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SBOM_IMAGE)\|
		\| `sbom-image` / `DOCKER_SBOM_IMAGE` \| The docker image used to emit SBOM \| `docker.io/anchore/syft:debug`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SBOM_IMAGE)\|
		\| `sbom-opts` / `DOCKER_SBOM_OPTS` \| Options for syft used for SBOM analysis \| `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file` \|

		### `docker-publish` job