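---
# Usage:
# Set these private variables in gitlab-ci environment:
#   PYPI_PASSWORD, PYPI_USER, REGISTRY_URI
#
# Pipeline flow: analysis/unit tests -> image builds -> functional tests ->
# container vulnerability scan -> publish (main branch or tag) -> cleanup.

variables:
  # PLATFORMS: linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7
  PLATFORMS: linux/amd64,linux/arm64
  IMAGE: example-api
  REGISTRY: $REGISTRY_URI/$CI_PROJECT_PATH

stages:
  - Analyze and Unit Test
  - Images
  - Functional Tests
  - Security Scan
  - Publish Packages
  - Clean

image: registry.gitlab.com/instantlinux/docker-tools/python-builder:3.11.4-r0

# Build tag shared by every job: bld_<pipeline iid>_<short sha>.
# CI_PIPELINE_IID must be braced: the shell reads `$CI_PIPELINE_IID_` as a
# variable named CI_PIPELINE_IID_ (unset, so empty), not as
# CI_PIPELINE_IID followed by "_".
before_script:
  - export TAG=bld_${CI_PIPELINE_IID}_${CI_COMMIT_SHA:0:7}

# Jobs that push to or pull from the image registry. Merging this template
# replaces the global before_script, so TAG is exported again here.
.registry_template: &registry_login
  before_script:
    - export TAG=bld_${CI_PIPELINE_IID}_${CI_COMMIT_SHA:0:7}
    # Feed the credential on stdin instead of `-p`: the job token then never
    # appears in the process list or in a `set -x` trace of the job log.
    - echo "$CI_JOB_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$REGISTRY_URI"
  services:
    - docker:dind

.create_image_template: &create_image
  script: make create_image

analysis:
  stage: Analyze and Unit Test
  script:
    - set -e
    - make analysis
    - XARGS=--runslow make test
  artifacts:
    paths:
      - apicrud/htmlcov/
      - tests/results.xml
    reports:
      junit: tests/results.xml
  coverage: '/TOTAL.*\s(\d+)%/'

# One job per image. The two anchors contribute disjoint keys
# (before_script/services vs. script), so a single merge-key list is
# equivalent to two `<<:` entries while avoiding a duplicate key, which
# yamllint flags and some parsers reject.
api:
  stage: Images
  <<: [*registry_login, *create_image]

worker:
  stage: Images
  <<: [*registry_login, *create_image]

test:
  stage: Functional Tests
  script: make test_functional

security_scan_trivy:
  stage: Security Scan
  services:
    - docker:dind
  image:
    # TODO(review): pin the scanner to a released version or digest instead
    # of `latest` so scan results are reproducible and the scanner itself
    # is not an unpinned supply-chain input.
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    GIT_STRATEGY: none
    TRIVY_CACHE_DIR: .trivycache/
    TRIVY_DEBUG: "true"
    # Non-zero exit fails the job when findings at TRIVY_SEVERITY exist.
    TRIVY_EXIT_CODE: "1"
    TRIVY_FORMAT: json
    TRIVY_OUTPUT: gl-container-scanning-report.json
    TRIVY_SEVERITY: HIGH,CRITICAL
    TRIVY_VULN_TYPE: os,library
  # NOTE(review): this job never logs in to the registry; if $REGISTRY needs
  # authentication, trivy must be given credentials (TRIVY_USERNAME /
  # TRIVY_PASSWORD) -- confirm against the registry setup.
  script:
    - export TAG=bld_${CI_PIPELINE_IID}_${CI_COMMIT_SHA:0:7}
    - trivy image --clear-cache
    - trivy image --download-db-only --no-progress
    # Informational pass: LOW/MEDIUM findings are listed but never fail the
    # job (--exit-code 0 overrides TRIVY_EXIT_CODE for this invocation).
    - >-
      trivy image "${REGISTRY}/${IMAGE}:${TAG}" --severity LOW,MEDIUM
      --exit-code 0 --format table --output medium-vulns.txt
    - cat medium-vulns.txt
    # Gating pass: driven entirely by the TRIVY_* variables above
    # (HIGH/CRITICAL, JSON report for GitLab, exit code 1 on findings).
    - trivy image "${REGISTRY}/${IMAGE}:${TAG}"
  cache:
    paths:
      - .trivycache
  interruptible: true
  timeout: 5m
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
    expire_in: 30 days
    paths:
      - medium-vulns.txt

promote_images:
  stage: Publish Packages
  <<: *registry_login
  script: IMAGES="api worker" make promote_images
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
    - if: $CI_COMMIT_TAG

publish_pypi:
  stage: Publish Packages
  script: make publish
  rules:
    - if: $CI_COMMIT_TAG

# Remove build-tagged images even when an earlier stage failed.
clean:
  stage: Clean
  <<: *registry_login
  script: make clean_images
  when: always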