Commit 5ad7ac34
Authored May 24, 2018 by Olivier Gonzalez
Committed by Achilleas Pipinellis, May 24, 2018
Rename container scanning job and artifact
Parent bbeeb182

Showing 2 changed files with 19 additions and 12 deletions

doc/ci/examples/container_scanning.md +14 -7
vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml +5 -5
doc/ci/examples/container_scanning.md
View file @
5ad7ac34
...
...
@@ -7,10 +7,10 @@ for Vulnerability Static Analysis for containers.
All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to
`.gitlab-ci.yml`
,
called
`
sast:container
`
:
called
`
container_scanning
`
:
```
yaml
sast:container
:
container_scanning
:
image
:
docker:stable
variables
:
DOCKER_DRIVER
:
overlay2
...
...
@@ -34,12 +34,12 @@ sast:container:
-
retries=0
-
echo "Waiting for clair daemon to start"
-
while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
-
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-
sast-container
-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} ||
true
-
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-
container-scanning
-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} ||
true
artifacts
:
paths
:
[
gl-
sast-container
-report.json
]
paths
:
[
gl-
container-scanning
-report.json
]
```
The above example will create a
`
sast:container
`
job in your CI/CD pipeline, pull
The above example will create a
`
container_scanning
`
job in your CI/CD pipeline, pull
the image from the
[
Container Registry
](
../../user/project/container_registry.md
)
(whose name is defined from the two
`CI_APPLICATION_`
variables) and scan it
for possible vulnerabilities. The report will be saved as an artifact that you
...
...
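Review bot: The renamed `clair-scanner` line in the example still ends in `|| true`, so the `container_scanning` job succeeds whether or not the scanner ran or reported anything, and the only evidence left is `gl-container-scanning-report.json`. The paragraph after the YAML block should say that this job never fails the pipeline and that findings have to be read from the artifact, and it should point out that the file given to `-r` and the file listed under `artifacts: paths` must be the same name.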
@@ -52,8 +52,15 @@ in our case its named `clair-whitelist.yml`.
TIP:
**Tip:**
Starting with
[
GitLab Ultimate
][
ee
]
10.4, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI/CD job must be named
`
sast:container
`
and the artifact path must be
`gl-
sast-container
-report.json`
.
so, the CI/CD job must be named
`
container_scanning
`
and the artifact path must be
`gl-
container-scanning
-report.json`
.
[
Learn more on container scanning results shown in merge requests
](
https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html
)
.
CAUTION:
**Caution:**
Container Scanning was previously using
`sast:container`
for job name and
`gl-sast-container-report.json`
for the artifact name. While these old names
are still maintained they have been deprecated with GitLab 11.0 and may be removed
in next major release, GitLab 12.0. You are advised to update your current
`.gitlab-ci.yml`
configuration to reflect that change.
[
ee
]:
https://about.gitlab.com/products/
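Review bot: In the Tip, the requirement that the job be named `container_scanning` and the artifact `gl-container-scanning-report.json` is still introduced with "Starting with GitLab Ultimate 10.4", while the new Caution says the old names were deprecated with GitLab 11.0, so a reader cannot tell from which version the merge request widget recognises the new names. Suggest stating in the Tip which version first accepts the new names. Wording in the Caution: add a comma after "still maintained" and write "in the next major release".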
vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml
View file @
5ad7ac34
...
...
@@ -136,7 +136,7 @@ dependency_scanning:
artifacts
:
paths
:
[
gl-dependency-scanning-report.json
]
sast:container
:
container_scanning
:
image
:
docker:stable
variables
:
DOCKER_DRIVER
:
overlay2
...
...
@@ -145,9 +145,9 @@ sast:container:
-
docker:stable-dind
script
:
-
setup_docker
-
sast_container
-
container_scanning
artifacts
:
paths
:
[
gl-
sast-container
-report.json
]
paths
:
[
gl-
container-scanning
-report.json
]
dast
:
stage
:
dast
...
...
@@ -388,7 +388,7 @@ rollout 100%:
# Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable" for Security Products
export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
function
sast_container
() {
function
container_scanning
() {
if [[ -n "$CI_REGISTRY_USER" ]]; then
echo "Logging to GitLab Container Registry with CI credentials..."
docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
...
...
@@ -406,7 +406,7 @@ rollout 100%:
retries=0
echo "Waiting for clair daemon to start"
while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-
sast-container
-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-
container-scanning
-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
}
function codeclimate() {
...
...
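Review bot: The report file name is now a literal in two places, `-r gl-container-scanning-report.json` on this line and `paths: [gl-container-scanning-report.json]` in the job at @@ -145, and because this line ends in `|| true` a mismatch between the two would not fail the job, the artifact would simply be missing. Suggest a check before the function returns that the report file exists and is non-empty, or at least a comment tying the two names together. The hyphenated artifact name next to the underscored job and function name `container_scanning` makes that kind of typo more likely.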