Newer
Older
"description": "Build, check and inspect your containers with [Docker](https://www.docker.com/)",
"template_path": "templates/gitlab-ci-docker.yml",
"kind": "package",
"variables": [
{
"name": "DOCKER_BUILD_TOOL",
"type": "enum",
"values": ["kaniko", "buildah", "dind"],
"description": "The build tool to use for building container image",
"default": "kaniko"
},
"description": "The image used to run kaniko\n\n_for kaniko build only_",
"default": "gcr.io/kaniko-project/executor:debug"
},
{
"name": "DOCKER_BUILDAH_IMAGE",
"description": "The image used to run buildah\n\n_for buildah build only_",
"default": "quay.io/buildah/stable:latest"
},
"description": "The image used to run the docker client\n\n_for Docker-in-Docker(dind) build only_",
"default": "registry.hub.docker.com/library/docker:latest"
"description": "The image used to run the Docker daemon\n\n_for Docker-in-Docker(dind) build only_",
"default": "registry.hub.docker.com/library/docker:dind"
"description": "The image used to publish docker image with Skopeo",
"default": "quay.io/skopeo/stable:latest"
},
{
"name": "DOCKER_FILE",
"description": "The path to your `Dockerfile`",
"default": "$CI_PROJECT_DIR/Dockerfile"
},
{
"name": "DOCKER_CONTEXT_PATH",
"description": "The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) - _only set if you want a context path different from the Dockerfile location_",
"advanced": true
},
{
"name": "DOCKER_CONFIG_FILE",
"description": "Path to the [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#sample-configuration-file) (JSON)",
"default": ".docker/config.json",
"advanced": true
},
{
"name": "DOCKER_SNAPSHOT_IMAGE",
"description": "Docker snapshot image",
"default": "$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG"
},
{
"name": "DOCKER_RELEASE_IMAGE",
"description": "Docker release image",
"default": "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME"
},
{
"name": "DOCKER_RELEASE_EXTRA_TAGS_PATTERN",
"description": "Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups)\n\nDefaults to [SemVer](https://semver.org/) pattern.",
"default": "^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$",
"advanced": true
},
{
"name": "DOCKER_RELEASE_EXTRA_TAGS",
"description": "Defines extra tags to publish the _release_ image\n\nSupports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` (ex: `latest \\g<major>.\\g<minor> \\g<major>`)",
"advanced": true
},
"description": "Additional docker/kaniko/buildah build arguments"
{
"name": "DOCKER_METADATA",
"description": "Additional metadata to set as labels",
"default": "--label org.opencontainers.image.url=${CI_PROJECT_URL} --label org.opencontainers.image.source=${CI_PROJECT_URL} --label org.opencontainers.image.title=${CI_PROJECT_PATH} --label org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME} --label org.opencontainers.image.revision=${CI_COMMIT_SHA} --label org.opencontainers.image.created=${CI_JOB_STARTED_AT}",
"advanced": true
},
{
"name": "DOCKER_PUBLISH_ARGS",
"description": "Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)"
},
{
"name": "DOCKER_PROD_PUBLISH_STRATEGY",
"description": "Defines the publish to production strategy.",
"type": "enum",
"values": ["none", "manual", "auto"],
"default": "manual"
},
{
"name": "DOCKER_SEMREL_RELEASE_DISABLED",
"description": "Disable integration with the [semantic release template](https://gitlab.com/to-be-continuous/semantic-release/)",
"type": "boolean"
},
"description": "URL of a Docker registry mirror to use instead of default `https://index.docker.io`\n\n_Used by `kaniko` and `dind` builds only_"
},
{
"name": "CONTAINER_REGISTRIES_CONFIG_FILE",
"description": "The [registries.conf](https://www.redhat.com/sysadmin/manage-container-registries) configuration to be used\n\n_Used by the `buildah` build only_",
"advanced": true
},
{
"name": "KANIKO_SNAPSHOT_IMAGE_CACHE",
"description": "Snapshot image repository that will be used to store cached layers.\n\n_Used by the `kaniko` build only_",
"default": "${DOCKER_SNAPSHOT_IMAGE%:*}/cache",
"advanced": true
},
{
"name": "DOCKER_BUILD_CACHE_DISABLED",
"description": "Set to `true` to disable the build cache.",
"type": "boolean",
"advanced": true
}
],
"features": [
{
"id": "hadolint",
"name": "Hadolint",
"description": "This job performs a [Lint](https://github.com/hadolint/hadolint) on your `Dockerfile`.",
"disable_with": "DOCKER_HADOLINT_DISABLED",
"variables": [
{
"name": "DOCKER_HADOLINT_IMAGE",
"description": "The docker image to lint your Dockerfile with Hadolint",
"default": "registry.hub.docker.com/hadolint/hadolint:latest-alpine"
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
},
{
"name": "DOCKER_HADOLINT_ARGS",
"description": "Additional `hadolint` arguments",
"advanced": true
}
]
},
{
"id": "healthcheck",
"name": "Health Check",
"description": "[Health Check](https://docs.docker.com/engine/reference/builder/#healthcheck) image analysis",
"disable_with": "DOCKER_HEALTHCHECK_DISABLED",
"variables": [
{
"name": "DOCKER_HEALTHCHECK_TIMEOUT",
"type": "number",
"description": "When testing an image, how long (in seconds) wait for the HealthCheck status",
"default": "60",
"advanced": true
},
{
"name": "DOCKER_HEALTHCHECK_OPTIONS",
"description": "Docker options for health check such as port mapping, environment...",
"advanced": true
},
{
"name": "DOCKER_HEALTHCHECK_CONTAINER_ARGS",
"description": "Arguments sent to the running container for health check",
"advanced": true
}
]
},
{
"id": "trivy",
"name": "Trivy",
"description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis",
"disable_with": "DOCKER_TRIVY_DISABLED",
"variables": [
{
"name": "DOCKER_TRIVY_IMAGE",
"description": "The docker image used to scan images with Trivy",
"default": "registry.hub.docker.com/aquasec/trivy:latest",
"advanced": true
},
{
"name": "DOCKER_TRIVY_ADDR",
"type": "url",
"description": "The Trivy server address"
},
{
"name": "DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD",
"type": "enum",
"values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"],
"description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
"default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
},
{
"name": "DOCKER_TRIVY_ARGS",
"description": "Additional `trivy client` arguments",
"default": "--ignore-unfixed --vuln-type os --exit-on-eol 1",
},
{
"id": "sbom",
"name": "Software Bill of Materials",
"description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)",
"disable_with": "DOCKER_SBOM_DISABLED",
"variables": [
{
"name": "DOCKER_SBOM_IMAGE",
"default": "registry.hub.docker.com/anchore/syft:debug"
},
{
"name": "DOCKER_SBOM_OPTS",
"description": "Options for syft used for SBOM analysis",
"default": "--catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger",
"advanced": true
}
]
],
"variants": [
{
"id": "vault",
"name": "Vault",
"description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server",
"template_path": "templates/gitlab-ci-docker-vault.yml",
"variables": [
{
"name": "TBC_VAULT_IMAGE",
"description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",
"default": "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master",
"advanced": true
},
{
"name": "VAULT_BASE_URL",
"description": "The Vault server base API url",
"mandatory": true
},
{
"name": "VAULT_OIDC_AUD",
"description": "The `aud` claim for the JWT",
"default": "$CI_SERVER_URL"
},
{
"name": "VAULT_ROLE_ID",
"description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID",
"mandatory": true,
"secret": true
},
{
"name": "VAULT_SECRET_ID",
"description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID",
"mandatory": true,
"secret": true
}
]
},
{
"id": "gcp",
"name": "Google Cloud",
"description": "Retrieves a registry authentication for the Google Cloud's [Artifact Registry](https://cloud.google.com/artifact-registry)",
"template_path": "templates/gitlab-ci-docker-gcp.yml",
"variables": [
{
"name": "TBC_GCP_PROVIDER_IMAGE",
"description": "The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use",
"default": "registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main",
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
"advanced": true
},
{
"name": "GCP_OIDC_ACCOUNT",
"description": "Default Service Account to which impersonate with OpenID Connect authentication"
},
{
"name": "GCP_OIDC_PROVIDER",
"description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
},
{
"name": "GCP_SNAPSHOT_OIDC_ACCOUNT",
"description": "Service Account to use to push the snapshot image _(only define if different from default)_",
"advanced": true
},
{
"name": "GCP_SNAPSHOT_OIDC_PROVIDER",
"description": "Workload Identity Provider to push the snapshot image _(only define if different from default)_",
"advanced": true
},
{
"name": "GCP_RELEASE_OIDC_ACCOUNT",
"description": "Service Account to use to push the release image _(only define if different from default)_",
"advanced": true
},
{
"name": "GCP_RELEASE_OIDC_PROVIDER",
"description": "Workload Identity Provider to push the release image _(only define if different from default)_",
"advanced": true
}
]
},
{
"id": "ecr",
"name": "Amazon ECR",
"description": "Retrieves a registry authentication for the Amazon's [Elastic Container Registry](https://docs.aws.amazon.com/ecr/)",
"template_path": "templates/gitlab-ci-docker-ecr.yml",
"variables": [
{
"name": "TBC_AWS_PROVIDER_IMAGE",
"description": "The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use",
"default": "registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master",
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
"advanced": true
},
{
"name": "AWS_REGION",
"description": "Default region (where the ECR registry is located)"
},
{
"name": "AWS_SNAPSHOT_REGION",
"description": "Region of the ECR registry for the snapshot image _(only define if different from default)_",
"advanced": true
},
{
"name": "AWS_RELEASE_REGION",
"description": "Region of the ECR registry for the release image _(only define if different from default)_",
"advanced": true
},
{
"name": "AWS_OIDC_AUD",
"description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
"default": "$CI_SERVER_URL",
"advanced": true
},
{
"name": "AWS_OIDC_ROLE_ARN",
"description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_"
},
{
"name": "AWS_SNAPSHOT_OIDC_ROLE_ARN",
"description": "IAM Role ARN associated with GitLab for the snapshot image _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/) and if different from default)_",
"advanced": true
},
{
"name": "AWS_RELEASE_OIDC_ROLE_ARN",
"description": "IAM Role ARN associated with GitLab for the release image _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/) and if different from default)_",
"advanced": true
},
{
"name": "AWS_ACCESS_KEY_ID",
"description": "Default access key ID (only required for basic authentication)",
"secret": true,
"advanced": true
},
{
"name": "AWS_SECRET_ACCESS_KEY",
"description": "Default secret access key (only required for basic authentication)",
"secret": true,
"advanced": true
},
{
"name": "AWS_SNAPSHOT_ACCESS_KEY_ID",
"description": "Access key ID for the snapshot image (only required for basic authentication and if different from default)",
"secret": true,
"advanced": true
},
{
"name": "AWS_SNAPSHOT_SECRET_ACCESS_KEY",
"description": "Secret access key for the snapshot image (only required for basic authentication and if different from default)",
"secret": true,
"advanced": true
},
{
"name": "AWS_RELEASE_ACCESS_KEY_ID",
"description": "Access key ID for the release image (only required for basic authentication and if different from default)",
"secret": true,
"advanced": true
},
{
"name": "AWS_RELEASE_SECRET_ACCESS_KEY",
"description": "Secret access key for the release image (only required for basic authentication and if different from default)",
"secret": true,
"advanced": true
}
]