diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index da8044ef3f83aaf328319a1220bc47a203aa8bd2..af4d514e89123e4cb8c6bb7ca07549d589c45766 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -18,6 +18,9 @@ include:
 - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/semantic-release/gitlab-ci-semrel@master inputs: semantic-release-job-tags: ["docker"] + - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/gitleaks/gitlab-ci-gitleaks@master + inputs: + gitleaks-job-tags: ["docker"] stages: - build
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e430afa9284a21b60dc33e3a35a7160d045cbf9b..d19e0d0fff2abfb916dda0235ed189fb0021c680 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
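Review bot: The new gitleaks include floats on a mutable ref (`gitlab-ci-gitleaks@master`), so the code of the secret-scanning job can change underneath every pipeline without any change in this repository; pinning it to a release tag or commit, `gitlab-ci-gitleaks@<pinned-tag>`, keeps the scanner reproducible and reviewable. The existing semantic-release include in the same hunk has the same shape, so either pin both or record why a floating ref is intended here. If the component scans commit history rather than only the checkout, a project-level `GIT_DEPTH` would silently narrow what it sees; worth confirming against the component's documentation.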
@@ -1,16 +1,16 @@
-## [5.10.3](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/compare/5.10.2...5.10.3) (2024-07-02) +# [5.11.0](https://gitlab.com/to-be-continuous/docker/compare/5.10.3...5.11.0) (2024-07-05) -### Bug Fixes +### Features -* **Trivy:** Trivy 0.53.0 added the clean subcommand for semantic cache management ([e3a9540](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/commit/e3a954080b1150ae35c403cffdb71ae750c9a741)) +* display tools' version ([9fa5118](https://gitlab.com/to-be-continuous/docker/commit/9fa51183755b94e02af9a3151eccc5ba9be75b15)) -## [5.10.2](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/compare/5.10.1...5.10.2) (2024-05-13) +## [5.10.3](https://gitlab.com/to-be-continuous/docker/compare/5.10.2...5.10.3) (2024-07-01) ### Bug Fixes -* **workflow:** disable MR pipeline from prod & integ branches ([6460d7b](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/commit/6460d7bba7a231ff68b163c861a4b40f37ee08bb)) +* **Trivy:** Trivy 0.53.0 added the clean subcommand for semantic cache management ([e3a9540](https://gitlab.com/to-be-continuous/docker/commit/e3a954080b1150ae35c403cffdb71ae750c9a741)) ## [5.10.2](https://gitlab.com/to-be-continuous/docker/compare/5.10.1...5.10.2) (2024-05-05)
diff --git a/README.md b/README.md
index 1a3b7e494678e4252ab146e0ff630eb7786ccb41..1740c66ea3f3fd7ee78772f0219e77d71d270b67 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ Add the following to your `gitlab-ci.yml`:
 ```yaml include: # 1: include the component - - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.10.3 + - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.10.2 # 2: set/override component inputs inputs: build-tool: buildah # ⚠ this is only an example
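Review bot: The component reference in the README usage snippet moves backwards, from `gitlab-ci-docker@5.10.3` to `gitlab-ci-docker@5.10.2`, while the templates in this same commit advertise `5.11.0` and the changelog's top entry is 5.11.0, so anyone copying the snippet pins an older version than the one being shipped. The template-style snippet in the next README.md hunk (`ref: '5.10.2'`) has the same regression. This is presumably an artifact of syncing from the upstream project; unless it is intentional, both snippets should name the version this commit releases.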
@@ -28,7 +28,7 @@ Add the following to your `gitlab-ci.yml`:
 include: # 1: include the template - project: 'to-be-continuous/docker' - ref: '5.10.3' + ref: '5.10.2' file: '/templates/gitlab-ci-docker.yml' variables:
diff --git a/templates/gitlab-ci-docker-ecr.yml b/templates/gitlab-ci-docker-ecr.yml
index 0941cb2a95947c9fbac70e72d3f59db9c72cbacf..9db80cd9a1cc7e56a9391049f8639116b5d7af11 100644
--- a/templates/gitlab-ci-docker-ecr.yml
+++ b/templates/gitlab-ci-docker-ecr.yml
@@ -45,7 +45,7 @@ variables:
 .docker-base: services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "docker", "5.10.3"] + command: ["--service", "docker", "5.11.0"] - name: "$TBC_AWS_PROVIDER_IMAGE" alias: "aws-auth-provider" id_tokens:
diff --git a/templates/gitlab-ci-docker-gcp.yml b/templates/gitlab-ci-docker-gcp.yml
index 63c78410c28fcd54dcb2ea0a9e9aa9c1eace969b..10280f80f4df9332031c58da249d71c5d596bd43 100644
--- a/templates/gitlab-ci-docker-gcp.yml
+++ b/templates/gitlab-ci-docker-gcp.yml
@@ -44,7 +44,7 @@ variables:
 .docker-base: services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "docker", "5.10.3"] + command: ["--service", "docker", "5.11.0"] - name: "$TBC_GCP_PROVIDER_IMAGE" alias: "gcp-auth-provider" variables:
diff --git a/templates/gitlab-ci-docker-vault.yml b/templates/gitlab-ci-docker-vault.yml
index 858de09ba03b2d61dd8e2c1d620f815f19ebc1bb..d79473f647548f4d5091eb5f838f4dfed7863b80 100644
--- a/templates/gitlab-ci-docker-vault.yml
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -22,7 +22,7 @@ variables:
 .docker-base: services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "docker", "5.10.3"] + command: ["--service", "docker", "5.11.0"] - name: "$TBC_VAULT_IMAGE" alias: "vault-secrets-provider" variables:
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index 1de96f65029996b8ee9769c904e8905db5289df0..f12524b8d5af5470048c1f0a3dcefd3f43ba2fc6 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -697,7 +697,7 @@ stages:
 .docker-base: services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "docker", "5.10.3"] + command: ["--service", "docker", "5.11.0"] before_script: - !reference [.docker-scripts]
@@ -715,6 +715,9 @@ stages:
 before_script: - !reference [.docker-scripts] - create_kaniko_cache_dir + - | log_info "Kaniko version:" /kaniko/executor version .docker-dind-base:
@@ -730,7 +733,7 @@ stages:
 _TRACE: "${TRACE}" services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "docker", "5.10.3"] + command: ["--service", "docker", "5.11.0"] - name: $DOCKER_DIND_IMAGE alias: docker command:
@@ -743,6 +746,9 @@ stages:
 before_script: - !reference [.docker-scripts] - if ! wait_for_docker_daemon; then fail "Docker-in-Docker is not enabled on this runner. Either use a Docker-in-Docker capable runner, or disable this job by setting \$DOCKER_BUILD_TOOL to a different value"; fi + - | log_info "Docker version:" docker version # ================================================== # Stage: build
@@ -757,7 +763,11 @@ docker-hadolint:
 dependencies: [] script: - autoconfig_hadolint + - | log_info "Hadolint version:" hadolint -v - mkdir -p -m 777 reports + - log_info "Scanning ${DOCKER_FILE}..." - dockerfile_hash=$(echo "$DOCKER_FILE" | md5sum | cut -d" " -f1) # Output in Code Climate format (GitLab integration) - hadolint --no-fail -f gitlab_codeclimate $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/docker-hadolint-${dockerfile_hash}.codeclimate.json"
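Review bot: The tool-version stanza added to the Kaniko `before_script` (`log_info "Kaniko version:"` followed by `/kaniko/executor version`) runs under the job's fail-fast shell, so on a custom image where the `version` subcommand is missing or exits non-zero it aborts the job before any real work, even though the output is purely informational; the same pattern is repeated for Docker, Hadolint, Buildah, Trivy, Syft and Skopeo in the later hunks. Making the call best-effort, e.g. `/kaniko/executor version || log_warn "unable to determine Kaniko version"`, keeps the log useful without adding a new failure mode, and the six other stanzas can follow suit. Where the stanza sits mid-script (Hadolint after `autoconfig_hadolint`, Buildah after the cache-argument block, Skopeo after the snapshot/release check) it is also worth printing the version first, so it is in the log even when the preceding step is what fails. The hidden job definition this hunk belongs to starts before the hunk.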
@@ -864,6 +874,9 @@ docker-buildah-build:
 buildah_cache_args="--layers --cache-from $buildah_build_cache --cache-to $buildah_build_cache" log_info "Build cache enabled; CLI options: ${buildah_cache_args}" fi + - | log_info "Buildah version:" buildah version # build and push image - buildah build --file "$DOCKER_FILE" --tag $DOCKER_SNAPSHOT_IMAGE $buildah_cache_args --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy" $DOCKER_METADATA $DOCKER_BUILD_ARGS "$(docker_context_path)" - buildah push --digestfile .img-digest.txt "$DOCKER_SNAPSHOT_IMAGE"
@@ -899,7 +912,9 @@ docker-healthcheck:
 variables: GIT_STRATEGY: none stage: package-test - script: | + script: + - log_info "Healthchecking ${DOCKER_SNAPSHOT_IMAGE}..." + - | # Test by internal health_check (Recommended way, more info https://docs.docker.com/engine/reference/builder/#healthcheck) # This looks complicated but you normally don't have to touch this... function unexpected_error() {
@@ -966,9 +981,15 @@ docker-trivy:
 stage: package-test variables: TRIVY_CACHE_DIR: ".trivycache/" - script: | + script: + - log_info "Scanning vulnerabilities from ${DOCKER_SNAPSHOT_IMAGE}..." + - | log_info "Trivy version:" trivy version + - | # cache cleanup is needed when scanning images with the same tags, it does not remove the database trivy clean --scan-cache || trivy image --clear-cache + - | export TRIVY_USERNAME=${DOCKER_REGISTRY_SNAPSHOT_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}} export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}} basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
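Review bot: In the docker-trivy hunk the former single `script: |` block is split into several list items, and the last one now opens directly with `export TRIVY_USERNAME=...` / `export TRIVY_PASSWORD=...` with nothing saying what these credentials are for or why the snapshot-registry variables take precedence over the generic and CI-registry ones. The split itself should be safe since GitLab runs all script items in the same shell, but a one-line comment above the exports, `# registry credentials Trivy uses to pull $DOCKER_SNAPSHOT_IMAGE (snapshot registry > docker registry > CI registry)`, would spare the next reader a trip through the variable reference. That block continues past the end of the hunk.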
@@ -1015,6 +1036,10 @@ docker-sbom:
 name: $DOCKER_SBOM_IMAGE entrypoint: [""] script: + - log_info "Extracting SBOM from ${DOCKER_SNAPSHOT_IMAGE}..." + - | log_info "Syft version:" /syft version - mkdir -p -m 777 reports - basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g') - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json
@@ -1068,8 +1093,12 @@ docker-publish:
 log_warn "\\e[93mYou should consider distinguishing snapshot and release images as they do not differ. Skipping publish phase as image has already been created by previous job.\\e[0m" exit 0 fi + - | log_info "Skopeo version:" skopeo -v - BUILDTOOL_HOME=${BUILDTOOL_HOME:-$HOME} # 1: push main image + - log_info "Copying ${DOCKER_SNAPSHOT_IMAGE} to ${DOCKER_RELEASE_IMAGE}..." - skopeo copy --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://$DOCKER_SNAPSHOT_IMAGE" "docker://$DOCKER_RELEASE_IMAGE" - | log_info "Well done your image is pushed and can be pulled with: docker pull $DOCKER_RELEASE_IMAGE"