Commit 78a3403c authored by Pierre Smeyers's avatar Pierre Smeyers
Merge branch 'feat/normalize-reports' into 'master'

normalize reports

See merge request to-be-continuous/docker!46
parents fee8583f e8d505fe
...@@ -261,7 +261,7 @@ It is bound to the `build` stage, and uses the following variables: ...@@ -261,7 +261,7 @@ It is bound to the `build` stage, and uses the following variables:
| Name | Description | Default value | | Name | Description | Default value |
| -------------------------- | -------------------------------------- | --------------------------------------- | | -------------------------- | -------------------------------------- | --------------------------------------- |
| `DOCKER_HADOLINT_IMAGE` | The Hadolint image | `hadolint/hadolint:latest-alpine` | | `DOCKER_HADOLINT_IMAGE` | The Hadolint image | `hadolint/hadolint:latest-alpine` |
| `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments | `` | | `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments | _(none)_ |
In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository. In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
...@@ -275,6 +275,13 @@ FROM ubuntu ...@@ -275,6 +275,13 @@ FROM ubuntu
RUN cd /tmp && echo "hello!" RUN cd /tmp && echo "hello!"
``` ```
In addition to a textual report in the console, this job produces the following reports, kept for one day:
| Report | Format | Usage |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
| `reports/docker-hadolint-*.native.json` | native hadolint test report (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#hadolint)<br/>_This report is generated only if DefectDojo template is detected_ |
| `reports/docker-hadolint-*.codeclimate.json` | hadolint (GitLab) codeclimate format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality) |
### `docker-build` job ### `docker-build` job
This job builds the image and publishes it to the _snapshot_ repository. This job builds the image and publishes it to the _snapshot_ repository.
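Review bot: the condition "generated only if DefectDojo template is detected" in the native report row would be clearer if it named the actual switch the job checks, `DEFECTDOJO_HADOLINT_REPORTS` (see the `docker-hadolint` script change below), so that users who set that variable by hand, without the DefectDojo template, know it will enable the report. Consider also pointing out that the native JSON report is the one DefectDojo's hadolint parser expects, while the codeclimate file is for the GitLab Code Quality widget only.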
...@@ -383,6 +390,13 @@ It is bound to the `package-test` stage, and uses the following variables: ...@@ -383,6 +390,13 @@ It is bound to the `package-test` stage, and uses the following variables:
| `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis | _(none)_ | | `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis | _(none)_ |
| `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` | | `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` |
In addition to a textual report in the console, this job produces the following reports, kept for one day:
| Report | Format | Usage |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
| `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ |
| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) |
### `docker-publish` job ### `docker-publish` job
This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo). This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo).
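Review bot: the two Trivy documentation links in this section pin different versions (`v0.27.1` for `trivy client` arguments, `v0.30.4` for the GitLab report format); pick one version, or use `latest` as the `log_warn` message in the job already does, so the docs do not drift apart. In the second table row the "Format" cell reads "[Trivy report format for GitLab] format", with "format" duplicated; "[Trivy GitLab report format](...)" (json) would be enough.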
...@@ -477,14 +477,17 @@ docker-hadolint: ...@@ -477,14 +477,17 @@ docker-hadolint:
dependencies: [] dependencies: []
script: script:
- autoconfig_hadolint - autoconfig_hadolint
- mkdir -p reports - mkdir -p -m 777 reports
- chmod o+rwx reports
- dockerfile_hash=$(md5sum "$DOCKER_FILE" | cut -d" " -f1) - dockerfile_hash=$(md5sum "$DOCKER_FILE" | cut -d" " -f1)
# Output in Code Climate format (GitLab integration) # Output in Code Climate format (GitLab integration)
- hadolint --no-fail -f gitlab_codeclimate $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/hadolint-cc-${dockerfile_hash}.json" - hadolint --no-fail -f gitlab_codeclimate $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/docker-hadolint-${dockerfile_hash}.codeclimate.json"
# Output in JSON format # Output in JSON format
- hadolint --no-fail -f json $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/hadolint-json-${dockerfile_hash}.json" - |
# las run with console output (with failure) if [[ "$DEFECTDOJO_HADOLINT_REPORTS"]]
then
hadolint --no-fail -f json $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/docker-hadolint-${dockerfile_hash}.native.json"
fi
# last run with console output (with failure)
- hadolint $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" - hadolint $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE"
artifacts: artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
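Review bot: the new multi-line step has a shell syntax error: `if [[ "$DEFECTDOJO_HADOLINT_REPORTS"]]` has no space before `]]`, so bash reads `"$DEFECTDOJO_HADOLINT_REPORTS"]]` as one word and the job aborts at this step instead of skipping the native report. It should read `if [[ "$DEFECTDOJO_HADOLINT_REPORTS" ]]`, as the equivalent check in the `docker-trivy` job below already does. Separately, `mkdir -p -m 777 reports` only applies the mode when it creates the directory; if `reports` already exists (restored from cache or an earlier artifact) its permissions are left as they are, whereas the removed `chmod o+rwx reports` ran unconditionally. If hadolint really needs to write there as another user, keep an explicit `chmod` after the `mkdir`, and prefer granting only that user write access rather than a world-writable directory.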
...@@ -492,9 +495,9 @@ docker-hadolint: ...@@ -492,9 +495,9 @@ docker-hadolint:
when: always when: always
reports: reports:
codequality: codequality:
- "reports/hadolint-cc-*.json" - "reports/docker-hadolint-*.codeclimate.json"
paths: paths:
- "reports/hadolint-*.json" - "reports/docker-hadolint-*"
rules: rules:
# exclude if DOCKER_HADOLINT_DISABLED set # exclude if DOCKER_HADOLINT_DISABLED set
- if: '$DOCKER_HADOLINT_DISABLED == "true"' - if: '$DOCKER_HADOLINT_DISABLED == "true"'
...@@ -639,7 +642,7 @@ docker-trivy: ...@@ -639,7 +642,7 @@ docker-trivy:
trivy image --clear-cache trivy image --clear-cache
export TRIVY_USERNAME=${DOCKER_REGISTRY_SNAPSHOT_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}} export TRIVY_USERNAME=${DOCKER_REGISTRY_SNAPSHOT_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}
export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}} export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
export FILENAME=trivy-$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g') export basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
mkdir -p ./reports mkdir -p ./reports
if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m" log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
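Review bot: the variable `basename` shadows the name of the coreutils `basename` command. Because it is exported and later used as `${basename}`, commands are not affected, but the name is confusing to anyone reading or debugging the script; `report_basename` (or keeping an upper-case name like the old `FILENAME`, consistent with the other exported variables here) would avoid the ambiguity.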
...@@ -650,17 +653,22 @@ docker-trivy: ...@@ -650,17 +653,22 @@ docker-trivy:
export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}" export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}"
fi fi
# Add common trivy arguments # Add common trivy arguments
export trivy_opts="${trivy_opts} --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} --vuln-type os ${DOCKER_TRIVY_ARGS}" export trivy_opts="${trivy_opts} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"
# the first execution of Trivy should never fail, otherwise the other executions won't be run (so --exit-code=0) # GitLab format (no fail)
trivy ${trivy_opts} --format template --template @/contrib/junit.tpl --output ./reports/${FILENAME}.xml --exit-code 0 $DOCKER_SNAPSHOT_IMAGE trivy ${trivy_opts} --format template --exit-code 0 --template "@contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $DOCKER_SNAPSHOT_IMAGE
trivy ${trivy_opts} --format json --output ./reports/${FILENAME}.json --exit-code 0 $DOCKER_SNAPSHOT_IMAGE # JSON format (no fail)
if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
then
trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE
fi
# console output (fail)
trivy ${trivy_opts} --format table --exit-code 1 $DOCKER_SNAPSHOT_IMAGE trivy ${trivy_opts} --format table --exit-code 1 $DOCKER_SNAPSHOT_IMAGE
artifacts: artifacts:
when: always when: always
paths: paths:
- reports/ - "reports/docker-trivy-*"
reports: reports:
junit: "reports/*.xml" container_scanning: "reports/docker-trivy-*.gitlab.json"
cache: cache:
paths: paths:
- .trivycache/ - .trivycache/
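Review bot: the template path changed from the absolute `@/contrib/junit.tpl` to the relative `@contrib/gitlab.tpl`. Trivy resolves an `@path` template relative to the process working directory, which in a GitLab job is the project checkout, not the image root where the bundled templates live, so this call will not find the template unless the job changes directory first; use `@/contrib/gitlab.tpl`, matching the absolute path convention of the removed line and Trivy's own GitLab CI documentation linked from the README. A second behaviour change worth documenting: `--vuln-type os` is dropped from the common `trivy_opts` and now only reaches Trivy through the default value of `DOCKER_TRIVY_ARGS`, so any project that already overrides `DOCKER_TRIVY_ARGS` will from now on also scan library vulnerabilities (and lose `--ignore-unfixed` unless it sets it), which can turn a previously green `docker-trivy` job red. Broader scope is a reasonable default, but the README and changelog should call it out.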