diff --git a/.gitlab/merge_request_templates/new_feature.md b/.gitlab/merge_request_templates/new_feature.md
index 74abae94c94dc0768bb5c51fe51ad253fce113fe..491b7f98ded7e0da03d18c95978eafcb7d86619f 100644
--- a/.gitlab/merge_request_templates/new_feature.md
+++ b/.gitlab/merge_request_templates/new_feature.md
@@ -8,8 +8,8 @@ Closes #999
 ## Checklist
 
 * General:
-    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
-    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
+    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
+    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
 * Publicly usable:
     * [ ] untagged runners
     * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 59658129087e922ffd9f99f5cf135b9f7640c72f..2dedbd5ae47702d158f73c2e3209ecacdbef958d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,53 @@
-# [6.1.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/compare/6.0.0...6.1.0) (2025-01-29)
+## [6.1.7](https://gitlab.com/to-be-continuous/docker/compare/6.1.6...6.1.7) (2025-04-25)
+
+
+### Bug Fixes
+
+* install custom CA certs before awk ([45b8cb3](https://gitlab.com/to-be-continuous/docker/commit/45b8cb399cd5f73455d5e2be81f51e1672b46823))
+
+## [6.1.6](https://gitlab.com/to-be-continuous/docker/compare/6.1.5...6.1.6) (2025-04-18)
+
+
+### Bug Fixes
+
+* allow installation of missing package awk ([bb602d8](https://gitlab.com/to-be-continuous/docker/commit/bb602d8e845bafa90c043f082f3ee35571679b49))
+
+## [6.1.5](https://gitlab.com/to-be-continuous/docker/compare/6.1.4...6.1.5) (2025-04-18)
+
+
+### Bug Fixes
+
+* switch to official image with awk for buildah and skopeo ([b8a065a](https://gitlab.com/to-be-continuous/docker/commit/b8a065ad216851bebbc52fb5445d24b9b76f9835))
+
+## [6.1.4](https://gitlab.com/to-be-continuous/docker/compare/6.1.3...6.1.4) (2025-04-11)
+
+
+### Bug Fixes
+
+* **envsubst:** leave lines with '# nosubst' unchanged when substituting (used to be simply dropped) ([214ae5d](https://gitlab.com/to-be-continuous/docker/commit/214ae5dfc6e6661eed8eb5dd62ad4fc1bcc7d5b7))
+
+## [6.1.3](https://gitlab.com/to-be-continuous/docker/compare/6.1.2...6.1.3) (2025-03-11)
+
+
+### Bug Fixes
+
+* **sbom:** disable file catalogers for Syft SBOM (to minimize SBOM file) ([c95c2d4](https://gitlab.com/to-be-continuous/docker/commit/c95c2d47738d29e2640c3bf5e8b4199064d7c231))
+
+## [6.1.2](https://gitlab.com/to-be-continuous/docker/compare/6.1.1...6.1.2) (2025-02-01)
+
+
+### Bug Fixes
+
+* homogenize new TBC envsubst mechanism ([8c6e14a](https://gitlab.com/to-be-continuous/docker/commit/8c6e14aa3409a8c5e51290eb316f284162ee2a11))
+
+## [6.1.1](https://gitlab.com/to-be-continuous/docker/compare/6.1.0...6.1.1) (2025-01-31)
+
+
+### Bug Fixes
+
+* **sbom:** only generate SBOMs on prod branches, integ branches and release tags ([5102c5f](https://gitlab.com/to-be-continuous/docker/commit/5102c5f45fb71368cb24e54c150d79154cf7c287))
+
+# [6.1.0](https://gitlab.com/to-be-continuous/docker/compare/6.0.0...6.1.0) (2025-01-27)
 
 
 ### Features
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index dda66dec1e96ab19b4b8078d86841fe78e48e66b..532cd7f04dd719c3520d047170cfd4cf4ff4b486 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -61,7 +61,7 @@ To contribute:
 
 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
 2. Make sure the issue has been reviewed and agreed.
-3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
+3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
    Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.
 
 ### Git Commit Conventions
diff --git a/README.md b/README.md
index ebf0acbf2ce897591d17056910b82108f6d2476c..170da87a64808b6e2af9f233f169fd821eb9bcfc 100644
--- a/README.md
+++ b/README.md
@@ -1,11 +1,13 @@
 # GitLab CI template for Docker
 
-This project implements a GitLab CI/CD template to build, check and inspect your containers with [Docker](https://www.docker.com/).
+This project implements a GitLab CI/CD template to build, test and secure your container images out of a `Dockerfile`.
+
+It supports [kaniko](https://github.com/GoogleContainerTools/kaniko), [Buildah](https://buildah.io/) or [Docker](https://www.docker.com/) as build tools.
 
 ## Usage
 
-This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component)
-or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
+This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component)
+or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax.
 
 ### Use as a CI/CD component
 
@@ -14,7 +16,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
   # 1: include the component
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.7
     # 2: set/override component inputs
     inputs:
       build-tool: buildah # ⚠ this is only an example
@@ -28,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
   # 1: include the template
   - project: 'to-be-continuous/docker'
-    ref: '6.1.0'
+    ref: '6.1.7'
     file: '/templates/gitlab-ci-docker.yml'
 
 variables:
@@ -47,10 +49,10 @@ The template supports following ways of building container images:
 3. Or using [buildah](https://buildah.io/), an open-source, daemonless tool backed by RedHat for building Docker
    images, and that solves Docker-in-Docker security issues (and also speeds-up build times), and can also be configured to run rootless.
 
-By default, the template uses the [kaniko](https://docs.gitlab.com/ee/ci/docker/using_kaniko.html) way, but you may
+By default, the template uses the [kaniko](https://docs.gitlab.com/ci/docker/using_kaniko/) way, but you may
 select an alternate build tool by using the `DOCKER_BUILD_TOOL` variable (see below).
 
-:warning: If you choose to use 'Docker-in-Docker' option considering the associated security risks, make sure your runner has required privileges to run Docker-in-Docker ([see GitLab doc](https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker-workflow-with-docker-executor)).
+:warning: If you choose to use 'Docker-in-Docker' option considering the associated security risks, make sure your runner has required privileges to run Docker-in-Docker ([see GitLab doc](https://docs.gitlab.com/ci/docker/using_docker_build/#use-docker-in-docker-workflow-with-docker-executor)).
 
 ### Global variables
 
@@ -59,10 +61,10 @@ The Docker template uses some global configuration used throughout all jobs.
 | Input / Variable                         | Description                                                                                                                                    | Default value                                                                       |
 | ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
 | `build-tool` / `DOCKER_BUILD_TOOL`       | The build tool to use for building container image, possible values are `kaniko`, `buildah` or `dind`                                          | `kaniko`                                                                            |
-| `kaniko-image` / `DOCKER_KANIKO_IMAGE`   | The image used to run `kaniko` - _for kaniko build only_                                                                                       | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab)              |
-| `buildah-image` / `DOCKER_BUILDAH_IMAGE` | The image used to run `buildah` - _for buildah build only_                                                                                     | `quay.io/buildah/stable`                                                            |
-| `image` / `DOCKER_IMAGE`                 | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:latest`                                     |
-| `dind-image` / `DOCKER_DIND_IMAGE`       | The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:dind`                                       |
+| `kaniko-image` / `DOCKER_KANIKO_IMAGE`   | The image used to run `kaniko` - _for kaniko build only_                                                                                       | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab)<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_KANIKO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_KANIKO_IMAGE)|
+| `buildah-image` / `DOCKER_BUILDAH_IMAGE` | The image used to run `buildah` - _for buildah build only_                                                                                     | `quay.io/containers/aio:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_BUILDAH_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_BUILDAH_IMAGE)|
+| `image` / `DOCKER_IMAGE`                 | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_IMAGE) |
+| `dind-image` / `DOCKER_DIND_IMAGE`       | The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:dind`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_DIND_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_DIND_IMAGE)|
 | `file` / `DOCKER_FILE`                   | The path to your `Dockerfile`                                                                                                                  | `Dockerfile`                                                                        |
 | `context-path` / `DOCKER_CONTEXT_PATH`   | The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory)                     | _none_ _only set if you want a context path different from the Dockerfile location_ |
 
@@ -158,7 +160,7 @@ There might be cases where you need to provide the complete [Docker configuratio
 If you are in one of those cases, you will need to use the `DOCKER_CONFIG_FILE` variable, expected to declare the path to your custom Docker configuration file (JSON). You may:
 
 - leave the default value (`.docker/config.json`) or override it to some alternate location in your project repository and create the file **without any secret in it** using our dynamic variables replacement (see below),
-- or override it as a GitLab project variable of type [File](https://docs.gitlab.com/ee/ci/variables/#cicd-variable-types), possibly inlining your secret credentials in it.
+- or override it as a GitLab project variable of type [File](https://docs.gitlab.com/ci/variables/#cicd-variable-types), possibly inlining your secret credentials in it.
 
 | Input / Variable                     | Description                                  | Default value         |
 | ------------------------------------ | -------------------------------------------- | --------------------- |
@@ -199,7 +201,7 @@ This file uses:
 - template-managed `${docker_snapshot_authent_token}`, `${docker_snapshot_registry_host}`, `${docker_release_authent_token}` and `${docker_release_registry_host}` variables,
 - the user-defined `${MY_OWN_REGISTRY_TOKEN}` (:information_source: an authentication token can be obtained with command `echo "user:password" | base64` and then be stored as a masked GitLab CI/CD project variable).
 
-Example 2: Docker configuration file declared as a GitLab project variable of type [File](https://docs.gitlab.com/ee/ci/variables/#cicd-variable-types) with **dynamic variables replacement**:
+Example 2: Docker configuration file declared as a GitLab project variable of type [File](https://docs.gitlab.com/ci/variables/#cicd-variable-types) with **dynamic variables replacement**:
 
 ```json
 {
@@ -219,14 +221,14 @@ Example 2: Docker configuration file declared as a GitLab project variable of ty
 
 This file uses:
 
-- template-managed `${docker_snapshot_authent_token}`, `${docker_snapshot_registry_host}`, `${docker_release_authent_token}` and `${docker_release_registry_host}` variables (:warning: mind the double `$$` to prevent GitLab from [trying to evaluate the variable](https://docs.gitlab.com/ee/ci/variables/index.html#use-the--character-in-variables)),
+- template-managed `${docker_snapshot_authent_token}`, `${docker_snapshot_registry_host}`, `${docker_release_authent_token}` and `${docker_release_registry_host}` variables (:warning: mind the double `$$` to prevent GitLab from [trying to evaluate the variable](https://docs.gitlab.com/ci/variables/#use-the--character-in-variables)),
 - the user-defined authentication may be inlined as a GitLab project variable is a place safe enough to store secrets.
 
 ## Multi Dockerfile support
 
 This template supports building multiple Docker images from a single Git repository.
 
-You can define the images to build using the [parallel matrix jobs](https://docs.gitlab.com/ee/ci/yaml/#parallel-matrix-jobs)
+You can define the images to build using the [parallel matrix jobs](https://docs.gitlab.com/ci/yaml/#parallel-matrix-jobs)
 pattern inside the `.docker-base` job (this is the top parent job of all Docker template jobs).
 
 Since each job in the template extends this base job, the pipeline will produce one job instance per image to build.
@@ -260,12 +262,12 @@ variables:
 
 Here are some advices about your **secrets** (variables marked with a :lock:):
 
-1. Manage them as [project or group CI/CD variables](https://docs.gitlab.com/ee/ci/variables/#for-a-project):
-   - [**masked**](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently
+1. Manage them as [project or group CI/CD variables](https://docs.gitlab.com/ci/variables/#for-a-project):
+   - [**masked**](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently
      displayed in your job logs,
-   - [**protected**](https://docs.gitlab.com/ee/ci/variables/#protected-cicd-variables) if you want to secure some secrets
+   - [**protected**](https://docs.gitlab.com/ci/variables/#protected-cicd-variables) if you want to secure some secrets
      you don't want everyone in the project to have access to (for instance production secrets).
-2. In case a secret contains [characters that prevent it from being masked](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable),
+2. In case a secret contains [characters that prevent it from being masked](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable),
    simply define its value as the [Base64](https://en.wikipedia.org/wiki/Base64) encoded value prefixed with `@b64@`:
    it will then be possible to mask it and the template will automatically decode it prior to using it.
 3. Don't forget to escape special characters (ex: `$` -> `$$`).
@@ -278,11 +280,11 @@ This job performs a [Lint](https://github.com/hadolint/hadolint) on your `Docker
 
 It is bound to the `build` stage, and uses the following variables:
 
-| Input / Variable | Description                            | Default value                           |
-| -------------------------- | -------------------------------------- | --------------------------------------- |
-| `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` | Set to `true` to disable Hadolint | _(none: enabled by default)_ |
-| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` | The Hadolint image                     | `registry.hub.docker.com/hadolint/hadolint:latest-alpine`       |
-| `hadolint-args` / `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments        | _(none)_                        |
+| Input / Variable                                 | Description                       | Default value                                             |
+| ------------------------------------------------ | --------------------------------- | --------------------------------------------------------- |
+| `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` | Set to `true` to disable Hadolint | _(none: enabled by default)_                              |
+| `hadolint-image` / `DOCKER_HADOLINT_IMAGE`       | The Hadolint image                | `registry.hub.docker.com/hadolint/hadolint:latest-alpine`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_HADOLINT_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_HADOLINT_IMAGE)|
+| `hadolint-args` / `DOCKER_HADOLINT_ARGS`         | Additional `hadolint` arguments   | _(none)_                                                  |
 | `hadolint-job-tags` / `DOCKER_HADOLINT_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
 
 In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
@@ -302,7 +304,7 @@ In addition to a textual report in the console, this job produces the following
 | Report                                       | Format                               | Usage                                                                                                                                                                          |
 | -------------------------------------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | `reports/docker-hadolint-*.native.json`      | native hadolint test report (json)   | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/hadolint/)<br/>_This report is generated only if DefectDojo template is detected_ |
-| `reports/docker-hadolint-*.codeclimate.json` | hadolint (GitLab) codeclimate format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality)                                                                    |
+| `reports/docker-hadolint-*.codeclimate.json` | hadolint (GitLab) codeclimate format | [GitLab integration](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportscodequality)                                                                    |
 
 ### `docker-*-build` jobs
 
@@ -322,7 +324,7 @@ It is bound to the `package-build` stage, and uses the following variables:
 | `dind-build-job-tags` / `DOCKER_DIND_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
 | `buildah-build-job-tags` / `DOCKER_BUILDAH_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
 
-This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)):
+This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportsdotenv)):
 
 | Input / Variable      | Description                                            | Example                                                        |
 | --------------------- | ------------------------------------------------------ | -------------------------------------------------------------- |
@@ -353,7 +355,7 @@ LABEL name="my-project"                   \
       maintainer="my-project@acme.com"
 ```
 
-Default value for `DOCKER_METADATA` supports a subset of the [OCI Image Format Specification](https://github.com/opencontainers/image-spec/blob/master/annotations.md) for labels and use [GitLab CI pre-defined variables](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html) to guess the value as follow :
+Default value for `DOCKER_METADATA` supports a subset of the [OCI Image Format Specification](https://github.com/opencontainers/image-spec/blob/master/annotations.md) for labels and use [GitLab CI pre-defined variables](https://docs.gitlab.com/ci/variables/predefined_variables/) to guess the value as follow :
 
 | Label                               | GitLab CI pre-defined variable |
 | ----------------------------------- | ------------------------------ |
@@ -391,7 +393,7 @@ If you have defined one of those labels in the Dockerfile, the final value will
 
 ### `docker-healthcheck` job
 
-:warning: this job requires that your runner has required privileges to run [Docker-in-Docker](https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker-workflow-with-docker-executor).
+:warning: this job requires that your runner has required privileges to run [Docker-in-Docker](https://docs.gitlab.com/ci/docker/using_docker_build/#use-docker-in-docker-workflow-with-docker-executor).
 If it is not the case this job will not be run.
 
 This job performs a [Health Check](https://docs.docker.com/engine/reference/builder/#healthcheck) on your built image.
@@ -426,15 +428,11 @@ variables:
 
 It is bound to the `package-test` stage, and uses the following variables:
 
-| Input / Variable | Description                            | Default value     |
-| ---------------------- | -------------------------------------- | ----------------- |
-| `trivy-image` / `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `registry.hub.docker.com/aquasec/trivy:latest` |
-| `trivy-addr` / `DOCKER_TRIVY_ADDR` | The Trivy server address (for client/server mode)              | _(none: standalone mode)_  |
-| `trivy-security-level-threshold` / `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD` | Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`  |
-| `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis          | _(none)_ |
-| `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |
-| `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | OCI repository to retrieve Trivy Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-db`) |
-| `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)_ |
+| Input / Variable                                                           | Description                                                                                                            | Default value                                                       |
+| -------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------- |
+| `trivy-image` / `DOCKER_TRIVY_IMAGE`                                       | The docker image used to scan images with Trivy                                                                        | `registry.hub.docker.com/aquasec/trivy:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_TRIVY_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_TRIVY_IMAGE)|
+| `trivy-disabled` / `DOCKER_TRIVY_DISABLED`                                 | Set to `true` to disable Trivy analysis                                                                                | _(none)_                                                            |
+| `trivy-args` / `DOCKER_TRIVY_ARGS`                                         | Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) | `--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive`                                   |
 | `docker-trivy-job-tags` / `DOCKER_DOCKER_TRIVY_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
 
 Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).
@@ -450,7 +448,7 @@ In addition to a textual report in the console, this job produces the following
 | Report                               | Format                                                                                                             | Usage                                                                                                                                                                       |
 | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `reports/docker-trivy-*.native.json` | native Trivy report format (json)                                                                                  | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/trivy/)<br/>_This report is generated only if DefectDojo template is detected_ |
-| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning)                                                          |
+| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportscontainer_scanning)                                                          |
 
 ### `docker-sbom` job
 
@@ -458,28 +456,29 @@ This job generates a [SBOM](https://cyclonedx.org/) file listing installed packa
 
 It is bound to the `package-test` stage, and uses the following variables:
 
-| Input / Variable | Description                            | Default value     |
-| --------------------- | -------------------------------------- | ----------------- |
-| `sbom-disabled` / `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
-| `sbom-image` / `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug` |
-| `sbom-opts` / `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger` |
+| Input / Variable                         | Description                             | Default value                                                                                                           |
+| ---------------------------------------- | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
+| `sbom-disabled` / `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job       | _none_                                                                                                                  |
+| `TBC_SBOM_MODE` | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence | `onrelease` |
+| `sbom-image` / `DOCKER_SBOM_IMAGE`       | The docker image used to emit SBOM      | `registry.hub.docker.com/anchore/syft:debug`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SBOM_IMAGE)|
+| `sbom-opts` / `DOCKER_SBOM_OPTS`         | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file` |
 | `docker-sbom-job-tags` / `DOCKER_DOCKER_SBOM_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
 
 ### `docker-publish` job
 
 This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo).
 
-| Input / Variable | Description                                                                 | Default value     |
-| --------------------- | --------------------------------------------------------------------------- | ----------------- |
-| `skopeo-image` / `DOCKER_SKOPEO_IMAGE` | The Docker image used to run [skopeo](https://github.com/containers/skopeo) | `quay.io/skopeo/stable:latest` |
-| `publish-args` / `DOCKER_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options) | _(none)_          |
-| `prod-publish-strategy` / `DOCKER_PROD_PUBLISH_STRATEGY` | Defines the publish to production strategy. One of `manual` (i.e. _one-click_), `auto` or `none` (disabled). | `manual` |
-| `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` | Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) | `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ |
-| `release-extra-tags` / `DOCKER_RELEASE_EXTRA_TAGS` | Defines extra tags to publish the _release_ image (supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` - [see below](#using-extra-tags))       | _(none)_          |
-| `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration)   | _none_ (enabled) |
+| Input / Variable                                                   | Description                                                                                                                                                        | Default value                                                                                                                                                   |
+| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `skopeo-image` / `DOCKER_SKOPEO_IMAGE`                             | The Docker image used to run [skopeo](https://github.com/containers/skopeo)                                                                                        | `quay.io/containers/aio:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SKOPEO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SKOPEO_IMAGE)|
+| `publish-args` / `DOCKER_PUBLISH_ARGS`                             | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)                                               | _(none)_                                                                                                                                                        |
+| `prod-publish-strategy` / `DOCKER_PROD_PUBLISH_STRATEGY`           | Defines the publish to production strategy. One of `manual` (i.e. _one-click_), `auto` or `none` (disabled).                                                       | `manual`                                                                                                                                                        |
+| `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` | Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags))            | `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ |
+| `release-extra-tags` / `DOCKER_RELEASE_EXTRA_TAGS`                 | Defines extra tags to publish the _release_ image (supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` - [see below](#using-extra-tags)) | _(none)_                                                                                                                                                        |
+| `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED`       | Set to `true` to disable [semantic-release integration](#semantic-release-integration)                                                                             | _none_ (enabled)                                                                                                                                                |
 | `docker-publish-job-tags` / `DOCKER_DOCKER_PUBLISH_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
 
-This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)):
+This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportsdotenv)):
 
 | Input / Variable      | Description                                           | Example                                               |
 | --------------------- | ----------------------------------------------------- | ----------------------------------------------------- |
@@ -571,7 +570,7 @@ Here is a `.gitlab-ci.yaml` using an external Docker registry:
 
 ```yaml
 include:
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.7
     inputs:
       snapshot-image: "registry.acme.host/$CI_PROJECT_NAME/snapshot:$CI_COMMIT_REF_SLUG"
       release-image: "registry.acme.host/$CI_PROJECT_NAME:$CI_COMMIT_REF_NAME"
@@ -582,11 +581,11 @@ Depending on the Docker registry you're using, you may have to use a real passwo
 
 ### Building multiple Docker images
 
-Here is a `.gitlab-ci.yaml` that builds 2 Docker images from the same project (uses [parallel matrix jobs](https://docs.gitlab.com/ee/ci/yaml/#parallel-matrix-jobs)):
+Here is a `.gitlab-ci.yaml` that builds 2 Docker images from the same project (uses [parallel matrix jobs](https://docs.gitlab.com/ci/yaml/#parallel-matrix-jobs)):
 
 ```yaml
 include:
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.7
 
 .docker-base:
   parallel:
@@ -619,7 +618,7 @@ In order to be able to communicate with the Vault server, the variant requires t
 | :lock: `VAULT_ROLE_ID`              | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID                                                             | _none_                                                                     |
 | :lock: `VAULT_SECRET_ID`            | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID                                                           | _none_                                                                     |
 
-By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
+By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ci/secrets/id_token_authentication/). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
 
 #### Usage
 
@@ -641,9 +640,9 @@ With:
 ```yaml
 include:
   # main template
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.7
   # Vault variant
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-vault@5.7.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-vault@6.1.7
     inputs:
       # audience claim for JWT
       vault-oidc-aud: "https://vault.acme.host"
@@ -675,7 +674,7 @@ List of requirements before using this variant for publishing your container ima
 | ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- |
 | `TBC_GCP_PROVIDER_IMAGE`                                    | The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use (can be overridden)                                       | `registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:latest` |
 | `gcp-oidc-aud` / `GCP_OIDC_AUD`                             | The `aud` claim for the JWT token                                                                                                                           | `$CI_SERVER_URL`                                                      |
-| `gcp-oidc-provider` / `GCP_OIDC_PROVIDER`                   | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_                                                                |
+| `gcp-oidc-provider` / `GCP_OIDC_PROVIDER`                   | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) | _none_                                                                |
 | `gcp-oidc-account` / `GCP_OIDC_ACCOUNT`                     | Default Service Account to which impersonate with OpenID Connect authentication                                                                             | _none_                                                                |
 | `gcp-snapshot-oidc-provider` / `GCP_SNAPSHOT_OIDC_PROVIDER` | Workload Identity Provider to push the snapshot image _(only define to override default)_                                                                   | _none_                                                                |
 | `gcp-snapshot-oidc-account` / `GCP_SNAPSHOT_OIDC_ACCOUNT`   | Service Account to use to push the snapshot image _(only define to override default)_                                                                       | _none_                                                                |
@@ -689,7 +688,7 @@ to use the snapshot image repository (will host your snapshot image as well as c
 
 ```yaml
 include:
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.7
     inputs:
       build-tool: "kaniko" # Only Kaniko has been proved to work for this use case YET
       # untested & unverified container image
@@ -697,7 +696,7 @@ include:
       # ⚠ don't forget to create the '{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot/cache' repo for Kaniko
       # validated container image (published)
       release-image: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}:$CI_COMMIT_REF_NAME"
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-gcp@5.7.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-gcp@6.1.7
     inputs:
       # default WIF provider
       gcp-oidc-provider: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
@@ -718,7 +717,7 @@ that will be used as a temporary credential to login to the ECR registry.
 
 In order to use the AWS APIs, the variant supports two authentication methods:
 
-1. [federated authentication using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) (**recommended method**),
+1. [federated authentication using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) (**recommended method**),
 2. or basic authentication with AWS access key ID & secret access key.
 
 :warning: when using this variant, you must have created the ECR repositories to push the snapshot and/or the release images.
@@ -737,7 +736,7 @@ to use the snapshot image repository (will host your snapshot image as well as c
 
 ##### OIDC authentication config
 
-This is the recommended authentication method. In order to use it, first carefuly follow [GitLab's documentation](https://docs.gitlab.com/ee/ci/cloud_services/aws/),
+This is the recommended authentication method. In order to use it, first carefuly follow [GitLab's documentation](https://docs.gitlab.com/ci/cloud_services/aws/),
 then set the required configuration.
 
 | Input / Variable                                            | Description                                                                                    | Default value    |
@@ -762,14 +761,14 @@ then set the required configuration.
 
 ```yaml
 include:
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.7
     inputs:
       # untested & unverified container image
       snapshot-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH_SLUG/snapshot:$CI_COMMIT_REF_SLUG"
       # ⚠ don't forget to create the '123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot/cache' repo for Kaniko
       # validated container image (published)
       release-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH_SLUG:$CI_COMMIT_REF_NAME"
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-ecr@5.7.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-ecr@6.1.7
     inputs:
       # default Role ARN (using OIDC authentication method)
       aws-oidc-role-arn: "arn:aws:iam::123456789012:role/gitlab-ci"
diff --git a/docker.r2.yml b/docker.r2.yml
index ff8e6bfb15b34aa4a5e5813364514b1f00db2509..d748c848b2489d3bf4bc3786229ba87b5864d11e 100644
--- a/docker.r2.yml
+++ b/docker.r2.yml
@@ -3,7 +3,7 @@ files:
     documentation: ./README.md
     changelog: ./CHANGELOG.md
 data:
-    description: "Build, check and inspect your containers with Docker"
+    description: "Build, test and secure your container images out of a Dockerfile"
     public: true
     labels:
     - to be continuous
diff --git a/kicker.json b/kicker.json
index 0ef843fdb54da35f388ef8617aa0d8ab5bbb4a2d..1c7847542288bbf1bfe260591de77934dd1216c2 100644
--- a/kicker.json
+++ b/kicker.json
@@ -1,6 +1,6 @@
 {
   "name": "Docker",
-  "description": "Build, check and inspect your containers with [Docker](https://www.docker.com/)",
+  "description": "Build, test and secure your container images out of a `Dockerfile`",
   "template_path": "templates/gitlab-ci-docker.yml",
   "kind": "package",
   "prefix": "docker",
@@ -21,7 +21,7 @@
     {
       "name": "DOCKER_BUILDAH_IMAGE",
       "description": "The image used to run buildah\n\n_for buildah build only_",
-      "default": "quay.io/buildah/stable:latest"
+      "default": "quay.io/containers/aio:latest"
     },
     {
       "name": "DOCKER_IMAGE",
@@ -36,7 +36,7 @@
     {
       "name": "DOCKER_SKOPEO_IMAGE",
       "description": "The image used to publish docker image with Skopeo",
-      "default": "quay.io/skopeo/stable:latest"
+      "default": "quay.io/containers/aio:latest"
     },
     {
       "name": "DOCKER_FILE",
@@ -246,6 +246,14 @@
       "description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)",
       "disable_with": "DOCKER_SBOM_DISABLED",
       "variables": [
+        {
+          "name": "TBC_SBOM_MODE",
+          "type": "enum",
+          "values": ["onrelease", "always"],
+          "description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)",
+          "advanced": true,
+          "default": "onrelease"
+        },
         {
           "name": "DOCKER_SBOM_IMAGE",
           "default": "registry.hub.docker.com/anchore/syft:debug"
@@ -253,7 +261,7 @@
         {
           "name": "DOCKER_SBOM_OPTS",
           "description": "Options for syft used for SBOM analysis",
-          "default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger",
+          "default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file",
           "advanced": true
         },
         {
@@ -317,7 +325,7 @@
         },
         {
           "name": "GCP_OIDC_AUD",
-          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
           "default": "$CI_SERVER_URL",
           "advanced": true
         },
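Review bot: The `GCP_OIDC_AUD` description still links to the AWS cloud-services page (`cloud_services/aws/`) even though this variable belongs to the GCP variant; the URL migration in this hunk kept the wrong target. Point it at the Google Cloud page that `GCP_OIDC_PROVIDER` uses in the next hunk: `_(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/google_cloud/))_`.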
@@ -327,7 +335,7 @@
         },
         {
           "name": "GCP_OIDC_PROVIDER",
-          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
+          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)"
         },
         {
           "name": "GCP_SNAPSHOT_OIDC_ACCOUNT",
@@ -379,22 +387,22 @@
         },
         {
           "name": "AWS_OIDC_AUD",
-          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
           "default": "$CI_SERVER_URL",
           "advanced": true
         },
         {
           "name": "AWS_OIDC_ROLE_ARN",
-          "description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_"
+          "description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_"
         },
         {
           "name": "AWS_SNAPSHOT_OIDC_ROLE_ARN",
-          "description": "IAM Role ARN associated with GitLab for the snapshot image _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/) and if different from default)_",
+          "description": "IAM Role ARN associated with GitLab for the snapshot image _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/) and if different from default)_",
           "advanced": true
         },
         {
           "name": "AWS_RELEASE_OIDC_ROLE_ARN",
-          "description": "IAM Role ARN associated with GitLab for the release image _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/) and if different from default)_",
+          "description": "IAM Role ARN associated with GitLab for the release image _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/) and if different from default)_",
           "advanced": true
         },
         {
diff --git a/templates/gitlab-ci-docker-ecr.yml b/templates/gitlab-ci-docker-ecr.yml
index 6aedf5317bdae07f2720742e9fdb966099455f22..44eb5440ede34177138394cdd1c49653eb7fd32b 100644
--- a/templates/gitlab-ci-docker-ecr.yml
+++ b/templates/gitlab-ci-docker-ecr.yml
@@ -15,20 +15,20 @@ spec:
         different from default)_
       default: ''
     aws-oidc-aud:
-      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_
       default: $CI_SERVER_URL
     aws-oidc-role-arn:
       description: Default IAM Role ARN associated with GitLab _(only required for [OIDC
-        authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+        authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_
       default: ''
     aws-snapshot-oidc-role-arn:
       description: IAM Role ARN associated with GitLab for the snapshot image _(only
-        required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
+        required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/)
         and if different from default)_
       default: ''
     aws-release-oidc-role-arn:
       description: IAM Role ARN associated with GitLab for the release image _(only
-        required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
+        required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/)
         and if different from default)_
       default: ''
 ---
@@ -45,7 +45,7 @@ variables:
 .docker-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "6.1.0"]
+      command: ["--service", "docker", "6.1.7"]
     - name: "$TBC_AWS_PROVIDER_IMAGE"
       alias: "aws-auth-provider"
   id_tokens:
diff --git a/templates/gitlab-ci-docker-gcp.yml b/templates/gitlab-ci-docker-gcp.yml
index 6a044c8b166ae0b7a154218ef9d25585a7ed7a7f..8a07e6cafc2c3dc1caee453123ad23c4656b9b63 100644
--- a/templates/gitlab-ci-docker-gcp.yml
+++ b/templates/gitlab-ci-docker-gcp.yml
@@ -4,7 +4,7 @@
 spec:
   inputs:
     gcp-oidc-aud:
-      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_
       default: $CI_SERVER_URL
     gcp-oidc-account:
       description: Default Service Account to which impersonate with OpenID Connect
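Review bot: The `gcp-oidc-aud` description links to the AWS cloud-services page (`cloud_services/aws/`) although this is the GCP variant; the link migration preserved the wrong destination. Use the Google Cloud page referenced by `gcp-oidc-provider` two inputs below: `_(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/google_cloud/))_`.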
@@ -12,7 +12,7 @@ spec:
       default: ''
     gcp-oidc-provider:
       description: Default Workload Identity Provider associated with GitLab to [authenticate
-        with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
+        with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)
       default: ''
     gcp-snapshot-oidc-account:
       description: Service Account to use to push the snapshot image _(only define if
@@ -44,7 +44,7 @@ variables:
 .docker-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "6.1.0"]
+      command: ["--service", "docker", "6.1.7"]
     - name: "$TBC_GCP_PROVIDER_IMAGE"
       alias: "gcp-auth-provider"
   variables:
diff --git a/templates/gitlab-ci-docker-vault.yml b/templates/gitlab-ci-docker-vault.yml
index 66a7f1bda659c17a3246e2324004a56a871616cf..54a48c433dd1cc7323e8d9d6e1ff6497de2c8f88 100644
--- a/templates/gitlab-ci-docker-vault.yml
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -22,7 +22,7 @@ variables:
 .docker-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "6.1.0"]
+      command: ["--service", "docker", "6.1.7"]
     - name: "$TBC_VAULT_IMAGE"
       alias: "vault-secrets-provider"
   variables:
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index f68fd41e88e85b2d6342cfd68c13e02d7985f3f2..979f09ecf106891c524d0771e711d1d1295d417e 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -33,7 +33,7 @@ spec:
         The image used to run buildah
 
         _for buildah build only_
-      default: quay.io/buildah/stable:latest
+      default: quay.io/containers/aio:latest
     image:
       description: |-
         The image used to run the docker client
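Review bot: The new default `quay.io/containers/aio:latest` is a floating tag, so the tool that receives the registry credentials and pushes release images can change underneath every pipeline without any commit in this repository; the previous default had the same weakness, but swapping the image is the moment to fix it. Pin to a version tag or, preferably, a digest (`quay.io/containers/aio:<version>@sha256:…`) and let a dependency bot bump it, or at least state in the description that production users should override it with a pinned reference. The same applies to the `skopeo-image` default changed in the next hunk, which now points at the identical image; a sentence noting that both build and publish now share one image would help users who override only one of the two inputs.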
@@ -48,7 +48,7 @@ spec:
       default: registry.hub.docker.com/library/docker:dind
     skopeo-image:
       description: The image used to publish docker image with Skopeo
-      default: quay.io/skopeo/stable:latest
+      default: quay.io/containers/aio:latest
     file:
       description: The path to your `Dockerfile`
       default: Dockerfile
@@ -169,7 +169,7 @@ spec:
       default: registry.hub.docker.com/anchore/syft:debug
     sbom-opts:
       description: Options for syft used for SBOM analysis
-      default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger
+      default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file
     hadolint-job-tags:
       description: tags to filter applicable runners for hadolint job
       type: array
@@ -249,7 +249,18 @@ workflow:
     # else (Ready MR): auto & failing
     - when: on_success
 
+# software delivery job prototype: run on production and integration branches + release pipelines
+.delivery-policy:
+  rules:
+    # on tag with release pattern
+    - if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
+    # on production or integration branch(es)
+    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+
 variables:
+  # Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs)
+  TBC_SBOM_MODE: "onrelease"
+
   DOCKER_HADOLINT_IMAGE: $[[ inputs.hadolint-image ]]
   DOCKER_IMAGE: $[[ inputs.image ]]
   DOCKER_DIND_IMAGE: $[[ inputs.dind-image ]]
@@ -283,6 +294,8 @@ variables:
   PROD_REF: '/^(master|main)$/'
   # default integration ref name (pattern)
   INTEG_REF: '/^develop$/'
+  # default release tag name (pattern)
+  RELEASE_REF: '/^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9-\.]+)?(\+[a-zA-Z0-9-\.]+)?$/'
 
   # don't use CI_PROJECT_TITLE, kaniko doesn't support space in argument right now (https://github.com/GoogleContainerTools/kaniko/issues/1231)
   DOCKER_METADATA: $[[ inputs.metadata ]]
@@ -372,6 +385,30 @@ stages:
     fi
   }
 
+  function maybe_install_awk() {
+    if ! command -v awk > /dev/null
+    then
+      if command -v apt-get > /dev/null
+      then
+        # Debian
+        apt-get update
+        apt-get install --no-install-recommends --yes --quiet awk
+      elif command -v apk > /dev/null
+      then
+        # Alpine
+        apk add --no-cache gawk
+      elif command -v dnf > /dev/null
+      then 
+        # Fedora
+        dnf install -y -q awk
+      else
+        log_error "... didn't find any supported package manager to install awk"
+        exit 1
+      fi
+    fi
+  }
+
+
   function unscope_variables() {
     _scoped_vars=$(env | awk -F '=' "/^scoped__[a-zA-Z0-9_]+=/ {print \$1}" | sort)
     if [[ -z "$_scoped_vars" ]]; then return; fi
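Review bot: `maybe_install_awk` pulls an unpinned package from the distro mirrors at job runtime via `apt-get`/`apk`/`dnf`, so the tool that later parses the environment and renders the registry config depends on network and mirror state at build time; if this fallback is kept, the header comment should state it is a last resort for custom images and that the default images already ship awk. The error branch uses `log_error` followed by `exit 1` while the rest of this script block uses `fail` (see the timeout handler further down); use `fail "... didn't find any supported package manager to install awk"` for consistency. Unless `set -e` is active in this block (not visible here), a failed `apt-get update` falls through to `apt-get install`; chain them with `&&`. There is also trailing whitespace after `then` in the dnf branch.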
@@ -558,9 +595,82 @@ stages:
     fail "... timeout reached: halt"
   }
 
-  function awkenvsubst() {
-    # performs variables escaping: '&' for gsub + JSON chars ('\' and '"')
-    awk '{while(match($0,"[$%]{[^}]*}")) {var=substr($0,RSTART+2,RLENGTH-3);val=ENVIRON[var];gsub(/["\\&]/,"\\\\&",val);gsub("[$%]{"var"}",val)}}1'
+  function tbc_envsubst() {
+    awk '
+      BEGIN {
+        count_replaced_lines = 0
+        # ASCII codes
+        for (i=0; i<=255; i++)
+          char2code[sprintf("%c", i)] = i
+      }
+      # determine encoding (from env or from file extension)
+      function encoding() {
+        enc = ENVIRON["TBC_ENVSUBST_ENCODING"]
+        if (enc != "")
+          return enc
+        if (match(FILENAME, /\.(json|yaml|yml)$/))
+          return "jsonstr"
+        return "raw"
+      }
+      # see: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
+      function uriencode(str) {
+        len = length(str)
+        enc = ""
+        for (i=1; i<=len; i++) {
+          c = substr(str, i, 1);
+          if (index("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.!~*'\''()", c))
+            enc = enc c
+          else
+            enc = enc "%" sprintf("%02X", char2code[c])
+        }
+        return enc
+      }
+      /# *nosubst/ {
+        print $0
+        next
+      }
+      {
+        orig_line = $0
+        line = $0
+        count_repl_in_line = 0
+        # /!\ 3rd arg (match) not supported in BusyBox awk
+        while (match(line, /[$%]\{([[:alnum:]_]+)\}/)) {
+          expr_start = RSTART
+          expr_len = RLENGTH
+          # get var name
+          var = substr(line, expr_start+2, expr_len-3)
+          # get var value (from env)
+          val = ENVIRON[var]
+          # check variable is set
+          if (val == "") {
+            printf("[\033[1;93mWARN\033[0m] Environment variable \033[33;1m%s\033[0m is not set or empty\n", var) > "/dev/stderr"
+          } else {
+            enc = encoding()
+            if (enc == "jsonstr") {
+              gsub(/["\\]/, "\\\\&", val)
+              gsub("\n", "\\n", val)
+              gsub("\r", "\\r", val)
+              gsub("\t", "\\t", val)
+            } else if (enc == "uricomp") {
+              val = uriencode(val)
+            } else if (enc == "raw") {
+            } else {
+              printf("[\033[1;93mWARN\033[0m] Unsupported encoding \033[33;1m%s\033[0m: ignored\n", enc) > "/dev/stderr"
+            }
+          }
+          # replace expression in line
+          line = substr(line, 1, expr_start - 1) val substr(line, expr_start + expr_len)
+          count_repl_in_line++
+        }
+        if (count_repl_in_line) {
+          if (count_replaced_lines == 0)
+            printf("[\033[1;94mINFO\033[0m] Variable expansion occurred in file \033[33;1m%s\033[0m:\n", FILENAME) > "/dev/stderr"
+          count_replaced_lines++
+          printf("> line %s: %s\n", NR, orig_line) > "/dev/stderr"
+        }
+        print line
+      }
+    ' "$@"
   }
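Review bot: When a referenced variable is unset or empty (the `val == ""` branch), `tbc_envsubst` only warns and still substitutes the empty string, so a missing credential in the Docker registry config that this function renders presumably ends up as an empty auth value and the failure surfaces later as an opaque registry error, or as an unintended anonymous push attempt. Consider a strict mode: `count_missing++` in that branch and `END { if (count_missing && ENVIRON["TBC_ENVSUBST_STRICT"] == "true") exit 1 }`, set by the config-rendering caller. The trace printed to stderr uses `orig_line`, i.e. the template before substitution, which keeps secret values out of the job log; a comment such as `# print the template line, never the expanded one: values may be secrets` would stop a later edit from switching it to `line`. In awk every non-parameter variable is global, so `uriencode` clobbers `enc`, `i`, `len` and `c` used by the main rule; declare them as extra parameters (`function uriencode(str,   len, enc, i, c)`) to make the locals explicit.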
 
   function configure_registries_auth() {
@@ -593,7 +703,7 @@ stages:
     mkdir -p "$BUILDTOOL_HOME/.docker"
     if [ -f "${DOCKER_CONFIG_FILE}" ]
     then
-      awkenvsubst < "${DOCKER_CONFIG_FILE}" > "$BUILDTOOL_HOME/.docker/config.json"
+      TBC_ENVSUBST_ENCODING=jsonstr tbc_envsubst "${DOCKER_CONFIG_FILE}" > "$BUILDTOOL_HOME/.docker/config.json"
     else
       echo "${docker_snapshot_config_json}" > "$BUILDTOOL_HOME/.docker/config.json"
     fi
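Review bot: The rendered `$BUILDTOOL_HOME/.docker/config.json` holds registry credentials but is created with the shell's default umask (typically world-readable) by the `>` redirections in both branches; add `chmod 600 "$BUILDTOOL_HOME/.docker/config.json"` after the if/else, or `umask 077` before the `mkdir -p`. `configure_registries_auth` starts and ends outside this hunk, so the fix lands just after the visible lines.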
@@ -632,6 +742,7 @@ stages:
 
   function init_workspace() {
     install_custom_ca_certs
+    maybe_install_awk
     unscope_variables
     eval_all_secrets
     configure_registries_auth
@@ -710,7 +821,7 @@ stages:
 .docker-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "6.1.0"]
+      command: ["--service", "docker", "6.1.7"]
   before_script:
     - !reference [.docker-scripts]
 
@@ -737,7 +848,7 @@ stages:
   extends: .docker-base
   image: $DOCKER_IMAGE
   variables:
-    # disable TLS between Docker client and Docker daemon : https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#tls-disabled
+    # disable TLS between Docker client and Docker daemon : https://docs.gitlab.com/ci/docker/using_docker_build/#tls-disabled
     DOCKER_HOST: tcp://docker:2375
     DOCKER_TLS_CERTDIR: ""
     # make visible DEFAULT_CA_CERTS and CUSTOM_CA_CERTS variables to the service (we MUST use different variable names)
@@ -746,7 +857,7 @@ stages:
     _TRACE: "${TRACE}"
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "6.1.0"]
+      command: ["--service", "docker", "6.1.7"]
     - name: $DOCKER_DIND_IMAGE
       alias: docker
       command:
@@ -1064,12 +1175,19 @@ docker-sbom:
       cyclonedx:
         - "reports/docker-sbom-*.cyclonedx.json"
   rules:
-    # exclude if disabled
+    # exclude if disabled (template specific)
     - if: '$DOCKER_SBOM_DISABLED == "true"'
       when: never
-    - !reference [.test-policy, rules]
+    # 'always' mode: run
+    - if: '$TBC_SBOM_MODE == "always"'
+    # exclude unsupported modes
+    - if: '$TBC_SBOM_MODE != "onrelease"'
+      when: never
+    # 'onrelease' mode: use common software delivery rules
+    - !reference [.delivery-policy, rules]
   tags: $[[ inputs.docker-sbom-job-tags ]]
 
+
 # ==================================================
 # Stage: publish
 # ==================================================
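Review bot: Any value of `TBC_SBOM_MODE` other than `always` or `onrelease` silently removes the SBOM job from the pipeline through the `when: never` rule, so a typo in a project variable switches off supply-chain evidence with no signal in the job list. Spell that out in the rule comment, e.g. `# any other value (typo?) silently disables SBOM generation: check the spelling of $TBC_SBOM_MODE`, or make the fallback the `onrelease` behaviour instead of `never` so a misspelling degrades rather than disables. The hunk also introduces two consecutive blank lines before the publish stage banner, which yamllint's `empty-lines` rule will flag.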