diff --git a/README.md b/README.md
index 94a1b8715342daa3fedcbad5ce19c7395baa6741..e0ff646bf3ba174db704b70b952e0564aecd63f2 100644
--- a/README.md
+++ b/README.md
@@ -34,8 +34,8 @@ The Docker template uses some global configuration used throughout all jobs.
 | --------------------- | -------------------------------------- | ----------------- |
 | `DOCKER_DIND_BUILD` | Set to enable Docker-in-Docker build (:warning: unsecured, requires privileged runners). | _(none)_ (kaniko build by default) |
 | `DOCKER_KANIKO_IMAGE` | The Docker image used to run kaniko - _for kaniko build only_ | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab) |
-| `DOCKER_IMAGE` | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `docker:latest` |
-| `DOCKER_DIND_IMAGE` | The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `docker:dind` |
+| `DOCKER_IMAGE` | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:latest` |
+| `DOCKER_DIND_IMAGE` | The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:dind` |
 | `DOCKER_FILE` | The path to your `Dockerfile` | `./Dockerfile` |
 | `DOCKER_CONTEXT_PATH` | The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) | _none_ _only set if you want a context path different from the Dockerfile location_ |
@@ -247,7 +247,7 @@ It is bound to the `build` stage, and uses the following variables:
 | Name | Description | Default value |
 | --------------------- | -------------------------------------- | --------------------------------------- |
-| `DOCKER_LINT_IMAGE` | The dockerlint image | `projectatomic/dockerfile-lint:latest` |
+| `DOCKER_LINT_IMAGE` | The dockerlint image | `registry.hub.docker.com/projectatomic/dockerfile-lint:latest` |
 | `DOCKER_LINT_ARGS` | Additional `dockerfile_lint` arguments | _(none)_ |
 In case you have to disable some rules, copy and edit the [rules](https://github.com/projectatomic/dockerfile_lint#extending-and-customizing-rule-files) into `mycustomdockerlint.yml` and set `DOCKER_LINT_ARGS: '-r mycustomdockerlint.yml'`
@@ -260,7 +260,7 @@ It is bound to the `build` stage, and uses the following variables:
 | Name | Description | Default value |
 | -------------------------- | -------------------------------------- | --------------------------------------- |
-| `DOCKER_HADOLINT_IMAGE` | The Hadolint image | `hadolint/hadolint:latest-alpine` |
+| `DOCKER_HADOLINT_IMAGE` | The Hadolint image | `registry.hub.docker.com/hadolint/hadolint:latest-alpine` |
 | `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments | _(none)_ |
 In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
@@ -384,7 +384,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | Name | Description | Default value |
 | ---------------------- | -------------------------------------- | ----------------- |
-| `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `aquasec/trivy:latest` |
+| `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `registry.hub.docker.com/aquasec/trivy:latest` |
 | `DOCKER_TRIVY_ADDR` | The Trivy server address (for client/server mode) | _(none: standalone mode)_ |
 | `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`| Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
 | `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis | _(none)_ |
@@ -406,7 +406,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | Name | description | default value |
 | --------------------- | -------------------------------------- | ----------------- |
 | `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
-| `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `anchore/syft:debug` |
+| `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug` |
 | `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger` |
 ### `docker-publish` job
diff --git a/kicker.json b/kicker.json
index 2fe44d4879741969490a385a6f2ce186ba8b4bd8..b25df87fc97c2c93b3f4c356e8d7c9a8044bca61 100644
--- a/kicker.json
+++ b/kicker.json
@@ -12,12 +12,12 @@
     {
       "name": "DOCKER_IMAGE",
       "description": "The Docker image used to run the docker client\n\n_for Docker-in-Docker build only_",
-      "default": "docker:latest"
+      "default": "registry.hub.docker.com/library/docker:latest"
     },
     {
       "name": "DOCKER_DIND_IMAGE",
       "description": "The Docker image used to run the Docker daemon\n\n_for Docker-in-Docker build only_",
-      "default": "docker:dind"
+      "default": "registry.hub.docker.com/library/docker:dind"
     },
     {
       "name": "DOCKER_SKOPEO_IMAGE",
@@ -90,7 +90,7 @@
     {
       "name": "DOCKER_LINT_IMAGE",
       "description": "The docker image to lint your Dockerfile",
-      "default": "projectatomic/dockerfile-lint:latest"
+      "default": "registry.hub.docker.com/projectatomic/dockerfile-lint:latest"
     },
     {
       "name": "DOCKER_LINT_ARGS",
@@ -108,7 +108,7 @@
     {
       "name": "DOCKER_HADOLINT_IMAGE",
       "description": "The docker image to lint your Dockerfile with Hadolint",
-      "default": "hadolint/hadolint:latest-alpine"
+      "default": "registry.hub.docker.com/hadolint/hadolint:latest-alpine"
     },
     {
       "name": "DOCKER_HADOLINT_ARGS",
@@ -157,7 +157,7 @@
     {
       "name": "DOCKER_TRIVY_IMAGE",
       "description": "The docker image used to scan images with Trivy",
-      "default": "aquasec/trivy:latest",
+      "default": "registry.hub.docker.com/aquasec/trivy:latest",
       "advanced": true
     },
     {
@@ -188,7 +188,7 @@
       "variables": [
         {
           "name": "DOCKER_SBOM_IMAGE",
-          "default": "anchore/syft:debug"
+          "default": "registry.hub.docker.com/anchore/syft:debug"
         },
         {
           "name": "DOCKER_SBOM_OPTS",
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index b486e4b09cd987482df726ef6af79db423b182e9..17433af15e821ef1656869739a315a471679fb64 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -44,10 +44,10 @@ variables:
   # variabilized tracking image
   TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"
-  DOCKER_LINT_IMAGE: "projectatomic/dockerfile-lint:latest"
-  DOCKER_HADOLINT_IMAGE: "hadolint/hadolint:latest-alpine"
-  DOCKER_IMAGE: "docker:latest"
-  DOCKER_DIND_IMAGE: "docker:dind"
+  DOCKER_LINT_IMAGE: "registry.hub.docker.com/projectatomic/dockerfile-lint:latest"
+  DOCKER_HADOLINT_IMAGE: "registry.hub.docker.com/hadolint/hadolint:latest-alpine"
+  DOCKER_IMAGE: "registry.hub.docker.com/library/docker:latest"
+  DOCKER_DIND_IMAGE: "registry.hub.docker.com/library/docker:dind"
   DOCKER_KANIKO_IMAGE: "gcr.io/kaniko-project/executor:debug"
   DOCKER_SKOPEO_IMAGE: "quay.io/skopeo/stable:latest"
@@ -66,11 +66,11 @@ variables:
   DOCKER_KANIKO_VERBOSITY: "info"
   DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
-  DOCKER_TRIVY_IMAGE: "aquasec/trivy:latest"
+  DOCKER_TRIVY_IMAGE: "registry.hub.docker.com/aquasec/trivy:latest"
   DOCKER_TRIVY_ARGS: "--ignore-unfixed --vuln-type os"
   # SBOM genenration image and arguments
-  DOCKER_SBOM_IMAGE: anchore/syft:debug
+  DOCKER_SBOM_IMAGE: "registry.hub.docker.com/anchore/syft:debug"
   DOCKER_SBOM_OPTS: "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger"
   # by default: DevOps pipeline
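Review bot: Every image the new lines reference is still selected by a floating tag (`latest`, `latest-alpine`, `dind`, `debug`), so qualifying the registry host fixes which registry is consulted but not which content is pulled; anyone able to push or retag in those Docker Hub repositories changes what the pipeline runs, and for `DOCKER_DIND_IMAGE` that content runs as a privileged daemon on the runner. Pinning each default to a version tag plus digest, in the form `DOCKER_IMAGE: "registry.hub.docker.com/library/docker:<version>@sha256:<digest>"`, with a bot refreshing the digests, would make the defaults reproducible and let the Trivy/syft jobs scan a known input. Also worth checking: GitLab `DOCKER_AUTH_CONFIG` credentials are matched by registry host, so users who configured Docker Hub credentials under the `docker.io`/`index.docker.io` key to avoid anonymous pull rate limits may find these pulls now go unauthenticated — a README line naming `registry.hub.docker.com` as the host to configure would avoid that surprise. The `variables:` mapping these hunks edit starts before the first hunk and continues past the last.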