Skip to content
Snippets Groups Projects
Commit bbfc4eb5 authored by Benguria Elguezabal, Gorka's avatar Benguria Elguezabal, Gorka
Browse files

Merge remote-tracking branch 'upstream/master'

# Conflicts:
#	.gitlab-ci.yml
#	CHANGELOG.md
#	README.md
parents fa930147 c159d13e
No related branches found
No related tags found
No related merge requests found
Pipeline #169100 passed
# [5.12.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/compare/5.11.1...5.12.0) (2024-08-29)
# [6.0.0](https://gitlab.com/to-be-continuous/docker/compare/5.14.1...6.0.0) (2024-11-26)
### Code Refactoring
* **trivy:** enforce usage of Trivy environment variables ([e69ce13](https://gitlab.com/to-be-continuous/docker/commit/e69ce13565711b9dac8ee7b7105c8e9061bb3799))
### BREAKING CHANGES
* **trivy:** 4 Trivy configuration params removed in favor of the native Trivy environment variables
## [5.14.1](https://gitlab.com/to-be-continuous/docker/compare/5.14.0...5.14.1) (2024-11-02)
### Bug Fixes
* limit security reports access to developer role or higher ([29a3173](https://gitlab.com/to-be-continuous/docker/commit/29a3173e7393ad84df324a34cd8cdc17ab3cac14))
# [5.14.0](https://gitlab.com/to-be-continuous/docker/compare/5.13.3...5.14.0) (2024-11-01)
### Features
* **mirror:** add support for DOCKER_REGISTRY_MIRROR_USER/PASSWORD vars ([76c9d16](https://gitlab.com/to-be-continuous/docker/commit/76c9d1699fb5a6c03b827c8b035314e4873d173b))
## [5.13.3](https://gitlab.com/to-be-continuous/docker/compare/5.13.2...5.13.3) (2024-10-24)
### Bug Fixes
* set trivy artifact expiration ([5854b42](https://gitlab.com/to-be-continuous/docker/commit/5854b428f1007c7cde90ad836fba6b9cbcc2a251))
## [5.13.2](https://gitlab.com/to-be-continuous/docker/compare/5.13.1...5.13.2) (2024-10-04)
### Bug Fixes
* **trivy:** use --pkg-types instead of deprecated --vuln-type option ([76d0f3f](https://gitlab.com/to-be-continuous/docker/commit/76d0f3f506278028eebb3a526322ae205f347761))
## [5.13.1](https://gitlab.com/to-be-continuous/docker/compare/5.13.0...5.13.1) (2024-09-21)
### Bug Fixes
* allow Skopeo to inherit Docker auth config ([9bb198e](https://gitlab.com/to-be-continuous/docker/commit/9bb198ef051fc53decf5e7a79970c6a1f5204567))
# [5.13.0](https://gitlab.com/to-be-continuous/docker/compare/5.12.1...5.13.0) (2024-09-15)
### Features
* **trivy:** enable comprehensive priority ([d26a665](https://gitlab.com/to-be-continuous/docker/commit/d26a6659d9c184455f4c6473154621a50af4b6e9))
## [5.12.1](https://gitlab.com/to-be-continuous/docker/compare/5.12.0...5.12.1) (2024-09-12)
### Bug Fixes
* wrong default value for DOCKER_TRIVY_ARGS ([1b84a79](https://gitlab.com/to-be-continuous/docker/commit/1b84a792b86bcae5dec8e9a4c4d9f35deb55ee98))
# [5.12.0](https://gitlab.com/to-be-continuous/docker/compare/5.11.1...5.12.0) (2024-08-26)
### Features
......
......@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`:
```yaml
include:
# 1: include the component
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/docker/gitlab-ci-docker@5.12.0
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
# 2: set/override component inputs
inputs:
build-tool: buildah # ⚠ this is only an example
......@@ -28,7 +28,7 @@ Add the following to your `.gitlab-ci.yml`:
include:
# 1: include the template
- project: 'to-be-continuous/docker'
ref: '5.12.0'
ref: '6.0.0'
file: '/templates/gitlab-ci-docker.yml'
variables:
......@@ -136,6 +136,16 @@ If you use **different registries** for snapshot and release images, you shall u
| :lock: `DOCKER_REGISTRY_RELEASE_USER` | Docker registry username for release image registry |
| :lock: `DOCKER_REGISTRY_RELEASE_PASSWORD` | Docker registry password for release image registry |
#### Using a registry mirror during image builds
You can provide a URL for a mirror registry of `https://index.docker.io` for use during image builds (:warning: `kaniko` and `dind` options only), and optionally with credentials for the mirror, using the following variables:
| Input / Variable | Description |
| -------------------------------------------- | ------------------------------------------------ |
| `registry-mirror` / `DOCKER_REGISTRY_MIRROR` | URL of a Docker registry mirror to use |
| :lock: `DOCKER_REGISTRY_MIRROR_USER` | Docker registry username for the mirror registry |
| :lock: `DOCKER_REGISTRY_MIRROR_PASSWORD` | Docker registry password for the mirror registry |
#### Setting your own Docker configuration file (advanced)
There might be cases where you need to provide the complete [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#configuration-files):
......@@ -163,6 +173,8 @@ In addition to you own defined variables, you may use the following variables (p
- `${docker_snapshot_registry_host}`: the snapshot registry host (based on the configured `DOCKER_SNAPSHOT_IMAGE` variable)
- `${docker_release_authent_token}`: the authentication token required by the release registry (computed from configured `DOCKER_REGISTRY_RELEASE_USER` / `DOCKER_REGISTRY_RELEASE_PASSWORD` variables)
- `${docker_release_registry_host}`: the release registry host (based on the configured `DOCKER_RELEASE_IMAGE` variable)
- `${docker_mirror_authent_token}`: the authentication token required by the mirror registry (computed from configured `DOCKER_REGISTRY_MIRROR_USER` / `DOCKER_REGISTRY_MIRROR_PASSWORD` variables)
- `${docker_mirror_registry_host}`: the mirror registry host (based on the configured `DOCKER_REGISTRY_MIRROR` variable)
Example 1: Docker configuration file inlined in the project repository (`.docker/config.json`) with **dynamic variables replacement**:
......@@ -170,10 +182,10 @@ Example 1: Docker configuration file inlined in the project repository (`.docker
{
"auths": {
"${docker_snapshot_registry_host}": {
"auth": "${docker_release_authent_token}"
"auth": "${docker_snapshot_authent_token}"
},
"${docker_release_registry_host}": {
"auth": "${docker_snapshot_authent_token}"
"auth": "${docker_release_authent_token}"
},
"my-readonly-repo-to-pull": {
"auth": "${MY_OWN_REGISTRY_TOKEN}"
......@@ -285,11 +297,11 @@ FROM ubuntu
RUN cd /tmp && echo "hello!"
```
In addition to a textual report in the console, this job produces the following reports, kept for one day:
In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:
| Report | Format | Usage |
| -------------------------------------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `reports/docker-hadolint-*.native.json` | native hadolint test report (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#hadolint)<br/>_This report is generated only if DefectDojo template is detected_ |
| `reports/docker-hadolint-*.native.json` | native hadolint test report (json) | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/hadolint/)<br/>_This report is generated only if DefectDojo template is detected_ |
| `reports/docker-hadolint-*.codeclimate.json` | hadolint (GitLab) codeclimate format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality) |
### `docker-*-build` jobs
......@@ -310,7 +322,7 @@ It is bound to the `package-build` stage, and uses the following variables:
| `dind-build-job-tags` / `DOCKER_DIND_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
| `buildah-build-job-tags` / `DOCKER_BUILDAH_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)):
| Input / Variable | Description | Example |
| --------------------- | ------------------------------------------------------ | -------------------------------------------------------------- |
......@@ -401,15 +413,15 @@ In case your image takes quite some time to be downloaded by the runner, increas
### `docker-trivy` job
This job performs a Vulnerability Static Analysis with [Trivy](https://github.com/aquasecurity/trivy) on your built image.
This job performs a Vulnerability Static Analysis with [Trivy](https://aquasecurity.github.io/trivy) on your built image.
Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/v0.28.0/docs/references/modes/standalone/) mode.
Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/latest/docs/references/modes/standalone/) mode.
If you want to run Trivy in client/server mode, you need to set the `DOCKER_TRIVY_ADDR` environment variable.
If you want to run Trivy in client/server mode, you need to set the `TRIVY_SERVER` environment variable.
```yaml
variables:
DOCKER_TRIVY_ADDR: "https://trivy.acme.host"
TRIVY_SERVER: "https://trivy.acme.host"
```
It is bound to the `package-test` stage, and uses the following variables:
......@@ -425,12 +437,20 @@ It is bound to the `package-test` stage, and uses the following variables:
| `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)_ |
| `docker-trivy-job-tags` / `DOCKER_DOCKER_TRIVY_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
In addition to a textual report in the console, this job produces the following reports, kept for one day:
Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).
Examples:
* `TRIVY_SEVERITY`: severities of security issues to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)
* `TRIVY_SERVER`: server address (enables client/server mode)
* `TRIVY_DB_REPOSITORY`: OCI repository to retrieve Trivy Database from
* `TRIVY_JAVA_DB_REPOSITORY`: OCI repository to retrieve Trivy Java Database from
In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:
| Report | Format | Usage |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ |
| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) |
| `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/trivy/)<br/>_This report is generated only if DefectDojo template is detected_ |
| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) |
### `docker-sbom` job
......@@ -459,7 +479,7 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt
| `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration) | _none_ (enabled) |
| `docker-publish-job-tags` / `DOCKER_DOCKER_PUBLISH_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)):
| Input / Variable | Description | Example |
| --------------------- | ----------------------------------------------------- | ----------------------------------------------------- |
......@@ -551,7 +571,7 @@ Here is a `.gitlab-ci.yaml` using an external Docker registry:
```yaml
include:
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
inputs:
snapshot-image: "registry.acme.host/$CI_PROJECT_NAME/snapshot:$CI_COMMIT_REF_SLUG"
release-image: "registry.acme.host/$CI_PROJECT_NAME:$CI_COMMIT_REF_NAME"
......@@ -566,7 +586,7 @@ Here is a `.gitlab-ci.yaml` that builds 2 Docker images from the same project (u
```yaml
include:
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
.docker-base:
parallel:
......@@ -594,10 +614,12 @@ In order to be able to communicate with the Vault server, the variant requires t
| Input / Variable | Description | Default value |
| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- |
| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` |
| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url | _none_ |
| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url | **must be defined** |
| `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |
By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
#### Usage
......@@ -619,14 +641,13 @@ With:
```yaml
include:
# main template
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
# Vault variant
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-vault@5.7.0
inputs:
# audience claim for JWT
vault-oidc-aud: "https://vault.acme.host"
vault-base-url: "https://vault.acme.host/v1"
# $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
variables:
# Secrets managed by Vault
......@@ -668,7 +689,7 @@ to use the snapshot image repository (will host your snapshot image as well as c
```yaml
include:
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
inputs:
build-tool: "kaniko" # Only Kaniko has been proved to work for this use case YET
# untested & unverified container image
......@@ -741,7 +762,7 @@ then set the required configuration.
```yaml
include:
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
inputs:
# untested & unverified container image
snapshot-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH_SLUG/snapshot:$CI_COMMIT_REF_SLUG"
......
......@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then
log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
# replace in README
sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\/ref: \$nextVer\/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
mv -f README.md.next README.md
# replace in template and variants
......
......@@ -216,7 +216,7 @@
{
"id": "trivy",
"name": "Trivy",
"description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis",
"description": "[Trivy](https://aquasecurity.github.io/trivy) vulnerability analysis",
"disable_with": "DOCKER_TRIVY_DISABLED",
"variables": [
{
......@@ -225,32 +225,10 @@
"default": "registry.hub.docker.com/aquasec/trivy:latest",
"advanced": true
},
{
"name": "DOCKER_TRIVY_ADDR",
"type": "url",
"description": "The Trivy server address"
},
{
"name": "DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD",
"type": "enum",
"values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"],
"description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
"default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
},
{
"name": "DOCKER_TRIVY_ARGS",
"description": "Additional `trivy client` arguments",
"default": "--ignore-unfixed --vuln-type os --exit-on-eol 1",
"advanced": true
},
{
"name": "DOCKER_TRIVY_DB_REPOSITORY",
"description": "OCI repository to retrieve Trivy Database from",
"advanced": true
},
{
"name": "DOCKER_TRIVY_JAVA_DB_REPOSITORY",
"description": "OCI repository to retrieve Trivy Java Database from",
"description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)",
"default": "--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive",
"advanced": true
},
{
......
......@@ -45,7 +45,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "5.12.0"]
command: ["--service", "docker", "6.0.0"]
- name: "$TBC_AWS_PROVIDER_IMAGE"
alias: "aws-auth-provider"
id_tokens:
......
......@@ -44,7 +44,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "5.12.0"]
command: ["--service", "docker", "6.0.0"]
- name: "$TBC_GCP_PROVIDER_IMAGE"
alias: "gcp-auth-provider"
variables:
......
......@@ -22,7 +22,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "5.12.0"]
command: ["--service", "docker", "6.0.0"]
- name: "$TBC_VAULT_IMAGE"
alias: "vault-secrets-provider"
variables:
......
......@@ -158,27 +158,9 @@ spec:
trivy-image:
description: The docker image used to scan images with Trivy
default: registry.hub.docker.com/aquasec/trivy:latest
trivy-addr:
description: The Trivy server address
default: ''
trivy-security-level-threshold:
description: 'Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
options:
- UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- LOW,MEDIUM,HIGH,CRITICAL
- MEDIUM,HIGH,CRITICAL
- HIGH,CRITICAL
- CRITICAL
default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
trivy-args:
description: Additional `trivy client` arguments
default: --ignore-unfixed --vuln-type os --exit-on-eol 1
trivy-db-repository:
description: Custom OCI repository to retrieve Trivy Database from
default: ''
trivy-java-db-repository:
description: Custom Java DB repository path
default: ''
description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)
default: --ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive
sbom-disabled:
description: Disable Software Bill of Materials
type: boolean
......@@ -287,11 +269,9 @@ variables:
DOCKER_SNAPSHOT_IMAGE: $[[ inputs.snapshot-image ]]
DOCKER_RELEASE_IMAGE: $[[ inputs.release-image ]]
DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]
DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]
DOCKER_TRIVY_JAVA_DB_REPOSITORY: $[[ inputs.trivy-java-db-repository ]]
DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
# SBOM genenration image and arguments
DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]
......@@ -327,8 +307,6 @@ variables:
DOCKER_HEALTHCHECK_DISABLED: $[[ inputs.healthcheck-disabled ]]
DOCKER_HEALTHCHECK_OPTIONS: $[[ inputs.healthcheck-options ]]
DOCKER_HEALTHCHECK_CONTAINER_ARGS: $[[ inputs.healthcheck-container-args ]]
DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
DOCKER_TRIVY_ADDR: $[[ inputs.trivy-addr ]]
DOCKER_SBOM_DISABLED: $[[ inputs.sbom-disabled ]]
# ==================================================
......@@ -551,6 +529,22 @@ stages:
done
}
# simple JSON merge (used in Skopeo job only)
function merge_json() {
python3 -c "import json,sys
def merge(a,b):
for key in b:
if key in a and isinstance(a[key],dict) and isinstance(b[key],dict): a[key]=merge(a[key],b[key])
else: a[key]=b[key]
return a
def mergef(*files):
res={}
for f in files:
with open(f,'r') as rd: res=merge(res,json.load(rd))
return res
print(json.dumps(mergef(*sys.argv[1:])))" "$@"
}
function wait_for_docker_daemon() {
log_info "Wait for Docker daemon..."
# shellcheck disable=SC2034
......@@ -582,8 +576,19 @@ stages:
export docker_release_authent_token
export docker_release_registry_host
docker_snapshot_config_json=$(echo -n "{\"auths\":{\"$docker_snapshot_registry_host\":{\"auth\":\"$docker_snapshot_authent_token\"},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}}")
docker_release_config_json=$(echo -n "{\"auths\":{\"$docker_release_registry_host\":{\"auth\":\"$docker_release_authent_token\"},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}}")
if [[ -n "$DOCKER_REGISTRY_MIRROR" && -n "$DOCKER_REGISTRY_MIRROR_USER" ]]
then
docker_mirror_authent_token=$(echo -n "$DOCKER_REGISTRY_MIRROR_USER:$DOCKER_REGISTRY_MIRROR_PASSWORD" | base64 | tr -d '\n')
# shellcheck disable=SC2001
docker_mirror_registry_host=$(echo "$DOCKER_REGISTRY_MIRROR" | sed "s|^https*://||" | cut -d/ -f1)
export docker_mirror_authent_token
export docker_mirror_registry_host
docker_mirror_config_json="\"$docker_mirror_registry_host\":{\"auth\":\"$docker_mirror_authent_token\"},"
fi
docker_snapshot_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_snapshot_registry_host\":{\"auth\":\"$docker_snapshot_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}")
docker_release_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_release_registry_host\":{\"auth\":\"$docker_release_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}")
# Create the configuration file for Docker and Kaniko
BUILDTOOL_HOME=${BUILDTOOL_HOME:-$HOME}
......@@ -595,10 +600,16 @@ stages:
echo "${docker_snapshot_config_json}" > "$BUILDTOOL_HOME/.docker/config.json"
fi
# Create the configuration file for Skopeo
# Create the configuration files for Skopeo
if command -v skopeo > /dev/null
then
mkdir -p "$BUILDTOOL_HOME/skopeo/.docker"
echo "${docker_snapshot_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/src-config.json"
echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json"
# use same auth config as the build tool for the source image
cp -f "$BUILDTOOL_HOME/.docker/config.json" "$BUILDTOOL_HOME/skopeo/.docker/src-config.json"
# use a merged auth config for the destination image
echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/release-only.json"
merge_json "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json"
fi
log_info "Docker authentication configured for \\e[33;1m${docker_snapshot_registry_host}\\e[0m"
}
......@@ -701,7 +712,7 @@ stages:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "5.12.0"]
command: ["--service", "docker", "6.0.0"]
before_script:
- !reference [.docker-scripts]
......@@ -737,7 +748,7 @@ stages:
_TRACE: "${TRACE}"
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "5.12.0"]
command: ["--service", "docker", "6.0.0"]
- name: $DOCKER_DIND_IMAGE
alias: docker
command:
......@@ -786,6 +797,7 @@ docker-hadolint:
artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 day
access: developer
when: always
reports:
codequality:
......@@ -998,27 +1010,23 @@ docker-trivy:
export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
mkdir -p ./reports
if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY}
export trivy_opts="image"
else
log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"
export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}"
fi
# Add common trivy arguments
# The Java DB is downloaded client-side in client/server mode (https://github.com/aquasecurity/trivy/issues/3560), so we need to specify the Java DB repository
export trivy_opts="${trivy_opts} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"
# GitLab format (no fail)
trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $DOCKER_SNAPSHOT_IMAGE
# JSON format (no fail)
if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
then
trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE
if [[ -z "$TRIVY_SERVER" ]]; then
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
fi
# console output (fail)
trivy ${trivy_opts} --format table --exit-code 1 $DOCKER_SNAPSHOT_IMAGE
# Generate the native JSON report that can later be converted to other formats
trivy image --no-progress ${DOCKER_TRIVY_ARGS} --exit-code 1 --format json --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE || exit_code=$?
# Generate a report in the GitLab format
trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json reports/docker-trivy-${basename}.native.json
# console output
trivy convert --format table reports/docker-trivy-${basename}.native.json
exit $exit_code
artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 day
access: developer
when: always
paths:
- "reports/docker-trivy-*"
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment