diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a8b6a3a782cb6312caae08d44c51cec649613196..7371d78735a73958aa0384b68d3d4dc17162fe06 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -10,7 +10,7 @@ include: file: '/templates/validation.yml' - project: 'to-be-continuous/bash' ref: '3.3' - file: 'templates/gitlab-ci-bash.yml' + file: '/templates/gitlab-ci-bash.yml' - project: 'to-be-continuous/semantic-release' ref: '3.7' file: '/templates/gitlab-ci-semrel.yml' diff --git a/README.md b/README.md index 34337fc261c89014427988d080fdac45c8dd6015..01f64df41a00f13b6305d96ccee1d8f1381daead 100644 --- a/README.md +++ b/README.md @@ -7,13 +7,35 @@ security vulnerabilities as early as possible. ## Usage -In order to include this template in your project, add the following to your `gitlab-ci.yml`: +This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component-in-a-cicd-configuration) or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax. + +### Use as a CI/CD component + +Add the following to your `gitlab-ci.yml`: + +```yaml +include: + # 1: include the component + - component: gitlab.com/to-be-continuous/sonar/gitlab-ci-sonar@4.1.1 + # 2: set/override component inputs + inputs: + host-url: https://sonarqube.acme.host # ⚠ this is only an example +``` + +### Use as a CI/CD template (legacy) + +Add the following to your `gitlab-ci.yml`: ```yaml include: + # 1: include the template - project: 'to-be-continuous/sonar' ref: '4.1.1' file: '/templates/gitlab-ci-sonar.yml' + +variables: + # 2: set/override template variables + SONAR_HOST_URL: https://sonarqube.acme.host # ⚠ this is only an example ``` ## SonarQube analysis job @@ -22,17 +44,17 @@ This job performs a SonarQube analysis of your code. It is bound to the `test` stage, and uses the following variables: -| Name | Description | Default value | +| Input / Variable | Description | Default value | | ------------------------ | ------------------------------- | ----------------------------- | -| `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` | -| `SONAR_HOST_URL` | SonarQube server url | _none_ (disabled) | -| `SONAR_PROJECT_KEY` | SonarQube Project Key (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH_SLUG` (see below) | -| `SONAR_PROJECT_NAME` | SonarQube Project Name (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH` (see below) | +| `scanner-image` / `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` | +| `host-url` / `SONAR_HOST_URL` | SonarQube server url | _none_ (disabled) | +| `project-key` / `SONAR_PROJECT_KEY` | SonarQube Project Key (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH_SLUG` (see below) | +| `project-name` / `SONAR_PROJECT_NAME` | SonarQube Project Name (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH` (see below) | | :lock: `SONAR_TOKEN` | SonarQube authentication [token](https://docs.sonarqube.org/latest/user-guide/user-token/) (depends on your authentication method) | _none_ | | :lock: `SONAR_LOGIN` | SonarQube login (depends on your authentication method) | _none_ | | :lock: `SONAR_PASSWORD` | SonarQube password (depends on your authentication method) | _none_ | -| `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/) | `-Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` | -| `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._ | _none_ (disabled) | +| `base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/) | `-Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` | +| `quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._ | _none_ (disabled) | ### Automatic Branch Analysis & Merge Request Analysis @@ -65,11 +87,11 @@ This variant allows delegating your secrets management to a [Vault](https://www. In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters: -| Name | Description | Default value | +| Input / Variable | Description | Default value | | ----------------- | -------------------------------------- | ----------------- | | `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` | -| `VAULT_BASE_URL` | The Vault server base API url | _none_ | -| `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` | +| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url | _none_ | +| `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` | | :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** | | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** | @@ -83,7 +105,7 @@ Then you may retrieve any of your secret(s) from Vault using the following synta With: -| Name | Description | +| Parameter | Description | | -------------------------------- | -------------------------------------- | | `secret_path` (_path parameter_) | this is your secret location in the Vault server | | `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload | @@ -93,19 +115,16 @@ With: ```yaml include: # main template - - project: 'to-be-continuous/sonar' - ref: '4.1.1' - file: '/templates/gitlab-ci-sonar.yml' + - component: gitlab.com/to-be-continuous/sonar/gitlab-ci-sonar@4.1.1 # Vault variant - - project: 'to-be-continuous/sonar' - ref: '4.1.1' - file: '/templates/gitlab-ci-sonar-vault.yml' + - component: gitlab.com/to-be-continuous/sonar/gitlab-ci-sonar-vault@4.1.1 + inputs: + # audience claim for JWT + vault-oidc-aud: "https://vault.acme.host" + vault-base-url: "https://vault.acme.host/v1" variables: - # audience claim for JWT - VAULT_OIDC_AUD: "https://vault.acme.host" - # Secrets managed by Vault - SONAR_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/sonar?field=token" - VAULT_BASE_URL: "https://vault.acme.host/v1" - # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable + # Secrets managed by Vault + SONAR_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/sonar?field=token" + # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable ``` diff --git a/bumpversion.sh b/bumpversion.sh index f06829a406ca8da98e570e8ad7d8bb22367b668d..ed44d7b68b0e09f6d2cf557f7a15e52553246341 100755 --- a/bumpversion.sh +++ b/bumpversion.sh @@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..." # replace in README - sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next + sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next mv -f README.md.next README.md # replace in template and variants for tmpl in templates/*.yml do - sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next" + sed -e "s/command: *\[\"--service\", \"\(.*\)\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next" mv -f "$tmpl.next" "$tmpl" done else diff --git a/kicker.json b/kicker.json index 1a9f529cff672f2e6d23b1e0c0ed5a56f7ccb7b3..a7e7e953f5c1a1aa98ac2a0fedd85815bc8af1e6 100644 --- a/kicker.json +++ b/kicker.json @@ -3,6 +3,8 @@ "description": "Continuously inspect your codebase with [SonarQube](https://www.sonarqube.org/)", "template_path": "templates/gitlab-ci-sonar.yml", "kind": "analyse", + "prefix": "sonar", + "is_component": true, "variables": [ { "name": "SONAR_SCANNER_IMAGE", diff --git a/logo.png b/logo.png index 03783f50a774279a3ca061a99efd380162b4af89..96b4ff541eeaba6a8d8e8fc3371995f58b6ef0ee 100644 Binary files a/logo.png and b/logo.png differ diff --git a/templates/gitlab-ci-sonar-vault.yml b/templates/gitlab-ci-sonar-vault.yml index 3746bad020f58e0e5ae107163031e25f8e4cb4f4..f2aace5dbde49bf23c8cfc56430123e44879bb5e 100644 --- a/templates/gitlab-ci-sonar-vault.yml +++ b/templates/gitlab-ci-sonar-vault.yml @@ -1,13 +1,23 @@ # ===================================================================================================================== # === Vault template variant # ===================================================================================================================== +spec: + inputs: + vault-base-url: + description: The Vault server base API url + default: '' + vault-oidc-aud: + description: The `aud` claim for the JWT + default: $CI_SERVER_URL +--- variables: # variabilized vault-secrets-provider image - TBC_VAULT_IMAGE: "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master" + TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master # variables have to be explicitly declared in the YAML to be exported to the service VAULT_ROLE_ID: "$VAULT_ROLE_ID" VAULT_SECRET_ID: "$VAULT_SECRET_ID" - VAULT_OIDC_AUD: "$CI_SERVER_URL" + VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]] + VAULT_BASE_URL: $[[ inputs.vault-base-url ]] sonar: services: diff --git a/templates/gitlab-ci-sonar.yml b/templates/gitlab-ci-sonar.yml index 4d7fd8481f24efdf4dd3438a6041c632ba2bfb30..f75fe67ec71373e4e129c7b7ab41a6f6ab4d65ff 100644 --- a/templates/gitlab-ci-sonar.yml +++ b/templates/gitlab-ci-sonar.yml @@ -14,6 +14,34 @@ # Floor, Boston, MA 02110-1301, USA. # ========================================================================================= # default workflow rules: Merge Request pipelines +spec: + inputs: + scanner-image: + description: The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/) + default: registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest + host-url: + description: SonarQube server url + default: '' + project-key: + description: SonarQube Project Key (might also be set in the `sonar-project.properties` file) + default: '' + project-name: + description: SonarQube Project Name (might also be set in the `sonar-project.properties` file) + default: '' + base-args: + description: SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/) + default: >- + -Dsonar.links.homepage=${CI_PROJECT_URL} + -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines + -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues + quality-gate-enabled: + description: |- + Enables SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification. + + _Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._ + type: boolean + default: false +--- workflow: rules: # prevent branch pipeline when an MR is open (prefer MR pipeline) @@ -56,23 +84,23 @@ workflow: variables: # variabilized tracking image - TBC_TRACKING_IMAGE: "registry.gitlab.com/to-be-continuous/tools/tracking:master" + TBC_TRACKING_IMAGE: registry.gitlab.com/to-be-continuous/tools/tracking:master # Sonar - SONAR_SCANNER_IMAGE: "registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest" - + SONAR_SCANNER_IMAGE: $[[ inputs.scanner-image ]] + SONAR_HOST_URL: $[[ inputs.host-url ]] + SONAR_PROJECT_KEY: $[[ inputs.project-key ]] + SONAR_PROJECT_NAME: $[[ inputs.project-name ]] + SONAR_QUALITY_GATE_ENABLED: $[[ inputs.quality-gate-enabled ]] # Sonar base analysis default args # see: https://docs.sonarqube.org/latest/analysis/analysis-parameters/ # default uses branch analysis: https://docs.sonarqube.org/latest/branches/overview/ - SONAR_BASE_ARGS: >- - -Dsonar.links.homepage=${CI_PROJECT_URL} - -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines - -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues + SONAR_BASE_ARGS: $[[ inputs.base-args ]] # default production ref name (pattern) - PROD_REF: '/^(master|main)$/' + PROD_REF: /^(master|main)$/ # default integration ref name (pattern) - INTEG_REF: '/^develop$/' + INTEG_REF: /^develop$/ stages: - build