diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d590e758c1e7dd31a024b334b59bf5f9c98c6c2e
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,91 @@
+image: docker:stable
+services:
+- docker:dind
+
+stages:
+ - build
+ - static_tests
+ - dynamic_tests
+
+build:
+ stage: build
+ before_script:
+ - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
+ - apk update
+ - apk add git
+ - chmod +x get-modified-image.sh
+ - export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh)
+ - export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1)
+ - echo -e "Building container $MODIFIED_IMAGE"
+ script:
+ - docker build -f $MODIFIED_IMAGE/Dockerfile $MODIFIED_IMAGE -t $REGISTRY/ci-builds/$CI_COMMIT_SHA
+ - docker push $REGISTRY/ci-builds/$CI_COMMIT_SHA
+ after_script:
+ - docker logout $REGISTRY
+ tags: [build]
+ only:
+ changes:
+ - pica-etherpad/*
+
+clair:
+ stage: static_tests
+ before_script:
+ - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
+ - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
+ - apk update
+ - apk add git
+ - chmod +x get-modified-image.sh
+ - export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh)
+ - export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1)
+ - echo -e "Performing static analysis for container $MODIFIED_IMAGE"
+ script:
+ - docker run -d --name db arminc/clair-db:latest
+ - docker run -p 6060:6060 -d --link db:postgres --name clair --restart on-failure arminc/clair-local-scan:v2.0.6
+ - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
+ - mv clair-scanner_linux_amd64 clair-scanner
+ - chmod +x clair-scanner
+ - echo "Waiting for Clair daemon to start"
+ - while( ! 
wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
+ - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r clair-report.json -l clair.log -w $MODIFIED_IMAGE/clair-whitelist.yml --threshold="High" $REGISTRY/ci-builds/$CI_COMMIT_SHA
+ artifacts:
+ paths:
+ - clair-report.json
+ - clair.log
+ after_script:
+ - docker logout $REGISTRY
+ tags: [build]
+ only:
+ changes:
+ - pica-etherpad/*
+ allow_failure: false
+
+docker-bench-security:
+ stage: dynamic_tests
+ before_script:
+ - apk update
+ - apk add wget py-pip git iproute2
+ - pip install docker-compose
+ - chmod +x get-modified-image.sh
+ - export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh)
+ - export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1)
+ - sed -i -e "s/$MODIFIED_IMAGE_FULL/$REGISTRY\/ci-builds\/$CI_COMMIT_SHA:latest/g" pica-etherpad/docker-compose.yml
+ - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
+ - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
+ script:
+ - if [[ -d $MODIFIED_IMAGE/secrets ]]; then for i in $MODIFIED_IMAGE/secrets/* ; do cp $i $(echo $i| cut -d '.' -f1,2); done; fi;
+ - cd $MODIFIED_IMAGE
+ - docker-compose up -d
+ - git clone https://github.com/docker/docker-bench-security.git
+ - cd docker-bench-security
+ - sh docker-bench-security.sh -c container_images,container_runtime,docker_security_operations -e check_5_12,check_4_1 -l ../../report.txt
+ artifacts:
+ paths:
+ - report.txt
+ after_script:
+ - docker logout $REGISTRY
+ tags: [build]
+ only:
+ changes:
+ - pica-etherpad/*
+ allow_failure: true
+
diff --git a/get-modified-image.sh b/get-modified-image.sh
index 63c828b338baa9f84f80ca0369ffed0e1187408c..e2b71fb670ae6d66dea1f471f388d761c551364b 100644
--- a/get-modified-image.sh
+++ b/get-modified-image.sh
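Review bot: The clair job fetches `clair-scanner_linux_amd64` with a bare `wget` from a GitHub release and then executes it (`chmod +x clair-scanner`, `./clair-scanner ...`) with no integrity check, so whatever that URL serves on a given day runs on a runner that has the docker socket via `docker:dind`; the docker-bench-security job likewise clones `docker-bench-security.git` at its unpinned default branch and runs the script straight from it. Verify the scanner against the digest published with the release before running it, e.g. `echo "<sha256 from the v8 release>  clair-scanner" | sha256sum -c -` right after the `mv`, and clone docker-bench-security at a tag, `git clone --branch <tag> --depth 1 https://github.com/docker/docker-bench-security.git`. The readiness loop `while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done` has no upper bound, so a Clair container that never comes up keeps the job running until the runner's own timeout; a counter that fails the job after a fixed number of attempts would surface that instead of hiding it. `arminc/clair-db:latest` and `docker:stable` are mutable tags as well, so two runs of the same commit can scan with different tooling and different vulnerability data, which is worth stating in a comment next to those lines if it is accepted.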
@@ -9,4 +9,5 @@ for i in $(git diff-tree --no-commit-id --name-only $CI_COMMIT_SHA); do
 RES=$i
 fi
 done
-echo $RES
+RES=$(cat $RES/docker-compose.yml | grep image: | head -n1 | cut -d ':' -f2-)
+echo $RES
\ No newline at end of file
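Review bot: The new `RES=$(cat $RES/docker-compose.yml | grep image: | head -n1 | cut -d ':' -f2-)` line runs even when the loop above never set `RES`, so an empty `RES` becomes `cat /docker-compose.yml`, an error on stderr and an empty result, and because the final `echo $RES` exits 0 the CI jobs that do `export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh)` continue with an empty image name (`docker build -f /Dockerfile` in the build job); the enclosing `for` loop starts before this hunk, so whether that case is reachable depends on its condition. Guard the lookup so the script fails loudly instead, e.g. `[ -n "$RES" ] && [ -f "$RES/docker-compose.yml" ] || { echo "no modified image directory found" >&2; exit 1; }` placed before the new line, and quote `"$RES"` in the `cat` so a path with spaces or glob characters is not split. `grep image:` also matches any line containing that text, including a commented-out one, and `head -n1` takes only the first service; if that is intended it deserves a comment such as `# first "image:" line of the compose file names the image under test`.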