# Global job variables.
# Submodules are cloned recursively into every job, so the commits pinned in
# .gitmodules are part of what gets tested, scanned and built here.
variables:
  GIT_SUBMODULE_STRATEGY: "recursive"
# Stage order. Jobs that declare `needs` start as soon as the listed jobs
# finish and do not wait for earlier stages, so a stage boundary on its own
# is not a gate; the gate is whatever a job lists in `needs`.
stages:
  - test
  - tag
  - build
  - container-scanning
  - publish
  - sign
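# Hidden job that only exists to hold the reusable `*oci_login` step:
# download a pinned, checksum-verified oras release and log in to the
# project registry with the job-scoped CI_JOB_TOKEN. Other jobs include it
# with `- *oci_login` in their before_script.
.oci:login:
  stage: test
  script:
    - &oci_login |
      ORAS_VERSION="1.1.0"
      ORAS_SHASUM="e09e85323b24ccc8209a1506f142e3d481e6e809018537c6b3db979c891e6ad7"
      # -f: an HTTP error must fail the step instead of saving an error page under the archive name
      curl -fsSLO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz"
      # Refuse to extract anything that does not match the pinned digest (two spaces is the portable sha256sum -c format)
      echo "${ORAS_SHASUM}  oras_${ORAS_VERSION}_linux_amd64.tar.gz" | sha256sum -c -
      mkdir -p oras-install/
      tar -zxf "oras_${ORAS_VERSION}_linux_amd64.tar.gz" -C oras-install/
      mv oras-install/oras /usr/local/bin/
      rm -rf "oras_${ORAS_VERSION}_linux_amd64.tar.gz" oras-install/
      # CI_JOB_TOKEN lives only as long as this job; no long-lived registry credential is stored anywhere
      echo "$CI_JOB_TOKEN" | oras login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" --password-stdin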
# Secret detection with gitleaks (image pinned by digest).
secret-scanning:
  stage: test
  image: ghcr.io/gitleaks/gitleaks:v8.18.4@sha256:75bdb2b2f4db213cde0b8295f13a88d6b333091bbfbf3012a4e083d00d31caba
  variables:
    # Depth-1 clone: gitleaks only sees the current commit, not secrets that
    # were committed and later removed from history.
    GIT_DEPTH: "1"
  script:
    # Findings listed in the baseline file are suppressed; a change to that
    # file in a merge request deserves the same review as a new exception.
    - gitleaks -v detect --baseline-path gitleaks-report.json
# SAST with semgrep (image pinned by digest).
static-application-security-testing:
  stage: test
  image: returntocorp/semgrep:1.81.0@sha256:aca826eb1bb9ba9e84a348b88e0c6340ca2a400789de0ee1e41b1abb560e4a1f
  script:
    # `p/ci` is a registry ruleset fetched at run time, so the rules applied
    # can change between runs even though the semgrep binary is pinned.
    - semgrep scan --config=p/ci .
# Dependency vulnerability check against the lockfile (no install needed).
software-composition-analysis:
  stage: test
  image: node:22.5.1-bookworm@sha256:86915971d2ce1548842315fcce7cda0da59319a4dab6b9fc0827e762ef04683a
  script:
    # Only CRITICAL advisories fail the job; HIGH and below are reported but do not block.
    - npm audit --audit-level=critical
# Unit tests; the JUnit report is collected even when the tests fail.
jest:
  stage: test
  image: node:22.5.1-bookworm@sha256:86915971d2ce1548842315fcce7cda0da59319a4dab6b9fc0827e762ef04683a
  script:
    # NOTE(review): unlike `npm ci` in next-build, `npm i --force` installs
    # through peer-dependency conflicts and may rewrite package-lock.json, so
    # this job is not guaranteed to test the locked dependency set.
    - npm i --force --include=dev
    - npx jest --ci --reporters=default --reporters=jest-junit
  artifacts:
    when: always
    reports:
      junit:
        - junit.xml
# License policy check for npm dependencies, driven by the decisions file.
license-compliance:
  stage: test
  image: ruby:3.3.4-alpine3.20@sha256:9fc2d9dd146a47fddcf2b69e3174d92ee1a654fbbe73f97b858505394748ac6e
  script:
    # NOTE(review): license_finder (gem) and npm (apk) are installed unpinned,
    # so this job's tooling floats even though the base image is digest-pinned.
    - gem install license_finder
    - apk add --update npm
    - license_finder --decisions_file ./docs/dependency_decisions.yml --enabled-package-managers npm
# Infrastructure-as-code misconfiguration scan over the whole repository.
iac:
  stage: test
  image: bridgecrew/checkov:3.2.208@sha256:528276dd7d05bb3901d4546208dbec2727744a0c3878de8e06d26d4f6cd4901f
  script:
    - checkov -d . --quiet
# Build smoke test from the locked dependency set.
# NOTE(review): this job is not listed in the `needs` of oci:build, so it
# does not gate the image build.
next-build:
  stage: test
  image: node:22.5.1-bookworm@sha256:86915971d2ce1548842315fcce7cda0da59319a4dab6b9fc0827e762ef04683a
  script:
    - npm ci
    - npm run build
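# Derives the image references for this pipeline and passes them to later
# jobs as artifacts (image-tag.txt, initcontainer-image-tag.txt).
# Variables are quoted so a ref name is never word-split or glob-expanded
# by the shell before it reaches the tag.
tag:
  stage: tag
  needs: []
  dependencies: []
  script:
    - |
      if [ -n "$CI_COMMIT_TAG" ]; then
        # Tag pipeline: the image is named after the git tag
        echo "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG" > image-tag.txt
        echo "$CI_REGISTRY_IMAGE/initcontainer:$CI_COMMIT_TAG" > initcontainer-image-tag.txt
      else
        # Branch pipeline: <branch>-<short sha>-<unix time>, unique and traceable to a commit
        branch=$(printf '%s' "$CI_COMMIT_REF_NAME" | sed 's/\//-/g')
        sha="${CI_COMMIT_SHORT_SHA}"
        ts=$(date +%s)
        echo "$CI_REGISTRY_IMAGE:${branch}-${sha}-${ts}" > image-tag.txt
        echo "$CI_REGISTRY_IMAGE/initcontainer:${branch}-${sha}-${ts}" > initcontainer-image-tag.txt
      fi
  artifacts:
    paths:
      - image-tag.txt
      - initcontainer-image-tag.txt
  only:
    - main
    - tags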
# Builds and pushes the application image with kaniko; records the pushed
# digest in digest.txt for the scan, SBOM and signing jobs.
oci:build:
  stage: build
  # Every test-stage gate must pass first; `tag` provides the destination reference.
  needs:
    - tag
    - jest
    - software-composition-analysis
    - static-application-security-testing
    - secret-scanning
    - license-compliance
    - iac
  dependencies:
    - tag
  image:
    name: gcr.io/kaniko-project/executor:v1.23.2-debug@sha256:c3109d5926a997b100c4343944e06c6b30a6804b2f9abe0994d3de6ef92b028e
    entrypoint: [""]
  script:
    - >-
      /kaniko/executor
      --digest-file=digest.txt
      --cleanup
      --build-arg NEXT_PUBLIC_ENVIRONMENT=production
      --context $CI_PROJECT_DIR
      --dockerfile $CI_PROJECT_DIR/Dockerfile
      --destination $(cat image-tag.txt)
  artifacts:
    paths:
      - digest.txt
    when: on_success
  only:
    - main
    - tags
  except:
    variables:
      - '$CI_PIPELINE_SOURCE == "schedule"'
# Builds and pushes the init-container image with kaniko; records the pushed
# digest in initcontainer-digest.txt for the scan, SBOM and signing jobs.
oci:build-initcontainer:
  stage: build
  # Same test-stage gates as oci:build.
  needs:
    - tag
    - jest
    - software-composition-analysis
    - static-application-security-testing
    - secret-scanning
    - license-compliance
    - iac
  dependencies:
    - tag
  image:
    name: gcr.io/kaniko-project/executor:v1.23.2-debug@sha256:c3109d5926a997b100c4343944e06c6b30a6804b2f9abe0994d3de6ef92b028e
    entrypoint: [""]
  script:
    - >-
      /kaniko/executor
      --digest-file=initcontainer-digest.txt
      --cleanup
      --build-arg NEXT_PUBLIC_ENVIRONMENT=production
      --context $CI_PROJECT_DIR
      --dockerfile $CI_PROJECT_DIR/Dockerfile.initcontainer
      --destination $(cat initcontainer-image-tag.txt)
  artifacts:
    paths:
      - initcontainer-digest.txt
    when: on_success
  only:
    - main
    - tags
  except:
    variables:
      - '$CI_PIPELINE_SOURCE == "schedule"'
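# Vulnerability scan of the freshly pushed application image, by digest.
# Only CRITICAL findings fail the job; tighten `--severity` to block on HIGH too.
container-scanning:
  stage: container-scanning
  needs:
    - oci:build
    - tag
  dependencies:
    - oci:build
    - tag
  image: alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
  variables:
    # One pinned release for both the installer script ref and the binary it fetches.
    TRIVY_VERSION: "v0.50.4"
  before_script:
    - apk add --update curl
    # Registry credentials for the private image pull (oras writes the Docker config store, which trivy presumably reads)
    - *oci_login
    # Installer fetched from the release tag instead of the floating `main` branch, so a change
    # to upstream main cannot alter what is piped into sh here.
    # TODO(review): stronger still is a sha256-pinned tarball download like the oras step.
    - curl -sfL "https://raw.githubusercontent.com/aquasecurity/trivy/${TRIVY_VERSION}/contrib/install.sh" | sh -s -- -b /usr/local/bin "${TRIVY_VERSION}"
  script:
    # Scan the immutable digest, never the mutable tag
    - trivy image --exit-code 1 --severity CRITICAL --no-progress "$(cat image-tag.txt)@$(cat digest.txt)"
  only:
    - main
    - tags
  except:
    variables:
      - '$CI_PIPELINE_SOURCE == "schedule"'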
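# Vulnerability scan of the freshly pushed init-container image, by digest.
# Only CRITICAL findings fail the job; tighten `--severity` to block on HIGH too.
container-scanning-initcontainer:
  stage: container-scanning
  needs:
    - oci:build-initcontainer
    - tag
  dependencies:
    - oci:build-initcontainer
    - tag
  image: alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
  variables:
    # One pinned release for both the installer script ref and the binary it fetches.
    TRIVY_VERSION: "v0.50.4"
  before_script:
    - apk add --update curl
    # Registry credentials for the private image pull (oras writes the Docker config store, which trivy presumably reads)
    - *oci_login
    # Installer fetched from the release tag instead of the floating `main` branch, so a change
    # to upstream main cannot alter what is piped into sh here.
    # TODO(review): stronger still is a sha256-pinned tarball download like the oras step.
    - curl -sfL "https://raw.githubusercontent.com/aquasecurity/trivy/${TRIVY_VERSION}/contrib/install.sh" | sh -s -- -b /usr/local/bin "${TRIVY_VERSION}"
  script:
    # Scan the immutable digest, never the mutable tag
    - trivy image --exit-code 1 --severity CRITICAL --no-progress "$(cat initcontainer-image-tag.txt)@$(cat initcontainer-digest.txt)"
  only:
    - main
    - tags
  except:
    variables:
      - '$CI_PIPELINE_SOURCE == "schedule"'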
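# Generates a CycloneDX SBOM for the application image (by digest) and keeps
# it as an artifact for the sign-sbom job.
sbom:
  stage: publish
  needs:
    - oci:build
    - tag
  dependencies:
    - oci:build
    - tag
  image: alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
  variables:
    # Pinned syft release. Previously both the installer script (`main`) and the
    # syft version (latest) floated, so the SBOM generator could change between runs.
    SYFT_VERSION: "v1.9.0"
  before_script:
    - apk add --update curl
    - *oci_login
    # Installer and binary both pinned to SYFT_VERSION; bump them deliberately.
    # TODO(review): a sha256-pinned tarball download like the oras step is stronger still.
    - curl -sSfL "https://raw.githubusercontent.com/anchore/syft/${SYFT_VERSION}/install.sh" | sh -s -- -b /usr/local/bin "${SYFT_VERSION}"
  script:
    - syft "$(cat image-tag.txt)@$(cat digest.txt)" -o cyclonedx-json=sbom.json
  artifacts:
    paths:
      - sbom.json
  only:
    - main
    - tags
  except:
    variables:
      - '$CI_PIPELINE_SOURCE == "schedule"'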
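# Generates a CycloneDX SBOM for the init-container image (by digest) and
# keeps it as an artifact for the sign-sbom-initcontainer job.
sbom-initcontainer:
  stage: publish
  needs:
    - oci:build-initcontainer
    - tag
  dependencies:
    - oci:build-initcontainer
    - tag
  image: alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
  variables:
    # Pinned syft release. Previously both the installer script (`main`) and the
    # syft version (latest) floated, so the SBOM generator could change between runs.
    SYFT_VERSION: "v1.9.0"
  before_script:
    - apk add --update curl
    - *oci_login
    # Installer and binary both pinned to SYFT_VERSION; bump them deliberately.
    # TODO(review): a sha256-pinned tarball download like the oras step is stronger still.
    - curl -sSfL "https://raw.githubusercontent.com/anchore/syft/${SYFT_VERSION}/install.sh" | sh -s -- -b /usr/local/bin "${SYFT_VERSION}"
  script:
    - syft "$(cat initcontainer-image-tag.txt)@$(cat initcontainer-digest.txt)" -o cyclonedx-json=sbom.json
  artifacts:
    paths:
      - sbom.json
  only:
    - main
    - tags
  except:
    variables:
      - '$CI_PIPELINE_SOURCE == "schedule"'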
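# Signs the application image by digest.
# container-scanning is listed in `needs` so that an image which failed the
# scan is never signed; with `needs`, the later stage alone does not wait for it.
sign-image:
  stage: sign
  needs:
    - oci:build
    - tag
    - container-scanning
  dependencies:
    - oci:build
    - tag
  image: alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
  before_script:
    # TODO(review): cosign is installed unpinned from the Alpine repository; pin the package version.
    - apk add --update cosign
    - apk add --update curl
    - *oci_login
  script:
    # `--yes` skips the confirmation prompts, including the one for uploading the signature
    # to the public Rekor transparency log (on by default); add --tlog-upload=false if the
    # registry path and digest must not be published.
    # COSIGN_PRIVATE_KEY is a long-lived key held in CI variables; keyless signing with the
    # GitLab OIDC id_token would remove that secret entirely.
    - cosign sign --yes --key "$COSIGN_PRIVATE_KEY" "$(cat image-tag.txt)@$(cat digest.txt)"
  only:
    - main
    - tags
  except:
    variables:
      - '$CI_PIPELINE_SOURCE == "schedule"'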
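# Signs the init-container image by digest.
# container-scanning-initcontainer is listed in `needs` so that an image which
# failed the scan is never signed; with `needs`, the later stage alone does not wait for it.
sign-image-initcontainer:
  stage: sign
  needs:
    - oci:build-initcontainer
    - tag
    - container-scanning-initcontainer
  dependencies:
    - oci:build-initcontainer
    - tag
  image: alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
  before_script:
    # TODO(review): cosign is installed unpinned from the Alpine repository; pin the package version.
    - apk add --update cosign
    - apk add --update curl
    - *oci_login
  script:
    # `--yes` skips the confirmation prompts, including the one for uploading the signature
    # to the public Rekor transparency log (on by default); add --tlog-upload=false if the
    # registry path and digest must not be published.
    # COSIGN_PRIVATE_KEY is a long-lived key held in CI variables; keyless signing with the
    # GitLab OIDC id_token would remove that secret entirely.
    - cosign sign --yes --key "$COSIGN_PRIVATE_KEY" "$(cat initcontainer-image-tag.txt)@$(cat initcontainer-digest.txt)"
  only:
    - main
    - tags
  except:
    variables:
      - '$CI_PIPELINE_SOURCE == "schedule"'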
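# Attaches the application SBOM to the image as a signed in-toto attestation.
# Gated on container-scanning like sign-image, so a failed scan never gets an attestation.
sign-sbom:
  stage: sign
  needs:
    - oci:build
    - tag
    - sbom
    - container-scanning
  dependencies:
    - oci:build
    - tag
    - sbom
  image: alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
  before_script:
    # TODO(review): cosign is installed unpinned from the Alpine repository; pin the package version.
    - apk add --update cosign
    - apk add --update curl
    - *oci_login
  script:
    # `--type cyclonedx` labels the predicate with the CycloneDX predicate type; without it
    # cosign uses its generic "custom" type and `cosign verify-attestation --type cyclonedx`
    # would not find this SBOM.
    - cosign attest --yes --type cyclonedx --predicate ./sbom.json --key "$COSIGN_PRIVATE_KEY" "$(cat image-tag.txt)@$(cat digest.txt)"
  only:
    - main
    - tags
  except:
    variables:
      - '$CI_PIPELINE_SOURCE == "schedule"'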
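# Attaches the init-container SBOM to its image as a signed in-toto attestation.
# Gated on container-scanning-initcontainer like sign-image-initcontainer, so a
# failed scan never gets an attestation.
sign-sbom-initcontainer:
  stage: sign
  needs:
    - oci:build-initcontainer
    - tag
    - sbom-initcontainer
    - container-scanning-initcontainer
  dependencies:
    - oci:build-initcontainer
    - tag
    - sbom-initcontainer
  image: alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
  before_script:
    # TODO(review): cosign is installed unpinned from the Alpine repository; pin the package version.
    - apk add --update cosign
    - apk add --update curl
    - *oci_login
  script:
    # `--type cyclonedx` labels the predicate with the CycloneDX predicate type; without it
    # cosign uses its generic "custom" type and `cosign verify-attestation --type cyclonedx`
    # would not find this SBOM.
    - cosign attest --yes --type cyclonedx --predicate ./sbom.json --key "$COSIGN_PRIVATE_KEY" "$(cat initcontainer-image-tag.txt)@$(cat initcontainer-digest.txt)"
  only:
    - main
    - tags
  except:
    variables:
      - '$CI_PIPELINE_SOURCE == "schedule"'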