This repository has been archived by the owner on Jan 3, 2025. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 47
/
.gitlab-ci.yml
94 lines (88 loc) · 4.77 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
variables:
PRIVATE_REGISTRY_PASSWD: $PRIVATE_REGISTRY_PASSWD
PRIVATE_REGISTRY_USERNAME: $PRIVATE_REGISTRY_USERNAME
PRIVATE_REGISTRY_URL: $PRIVATE_REGISTRY_URL
DOCKER_HUB_PASSWD: $DOCKER_HUB_PASSWD
DOCKER_HUB_USERNAME: $DOCKER_HUB_USERNAME
FQDN: $SECMON_FQDN
SENDER: $SECMON_SENDER
SMTP_PASSWD: $SECMON_SMTP_PASSWD
SMTP_SRV: $SECMON_SMTP_SRV
GITHUB_USERNAME: $SECMON_GITHUB_USERNAME
GITHUB_API_KEY: $SECMON_GITHUB_API_KEY
WEB_USERNAME: $SECMON_WEB_USERNAME
WEB_PASSWD: $SECMON_WEB_PASSWD
stages:
- build
- vuln_scan
- malware_scan
- test
- release_image
Build-Image:
stage: build
script:
- docker login $PRIVATE_REGISTRY_URL -u $PRIVATE_REGISTRY_USERNAME -p $PRIVATE_REGISTRY_PASSWD
- docker pull $SECMON_REGISTRY_IMAGE_WITHOUT_TAG:latest || true
- docker build . -t $SECMON_REGISTRY_IMAGE_WITHOUT_TAG:$CI_COMMIT_REF_SLUG
- docker push $SECMON_REGISTRY_IMAGE_WITHOUT_TAG:$CI_COMMIT_REF_SLUG
allow_failure: false
Vuln-Scan:
stage: vuln_scan
variables:
ANCHORE_CLI_URL: "http://anchore-engine:8228/v1"
GIT_STRATEGY: none
image: docker.io/anchore/inline-scan:latest
services:
- name: docker.io/anchore/inline-scan:latest
alias: anchore-engine
command: ["start"]
script:
- anchore-cli system wait
- anchore-cli registry add $PRIVATE_REGISTRY_URL gitlab-ci-token "$CI_JOB_TOKEN" --skip-validate --insecure
- anchore-cli image add $SECMON_REGISTRY_IMAGE_WITHOUT_TAG:$CI_COMMIT_REF_SLUG
- anchore-cli image wait $SECMON_REGISTRY_IMAGE_WITHOUT_TAG:$CI_COMMIT_REF_SLUG
- anchore-cli image vuln $SECMON_REGISTRY_IMAGE_WITHOUT_TAG:$CI_COMMIT_REF_SLUG all
allow_failure: true
Malware-Scan:
stage: malware_scan
script:
- docker stop secmontest && docker rm secmontest || true
- docker login $PRIVATE_REGISTRY_URL -u $PRIVATE_REGISTRY_USERNAME -p $PRIVATE_REGISTRY_PASSWD
- docker run -i -t --name secmontest -d $SECMON_REGISTRY_IMAGE_WITHOUT_TAG:$CI_COMMIT_REF_SLUG
- docker cp . secmontest:/var/www/secmon
- docker exec secmontest bash -c 'apt update && apt install -y clamav && freshclam'
- docker exec secmontest bash -c 'cd /var/www/secmon ; python3 -c "import secmon_lib" ; python3 -c "from secmon_web import *" 2>/dev/null' || true
- docker exec secmontest clamscan --remove --infected -r /var/www /home /usr /etc /mnt /media /srv | tee scan-results.txt
- docker stop secmontest && docker rm secmontest
allow_failure: false
Test:
stage: test
script:
- docker stop secmontest && docker rm secmontest || true
- docker login $PRIVATE_REGISTRY_URL -u $PRIVATE_REGISTRY_USERNAME -p $PRIVATE_REGISTRY_PASSWD
- docker run -i -t --name secmontest -p 4443 -e SENDER=$SENDER -e GITHUB_USERNAME=$GITHUB_USERNAME -e GITHUB_API_KEY=$GITHUB_API_KEY -e WEB_USERNAME=$WEB_USERNAME -e WEB_PASSWD=$WEB_PASSWD -e FQDN=$FQDN -e SMTP_PASSWD=$SMTP_PASSWD -d $SECMON_REGISTRY_IMAGE_WITHOUT_TAG:$CI_COMMIT_REF_SLUG
- docker cp . secmontest:/var/www/secmon
- docker exec secmontest openssl req -newkey rsa:4096 -x509 -subj "/C=FR/ST=France/L=Paris/O=Test/CN=$FQDN" -sha512 -days 3650 -nodes -out /etc/ssl/secmon/secmon.crt -keyout /etc/ssl/secmon/secmon.key
- docker exec secmontest python3 /var/www/secmon/setup.py -login $SENDER -p $SMTP_PASSWD -server $SMTP_SRV -port '587' -tls yes -lang fr -sender $SENDER -r $SENDER -accept true -github_username $GITHUB_USERNAME -github_api_key $GITHUB_API_KEY -username $WEB_USERNAME -password $WEB_PASSWD
- docker exec secmontest nohup python3 /var/www/secmon/secmon.py >/dev/null 2>&1 &
- docker exec secmontest nohup python3 /var/www/secmon/cve_updater.py >/dev/null 2>&1 &
- docker exec secmontest cp /var/www/secmon/docker/secmon-ci.conf /etc/apache2/sites-enabled/secmon.conf
- docker exec secmontest chown -R www-data:www-data /var/www/secmon/
- docker exec secmontest chmod -R 744 /var/www/secmon/
- docker exec secmontest sed -i "s/{FQDN}/$FQDN/" /etc/apache2/sites-enabled/secmon.conf
- docker exec secmontest sed -i "s/Listen 443/Listen 4443/" /etc/apache2/ports.conf
- docker exec secmontest a2enmod ssl && docker exec secmontest service apache2 restart
- docker exec secmontest apt install -y wget
- docker exec secmontest wget -q -S -O - https://127.0.0.1:4443 --no-check-certificate | grep "SECMON - Login"
- docker stop secmontest && docker rm secmontest || true
allow_failure: false
Release-Image:
stage: release_image
script:
- docker login $PRIVATE_REGISTRY_URL -u $PRIVATE_REGISTRY_USERNAME -p $PRIVATE_REGISTRY_PASSWD
- docker tag $SECMON_REGISTRY_IMAGE_WITHOUT_TAG:$CI_COMMIT_REF_SLUG $SECMON_REGISTRY_IMAGE_WITHOUT_TAG:latest
- docker push $SECMON_REGISTRY_IMAGE_WITHOUT_TAG:latest
- docker login -u $DOCKER_HUB_USERNAME -p $DOCKER_HUB_PASSWD
- docker tag $SECMON_REGISTRY_IMAGE_WITHOUT_TAG:latest guezone/secmon:latest
- docker push guezone/secmon:latest
allow_failure: false