forked from gadiener/ci-templates
-
Notifications
You must be signed in to change notification settings - Fork 5
/
sast.yml
44 lines (43 loc) · 2.15 KB
/
sast.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
include:
- remote: "https://raw.githubusercontent.com/jobtome-labs/ci-templates/v3.38.0/templates/sast.yml"
sast:
extends: .sast
image: europe-west1-docker.pkg.dev/jobtome-platform/public/dind-bash:20.10
variables:
DOCKER_DRIVER: overlay2
before_script:
- echo "Wait for Docker daemon at tcp://localhost:2375"
- while ! nc -z localhost 2375; do sleep 0.1; done
script:
- |
if [ ! -z "$SAST_EXTRA_PATH" ]; then
SAST_APPLICATION_REPOSITORY=$CI_REGISTRY_IMAGE/$SAST_EXTRA_PATH
echo "Repo path overridden"
else
SAST_APPLICATION_REPOSITORY=$CI_REGISTRY_IMAGE
echo "Repo path not overridden"
fi
- |
if [ ! -z "$CI_COMMIT_TAG" ]; then
SAST_APPLICATION_TAG=$CI_COMMIT_TAG
else
SAST_APPLICATION_TAG=$CI_COMMIT_SHORT_SHA
fi
- docker run -d --name db arminc/clair-db:latest
- docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
- apk add -U wget ca-certificates
- echo -n "${CI_REGISTRY_PASSWORD}" | docker login -u "${CI_REGISTRY_USER}" --password-stdin "${CI_REGISTRY}"
- docker pull ${SAST_APPLICATION_REPOSITORY}:${SAST_APPLICATION_TAG}
- wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
- mv clair-scanner_linux_amd64 clair-scanner
- chmod +x clair-scanner
- touch clair-whitelist.yml
- while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
- retries=0
- echo "Waiting for clair daemon to start"
- while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${SAST_APPLICATION_REPOSITORY}:${SAST_APPLICATION_TAG} || true
- ( grep -cE -cE 'High CVE|Critical CVE|Defcon1' >/dev/null 2>&1 clair.log || exit 0 && exit 1; )
artifacts:
reports:
container_scanning: gl-container-scanning-report.json