diff --git a/.deepsource.toml b/.deepsource.toml
new file mode 100644
index 0000000..6acfc10
--- /dev/null
+++ b/.deepsource.toml
@@ -0,0 +1,23 @@
+version = 1
+
+[[analyzers]]
+name = "test-coverage"
+enabled = true
+
+[[analyzers]]
+name = "python"
+enabled = true
+
+  [analyzers.meta]
+  runtime_version = "3.x.x"
+
+[[analyzers]]
+name = "secrets"
+enabled = true
+
+[[analyzers]]
+name = "docker"
+enabled = true
+
+  [analyzers.meta]
+  dockerfile_paths = ["Dockerfile"]
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..d5d0465
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,47 @@
+stages:
+  - test
+  - build-image
+
+sast:
+  stage: test
+include:
+- template: Security/SAST.gitlab-ci.yml
+- template: Security/SAST-IaC.latest.gitlab-ci.yml
+- template: Security/Secret-Detection.gitlab-ci.yml
+- template: Security/Container-Scanning.gitlab-ci.yml
+
+container_scanning:
+  variables:
+    CS_DISABLE_DEPENDENCY_LIST: "true"
+    CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
+    CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
+    CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning/grype:5"
+
+docker-image-build:
+  stage: build-image
+  image: docker:20-git
+  script:
+    - docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest .
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    - docker image push $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
+  rules:
+    - if: $CI_COMMIT_BRANCH == "master"
+      exists:
+        - Dockerfile
+      changes:
+        - "*.py"
+        - Dockerfile
+        - requirements.txt
+        - .gitlab-ci.yml
+
+docker-image-nightly-build:
+  stage: build-image
+  image: docker:20-git
+  script:
+    - docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly .
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    - docker image push $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly
+  rules:
+    - if: $CI_COMMIT_BRANCH == "unsafe"
+      exists:
+        - Dockerfile
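Review bot: The `test-coverage` analyzer is enabled, but nothing in this commit produces or uploads a coverage report — the `.gitlab-ci.yml` added alongside has only the security-template jobs and the two image builds — so unless a coverage upload already exists elsewhere the analyzer will sit empty and report nothing. Either add a CI job that runs the test suite with coverage and reports the result via the DeepSource CLI, or leave the analyzer disabled until that job exists so the dashboard does not show a silently broken check. `runtime_version = "3.x.x"` is accepted by DeepSource but pinning it to the interpreter actually used by the Dockerfile (e.g. `"3.11.x"`) would make the Python analysis match what ships.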
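Review bot: `container_scanning` keeps the template's `stage: test`, so it runs before `build-image` pushes anything, and it scans `CS_IMAGE`, which (if I read the template defaults correctly) resolves to `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA` — a tag this pipeline never pushes — so on `master` the scan either fails to pull or only reports against the previous `:latest` via `CS_DEFAULT_BRANCH_IMAGE`, never the image just built. Point the scan at the image this pipeline actually produces and sequence it after the push: add a `scan` stage after `build-image` and set `stage: scan` plus `CS_IMAGE: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest` under `container_scanning` (the nightly `:nightly` tag is scanned nowhere). Separately, `docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY` passes the token as a command-line argument, which Docker itself warns is insecure and which is visible to `ps` inside the job; use `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"` in both build jobs. The `docker:20-git` jobs declare no `services: [docker:20-dind]`, so unless the runner mounts a Docker socket the `docker build` steps will not run at all — add the service or document the runner assumption. Lastly, `changes: - "*.py"` matches only top-level files; if the sources live in a package directory, `"**/*.py"` is needed for the rule to fire on real changes.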