add: basic ci docker image building, deepsource sast

.deepsource.toml

@@ -0,0 +1,23 @@
+version = 1
+
+[[analyzers]]
+name = "test-coverage"
+enabled = true
+
+[[analyzers]]
+name = "python"
+enabled = true
+
+  [analyzers.meta]
+  runtime_version = "3.x.x"
+
+[[analyzers]]
+name = "secrets"
+enabled = true
+
+[[analyzers]]
+name = "docker"
+enabled = true
+
+  [analyzers.meta]
+  dockerfile_paths = ["Dockerfile"]

.gitlab-ci.yml

@@ -0,0 +1,47 @@
+stages:
+  - test
+  - build-image
+
+sast:
+  stage: test
+include:
+- template: Security/SAST.gitlab-ci.yml
+- template: Security/SAST-IaC.latest.gitlab-ci.yml
+- template: Security/Secret-Detection.gitlab-ci.yml
+- template: Security/Container-Scanning.gitlab-ci.yml
+
+container_scanning:
+  variables:
+    CS_DISABLE_DEPENDENCY_LIST: "true"
+    CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
+    CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
+    CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning/grype:5"
+
+docker-image-build:
+  stage: build-image
+  image: docker:20-git
+  script:
+    - docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest .
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    - docker image push $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
+  rules:
+  - if: $CI_COMMIT_BRANCH == "master"
+    exists:
+    - Dockerfile
+    changes:
+    - "*.py"
+    - Dockerfile
+    - requirements.txt
+    - .gitlab-ci.yml
+
+docker-image-nightly-build:
+  stage: build-image
+  image: docker:20-git
+  script:
+    - docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly .
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    - docker image push $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly
+  rules:
+  - if: $CI_COMMIT_BRANCH == "unsafe"
+    exists:
+    - Dockerfile