diff --git a/.deepsource.toml b/.deepsource.toml
new file mode 100644
index 0000000..6acfc10
--- /dev/null
+++ b/.deepsource.toml
@@ -0,0 +1,23 @@
+version = 1
+
+[[analyzers]]
+name = "test-coverage"
+enabled = true
+
+[[analyzers]]
+name = "python"
+enabled = true
+
+ [analyzers.meta]
+ runtime_version = "3.x.x"
+
+[[analyzers]]
+name = "secrets"
+enabled = true
+
+[[analyzers]]
+name = "docker"
+enabled = true
+
+ [analyzers.meta]
+ dockerfile_paths = ["Dockerfile"]
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..41e2c30
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,5 @@
+.git
+.gitignore
+config.ini
+README.md
+TODO
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..9af9347
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,40 @@
+stages:
+ - test
+ - build-image
+ - post-test
+
+sast:
+ stage: test
+include:
+- template: Security/SAST.gitlab-ci.yml
+- template: Security/SAST-IaC.latest.gitlab-ci.yml
+- template: Security/Secret-Detection.gitlab-ci.yml
+- template: Security/Container-Scanning.gitlab-ci.yml
+
+docker-image-build:
+ stage: build-image
+ image: docker:20-git
+ script:
+ - docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest .
+ - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+ - docker image push $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
+ rules:
+ - if: $CI_COMMIT_BRANCH == "master"
+ exists:
+ - Dockerfile
+ changes:
+ - "*.py"
+ - Dockerfile
+ - requirements.txt
+ - .gitlab-ci.yml
+
+container_scanning:
+ stage: post-test
+ variables:
+ CS_DISABLE_DEPENDENCY_LIST: "true"
+ CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
+ CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter
+ CI_APPLICATION_TAG: "latest"
+ CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
+ CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning/grype:5"
+ SECURE_LOG_LEVEL: "debug"
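Review bot: In the docker-image-build script, `docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY` hands the registry credential over as a command-line argument, which docker itself warns about and which shows up in the job's process list and shell trace; the stdin form avoids that: `- echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. The build and push use only the `latest` tag, so the container_scanning job in post-test always scans whatever was pushed most recently rather than the commit under test; tagging with `$CI_COMMIT_SHA` as well would tie the scan result to a specific commit. `SECURE_LOG_LEVEL: "debug"` on the scanner looks like a troubleshooting setting — worth removing or commenting once scans are stable, since debug output is verbose in job logs. The `docker:20-git` job image presumably needs a `services: [docker:20-dind]` entry or a runner with a mounted socket, neither of which is in the hunk — confirm the runner setup.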
diff --git a/Dockerfile b/Dockerfile
index a4e68e4..922ba6c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,11 @@
 FROM python:3.10-alpine
-COPY . /app
+
 WORKDIR /app
-RUN pip install -r /app/requirements.txt
+
+COPY requirements.txt /app/requirements.txt
+
+RUN pip install -r /app/requirements.txt && rm /app/requirements.txt
+
+COPY . /app
 CMD ["python3", "-m", "mastoposter", "/config.ini"]
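Review bot: The `rm /app/requirements.txt` at the end of the new RUN line achieves nothing, because the later `COPY . /app` copies the build context back into the same path and the new .dockerignore does not list requirements.txt, so the file is in the final image regardless; either drop the `rm` or add requirements.txt to .dockerignore, and say in a comment which one is intended. The install step can also avoid leaving pip's download cache in the layer: `RUN pip install --no-cache-dir -r /app/requirements.txt`. The container still runs the application as root, and since the process only needs to read the mounted `/config.ini`, an unprivileged user is cheap to add before CMD, e.g. `RUN adduser -D -H app` followed by `USER app`. `FROM python:3.10-alpine` is a floating tag, so rebuilds on master can silently change the base image; that is tolerable with the container_scanning job in place but deserves a one-line comment in the Dockerfile.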