From 80a3d9c89de72434fe3f9be0ba81b3fe7ee7d3f1 Mon Sep 17 00:00:00 2001
From: "Vladimir (vapronva)"
Date: Fri, 30 Sep 2022 02:23:18 +0300
Subject: [PATCH 1/4] =?UTF-8?q?add:=20`dockerignore`;=20change:=20df=20lay?= =?UTF-8?q?ers=20handling=20(=F0=9F=A4=93)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .dockerignore | 5 +++++
 Dockerfile    | 9 +++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 .dockerignore

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..41e2c30
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,5 @@
+.git
+.gitignore
+config.ini
+README.md
+TODO
diff --git a/Dockerfile b/Dockerfile
index a4e68e4..922ba6c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,11 @@
 FROM python:3.10-alpine
-COPY . /app
+
 WORKDIR /app
-RUN pip install -r /app/requirements.txt
+
+COPY requirements.txt /app/requirements.txt
+
+RUN pip install -r /app/requirements.txt && rm /app/requirements.txt
+
+COPY . /app
 CMD ["python3", "-m", "mastoposter", "/config.ini"]
-- 2.40.1

From 91685a06e4302584e7e5705f629287a79fe18570 Mon Sep 17 00:00:00 2001
From: "Vladimir (vapronva)"
Date: Fri, 30 Sep 2022 04:08:24 +0300
Subject: [PATCH 2/4] add: basic ci docker image building, deepsource sast
---
 .deepsource.toml | 23 +++++++++++++++++++++++
 .gitlab-ci.yml   | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 .deepsource.toml
 create mode 100644 .gitlab-ci.yml

diff --git a/.deepsource.toml b/.deepsource.toml
new file mode 100644
index 0000000..6acfc10
--- /dev/null
+++ b/.deepsource.toml
@@ -0,0 +1,23 @@
+version = 1
+
+[[analyzers]]
+name = "test-coverage"
+enabled = true
+
+[[analyzers]]
+name = "python"
+enabled = true
+
+  [analyzers.meta]
+  runtime_version = "3.x.x"
+
+[[analyzers]]
+name = "secrets"
+enabled = true
+
+[[analyzers]]
+name = "docker"
+enabled = true
+
+  [analyzers.meta]
+  dockerfile_paths = ["Dockerfile"]
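Review bot: `config.ini` is excluded by exact name only, so any other ini a developer keeps next to it (a backup copy, a second profile) is still swept into the image by the Dockerfile's `COPY . /app`; since this file exists specifically to keep the credentials file out of the build context, a pattern such as `*.ini` is safer than the single name. The `CMD` in the same commit reads `/config.ini` at container root, i.e. the config is expected to be mounted at runtime rather than baked in, which is worth stating here so nobody "fixes" the exclusion later: `# config.ini holds credentials and is mounted at runtime (CMD reads /config.ini); never copy it into the image`. Build-only artefacts like `__pycache__/` and `*.pyc` could be excluded as well, though that is hygiene rather than security.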
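Review bot: The `rm /app/requirements.txt` appended to the new RUN line does nothing useful: the `COPY . /app` that follows copies requirements.txt straight back (it is not listed in the new .dockerignore), while the pip download cache from the install remains in the layer; `RUN pip install --no-cache-dir -r /app/requirements.txt` is the change that actually shrinks the image. The container also still runs mastoposter as root — there is no `USER` instruction — and the base is pinned only to the floating `python:3.10-alpine` tag, so the container-scanning job added later in this series will report whatever base image happened to be current at build time. If the bot does not need to write into /app at runtime, `RUN adduser -D -H mastoposter` followed by `USER mastoposter` before `CMD` drops root; pinning the base by digest (`FROM python:3.10-alpine@sha256:…`) makes scan results reproducible.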
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..d5d0465
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,47 @@
+stages:
+  - test
+  - build-image
+
+sast:
+  stage: test
+include:
+- template: Security/SAST.gitlab-ci.yml
+- template: Security/SAST-IaC.latest.gitlab-ci.yml
+- template: Security/Secret-Detection.gitlab-ci.yml
+- template: Security/Container-Scanning.gitlab-ci.yml
+
+container_scanning:
+  variables:
+    CS_DISABLE_DEPENDENCY_LIST: "true"
+    CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
+    CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
+    CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning/grype:5"
+
+docker-image-build:
+  stage: build-image
+  image: docker:20-git
+  script:
+    - docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest .
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    - docker image push $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
+  rules:
+    - if: $CI_COMMIT_BRANCH == "master"
+      exists:
+        - Dockerfile
+      changes:
+        - "*.py"
+        - Dockerfile
+        - requirements.txt
+        - .gitlab-ci.yml
+
+docker-image-nightly-build:
+  stage: build-image
+  image: docker:20-git
+  script:
+    - docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly .
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    - docker image push $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly
+  rules:
+    - if: $CI_COMMIT_BRANCH == "unsafe"
+      exists:
+        - Dockerfile
-- 2.40.1

From 2d67f6b0c8d79e6647c371d1780e99b07fc406ab Mon Sep 17 00:00:00 2001
From: "Vladimir (vapronva)"
Date: Fri, 30 Sep 2022 04:49:36 +0300
Subject: [PATCH 3/4] fix: ooops, container scanning should be past building
---
 .gitlab-ci.yml | 28 ++++++++++------------------
 1 file changed, 10 insertions(+), 18 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d5d0465..fd2b379 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
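Review bot: Both `docker login` lines in the build jobs hand the registry password over as a command-line argument (`-p $CI_REGISTRY_PASSWORD`), which exposes it to the process list inside the job container and makes Docker itself print a warning about insecure use; feed it on stdin instead: `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. The jobs use the `docker:20-git` image but declare no `services:` entry, so unless the runner exposes a Docker socket, `docker build` has no daemon to talk to — presumably a `docker:20-dind` service is intended and should be declared explicitly. Note also that both jobs build and push from a mutable tag (`:latest` / `:nightly`) and `CS_DEFAULT_BRANCH_IMAGE` points at `:latest`, so a scan result can never be tied to a particular commit; tagging with `$CI_COMMIT_SHA` as well would fix that.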
@@ -1,6 +1,7 @@
 stages:
   - test
   - build-image
+  - post-test
 
 sast:
   stage: test
@@ -10,13 +11,6 @@ include:
 - template: Security/Secret-Detection.gitlab-ci.yml
 - template: Security/Container-Scanning.gitlab-ci.yml
 
-container_scanning:
-  variables:
-    CS_DISABLE_DEPENDENCY_LIST: "true"
-    CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
-    CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
-    CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning/grype:5"
-
 docker-image-build:
   stage: build-image
   image: docker:20-git
@@ -34,14 +28,12 @@ docker-image-build:
         - requirements.txt
         - .gitlab-ci.yml
 
-docker-image-nightly-build:
-  stage: build-image
-  image: docker:20-git
-  script:
-    - docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly .
-    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - docker image push $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly
-  rules:
-    - if: $CI_COMMIT_BRANCH == "unsafe"
-      exists:
-        - Dockerfile
+container_scanning:
+  stage: post-test
+  variables:
+    CS_DISABLE_DEPENDENCY_LIST: "true"
+    CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
+    CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter
+    CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
+    CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning/grype:5"
+    SECURE_LOG_LEVEL: "debug"
-- 2.40.1

From 5a519505fa190b77e6908edb937b8b765251245d Mon Sep 17 00:00:00 2001
From: "Vladimir (vapronva)"
Date: Fri, 30 Sep 2022 05:00:41 +0300
Subject: [PATCH 4/4] add: some variables were missing for container analysis
---
 .gitlab-ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index fd2b379..9af9347 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
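Review bot: `SECURE_LOG_LEVEL: "debug"` on the relocated `container_scanning` job turns on verbose analyzer output, and debug-level logs from the GitLab security analyzers can include registry authentication details and the job environment in a log readable by anyone with access to the project; drop the line, or set it to `"info"`, once the job is known to work. Moving the job to `post-test` fixes the ordering problem the commit message describes, but the job inherits no `rules:` from `docker-image-build`, so on any branch where the build is skipped it scans whatever `:latest` was last pushed rather than the code of this pipeline — mirroring the build job's `rules:` (or scanning a `$CI_COMMIT_SHA` tag) would make the result meaningful. If the included Container-Scanning template's default `allow_failure: true` is left in place, findings also never block the pipeline; confirm that is the intended policy.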
@@ -34,6 +34,7 @@ container_scanning:
     CS_DISABLE_DEPENDENCY_LIST: "true"
     CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
     CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter
+    CI_APPLICATION_TAG: "latest"
     CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
     CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning/grype:5"
     SECURE_LOG_LEVEL: "debug"
-- 2.40.1
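Review bot: `CI_APPLICATION_TAG: "latest"` tells the scanner to pull a mutable tag, so the report describes whichever image most recently overwrote `:latest` rather than the image built by this pipeline, and a finding can never be correlated with a specific commit. Tagging the image with the commit in `docker-image-build` (`docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:$CI_COMMIT_SHA .`, pushed alongside `:latest`) and setting `CI_APPLICATION_TAG: $CI_COMMIT_SHA` here pins the scanned artefact to the build that produced it. The `container_scanning` job this hunk edits begins above the hunk, and the build job it depends on is elsewhere in the file.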