Improvements to Docker Image (Proper Layers Order and Docker-Ignore) #1

Closed
vapronva wants to merge 4 commits from vapronva/mastoposter-oss_images:master into master
2 changed files with 70 additions and 0 deletions
Showing only changes of commit 91685a06e4 - Show all commits

23
.deepsource.toml Normal file
View File

@ -0,0 +1,23 @@
version = 1
[[analyzers]]
name = "test-coverage"
enabled = true
[[analyzers]]
name = "python"
enabled = true
[analyzers.meta]
runtime_version = "3.x.x"
[[analyzers]]
name = "secrets"
enabled = true
[[analyzers]]
name = "docker"
enabled = true
[analyzers.meta]
dockerfile_paths = ["Dockerfile"]

47
.gitlab-ci.yml Normal file
View File

@ -0,0 +1,47 @@
stages:
- test
- build-image
sast:
stage: test
include:
- template: Security/SAST.gitlab-ci.yml
- template: Security/SAST-IaC.latest.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml
- template: Security/Container-Scanning.gitlab-ci.yml
container_scanning:
variables:
CS_DISABLE_DEPENDENCY_LIST: "true"
CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning/grype:5"
docker-image-build:
stage: build-image
image: docker:20-git
script:
- docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest .
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- docker image push $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
rules:
- if: $CI_COMMIT_BRANCH == "master"
exists:
- Dockerfile
changes:
- "*.py"
- Dockerfile
- requirements.txt
- .gitlab-ci.yml
docker-image-nightly-build:
stage: build-image
image: docker:20-git
script:
- docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly .
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- docker image push $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly
rules:
- if: $CI_COMMIT_BRANCH == "unsafe"
exists:
- Dockerfile