Improvements to Docker Image (Proper Layers Order and Docker-Ignore) #1
|
@ -0,0 +1,23 @@
|
|||
version = 1
|
||||
|
||||
[[analyzers]]
|
||||
name = "test-coverage"
|
||||
enabled = true
|
||||
|
||||
[[analyzers]]
|
||||
name = "python"
|
||||
enabled = true
|
||||
|
||||
[analyzers.meta]
|
||||
runtime_version = "3.x.x"
|
||||
|
||||
[[analyzers]]
|
||||
name = "secrets"
|
||||
enabled = true
|
||||
|
||||
[[analyzers]]
|
||||
name = "docker"
|
||||
enabled = true
|
||||
|
||||
[analyzers.meta]
|
||||
dockerfile_paths = ["Dockerfile"]
|
|
@ -0,0 +1,47 @@
|
|||
stages:
|
||||
- test
|
||||
- build-image
|
||||
|
||||
sast:
|
||||
stage: test
|
||||
include:
|
||||
- template: Security/SAST.gitlab-ci.yml
|
||||
- template: Security/SAST-IaC.latest.gitlab-ci.yml
|
||||
- template: Security/Secret-Detection.gitlab-ci.yml
|
||||
- template: Security/Container-Scanning.gitlab-ci.yml
|
||||
|
||||
container_scanning:
|
||||
variables:
|
||||
CS_DISABLE_DEPENDENCY_LIST: "true"
|
||||
CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
|
||||
CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
|
||||
CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning/grype:5"
|
||||
|
||||
docker-image-build:
|
||||
stage: build-image
|
||||
image: docker:20-git
|
||||
script:
|
||||
- docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest .
|
||||
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
|
||||
- docker image push $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
|
||||
rules:
|
||||
- if: $CI_COMMIT_BRANCH == "master"
|
||||
exists:
|
||||
- Dockerfile
|
||||
changes:
|
||||
- "*.py"
|
||||
- Dockerfile
|
||||
- requirements.txt
|
||||
- .gitlab-ci.yml
|
||||
|
||||
docker-image-nightly-build:
|
||||
stage: build-image
|
||||
image: docker:20-git
|
||||
script:
|
||||
- docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly .
|
||||
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
|
||||
- docker image push $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly
|
||||
rules:
|
||||
- if: $CI_COMMIT_BRANCH == "unsafe"
|
||||
exists:
|
||||
- Dockerfile
|
Loading…
Reference in New Issue