.deepsource.toml

@@ -0,0 +1,23 @@
+version = 1
+
+[[analyzers]]
+name = "test-coverage"
+enabled = true
+
+[[analyzers]]
+name = "python"
+enabled = true
+
+  [analyzers.meta]
+  runtime_version = "3.x.x"
+
+[[analyzers]]
+name = "secrets"
+enabled = true
+
+[[analyzers]]
+name = "docker"
+enabled = true
+
+  [analyzers.meta]
+  dockerfile_paths = ["Dockerfile"]

.dockerignore

@@ -0,0 +1,5 @@
+.git
+.gitignore
+config.ini
+README.md
+TODO

.gitlab-ci.yml

@@ -0,0 +1,40 @@
+stages:
+  - test
+  - build-image
+  - post-test
+
+sast:
+  stage: test
+include:
+- template: Security/SAST.gitlab-ci.yml
+- template: Security/SAST-IaC.latest.gitlab-ci.yml
+- template: Security/Secret-Detection.gitlab-ci.yml
+- template: Security/Container-Scanning.gitlab-ci.yml
+
+docker-image-build:
+  stage: build-image
+  image: docker:20-git
+  script:
+    - docker build -t $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest .
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    - docker image push $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
+  rules:
+  - if: $CI_COMMIT_BRANCH == "master"
+    exists:
+    - Dockerfile
+    changes:
+    - "*.py"
+    - Dockerfile
+    - requirements.txt
+    - .gitlab-ci.yml
+
+container_scanning:
+  stage: post-test
+  variables:
+    CS_DISABLE_DEPENDENCY_LIST: "true"
+    CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
+    CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter
+    CI_APPLICATION_TAG: "latest"
+    CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
+    CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning/grype:5"
+    SECURE_LOG_LEVEL: "debug"

Dockerfile

@@ -1,6 +1,11 @@
 FROM python:3.10-alpine
-COPY . /app
+
 WORKDIR /app
-RUN pip install -r /app/requirements.txt
+
+COPY requirements.txt /app/requirements.txt
+
+RUN pip install -r /app/requirements.txt && rm /app/requirements.txt
+
+COPY . /app
 
 CMD ["python3", "-m", "mastoposter", "/config.ini"]