Commit 1a20a72e authored by Dmitriy Safronov's avatar Dmitriy Safronov

ci test

parent fb6b0662
+27 −206
@@ -4,21 +4,18 @@
variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
  CLUSTER_INTEGRATION_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
  CLUSTER_INTEGRATION_COMPONENTS: >-
    bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kics, kubesec, semgrep, gemnasium, gemnasium-maven, gemnasium-python,
    license-finder,
    dast, dast-runner-validation, api-security
  COMPONENTS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/gitlab-org/cluster-integration"
  COMPONENTS_LIST: auto-build-image, auto-deploy-image

  CLUSTER_INTEGRATION_DOWNLOAD_IMAGES: "true"
  CLUSTER_INTEGRATION_PUSH_IMAGES: "true"
  CLUSTER_INTEGRATION_SAVE_ARTIFACTS: "false"
  COMPONENTS_DOWNLOAD_IMAGES: "true"
  COMPONENTS_PUSH_IMAGES: "true"
  COMPONENTS_SAVE_ARTIFACTS: "false"

  CLUSTER_INTEGRATION_COMPONENT_VERSION: "2"
  COMPONENTS_COMPONENT_VERSION: ""

.download_images:
  allow_failure: true
  image: docker:stable
  image: ${DOCKER_IMAGE}
  only:
    refs:
      - branches
@@ -26,23 +23,25 @@ variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
  services:
    - docker:dind
    - name: "${DIND_IMAGE}"
      command: ['--tls=false', '--host=tcp://0.0.0.0:2375']
      alias: docker
  script:
    - docker info
    - env
    - if [ -z "$CLUSTER_INTEGRATION_IMAGE" ]; then export CLUSTER_INTEGRATION_IMAGE=${CLUSTER_INTEGRATION_IMAGE:-"${CLUSTER_INTEGRATION_PREFIX}/${CI_JOB_NAME}:${CLUSTER_INTEGRATION_COMPONENT_VERSION}"}; fi
    - docker pull --quiet ${CLUSTER_INTEGRATION_IMAGE}
    - if [ -z "$COMPONENTS_IMAGE" ]; then export COMPONENTS_IMAGE=${COMPONENTS_IMAGE:-"${COMPONENTS_PREFIX}/${CI_JOB_NAME}:${COMPONENTS_COMPONENT_VERSION}"}; fi
    - docker pull --quiet ${COMPONENTS_IMAGE}
    - mkdir -p output/$(dirname ${CI_JOB_NAME})
    - |
      if [ "$CLUSTER_INTEGRATION_SAVE_ARTIFACTS" = "true" ]; then
        docker save ${CLUSTER_INTEGRATION_IMAGE} | gzip > output/${CI_JOB_NAME}_${CLUSTER_INTEGRATION_COMPONENT_VERSION}.tar.gz
        sha256sum output/${CI_JOB_NAME}_${CLUSTER_INTEGRATION_COMPONENT_VERSION}.tar.gz > output/${CI_JOB_NAME}_${CLUSTER_INTEGRATION_COMPONENT_VERSION}.tar.gz.sha256sum
      if [ "$COMPONENTS_SAVE_ARTIFACTS" = "true" ]; then
        docker save ${COMPONENTS_IMAGE} | gzip > output/${CI_JOB_NAME}_${COMPONENTS_COMPONENT_VERSION}.tar.gz
        sha256sum output/${CI_JOB_NAME}_${COMPONENTS_COMPONENT_VERSION}.tar.gz > output/${CI_JOB_NAME}_${COMPONENTS_COMPONENT_VERSION}.tar.gz.sha256sum
      fi
    - |
      if [ "$CLUSTER_INTEGRATION_PUSH_IMAGES" = "true" ]; then
      if [ "$COMPONENTS_PUSH_IMAGES" = "true" ]; then
        docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
        docker tag ${CLUSTER_INTEGRATION_IMAGE} ${CI_REGISTRY_IMAGE}/${CI_JOB_NAME}:${CLUSTER_INTEGRATION_COMPONENT_VERSION}
        docker push ${CI_REGISTRY_IMAGE}/${CI_JOB_NAME}:${CLUSTER_INTEGRATION_COMPONENT_VERSION}
        docker tag ${COMPONENTS_IMAGE} ${CI_REGISTRY_IMAGE}/${CI_JOB_NAME}:${COMPONENTS_COMPONENT_VERSION}
        docker push ${CI_REGISTRY_IMAGE}/${CI_JOB_NAME}:${COMPONENTS_COMPONENT_VERSION}
      fi

  artifacts:
@@ -50,201 +49,23 @@ variables:
      - output/

#
# SAST jobs
# Cluster integration
#

bandit:
auto-build-image:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "2"
    COMPONENTS_COMPONENT_VERSION: "v1.51.0"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bbandit\b/
      - $COMPONENTS_DOWNLOAD_IMAGES == "true" &&
          $COMPONENTS_LIST =~ /\bauto-build-image\b/

brakeman:
auto-deploy-image:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "3"
    COMPONENTS_COMPONENT_VERSION: "v2.80.1"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bbrakeman\b/

gosec:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "3"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bgosec\b/

spotbugs:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "3"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bspotbugs\b/

flawfinder:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "3"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bflawfinder\b/

phpcs-security-audit:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "3"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bphpcs-security-audit\b/

security-code-scan:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "3"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bsecurity-code-scan\b/

nodejs-scan:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "3"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bnodejs-scan\b/

eslint:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "2"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\beslint\b/

secrets:
  extends: .download_images
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bsecrets\b/
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "4"

semgrep:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "3"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bsemgrep\b/

sobelow:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "3"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bsobelow\b/

pmd-apex:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "3"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bsecrets\b/

kubesec:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "3"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bkubesec\b/

#
# Dependency Scanning jobs
#

gemnasium:
  extends: .download_images
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bgemnasium\b/

gemnasium-maven:
  extends: .download_images
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bgemnasium-maven\b/

gemnasium-python:
  extends: .download_images
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bgemnasium-python\b/

#
# License Scanning
#

license-finder:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "3"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\blicense-finder\b/

#
# DAST
#

dast:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "2"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bdast\b/

dast-runner-validation:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "1"
    CLUSTER_INTEGRATION_IMAGE: "${CI_TEMPLATE_REGISTRY_HOST}/security-products/${CI_JOB_NAME}:${CLUSTER_INTEGRATION_COMPONENT_VERSION}"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bdast-runner-validation\b/

api-security:
  extends: .download_images
  variables:
    CLUSTER_INTEGRATION_COMPONENT_VERSION: "3"
  only:
    variables:
      - $CLUSTER_INTEGRATION_DOWNLOAD_IMAGES == "true" &&
          $CLUSTER_INTEGRATION_COMPONENTS =~ /\bapi-security\b/
      - $COMPONENTS_DOWNLOAD_IMAGES == "true" &&
          $COMPONENTS_LIST =~ /\bauto-deploy-image\b/
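Review bot: The `env` step near the top of the `.download_images` script (second hunk, right after `docker info`) dumps every CI variable into the job log; only variables explicitly flagged as masked are redacted, so any unmasked project- or group-level value (for example whatever feeds `DOCKER_IMAGE`/`DIND_IMAGE`, or registry credentials) becomes readable by anyone who can view the log. It reads as a debugging leftover of this "ci test" commit and should be dropped, or narrowed to the names the job actually computes, e.g. `- echo "CLUSTER_INTEGRATION_IMAGE=$CLUSTER_INTEGRATION_IMAGE COMPONENTS_IMAGE=$COMPONENTS_IMAGE"`. In the push block the token is still handed over on the command line with `docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY`, which docker itself warns is insecure; `echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin "$CI_REGISTRY"` keeps it out of process listings. The `.download_images` job starts in the first hunk, and neither `DOCKER_IMAGE` nor `DIND_IMAGE` is defined in the visible `variables:` block, so they presumably come from project settings — worth confirming, because an empty `image:` simply fails the job.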