gitlab - 使用 Gitlab CI 从 Master 扫描容器图像(带有标签的图像:最新)
问题描述
现在有没有人可以让我从 Gitlab 中的 Security/Container-Scanning.gitlab-ci.yml 扫描某个图像(= 指定名称)?
现在我的 gitlab-ci.yml 构建了一个以 commits_sha 作为版本和 latest 作为版本的容器。
image: docker:stable
stages:
- verify
- build
- test
include:
- template: Security/License-Scanning.gitlab-ci.yml
- template: Security/Container-Scanning.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml
# https://hub.docker.com/r/gableroux/gitlab-ci-lint
lint-gitlab-ci:
image: gableroux/gitlab-ci-lint
stage: verify
script:
- gitlab-ci-lint .gitlab-ci.yml
# https://github.com/hadolint/hadolint
lint-dockerfile:
image: hadolint/hadolint:latest-debian
stage: verify
script:
- mkdir -p reports
- hadolint -f gitlab_codeclimate Dockerfile > reports/hadolint-$(md5sum Dockerfile | cut -d" " -f1).json
artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 day
when: always
reports:
codequality:
- "reports/*"
paths:
- "reports/*"
build-and-push-latest:
stage: build
when: on_success
only:
- master
variables:
IMAGE_LATEST: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:latest
IMAGE_COMMIT_SHA: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
services:
- docker:dind
script:
- docker info
- docker login -u "gitlab-ci-token" -p "$CI_JOB_TOKEN" $CI_REGISTRY
- docker build -t $IMAGE_LATEST .
- docker push $IMAGE_LATEST
- docker build -t $IMAGE_COMMIT_SHA .
- docker push $IMAGE_COMMIT_SHA
build-and-push-snapshot:
stage: build
when: on_success
except:
- master
- tags
variables:
IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
services:
- docker:dind
script:
- docker info
- docker login -u "gitlab-ci-token" -p "$CI_JOB_TOKEN" $CI_REGISTRY
- docker build -t $IMAGE .
- docker push $IMAGE
build-and-push-tag:
stage: build
when: on_success
only:
- tags
except:
- branches
variables:
IMAGE: $CI_REGISTRY_IMAGE/tags:$CI_COMMIT_REF_NAME
services:
- docker:dind
script:
- docker info
- docker login -u "gitlab-ci-token" -p "$CI_JOB_TOKEN" $CI_REGISTRY
- docker build -t $IMAGE .
- docker push $IMAGE
Security/Container-Scanning.gitlab-ci.yml 扫描 commit_sha 版本。但我想将我的最新版本用于其他任务。这样最新的图像实际上是未扫描的。它应该与 commit_sha 版本相同。但不能保证。
对我来说,一个解决方案是在容器检查后重新标记图像。这样,管道将如下所示:
---(1)-------------(2)----------------------------(3)-------------(4)---------------(5)------------------
verify tasks build image "$CI_COMMIT_SHA upload image container scan relabel as "latest"
linter ...
当然,理想的解决方案是告诉 Security/Container-Scanning.gitlab-ci.yml 应该扫描的图像的名称。
解决方案
推荐阅读
- python - 如何在 smtplib 中更改字体
- javascript - 当我尝试使用 if 语句过滤它们时,显示从 JavaScript 到 HTML 的数据,加载并在 1 秒后消失。为什么?
- r - 绘制决策树分类器
- azure - Spark, wasb and Jetty 11
- spring-boot-gradle-plugin - no suitable constructor found for File(String)
- r - Filter columns based on the list of columns and list of values
- postgresql - .NET Library to Parse/Modify/Reconstruct SQL Statement
- javascript - Earth Engine 将特征属性添加到 ImageCollection
- python - Replace Acronyms with their values Python
- html - How do I stop the screen from jumping when clicking Accordion Menu?