时间戳

首页 > 解决方案 > 使用 Gitlab CI 从 Master 扫描容器图像(带有标签的图像:最新)

gitlab - 使用 Gitlab CI 从 Master 扫描容器图像(带有标签的图像:最新)

问题描述

现在有没有人可以让我从 Gitlab 中的 Security/Container-Scanning.gitlab-ci.yml 扫描某个图像(= 指定名称)?

现在我的 gitlab-ci.yml 构建了一个以 commits_sha 作为版本和 latest 作为版本的容器。

image: docker:stable

stages:
  - verify
  - build
  - test

include:
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml


# https://hub.docker.com/r/gableroux/gitlab-ci-lint
lint-gitlab-ci:
  image: gableroux/gitlab-ci-lint
  stage: verify
  script:
    - gitlab-ci-lint .gitlab-ci.yml

# https://github.com/hadolint/hadolint
lint-dockerfile:
  image: hadolint/hadolint:latest-debian
  stage: verify
  script:
    - mkdir -p reports
    - hadolint -f gitlab_codeclimate Dockerfile > reports/hadolint-$(md5sum Dockerfile | cut -d" " -f1).json
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
    when: always
    reports:
      codequality:
        - "reports/*"
    paths:
      - "reports/*"

build-and-push-latest:
  stage: build
  when: on_success
  only:
    - master
  variables:
    IMAGE_LATEST: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:latest
    IMAGE_COMMIT_SHA: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  services:
    - docker:dind
  script:
    - docker info
    - docker login -u "gitlab-ci-token" -p "$CI_JOB_TOKEN" $CI_REGISTRY
    - docker build -t $IMAGE_LATEST .
    - docker push $IMAGE_LATEST
    - docker build -t $IMAGE_COMMIT_SHA .
    - docker push $IMAGE_COMMIT_SHA

build-and-push-snapshot:
  stage: build
  when: on_success
  except:
    - master
    - tags
  variables:
    IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  services:
    - docker:dind
  script:
    - docker info
    - docker login -u "gitlab-ci-token" -p "$CI_JOB_TOKEN" $CI_REGISTRY
    - docker build -t $IMAGE .
    - docker push $IMAGE

build-and-push-tag:
  stage: build
  when: on_success
  only:
    - tags
  except:
    - branches
  variables:
    IMAGE: $CI_REGISTRY_IMAGE/tags:$CI_COMMIT_REF_NAME
  services:
    - docker:dind
  script:
    - docker info
    - docker login -u "gitlab-ci-token" -p "$CI_JOB_TOKEN" $CI_REGISTRY
    - docker build -t $IMAGE .
    - docker push $IMAGE

Security/Container-Scanning.gitlab-ci.yml 扫描 commit_sha 版本。但我想将我的最新版本用于其他任务。这样最新的图像实际上是未扫描的。它应该与 commit_sha 版本相同。但不能保证。

对我来说,一个解决方案是在容器检查后重新标记图像。这样,管道将如下所示:

---(1)-------------(2)----------------------------(3)-------------(4)---------------(5)------------------
   verify tasks    build image "$CI_COMMIT_SHA    upload image    container scan    relabel as "latest"
   linter ...

当然,理想的解决方案是告诉 Security/Container-Scanning.gitlab-ci.yml 应该扫描的图像的名称。

标签: gitlabcontainersgitlab-ci

解决方案

推荐阅读