在GitLab中将容器扫描添加到CI
所以我尝试在gitlab中设置容器扫描,我尝试了很多方法,但似乎都不起作用,我遗漏了什么 我的gitlab版本是:gitlab社区版12.9.4 计算机中的gitlab运行程序是:版本:12.10.2 这是我的.gitlab-ci.yml在GitLab中将容器扫描添加到CI,git,gitlab,gitlab-ci,Git,Gitlab,Gitlab Ci,所以我尝试在gitlab中设置容器扫描,我尝试了很多方法,但似乎都不起作用,我遗漏了什么 我的gitlab版本是:gitlab社区版12.9.4 计算机中的gitlab运行程序是:版本:12.10.2 这是我的.gitlab-ci.yml variables: vulnerable_tag: vulnerable non_vulnerable_tag: non_vulnerable IMAGE_NAME: test CLAIR_OUTPUT: High stages:
variables:
vulnerable_tag: vulnerable
non_vulnerable_tag: non_vulnerable
IMAGE_NAME: test
CLAIR_OUTPUT: High
stages:
- build
- test
build:
image: docker
stage: build
variables:
IMAGE_NAME: test
IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
script:
- uname -a
- docker build -t $IMAGE_NAME .
- docker run -d -p 80:80 $IMAGE_NAME
- docker ps
- curl localhost
- mkdir output
- echo $IMAGE_NAME"/"$CI_COMMIT_REF_SLUG":"$CI_COMMIT_SHA >> output/file.txt
tags:
- testingtag
# artifacts:
# paths:
# - output/
stop_container:
stage: test
script:
- docker stop $(docker ps -q)
是一个简单的nginx容器,它只显示一个普通的index.hmtl
我在.gitlab-ci.yml中尝试了所有不起作用的东西
include:
- template: Container-Scanning.gitlab-ci.yml
这就是文档所说的内容以及它应该如何工作,但是它抛出了一个错误:此GitLab CI配置无效:包含的文件`Container Scanning.GitLab CI.yml`为空或不存在
这不会抛出错误,但不会执行任何操作。链接是相同的Container-Scanning.gitlab-ci.yml,但为纯文本
最后,添加Container-Scanning.gitlab-ci.yml的内容作为作业
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
CS_MAJOR_VERSION: 2
container_scanning:
stage: test
image: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION
variables:
# By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
# to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
CLAIR_DB_IMAGE_TAG: "latest"
CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
# Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
# file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
# for details
GIT_STRATEGY: none
allow_failure: true
services:
- name: $CLAIR_DB_IMAGE
alias: clair-vulnerabilities-db
script:
- /analyzer run
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
dependencies: []
rules:
- if: $CONTAINER_SCANNING_DISABLED
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bcontainer_scanning\b/
CI只是跳过此作业,因为它不存在如果您检查模板的路径,它包括安全性,那么以下代码应该可以工作:
include:
- template: Securtiy/Container-Scanning.gitlab-ci.yml
GitLab community edition不包括容器扫描功能。目前,如前所述,它仅在Ultimate和Gold订阅中可用 此外,如果未检测到容器扫描功能(因为您正在运行community edition,所以不会检测到),CI config GitLab的这一部分将跳过整个扫描步骤:
rules:
- if: $CONTAINER_SCANNING_DISABLED
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bcontainer_scanning\b/
问题解决了吗?我也一样error@merla不,我做不到,经过一周的努力,我只是放弃了。请,下次提交后检查后,它已按您的要求正确格式化。
rules:
- if: $CONTAINER_SCANNING_DISABLED
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bcontainer_scanning\b/