Configure SAST in .gitlab-ci.yml, creating this file if it does not already exist
108
.gitlab-ci.yml
108
.gitlab-ci.yml
@@ -1,66 +1,74 @@
|
|||||||
|
# You can override the included template(s) by including variable overrides
|
||||||
|
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
|
||||||
|
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/pipeline/#customization
|
||||||
|
# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
|
||||||
|
# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
|
||||||
|
# Note that environment variables can be set in several places
|
||||||
|
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
|
||||||
workflow:
|
workflow:
|
||||||
rules:
|
rules:
|
||||||
- changes:
|
- changes:
|
||||||
- proxy/**/*
|
- proxy/**/*
|
||||||
- Dockerfile
|
- Dockerfile
|
||||||
- requirements.txt
|
- requirements.txt
|
||||||
when: always
|
when: always
|
||||||
- when: never
|
- when: never
|
||||||
|
|
||||||
stages:
|
stages:
|
||||||
# - test
|
- build
|
||||||
- build
|
- pre_push
|
||||||
- pre_push
|
- push
|
||||||
- push
|
- test
|
||||||
|
- deploy
|
||||||
# test:
|
- review
|
||||||
# stage: test
|
- dast
|
||||||
# image: python:3.11-alpine
|
- staging
|
||||||
# script:
|
- canary
|
||||||
# - pip install -q -r requirements.txt
|
- production
|
||||||
# - pip install -q pytest~=8.3.5
|
- incremental rollout 10%
|
||||||
# - python -m unittest discover tests
|
- incremental rollout 25%
|
||||||
|
- incremental rollout 50%
|
||||||
|
- incremental rollout 100%
|
||||||
|
- performance
|
||||||
|
- cleanup
|
||||||
build:
|
build:
|
||||||
# needs:
|
|
||||||
# - test
|
|
||||||
|
|
||||||
stage: build
|
stage: build
|
||||||
script:
|
script:
|
||||||
- docker build -t $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG .
|
- docker build -t $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG .
|
||||||
- docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA
|
- docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA
|
||||||
- docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:latest
|
- docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:latest
|
||||||
|
|
||||||
pre_push:
|
pre_push:
|
||||||
needs:
|
needs:
|
||||||
- build
|
- build
|
||||||
stage: pre_push
|
stage: pre_push
|
||||||
before_script:
|
before_script:
|
||||||
- apk add --no-cache curl
|
- apk add --no-cache curl
|
||||||
script:
|
script:
|
||||||
- echo "Running container to test image"
|
- echo "Running container to test image"
|
||||||
- docker run -d --rm --name test_container $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG
|
- docker run -d --rm --name test_container $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG
|
||||||
- CONTAINER_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' test_container)
|
- CONTAINER_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}'
|
||||||
- |
|
test_container)
|
||||||
echo "Waiting for the application to start..."
|
- |
|
||||||
sleep 10
|
echo "Waiting for the application to start..."
|
||||||
if curl --fail http://$CONTAINER_IP:5050/health; then
|
sleep 10
|
||||||
echo "Healthcheck passed"
|
if curl --fail http://$CONTAINER_IP:5050/health; then
|
||||||
else
|
echo "Healthcheck passed"
|
||||||
echo "Healthcheck failed, stopping push"
|
else
|
||||||
exit 1
|
echo "Healthcheck failed, stopping push"
|
||||||
fi
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
after_script:
|
after_script:
|
||||||
- docker rm -f test_container
|
- docker rm -f test_container
|
||||||
|
|
||||||
push:
|
push:
|
||||||
needs:
|
needs:
|
||||||
- pre_push
|
- pre_push
|
||||||
stage: push
|
stage: push
|
||||||
script:
|
script:
|
||||||
- echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin $CI_REGISTRY
|
- echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin
|
||||||
- docker push $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA
|
$CI_REGISTRY
|
||||||
- docker push $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG
|
- docker push $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA
|
||||||
- docker push $CI_REGISTRY/$CI_PROJECT_PATH:latest
|
- docker push $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG
|
||||||
|
- docker push $CI_REGISTRY/$CI_PROJECT_PATH:latest
|
||||||
|
sast:
|
||||||
|
stage: test
|
||||||
|
include:
|
||||||
|
- template: Auto-DevOps.gitlab-ci.yml
|
||||||
|
|||||||
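Review bot: The `workflow: rules: changes` gate near the top of this hunk (unchanged context) only creates pipelines for pushes that touch `proxy/**/*`, `Dockerfile` or `requirements.txt`, so the SAST jobs pulled in by the new `include:` will not run for a push that changes anything else — this `.gitlab-ci.yml` edit itself should produce no pipeline at all; at minimum add `- .gitlab-ci.yml` to that `changes:` list, and consider a scheduled pipeline so the scanners still run when only the analyzer images have moved. The template being included is `Auto-DevOps.gitlab-ci.yml` rather than `Security/SAST.gitlab-ci.yml`, which brings in every job and stage that template defines (the added `review`/`dast`/`staging`/`canary`/`production`/`incremental rollout` stages appear to exist only to satisfy it) at whatever version the GitLab instance ships, so if the commit's intent is SAST alone, `- template: Security/SAST.gitlab-ci.yml` is the smaller, more reviewable change and the stages list can stay as it was plus `test`. Also the `docker inspect` and `docker login` commands are now split across two lines as plain scalars (`… '{{end}}'` / `test_container)` and `… --password-stdin` / `$CI_REGISTRY`); YAML folds each back into one command only while the continuation stays indented under its `-`, so writing them as `- >-` folded scalars would make the wrapping explicit and harder to break on the next edit.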