From 47019ab5c39efc5ecc2a85cea18df97096d99445 Mon Sep 17 00:00:00 2001 From: Slava Date: Wed, 5 Mar 2025 22:17:01 +0000 Subject: [PATCH 1/3] Configure SAST in `.gitlab-ci.yml`, creating this file if it does not already exist --- .gitlab-ci.yml | 108 ++++++++++++++++++++++++++----------------------- 1 file changed, 58 insertions(+), 50 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 97cfd92..b4b43ce 100755 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -1,66 +1,74 @@ +# You can override the included template(s) by including variable overrides +# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings +# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/pipeline/#customization +# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings +# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings +# Note that environment variables can be set in several places +# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence workflow: rules: - - changes: - - proxy/**/* - - Dockerfile - - requirements.txt - when: always - - when: never - + - changes: + - proxy/**/* + - Dockerfile + - requirements.txt + when: always + - when: never stages: -# - test - - build - - pre_push - - push - -# test: -# stage: test -# image: python:3.11-alpine -# script: -# - pip install -q -r requirements.txt -# - pip install -q pytest~=8.3.5 -# - python -m unittest discover tests - +- build +- pre_push +- push +- test +- deploy +- review +- dast +- staging +- canary +- production +- incremental rollout 10% +- incremental rollout 25% +- incremental rollout 50% +- incremental rollout 100% +- performance +- cleanup build: - # needs: - # - test - stage: build script: - - docker build -t $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG . - - docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA - - docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:latest - + - docker build -t $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG . 
+ - docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA + - docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:latest pre_push: needs: - - build + - build stage: pre_push before_script: - - apk add --no-cache curl + - apk add --no-cache curl script: - - echo "Running container to test image" - - docker run -d --rm --name test_container $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG - - CONTAINER_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' test_container) - - | - echo "Waiting for the application to start..." - sleep 10 - if curl --fail http://$CONTAINER_IP:5050/health; then - echo "Healthcheck passed" - else - echo "Healthcheck failed, stopping push" - exit 1 - fi - - + - echo "Running container to test image" + - docker run -d --rm --name test_container $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG + - CONTAINER_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' + test_container) + - | + echo "Waiting for the application to start..." 
+ sleep 10 + if curl --fail http://$CONTAINER_IP:5050/health; then + echo "Healthcheck passed" + else + echo "Healthcheck failed, stopping push" + exit 1 + fi after_script: - - docker rm -f test_container - + - docker rm -f test_container push: needs: - - pre_push + - pre_push stage: push script: - - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin $CI_REGISTRY - - docker push $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA - - docker push $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG - - docker push $CI_REGISTRY/$CI_PROJECT_PATH:latest + - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin + $CI_REGISTRY + - docker push $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA + - docker push $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG + - docker push $CI_REGISTRY/$CI_PROJECT_PATH:latest +sast: + stage: test +include: +- template: Auto-DevOps.gitlab-ci.yml From 63e12f291a29e2d9e26c885b64c62f661efae1f6 Mon Sep 17 00:00:00 2001 From: Slava Date: Thu, 6 Mar 2025 08:38:46 +0000 Subject: [PATCH 2/3] Revert "Merge branch 'set-sast-config-1' into 'main'" This reverts merge request !3 --- .gitlab-ci.yml | 108 +++++++++++++++++++++++-------------------------- 1 file changed, 50 insertions(+), 58 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b4b43ce..97cfd92 100755 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
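Review bot: The new `sast` job, like every job the Auto DevOps include brings in, is still gated by the `workflow: rules` at the top of this hunk, which start a pipeline only when `proxy/**/*`, `Dockerfile` or `requirements.txt` change and otherwise fall through to `when: never`; `.gitlab-ci.yml` itself is not in that list, so this commit produces no pipeline in which the scanner can be seen running, and source changes outside `proxy/` are never scanned. Adding `- .gitlab-ci.yml` to the `changes:` list is the minimal fix; dropping the `when: never` fallback for the default branch is the broader one. The new `stages:` list (`deploy`, `review`, `dast`, `staging`, `canary`, `production`, the `incremental rollout` entries, `performance`, `cleanup`) shows that the whole `Auto-DevOps.gitlab-ci.yml` template is included rather than the SAST job alone; if the intent is only SAST, `- template: Jobs/SAST.gitlab-ci.yml` keeps the pipeline to the project's own jobs plus the scanner, and the `sast: stage: test` override should then be redundant once `test` is in `stages:`. The project's own `build` job also shares its name with the template's build job, so one definition overrides the other; it is worth confirming which image name the remaining Auto DevOps jobs expect, since this file tags `$CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA` rather than the template's convention.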
@@ -1,74 +1,66 @@ -# You can override the included template(s) by including variable overrides -# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings -# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/pipeline/#customization -# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings -# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings -# Note that environment variables can be set in several places -# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence workflow: rules: - - changes: - - proxy/**/* - - Dockerfile - - requirements.txt - when: always - - when: never + - changes: + - proxy/**/* + - Dockerfile + - requirements.txt + when: always + - when: never + stages: -- build -- pre_push -- push -- test -- deploy -- review -- dast -- staging -- canary -- production -- incremental rollout 10% -- incremental rollout 25% -- incremental rollout 50% -- incremental rollout 100% -- performance -- cleanup +# - test + - build + - pre_push + - push + +# test: +# stage: test +# image: python:3.11-alpine +# script: +# - pip install -q -r requirements.txt +# - pip install -q pytest~=8.3.5 +# - python -m unittest discover tests + build: + # needs: + # - test + stage: build script: - - docker build -t $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG . - - docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA - - docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:latest + - docker build -t $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG . 
+ - docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA + - docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:latest + pre_push: needs: - - build + - build stage: pre_push before_script: - - apk add --no-cache curl + - apk add --no-cache curl script: - - echo "Running container to test image" - - docker run -d --rm --name test_container $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG - - CONTAINER_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' - test_container) - - | - echo "Waiting for the application to start..." - sleep 10 - if curl --fail http://$CONTAINER_IP:5050/health; then - echo "Healthcheck passed" - else - echo "Healthcheck failed, stopping push" - exit 1 - fi + - echo "Running container to test image" + - docker run -d --rm --name test_container $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG + - CONTAINER_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' test_container) + - | + echo "Waiting for the application to start..." 
+ sleep 10 + if curl --fail http://$CONTAINER_IP:5050/health; then + echo "Healthcheck passed" + else + echo "Healthcheck failed, stopping push" + exit 1 + fi + + after_script: - - docker rm -f test_container + - docker rm -f test_container + push: needs: - - pre_push + - pre_push stage: push script: - - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin - $CI_REGISTRY - - docker push $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA - - docker push $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG - - docker push $CI_REGISTRY/$CI_PROJECT_PATH:latest -sast: - stage: test -include: -- template: Auto-DevOps.gitlab-ci.yml + - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin $CI_REGISTRY + - docker push $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA + - docker push $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG + - docker push $CI_REGISTRY/$CI_PROJECT_PATH:latest From 04cef1e4a19a4494cea776c2b15242e9cbcc4032 Mon Sep 17 00:00:00 2001 From: Slava Date: Thu, 6 Mar 2025 09:08:40 +0000 Subject: [PATCH 3/3] Update .gitlab-ci.yml file --- .gitlab-ci.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 97cfd92..17ffc1b 100755 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -8,9 +8,8 @@ workflow: - when: never stages: -# - test - build - - pre_push + - test - push # test: @@ -31,10 +30,10 @@ build: - docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_SHORT_SHA - docker tag $CI_REGISTRY/$CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG $CI_REGISTRY/$CI_PROJECT_PATH:latest -pre_push: +test: needs: - build - stage: pre_push + stage: test before_script: - apk add --no-cache curl script: @@ -57,7 +56,7 @@ pre_push: push: needs: - - pre_push + - test stage: push script: - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin $CI_REGISTRY
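Review bot: The live job renamed to `test` in the next hunk keeps the same name as the commented-out unit-test job `# test:` that begins at the last context line of this hunk; whoever uncomments that block later will create a duplicate top-level key, which most YAML parsers resolve silently as last-wins, so only one of the two jobs would run. Either delete the stale commented block now that a real `test` stage exists, or rename the health-check job to something like `smoke_test` so the two cannot collide; the rename hunk below touches only `needs:` and `stage:`, so the same applies there. Removing `# - test` from `stages:` is fine now that `- test` is a real stage.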
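Review bot: `push` now waits on `test`, but nothing restricts it to the default branch: the workflow rules at the top of the file start a pipeline on any ref whose changes touch `proxy/**/*`, `Dockerfile` or `requirements.txt`, so a push to any feature branch that passes the health check re-tags `$CI_REGISTRY/$CI_PROJECT_PATH:latest` (those push lines follow this hunk), and anyone deploying from `latest` picks up unreviewed code. Guard at least the `latest` push, e.g. `- if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then docker push $CI_REGISTRY/$CI_PROJECT_PATH:latest; fi`, or give the whole `push` job `rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` if per-branch images are not needed. The `docker login` with `--password-stdin` is the right form; the rest of the job's `script:` lies outside the hunk.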