Merge branch 'docker_image_branch' into 'develop'

Docker image branch See merge request !13

Merge branch 'docker_image_branch' into 'develop'
0aabd6bc · (INACTIVE) Marcel Bajdel (new marcel.bajdel) · b47b09f2 · 49968af5 · 0aabd6bc · 0aabd6bc
Commit 0aabd6bc authored 1 year ago by (INACTIVE) Marcel Bajdel (new marcel.bajdel)
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
-stages:          # List of stages for jobs, and their order of execution
-  - initial_build # builds if the image does not exist
-  - build_main  # builds when the merge request is made into main
-  - build_tag  # builds when the tag is pushed
-  - test_main # tests when the merge request is made into main
+stages:       
+   # List of stages for jobs, and their order of execution
+  - build_branch # creates tarball of branch image
+  - branch_scan # Scan the tarball with trivy
+  - check_branch_image # Check whether the image is properly built
+  - build_develop  # builds when the merge request is made into development branch
  - test_latest # tests when the image with tag latest is pushed
+  - build_tag  # builds when the tag is pushed
  - test_tag  # tests when the tag is pushed

-initial_build:
-  stage: initial_build
+build_branch:  # Creating tarball for the each branch in the repository
+  stage: build_branch
  image: 
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
+    - mkdir tar_images
    # specify auths for kaniko executor
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
-    # check if dockers images exists
-    - if crane manifest $CI_REGISTRY_IMAGE:latest; then export DOCKER_LATEST_IMAGE_EXISTS=true; else export DOCKER_LATEST_IMAGE_EXISTS=false; fi
-    # if the image does not exist, build it
-    - if $DOCKER_LATEST_IMAGE_EXISTS=false; then /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:latest; else echo "Docker image already exists"; fi
-  rules: # if the image is pushed into main branch, the build_main job will run
-    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"'
+    # if the image does not exist and there are changes (excluding README.md), build it
+    - /kaniko/executor --context $CI_PROJECT_DIR --no-push --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_BRANCH --tarPath $CI_PROJECT_DIR/tar_images/$CI_COMMIT_BRANCH.tar
+  artifacts:
+    paths:
+      - tar_images
+    when: on_success
+    expire_in: 10 minutes
+  rules:
+    - exists:
+        - $CI_COMMIT_BRANCH
+    - changes:
+        - README.md
      when: never
+    - changes:
+        - '*'
+branch_scan: # Scan the tarball with trivy
+  stage: branch_scan
+  image:
+    name: docker.io/aquasec/trivy:latest
+    entrypoint: [""]
+  script:
+    - mkdir scan_result
+    - cd tar_images
+    - trivy image --timeout 15m --offline-scan --input $CI_COMMIT_BRANCH.tar -f json -o ../scan_result/$CI_COMMIT_BRANCH.json --severity CRITICAL
+  artifacts:
+    paths:
+      - scan_result # scan results
+    when: on_success
+    expire_in: 10 minutes
+
+check_branch_image: # check for vulnerabilities and validate with crane
+  stage: check_branch_image
+  image:
+    name: gcr.io/go-containerregistry/crane:debug
+    entrypoint: [""]
+  script:
+    - cd tar_images
+    - file_name=${CI_COMMIT_REF_NAME} # Assuming you want to use the branch name
+    - vulnerabilities=$(awk -F '[:,]' '/"Vulnerabilities"/ {gsub("[[:blank:]]+", "", $2); print $2}' "../scan_result/${file_name}.json")
+    - |
+      if [ -n "$vulnerabilities" ]; then
+        echo "There are security issues with the image ${file_name}.Dockerfile. Image is not pushed to registry!"
+        echo "Vulnerabilities found in ${file_name}.Dockerfile are: $vulnerabilities" > docker_latest_image.txt
+        crane validate --tarball "$file_name.tar"
+        echo "false" > docker_latest_image.txt
+        exit 1
+      else
+        echo "There are no security issues with the image ${file_name}.Dockerfile."
+        crane validate --tarball "$file_name.tar"
+        echo "true" > docker_latest_image.txt
+      fi
+  artifacts:
+    paths: # save the results 
+      - tar_images

-build_main: # This build will run only for main branch
-  stage: build_main 
+build_develop: # This build will run at the merge to develop
+  stage: build_develop 
  image: 
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
@@ -33,38 +83,11 @@ build_main: # This build will run only for main branch
    # build the image with tag latest if the merge request is made into main
    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:latest
  rules:
-    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"'
-
-build_tag: # This build will run only for tags
-  stage: build_tag
-  image: 
-    name: gcr.io/kaniko-project/executor:debug
-    entrypoint: [""]
-  only: # build only if a new tag is made
-    - tags
-  script:
-    # specify auths for kaniko executor  
-    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
-    # check if dockers images exists
-    - if crane manifest $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME; then export DOCKER_TAG_IMAGE_EXISTS=true; else export DOCKER_TAG_IMAGE_EXISTS=false; fi
-    # if the image does not exist, build it with the added tag
-    - if $DOCKER_TAG_IMAGE_EXISTS=false; then /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME; else echo "Docker image already exists"; fi
-
-test_main:
-  stage: test_main
-  image:
-    name: gcr.io/go-containerregistry/crane:debug
-    entrypoint: [""]
-  rules: # test only if the merge request is made into main
-    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"'
-  script:
-    # specify auths for crane executor
-    - if DOCKER_TAG_IMAGE_EXISTS=true; then echo "Docker image already exists"; else crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY; fi
-    # validate the image with tag latest
-    - if ! crane validate --remote $CI_REGISTRY_IMAGE:latest; then exit 1; fi > test_main.log
-  artifacts:
-    paths:
-      - test_main.log
+    - if: '$CI_COMMIT_BRANCH == "develop"'
+    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "develop"'
+    - changes:
+        - README.md
+      when: never

 test_latest: # This test will run only for tag latest
  stage: test_latest
@@ -73,15 +96,33 @@ test_latest: # This test will run only for tag latest
    entrypoint: [""]
  script:
    # specify auths for crane executor
-    - if DOCKER_TAG_IMAGE_EXISTS=true; then echo "Docker image already exists"; else crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY; fi
+    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    # validate the image with tag latest
    - if ! crane validate --remote $CI_REGISTRY_IMAGE:latest; then exit 1; fi > test_latest.log
  artifacts:
    paths:
      - test_latest.log
  rules: 
-    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"'
+    - if: '$CI_COMMIT_BRANCH == "develop"'
+    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "develop"'
+    - changes:
+        - README.md
      when: never
+  after_script:
+      - 'curl --request POST --form "token=glptt-eb00396b920d3a6043997b78714990b1fa0063ea" --form ref=pipeline_branch https://codebase.helmholtz.cloud/api/v4/projects/9922/trigger/pipeline'
+
+build_tag: # This build will run only for tags
+  stage: build_tag
+  image: 
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  only: # build only if a new tag is made
+    - tags
+  script:
+    # specify auths for kaniko executor  
+    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
+    # if the image does not exist, build it with the added tag
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME

 test_tag: # This test will run only for tags
  stage: test_tag
@@ -94,7 +135,7 @@ test_tag: # This test will run only for tags
    # specify auths for crane executor
    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    # validate the image with tag latest
-    - if ! crane validate --remote $CI_REGISTRY_IMAGE:$TAG; then exit 1; fi > test_tag.log
+    - if ! crane validate --remote $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME; then exit 1; fi > test_tag.log
  artifacts:
    paths:
      - test_tag.log

--- a/Dockerfile
+++ b/Dockerfile
@@ -34,7 +34,7 @@ RUN apt-get update -y && apt-get upgrade -y && \
    ssh-client \
    && rm -rf /var/lib/apt/lists/* \
    && busybox --install \
-## clean the apt's cache
+## clean the apt's cache 
    && apt-get clean \
    && rm -rf /var/cache/apt \
 ## create download repository

--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ Pipeline can be distinguished into two main branches: build and test.
 The build can be triggered either by a new tag or merge to the main branch. The tests validate the image and store the outcome in a .log file as an artifact. If the image with tag latest doesn't exist it will be build and pushed to the registry. 

 1. Use kaniko to build the image. ([kaniko](https://docs.gitlab.com/ee/ci/docker/using_kaniko.html))
-2. Do just a basic test to validate the image (manifest)
+2. Do just a basic test to validate the image (manifest).

 ## Building