Adding tests

df78fcc0 · (INACTIVE) Marcel Bajdel (new marcel.bajdel) · 2e0e108c · df78fcc0
Commit df78fcc0 authored 1 year ago by (INACTIVE) Marcel Bajdel (new marcel.bajdel)
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
 stages:       
   # List of stages for jobs, and their order of execution
-  - check_image_branch # Check whether the image is already existing or not for the branch
  - build_branch # builds if the image does not exist
  - build_main  # builds when the merge request is made into main
-  - check_image_tag # Check whether the image is already existing or not for the tag
+  - branch_scan # Check whether the image is already existing or not for the tag
  - build_tag  # builds when the tag is pushed
  - test_main # tests when the merge request is made into main
  - test_latest # tests when the image with tag latest is pushed
  - test_tag  # tests when the tag is pushed

-check_image_branch: # Check whether the image is already existing or not 
-  stage: check_image_branch
-  image:
-    name: gcr.io/go-containerregistry/crane:debug
-    entrypoint: [""]
-  script:
-    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - if crane manifest $CI_REGISTRY_IMAGE:$CI_COMMIT_BRANCH; then echo "true" > docker_latest_image.txt; else echo "false" > docker_latest_image.txt; fi
-  artifacts:
-    paths:
-      - docker_latest_image.txt
-
 build_branch:
  stage: build_branch
  image: 
@@ -35,6 +22,8 @@ build_branch:
  artifacts:
    paths:
      - tar_images
+    when: on_success
+    expire_in: 10 minutes
  rules:
    - exists:
        - CI_COMMIT_BRANCH
@@ -44,6 +33,54 @@ build_branch:
    - changes:
        - '*'
        
+check_image_tag: # Check whether the image is already existing or not for the tag
+  stage: check_image_tag
+  image:
+    name: gcr.io/go-containerregistry/crane:debug
+    entrypoint: [""]
+  script:
+    - cd tar_images
+    - |
+        for tar_image in *.tar; 
+        do 
+          file_name=${tar_image%.*};
+          vulnerabilities=`awk  -F '[:,]' '/"Vulnerabilities"/ {gsub("[[:blank:]]+", "", $2); print $2}' ../scan_result/$file_name.json`; # find vulnerabilities in json file
+          if ! [ -z "$vulnerabilities" ]; then # if vulnerabilities found in image
+            echo "There are security issues with the image $img.Dockerfile. Image is not pushed to registry!";
+            echo "Vulnerabilities found in $img.Dockerfile are: $vulnerabilities"; > docker_latest_image.txt
+            crane validate $file_name; then echo "true" > docker_latest_image.txt; else echo "false" > docker_latest_image.txt; fi
+          else # push image
+            echo "There are no security issues with the image $img.Dockerfile.";
+          fi
+        done
+  artifacts:
+    paths:
+      - docker_latest_image.txt
+
+branch_scan:
+  stage: branch_scan
+  image:
+    name: trivy
+    entrypoint: [""]
+  script:
+    - mkdir scan_result
+    - cd tar_images
+    - |
+      for tar_image in *.tar; 
+      do
+        [ -e "$tar_image" ] || continue;
+        file_name=${tar_image%.*};
+        echo $file_name;
+        if [ "$vulnerability_scanner" = "trivy" ]; then
+          trivy image --timeout 15m --offline-scan --input $tar_image -f json -o ../scan_result/$file_name.json --severity CRITICAL;
+         fi
+      done
+  artifacts:
+    paths:
+      - scan_result
+    expire_in: 10 minutes
+  
+
 build_main: # This build will run only for main branch
  stage: build_main 
  image: 
@@ -57,19 +94,6 @@ build_main: # This build will run only for main branch
  rules:
    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"'

-check_image_tag: # Check whether the image is already existing or not for the tag
-  stage: check_image_tag
-  image:
-    name: gcr.io/go-containerregistry/crane:debug
-    entrypoint: [""]
-  script:
-    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - if crane validate --remote $CI_REGISTRY_IMAGE:$CI_COMMIT_BRANCH; then echo "true" > docker_latest_image.txt; else echo "false" > docker_latest_image.txt; fi
-    - crane delete $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
-  artifacts:
-    paths:
-      - docker_latest_image.txt
-
 build_tag: # This build will run only for tags
  stage: build_tag
  image: