Commit 9b3f9534 authored by svwolter's avatar svwolter

Enable in container auditing

parent f90efc7e
Pipeline #39139 failed with stages
in 19 minutes and 53 seconds
image: node:16-bullseye-slim
#include:
# - template: Security/Container-Scanning.gitlab-ci.yml
variables:
REGISTRY: $CI_REGISTRY
REGISTRY_USER: $CI_REGISTRY_USER
......@@ -465,6 +468,32 @@ test-release-e2e-ui-edge-mobile:
- export $(grep -v '^#' .env.prod | xargs) && docker compose -f docker-compose.e2e.yml build --no-cache -q test-release-e2e-ui-edge-mobile
- docker compose -f docker-compose.e2e.yml up --exit-code-from test-release-e2e-ui-edge-mobile test-release-e2e-ui-edge-mobile
audit-app:
stage: test
rules:
- !reference [ .default_rules, rules ]
- if: $CI_COMMIT_TAG
when: never
script:
- npm audit --audit-level critical
audit-release:
stage: test
rules:
- if: $CI_COMMIT_TAG
needs:
- build-test-images
image: docker:20.10-git
services:
- docker:20.10-dind
before_script:
- docker pull ${CI_REGISTRY_IMAGE}/iqbberlin/personaldb-backend:${CI_COMMIT_SHA}
- docker pull ${CI_REGISTRY_IMAGE}/iqbberlin/personaldb-frontend:${CI_COMMIT_SHA}
script:
#- npm audit --audit-level critical
- docker run --entrypoint npm ${CI_REGISTRY_IMAGE}/iqbberlin/personaldb-backend:${CI_COMMIT_SHA} audit --audit-level critical
- docker run --entrypoint npm ${CI_REGISTRY_IMAGE}/iqbberlin/personaldb-frontend:${CI_COMMIT_SHA} audit --audit-level critical
lint-app:
stage: test
extends: .distributed
......@@ -528,6 +557,40 @@ build-docker-db:
after_script:
- docker logout $REGISTRY
#container_scanning:
# variables:
# CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/$CI_DEFAULT_BRANCH:$CI_COMMIT_SHA
scan-docker-db:
stage: packetize
image: docker:20.10-git
services:
- docker:20.10-dind
rules:
- if: $CI_COMMIT_TAG
when: never
- if: $CI_COMMIT_BRANCH == "main"
changes:
- scripts/db/Dockerfile
- scripts/db/conf/*
- scripts/db/init/*
- if: $CI_COMMIT_BRANCH == "develop"
changes:
- scripts/db/Dockerfile
- scripts/db/conf/*
- scripts/db/init/*
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
changes:
- scripts/db/Dockerfile
- scripts/db/conf/*
- scripts/db/init/*
needs:
- build-docker-db
before_script:
- export TAG=$(git rev-parse --short HEAD)
script:
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --exit-code 1 --security-checks vuln --ignore-unfixed --severity CRITICAL ${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-db:${TAG}
build-docker-app:
stage: packetize
extends: .distributed
......@@ -546,6 +609,7 @@ build-docker-app:
- test-app-e2e-ui-firefox-mobile
- test-app-e2e-ui-edge
- test-app-e2e-ui-edge-mobile
- audit-app
- lint-app
image: docker:20.10-git
services:
......@@ -560,6 +624,46 @@ build-docker-app:
after_script:
- docker logout $REGISTRY
scan-docker-app:
stage: packetize
extends: .distributed
rules:
- !reference [ .default_rules, rules ]
- if: $CI_COMMIT_TAG
when: never
needs:
- install-dependencies
- build-docker-app
image: docker:20.10-git
services:
- docker:20.10-dind
before_script:
- apk add --no-cache npm
- npm i -g npx
- export TAG=$(git rev-parse --short HEAD)
script:
- npx nx affected --base=HEAD~1 --target=docker-scan --registry=$REGISTRY --registryProject=$REGISTRY_PROJECT --tag=$TAG
scan-docker-release:
stage: test
#extends: .distributed
rules:
- if: $CI_COMMIT_TAG
needs:
#- install-dependencies
- build-test-images
image: docker:20.10-git
services:
- docker:20.10-dind
before_script:
- docker pull ${CI_REGISTRY_IMAGE}/iqbberlin/personaldb-backend:${CI_COMMIT_SHA}
- docker pull ${CI_REGISTRY_IMAGE}/iqbberlin/personaldb-frontend:${CI_COMMIT_SHA}
- docker pull -q aquasec/trivy:0.29.2
script:
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --exit-code 1 --security-checks vuln --ignore-unfixed --severity CRITICAL ${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-db:${CI_COMMIT_SHA}
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --exit-code 1 --security-checks vuln --ignore-unfixed --severity CRITICAL ${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-backend:${CI_COMMIT_SHA}
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --exit-code 1 --security-checks vuln --ignore-unfixed --severity CRITICAL ${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-frontend:${CI_COMMIT_SHA}
build-docker-release:
stage: packetize
#extends: .distributed
......@@ -568,14 +672,16 @@ build-docker-release:
needs:
#- install-dependencies
- test-release
- test-release-e2e
- test-release-e2e-ui-chrome
- test-release-e2e-ui-chrome-mobile
- test-release-e2e-ui-firefox
- test-release-e2e-ui-firefox-mobile
- test-release-e2e-ui-edge
- test-release-e2e-ui-edge-mobile
- lint-release
#- test-release-e2e
#- test-release-e2e-ui-chrome
#- test-release-e2e-ui-chrome-mobile
#- test-release-e2e-ui-firefox
#- test-release-e2e-ui-firefox-mobile
#- test-release-e2e-ui-edge
#- test-release-e2e-ui-edge-mobile
- audit-release
#- scan-docker-release
#- lint-release
image: docker:20.10-git
services:
- docker:20.10-dind
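Review bot: scan-docker-release scans `personaldb-db:${CI_COMMIT_SHA}` but its before_script pulls only the backend and frontend images, and the pulls use `${CI_REGISTRY_IMAGE}/iqbberlin/...` while the trivy commands use `${REGISTRY}${REGISTRY_PROJECT}iqbberlin/...`; unless both prefixes expand to the same string, trivy is handed a reference that was never pulled and presumably has to fetch it itself with whatever credentials the dind daemon holds. Add `- docker pull ${CI_REGISTRY_IMAGE}/iqbberlin/personaldb-db:${CI_COMMIT_SHA}` to the before_script and use one reference form for both pull and scan. The job is also left out of build-docker-release's needs (`#- scan-docker-release`), so a CRITICAL finding in the release images does not block the release build; if that is meant as a soft-fail for now, a comment on the needs entry saying so would help. The `-v $HOME/Library/Caches:/root/.cache/` mount here and in scan-docker-db is a macOS path; on the `docker:20.10-git` job image that directory will not exist, so the scanner cache is likely cold on every run.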
......
BASE_DIR := $(shell git rev-parse --show-toplevel)
include $(BASE_DIR)/scripts/make/audit.mk
include $(BASE_DIR)/scripts/make/dev.mk
include $(BASE_DIR)/scripts/make/lint.mk
include $(BASE_DIR)/scripts/make/prod.mk
include $(BASE_DIR)/scripts/make/push.mk
include $(BASE_DIR)/scripts/make/scan.mk
include $(BASE_DIR)/scripts/make/test.mk
......@@ -73,6 +73,12 @@
],
"parallel": false
}
},
"docker-scan": {
"builder": "@nrwl/workspace:run-commands",
"options": {
"command": "docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --exit-code 1 --security-checks vuln --ignore-unfixed --severity CRITICAL {args.registry}{args.registryProject}iqbberlin/personaldb-backend:{args.tag}"
}
}
}
},
......@@ -219,6 +225,12 @@
],
"parallel": false
}
},
"docker-scan": {
"builder": "@nrwl/workspace:run-commands",
"options": {
"command": "docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --exit-code 1 --security-checks vuln --ignore-unfixed --severity CRITICAL {args.registry}{args.registryProject}iqbberlin/personaldb-frontend:{args.tag}"
}
}
},
"tags": []
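Review bot: Both new docker-scan commands (this hunk and the earlier one for personaldb-backend) hard-code the macOS cache path `$HOME/Library/Caches:/root/.cache/` and the scanner pin `aquasec/trivy:0.29.2`, which are repeated again in .gitlab-ci.yml and scan.mk; when scan-docker-app runs this target from the `docker:20.10-git` job image the mount source is unlikely to exist, so the cache is probably cold each run. Passing the cache directory and scanner image as arguments, e.g. `{args.cache}` alongside `{args.tag}`, and setting them once at the call site in .gitlab-ci.yml would stop the copies drifting apart. A pinned scanner release also ages (the DB is fetched fresh, scanner fixes are not), so the pin needs a periodic bump; since JSON cannot carry a comment, record that in the CI job that invokes the target.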
......
.PHONY: audit-app audit-backend audit-frontend
audit-app: audit-backend audit-frontend ## Run all audits (only in combination with 'make dev-run')
audit-backend: ## Run backend audit (only in combination with 'make dev-run')
docker exec -it personaldb-backend npm audit --audit-level critical
audit-frontend: ## Run frontend audit (only in combination with 'make dev-run')
docker exec -it personaldb-frontend npm audit --audit-level critical
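Review bot: `docker exec -it` in audit-backend and audit-frontend requests a TTY, so `make audit-app` fails with "the input device is not a TTY" whenever make runs without a terminal (CI, cron, piped output); npm audit needs neither stdin nor a TTY, so `docker exec personaldb-backend npm audit --audit-level critical` is sufficient. The `##` help marker used here differs from the single `#` on the scan-* targets in scan.mk; if a help target greps for `##`, only the audit targets will be listed.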
.PHONY: scan-db scan-backend scan-frontend scan-app
scan-db: # scans db image for security vulnerabilities
docker build --pull -f scripts/db/Dockerfile --target=prod --no-cache --rm -t scm.cms.hu-berlin.de:4567/iqb/personaldb/iqbberlin/personaldb-db:latest .
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${HOME}/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --security-checks vuln --ignore-unfixed --severity CRITICAL scm.cms.hu-berlin.de:4567/iqb/personaldb/iqbberlin/personaldb-db:latest
scan-backend: # scans backend image for security vulnerabilities
docker build --pull -f apps/api/Dockerfile --build-arg project=api --target=prod --no-cache --rm -t scm.cms.hu-berlin.de:4567/iqb/personaldb/iqbberlin/personaldb-backend:latest .
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${HOME}/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --security-checks vuln --ignore-unfixed --severity CRITICAL scm.cms.hu-berlin.de:4567/iqb/personaldb/iqbberlin/personaldb-backend:latest
scan-frontend: # scans frontend image for security vulnerabilities
docker build --pull -f apps/frontend/Dockerfile --build-arg project=frontend --target=prod --no-cache --rm -t scm.cms.hu-berlin.de:4567/iqb/personaldb/iqbberlin/personaldb-frontend:latest .
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${HOME}/Library/Caches:/root/.cache/ aquasec/trivy:0.29.2 image --security-checks vuln --ignore-unfixed --severity CRITICAL scm.cms.hu-berlin.de:4567/iqb/personaldb/iqbberlin/personaldb-frontend:latest
scan-app: scan-db scan-backend scan-frontend # scans application images for security vulnerabilities
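Review bot: None of the three trivy invocations passes `--exit-code 1`, so `make scan-app` exits 0 even when CRITICAL vulnerabilities are reported, unlike the CI jobs in .gitlab-ci.yml that fail on findings; add it after `image` in each recipe, e.g. `... aquasec/trivy:0.29.2 image --exit-code 1 --security-checks vuln ...`. The registry prefix `scm.cms.hu-berlin.de:4567/iqb/personaldb/` is hard-coded six times where the CI uses `${REGISTRY}${REGISTRY_PROJECT}`; a single Make variable would keep the local and CI image names in step. Each build also uses `--no-cache`; if that is deliberate so the scan sees freshly pulled base layers, a comment such as `# --no-cache: rebuild from fresh base layers before scanning` on the target would record the intent.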