UniqAI/nvidia-container-toolkit
1
0
Fork 0
mirror of https://github.com/NVIDIA/nvidia-container-toolkit synced 2024-11-25 05:21:33 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

[ci] use pulse instead of contamer for scans

Browse Source 
Signed-off-by: Christopher Desiniotis <cdesiniotis@nvidia.com>
This commit is contained in:
Christopher Desiniotis 2021-10-27 17:26:46 -07:00
parent 55328126c6
commit 93ecf3aeaf
1 changed files with 17 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
.nvidia-ci.yml
View File

@ -45,10 +45,10 @@ variables:
# images. # images.
.scan: .scan:
stage: scan stage: scan
image: "${PULSE_IMAGE}"
variables: variables:
IMAGE: "${CI_REGISTRY_IMAGE}/container-toolkit:${CI_COMMIT_SHORT_SHA}-${DIST}" IMAGE: "${CI_REGISTRY_IMAGE}/container-toolkit:${CI_COMMIT_SHORT_SHA}-${DIST}"
# SCAN_IMAGE must be a local image IMAGE_ARCHIVE: "container-toolkit.tar"
SCAN_IMAGE: "container-toolkit:${CI_COMMIT_SHORT_SHA}-${DIST}"
rules: rules:
- if: $CI_COMMIT_MESSAGE =~ /\[skip[ _-]scans?\]/i - if: $CI_COMMIT_MESSAGE =~ /\[skip[ _-]scans?\]/i
when: never when: never
@ -57,18 +57,25 @@ variables:
- if: $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH != $RELEASE_DEVEL_BRANCH - if: $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH != $RELEASE_DEVEL_BRANCH
allow_failure: true allow_failure: true
before_script: before_script:
- apk add --no-cache git
- apk add --no-cache python3 python3-dev py3-pip py3-wheel libmagic
- docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}" - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
# TODO: We should specify the architecture here and scan all architectures # TODO: We should specify the architecture here and scan all architectures
- docker pull "${IMAGE}" - docker pull "${IMAGE}"
- docker tag "${IMAGE}" "${SCAN_IMAGE}" - docker save "${IMAGE}" -o "${IMAGE_ARCHIVE}"
- git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab-master.nvidia.com/sectooling/scanning/contamer.git - AuthHeader=$(echo -n $SSA_CLIENT_ID:$SSA_CLIENT_SECRET | base64 -w0)
- pip3 install -r contamer/requirements.txt - >
export SSA_TOKEN=$(curl --request POST --header "Authorization: Basic $AuthHeader" --header "Content-Type: application/x-www-form-urlencoded" ${SSA_ISSUER_URL} | jq ".access_token" | tr -d '"')
- if [ -z "$SSA_TOKEN" ]; then exit 1; else echo "SSA_TOKEN set!"; fi
script: script:
- cd contamer - pulse-cli -n $NSPECT_ID --pss $PSS_URL --ssa $SSA_TOKEN scan -i $IMAGE_ARCHIVE -p $CONTAINER_POLICY -o
- python3 contamer.py -ls --fail-on-non-os ${CONTAMER_SUPPRESS_VULNS:+--suppress-vulns ${CONTAMER_SUPPRESS_VULNS}} -- "${SCAN_IMAGE}" artifacts:
when: always
expire_in: 1 week
paths:
- pulse-cli.log
- licenses.json
- sbom.json
- vulns.json
- policy_evaluation.json
# Define the scan targets # Define the scan targets
scan-centos7: scan-centos7: