diff --git a/.nvidia-ci.yml b/.nvidia-ci.yml index 5f52749d..f3fddd0a 100644 --- a/.nvidia-ci.yml +++ b/.nvidia-ci.yml @@ -45,10 +45,10 @@ variables: # images. .scan: stage: scan + image: "${PULSE_IMAGE}" variables: IMAGE: "${CI_REGISTRY_IMAGE}/container-toolkit:${CI_COMMIT_SHORT_SHA}-${DIST}" - # SCAN_IMAGE must be a local image - SCAN_IMAGE: "container-toolkit:${CI_COMMIT_SHORT_SHA}-${DIST}" + IMAGE_ARCHIVE: "container-toolkit.tar" rules: - if: $CI_COMMIT_MESSAGE =~ /\[skip[ _-]scans?\]/i when: never @@ -57,18 +57,25 @@ variables: - if: $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH != $RELEASE_DEVEL_BRANCH allow_failure: true before_script: - - apk add --no-cache git - - apk add --no-cache python3 python3-dev py3-pip py3-wheel libmagic - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}" # TODO: We should specify the architecture here and scan all architectures - docker pull "${IMAGE}" - - docker tag "${IMAGE}" "${SCAN_IMAGE}" - - git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab-master.nvidia.com/sectooling/scanning/contamer.git - - pip3 install -r contamer/requirements.txt + - docker save "${IMAGE}" -o "${IMAGE_ARCHIVE}" + - AuthHeader=$(echo -n $SSA_CLIENT_ID:$SSA_CLIENT_SECRET | base64 -w0) + - > + export SSA_TOKEN=$(curl --request POST --header "Authorization: Basic $AuthHeader" --header "Content-Type: application/x-www-form-urlencoded" ${SSA_ISSUER_URL} | jq ".access_token" | tr -d '"') + - if [ -z "$SSA_TOKEN" ]; then exit 1; else echo "SSA_TOKEN set!"; fi script: - - cd contamer - - python3 contamer.py -ls --fail-on-non-os ${CONTAMER_SUPPRESS_VULNS:+--suppress-vulns ${CONTAMER_SUPPRESS_VULNS}} -- "${SCAN_IMAGE}" - + - pulse-cli -n $NSPECT_ID --pss $PSS_URL --ssa $SSA_TOKEN scan -i $IMAGE_ARCHIVE -p $CONTAINER_POLICY -o + artifacts: + when: always + expire_in: 1 week + paths: + - pulse-cli.log + - licenses.json + - sbom.json + - vulns.json + - policy_evaluation.json # Define the scan targets scan-centos7: