mirror of
https://github.com/NVIDIA/nvidia-container-toolkit
synced 2024-11-29 07:21:46 +00:00
Merge branch 'pulse-ci' into 'master'
[ci] use pulse instead of contamer for scans See merge request nvidia/container-toolkit/container-toolkit!65
This commit is contained in:
commit
dd5c0a94ad
@ -45,10 +45,10 @@ variables:
|
|||||||
# images.
|
# images.
|
||||||
.scan:
|
.scan:
|
||||||
stage: scan
|
stage: scan
|
||||||
|
image: "${PULSE_IMAGE}"
|
||||||
variables:
|
variables:
|
||||||
IMAGE: "${CI_REGISTRY_IMAGE}/container-toolkit:${CI_COMMIT_SHORT_SHA}-${DIST}"
|
IMAGE: "${CI_REGISTRY_IMAGE}/container-toolkit:${CI_COMMIT_SHORT_SHA}-${DIST}"
|
||||||
# SCAN_IMAGE must be a local image
|
IMAGE_ARCHIVE: "container-toolkit.tar"
|
||||||
SCAN_IMAGE: "container-toolkit:${CI_COMMIT_SHORT_SHA}-${DIST}"
|
|
||||||
rules:
|
rules:
|
||||||
- if: $CI_COMMIT_MESSAGE =~ /\[skip[ _-]scans?\]/i
|
- if: $CI_COMMIT_MESSAGE =~ /\[skip[ _-]scans?\]/i
|
||||||
when: never
|
when: never
|
||||||
@ -57,18 +57,25 @@ variables:
|
|||||||
- if: $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH != $RELEASE_DEVEL_BRANCH
|
- if: $CI_COMMIT_TAG == null && $CI_COMMIT_BRANCH != $RELEASE_DEVEL_BRANCH
|
||||||
allow_failure: true
|
allow_failure: true
|
||||||
before_script:
|
before_script:
|
||||||
- apk add --no-cache git
|
|
||||||
- apk add --no-cache python3 python3-dev py3-pip py3-wheel libmagic
|
|
||||||
- docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
|
- docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
|
||||||
# TODO: We should specify the architecture here and scan all architectures
|
# TODO: We should specify the architecture here and scan all architectures
|
||||||
- docker pull "${IMAGE}"
|
- docker pull "${IMAGE}"
|
||||||
- docker tag "${IMAGE}" "${SCAN_IMAGE}"
|
- docker save "${IMAGE}" -o "${IMAGE_ARCHIVE}"
|
||||||
- git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab-master.nvidia.com/sectooling/scanning/contamer.git
|
- AuthHeader=$(echo -n $SSA_CLIENT_ID:$SSA_CLIENT_SECRET | base64 -w0)
|
||||||
- pip3 install -r contamer/requirements.txt
|
- >
|
||||||
|
export SSA_TOKEN=$(curl --request POST --header "Authorization: Basic $AuthHeader" --header "Content-Type: application/x-www-form-urlencoded" ${SSA_ISSUER_URL} | jq ".access_token" | tr -d '"')
|
||||||
|
- if [ -z "$SSA_TOKEN" ]; then exit 1; else echo "SSA_TOKEN set!"; fi
|
||||||
script:
|
script:
|
||||||
- cd contamer
|
- pulse-cli -n $NSPECT_ID --pss $PSS_URL --ssa $SSA_TOKEN scan -i $IMAGE_ARCHIVE -p $CONTAINER_POLICY -o
|
||||||
- python3 contamer.py -ls --fail-on-non-os ${CONTAMER_SUPPRESS_VULNS:+--suppress-vulns ${CONTAMER_SUPPRESS_VULNS}} -- "${SCAN_IMAGE}"
|
artifacts:
|
||||||
|
when: always
|
||||||
|
expire_in: 1 week
|
||||||
|
paths:
|
||||||
|
- pulse-cli.log
|
||||||
|
- licenses.json
|
||||||
|
- sbom.json
|
||||||
|
- vulns.json
|
||||||
|
- policy_evaluation.json
|
||||||
|
|
||||||
# Define the scan targets
|
# Define the scan targets
|
||||||
scan-centos7:
|
scan-centos7:
|
||||||
|
Loading…
Reference in New Issue
Block a user