GitLab CI templates for using the powerful ORT (OSS Review Toolkit) to analyze, scan, evaluate and advise on your code, with quite a lot of configuration options.
NOTE: TESTING THINGS; GIT HISTORY WILL BE RESET WHEN THE PROJECT IS "good enough" for an initial commit and has passed the experimental phase, so if you clone it, don't expect too much, and don't use it "for real" yet; things will break.
Prerequisites:
- A pre-built ORT CI Extensions image (see Extension Templates below for examples).
- A GitLab CI/CD variable $ORT_CI_DOCKER_IMAGE pointing to the above image.
After that, you can test it in a repo:

```yaml
include:
  - project: 'namespace/ort-ci-gitlab'
    file: '/ci-templates/.ort-scan-template.yml'

stages:
  - a stage...
  - ort-scan
  - another stage...
```
This should analyse the project and generate report artifacts in various formats.
For further configuration options, see the variables configuration doc or ci-templates/.ort-scan-template.yml, or check Run Pipeline to get an overview.
Run Pipeline Example Overview:
To the right of the finished Pipelines summary page, there is a dedicated section for artifacts. Here's a screenshot of something you might see:
There are a few example templates included; use and/or modify them to your needs.
- ci-templates/imagebuild/.ort-kaniko-build-template.yml - A basic Kaniko/Crane build example
- ci-templates/integration/.ort-post-bom-to-dependencytrack.yml - A basic example of posting a CycloneDX BoM to DependencyTrack.
If you have written extensions that are general and modular, or have improvements for existing ones, please submit them and they might be included too.
Prerequisites for the Kaniko build template:
- Environment variables:
  - IMAGE_REGISTRY_URI - URI of the registry to push the image to.
  - IMAGE_REGISTRY_USER - Image registry user.
  - IMAGE_REGISTRY_PASS - Image registry user password.
  - ORT_CI_BASE_REPO_URI - URI of the ort-ci-base repo (containing docker/Dockerfile.ci).
Example usage:

```yaml
include:
  - project: 'https://github.com/janderssonse/ort-ci-gitlab'
    file: '/ci-templates/imagebuild/.ort-kaniko-build-template.yml'

variables:
  IMAGE_REGISTRY_URI:
    value: $YOUR_REGISTRY_URI
    description: |
      URI of the registry to push the image to.
  IMAGE_REGISTRY_USER:
    value: $YOUR_REGISTRY_USER
    description: |
      Image registry user.
  IMAGE_REGISTRY_PASS:
    value: $YOUR_REGISTRY_USER_PASS
    description: |
      Image registry user password.
  ORT_CI_BASE_REPO_URI:
    value: https://github.com/janderssonse/ort-ci-base.git
    description: |
      URI of the ort-ci-base repo (containing docker/Dockerfile.ci).
```
Post a CycloneDX BOM to Dependency-Track
Prerequisites:
- Environment variables:
  - DEPENDENCY_TRACK_API_KEY - API key for the Dependency-Track API with the CREATE_PROJECT_UPLOAD permission (hint: see the default Automation team).
  - DEPENDENCY_TRACK_API_URL - URL of the Dependency-Track API, e.g. mydependencytrack.instance.org/api/v1.
Example usage:

```yaml
include:
  - project: 'namespace/ort-ci-gitlab'
    file: '/ci-templates/.ort-scan-template.yml'
  - project: 'namespace/ort-ci-gitlab'
    file: '/ci-templates/integration/.post-bom-to-dependencytrack.yml'

stages:
  - a stage...
  - ort-scan
  - upload-bom
  - another stage...
```
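To show what the upload-bom stage does with the two variables above, here is an added example (not the project's own template code) that sends an ORT-produced CycloneDX BOM to the Dependency-Track bom endpoint with the key in the X-Api-Key header. The BOM path, project name and version are passed in as arguments; the CI_PROJECT_NAME and CI_COMMIT_REF_NAME fallbacks are assumed defaults, and the key is never echoed.

```shell
#!/usr/bin/env sh
# Added example, not part of ort-ci-gitlab: upload a CycloneDX BOM to
# Dependency-Track using DEPENDENCY_TRACK_API_URL / DEPENDENCY_TRACK_API_KEY.
set -eu

# Fail early, without printing the key, if the required variables are missing.
dt_check_env() {
  [ -n "${DEPENDENCY_TRACK_API_URL:-}" ] || { echo "DEPENDENCY_TRACK_API_URL is not set" >&2; return 1; }
  [ -n "${DEPENDENCY_TRACK_API_KEY:-}" ] || { echo "DEPENDENCY_TRACK_API_KEY is not set" >&2; return 1; }
}

# Minimal JSON string escaping for project name/version (backslash and quote).
dt_json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the JSON body for PUT <api>/bom: the BOM file is base64-encoded and
# autoCreate lets the key create the project on first upload.
dt_build_payload() {
  bom_file=$1; name=$(dt_json_escape "$2"); version=$(dt_json_escape "$3")
  encoded=$(base64 < "$bom_file" | tr -d '\n')   # portable single-line base64
  printf '{"projectName":"%s","projectVersion":"%s","autoCreate":true,"bom":"%s"}' \
    "$name" "$version" "$encoded"
}

# Upload: dt_upload <bom-file> [project-name] [project-version]
# Defaults (assumed) come from GitLab's predefined CI variables.
dt_upload() {
  bom_file=$1
  name=${2:-${CI_PROJECT_NAME:-unknown}}
  version=${3:-${CI_COMMIT_REF_NAME:-unknown}}
  dt_check_env
  [ -r "$bom_file" ] || { echo "BOM file not readable: $bom_file" >&2; return 1; }
  dt_build_payload "$bom_file" "$name" "$version" |
    curl --fail --silent --show-error -X PUT "${DEPENDENCY_TRACK_API_URL%/}/bom" \
      -H "X-Api-Key: ${DEPENDENCY_TRACK_API_KEY}" \
      -H 'Content-Type: application/json' \
      --data-binary @-
}
```

In a CI job this would be called as `dt_upload path/to/bom.cyclonedx.json` after the ort-scan stage has produced the report artifact.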
TO-DO.
The project is using a few hygiene linters:
- MegaLinter - for shell, Markdown and other checks.
- Repolinter - for overall repo structure.
- commitlint - for conventional commit checks.
- REUSE Compliance Check - for REUSE specification compliance.
Before submitting a PR, please run these linters to avoid red checks. If forking on GitHub, you can adjust them to work for your fork in the .github/workflows files.
ORT CI GitLab follows the Contributor Covenant Code of Conduct.
Please also see the Contributor Guide.
The .ort-scan-template.yml is based on work [ort-gitlab-ci] done by the ORT project and is Copyright (C) 2020-2022 HERE Europe B.V.
ORT CI GitLab itself is under
See .reuse/dep5 and file headers for further information. Most other "scrap" files, text files etc. are under CC0-1.0, essentially Public Domain.
Thanks to the ORT (OSS Review Toolkit) Project for developing such a powerful tool. It fills a void in the SCA tool space.
- TO-DO