From d2f6b84b763c741cb64b64e900c7d144b8ea0c08 Mon Sep 17 00:00:00 2001
From: Eduardo Minguez
Date: Thu, 6 Oct 2022 16:19:15 +0200
Subject: [PATCH] Modified to fit the future blog post

We will use GitLab's container registry to store the image
---
 gitlab/new-scan-engine/.gitlab-ci.yml | 12 +++----
 gitlab/new-scan-engine/README.md | 50 +++++++++++++--------------
 2 files changed, 28 insertions(+), 34 deletions(-)

diff --git a/gitlab/new-scan-engine/.gitlab-ci.yml b/gitlab/new-scan-engine/.gitlab-ci.yml
index 125b5ae..02cb976 100644
--- a/gitlab/new-scan-engine/.gitlab-ci.yml
+++ b/gitlab/new-scan-engine/.gitlab-ci.yml
@@ -1,8 +1,5 @@
 variables:
- SYSDIG_SECURE_ENDPOINT: "https://us2.app.sysdig.com"
- CI_REGISTRY_HOST: "docker.io"
- CI_REGISTRY_NAME: "my-registry"
- CI_IMAGE_NAME: "my-image"
+ SYSDIG_SECURE_ENDPOINT: "https://eu1.app.sysdig.com"
 CI_IMAGE_TAG: "my-tag"
 
 stages:
@@ -16,7 +13,7 @@ image:build:
 name: gcr.io/kaniko-project/executor:debug
 entrypoint: [""]
 script:
- - /kaniko/executor --dockerfile Dockerfile --destination $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG --no-push --oci-layout-path $(pwd)/build/ --tarPath $(pwd)/build/$CI_IMAGE_TAG.tar
+ - /kaniko/executor --dockerfile Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_IMAGE_TAG --no-push --oci-layout-path $(pwd)/build/ --tarPath $(pwd)/build/$CI_IMAGE_TAG.tar
 artifacts:
 paths:
 - build/
@@ -46,8 +43,7 @@ image:push:
 name: gcr.io/go-containerregistry/crane:debug
 entrypoint: [""]
 script:
- - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY_HOST
- - crane push build/$CI_IMAGE_TAG.tar $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG
+ - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+ - crane push build/$CI_IMAGE_TAG.tar $CI_REGISTRY_IMAGE:$CI_IMAGE_TAG
 needs:
 - image:scan
-
diff --git a/gitlab/new-scan-engine/README.md b/gitlab/new-scan-engine/README.md
index d8e7bd1..082e5e1 100644
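Review bot: In the image:push script, the new `crane auth login` line still hands the registry credential over as a command-line argument via `-p $CI_REGISTRY_PASSWORD`, so it is readable from the process table inside the job container and would land in the log if shell tracing were ever enabled; by default the value is the job token, which GitLab masks in job logs, so the exposure is bounded, but crane can read the password from stdin instead. Consider `echo "$CI_REGISTRY_PASSWORD" | crane auth login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`, and quote the `$CI_REGISTRY_IMAGE:$CI_IMAGE_TAG` expansion on the `crane push` line in the same way. The `needs: - image:scan` dependency correctly keeps the push behind a successful scan, but the image:push job definition starts outside the hunk, so its `stage` and any `rules` limiting which branches may push cannot be confirmed here.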
--- a/gitlab/new-scan-engine/README.md +++ b/gitlab/new-scan-engine/README.md 
@@ -1,44 +1,42 @@ # GitLab CI Demo -In this demo we will use GitLab pipelines. We will need to split this pipeline into three different jobs +In this demo we will use GitLab CI/CD pipelines. We will need to split this pipeline into three different jobs: + 1. Kaniko: Tool used to build docker image 2. Sysdig-cli-scanner: Scan docker images for vulnerabilities using the new scan engine developed by Sysding in 2022 3. Crane: Push container image to a remote registry -## Setup -In GitLab repo settings add variables -`CI_REGISTRY_USER`: Docker username -`CI_REGISTRY_PASSWORD`: Docker user password -`SYSDIG_SECURE_TOKEN`: Sysdig Token +The pipeline leverages the GitLab's container registry to store the container image once the scan has been successfully completed. There are a few special CI/CD variables to use the Container registry (`CI_REGISTRY*`) that are populated automatically by GitLab so there is no need to specify them in our pipeline if we want to use it, cool! + +The [official documentation](https://docs.gitlab.com/ee/user/packages/container_registry/index.html#authenticate-by-using-gitlab-cicd) explains this in more detail but the following is an example of the variables' content once they are [automatically populated](https://docs.gitlab.com/ee/ci/variables/#list-all-environment-variables): -Modify the gitlab-ci.yml file to build the image ``` - CI_REGISTRY_HOST: "docker.io" - CI_REGISTRY_NAME: my-registry - CI_IMAGE_NAME: "my-image" - CI_IMAGE_TAG: "latest" +CI_REGISTRY="registry.example.com" +CI_REGISTRY_IMAGE="registry.example.com/gitlab-org/gitlab-foss" +CI_REGISTRY_USER="gitlab-ci-token" +CI_REGISTRY_PASSWORD="[masked]" ``` -The variables are to build the full image url -`$CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG` -We would expect -`docker.io/my-registry/my-image:latest` +## Setup -## Understanding the stages -In order to get around using Docker in docker, these additional stages are necessary +In the GitLab repo settings add the 
`SYSDIG_SECURE_TOKEN` variable to store the Sysdig Token. -There are three pipeline stages -1. Build -2. Scan -3. Push +Modify the `gitlab-ci.yml` file to replace the image tag if needed: + +``` +CI_IMAGE_TAG: "latest" +``` + +## Pipeline stages ### Build -The build stage is using Kaniko. We use a method to build the container to an oci format tarball, saved to the current working directory in `build/` directory. It is not pushed to a remote registry. -We then save the `build/` directory as an artifact. + +The build stage leverages Kaniko. The container is built as an OCI format tarball file in `$(pwd)/build/$CI_IMAGE_TAG.tar` and not pushed to a remote registry (it will be done only if the scan is successful). ### Scan -The scan stage is using `sysdig-cli-scanner`. This stage uses a the latest Sysdig scanning method documented here [Sysdig Secure - Vulnerabilities](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/) -We then save the `build/` directory as an artifact for the next step as well as the `report/` directory to review the PDF scan results later. + +The scan stage leverages `sysdig-cli-scanner`. This stage uses the latest Sysdig scanning method documented here [Sysdig Secure - Vulnerabilities](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/). ### Push -The push stage is using `crane`. It simply authenticates to your docker registry and pushes the conatiner from the Build stage to the remote registry + +The push stage uses `crane` to authenticate to the GitLab registry and to push the container image already built from the Build stage to the remote registry.