Merged
12 changes: 4 additions & 8 deletions gitlab/new-scan-engine/.gitlab-ci.yml
@@ -1,8 +1,5 @@
variables:
SYSDIG_SECURE_ENDPOINT: "https://us2.app.sysdig.com"
CI_REGISTRY_HOST: "docker.io"
CI_REGISTRY_NAME: "my-registry"
CI_IMAGE_NAME: "my-image"
SYSDIG_SECURE_ENDPOINT: "https://eu1.app.sysdig.com"
CI_IMAGE_TAG: "my-tag"

stages:
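Review bot: the switch of `SYSDIG_SECURE_ENDPOINT` from `https://us2.app.sysdig.com` to `https://eu1.app.sysdig.com` is a functional change unrelated to dropping the hardcoded `CI_REGISTRY_HOST` / `CI_REGISTRY_NAME` / `CI_IMAGE_NAME` variables, and nothing in the diff records why it was made; the `SYSDIG_SECURE_TOKEN` stored in the project has to belong to the same region or the scan job will fail to authenticate. Either split the endpoint change into its own commit or add a YAML comment next to the variable stating that it must match the region the token was issued for.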
@@ -16,7 +13,7 @@ image:build:
name: gcr.io/kaniko-project/executor:debug
entrypoint: [""]
script:
- /kaniko/executor --dockerfile Dockerfile --destination $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG --no-push --oci-layout-path $(pwd)/build/ --tarPath $(pwd)/build/$CI_IMAGE_TAG.tar
- /kaniko/executor --dockerfile Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_IMAGE_TAG --no-push --oci-layout-path $(pwd)/build/ --tarPath $(pwd)/build/$CI_IMAGE_TAG.tar
artifacts:
paths:
- build/
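Review bot: the `artifacts:` block keeps `paths: - build/` with no `expire_in`, so every pipeline retains the full OCI tarball for the default artifact retention period even though the image is also pushed to the registry once the scan passes; a short `expire_in` (for example `1 day`) is appropriate here. The `--destination $CI_REGISTRY_IMAGE:$CI_IMAGE_TAG` reference is consistent with what `image:push` later pushes, which is what matters with `--no-push` since the destination only names the image inside the tarball.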
@@ -46,8 +43,7 @@ image:push:
name: gcr.io/go-containerregistry/crane:debug
entrypoint: [""]
script:
- crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY_HOST
- crane push build/$CI_IMAGE_TAG.tar $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG
- crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- crane push build/$CI_IMAGE_TAG.tar $CI_REGISTRY_IMAGE:$CI_IMAGE_TAG
needs:
- image:scan
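Review bot: `crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY` passes the registry token as a command-line argument, where it is visible to every other process in the job container via the process list and can surface in shell trace output; prefer reading it from stdin, e.g. `echo "$CI_REGISTRY_PASSWORD" | crane auth login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. Quoting the variables also guards against values containing whitespace. The `needs: - image:scan` dependency correctly ensures nothing is pushed unless the scan job succeeded.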

50 changes: 24 additions & 26 deletions gitlab/new-scan-engine/README.md
@@ -1,44 +1,42 @@
# GitLab CI Demo

In this demo we will use GitLab pipelines. We will need to split this pipeline into three different jobs
In this demo we will use GitLab CI/CD pipelines. We will need to split this pipeline into three different jobs:

1. Kaniko: Tool used to build docker image
2. Sysdig-cli-scanner: Scan docker images for vulnerabilities using the new scan engine developed by Sysding in 2022
3. Crane: Push container image to a remote registry

## Setup
In GitLab repo settings add variables
`CI_REGISTRY_USER`: Docker username
`CI_REGISTRY_PASSWORD`: Docker user password
`SYSDIG_SECURE_TOKEN`: Sysdig Token
The pipeline leverages the GitLab's container registry to store the container image once the scan has been successfully completed. There are a few special CI/CD variables to use the Container registry (`CI_REGISTRY*`) that are populated automatically by GitLab so there is no need to specify them in our pipeline if we want to use it, cool!

The [official documentation](https://docs.gitlab.com/ee/user/packages/container_registry/index.html#authenticate-by-using-gitlab-cicd) explains this in more detail but the following is an example of the variables' content once they are [automatically populated](https://docs.gitlab.com/ee/ci/variables/#list-all-environment-variables):

Modify the gitlab-ci.yml file to build the image
```
CI_REGISTRY_HOST: "docker.io"
CI_REGISTRY_NAME: my-registry
CI_IMAGE_NAME: "my-image"
CI_IMAGE_TAG: "latest"
CI_REGISTRY="registry.example.com"
CI_REGISTRY_IMAGE="registry.example.com/gitlab-org/gitlab-foss"
CI_REGISTRY_USER="gitlab-ci-token"
CI_REGISTRY_PASSWORD="[masked]"
```

The variables are to build the full image url
`$CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG`
We would expect
`docker.io/my-registry/my-image:latest`
## Setup

## Understanding the stages
In order to get around using Docker in docker, these additional stages are necessary
In the GitLab repo settings add the `SYSDIG_SECURE_TOKEN` variable to store the Sysdig Token.

There are three pipeline stages
1. Build
2. Scan
3. Push
Modify the `gitlab-ci.yml` file to replace the image tag if needed:

```
CI_IMAGE_TAG: "latest"
```

## Pipeline stages

### Build
The build stage is using Kaniko. We use a method to build the container to an oci format tarball, saved to the current working directory in `build/` directory. It is not pushed to a remote registry.
We then save the `build/` directory as an artifact.

The build stage leverages Kaniko. The container is built as an OCI format tarball file in `$(pwd)/build/$CI_IMAGE_TAG.tar` and not pushed to a remote registry (it will be done only if the scan is successful).

### Scan
The scan stage is using `sysdig-cli-scanner`. This stage uses a the latest Sysdig scanning method documented here [Sysdig Secure - Vulnerabilities](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/)
We then save the `build/` directory as an artifact for the next step as well as the `report/` directory to review the PDF scan results later.

The scan stage leverages `sysdig-cli-scanner`. This stage uses the latest Sysdig scanning method documented here [Sysdig Secure - Vulnerabilities](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/).

### Push
The push stage is using `crane`. It simply authenticates to your docker registry and pushes the conatiner from the Build stage to the remote registry

The push stage uses `crane` to authenticate to the GitLab registry and to push the container image already built from the Build stage to the remote registry.
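Review bot: a few text issues remain in the README after this change: "Sysding" in list item 2 should read "Sysdig", "a the latest" in the Scan section should be "the latest", "the GitLab's container registry" should drop "the", and the Setup step refers to `gitlab-ci.yml` while the file in this change is `.gitlab-ci.yml`. The README also no longer mentions `SYSDIG_SECURE_ENDPOINT`, which this PR changes to `eu1` in the CI file; a sentence in Setup telling users to set it to the region their `SYSDIG_SECURE_TOKEN` belongs to would prevent an otherwise confusing authentication failure in the scan job.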