update
@@ -5,6 +5,8 @@ stages:
variables:
variables:
GO_VERSION: "1.22"
GO_VERSION: "1.22"
GOLANGCI_LINT_VERISON: "v1.58.0"
GOLANGCI_LINT_VERISON: "v1.58.0"
SYFT_VERSION: "v1.3.0"
GRYPE_VERSION: "v0.77.2"
gitlab_generic_package:
gitlab_generic_package:
stage: deploy
stage: deploy
@@ -1,6 +1,5 @@
stages:
stages:
- build
- build
- package
- validate
- validate
- publish
- publish
@@ -38,6 +37,18 @@ golang-lint:
exists:
exists:
- "go.mod"
- "go.mod"
generate_sbom:
extends: .generate_sbom
stage: validate
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ '/^release/' || $CI_MERGE_REQUEST_IID
generate_cve:
extends: .generate_cve
stage: validate
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ '/^release/' || $CI_MERGE_REQUEST_IID
version:
version:
extends: .version
extends: .version
stage: .pre
stage: .pre
@@ -63,7 +74,6 @@ docker-build:
- job: version
- job: version
optional: true
optional: true
artifacts: true
artifacts: true
rules:
rules:
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ '/^release/' || $CI_MERGE_REQUEST_IID
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ '/^release/' || $CI_MERGE_REQUEST_IID
exists:
exists:
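--- a/scripts/scanner/grype.sh
+++ b/scripts/scanner/grype.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+#%%MULTILINE_YAML_START
+#grype scan sboms
+
+for i in syft/*.sbom.json;
+do filename=${i%*.sbom.json};
+filename=${filename##/};
+grype syft/$i -o json --file syft/$filename.cve.json;
+done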
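Review bot: The loop body builds paths that do not exist: `$i` already carries the `syft/` prefix from the glob on the `for` line, so `grype syft/$i` points at `syft/syft/<name>.sbom.json`, and `${filename##/}` only strips a leading slash, so `$filename` keeps the `syft/` prefix as well (the intent looks like `${filename##*/}`). The script also has no `set -euo pipefail` and no `nullglob`, so an absent `syft/` directory leaves the literal pattern in `$i`, and a failed grype invocation still exits 0, meaning the job passes with no CVE report. The rewrite below fixes the path handling and makes scanner failures fail the job; whether findings of a given severity should fail the pipeline (grype's `--fail-on`) is a separate policy decision and is not added here.
```shell
#!/usr/bin/env bash
set -euo pipefail
shopt -s nullglob
# … unchanged: header comments …
for sbom in syft/*.sbom.json; do
  base=$(basename "$sbom" .sbom.json)
  grype "$sbom" -o json --file "syft/${base}.cve.json"
done
```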
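--- a/scripts/scanner/syft-go.sh
+++ b/scripts/scanner/syft-go.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#%%MULTILINE_YAML_START
+#Syft scan for go
+
+if [ -f "go.mod" ]; then
+syft go.mod -o cyclonedx-json=syft/${CI_PROJECT_NAME}.sbom.json
+fi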
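Review bot: A syft failure is not surfaced: the script has no `set -euo pipefail`, so if `syft` exits non-zero (or the `syft/` output directory is missing) the job still succeeds with no SBOM artifact, and the downstream grype step then has nothing to scan. Add `set -euo pipefail` after the shebang and quote the output argument, `syft go.mod -o "cyclonedx-json=syft/${CI_PROJECT_NAME}.sbom.json"`. When `go.mod` is absent the script exits 0 without any output; if that is intended, an `echo` to the job log stating that no SBOM was produced would make the empty result visible in the pipeline.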
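--- a/scripts/scanner/syft-mkdir.sh
+++ b/scripts/scanner/syft-mkdir.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+#%%MULTILINE_YAML_START
+#mkdir for syft files
+
+mkdir $CI_PROJECT_DIR/syft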
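Review bot: `mkdir $CI_PROJECT_DIR/syft` fails when the directory already exists (a reused or cached workspace) and, because the script does not enable `set -u`, an unset `CI_PROJECT_DIR` silently turns the target into `/syft`. Use `set -euo pipefail` after the shebang and `mkdir -p "$CI_PROJECT_DIR/syft"`.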
18
templates/codescan.tpl.yml
Normal file
18
templates/codescan.tpl.yml
Normal file
@@ -0,0 +1,18 @@
.generate_sbom:
image: registry.internal.durp.info/anchore/syft:${SYFT_VERSION}
script:
- ./scripts/scanner/syft-mkdir.sh
- ./scripts/scanner/syft-go.sh
artifacts:
expire_in: 1 hour
paths:
- $CI_PROJECT_DIR/syft
.generate_cve:
image: registry.internal.durp.info/anchore/grype:${GRYPE_VERSION}
script:
- ./scripts/scanner/grype.sh
artifacts:
expire_in: 1 hour
paths:
- $CI_PROJECT_DIR/syft
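Review bot: `.generate_cve` consumes the SBOMs that `.generate_sbom` writes to `syft/`, but the template declares no dependency between the two, and the consuming jobs added in this commit (`generate_sbom` and `generate_cve`) are both in `stage: validate`, so they run in parallel and the grype script executes before, or without, the SBOM artifacts. The template should state that contract in a comment above `.generate_cve`, e.g. `# consumes the syft/ artifacts of a .generate_sbom job: the consuming job must declare needs: [<sbom job>]`, and the `generate_cve` job in the pipeline file should carry `needs: [generate_sbom]`. Two smaller points: the artifact `paths` entry is written as the absolute `$CI_PROJECT_DIR/syft`, whereas GitLab documents artifact paths relative to the project directory (`syft/`), and `expire_in: 1 hour` discards the SBOM and CVE reports almost immediately if they are meant to serve as release evidence. Pinning the scanner images by digest in addition to `${SYFT_VERSION}` and `${GRYPE_VERSION}` would make the scan toolchain reproducible across runs.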