forked from nilsujma-dev/codesecurity-workshop
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path.gitlab-ci.yml
114 lines (98 loc) · 2.99 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# .gitlab-ci.yml
stages:
- security-gates
- build
- shiftleft-scan
- azure-push
- acr-shiftleft-scan
- deploy
variables:
IMAGE_NAME: cloudsecurity-workshop
IMAGE_TAG: "$CI_REGISTRY_IMAGE/$IMAGE_NAME:$CI_PIPELINE_IID"
AZURE_IMAGE_TAG: "$AZURE_ACR_NAME/$IMAGE_NAME:$CI_PIPELINE_IID"
spectral-secret-gate:
stage: security-gates
script:
- curl -L "https://get.spectralops.io/latest/x/sh?key=${SPECTRALOPS_KEY}" | sh
- $HOME/.spectral/spectral scan --ok --include-tags base,audit
spectral-iac-gate:
stage: security-gates
script:
- curl -L "https://get.spectralops.io/latest/x/sh?key=${SPECTRALOPS_KEY}" | sh
- $HOME/.spectral/spectral scan --ok --engines iac
build_image:
stage: build
image: docker:19.03.12
services:
- docker:19.03.12-dind
script:
- docker build -t "${IMAGE_NAME}" .
- docker tag "${IMAGE_NAME}" "${IMAGE_TAG}"
- echo "$CI_JOB_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
- docker push "${IMAGE_TAG}"
only:
- main
shiftleft_scan:
stage: shiftleft-scan
image: docker:19.03.12
services:
- docker:19.03.12-dind
script:
- echo "$CI_JOB_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
- docker pull "$IMAGE_TAG"
- docker save "$IMAGE_TAG" -o image.tar
- chmod +x ./shiftleft
- ./shiftleft image-scan -e d29d3391-5284-4a70-9d9b-1a5daf401b5d -i image.tar || true
artifacts:
paths:
- image.tar
only:
- main
push_to_acr:
stage: azure-push
image: docker:19.03.12
services:
- docker:19.03.12-dind
script:
- echo "$CI_JOB_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
- docker pull "${IMAGE_TAG}"
- echo "$AZURE_PASSWORD" | docker login "$AZURE_ACR_NAME" -u "$AZURE_APP_ID" --password-stdin
- docker tag "${IMAGE_TAG}" "${AZURE_IMAGE_TAG}"
- docker push "${AZURE_IMAGE_TAG}"
only:
- main
acr_shiftleft_scan:
stage: acr-shiftleft-scan
image: docker:19.03.12
services:
- docker:19.03.12-dind
script:
- echo "$AZURE_PASSWORD" | docker login "$AZURE_ACR_NAME" -u "$AZURE_APP_ID" --password-stdin
- docker pull "${AZURE_IMAGE_TAG}"
- docker save "${AZURE_IMAGE_TAG}" -o azureimage.tar
- chmod +x ./shiftleft
- ./shiftleft image-scan -e d29d3391-5284-4a70-9d9b-1a5daf401b5d -i azureimage.tar || true
artifacts:
paths:
- azureimage.tar
when: always
only:
- main
deploy_to_aks:
stage: deploy
image: dtzar/helm-kubectl
script:
# Decode the KUBECONFIG file
- echo "$KUBECONFIG" | base64 -d > decoded_kubeconfig
- export KUBECONFIG=decoded_kubeconfig
# Replace the placeholder with the actual IMAGE_TAG environment variable
- export IMAGE_TAG="$AZURE_IMAGE_TAG"
- envsubst '$IMAGE_TAG' < k8s/deployment.yaml | kubectl apply -f -
# Apply the service configuration
- kubectl apply -f k8s/service.yaml
only:
- main
environment:
name: production
before_script:
- export DISABLE_SECURITY_SCAN=true