Loading .gitlab-ci.yml +31 −4 Original line number Diff line number Diff line Loading @@ -29,14 +29,15 @@ run: backup: rules: - if: $CI_PIPELINE_SOURCE == "schedule" # yamllint disable-line rule:line-length - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "Backup" stage: deploy tags: [host01.shore.co.il] image: docker.io/library/docker:20.10 image: docker.io/docker:dind before_script: - >- docker build --tag registry.shore.co.il/registry-backup --tag "${CI_PROJECT_NAME}:backup" --pull backup script: Loading @@ -45,8 +46,34 @@ backup: --volume /var/backups/registry:/var/backups/registry --user nobody --rm registry.shore.co.il/registry-backup "${CI_PROJECT_NAME}:backup" backup registry.shore.co.il /var/backups/registry retry: max: 2 timeout: 5h scan: rules: # yamllint disable-line rule:line-length - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "Scan" stage: deploy tags: [ns4.shore.co.il] image: docker.io/docker:dind before_script: - >- docker build --tag "${CI_PROJECT_NAME}:scan" --pull scan script: - mkdir --mode=777 output - >- docker run --env CI_JOB_URL --rm --volume "${PWD}/output:/output" "${CI_PROJECT_NAME}:scan" artifacts: paths: - output/*.log timeout: 2h .pre-commit-config.yaml +1 −0 Original line number Diff line number Diff line Loading @@ -28,6 +28,7 @@ repos: rev: v0.10.0.1 hooks: - id: shellcheck args: ["--exclude", "SC3043"] - repo: https://git.shore.co.il/nimrod/pre-commit-hooks.git/ rev: v0.5.2 Loading scan/.dockerignore 0 → 100644 +3 −0 Original line number Diff line number Diff line * !scan !*.yaml scan/Dockerfile 0 → 100644 +15 −0 Original line number Diff line number Diff line FROM registry.shore.co.il/ci-images:docker # hadolint ignore=DL3018 RUN apk add --update --no-cache \ curl \ jq \ && \ install -d -o root -g root -m 755 /etc/trivy && \ install -d -o root -g root -m 777 /output COPY --chown=root:root scan /usr/local/bin/ COPY --chown=root:root trivy*.yaml /etc/trivy/ VOLUME /output WORKDIR /etc/trivy CMD ["scan"] USER nobody ENV HOME /tmp scan/README.md 0 → 100644 +3 −0 Original line number Diff line number Diff line # Security scanning Scan the registry's images daily for vulnerabilities using Trivy. Loading
.gitlab-ci.yml +31 −4 Original line number Diff line number Diff line Loading @@ -29,14 +29,15 @@ run: backup: rules: - if: $CI_PIPELINE_SOURCE == "schedule" # yamllint disable-line rule:line-length - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "Backup" stage: deploy tags: [host01.shore.co.il] image: docker.io/library/docker:20.10 image: docker.io/docker:dind before_script: - >- docker build --tag registry.shore.co.il/registry-backup --tag "${CI_PROJECT_NAME}:backup" --pull backup script: Loading @@ -45,8 +46,34 @@ backup: --volume /var/backups/registry:/var/backups/registry --user nobody --rm registry.shore.co.il/registry-backup "${CI_PROJECT_NAME}:backup" backup registry.shore.co.il /var/backups/registry retry: max: 2 timeout: 5h scan: rules: # yamllint disable-line rule:line-length - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "Scan" stage: deploy tags: [ns4.shore.co.il] image: docker.io/docker:dind before_script: - >- docker build --tag "${CI_PROJECT_NAME}:scan" --pull scan script: - mkdir --mode=777 output - >- docker run --env CI_JOB_URL --rm --volume "${PWD}/output:/output" "${CI_PROJECT_NAME}:scan" artifacts: paths: - output/*.log timeout: 2h
.pre-commit-config.yaml +1 −0 Original line number Diff line number Diff line Loading @@ -28,6 +28,7 @@ repos: rev: v0.10.0.1 hooks: - id: shellcheck args: ["--exclude", "SC3043"] - repo: https://git.shore.co.il/nimrod/pre-commit-hooks.git/ rev: v0.5.2 Loading
scan/Dockerfile 0 → 100644 +15 −0 Original line number Diff line number Diff line FROM registry.shore.co.il/ci-images:docker # hadolint ignore=DL3018 RUN apk add --update --no-cache \ curl \ jq \ && \ install -d -o root -g root -m 755 /etc/trivy && \ install -d -o root -g root -m 777 /output COPY --chown=root:root scan /usr/local/bin/ COPY --chown=root:root trivy*.yaml /etc/trivy/ VOLUME /output WORKDIR /etc/trivy CMD ["scan"] USER nobody ENV HOME /tmp
scan/README.md 0 → 100644 +3 −0 Original line number Diff line number Diff line # Security scanning Scan the registry's images daily for vulnerabilities using Trivy.