Commit 6dbef841 authored by nimrod's avatar nimrod
Browse files

scan: Scan images daily for vulnerabilities.

parent 10a4ce33
Loading
Loading
Loading
Loading
Loading
+31 −4
Original line number Diff line number Diff line
@@ -29,14 +29,15 @@ run:

backup:
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
    # yamllint disable-line rule:line-length
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "Backup"
  stage: deploy
  tags: [host01.shore.co.il]
  image: docker.io/library/docker:20.10
  image: docker.io/docker:dind
  before_script:
    - >-
      docker build
      --tag registry.shore.co.il/registry-backup
      --tag "${CI_PROJECT_NAME}:backup"
      --pull
      backup
  script:
@@ -45,8 +46,34 @@ backup:
      --volume /var/backups/registry:/var/backups/registry
      --user nobody
      --rm
      registry.shore.co.il/registry-backup
      "${CI_PROJECT_NAME}:backup"
      backup registry.shore.co.il /var/backups/registry
  retry:
    max: 2
  timeout: 5h

scan:
  rules:
    # yamllint disable-line rule:line-length
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "Scan"
  stage: deploy
  tags: [ns4.shore.co.il]
  image: docker.io/docker:dind
  before_script:
    - >-
      docker build
      --tag "${CI_PROJECT_NAME}:scan"
      --pull
      scan
  script:
    - mkdir --mode=777 output
    - >-
      docker run
      --env CI_JOB_URL
      --rm
      --volume "${PWD}/output:/output"
      "${CI_PROJECT_NAME}:scan"
  artifacts:
    paths:
      - output/*.log
  timeout: 2h
+1 −0
Original line number Diff line number Diff line
@@ -28,6 +28,7 @@ repos:
    rev: v0.10.0.1
    hooks:
      - id: shellcheck
        args: ["--exclude", "SC3043"]

  - repo: https://git.shore.co.il/nimrod/pre-commit-hooks.git/
    rev: v0.5.2

scan/.dockerignore

0 → 100644
+3 −0
Original line number Diff line number Diff line
*
!scan
!*.yaml

scan/Dockerfile

0 → 100644
+15 −0
Original line number Diff line number Diff line
FROM registry.shore.co.il/ci-images:docker
# hadolint ignore=DL3018
RUN apk add --update --no-cache \
        curl \
        jq \
    && \
    install -d -o root -g root -m 755 /etc/trivy && \
    install -d -o root -g root -m 777 /output
COPY --chown=root:root scan /usr/local/bin/
COPY --chown=root:root trivy*.yaml /etc/trivy/
VOLUME /output
WORKDIR /etc/trivy
CMD ["scan"]
USER nobody
ENV HOME /tmp

scan/README.md

0 → 100644
+3 −0
Original line number Diff line number Diff line
# Security scanning

Scan the registry's images daily for vulnerabilities using Trivy.
Loading