
Replacing GitLab Container Scanning

Replacing GitLab container scanning with Boost container scanning is fairly straightforward. Suppose you have the following GitLab container scanning configuration.

include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

container_scanning:
  before_script:
    - echo "Custom authentication script"
  variables:
    CS_IMAGE: example.com/user/image:tag

First, replace the include statement so that it references the Boost template.

include:
  - remote: 'https://raw.githubusercontent.com/boostsecurityio/boostsec-scanner-gitlab/main/scanner.yml'

.boost-container-scan:
  extends:
    - .boost_scan
  variables:
    BOOST_IMAGE_NAME: $CS_IMAGE
  script:
    - !reference [.boost_setup, before_script]
    - export TRIVY_USERNAME=$CS_REGISTRY_USER
    - export TRIVY_PASSWORD=$CS_REGISTRY_PASSWORD
    - !reference [.boost_scan, script]
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $CS_IMAGE
      variables:
        BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-image"
    - if: ($CI_PIPELINE_SOURCE == "push") && ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH) && $CS_IMAGE
      variables:
        BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-sbom-image"

Then, your container_scanning job is replaced by:

boost-container-scan:
  extends:
    - .boost-container-scan
  before_script:
    - echo "Add logic here"
  variables:
    CS_IMAGE: example.com/user/image:tag
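To check which pipelines the migrated job will actually be added to, and which variables its script will see, here is an added Python dry-run that re-implements the two rules of .boost-container-scan and the CS_* to TRIVY_* mapping shown above. It is not part of the Boost template or of GitLab, and the pipeline variable values in it are constructed for illustration.

```python
"""Dry-run of the `.boost-container-scan` rules from the migrated .gitlab-ci.yml.

The rule logic is re-implemented here (assumption: it mirrors the two `if:`
entries above) so the gating can be checked without pushing a pipeline.
"""
from typing import Optional

TRIVY_IMAGE = "boostsecurityio/trivy-image"          # merge request rule
TRIVY_SBOM_IMAGE = "boostsecurityio/trivy-sbom-image"  # default-branch push rule


def select_scanner_module(ci_vars: dict) -> Optional[str]:
    """Return the BOOST_SCANNER_REGISTRY_MODULE the matching rule sets.

    GitLab treats a bare `$CS_IMAGE` in a rule as true only when the variable
    is defined and non-empty; `None` means no rule matched and the job is
    not added to the pipeline at all.
    """
    image_set = bool(ci_vars.get("CS_IMAGE"))
    source = ci_vars.get("CI_PIPELINE_SOURCE")
    if source == "merge_request_event" and image_set:
        return TRIVY_IMAGE
    branch = ci_vars.get("CI_COMMIT_BRANCH")
    on_default_branch = branch is not None and branch == ci_vars.get("CI_DEFAULT_BRANCH")
    if source == "push" and on_default_branch and image_set:
        return TRIVY_SBOM_IMAGE
    return None


def job_environment(ci_vars: dict) -> dict:
    """Variables the job script ends up with: BOOST_IMAGE_NAME comes from
    CS_IMAGE, and the Trivy credentials from the CS_REGISTRY_* variables the
    old GitLab job already used (exported in the template's script)."""
    env = {
        "BOOST_IMAGE_NAME": ci_vars.get("CS_IMAGE", ""),
        "TRIVY_USERNAME": ci_vars.get("CS_REGISTRY_USER", ""),
        "TRIVY_PASSWORD": ci_vars.get("CS_REGISTRY_PASSWORD", ""),
    }
    module = select_scanner_module(ci_vars)
    if module:
        env["BOOST_SCANNER_REGISTRY_MODULE"] = module
    return env


if __name__ == "__main__":
    # Constructed pipeline contexts: MR, push to main, push to a feature branch.
    base = {"CS_IMAGE": "example.com/user/image:tag", "CS_REGISTRY_USER": "ci-bot",
            "CS_REGISTRY_PASSWORD": "<placeholder>", "CI_DEFAULT_BRANCH": "main"}
    for extra in ({"CI_PIPELINE_SOURCE": "merge_request_event"},
                  {"CI_PIPELINE_SOURCE": "push", "CI_COMMIT_BRANCH": "main"},
                  {"CI_PIPELINE_SOURCE": "push", "CI_COMMIT_BRANCH": "feature"}):
        print(extra, "->", select_scanner_module({**base, **extra}))
```

A job that silently never appears in a pipeline is usually a missing or empty CS_IMAGE, which the first check above makes visible.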