Editing ray

Title / Description

Code
stages: - build - test - quality - security_static - security_dynamic - deploy - container_scan variables: MAVEN_CLI_OPTS: "-B -DskipTests" MAVEN_OPTS: "-Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository" # SonarQube variables should be set in project settings SONAR_HOST_URL: "${SONAR_HOST_URL}" SONAR_TOKEN: "${SONAR_TOKEN}" cache: paths: - .m2/repository - target before_script: - apt-get update -qq && apt-get install -y curl unzip jq - export PATH=$PATH:$CI_PROJECT_DIR # --------------------- # Build & Test Stage # --------------------- build: stage: build image: maven:3.8.7-eclipse-temurin-17 script: - mvn $MAVEN_CLI_OPTS clean package artifacts: paths: - target/*.jar expire_in: 1 week test: stage: test image: maven:3.8.7-eclipse-temurin-17 script: - mvn test artifacts: reports: junit: target/surefire-reports/*.xml expire_in: 1 week # --------------------- # Code Quality with SonarQube # --------------------- sonarqube: stage: quality image: maven:3.8.7-eclipse-temurin-17 script: - mvn sonar:sonar -Dsonar.login=$SONAR_TOKEN -Dsonar.host.url=$SONAR_HOST_URL allow_failure: false dependencies: - build - test # --------------------- # Security Static: SAST & Dependency Scanning & IaC Scanning # --------------------- # SAST include: - template: SAST.gitlab-ci.yml # Dependency Scanning (SCA) include: - template: Dependency-Scanning.gitlab-ci.yml # IaC Scanning include: - template: IaC-Scanning.gitlab-ci.yml # By including these templates, the following jobs will appear automatically: # * sast # * dependency_scanning # * iac_scanning # # They run in `security_static` stage by default if you override them: # # If needed, explicitly set them to run in a desired stage and with needed dependencies: sast: stage: security_static needs: ["build"] # optional customization here dependency_scanning: stage: security_static needs: ["build"] # optional customization iac_scanning: stage: security_static # Add any IaC files scanning dependencies if needed # optional customization # --------------------- # DAST (Dynamic Application Security Testing) # --------------------- # We assume that a review environment is deployed in the 'deploy' stage before DAST # DAST scanning requires the app to be accessible at a known URL. # # Include the DAST template: include: - template: DAST.gitlab-ci.yml dast: stage: security_dynamic variables: DAST_WEBSITE: "http://myapp-review.$CI_PROJECT_NAMESPACE.$CI_PROJECT_NAME.example.com" # Wait for deploy job to complete (if the environment isn't ready yet) needs: ["deploy_app"] # optional additional configuration # --------------------- # Deploy to Review Environment # --------------------- # This assumes a Dockerfile is present at the root of the repository. # Adjust image name, registry, and deployment steps as appropriate. deploy_app: stage: deploy image: docker:24.0.6 services: - docker:24.0.6-dind variables: DOCKER_DRIVER: overlay2 DOCKER_TLS_CERTDIR: "" IMAGE_NAME: "$CI_REGISTRY_IMAGE/app" script: - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY - docker build -t $IMAGE_NAME:$CI_COMMIT_SHORT_SHA . - docker push $IMAGE_NAME:$CI_COMMIT_SHORT_SHA # Here you would run your deployment commands to a staging/review environment, # e.g. using Helm/Kubectl or Docker Compose to start up the app. # For example: # - helm upgrade --install myapp charts/myapp --set image.tag=$CI_COMMIT_SHORT_SHA environment: name: review/$CI_COMMIT_REF_NAME url: "http://myapp-review.$CI_PROJECT_NAMESPACE.$CI_PROJECT_NAME.example.com" only: - merge_requests - branches # --------------------- # Container Security Scan with Trivy # --------------------- container_scan: stage: container_scan image: aquasec/trivy:latest services: - docker:24.0.6-dind variables: DOCKER_TLS_CERTDIR: "" IMAGE_NAME: "$CI_REGISTRY_IMAGE/app" script: - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" # Pull the previously pushed image - docker pull $IMAGE_NAME:$CI_COMMIT_SHORT_SHA # Run Trivy scan on the image - trivy image --exit-code 0 --severity HIGH,CRITICAL $IMAGE_NAME:$CI_COMMIT_SHORT_SHA # Modify exit-code or severity thresholds as needed allow_failure: false needs: ["deploy_app"] # --------------------- # End of Pipeline # ---------------------

Author

Highlight as C C++ CSS Clojure Delphi ERb Groovy (beta) HAML HTML JSON Java JavaScript PHP Plain text Python Ruby SQL XML YAML diff code