Wrap commands of container_scanning job in a Docker image

Since we already need docker:dind for the other Security Products jobs, wrapping the container_scanning commands in a single Docker image would improve the maintainability of that job. The current job definition is complex:

```yaml
container_scanning:
  image: docker:stable
  allow_failure: true
  before_script: []
  cache: {}
  dependencies: []
  tags: []
  services:
    - docker:stable-dind
  variables:
    DOCKER_DRIVER: overlay2
    ## Define two new variables based on GitLab's CI/CD predefined variables
    ## https://docs.gitlab.com/ee/ci/variables/#predefined-variables-environment-variables
    CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
    CI_APPLICATION_TAG: $CI_COMMIT_SHA
  script:
    - docker run -d --name db arminc/clair-db:latest
    - docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
    - apk add -U wget ca-certificates
    - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    - mv clair-scanner_linux_amd64 clair-scanner
    - chmod +x clair-scanner
    - touch clair-whitelist.yml
    - retries=0
    - echo "Waiting for clair daemon to start"
    - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
  artifacts:
    paths:
      - gl-sast-container-report.json
```

Each modification makes us go through documentation, examples, templates, etc., which is painful and error-prone. We could easily wrap all of this in a single image, as mentioned here: https://gitlab.com/gitlab-org/gitlab-ee/issues/5650#note_68370249 and here: https://gitlab.com/gitlab-org/gitlab-ee/issues/5763#note_70422366
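As an added illustration of what the wrapper image could contain (this is example code, not anything from the issue or from GitLab's own templates), here is an entrypoint script that moves the job's `script:` steps into one place. It assumes a hypothetical image built from `docker:stable` with `wget`, `ca-certificates` and `clair-scanner` preinstalled, a script path of `/usr/local/bin/container-scanning.sh`, and the environment variable names `CLAIR_URL`, `CLAIR_RETRIES`, `CLAIR_POLL_INTERVAL`, `REPORT_FILE` and `WHITELIST_FILE`, none of which exist in the current job. The wait loop is factored into a function whose probe can be substituted, and the script refuses to succeed when no report file was written, since a silently missing artifact would otherwise look like a clean scan.

```shell
#!/bin/sh
# container-scanning.sh: hypothetical entrypoint for a wrapper image bundling
# docker CLI, wget, ca-certificates and clair-scanner (assumed, not GitLab's code).
# Invoke as: container-scanning.sh scan IMAGE[:TAG]
set -eu

# Defaults mirror the current job; all names below are assumptions for this example.
CLAIR_URL="${CLAIR_URL:-http://docker:6060}"        # Clair API via the dind service
CLAIR_RETRIES="${CLAIR_RETRIES:-10}"                # max probe retries before aborting
CLAIR_POLL_INTERVAL="${CLAIR_POLL_INTERVAL:-1}"     # seconds between probes
REPORT_FILE="${REPORT_FILE:-gl-sast-container-report.json}"
WHITELIST_FILE="${WHITELIST_FILE:-clair-whitelist.yml}"

# Probe the Clair API once; split out so tests can substitute a fake probe.
clair_ready() {
  wget -T 10 -q -O /dev/null "$1/v1/namespaces"
}

# Poll until Clair answers or the retry budget is exhausted.
# $1 = URL, $2 = max retries, $3 = probe function (defaults to clair_ready).
# Returns 0 when ready, 1 on timeout; the caller decides whether to abort.
wait_for_clair() {
  url="$1"; max="$2"; probe="${3:-clair_ready}"; n=0
  while ! "$probe" "$url"; do
    if [ "$n" -ge "$max" ]; then
      echo " Timeout after $max retries, aborting." >&2
      return 1
    fi
    n=$((n + 1))
    sleep "$CLAIR_POLL_INTERVAL"
    printf .
  done
  return 0
}

# Check that the scanner actually produced a non-empty report.
# $1 = report path. Returns 0 if present and non-empty, 1 otherwise.
report_written() {
  [ -s "$1" ]
}

# Full scan flow: the same steps as the current job, in one place.
main() {
  image="$1"
  # Start the vulnerability database and the Clair API against the dind service.
  docker run -d --name db arminc/clair-db:latest
  docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
  docker pull "$image"
  [ -f "$WHITELIST_FILE" ] || touch "$WHITELIST_FILE"   # clair-scanner requires the file
  echo "Waiting for clair daemon to start"
  wait_for_clair "$CLAIR_URL" "$CLAIR_RETRIES"
  # As in the current job, findings do not fail the job; the report is the artifact.
  clair-scanner -c "$CLAIR_URL" --ip "$(hostname -i)" -r "$REPORT_FILE" \
    -l clair.log -w "$WHITELIST_FILE" "$image" || true
  if ! report_written "$REPORT_FILE"; then
    echo "clair-scanner produced no report; failing the job" >&2
    return 1
  fi
}

# Only run the scan when invoked with the `scan` subcommand, so the functions
# above can be sourced (for example by tests) without side effects.
case "${1:-}" in
  scan) shift; main "$@" ;;
esac
```

With such an image (say, a hypothetical `container-scanning:latest` in the group's registry) the job's `script:` collapses to a single line, `container-scanning.sh scan ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}`, and the `services:`, `variables:` and `artifacts:` sections stay as they are; version bumps of clair-scanner or Clair then happen in the image's Dockerfile rather than in every template that copies the job.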
