Replace container_scanning job definition with a vendored template
Problem to solve
The job definition for ~"container scanning" is frozen and can't easily be updated without creating breaking changes.
Further details
With https://gitlab.com/gitlab-org/gitlab-ce/issues/53445, we'll be able to ship a template embedded with each version of GitLab. The template can be updated from one version to another, without impacting our users.
Proposal
What does success look like, and how can we measure that?
The new official job definition is a single inclusion instruction:
include:
  template: Container-Scanning.gitlab-ci.yml
(see the discussion and final syntax)
Links / references
Execution
- Add the Container-Scanning.gitlab-ci.yml with the contents from the example to the templates dir under the Security subdir
- Test in the development environment on a test project
- Update the ~Documentation for the Container Scanning CI configuration
  - docs page, see https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/9875
  - security products release process (add a section to check that the vendored templates are up-to-date)
Edited by Victor Zagorodny
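The single inclusion instruction proposed above only helps projects that actually switch to it. The following is an added example, not code from the issue or from GitLab, that classifies a `.gitlab-ci.yml` as using the vendored template, still carrying an inline `container_scanning` job, or both. It assumes a line-based scan is good enough (it is not a YAML parser), and the function name and sample configs are constructed for illustration.

```python
import re

TEMPLATE = "Container-Scanning.gitlab-ci.yml"  # template name from the issue
JOB = "container_scanning"                     # job name from the issue title
_TEMPLATE_RE = re.compile(
    r"\btemplate:\s*['\"]?" + re.escape(TEMPLATE) + r"['\"]?\s*}?\s*$")

def audit_ci_config(text):
    """Return 'vendored', 'vendored+override', 'frozen' or 'absent'."""
    includes_template = defines_job = in_include = False
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # An unindented line that is not a list item starts a new top-level key.
        if not line[0].isspace() and not line.startswith("-"):
            key = line.split(":", 1)[0].strip()
            in_include = key == "include"
            defines_job = defines_job or key == JOB
        if in_include and _TEMPLATE_RE.search(line):
            includes_template = True
    if includes_template:
        # A local job with the same name is merged over the included one.
        return "vendored+override" if defines_job else "vendored"
    return "frozen" if defines_job else "absent"

# Constructed sample configs (hypothetical, not taken from any real project).
SAMPLES = {
    "single include": "include:\n  template: Container-Scanning.gitlab-ci.yml\n",
    "list include + override": (
        "include:\n"
        "- template: 'Container-Scanning.gitlab-ci.yml'  # vendored\n"
        "container_scanning:\n"
        "  variables:\n"
        "    EXAMPLE_VAR: 'x'\n"),
    "inline copy": (
        "container_scanning:\n"
        "  script:\n"
        "    - ./run-scanner.sh  # placeholder for copied steps\n"),
    "no scanning": "build:\n  script:\n    - make\n",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(f"{name}: {audit_ci_config(cfg)}")
```

A `frozen` result marks a config that will not pick up template updates shipped with new GitLab versions; `vendored+override` marks one whose local job keys should be reviewed against the current template.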