Update pipelines of Secure analyzer to build, release Linux packages
Problem to solve
The CI config shared by the Secure analyzer projects (except DAST) needs to be updated to build and release Linux packages, to ultimately support user-defined Docker images. This addition to the pipeline is to be used by the ~"Category:SAST" and ~"Category:Dependency Scanning" analyzers.
Intended users
To be used by developers of the Secure analyzer projects.
Proposal
Define a stage and a job template to build distro packages, and a job template to release them. Also, define conventions on how to use them.
Implementation plan
- review the stages, and define a stage where distro packages are built: gitlab-org/security-products/ci-templates!134 (merged)
- decide how distro packages are stored: #233175 (closed)
- define a job template to build distro packages, and expose them as artifacts
- define a job template to release distro packages
- illustrate how to use these in the context of an analyzer project that builds a distro package, builds a Docker image using that package, and releases distro packages; the package is released with a version that matches the git tag, and also released as a major version, similar to the way Docker images are currently released
See #214697 (comment 377749600)
Further details
The stage where distro packages are built needs to be before the existing build stage, which is currently used to build Docker images.
The job template to release the distro packages is going to be similar to the existing .docker_tag template.
As of today none of the analyzer projects override the build commit job defined in the build stage. Also, none of the analyzers redefines the pipeline stages. The gemnasium-maven analyzer uses the predefined .pre stage to check its Shell scripts.
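The layout described above, as an added illustration that is not the ci-templates project's own config: a hypothetical shared config with a package stage ahead of the existing build stage, a `.build_package` template that exposes the package as an artifact, and a `.release_package` template that publishes it under the git tag and under the matching major version, followed by how an analyzer project would use them. The job names, the `PACKAGE_DIR` variable and the two helper scripts are assumptions.

```yaml
# Hypothetical shared CI config (added example, not the real ci-templates).
# Job names, PACKAGE_DIR and the helper scripts are assumptions.
stages:
  - package   # build distro packages; must run before Docker images are built
  - build     # build Docker images (existing stage)
  - test
  - release   # release Docker images and distro packages

# Build the distro package and keep it as a pipeline artifact so that the
# Docker build and the release job can pick it up.
.build_package:
  stage: package
  image: debian:buster
  script:
    - ./build-package.sh "$PACKAGE_DIR"   # assumed project script
  artifacts:
    paths:
      - $PACKAGE_DIR/*.deb
    expire_in: 1 week

# Release the package for git tags only, under the full version and under the
# major version (tag v2.3.1 is published as 2.3.1 and as 2), mirroring .docker_tag.
.release_package:
  stage: release
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - VERSION="${CI_COMMIT_TAG#v}"
    - MAJOR="${VERSION%%.*}"
    - ./publish-package.sh "$PACKAGE_DIR"/*.deb "$VERSION"   # assumed script
    - ./publish-package.sh "$PACKAGE_DIR"/*.deb "$MAJOR"

# Analyzer project side, after including the shared config above.
build package:
  extends: .build_package
  variables:
    PACKAGE_DIR: dist

build:
  stage: build
  needs: ["build package"]   # the image installs the artifact built above
  script:
    - docker build --build-arg PACKAGE_DIR=dist -t "$CI_REGISTRY_IMAGE" .

release package:
  extends: .release_package
  needs: ["build package"]
```

The release template only has a `rules` entry for tags, so pipelines on master and feature branches build and store the package without publishing it.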
Permissions and Security
N/A
Documentation
The shared CI config is not documented, but we should improve this, and at least add code comments to cover the stages.
- document the stages using code comments in the CI config file
Availability & Testing
The new CI config needs to be tested in the context of an analyzer project. Tests should cover the master branch, some feature branch, and git tags. This needs to be tested in the context of a fork of an official analyzer project.
- test pipeline for master branch
- test pipeline for feature branch
- test pipeline for git tag
What is the type of buyer?
N/A
Is this a cross-stage feature?
To be used by all ~"devops::secure" analyzers using the shared CI configuration. This includes ~"Category:SAST", ~"Category:Dependency Scanning", ~"Category:Secret Detection", and ~"Category:Container Scanning".