Add service for adding Container Scanning configuration to .gitlab-ci.yml
Why are we doing this work
We want to allow users to enable container scanning in the UI via an MR.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
- backend: Introduce a ContainerScanningBuildAction build action similar to the existing DependencyScanningBuildAction. The build action (1) includes the Security/Container-Scanning.gitlab-ci.yml template into a project's .gitlab-ci.yml and (2) includes a commented-out container_scanning.variables block containing the DOCKER_{IMAGE,USER,PASSWORD} keys. For a fresh project, the resulting .gitlab-ci.yml looks as follows:
```yaml
# You can override the included template(s) by including variable overrides
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
# container_scanning:
#   variables:
#     DOCKER_IMAGE: ...
#     DOCKER_USER: ...
#     DOCKER_PASSWORD: ...
include:
  - template: Security/Container-Scanning.gitlab-ci.yml
```
- backend: Introduce a ContainerScanningCreateService service similar to the existing DependencyScanningCreateService one. On execution, the service updates or creates the .gitlab-ci.yml and injects the Container Scanning template, using the newly introduced ContainerScanningBuildAction. The service succeeds with a branch_name and a success_path.
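As an added example (not GitLab's own code and not the implementation this issue tracks), the following Ruby sketches what the build action described above has to do: parse any existing .gitlab-ci.yml with a safe loader, append the Security/Container-Scanning.gitlab-ci.yml template to include without duplicating it, and prepend the commented-out container_scanning.variables block. The header comment is shortened to the container-scanning lines, and all constant and method names are assumptions.

```ruby
require 'yaml'

# Template path and DOCKER_* keys are the ones named in the issue; the header
# text is a shortened form of the one shown there. Everything else is assumed.
CS_TEMPLATE = 'Security/Container-Scanning.gitlab-ci.yml'.freeze
CS_HEADER = <<~YAML.freeze
  # You can override the included template(s) by including variable overrides
  # Note that environment variables can be set in several places
  # See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
  # container_scanning:
  #   variables:
  #     DOCKER_IMAGE: ...
  #     DOCKER_USER: ...
  #     DOCKER_PASSWORD: ...
YAML

# Normalise `include` to an array: GitLab accepts a single string, a single
# mapping, or an array of either.
def include_entries(config)
  entries = config.fetch('include', [])
  entries.is_a?(Array) ? entries.dup : [entries]
end

# Build the new .gitlab-ci.yml body. `existing` is the current file contents,
# or nil for a fresh project. YAML.safe_load rejects arbitrary object tags, so
# a crafted config cannot instantiate Ruby objects here. Existing comments are
# dropped by the YAML round-trip, so the header is always regenerated, which
# also makes the operation idempotent.
def inject_container_scanning(existing)
  config = existing.to_s.strip.empty? ? {} : YAML.safe_load(existing)
  raise ArgumentError, '.gitlab-ci.yml must be a mapping' unless config.is_a?(Hash)

  entries = include_entries(config)
  template = { 'template' => CS_TEMPLATE }
  entries << template unless entries.include?(template)
  config['include'] = entries

  CS_HEADER + config.to_yaml.sub(/\A---\n/, '')
end

# Constructed sample input: a project that already runs SAST.
SAMPLE_EXISTING = <<~YAML.freeze
  stages: [test]
  include:
    - template: Security/SAST.gitlab-ci.yml
YAML

puts inject_container_scanning(SAMPLE_EXISTING) if $PROGRAM_NAME == __FILE__
```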
Edited by Alan (Maciej) Paruszewski