Publish security-triage-automation Docker image
Proposal
As discussed here, there are now numerous projects that consume the security-triage-automation tool by cloning its source. To make it easier for projects to consume the tool, we should publish a Docker image, which is the purpose of this issue.
Implementation Plan
- Update main.rb to allow configuring command-line flags via environment variables. This will allow the Docker image to be executed with command-line flags:

  ```shell
  docker run -it --rm \
    -e GITLAB_ACCESS_TOKEN=$(security find-generic-password -w -s 'GitLab Access token' -a 'user@gitlab.com') \
    -e NVD_API_KEY=$(security find-generic-password -w -s 'NVD API Key' -a 'user@gitlab.com') \
    security-triage-automation --dry-run --custom-labels='label-one,label-two'
  ```

  Or with environment variables:

  ```shell
  docker run -it --rm \
    -e GITLAB_ACCESS_TOKEN=$(security find-generic-password -w -s 'GitLab Access token' -a 'user@gitlab.com') \
    -e NVD_API_KEY=$(security find-generic-password -w -s 'NVD API Key' -a 'user@gitlab.com') \
    -e DRY_RUN=true \
    -e CUSTOM_LABELS='label-one,label-two' \
    security-triage-automation
  ```

- Add docker.yml for automatically building a new Docker image in MR pipelines and git tag pipelines.
- Add upsert-git-tag.yml to automatically tag and release a new image when an MR is merged with a new changelog version.
- Add a CHANGELOG.md file to keep track of releases.
- Configure a project-level access token called GITLAB_TOKEN with api scope in the https://gitlab.com/gitlab-org/secure/tools/security-triage-automation project.