WIP: Initial version of the Container Scanning test project
Description
Initial version of the test project:
- uses the `Container-Scanning.gitlab-ci.yml` vendored template
- uses `docker-dind` to build the Docker image from the Dockerfile within the CI pipeline
  - leverages the Docker image caching and the local Container Registry to speed up the build
- the `webgoat` Docker image is used as the base image
Execution
Project content
- copy the `template` dir content to the new repository and find/replace the `REPLACE_ME` placeholders.
- set up the `master` branch:
  - create a basic app for the given language, package manager and framework with some relevant vulnerabilities
  - configure the compatible Security Products features in the `.gitlab-ci.yml` (comment out unsupported ones)
  - update the expected reports in `qa/expect/`
- create the `auto-devops-FREEZE` branch from `master` and remove the `.gitlab-ci.yml` file.
- create the `QA-MR-FREEZE` branch from `master`:
  - add the necessary changes to the test app to generate new, fixed and existing vulnerabilities
  - update the expected reports in `qa/expect/`
  - open a Merge Request against `master` with the name `WIP: QA for all Security Products features`
- add the created project to the QA script at: https://gitlab.com/gitlab-org/security-products/release
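As an added illustration of the pieces named in the description above (the vendored `Container-Scanning.gitlab-ci.yml` template, a `docker:dind` build of the image from the repository's Dockerfile, and `--cache-from` against the project's own Container Registry), here is a minimal `.gitlab-ci.yml` of the kind the "set up the `master` branch" step would produce. It is not the test project's own file, which this merge request does not show. The `build` job name, the `latest` cache tag and the `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA` tag format are assumptions; the tag format is what the Container Scanning template looked for by default at the time, and should be checked against the `variables:` block of the vendored template actually in use.

```yaml
# Added example (assumed layout), not the test project's own .gitlab-ci.yml.
stages:
  - build
  - test

build:
  stage: build
  image: docker:stable
  services:
    - docker:dind            # Docker-in-Docker daemon for this job
  variables:
    # Assumption: the vendored Container-Scanning template scans the image
    # tagged <registry image>/<ref slug>:<commit sha>, so we push exactly that tag.
    IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
    CACHE_IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:latest   # assumed cache tag
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    # Pull the previous build of this branch as a layer cache; ignore a miss on first run.
    - docker pull "$CACHE_IMAGE" || true
    - docker build --cache-from "$CACHE_IMAGE" -t "$IMAGE" -t "$CACHE_IMAGE" .
    # The scan job reads the image back from the local registry, so push both tags.
    - docker push "$IMAGE"
    - docker push "$CACHE_IMAGE"

# The vendored template adds the container_scanning job in the test stage.
include:
  - template: Container-Scanning.gitlab-ci.yml
```

The expected report for `qa/expect/` is then whatever the `container_scanning` job emits for the `webgoat`-based image; when the template's own variable names differ from the `IMAGE` assumption above, the build job must tag the image exactly as the template expects or the scan job will find nothing to analyse.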
Project configuration
To ensure the QA can be automatically triggered and to notify the team when it fails, the project must be configured as follows:
- sign in with the `gitlab-bot` user and create a Pipeline trigger named `QA` to obtain a token for the automated QA configuration
- set up the Slack notifications project service:
  - check the `active` option
  - uncheck all triggers but `Pipeline` (leave `Channel name` empty)
  - use the Webhook URL available in the Slack's SP-Bot service configuration page
  - use `SP-Bot` as the `Username`
  - check the `Notify only broken pipelines` option
  - submit the form and check that the test event has been successfully sent to the `#sp-alert` Slack channel
Edited by Victor Zagorodny