Gitlab examples (#13)

0snug0 · Eric Lugo · airadier · web-flow · commit e50dc568cc71 · 2021-04-06T17:52:54.000+02:00
Add gitlab example to inline scan examples

Co-authored-by: Eric Lugo &lt;ericlugo@sysdig.lan&gt;
Co-authored-by: Álvaro Iradier &lt;airadier@gmail.com&gt;
diff --git a/docs/index.md b/docs/index.md
@@ -136,6 +136,7 @@ In this [repository](https://github.com/sysdiglabs/secure-inline-scan-examples/)
   * [Build and scan](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-build-and-scan)
   * [Build, push and scan from repository](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-build-push-scan-from-repo)
   * [Build, push and scan using Openshift internal registry](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-openshift-internal-registry)
+* [Gitlab](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab)
 * [Tekton](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton)
   * [Tekton alpha API](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/alpha)
   * [Tekton beta API](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/beta)
diff --git a/gitlab/.gitlab-ci.yml b/gitlab/.gitlab-ci.yml
@@ -0,0 +1,50 @@
+variables:
+  SYSDIG_SECURE_ENDPOINT: "https://secure.sysdig.com"
+  CI_REGISTRY_HOST: "docker.io"
+  CI_REGISTRY_NAME: "my-registry"
+  CI_IMAGE_NAME: "my-image"
+  CI_IMAGE_TAG: "my-tag"
+
+stages:
+  - build
+  - scan
+  - push
+
+image:build:
+  stage: build
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  script:
+    - /kaniko/executor --dockerfile Dockerfile --destination $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG --no-push --oci-layout-path $(pwd)/build/ --tarPath $(pwd)/build/$CI_IMAGE_TAG.tar
+  artifacts:
+    paths:
+      - build/
+    expire_in: 1 days
+
+image:scan:
+  stage: scan
+  image: 
+    name: sysdiglabs/secure-inline-scan:2
+    entrypoint: [""]
+  script:
+    - mkdir reports
+    - /sysdig-inline-scan.sh --sysdig-token $SYSDIG_SECURE_TOKEN --storage-type oci-dir --storage-path $(pwd)/build/ $CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG --report-folder reports
+  artifacts:
+    paths:
+      - reports
+      - build/
+    expire_in: 1 days
+  needs:
+    - image:build
+
+image:push:
+  stage: push
+  image:
+    name: gcr.io/go-containerregistry/crane:debug
+    entrypoint: [""]
+  script:
+    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY_HOST
+    - crane push build/$CI_IMAGE_TAG.tar $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG
+  needs:
+    - image:scan
diff --git a/gitlab/Dockerfile b/gitlab/Dockerfile
@@ -0,0 +1 @@
+FROM alpine
diff --git a/gitlab/README.md b/gitlab/README.md
@@ -0,0 +1,47 @@
+# GitLab CI Demo - No DinD
+
+![Gitlab job](/gitlab.png)
+
+In this demo we will use GitLab pipelines without requiring privileged containers, or docker in docker.
+We will need to split this pipeline into three different jobs
+1. Kaniko: Tool used to build docker image
+2. Sysdig-inline-scan: Scan docker images for vulnerabilities
+3. Crane: Push container image to a remote registry
+
+## Setup
+In GitLab repo settings add variables
+`CI_REGISTRY_USER`: Docker username
+`CI_REGISTRY_PASSWORD`: Docker user password
+`SYSDIG_SECURE_TOKEN`: Sysdig Token
+
+Modify the gitlab-ci.yml file to build the image
+```
+  CI_REGISTRY_HOST: "docker.io"
+  CI_REGISTRY_NAME: my-registry
+  CI_IMAGE_NAME: "my-image"
+  CI_IMAGE_TAG: "latest"
+```
+
+The variables are to build the full image url
+`$CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG`
+We would expect
+`docker.io/my-registry/my-image:latest`
+
+## Understanding the stages
+In order to get around using Docker in docker, these additional stages are necessary
+
+There are three pipeline stages
+1. Build
+2. Scan
+3. Push
+
+### Build
+The build stage is using Kaniko. We use a method to build the container to an oci format tarball, saved to the current working directory in `build/` directory. It is not pushed to a remote registry.
+We then save the `build/` directory as an artifact.
+
+### Scan
+The scan stage is using `sysdig-inline-scan:2`. This stage uses a newer Sysdig scanning method without the docker daemon dependencies.
+We then save the `build/` directory as an artifact for the next step as well as the `report/` directory to review the PDF scan results later.
+
+### Push
+The push stage is using `crane`. It simply authenticates to your docker registry and pushes the conatiner from the Build stage to the remote registry
diff --git a/gitlab/gitlab.png b/gitlab/gitlab.png
