From 57e486b5eb4f2f79ff2d93329b38cc416a2fb77a Mon Sep 17 00:00:00 2001
From: Timo Furrer <tfurrer@gitlab.com>
Date: Mon, 29 Jan 2024 07:00:23 +0100
Subject: [PATCH] Upgrade to latest container scanning component

---
 .gitlab-ci.yml | 37 ++++++++++---------------------------
 1 file changed, 10 insertions(+), 27 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d92a19e..1e7278b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -27,21 +27,11 @@ include:
       - tests/terraform/**.tf
       - backports/*.gitlab-ci.yml
       - backports/OpenTofu/*.gitlab-ciyml
-  - component: gitlab.com/components/container-scanning/container-scanning@1.0
+  - component: gitlab.com/components/container-scanning/container-scanning@2.0
     inputs:
       stage: quality
-      # FIXME: why is this not the default?
-      analyzer_image: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:6"
-      # FIXME: why do I have to set this, this is weird ...
-      force_run: true
-      # FIXME: doesn't work
-      # rules:
-      #   - changes:
-      #       - Dockerfile
-      #       - .gitlab-ci.yml
-      #       - src/gitlab-tofu.sh
-      #   - if: $CI_COMMIT_TAG
-      #   - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      cs_image: $GITLAB_OPENTOFU_IMAGE_NAME
+      git_strategy: fetch
 
 stages:
   - build
@@ -123,20 +113,13 @@ check-backports:
 
 container_scanning:
   extends: .opentofu-versions
-  needs: ['gitlab-opentofu-image:build']
-  variables:
-    CS_IMAGE: $GITLAB_OPENTOFU_IMAGE_NAME
-    CS_SCHEMA_MODEL: 15
-    # Used for remediation
-    GIT_STRATEGY: fetch
-  # FIXME: because we are using rules with the include, but override here, we also have to have the same rules here
-  # rules:
-  #   - changes:
-  #       - Dockerfile
-  #       - .gitlab-ci.yml
-  #       - src/gitlab-tofu.sh
-  #   - if: $CI_COMMIT_TAG
-  #   - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  rules:
+    - changes:
+        - src/gitlab-tofu.sh
+        - Dockerfile
+        - .gitlab-ci.yml
+    - if: $CI_COMMIT_TAG
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 
 gitlab-opentofu-image:deploy:with-opentofu-version:
   extends: .opentofu-versions
-- 
GitLab
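Review bot: The `git_strategy: fetch` input in the new include loses the "Used for remediation" explanation that the removed `GIT_STRATEGY: fetch` variable carried in the second hunk, so the next reader will not know why a scanning job needs a checkout at all; keep the reason next to the input, e.g. `# fetch is required so the scanner can produce remediation patches`. The component reference `container-scanning@2.0` floats to whatever the newest 2.0.x release is at pipeline time, so the analyzer that runs is not reproducible from the repository alone; if that matters for this project, pinning to a full release version (or a commit SHA, both of which the component syntax allows) and bumping deliberately is the more auditable choice. The removal of `analyzer_image`, `force_run` and, in the other hunk, `CS_SCHEMA_MODEL` presumably relies on 2.0 defaults, which cannot be confirmed from this diff; a one-line comment stating that assumption would save the next upgrader a search. The enclosing `include:` list starts outside the hunk.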
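Review bot: Dropping `needs: ['gitlab-opentofu-image:build']` from `container_scanning` removes the only explicit dependency on the job that presumably produces `$GITLAB_OPENTOFU_IMAGE_NAME`, so the scan now relies solely on `stage: quality` being ordered after the build stage, which is defined outside this hunk; if that ordering ever changes, or the build job is skipped by its own rules while this job's `rules` still match, the scan will pull a stale image or fail to find one. The new `rules` duplicate a file list that is likely also present on the build job, so a comment such as `# keep this changes list in sync with gitlab-opentofu-image:build` would make the coupling visible. Note also that the `changes` list is now the first rule without an `if`, so on pipeline types where `changes` is evaluated as always-true the job will run on every pipeline; that appears intentional given the tag and default-branch rules but is worth stating in a comment.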