Upgrade to latest container scanning component

57e486b5 · Timo Furrer · 0bf3b35a · 57e486b5
Unverified Commit 57e486b5 authored 1 year ago by Timo Furrer
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -27,21 +27,11 @@ include:
          - tests/terraform/**.tf
          - backports/*.gitlab-ci.yml
          - backports/OpenTofu/*.gitlab-ciyml
-  - component: gitlab.com/components/container-scanning/container-scanning@1.0
+  - component: gitlab.com/components/container-scanning/container-scanning@2.0
    inputs:
      stage: quality
-      # FIXME: why is this not the default?
+      cs_image: $GITLAB_OPENTOFU_IMAGE_NAME
-      analyzer_image: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:6"
+      git_strategy: fetch
-      # FIXME: why do I have to set this, this is weird ...
-      force_run: true
-    # FIXME: doesn't work
-    # rules:
-    #   - changes:
-    #       - Dockerfile
-    #       - .gitlab-ci.yml
-    #       - src/gitlab-tofu.sh
-    #   - if: $CI_COMMIT_TAG
-    #   - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 stages:
  - build
@@ -123,20 +113,13 @@ check-backports:
 container_scanning:
  extends: .opentofu-versions
-  needs: ['gitlab-opentofu-image:build']
+  rules:
-  variables:
+    - changes:
-    CS_IMAGE: $GITLAB_OPENTOFU_IMAGE_NAME
+        - src/gitlab-tofu.sh
-    CS_SCHEMA_MODEL: 15
+        - Dockerfile
-    # Used for remediation
+        - .gitlab-ci.yml
-    GIT_STRATEGY: fetch
+    - if: $CI_COMMIT_TAG
-  # FIXME: because we are using rules with the include, but override here, we also have to have the same rules here
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-  # rules:
-  #   - changes:
-  #       - Dockerfile
-  #       - .gitlab-ci.yml
-  #       - src/gitlab-tofu.sh
-  #   - if: $CI_COMMIT_TAG
-  #   - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 gitlab-opentofu-image:deploy:with-opentofu-version:
  extends: .opentofu-versions