diff --git a/README.md b/README.md index 9546a2df0c38fd39ff04f33c16bc2c8637ad1dd4..cc02d3381d3c30d0a1741eed714c4f083b91592d 100644 --- a/README.md +++ b/README.md @@ -61,10 +61,10 @@ The Docker template uses some global configuration used throughout all jobs. | Input / Variable | Description | Default value | | ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | | `build-tool` / `DOCKER_BUILD_TOOL` | The build tool to use for building container image, possible values are `kaniko`, `buildah` or `dind` | `kaniko` | -| `kaniko-image` / `DOCKER_KANIKO_IMAGE` | The image used to run `kaniko` - _for kaniko build only_ | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab) | -| `buildah-image` / `DOCKER_BUILDAH_IMAGE` | The image used to run `buildah` - _for buildah build only_ | `quay.io/buildah/stable` | -| `image` / `DOCKER_IMAGE` | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:latest` | -| `dind-image` / `DOCKER_DIND_IMAGE` | The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:dind` | +| `kaniko-image` / `DOCKER_KANIKO_IMAGE` | The image used to run `kaniko` - _for kaniko build only_ | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab)<br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_KANIKO_IMAGE)| +| `buildah-image` / `DOCKER_BUILDAH_IMAGE` | The image used to run `buildah` - _for buildah build only_ | `quay.io/buildah/stable`<br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_BUILDAH_IMAGE)| +| `image` / `DOCKER_IMAGE` | The Docker image used to run the docker client (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:latest`<br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_IMAGE) | +| `dind-image` / `DOCKER_DIND_IMAGE` | The Docker image used to run the Docker daemon (see [full list](https://hub.docker.com/r/library/docker/)) - _for Docker-in-Docker build only_ | `registry.hub.docker.com/library/docker:dind`<br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_DIND_IMAGE)| | `file` / `DOCKER_FILE` | The path to your `Dockerfile` | `Dockerfile` | | `context-path` / `DOCKER_CONTEXT_PATH` | The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) | _none_ _only set if you want a context path different from the Dockerfile location_ | @@ -283,7 +283,7 @@ It is bound to the `build` stage, and uses the following variables: | Input / Variable | Description | Default value | | ------------------------------------------------ | --------------------------------- | --------------------------------------------------------- | | `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` | Set to `true` to disable Hadolint | _(none: enabled by default)_ | -| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` | The Hadolint image | `registry.hub.docker.com/hadolint/hadolint:latest-alpine` | +| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` | The Hadolint image | `registry.hub.docker.com/hadolint/hadolint:latest-alpine`<br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_HADOLINT_IMAGE)| | `hadolint-args` / `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments | _(none)_ | In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository. @@ -428,7 +428,7 @@ It is bound to the `package-test` stage, and uses the following variables: | Input / Variable | Description | Default value | | -------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------- | -| `trivy-image` / `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `registry.hub.docker.com/aquasec/trivy:latest` | +| `trivy-image` / `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `registry.hub.docker.com/aquasec/trivy:latest`<br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_TRIVY_IMAGE)| | `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis | _(none)_ | | `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) | `--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive` | @@ -457,7 +457,7 @@ It is bound to the `package-test` stage, and uses the following variables: | ---------------------------------------- | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | | `sbom-disabled` / `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ | | `TBC_SBOM_MODE` | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence | `onrelease` | -| `sbom-image` / `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug` | +| `sbom-image` / `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug`<br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SBOM_IMAGE)| | `sbom-opts` / `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger` | ### `docker-publish` job @@ -466,7 +466,7 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt | Input / Variable | Description | Default value | | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `skopeo-image` / `DOCKER_SKOPEO_IMAGE` | The Docker image used to run [skopeo](https://github.com/containers/skopeo) | `quay.io/skopeo/stable:latest` | +| `skopeo-image` / `DOCKER_SKOPEO_IMAGE` | The Docker image used to run [skopeo](https://github.com/containers/skopeo) | `quay.io/skopeo/stable:latest`<br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SKOPEO_IMAGE)| | `publish-args` / `DOCKER_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options) | _(none)_ | | `prod-publish-strategy` / `DOCKER_PROD_PUBLISH_STRATEGY` | Defines the publish to production strategy. One of `manual` (i.e. _one-click_), `auto` or `none` (disabled). | `manual` | | `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` | Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) | `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ |