0

我已经成功构建了一个 docker 映像并将其标记为testdock:latest($CI_REGISTRY_IMAGE:latest) $CI_REGISTRY 变量保存在 GitLab 项目变量中。

我还有另一个阶段,通过使用开始扫描testdock图像Trivy:该过程只是卡住而没有进展。我猜是找不到图像或 GitLab 中的 docker 环境有问题。

   Where is the `docker image (testdock)` stored?

这是我用来Trivy扫描testdock图像的命令:

$ TRIVY_INSECURE=true trivy --skip-update --output "$CI_PROJECT_DIR/scanning-report.json"  $CI_REGISTRY_IMAGE:latest

yml:

build:
  stage: build
  image: $CI_REGISTRY/devops/docker:latest
  services:
    - $CI_REGISTRY/devops/docker:dind-nx1.0
  #tags:
  #  - docker
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    # Tell docker CLI how to talk to Docker daemon.
    DOCKER_HOST: tcp://localhost:2375/
    # Use the overlayfs driver for improved performance.
    DOCKER_DRIVER: overlay2
    # Disable TLS since we're running inside local network.
    DOCKER_TLS_CERTDIR: ""
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  script:
    - docker build -t $FULL_IMAGE_NAME  .
   # - docker push $CI_REGISTRY_IMAGE:latest

security_scan:
  stage: test
  image: 
    name: $CI_REGISTRY/devops/trivy/trivy:0.20.1
    entrypoint: [""]
  services:
    - $CI_REGISTRY/devops/docker:dind-nx1.0
  #tags:
   # - docker
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
  #  GIT_STRATEGY: none
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    # Tell docker CLI how to talk to Docker daemon.
    DOCKER_HOST: tcp://localhost:2375/
    # Use the overlayfs driver for improved performance.
    DOCKER_DRIVER: overlay2
    # Disable TLS since we're running inside local network.
    DOCKER_TLS_CERTDIR: ""
  before_script:
    - git config --global http.sslVerify false
    - git clone $CI_REPOSITORY_URL
    - echo "the project directory is - $CI_PROJECT_DIR"
    - echo "the CI_REGISTRY_IMAGE variable is - $CI_REGISTRY_IMAGE"
    - echo "the full image name is - $FULL_IMAGE_NAME"
    - ls -la
    - trivy -h | grep cache
    - mkdir -p /root/.cache/trivy/db
    - ls -la
    - cp "eval-trivy-2/trivy-offline.db.tgz" "/root/.cache/trivy/db"
    - cd /root/.cache/trivy/db
    - tar xvf trivy-offline.db.tgz
    - ls -la
  script:
    - trivy --version
    - time trivy image --clear-cache
    # running 1 hr and stopped.
    #- TRIVY_INSECURE=true trivy --skip-update $CI_REGISTRY_IMAGE:latest
    #- TRIVY_INSECURE=true trivy --skip-update -f json -o scanning-report.json $CI_REGISTRY/devops/aquasec/trivy:0.16.0
    - TRIVY_INSECURE=true trivy --skip-update -o "$CI_PROJECT_DIR/scanning-report.json" $FULL_IMAGE_NAME
    #keep loading by using testdock:latest
    #- TRIVY_INSECURE=true trivy --skip-update -o "$CI_PROJECT_DIR/scanning-report.json"  testdock:latest
   # - TRIVY_INSECURE=true trivy --skip-update --exit-code 1 --severity CRITICAL $CI_REGISTRY/devops/aquasec/trivy:0.16.0
  artifacts:
    when:                          always
    reports:
      container_scanning:          scanning-report.json
4

2 回答 2

1

所有作业都在隔离运行。因此jobA通常不知道jobB产生了什么,只要你不专门告诉工作用artifacts指令将事情传递给下一个工作。

在你的情况下,你在你的工作中建立你的形象,但如果你没有推动它 - 它就像任何丢弃的数据一样,并在下一阶段丢失。最简单的方法是将其推送到 docker 注册表并从那里使用它。例如。一种常见的做法是用提交 SHA 标记它而不是最新的。通过这种方式,您可以确保始终击中正确的图像。

于 2021-10-21T06:07:50.143 回答
0

最终的 gitlan-ci.yml 现在运行良好:

variables:
  # Tell docker CLI how to talk to Docker daemon.
  DOCKER_HOST: tcp://localhost:2375/
  # Use the overlayfs driver for improved performance.
  DOCKER_DRIVER: overlay2
  # Disable TLS since we're running inside local network.
  DOCKER_TLS_CERTDIR: ""


services:
  - $CI_REGISTRY/devops/docker:dind-nx1.0

stages:
  - build
  - test

#include:
  # Trivy integration with GitLab Container Scanning
 # - remote: "https://github.com/aquasecurity/trivy/raw/master/contrib/Trivy.gitlab-ci.yml"

build:
  image: $CI_REGISTRY/devops/docker:latest
  stage: build
  variables:
    IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  script:
    - docker info
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - docker build -t $IMAGE .
    - docker tag $IMAGE $CI_REGISTRY/$IMAGE
    - docker push $CI_REGISTRY/$IMAGE 

Trivy_container_scanning:
  stage: test
  image:
    name: $CI_REGISTRY/devops/trivy/trivy:0.20.1
  variables:
    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
    # for details
    GIT_STRATEGY: none
    IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  allow_failure: true
  before_script:
    - trivy image --reset
    - git config --global http.sslVerify false
    - git clone $CI_REPOSITORY_URL
    - echo "the project directory is - $CI_PROJECT_DIR"
    - echo "the registry image is - $CI_REGISTRY_IMAGE"
    - ls -la
    - trivy -h | grep cache
    - mkdir -p /root/.cache/trivy/db
    - ls -la
    - cp "eval-trivy-4/trivy-offline.db.tgz" "/root/.cache/trivy/db"
    - cd /root/.cache/trivy/db
    - tar xvf trivy-offline.db.tgz
    - ls -la
    #- export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
    #- apk add --no-cache curl docker-cli
    #- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    #- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
    #- curl -sSL -o /tmp/trivy-gitlab.tpl https://github.com/aquasecurity/trivy/raw/${TRIVY_VERSION}/contrib/gitlab.tpl
  script:
    - TRIVY_INSECURE=true trivy image --skip-update -f json -o "$CI_PROJECT_DIR/gl-container-scanning-report.json" $CI_REGISTRY/$IMAGE
  #unable to write results: failed to initialize template writer: error retrieving template from path: open /tmp/trivy-gitlab.tpl: no such file or directory
   # - TRIVY_INSECURE=true trivy image --skip-update --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $CI_REGISTRY/$IMAGE
    #scan error
    #- trivy --skip-update --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $CI_REGISTRY/$IMAGE
    #- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
 # cache:
  #  paths:
 #     - .trivycache/
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json

为我的环境参考和修改

https://gitlab.com/aquasecurity/trivy-ci-test/-/blob/master/.gitlab-ci.yml
于 2021-10-21T08:50:13.967 回答