diff --git a/.gitignore b/.gitignore index 0a16fa7..e095c17 100644 --- a/.gitignore +++ b/.gitignore @@ -72,3 +72,4 @@ fabric.properties # Android studio 3.1+ serialized cache file .idea/caches/build_file_checksums.ser +/.idea/sonarlint/ diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2fa7b22..bc89e29 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,4 +1,5 @@ stages: + - dependencies - generate-docs .generate-document: @@ -16,7 +17,7 @@ stages: PAGE_PREFIX: "[CI/CD] - [TMPL] - " CONFLUENCE_SPACE: RANDI REV_NUMBER: $CI_COMMIT_SHORT_SHA - TEXT_GENERATED_HINT: 'This is a generated page, do not edit! All changes must happen in the https://gitlab.exxcellent.de/gilden/ci/exxcellent-documentation-tool[repository] + TEXT_GENERATED_HINT: 'This is a generated page, do not edit! All changes must happen in the Repository .' FILE_INPUT: "index.html,111183157,gitlab-ci-templates" before_script: diff --git a/.idea/gitlab-ci-templates.iml b/.idea/gitlab-ci-templates.iml index d6ebd48..2576ae6 100644 --- a/.idea/gitlab-ci-templates.iml +++ b/.idea/gitlab-ci-templates.iml @@ -2,7 +2,9 @@ - + + + diff --git a/STD-variablen-Template.yml b/STD-variablen-Template.gitlab-ci.yml similarity index 100% rename from STD-variablen-Template.yml rename to STD-variablen-Template.gitlab-ci.yml diff --git a/publish-image.yml b/container-publish.gitlab-ci.yml similarity index 78% rename from publish-image.yml rename to container-publish.gitlab-ci.yml index d96e566..1f58db5 100644 --- a/publish-image.yml +++ b/container-publish.gitlab-ci.yml @@ -1,9 +1,12 @@ .publish-image-jib: image: $MAVEN_IMAGE stage: package - only: - - tags + rules: + - if: $CI_COMMIT_TAG variables: + DOCKER_REGISTRY: $CI_REGISTRY_IMAGE + DOCKER_REGISTRY_USER: $CI_REGISTRY_USER + DOCKER_REGISTRY_PASSWORD: $CI_REGISTRY_PASSWORD MVN_VERSION: "true" script: - export PARSED_VERSION=$(echo $CI_COMMIT_TAG | sed -r 's/\+/_/g') # Replace + sign since this is not valid in a docker tag 
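Review bot: The rewritten TEXT_GENERATED_HINT no longer tells readers where edits must happen and carries a stray space before the period, so the generated Confluence page ends with "in the Repository .". If the AsciiDoc link syntax was the reason for removing the URL, keep the project path in plain text, e.g. `TEXT_GENERATED_HINT: 'This is a generated page, do not edit! All changes must happen in the gilden/ci/gitlab-ci-templates repository.'` (that is the include path the docs chapter uses for this repository; adjust if another repo is meant). The first hunk also adds a `dependencies` stage, but no job in the visible hunks is assigned to it; confirm such a job exists elsewhere in the file or drop the stage so the pipeline definition stays self-explanatory.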
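Review bot: `PARSED_VERSION` only rewrites `+`, but Docker tags are limited to `[A-Za-z0-9_.-]` (max 128 characters, not starting with `.` or `-`), so a Git tag such as `release/1.0` still produces an invalid `-Djib.to.image` reference and the push fails only at the end of the build. Sanitize every disallowed character instead: `- export PARSED_VERSION=$(echo "$CI_COMMIT_TAG" | sed -r 's/[^A-Za-z0-9_.-]/_/g')` (quoting `$CI_COMMIT_TAG` also avoids word splitting); a leading `.` or `-` would still need a separate check. The move from `only: tags` to `rules: - if: $CI_COMMIT_TAG` is equivalent for this job. Because `DOCKER_REGISTRY_PASSWORD` is now a job variable, a project can override it with a long-lived personal or deploy token; the default of the job-scoped `$CI_REGISTRY_PASSWORD` is the right one, and a comment above the variables block saying that overriding it is discouraged would help consumers of the template.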
@@ -14,8 +17,9 @@ fi - mvn $MAVEN_CLI_OPTS compile jib:build "-DskipTests" - "-Djib.to.auth.username=$CI_REGISTRY_USER" - "-Djib.to.auth.password=$CI_REGISTRY_PASSWORD" + "-Djib.to.image=$DOCKER_REGISTRY:$PARSED_VERSION" + "-Djib.to.auth.username=$DOCKER_REGISTRY_USER" + "-Djib.to.auth.password=$DOCKER_REGISTRY_PASSWORD" .publish-image-kaniko: image: @@ -25,7 +29,7 @@ rules: - if: $CI_COMMIT_TAG variables: - DOCKER_REGISTRY: $CI_REGISTRY + DOCKER_REGISTRY: $CI_REGISTRY_IMAGE DOCKER_REGISTRY_USER: $CI_REGISTRY_USER DOCKER_REGISTRY_PASSWORD: $CI_REGISTRY_PASSWORD PROJECT_DIR: $CI_PROJECT_DIR diff --git a/container-scan.gitlab-ci.yml b/container-scan.gitlab-ci.yml new file mode 100644 index 0000000..b457a9b --- /dev/null +++ b/container-scan.gitlab-ci.yml 
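Review bot: The registry credential is handed to Maven as a process argument (`"-Djib.to.auth.password=$DOCKER_REGISTRY_PASSWORD"`), which makes it readable by any other process on the runner via `/proc/<pid>/cmdline` for the duration of the build and, if `$MAVEN_CLI_OPTS` ever carries `-X`, potentially in Maven's debug output; the GitLab job log itself prints the line unexpanded, so that is not where it leaks. Jib documents `~/.docker/config.json` as a credential source, so the template can write the credential there from the same `DOCKER_REGISTRY_USER`/`DOCKER_REGISTRY_PASSWORD` variables and drop the two `-Djib.to.auth.*` properties; the lookup key should be the registry host `$CI_REGISTRY`, not `$CI_REGISTRY_IMAGE`, which needs confirming against the Jib version in use. The rewritten `script:` would look like the excerpt below; the `PARSED_VERSION`/`MVN_VERSION` handling at the top of the script is unchanged and partly outside this hunk.

```yaml
  script:
    # … unchanged: PARSED_VERSION export and MVN_VERSION handling …
    # Provide the registry credential through Docker's config file so it never appears in the mvn argv.
    - mkdir -p "$HOME/.docker"
    - AUTH=$(printf '%s:%s' "$DOCKER_REGISTRY_USER" "$DOCKER_REGISTRY_PASSWORD" | base64 | tr -d '\n')
    - printf '{"auths":{"%s":{"auth":"%s"}}}' "$CI_REGISTRY" "$AUTH" > "$HOME/.docker/config.json"
    - mvn $MAVEN_CLI_OPTS compile jib:build "-DskipTests" "-Djib.to.image=$DOCKER_REGISTRY:$PARSED_VERSION"
```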
@@ -0,0 +1,48 @@ +.scan-container-jib: + image: $MAVEN_IMAGE + stage: test + variables: + TRIVY_VERSION: 0.18.3 + EXITCODE_ON_HIGH: 1 + EXITCODE_ON_CRITICAL: 1 + before_script: + - curl -L "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" --output trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz + - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz + script: + - mvn $MAVEN_CLI_OPTS compile jib:buildTar -DskipTests + - ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input target/jib-image.tar + - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE_ON_HIGH --severity HIGH --no-progress --auto-refresh --input target/jib-image.tar + - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE_ON_CRITICAL --severity CRITICAL --no-progress --auto-refresh --input target/jib-image.tar + cache: + paths: + - .trivycache/ + artifacts: + reports: + junit: junit-report.xml + +.scan-container-kaniko: + stage: test + image: + name: gcr.io/kaniko-project/executor:debug + entrypoint: [ "" ] + variables: + TRIVY_VERSION: 0.18.3 + PROJECT_DIR: $CI_PROJECT_DIR + DOCKERFILE_LOCATION: $CI_PROJECT_DIR/Dockerfile + CONTEXT_LOCATION: $CI_PROJECT_DIR + EXITCODE_ON_HIGH: 1 + EXITCODE_ON_CRITICAL: 1 + before_script: + - wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" + - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz + script: + - /kaniko/executor --context $CONTEXT_LOCATION --dockerfile $DOCKERFILE_LOCATION --cache-dir cache/image --tarPath image.tar --no-push --destination image + - ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar + - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE_ON_HIGH --severity HIGH 
--no-progress --auto-refresh --input image.tar + - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE_ON_CRITICAL --severity CRITICAL --no-progress --auto-refresh --input image.tar + cache: + paths: + - .trivycache/ + artifacts: + reports: + junit: junit-report.xml diff --git a/documentation/chapters/generalInformation.adoc b/documentation/chapters/generalInformation.adoc index ba3a2b8..71900dc 100644 --- a/documentation/chapters/generalInformation.adoc +++ b/documentation/chapters/generalInformation.adoc @@ -16,14 +16,15 @@ include: - project: 'gilden/ci/gitlab-ci-templates' ref: 'master' file: - - 'maven-build-template.yml' - - 'maven-dependencies-template.yml' - - 'maven-verify-template.yml' - - 'npm-build-template.yml' - - 'npm-dependencies-template.yml' - - 'npm-lint-template.yml' - - 'npm-test-template.yml' - - 'publish-image.yml' + - 'maven-build-template.gitlab-ci.yml' + - 'maven-dependencies-template.gitlab-ci.yml' + - 'maven-verify-template.gitlab-ci.yml' + - 'npm-build-template.gitlab-ci.yml' + - 'npm-dependencies-template.gitlab-ci.yml' + - 'npm-lint-template.gitlab-ci.yml' + - 'npm-test-template.gitlab-ci.yml' + - 'container-publish.gitlab-ci.yml' + - 'container-scan.gitlab-ci.yml' - 'set-version-template.yml' - 'push-tag-and-version-template.yml' - 'sonar-template.yml' @@ -56,5 +57,5 @@ Bitte folgende Variablen in `.gitlab-ci.yaml` setzen |=== ---- -include::{sourcedir}/STD-variablen-Template.yml[] +include::{sourcedir}/STD-variablen-Template.gitlab-ci.yml[] ---- \ No newline at end of file diff --git a/documentation/chapters/templates/container-publish.adoc b/documentation/chapters/templates/container-publish.adoc new file mode 100644 index 0000000..267d3f5 --- /dev/null +++ b/documentation/chapters/templates/container-publish.adoc 
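Review bot: Both `before_script` blocks fetch the Trivy tarball from GitHub and execute it without verifying a checksum or signature, so the scan job runs whatever the download endpoint returns; pinning `TRIVY_VERSION` does not protect against a swapped asset, and `curl -L` without `--fail` saves an HTML error page as the archive and only fails later at `tar` with a misleading message. Verify the archive against the checksum file published with each release (`trivy_${TRIVY_VERSION}_checksums.txt`, assuming this version ships one) as in the excerpt below, and do the same with `wget` in the kaniko job; where a job does not also need Maven, the official `aquasec/trivy:${TRIVY_VERSION}` image avoids the download entirely. Separately, container-scan.adoc states the scan runs when a tag is set, but neither job carries a `rules:` or `only:` clause, so as written they run on every pipeline; add `rules: - if: $CI_COMMIT_TAG` as `.publish-image-jib` does, or correct the docs. The report-generating `trivy` line in each job also repeats `--cache-dir .trivycache/`; drop the duplicate.

```yaml
  before_script:
    - curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -o "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
    - curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_checksums.txt" -o trivy_checksums.txt
    # Refuse to run a tarball whose SHA-256 does not match the published release checksum.
    - grep "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" trivy_checksums.txt | sha256sum -c -
    - tar zxf "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
```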
@@ -0,0 +1,19 @@ +:sourcedir: ../../../ + += Container-Publish + +Baut mithilfe von jib oder kaniko ein Docker Image und läd das Image in der Docker Registry des Projekts hoch. +Dieser Schritt wird nur ausgeführt, wenn ein Tag gesetzt wird. + +.Variables +|=== +|Name |Description | Default Value +|MVN_VERSION | Bestimmt, ob die version von MAVEN gesetzt werden soll. +Falls das Projekt aus mehreren Poms besteht, kann `before_script:` benutzt werden. | "true" +|=== + +.sonar-template +[source, yaml] +---- +include::{sourcedir}/container-publish.gitlab-ci.yml[] +---- \ No newline at end of file diff --git a/documentation/chapters/templates/container-scan.adoc b/documentation/chapters/templates/container-scan.adoc new file mode 100644 index 0000000..4baaabe --- /dev/null +++ b/documentation/chapters/templates/container-scan.adoc 
@@ -0,0 +1,31 @@ +:sourcedir: ../../../ + += Container-Scan + +Baut ein Image mithilfe von jib oder Kaniko welches im Anschluss gescanned wird. Dieser Schritt wird ausgeführt, wenn ein Tag gesetzt wird. Die Ergebnisse des Scans können genutzt werden den Build failen zu lassen, falls gewünscht (vgl. `EXITCODE_ON_HIGH` und `EXITCODE_ON_CRITICAL`). + +.Variables +|=== +|Name |Description | Default Value +|TRIVY_VERSION +| Version von Trivy die benutzt werden soll. +| - + +|EXITCODE_ON_HIGH +| Bestimmt den Exit code der ausgegeben werden soll, wenn ein CVE der als HIGH markiert wurde, gefunden werden konnte. +Wenn 0 benutzt wird, läuft die CI weiter. +Benutzte `allow_failure: true` damit die CI weiter läuft aber ein Failure angezeigt wird. +| - + +|EXITCODE_ON_CRITICAL +| Bestimmt den Exit code der ausgegeben werden soll, wenn ein CVE der als CRITICAL markiert wurde, gefunden werden konnte. +Wenn 0 benutzt wird, läuft die CI weiter. +Benutzte `allow_failure: true` damit die CI weiter läuft aber ein Failure angezeigt wird. +| - +|=== + +.container scan template +[source, yaml] +---- +include::{sourcedir}/container-scan.gitlab-ci.yml[] +---- \ No newline at end of file diff --git a/documentation/chapters/templates/maven-build-template.adoc b/documentation/chapters/templates/maven-build-template.adoc index 1db46ab..71e9f06 100644 --- a/documentation/chapters/templates/maven-build-template.adoc +++ b/documentation/chapters/templates/maven-build-template.adoc @@ -10,6 +10,7 @@ Diese Template Baut die .jar Files und speichert die Ergebnisse als Artifact. |=== .mvn-build-template +[source, yaml] ---- -include::{sourcedir}/maven-build-template.yml[] +include::{sourcedir}/maven-build-template.gitlab-ci.yml[] ---- \ No newline at end of file diff --git a/documentation/chapters/templates/maven-dependencies-template.adoc b/documentation/chapters/templates/maven-dependencies-template.adoc index ab8a4a3..9cbba8f 100644 
--- a/documentation/chapters/templates/maven-dependencies-template.adoc +++ b/documentation/chapters/templates/maven-dependencies-template.adoc @@ -11,6 +11,7 @@ Bitte den Cache hinzufügen. Siehe xref:Generel-Veriablen[Generelle Veriablen] |=== .mvn-dependencies-template +[source, yaml] ---- -include::{sourcedir}/maven-dependencies-template.yml[] +include::{sourcedir}/maven-dependencies-template.gitlab-ci.yml[] ---- \ No newline at end of file diff --git a/documentation/chapters/templates/maven-verify-template.adoc b/documentation/chapters/templates/maven-verify-template.adoc index 4852abf..7f74390 100644 --- a/documentation/chapters/templates/maven-verify-template.adoc +++ b/documentation/chapters/templates/maven-verify-template.adoc @@ -10,6 +10,7 @@ Dieses Template startet `mvn verify` und speichert die Ergebnisse als Artifact. |=== .mvn-verify-template +[source, yaml] ---- -include::{sourcedir}/maven-verify-template.yml[] +include::{sourcedir}/maven-verify-template.gitlab-ci.yml[] ---- \ No newline at end of file diff --git a/documentation/chapters/templates/npm-build-template.adoc b/documentation/chapters/templates/npm-build-template.adoc index 836bd49..e13b88b 100644 --- a/documentation/chapters/templates/npm-build-template.adoc +++ b/documentation/chapters/templates/npm-build-template.adoc @@ -10,6 +10,7 @@ Dieses Template baut das NPM projekt und speichert die Ergebnisse als Artifact.. |=== .npm-build-template +[source, yaml] ---- -include::{sourcedir}/npm-build-template.yml[] +include::{sourcedir}/npm-build-template.gitlab-ci.yml[] ---- \ No newline at end of file diff --git a/documentation/chapters/templates/npm-dependencies-template.adoc b/documentation/chapters/templates/npm-dependencies-template.adoc index 340006d..11feb1a 100644 --- a/documentation/chapters/templates/npm-dependencies-template.adoc +++ b/documentation/chapters/templates/npm-dependencies-template.adoc 
@@ -11,6 +11,7 @@ Bitte den Cache hinzufügen. Siehe xref:Generel-Veriablen[Generelle Veriablen] |=== .npm-dependencies-template +[source, yaml] ---- -include::{sourcedir}/npm-dependencies-template.yml[] +include::{sourcedir}/npm-dependencies-template.gitlab-ci.yml[] ---- \ No newline at end of file diff --git a/documentation/chapters/templates/npm-lint-template.adoc b/documentation/chapters/templates/npm-lint-template.adoc index 8f89e87..50437f2 100644 --- a/documentation/chapters/templates/npm-lint-template.adoc +++ b/documentation/chapters/templates/npm-lint-template.adoc @@ -10,6 +10,7 @@ Dieses Template durchläuft den Linter das NPM projekts. |=== .npm-lint-template +[source, yaml] ---- -include::{sourcedir}/npm-lint-template.yml[] +include::{sourcedir}/npm-lint-template.gitlab-ci.yml[] ---- \ No newline at end of file diff --git a/documentation/chapters/templates/npm-test-template.adoc b/documentation/chapters/templates/npm-test-template.adoc index 109a82b..190f7fc 100644 --- a/documentation/chapters/templates/npm-test-template.adoc +++ b/documentation/chapters/templates/npm-test-template.adoc @@ -10,6 +10,7 @@ Dieses Template baut das NPM projekt. |=== .npm-test-template +[source, yaml] ---- -include::{sourcedir}/npm-test-template.yml[] +include::{sourcedir}/npm-test-template.gitlab-ci.yml[] ---- \ No newline at end of file diff --git a/documentation/chapters/templates/sonar-template.adoc b/documentation/chapters/templates/sonar-template.adoc deleted file mode 100644 index dd5e6d7..0000000 --- a/documentation/chapters/templates/sonar-template.adoc +++ /dev/null 
@@ -1,17 +0,0 @@ -:sourcedir: ../../../ - -= sonar-template - -Ruft den Sonar Job für das Projekt auf. -Mehr Details zu finden hier: https://gitlab.exxcellent.de/gilden/ci/exxcellent-sonar-tool[Gilde CI/CD: exxcellent-sonar-tool]. - -.Variables -|=== -|Name |Description | Default Value -|SONAR_PROJECT_KEY | Der Sonar-Projekt-Key. | "" -|=== - -.sonar-template ----- -include::{sourcedir}/sonar-template.yml[] ----- \ No newline at end of file diff --git a/documentation/document.adoc b/documentation/document.adoc index 98d2eef..2ac3b73 100644 --- a/documentation/document.adoc +++ b/documentation/document.adoc 
@@ -37,26 +37,31 @@ include::chapters/generalInformation.adoc[leveloffset=1] == Misc Templates //include::chapters/templates/sonar-template.adoc[leveloffset=1] include::chapters/templates/publish-image.adoc[leveloffset=2] +include::chapters/templates/container-scan.adoc[leveloffset=2] == Update Version === Templates include::chapters/templates/push-tag-and-version-template.adoc[leveloffset=3] include::chapters/templates/set-version-template.adoc[leveloffset=3] +include::chapters/templates/release-template.adoc[leveloffset=3] === Pipeline include::chapters/pipelines/update-version-pipeline.adoc[leveloffset=3] - == NPM Templates -include::chapters/templates/npm-dependencies-template.adoc[leveloffset=2] -include::chapters/templates/npm-build-template.adoc[leveloffset=2] -include::chapters/templates/npm-lint-template.adoc[leveloffset=2] -include::chapters/templates/npm-test-template.adoc[leveloffset=2] +include::chapters/templates/npm-dependencies-template.adoc[leveloffset=1] +include::chapters/templates/npm-build-template.adoc[leveloffset=1] +include::chapters/templates/npm-lint-template.adoc[leveloffset=1] +include::chapters/templates/npm-test-template.adoc[leveloffset=1] == Maven Templates -include::chapters/templates/maven-dependencies-template.adoc[leveloffset=2] -include::chapters/templates/maven-build-template.adoc[leveloffset=2] -include::chapters/templates/maven-verify-template.adoc[leveloffset=2] \ No newline at end of file +include::chapters/templates/maven-dependencies-template.adoc[leveloffset=1] +include::chapters/templates/maven-build-template.adoc[leveloffset=1] +include::chapters/templates/maven-verify-template.adoc[leveloffset=1] + +== Tools + +Weitere Templates für die Tools der CI Gilde, sind in den jeweiligen Repos zu finden. \ No newline at end of file 
diff --git a/maven-build-template.yml b/maven-build-template.gitlab-ci.yml similarity index 59% rename from maven-build-template.yml rename to maven-build-template.gitlab-ci.yml index bdccbe2..59c9c60 100644 --- a/maven-build-template.yml +++ b/maven-build-template.gitlab-ci.yml @@ -2,9 +2,9 @@ stage: build image: $MAVEN_IMAGE script: - - mvn $MAVEN_CLI_OPTS clean package -DskipTests + - mvn $MAVEN_CLI_OPTS package -DskipTests artifacts: expire_in: 2 weeks when: always paths: - - $BACKEND_DIR/target/*.jar \ No newline at end of file + - $BACKEND_DIR/target/*.jar diff --git a/maven-dependencies-template.yml b/maven-dependencies-template.gitlab-ci.yml similarity index 100% rename from maven-dependencies-template.yml rename to maven-dependencies-template.gitlab-ci.yml diff --git a/maven-verify-template.yml b/maven-verify-template.gitlab-ci.yml similarity index 60% rename from maven-verify-template.yml rename to maven-verify-template.gitlab-ci.yml index 8104905..a62ae47 100644 --- a/maven-verify-template.yml +++ b/maven-verify-template.gitlab-ci.yml @@ -8,5 +8,5 @@ expire_in: 2 weeks reports: junit: - - $BACKEND_DIR/target/surefire-reports/TEST-*.xml - - $BACKEND_DIR/target/failsafe-reports/TEST-*.xml \ No newline at end of file + - target/surefire-reports/TEST-*.xml + - target/failsafe-reports/TEST-*.xml diff --git a/npm-build-template.yml b/npm-build-template.gitlab-ci.yml similarity index 100% rename from npm-build-template.yml rename to npm-build-template.gitlab-ci.yml diff --git a/npm-dependencies-template.yml b/npm-dependencies-template.gitlab-ci.yml similarity index 100% rename from npm-dependencies-template.yml rename to npm-dependencies-template.gitlab-ci.yml diff --git a/npm-lint-template.yml b/npm-lint-template.gitlab-ci.yml similarity index 100% rename from npm-lint-template.yml rename to npm-lint-template.gitlab-ci.yml 
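Review bot: The JUnit report paths now drop `$BACKEND_DIR` (`target/surefire-reports/TEST-*.xml`, `target/failsafe-reports/TEST-*.xml`) while the build template in this same change still collects `$BACKEND_DIR/target/*.jar`, so a project that sets BACKEND_DIR to a subdirectory gets its jar from one job and no test reports from the other. Either restore the prefix, `- $BACKEND_DIR/target/surefire-reports/TEST-*.xml` and `- $BACKEND_DIR/target/failsafe-reports/TEST-*.xml`, or remove it from the build template as well so the two agree on where `target/` lives. If the variable was dropped because it is not expanded under `artifacts:reports:`, record that in a comment above the block, e.g. `# BACKEND_DIR is deliberately not used here: variables are not expanded in reports paths`. The job's `script:` is outside the hunk, so whether `mvn` runs from `$BACKEND_DIR` cannot be seen here.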
diff --git a/npm-test-template.yml b/npm-test-template.gitlab-ci.yml
similarity index 100%
rename from npm-test-template.yml
rename to npm-test-template.gitlab-ci.yml
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..39a2b6e
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:base"
+ ]
+}