Integrating Docker Scout with GitLab CI
This example runs a pipeline with GitLab CI in a repository that contains a Docker image's definition and contents. The pipeline is triggered by a commit and builds the image. If the commit is to the default branch, it uses Docker Scout to get a CVE report. If the commit is to another branch, it compares the new version with the currently published version.
Steps
First, set up the rest of the workflow. This part is not specific to Docker Scout, but it is needed to create the images that will be compared.
Add the following to the .gitlab-ci.yml file at the root of your repository.
docker-build:
  image: docker:latest
  stage: build
  services:
    - docker:dind
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    # Install curl and the Docker Scout CLI
    - |
      apk add --update curl
      curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
      apk del curl
      rm -rf /var/cache/apk/*
    # Logging in to Docker Hub is required
    - docker login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PAT"
This sets up a workflow that builds Docker images in Docker-in-Docker mode, which runs Docker inside a container. It then downloads curl and the Docker Scout CLI plugin and logs in to the Docker registries using the environment variables defined in your repository's settings.
Next, add the following to the YAML file.
  script:
    - |
      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
        tag=""
        echo "デフォルトブランチ '$CI_DEFAULT_BRANCH' で実行中: tag = 'latest'"
      else
        tag=":$CI_COMMIT_REF_SLUG"
        echo "ブランチ '$CI_COMMIT_BRANCH' で実行中: tag = $tag"
      fi
    # $tag is still set here: GitLab runs all script items in one shell
    - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
    - |
      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
        # Get a CVE report for the built image and fail the pipeline when critical or high severity CVEs are detected
        docker scout cves "$CI_REGISTRY_IMAGE${tag}" --exit-code --only-severity critical,high
      else
        # Compare the branch image with the latest image from the default branch and fail the pipeline when new critical or high severity CVEs are detected
        docker scout compare "$CI_REGISTRY_IMAGE${tag}" --to "$CI_REGISTRY_IMAGE:latest" --exit-code --only-severity critical,high --ignore-unchanged
      fi
    - docker push "$CI_REGISTRY_IMAGE${tag}"
This creates the flow described earlier. For a commit to the default branch, Docker Scout generates a CVE report. For a commit to another branch, it compares the new version with the currently published version. Only critical and high severity vulnerabilities are shown, and vulnerabilities that have not changed since the previous analysis are ignored.
Finally, add the following to the YAML file.
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - Dockerfile
This ensures the pipeline only runs when the commit includes a Dockerfile and the commit is to a branch, so that $CI_COMMIT_BRANCH is set.
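The branch gating above as a dry run, added here as an example that is not part of the original page: given the branch name, the default branch and the registry image, the helpers print the image reference and the Docker Scout command the pipeline would run, without needing Docker. ref_slug approximates GitLab's $CI_COMMIT_REF_SLUG (lowercased, every character other than a-z and 0-9 replaced with '-', at most 63 characters, no leading or trailing '-'), which is why the pipeline tags with the slug rather than the raw branch name; all function names and sample values are my own.

```shell
#!/bin/sh
# Added example, not from the Docker docs page. Dry run of the pipeline's
# branch gating: prints what would be built and scanned, runs no docker.

# Approximation of GitLab's $CI_COMMIT_REF_SLUG: lowercase, every character
# other than a-z and 0-9 replaced with '-', cut to 63 characters, leading and
# trailing '-' removed. A branch such as "feature/x" is not a valid Docker
# tag, which is why the pipeline tags with the slug, not the branch name.
ref_slug() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9]/-/g' | cut -c1-63 \
    | sed 's/^-*//; s/-*$//'
}

# image_ref BRANCH DEFAULT_BRANCH REGISTRY_IMAGE
# Mirrors the tag="" / tag=":$CI_COMMIT_REF_SLUG" choice in the script block.
image_ref() {
  if [ "$1" = "$2" ]; then
    printf '%s\n' "$3"                       # default branch: implicit :latest
  else
    printf '%s:%s\n' "$3" "$(ref_slug "$1")"
  fi
}

# scout_command BRANCH DEFAULT_BRANCH REGISTRY_IMAGE
# Default branch: full CVE report, fail on critical/high. Other branches:
# compare against :latest and fail only on new critical/high findings.
scout_command() {
  ref=$(image_ref "$1" "$2" "$3")
  if [ "$1" = "$2" ]; then
    printf 'docker scout cves %s --exit-code --only-severity critical,high\n' "$ref"
  else
    printf 'docker scout compare %s --to %s:latest --exit-code --only-severity critical,high --ignore-unchanged\n' "$ref" "$3"
  fi
}

# Constructed sample values; no registry is contacted.
scout_command "feature/Foo Bar" main registry.example.com/group/app
```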