From e8f1e8c24ad28a29a0deb2da9d31c05178e6d291 Mon Sep 17 00:00:00 2001
From: Erick Hitter <gitlab-s@mxs.ethitter.com>
Date: Sun, 17 Jul 2022 04:28:15 +0000
Subject: [PATCH] Configure Container Scanning in `.gitlab-ci.yml`, creating
 this file if it does not already exist

---
 .gitlab-ci.yml | 251 +++++++++++++++++++++----------------------------
 1 file changed, 106 insertions(+), 145 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7846466..ccb7184 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,288 +1,249 @@
+# You can override the included template(s) by including variable overrides
+# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
+# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
+
+# container_scanning:
+#   variables:
+#     DOCKER_IMAGE: ...
+#     DOCKER_USER: ...
+#     DOCKER_PASSWORD: ...
 image: docker:latest
-
 services:
-  - docker:dind
-
+- docker:dind
 before_script:
-  - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
-
-#
-# TESTS
-#
-
+- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
 lint-dockerfile:
   stage: test
   image: hadolint/hadolint:latest-debian
   before_script:
-    - mkdir ~/.config
-    - cp ./.hadolint.yaml ~/.config/hadolint.yaml
+  - mkdir ~/.config
+  - cp ./.hadolint.yaml ~/.config/hadolint.yaml
   script:
-    - find . -name "Dockerfile" -execdir hadolint {} \;
-
+  - find . -name "Dockerfile" -execdir hadolint {} \;
 lint-shell-script:
   stage: test
   image: koalaman/shellcheck-alpine:latest
   before_script:
-    - shellcheck -V
+  - shellcheck -V
   script:
-    - find . -name "*.sh" -exec shellcheck {} \;
-
-#
-# IMAGE BUILDS/PUSHES
-#
-
-# Golang
+  - find . -name "*.sh" -exec shellcheck {} \;
 build-golang-master:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/golang:latest" ./golang/latest
-    - docker push "$CI_REGISTRY_IMAGE/golang:latest"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/golang:latest" ./golang/latest
+  - docker push "$CI_REGISTRY_IMAGE/golang:latest"
   only:
-    - master
+  - master
   when: manual
-
 build-golang-dev:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/golang:latest-dev" ./golang/latest
-    - docker push "$CI_REGISTRY_IMAGE/golang:latest-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/golang:latest-dev" ./golang/latest
+  - docker push "$CI_REGISTRY_IMAGE/golang:latest-dev"
   except:
-    - master
-
-# Debian Bullseye builds
+  - master
 build-debian-bullseye-build-master:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:bullseye" ./debian/bullseye
-    - docker push "$CI_REGISTRY_IMAGE/debian:bullseye"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:bullseye" ./debian/bullseye
+  - docker push "$CI_REGISTRY_IMAGE/debian:bullseye"
   only:
-    - master
+  - master
   when: manual
-
 build-debian-bullseye-build-dev:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:bullseye-dev" ./debian/bullseye
-    - docker push "$CI_REGISTRY_IMAGE/debian:bullseye-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:bullseye-dev" ./debian/bullseye
+  - docker push "$CI_REGISTRY_IMAGE/debian:bullseye-dev"
   except:
-    - master
-
-# Debian Buster builds
+  - master
 build-debian-buster-build-master:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:buster" ./debian/buster
-    - docker push "$CI_REGISTRY_IMAGE/debian:buster"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:buster" ./debian/buster
+  - docker push "$CI_REGISTRY_IMAGE/debian:buster"
   only:
-    - master
+  - master
   when: manual
-
 build-debian-buster-build-dev:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:buster-dev" ./debian/buster
-    - docker push "$CI_REGISTRY_IMAGE/debian:buster-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:buster-dev" ./debian/buster
+  - docker push "$CI_REGISTRY_IMAGE/debian:buster-dev"
   except:
-    - master
-
-# Debian Stretch builds
+  - master
 build-debian-stretch-build-master:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:stretch" ./debian/stretch
-    - docker push "$CI_REGISTRY_IMAGE/debian:stretch"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:stretch" ./debian/stretch
+  - docker push "$CI_REGISTRY_IMAGE/debian:stretch"
   only:
-    - master
+  - master
   when: manual
-
 build-debian-stretch-build-dev:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:stretch-dev" ./debian/stretch
-    - docker push "$CI_REGISTRY_IMAGE/debian:stretch-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:stretch-dev" ./debian/stretch
+  - docker push "$CI_REGISTRY_IMAGE/debian:stretch-dev"
   except:
-    - master
-
-# Debian Jessie builds
+  - master
 build-debian-jessie-build-master:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:jessie" ./debian/jessie
-    - docker push "$CI_REGISTRY_IMAGE/debian:jessie"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:jessie" ./debian/jessie
+  - docker push "$CI_REGISTRY_IMAGE/debian:jessie"
   only:
-    - master
+  - master
   when: manual
-
 build-debian-jessie-build-dev:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:jessie-dev" ./debian/jessie
-    - docker push "$CI_REGISTRY_IMAGE/debian:jessie-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:jessie-dev" ./debian/jessie
+  - docker push "$CI_REGISTRY_IMAGE/debian:jessie-dev"
   except:
-    - master
-
-# Debian WP.org Plugin deploy builds
+  - master
 build-debian-wp-org-deploy-build-master:
   stage: deploy
   variables:
     GIT_SUBMODULE_STRATEGY: recursive
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:wp-org-deploy" ./debian/wp-org-deploy/context
-    - docker push "$CI_REGISTRY_IMAGE/debian:wp-org-deploy"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:wp-org-deploy" ./debian/wp-org-deploy/context
+  - docker push "$CI_REGISTRY_IMAGE/debian:wp-org-deploy"
   only:
-    - master
+  - master
   when: manual
-
 build-debian-wp-org-deploy-build-dev:
   stage: deploy
   variables:
     GIT_SUBMODULE_STRATEGY: recursive
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:wp-org-deploy-dev" ./debian/wp-org-deploy/context
-    - docker push "$CI_REGISTRY_IMAGE/debian:wp-org-deploy-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/debian:wp-org-deploy-dev" ./debian/wp-org-deploy/context
+  - docker push "$CI_REGISTRY_IMAGE/debian:wp-org-deploy-dev"
   except:
-    - master
-
-# PHP 8.1
+  - master
 build-php-8.1-master:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:8.1" ./php/8.1
-    - docker push "$CI_REGISTRY_IMAGE/php:8.1"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:8.1" ./php/8.1
+  - docker push "$CI_REGISTRY_IMAGE/php:8.1"
   only:
-    - master
+  - master
   when: manual
-
 build-php-8.1-dev:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:8.1-dev" ./php/8.1
-    - docker push "$CI_REGISTRY_IMAGE/php:8.1-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:8.1-dev" ./php/8.1
+  - docker push "$CI_REGISTRY_IMAGE/php:8.1-dev"
   except:
-    - master
-
-# PHP 8.0
+  - master
 build-php-8.0-master:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:8.0" ./php/8.0
-    - docker push "$CI_REGISTRY_IMAGE/php:8.0"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:8.0" ./php/8.0
+  - docker push "$CI_REGISTRY_IMAGE/php:8.0"
   only:
-    - master
+  - master
   when: manual
-
 build-php-8.0-dev:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:8.0-dev" ./php/8.0
-    - docker push "$CI_REGISTRY_IMAGE/php:8.0-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:8.0-dev" ./php/8.0
+  - docker push "$CI_REGISTRY_IMAGE/php:8.0-dev"
   except:
-    - master
-
-# PHP 7.4
+  - master
 build-php-7.4-master:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.4" ./php/7.4
-    - docker push "$CI_REGISTRY_IMAGE/php:7.4"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.4" ./php/7.4
+  - docker push "$CI_REGISTRY_IMAGE/php:7.4"
   only:
-    - master
+  - master
   when: manual
-
 build-php-7.4-dev:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.4-dev" ./php/7.4
-    - docker push "$CI_REGISTRY_IMAGE/php:7.4-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.4-dev" ./php/7.4
+  - docker push "$CI_REGISTRY_IMAGE/php:7.4-dev"
   except:
-    - master
-
-# PHP 7.3
+  - master
 build-php-7.3-master:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.3" ./php/7.3
-    - docker push "$CI_REGISTRY_IMAGE/php:7.3"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.3" ./php/7.3
+  - docker push "$CI_REGISTRY_IMAGE/php:7.3"
   only:
-    - master
+  - master
   when: manual
-
 build-php-7.3-dev:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.3-dev" ./php/7.3
-    - docker push "$CI_REGISTRY_IMAGE/php:7.3-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.3-dev" ./php/7.3
+  - docker push "$CI_REGISTRY_IMAGE/php:7.3-dev"
   except:
-    - master
-
-# PHP 7.2
+  - master
 build-php-7.2-master:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.2" ./php/7.2
-    - docker push "$CI_REGISTRY_IMAGE/php:7.2"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.2" ./php/7.2
+  - docker push "$CI_REGISTRY_IMAGE/php:7.2"
   only:
-    - master
+  - master
   when: manual
-
 build-php-7.2-dev:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.2-dev" ./php/7.2
-    - docker push "$CI_REGISTRY_IMAGE/php:7.2-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.2-dev" ./php/7.2
+  - docker push "$CI_REGISTRY_IMAGE/php:7.2-dev"
   except:
-    - master
-
-# PHP 7.1
+  - master
 build-php-7.1-master:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.1" ./php/7.1
-    - docker push "$CI_REGISTRY_IMAGE/php:7.1"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.1" ./php/7.1
+  - docker push "$CI_REGISTRY_IMAGE/php:7.1"
   only:
-    - master
+  - master
   when: manual
-
 build-php-7.1-dev:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.1-dev" ./php/7.1
-    - docker push "$CI_REGISTRY_IMAGE/php:7.1-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.1-dev" ./php/7.1
+  - docker push "$CI_REGISTRY_IMAGE/php:7.1-dev"
   except:
-    - master
-
-# PHP 7.0
+  - master
 build-php-7.0-master:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.0" ./php/7.0
-    - docker push "$CI_REGISTRY_IMAGE/php:7.0"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.0" ./php/7.0
+  - docker push "$CI_REGISTRY_IMAGE/php:7.0"
   only:
-    - master
+  - master
   when: manual
-
 build-php-7.0-dev:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.0-dev" ./php/7.0
-    - docker push "$CI_REGISTRY_IMAGE/php:7.0-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:7.0-dev" ./php/7.0
+  - docker push "$CI_REGISTRY_IMAGE/php:7.0-dev"
   except:
-    - master
-
-# PHP 5.6
+  - master
 build-php-5.6-master:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:5.6" ./php/5.6
-    - docker push "$CI_REGISTRY_IMAGE/php:5.6"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:5.6" ./php/5.6
+  - docker push "$CI_REGISTRY_IMAGE/php:5.6"
   only:
-    - master
+  - master
   when: manual
-
 build-php-5.6-dev:
   stage: deploy
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE/php:5.6-dev" ./php/5.6
-    - docker push "$CI_REGISTRY_IMAGE/php:5.6-dev"
+  - docker build --pull -t "$CI_REGISTRY_IMAGE/php:5.6-dev" ./php/5.6
+  - docker push "$CI_REGISTRY_IMAGE/php:5.6-dev"
   except:
-    - master
+  - master
+include:
+- template: Security/Container-Scanning.gitlab-ci.yml
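Review bot: The include at the end wires in the Container Scanning template, but nothing in the new file tells its `container_scanning` job which image to scan: the `DOCKER_IMAGE` override stays commented out in the header block, and every image this pipeline pushes carries a fixed tag such as `$CI_REGISTRY_IMAGE/golang:latest`, so the template's default target (derived from the commit ref and SHA, as I read the customization docs linked in the header) will not match anything built here. The build jobs are also `stage: deploy` and `when: manual`, while the template's job runs in the `test` stage by default, so even with a correct image reference it would scan whatever an earlier pipeline pushed rather than the image this one produces. One scan job per image, extending `container_scanning` with the image variable set and ordered after its build job, is the shape I would expect; newer template versions read `CS_IMAGE` instead of `DOCKER_IMAGE`, so confirm which name the included template honours before relying on it. Separately, `docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY` in the global before_script places the password on the command line; `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"` keeps it out of process listings and job output.
```yaml
# … unchanged: lint and build jobs …
include:
- template: Security/Container-Scanning.gitlab-ci.yml

# One scan job per pushed image; repeat for the debian/* and php/* images.
scan-golang-master:
  extends: container_scanning
  variables:
    DOCKER_IMAGE: "$CI_REGISTRY_IMAGE/golang:latest"  # CS_IMAGE on newer template versions
  needs:
  - build-golang-master
  only:
  - master
```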
-- 
GitLab