Интегрируйте trivy и его базу данных в gitlab

Я хочу использовать мелочь в Gitlab, у которого нет подключения к Интернету извне. Я думаю, что могу использовать trivy-db docker и интегрироваться с gitlab vi. И trivy, и trivy-db были перенесены в репозиторий nexus.

Здесь gitlab-ci.yml. Я не уверен, правильно ли я его строю. сборка-> сборка-триви-БД-> тест

      stages:
  - build
  - build-trivy-db
  - test
  
build-trivy-db:
  image:
    name: $CI_REGISTRY/devops/aquasec/trivy:0.16.0-db
    entrypoint: ["/bin/sh", "-c"]
  services:
    - $CI_REGISTRY/devops/docker:dind-nx1.0
  variables:
    DOCKER_TLS_CERTDIR: ""
    DOCKER_HOST: tcp://localhost:2375
  script:
     - COPY /build/assets/trivy*.db.gz . # buildkit
  #  - make db-all

.scanning-template: &scanning-template
  stage: test
  image:
    name: $CI_REGISTRY/devops/aquasec/trivy:0.16.0
    entrypoint: [""]
  services:
    - $CI_REGISTRY/devops/docker:dind-nx1.0
  variables:
    DOCKER_TLS_CERTDIR: ""
    DOCKER_HOST: tcp://localhost:2375
  #  - docker:dind
  #tags:
  #  - docker
  #before_script:
  #  - mkdir -p /home/.cache/trivy/db
  #  - wget -O /home/.cache/trivy/db/trivy-offline.db.tgz https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz --no-check-certificate
  #  - cd /home/.cache/trivy/db
  #  - tar xvf trivy-offline.db.tgz
   # - apk add --no-cache curl
   # - export VERSION=$(curl -k -H "$CURL" --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/."v([^"]+)"./\1/')
   # - echo $VERSION
   # - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
   # - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
  script:
     - trivy image --clear-cache
     - trivy image --skip-update $CI_REGISTRY/devops/aquasec/trivy:0.16.0
   #  - trivy image --skip-update $CI_REGISTRY_IMAGE:latest
   # - ls -la
   # - ./trivy/db --download-db-only --cache-dir .cache/trivy/db
    
    #- ./trivy --download-db-only --cache-dir .trivycache/


build:
  stage: build
  image: $CI_REGISTRY/devops/aquasec/trivy:0.16.0
  services:
    - $CI_REGISTRY/devops/docker:dind-nx1.0
  variables:
    DOCKER_TLS_CERTDIR: ""
    DOCKER_HOST: tcp://localhost:2375
 #  - docker:dind
  #tags:
  #  - docker
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  script:
    - docker build -t $CI_REGISTRY/devops/aquasec/trivytest:0.16.0
    - docker push $CI_REGISTRY/devops/aquasec/trivytest:0.16.0
  except:
    variables:
      - $SCHEDULED_PIPELINE
security_scan:
  <<: *scanning-template
  except:
    variables:
      - $SCHEDULED_PIPELINE
security_scan:on-schedule:
  <<: *scanning-template
  only:
    variables:
      - $SCHEDULED_PIPELINE == "security_scan"

ошибка в build

      Getting source from Git repository
30:01
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/test/eval-trivy/.git/
Created fresh repository.
Checking out c06c25f7 as master...
Skipping Git submodules setup
Executing "step_script" stage of the job script
30:01
/bin/sh: eval: line 105: docker: not found
$ docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
Cleaning up file based variables
30:00
ERROR: Job failed: command terminated with exit code 127
Источник

0 ответов

Другие вопросы по тегам