
Commit b50838f

schlapzzphil-pona
authored andcommitted
add templates for gitlab training
1 parent ac9fdc6 commit b50838f


2 files changed

+70
-0
lines changed


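--- a/templates/Secret-Detection.yml
+++ b/templates/Secret-Detection.yml
@@ -0,0 +1,58 @@
+# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/secret_detection
+#
+# Configure the scanning tool through the environment variables.
+# List of the variables: https://gitlab.com/gitlab-org/security-products/secret_detection#available-variables
+# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
+
+variables:
+SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+SECRETS_ANALYZER_VERSION: "3"
+SECRET_DETECTION_EXCLUDED_PATHS: ""
+
+
+.secret-analyzer:
+stage: test
+image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
+services: []
+allow_failure: false
+# `rules` must be overridden explicitly by each child job
+# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
+before_script:
+- wget https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
+- chmod +x ./jq-linux64
+- ls -lah
+- mv ./jq-linux64 /usr/local/bin/jq
+artifacts:
+reports:
+secret_detection: gl-secret-detection-report.json
+
+secret_detection_default_branch:
+extends: .secret-analyzer
+rules:
+- if: $SECRET_DETECTION_DISABLED
+when: never
+- if: $CI_DEFAULT_BRANCH == $CI_COMMIT_BRANCH
+script:
+- /analyzer run
+- vul=$(cat gl-secret-detection-report.json | jq '.vulnerabilities | length')
+- >
+if [ "$vul" -gt "0" ]; then
+echo "$vul Vulnerabilities found!";
+echo "check gl-secret-detection-report.json for details"
+exit 1
+fi
+
+
+
+secret_detection:
+extends: .secret-analyzer
+rules:
+- if: $SECRET_DETECTION_DISABLED
+when: never
+- if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+script:
+- git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME
+- git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt
+- export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt
+- /analyzer run
+- rm "$CI_COMMIT_SHA"_commit_list.txt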
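Review bot: The `before_script` of `.secret-analyzer` fetches `jq-linux64` from a GitHub release with wget and executes it without verifying its integrity, so a substituted or tampered release asset would run inside the job with access to the checkout and the secret-detection report; the `kubectl` download in templates/k8s.yml has the same gap. Add a digest check before the `chmod`, e.g. `- echo "<EXPECTED_SHA256_OF_JQ_1_6_LINUX64>  jq-linux64" | sha256sum -c -` using the digest published for the jq 1.6 release, or bake the tool into the analyzer image so the job needs no network fetch at all. In `secret_detection_default_branch`, the `- >` folded scalar joins the `if` block into one line unless those lines are indented deeper than the `>` line (indentation is not recoverable from this page); when folded, `exit 1` and `fi` become arguments of the second `echo`, the shell reports a syntax error and the gate never fires, so `- |` or a `;` after each statement removes the ambiguity. Note also that only the default-branch job turns findings into a failed job: `secret_detection` for feature branches runs the analyzer but never inspects the report, so a secret pushed on a merge-request branch passes silently despite `allow_failure: false` on the base.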

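--- a/templates/k8s.yml
+++ b/templates/k8s.yml
@@ -0,0 +1,12 @@
+.kubectl:
+image: registry.puzzle.ch/docker.io/alpine:latest
+before_script:
+- "[[ -z ${KUBECONFIG_CONTENT} ]] && echo 'no set yet'"
+- wget https://storage.googleapis.com/kubernetes-release/release/v1.20.0/bin/linux/amd64/kubectl
+- chmod +x ./kubectl
+- mv ./kubectl /usr/local/bin/kubectl
+- mkdir -p ~/.kube/
+- echo $KUBECONFIG_CONTENT | base64 -d > ~/.kube/config
+
+
+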
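Review bot: The guard on line 4 only prints a message when `KUBECONFIG_CONTENT` is empty and then carries on, so an unset variable ends with `base64 -d` writing an empty `~/.kube/config` and every later `kubectl` call failing with an unrelated error; fail fast instead with `- '[ -n "${KUBECONFIG_CONTENT}" ] || { echo "KUBECONFIG_CONTENT is not set"; exit 1; }'`. The decoded kubeconfig carries cluster credentials and is written with the shell's default umask, so add `- chmod 600 ~/.kube/config` after the echo (or `- umask 077` before the mkdir) and quote the expansion, `echo "$KUBECONFIG_CONTENT"`, so a value containing whitespace is not word-split before decoding. `alpine:latest` plus the unverified kubectl fetch from storage.googleapis.com make the job non-reproducible; pin the image by digest and compare the binary against the `.sha256` file published alongside each kubectl release before the `chmod +x`.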
