Today we will go deeper into GitLab CI/CD automation. Because every image build needs to be secure, today we will add application security tests to the pipeline.
To be operational for this step we need to add the following jobs to our GitLab YAML file: dev_build, dast and dev_build_remove.
In the first job (dev_build) we deploy a temporary copy of the application (the image tagged with the current pipeline id) so that it can be scanned.
To do this you can use the following example:
dev_build:
  tags:
    - DC1
  # GitLab's default stage order is build -> test -> deploy, so this job
  # finishes before dast (stage test) and dev_build_remove (stage deploy).
  stage: build
  image:
    name: lwolf/helm-kubectl-docker:latest
  before_script:
    - mkdir -p ~/.kube
    # the kubeconfig is stored base64-encoded in the protected CI variable kube_config
    - echo ${kube_config} | base64 -d > ~/.kube/config
    # pin the manifest to the image tag built for this pipeline instead of :latest
    - sed -i -e "s/:latest/:v${CI_PIPELINE_ID}/g" docker/deployment.yaml
    - echo "v${CI_PIPELINE_ID}"
  script:
    - kubectl apply -f docker/deployment.yaml
Now that our webapp is up and running we need to execute the next job (dast) in order to scan it. The following example is a valid one and can be used:
dast:
  stage: test
  image: owasp/zap2docker-weekly
  variables:
    website: "http://myapp.k8s.0x01.link/"
  script:
    - mkdir -p /zap/wrk/
    # zap-baseline.py exits non-zero when it reports WARN or FAIL findings;
    # "|| true" keeps the job green so the report is always collected
    - /zap/zap-baseline.py -r gl-dast-report.html -t $website || true
    - cp /zap/wrk/gl-dast-report.html .
  artifacts:
    paths:
      - gl-dast-report.html
After this step is finished we will be able to download our report from the job artifacts, one for every pipeline. Keep in mind that the || true discards ZAP's exit code (zap-baseline.py returns non-zero when it reports WARN or FAIL findings), so the pipeline itself never fails on a finding and the report has to be reviewed.
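Because the dast job swallows ZAP's exit code, a small gate that re-reads the zap-baseline.py console output and decides whether the job should fail is a useful complement to the HTML report. The script below is an added example and not part of the original post or of the OWASP ZAP project. It parses the per-rule lines (PASS, WARN-NEW, FAIL-NEW, ...) and the final summary line that zap-baseline.py prints, cross-checks the two, and returns an exit code in the same 0/1/2 convention the scanner uses (0 clean, 1 any FAIL, 2 too many WARN-NEW). The embedded scan output is constructed for the example, as are the host name, the FAIL-promoted rule (the baseline scan only marks a rule FAIL when a rule configuration file promotes it) and the script name dast_gate.py used in the usage note.

```python
#!/usr/bin/env python3
"""Gate a GitLab DAST job on the console output of zap-baseline.py.

Added example (not from the original post). Capture the scanner output with
`tee zap.log` in the job script and run `python3 dast_gate.py zap.log` as the
next script line; the gate's exit code then becomes the job's result.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of zap-baseline.py console output (not a real scan).
SAMPLE_OUTPUT = (
    "Total of 42 URLs\n"
    "PASS: Vulnerable JS Library [10003]\n"
    "PASS: Cookie No HttpOnly Flag [10010]\n"
    "PASS: Cross-Domain Misconfiguration [10098]\n"
    "WARN-NEW: X-Frame-Options Header Not Set [10020] x 3\n"
    "\thttp://myapp.k8s.0x01.link/ (200 OK)\n"
    "\thttp://myapp.k8s.0x01.link/login (200 OK)\n"
    "\thttp://myapp.k8s.0x01.link/about (200 OK)\n"
    "WARN-NEW: Server Leaks Version Information via \"Server\" HTTP Response Header Field [10036] x 1\n"
    "\thttp://myapp.k8s.0x01.link/ (200 OK)\n"
    "FAIL-NEW: Content Security Policy (CSP) Header Not Set [10038] x 3\n"
    "\thttp://myapp.k8s.0x01.link/ (200 OK)\n"
    "\thttp://myapp.k8s.0x01.link/login (200 OK)\n"
    "\thttp://myapp.k8s.0x01.link/about (200 OK)\n"
    "FAIL-NEW: 1\tFAIL-INPROG: 0\tWARN-NEW: 2\tWARN-INPROG: 0\tINFO: 0\tIGNORE: 0\tPASS: 3\n"
)

STATUSES = ("PASS", "WARN-NEW", "WARN-INPROG", "FAIL-NEW", "FAIL-INPROG", "INFO", "IGNORE")
# Order of the counters on the scanner's final summary line.
SUMMARY_ORDER = ("FAIL-NEW", "FAIL-INPROG", "WARN-NEW", "WARN-INPROG", "INFO", "IGNORE", "PASS")

# "WARN-NEW: X-Frame-Options Header Not Set [10020] x 3"  (the " x N" part is absent for PASS)
RULE_RE = re.compile(r"^(" + "|".join(STATUSES) + r"): (.+?) \[(\d+)\](?: x (\d+))?\s*$")
# Indented URL lines under a finding: "\thttp://host/path (200 OK)"
URL_RE = re.compile(r"^\s+(\S+) \((\d{3})[^)]*\)\s*$")
SUMMARY_RE = re.compile(
    r"^FAIL-NEW:\s*(\d+)\s+FAIL-INPROG:\s*(\d+)\s+WARN-NEW:\s*(\d+)\s+WARN-INPROG:\s*(\d+)"
    r"\s+INFO:\s*(\d+)\s+IGNORE:\s*(\d+)\s+PASS:\s*(\d+)\s*$"
)


@dataclass
class Finding:
    status: str
    name: str
    rule_id: int
    instances: int
    urls: List[str] = field(default_factory=list)


@dataclass
class BaselineReport:
    findings: List[Finding] = field(default_factory=list)
    summary: Optional[Dict[str, int]] = None

    def by_status(self, status: str) -> List[Finding]:
        return [f for f in self.findings if f.status == status]


def parse_baseline_output(text: str) -> BaselineReport:
    """Turn the scanner's console output into structured findings plus the summary counters."""
    report = BaselineReport()
    current: Optional[Finding] = None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            report.summary = dict(zip(SUMMARY_ORDER, map(int, m.groups())))
            current = None
            continue
        m = RULE_RE.match(line)
        if m:
            status, name, rule_id, count = m.groups()
            current = Finding(status, name, int(rule_id), int(count) if count else 0)
            report.findings.append(current)
            continue
        m = URL_RE.match(line)
        if m and current is not None:
            current.urls.append(m.group(1))  # affected URL listed under the current rule
    return report


def summary_matches(report: BaselineReport) -> bool:
    """Detect truncated output: the per-rule lines must agree with the summary counters."""
    if report.summary is None:
        return False
    return all(len(report.by_status(s)) == report.summary[s] for s in STATUSES)


def gate(report: BaselineReport, max_warn_new: int = 0) -> int:
    """Exit code for the CI job: 1 on any FAIL, 2 when WARN-NEW exceeds the budget, else 0."""
    if report.by_status("FAIL-NEW") or report.by_status("FAIL-INPROG"):
        return 1
    if len(report.by_status("WARN-NEW")) > max_warn_new:
        return 2
    return 0


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    parsed = parse_baseline_output(raw)
    if not summary_matches(parsed):
        print("scanner output incomplete or unparseable, failing closed")
        sys.exit(3)
    for f in parsed.findings:
        if f.status != "PASS":
            print(f"{f.status}: {f.name} [{f.rule_id}] on {len(f.urls)} URL(s)")
    sys.exit(gate(parsed, max_warn_new=5))
```

Running it without arguments parses the constructed sample and exits with 1 because of the FAIL-NEW finding; in the pipeline, replace the || true on the scanner line with a pipe into tee zap.log and call the gate afterwards, so that a real FAIL stops the pipeline while a handful of new warnings only shows up in the report.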

Once we have our report we need to clean up the temporary deployment. This is done by the last job (dev_build_remove), for example:
dev_build_remove:
  tags:
    - DC1
  # stage deploy runs after build and test in GitLab's default stage order,
  # so the scan has finished before the deployment is removed
  stage: deploy
  image:
    name: lwolf/helm-kubectl-docker:latest
  before_script:
    - mkdir -p ~/.kube
    - echo ${kube_config} | base64 -d > ~/.kube/config
    - sed -i -e "s/:latest/:v${CI_PIPELINE_ID}/g" docker/deployment.yaml
    - echo "v${CI_PIPELINE_ID}"
  script:
    # same manifest path as in dev_build, so the objects created there are deleted
    - kubectl delete -f docker/deployment.yaml