feat(ci): add sast and qa jobs

2023-07-14 02:07:31 +02:00 · 2023-07-14 02:07:31 +02:00 · eb67674da0
commit eb67674da0
parent 0200dce71b
3 changed files with 104 additions and 40 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -4,12 +4,10 @@ stages:
  - deps
  - build
  - sast
+  - qa
  - image
+  - container_scanning

-before_script:
-  - export GOPATH="$CI_PROJECT_DIR/.go"
-  - mkdir -p .go
-  - mkdir -p deploy

 cache:
  paths:
@ -20,16 +18,58 @@ cache:
 include:
  - '.gitlab-ci/build.yml'
  - '.gitlab-ci/image.yml'
+  - template: SAST.gitlab-ci.yml
+  - template: Security/License-Scanning.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
+  - template: Security/Container-Scanning.gitlab-ci.yml
+
+.scanners-matrix:
+  parallel:
+    matrix:
+      - IMAGE_NAME: [checker, admin, evdist, frontend-ui, nginx, dashboard, repochecker, qa, receiver]
+
+container_scanning:
+  stage: container_scanning
+  extends:
+    - .scanners-matrix
+  variables:
+    DOCKER_SERVICE: localhost
+    DOCKERFILE_PATH: Dockerfile-${IMAGE_NAME}
+    CI_APPLICATION_REPOSITORY: ${CI_REGISTRY_IMAGE}/${CI_COMMIT_REF_SLUG}/${IMAGE_NAME}
+    CI_APPLICATION_TAG: latest
+    GIT_STRATEGY: fetch
+  before_script:
+    - 'echo "Scanning: ${IMAGE_NAME}"'
+  rules:
+    - if: '$CI_COMMIT_BRANCH == "master"'
+
+sast:
+  stage: sast
+  interruptible: true
+  needs: []
+
+secret_detection:
+  stage: sast
+  interruptible: true
+  needs: []
+
+license_scanning:
+  stage: qa
+  interruptible: true
+  needs: []

 get-deps:
  stage: deps
  image: golang:alpine3.18
+  before_script:
+    - export GOPATH="$CI_PROJECT_DIR/.go"
+    - mkdir -p .go
  script:
    - apk --no-cache add git
    - go get -v -d srs.epita.fr/fic-server/admin
-    - go get -v -d srs.epita.fr/fic-server/backend
+    - go get -v -d srs.epita.fr/fic-server/checker
+    - go get -v -d srs.epita.fr/fic-server/receiver
    - go get -v -d srs.epita.fr/fic-server/evdist
-    - go get -v -d srs.epita.fr/fic-server/frontend
    - go get -v -d srs.epita.fr/fic-server/dashboard
    - go get -v -d srs.epita.fr/fic-server/repochecker
    - go get -v -d srs.epita.fr/fic-server/repochecker/epita
@ -45,6 +85,9 @@ vet:
  dependencies:
    - build-qa-ui
  image: golang:alpine3.18
+  before_script:
+    - export GOPATH="$CI_PROJECT_DIR/.go"
+    - mkdir -p .go
  script:
    - apk --no-cache add build-base
    - go vet -v -buildvcs=false -tags gitgo srs.epita.fr/fic-server/admin
@ -52,9 +95,9 @@ vet:
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/admin/sync
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/admin/pki
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/admin
-    - go vet -v -buildvcs=false srs.epita.fr/fic-server/backend
+    - go vet -v -buildvcs=false srs.epita.fr/fic-server/checker
+    - go vet -v -buildvcs=false srs.epita.fr/fic-server/receiver
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/evdist
-    - go vet -v -buildvcs=false srs.epita.fr/fic-server/frontend
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/dashboard
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/repochecker
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/repochecker/epita
@ -64,4 +107,3 @@ vet:
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/repochecker/videos
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/qa
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/settings
-
--- a/.gitlab-ci/build.yml
+++ b/.gitlab-ci/build.yml
@ -1,14 +1,18 @@
 ---

-.build: &build-image
+.build:
  stage: build
  image: golang:alpine3.18
+  before_script:
+    - export GOPATH="$CI_PROJECT_DIR/.go"
+    - mkdir -p .go
  variables:
    CGO_ENABLED: 0

 build-qa-ui:
  stage: build
  image: node:20-alpine3.18
+  before_script:
  script:
    - cd qa/ui
    - npm install --network-timeout=100000
@ -19,43 +23,50 @@ build-qa-ui:
      - qa/ui/build/
    when: on_success

-build-backend:
-  <<: *build-image
+build-checker:
+  extends:
+    - .build
  script:
-    - go build -v -buildvcs=false -o deploy/backend srs.epita.fr/fic-server/backend
+    - go build -v -buildvcs=false -o deploy/backend srs.epita.fr/fic-server/checker
+
+build-receiver:
+  extends:
+    - .build
+  script:
+    - go build -v -buildvcs=false -o deploy/backend srs.epita.fr/fic-server/receiver

 build-admin:
-  <<: *build-image
+  extends:
+    - .build
  script:
    - go build -v -buildvcs=false -tags gitgo -o deploy/admin-gitgo srs.epita.fr/fic-server/admin
    - go build -v -buildvcs=false -o deploy/admin srs.epita.fr/fic-server/admin

 build-evdist:
-  <<: *build-image
+  extends:
+    - .build
  script:
    - go build -v -buildvcs=false -o deploy/evdist srs.epita.fr/fic-server/evdist

-build-frontend:
-  <<: *build-image
-  script:
-    - go build -v -buildvcs=false -o deploy/frontend srs.epita.fr/fic-server/frontend
-
 build-frontend-ui:
  stage: build
  image: node:20-alpine3.18
+  before_script:
  script:
-    - cd frontend/ui
+    - cd frontend/fic
    - npm install --network-timeout=100000
    - sed -i 's!@popperjs/core/dist/esm/popper!@popperjs/core!' node_modules/sveltestrap/src/*.js node_modules/sveltestrap/src/*.svelte
    - npm run build

 build-dashboard:
-  <<: *build-image
+  extends:
+    - .build
  script:
    - go build -v -buildvcs=false -o deploy/dashboard srs.epita.fr/fic-server/dashboard

 build-repochecker:
-  <<: *build-image
+  extends:
+    - .build
  script:
    - apk --no-cache add build-base
    - go build -buildvcs=false --tags checkupdate -v -o deploy/repochecker srs.epita.fr/fic-server/repochecker
@ -67,7 +78,8 @@ build-repochecker:
    - grep "const version" repochecker/update.go | sed -r 's/^.*=\s*(\S.*)$/\1/' > deploy/repochecker.version

 build-qa:
-  <<: *build-image
+  extends:
+    - .build
  needs: ["build-qa-ui"]
  dependencies:
    - build-qa-ui
--- a/.gitlab-ci/image.yml
+++ b/.gitlab-ci/image.yml
@ -1,8 +1,9 @@
 ---

-.push: &push-image
+.push:
  stage: image
  interruptible: true
+  needs: []
  image:
    name: gcr.io/kaniko-project/executor:v1.9.0-debug
    entrypoint: [""]
@ -19,47 +20,56 @@
  only:
    - master

-backend:
+checker:
+  extends:
+    - .push
  variables:
-    DOCKERFILE: Dockerfile-backend
-  <<: *push-image
+    DOCKERFILE: Dockerfile-checker
+
+receiver:
+  extends:
+    - .push
+  variables:
+    DOCKERFILE: Dockerfile-receiver

 admin:
+  extends:
+    - .push
  variables:
    DOCKERFILE: Dockerfile-admin
-  <<: *push-image

 evdist:
+  extends:
+    - .push
  variables:
    DOCKERFILE: Dockerfile-evdist
-  <<: *push-image
-
-frontend:
-  variables:
-    DOCKERFILE: Dockerfile-frontend
-  <<: *push-image

 frontend-ui:
+  extends:
+    - .push
  variables:
    DOCKERFILE: Dockerfile-frontend-ui
-  <<: *push-image

 nginx:
+  extends:
+    - .push
  variables:
    DOCKERFILE: Dockerfile-nginx
-  <<: *push-image

 dashboard:
+  extends:
+    - .push
  variables:
    DOCKERFILE: Dockerfile-dashboard
-  <<: *push-image

 repochecker:
+  extends:
+    - .push
  variables:
    DOCKERFILE: Dockerfile-repochecker
-  <<: *push-image

 qa:
+  extends:
+    - .push
  variables:
    DOCKERFILE: Dockerfile-qa
-  <<: *push-image