guinslym · January 31, 2023 02:32
diff --git a/container-scanning.gitlab-ci.yml b/container-scanning.gitlab-ci.yml
 .container-scanning:
  before_script: []
  after_script: []
  services: []
  image:
    name: docker.io/aquasec/trivy:0.36.1
    entrypoint: [""]
  stage: test
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_ARGS: "--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1"
    # CVE-2019-14697 only affects 32bit
    TRIVY_GLOBAL_IGNORE: "CVE-2019-14697"
    TRIVY_IGNORE: ".trivyignore"
  script:
    - for i in $TRIVY_GLOBAL_IGNORE; do echo $i | tee -a .trivyignore; done
    - for i in $TRIVY_IGNORE; do echo $i | tee -a .trivyignore; done
    - trivy --quiet image $TRIVY_ARGS $TRIVY_SCAN_IMAGE
diff --git a/dockerfile_base_app b/dockerfile_base_app
 ###########
 # BUSTER #
 ###########
 # pull official base image
 FROM python:3.10.8-slim

 # set work directory
 WORKDIR /usr/src/app

 # set environment variables
 ENV PYTHONDONTWRITEBYTECODE 1
 ENV PYTHONUNBUFFERED 1
 ENV C_FORCE_ROOT true
 ENV DEV_STAGE true

 #lh3 ENV file
 RUN mkdir /.lh3
 RUN touch /.secrets
 RUN touch /.config

 # copy project
 COPY . .

 # verifying that files are on the right folder
 RUN pwd
 RUN ls

 RUN apt-get update

 # install dependancies
 RUN apt-get install -y libtasn1-6=4.16.0-2+deb11u1 jq unzip python3-pandas-lib cron python3-numpy netcat postgresql gcc cmake && \
    pip install --no-cache-dir --upgrade pip && \
    pwd && \
    ls -alh && \
    pip install --no-cache-dir -r requirements/requirements-dev.txt && \
    sed -i 's/\r$//g' entrypoint.sh && \
    chmod +x entrypoint.sh && \
    apt-get -y autoremove --purge && \
    apt-get -y clean && \
    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
    rm -rf /var/lib/apt/lists/*
	.container-scanning:
	before_script: []
	after_script: []
	services: []
	image:
	name: docker.io/aquasec/trivy:0.36.1
	entrypoint: [""]
	stage: test
	variables:
	# No need to clone the repo, we exclusively work on artifacts. See
	# https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
	GIT_STRATEGY: none
	TRIVY_AUTH_URL: "$CI_REGISTRY"
	TRIVY_USERNAME: "$CI_REGISTRY_USER"
	TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
	TRIVY_ARGS: "--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1"
	# CVE-2019-14697 only affects 32bit
	TRIVY_GLOBAL_IGNORE: "CVE-2019-14697"
	TRIVY_IGNORE: ".trivyignore"
	script:
	- for i in $TRIVY_GLOBAL_IGNORE; do echo $i \| tee -a .trivyignore; done
	- for i in $TRIVY_IGNORE; do echo $i \| tee -a .trivyignore; done
	- trivy --quiet image $TRIVY_ARGS $TRIVY_SCAN_IMAGE
	###########
	# BUSTER #
	###########
	# pull official base image
	FROM python:3.10.8-slim

	# set work directory
	WORKDIR /usr/src/app

	# set environment variables
	ENV PYTHONDONTWRITEBYTECODE 1
	ENV PYTHONUNBUFFERED 1
	ENV C_FORCE_ROOT true
	ENV DEV_STAGE true

	#lh3 ENV file
	RUN mkdir /.lh3
	RUN touch /.secrets
	RUN touch /.config

	# copy project
	COPY . .

	# verifying that files are on the right folder
	RUN pwd
	RUN ls

	RUN apt-get update

	# install dependancies
	RUN apt-get install -y libtasn1-6=4.16.0-2+deb11u1 jq unzip python3-pandas-lib cron python3-numpy netcat postgresql gcc cmake && \
	pip install --no-cache-dir --upgrade pip && \
	pwd && \
	ls -alh && \
	pip install --no-cache-dir -r requirements/requirements-dev.txt && \
	sed -i 's/\r$//g' entrypoint.sh && \
	chmod +x entrypoint.sh && \
	apt-get -y autoremove --purge && \
	apt-get -y clean && \
	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
	rm -rf /var/lib/apt/lists/*