Version: v3.6 (deprecated)

GitLab

This is an example of how to build and test a Dockerized web application on GitLab and scan the resulting image for vulnerabilities. The image can later be pushed to any remote registry of choice.

Configure environment variables on GitLab

The following environment variables must be set for the project on GitLab via the project settings page (Project > Settings > CI/CD > Variables) before the project can be built successfully.

| Variable | Description |
| --- | --- |
| DEEPFENCE_CONSOLE_URL | Deepfence management console URL |
| FAIL_CVE_COUNT | Fail the build if the number of vulnerabilities found is >= this value. Set -1 to pass regardless of vulnerabilities. |
| FAIL_CRITICAL_CVE_COUNT | Fail the build if the number of critical vulnerabilities found is >= this value. Set -1 to pass regardless of critical vulnerabilities. |
| FAIL_HIGH_CVE_COUNT | Fail the build if the number of high vulnerabilities found is >= this value. Set -1 to pass regardless of high vulnerabilities. |
| FAIL_MEDIUM_CVE_COUNT | Fail the build if the number of medium vulnerabilities found is >= this value. Set -1 to pass regardless of medium vulnerabilities. |
| FAIL_LOW_CVE_COUNT | Fail the build if the number of low vulnerabilities found is >= this value. Set -1 to pass regardless of low vulnerabilities. |
| FAIL_CVE_SCORE | Fail the build if the cumulative CVE score is >= this value. Set -1 to pass regardless of CVE score. |

Sample GitLab CI YAML

```yaml
stages:
  - test-docker-build

test-docker-build:
  image: docker:latest
  stage: test-docker-build
  services:
    - docker:dind
  # Job-level values override the project-level CI/CD variables described
  # above; remove any key here that should be taken from Settings > CI/CD > Variables
  # (in particular DEEPFENCE_KEY, which belongs in a masked project variable).
  variables:
    IMAGE_NAME: go-server-test:latest
    DEEPFENCE_KEY: ""
    DEEPFENCE_CONSOLE_URL: 127.0.0.1
    FAIL_CVE_COUNT: 100
    FAIL_CRITICAL_CVE_COUNT: 1000
    FAIL_HIGH_CVE_COUNT: 10
    FAIL_MEDIUM_CVE_COUNT: 1000
    FAIL_LOW_CVE_COUNT: 1000
    FAIL_CVE_SCORE: -1
  script:
    - docker build -t $IMAGE_NAME .
    - docker pull quay.io/deepfenceio/deepfence_package_scanner:3.6.2
    # The scanner runs privileged with the host Docker socket mounted, so this
    # job should only be scheduled on runners that are trusted with that access.
    - docker run -i --rm --net=host --privileged=true -v /var/run/docker.sock:/var/run/docker.sock:rw quay.io/deepfenceio/deepfence_package_scanner:3.6.2 -source="$IMAGE_NAME" -console-url=$DEEPFENCE_CONSOLE_URL -deepfence-key=$DEEPFENCE_KEY -fail-on-count=$FAIL_CVE_COUNT -fail-on-critical-count=$FAIL_CRITICAL_CVE_COUNT -fail-on-high-count=$FAIL_HIGH_CVE_COUNT -fail-on-medium-count=$FAIL_MEDIUM_CVE_COUNT -fail-on-low-count=$FAIL_LOW_CVE_COUNT -fail-on-score=$FAIL_CVE_SCORE -scan-type="base,java,python,ruby,php,nodejs,js,dotnet"
```
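The variable table and the sample job above define the gate the scanner applies: a build fails when a count or the cumulative score is >= its FAIL_* threshold, and -1 disables that gate. The script below is an added example, not Deepfence's own code; it reproduces that rule over a constructed scan summary so a pipeline author can dry-run a threshold set (defaults mirror the sample job) before committing it to `.gitlab-ci.yml`.

```shell
#!/bin/sh
# Added example: evaluate the FAIL_* gate semantics from this page against
# a scan summary. Not part of the Deepfence scanner; values are constructed.

# exceeds VALUE THRESHOLD -> exit 0 when the gate trips.
# awk is used so the cumulative CVE score (a decimal) compares numerically;
# a threshold of -1 never trips, matching the page's "set -1 to pass" rule.
exceeds() {
    awk -v v="$1" -v t="$2" 'BEGIN { exit !(t != -1 && v >= t) }'
}

# check LABEL VALUE THRESHOLD -> records a failure and prints the reason.
check() {
    if exceeds "$2" "$3"; then
        echo "FAIL: $1 $2 >= threshold $3"
        failed=1
    fi
}

# gate TOTAL CRITICAL HIGH MEDIUM LOW SCORE
# Thresholds come from the same FAIL_* variables the CI job uses;
# unset variables fall back to the sample job's values.
# Returns 0 when the image passes every gate, 1 otherwise.
gate() {
    failed=0
    check "vulnerability count"  "$1" "${FAIL_CVE_COUNT:-100}"
    check "critical count"       "$2" "${FAIL_CRITICAL_CVE_COUNT:-1000}"
    check "high count"           "$3" "${FAIL_HIGH_CVE_COUNT:-10}"
    check "medium count"         "$4" "${FAIL_MEDIUM_CVE_COUNT:-1000}"
    check "low count"            "$5" "${FAIL_LOW_CVE_COUNT:-1000}"
    check "cumulative CVE score" "$6" "${FAIL_CVE_SCORE:--1}"
    return "$failed"
}

# Constructed summary: 12 CVEs (0 critical, 10 high, 0 medium, 2 low), score 57.3.
# With the sample thresholds the high-count gate (10 >= 10) rejects the image.
if gate 12 0 10 0 2 57.3; then
    echo "image passes all gates"
else
    echo "image rejected; adjust thresholds or remediate before pushing"
fi
```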
