PROD.2026/RekomenciBackend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: added integration tests and fixed trivy

Browse Source
This commit is contained in:
ITQ
2025-11-17 22:27:07 +03:00
parent b88cee3e48
commit 5e5566388e
3 changed files with 68 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitlab-ci.yml
+53 -22
View File
@@ -1,6 +1,6 @@
stages: stages:
- test
- build - build
- test
- security - security
- deploy - deploy
@@ -8,6 +8,9 @@ variables:
BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE
DOCKER_DRIVER: overlay2 DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: "" DOCKER_TLS_CERTDIR: ""
TRIVY_CACHE_DIR: .cache/trivy
TRIVY_NO_PROGRESS: "true"
TRIVY_TIMEOUT: "10m0s"
cache: cache:
key: "${CI_COMMIT_REF_SLUG}" key: "${CI_COMMIT_REF_SLUG}"
@@ -16,27 +19,27 @@ cache:
- .cache/trivy - .cache/trivy
policy: pull-push policy: pull-push
default:
image: docker:28.0 image: docker:28.0
services: services:
- docker:28.0-dind - docker:28.0-dind
before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
.trivy-fs-template: &trivy-fs-scan .trivy-fs-template: &trivy-fs-scan
stage: security stage: security
image: aquasec/trivy:latest image:
name: aquasec/trivy:latest
entrypoint: [""]
variables: variables:
TRIVY_CACHE_DIR: .cache/trivy TRIVY_CACHE_DIR: .cache/trivy
TRIVY_NO_PROGRESS: "true"
TRIVY_TIMEOUT: "10m0s"
cache: cache:
paths: paths:
- $TRIVY_CACHE_DIR - $TRIVY_CACHE_DIR
policy: pull-push policy: pull-push
before_script:
- mkdir -p $TRIVY_CACHE_DIR
script: script:
- trivy fs --format cyclonedx --output fs-sbom.json . || true - trivy filesystem --skip-files $TRIVY_CACHE_DIR --format cyclonedx --output fs-sbom.json .
- trivy fs --format sarif --output gl-sast-fs-report.json . || true - trivy filesystem --skip-files $TRIVY_CACHE_DIR --format sarif --output gl-sast-fs-report.json .
allow_failure: true allow_failure: true
artifacts: artifacts:
reports: reports:
@@ -55,21 +58,18 @@ services:
.trivy-image-template: &trivy-image-scan .trivy-image-template: &trivy-image-scan
stage: security stage: security
image: aquasec/trivy:latest image:
name: aquasec/trivy:latest
entrypoint: [""]
variables: variables:
TRIVY_CACHE_DIR: .cache/trivy TRIVY_CACHE_DIR: .cache/trivy
TRIVY_NO_PROGRESS: "true"
TRIVY_TIMEOUT: "10m0s"
cache: cache:
paths: paths:
- $TRIVY_CACHE_DIR - $TRIVY_CACHE_DIR
policy: pull-push policy: pull-push
before_script:
- mkdir -p $TRIVY_CACHE_DIR
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
script: script:
- trivy image --format cyclonedx --output image-sbom-${IMAGE_TYPE}.json $IMAGE_NAME:$CI_COMMIT_SHA || true - trivy image --format cyclonedx --output image-sbom-${IMAGE_TYPE}.json $IMAGE_NAME:$CI_COMMIT_SHA
- trivy image --format sarif --output gl-sast-image-${IMAGE_TYPE}-report.json $IMAGE_NAME:$CI_COMMIT_SHA || true - trivy image --format sarif --output gl-sast-image-${IMAGE_TYPE}-report.json $IMAGE_NAME:$CI_COMMIT_SHA
allow_failure: true allow_failure: true
artifacts: artifacts:
reports: reports:
@@ -102,14 +102,9 @@ services:
.build-template: &build-config .build-template: &build-config
stage: build stage: build
image: docker:28.0
services:
- docker:28.0-dind
variables: variables:
DOCKER_BUILDKIT: 1 DOCKER_BUILDKIT: 1
BUILDKIT_INLINE_CACHE: 1 BUILDKIT_INLINE_CACHE: 1
before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
script: script:
- | - |
docker buildx create --use docker buildx create --use
@@ -130,6 +125,33 @@ services:
when: manual when: manual
allow_failure: true allow_failure: true
.run-test-template: &test-config
stage: test
script:
- apk add --no-cache docker-compose
- |
REGISTRY_PREFIX=$CI_REGISTRY_IMAGE \
docker compose -f compose.yaml -f compose.prod.yaml \
--profile migrations --profile tests up -d
- |
TEST_CONTAINER_ID=$(docker compose --profile migrations --profile tests ps -q tests -a)
timeout 600 docker wait $TEST_CONTAINER_ID
TEST_EXIT_CODE=$(docker inspect --format "{{.State.ExitCode}}" $TEST_CONTAINER_ID)
if [ $TEST_EXIT_CODE -eq 0 ]; then
echo "Tests passed."
else
echo "Tests failed with exit code $TEST_EXIT_CODE."
exit 1
fi
- |
docker compose -f compose.yaml -f compose.prod.yaml down
artifacts:
paths:
- ./.cov
expire_in: 1 week
when: always
sast-filesystem: sast-filesystem:
<<: *trivy-fs-scan <<: *trivy-fs-scan
@@ -178,12 +200,20 @@ build-migrations:
CONTAINERFILE: Containerfile CONTAINERFILE: Containerfile
BUILDTARGET: migrations BUILDTARGET: migrations
run-tests:
<<: *test-config
dependencies:
- build-runtime
- build-tests
- build-migrations
webhook-backend-deploy: webhook-backend-deploy:
<<: *webhook-config <<: *webhook-config
variables: variables:
WEBHOOK_URL: $WEBHOOK_URL_BACKEND WEBHOOK_URL: $WEBHOOK_URL_BACKEND
dependencies: dependencies:
- build-runtime - build-runtime
- sast-image-runtime
webhook-migrations-deploy: webhook-migrations-deploy:
<<: *webhook-config <<: *webhook-config
@@ -191,6 +221,7 @@ webhook-migrations-deploy:
WEBHOOK_URL: $WEBHOOK_URL_MIGRATIONS WEBHOOK_URL: $WEBHOOK_URL_MIGRATIONS
dependencies: dependencies:
- build-migrations - build-migrations
- sast-image-migrations
workflow: workflow:
rules: rules:
compose.prod.yaml
+9
View File
@@ -0,0 +1,9 @@
services:
backend:
image: "${REGISTRY_PREFIX}/backend"
tests:
image: "${REGISTRY_PREFIX}/backend-tests"
migrations:
image: "${REGISTRY_PREFIX}/backend-migrations"
compose.yaml
+2 -3
View File
@@ -1,6 +1,7 @@
name: prod-hackaton-template
services: services:
backend: backend:
image: template-project-backend
build: build:
context: . context: .
dockerfile: Containerfile dockerfile: Containerfile
@@ -42,7 +43,6 @@ services:
shm_size: 4mb shm_size: 4mb
tests: tests:
image: template-project-tests
build: build:
context: . context: .
dockerfile: Containerfile dockerfile: Containerfile
@@ -89,7 +89,6 @@ services:
target: /app/cov target: /app/cov
migrations: migrations:
image: template-project-migrations
build: build:
context: . context: .
dockerfile: Containerfile dockerfile: Containerfile