stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
a866eb62772e4afb649923cf3b1f97c86566d2ae
git.stella-ops.org/deploy/gitlab/examples/example-pipeline.gitlab-ci.yml
StellaOps Bot 907783f625 Add property-based tests for SBOM/VEX document ordering and Unicode normalization determinism 
- Implement `SbomVexOrderingDeterminismProperties` for testing component list and vulnerability metadata hash consistency.
- Create `UnicodeNormalizationDeterminismProperties` to validate NFC normalization and Unicode string handling.
- Add project file for `StellaOps.Testing.Determinism.Properties` with necessary dependencies.
- Introduce CI/CD template validation tests including YAML syntax checks and documentation content verification.
- Create validation script for CI/CD templates ensuring all required files and structures are present.
2025-12-26 15:17:58 +02:00

196 lines
5.1 KiB
YAML
Raw Blame History

# deploy/gitlab/examples/example-pipeline.gitlab-ci.yml
# Example GitLab CI pipeline with StellaOps keyless signing
#
# This example demonstrates:
# - Building and pushing a container image
# - Generating and signing SBOM
# - Evaluating and signing policy verdict
# - Verification gate before deployment
#
# To use, copy this file to your repository's .gitlab-ci.yml
include:
- local: 'deploy/gitlab/examples/.gitlab-ci-stellaops.yml'
# Or include from StellaOps templates project:
# - project: 'stella-ops/templates'
# file: 'deploy/gitlab/examples/.gitlab-ci-stellaops.yml'
stages:
- build
- scan
- sign
- verify
- deploy
variables:
DOCKER_TLS_CERTDIR: "/certs"
IMAGE: ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHORT_SHA}
# ==============================================================================
# Build Stage
# ==============================================================================
build:
stage: build
image: docker:24
services:
- docker:24-dind
before_script:
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
script:
- |
docker build -t ${IMAGE} .
docker push ${IMAGE}
# Get digest
DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE} | cut -d@ -f2)
echo "IMAGE_DIGEST=${DIGEST}" >> build.env
echo "IMAGE_REF=${CI_REGISTRY_IMAGE}@${DIGEST}" >> build.env
artifacts:
reports:
dotenv: build.env
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_TAG
# ==============================================================================
# Scan Stage
# ==============================================================================
generate-sbom:
stage: scan
extends: .stellaops-sbom
needs:
- build
variables:
IMAGE: ${IMAGE_REF}
SBOM_FORMAT: "cyclonedx-json"
SBOM_OUTPUT: "sbom.cdx.json"
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_TAG
vulnerability-scan:
stage: scan
image: stella-ops/cli:latest
needs:
- build
script:
- |
stella scan vulnerability \
--image "${IMAGE_REF}" \
--output json > vulnerabilities.json
# Extract summary
CRITICAL=$(jq '.summary.critical // 0' vulnerabilities.json)
HIGH=$(jq '.summary.high // 0' vulnerabilities.json)
echo "Critical: ${CRITICAL}, High: ${HIGH}"
if [[ "${CRITICAL}" -gt 0 ]]; then
echo "WARNING: ${CRITICAL} critical vulnerabilities found"
fi
artifacts:
paths:
- vulnerabilities.json
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_TAG
# ==============================================================================
# Sign Stage
# ==============================================================================
sign-image:
stage: sign
extends: .stellaops-sign
needs:
- build
variables:
ARTIFACT_DIGEST: ${IMAGE_DIGEST}
ARTIFACT_TYPE: "image"
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_TAG
evaluate-policy:
stage: sign
extends: .stellaops-verdict
needs:
- build
- vulnerability-scan
variables:
IMAGE: ${IMAGE_REF}
POLICY: "production"
FAIL_ON_BLOCK: "false" # Don't fail here, let verify stage handle it
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_TAG
# ==============================================================================
# Verify Stage
# ==============================================================================
verify-for-deployment:
stage: verify
extends: .stellaops-verify
needs:
- build
- sign-image
- generate-sbom
- evaluate-policy
variables:
ARTIFACT_DIGEST: ${IMAGE_DIGEST}
CERTIFICATE_IDENTITY: "project_path:${CI_PROJECT_PATH}:ref_type:branch:ref:${CI_COMMIT_REF_NAME}"
CERTIFICATE_OIDC_ISSUER: "${CI_SERVER_URL}"
REQUIRE_SBOM: "true"
REQUIRE_VERDICT: "true"
STRICT: "true"
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_TAG
# ==============================================================================
# Deploy Stage
# ==============================================================================
deploy-staging:
stage: deploy
needs:
- build
- verify-for-deployment
environment:
name: staging
url: https://staging.example.com
script:
- |
echo "Deploying ${IMAGE_REF} to staging"
echo "All attestations verified:"
echo " - Image signature: ${ATTESTATION_DIGEST}"
echo " - SBOM: ${SBOM_ATTESTATION_DIGEST}"
echo " - Policy verdict: ${VERDICT_ATTESTATION_DIGEST}"
# Add your deployment commands here
# kubectl set image deployment/app app=${IMAGE_REF}
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
deploy-production:
stage: deploy
needs:
- build
- verify-for-deployment
- deploy-staging
environment:
name: production
url: https://example.com
script:
- |
echo "Deploying ${IMAGE_REF} to production"
echo "Policy verdict: ${VERDICT}"
# Add your deployment commands here
rules:
- if: $CI_COMMIT_TAG
when: manual
Reference in New Issue View Git Blame Copy Permalink