# docker/build
Configure jobs to build an image using Docker and then scan it for vulnerabilities.
## Description
This component configures a job that uses the GitLab Auto Build image to build a Docker image for the project, and then includes the `computing/gitlab/components/container-scanning/container-scanning` component to scan the newly built image for vulnerabilities.
The following jobs are automatically configured:
| Job name | Description |
|---|---|
| `build` | Build a container image from a Dockerfile and push it to the GitLab Container Registry |
| `container_scanning` | Scan the newly built image for vulnerabilities |

> **Job names are configurable:** as per the Inputs below, the names given to each of the jobs are configurable.
## Usage

```yaml
include:
  - component: git.ligo.org/computing/gitlab/components/docker/build@<VERSION>
    inputs:
      stage: build
```
## Inputs

| Input | Default value | Description |
|---|---|---|
| `stage` | `build` | The pipeline stage to add jobs to |
| `job_name` | `build` | Name to give the build job |
| `dockerfile` | | The path of the Dockerfile to build |
| `build_args` | | Extra arguments to pass to `docker build` |
| `default_image_name` | `<image_name>` | The name of the image to compare to when scanning a newly built image. Set to the name of the image in the upstream project to enable scanning from forks. |
| `image_name` | `$CI_REGISTRY_IMAGE` | The name of the image to push to the container registry |
| `image_tag` | | The tag to give this image in the registry; defaults to the commit SHA |
| `merge_request_pipelines` | `false` | Whether to run jobs for merge request pipelines. When `true`, both the build and container scanning jobs will run on merge request events. |
| `auto_build_image_version` | `"v4.10.0"` | Version of auto-build-image to use |
| `container_scanning_job_name` | `container_scanning` | Name to give the container-scanning job |
| `container_scanning_component_version` | `4` | Version of the `components/container-scanning` component to use |
## Customisation

### Passing extra arguments to the build

The execution of the Docker build can be customised in one of the following ways:

- For fixed extra arguments to be applied to every pipeline, specify the `build_args` input with a string of arguments.
- To set arguments dynamically for manual or scheduled pipelines, set the `DOCKER_BUILD_ARGS` variable when configuring the pipeline.

> **Special characters need special handling:** to pass complete values containing spaces or newlines, use Base64 encoding. See "Pass arguments to docker build" in the GitLab docs for more details.
## Examples

### Enable merge request pipelines

To run the build and container scanning jobs on merge request events in addition to branch and tag pushes:

Enable merge request pipelines

```yaml
include:
  - component: git.ligo.org/computing/gitlab/components/docker/build@<VERSION>
    inputs:
      merge_request_pipelines: true
```
This enables testing of Docker builds in merge request pipelines before they are merged to the main branch. This is particularly useful in projects where features are developed in forks, as it may enable the CI/CD pipeline to run in the parent project namespace, which helps with accurate reporting from security scans.
### Building a subproject in a monorepo

To build a container image for a subproject that is managed as part of a monorepo, specify each of the following inputs:

- `default_image_name`
- `dockerfile`
- `image_name`

Build a subproject in a monorepo

```yaml
include:
  - component: git.ligo.org/computing/gitlab/components/docker/build@<VERSION>
    inputs:
      # path to the Dockerfile in the subproject directory
      dockerfile: subproject1/Dockerfile
      # name to give the container image in the GitLab container registry
      image_name: $CI_REGISTRY_IMAGE/all
      # name of the image to compare to when scanning
      default_image_name: mygroup/mymonorepo/subproject1
```
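A fuller pipeline that builds and scans two subprojects from one monorepo, given here as an added example that is not part of this component's documentation. It assumes that including the component twice requires distinct `job_name` and `container_scanning_job_name` values so the second include does not replace the first include's jobs, that `mygroup/mymonorepo/...` stands for the upstream (parent) project's registry path so that scans started from forks compare against the upstream image, and that `<VERSION>` is a placeholder, as elsewhere on this page.

```yaml
# .gitlab-ci.yml (added example; not the component's own documentation)
stages:
  - build

include:
  # First subproject: job names are left at their defaults (build / container_scanning)
  - component: git.ligo.org/computing/gitlab/components/docker/build@<VERSION>
    inputs:
      stage: build
      dockerfile: subproject1/Dockerfile
      image_name: $CI_REGISTRY_IMAGE/subproject1
      # assumption: registry path of the image in the upstream project, so that
      # pipelines run from forks still scan against the upstream image
      default_image_name: mygroup/mymonorepo/subproject1
      # run build and scan on merge request events as well as branch/tag pushes
      merge_request_pipelines: true

  # Second subproject: distinct job names so both includes coexist in one pipeline
  - component: git.ligo.org/computing/gitlab/components/docker/build@<VERSION>
    inputs:
      stage: build
      job_name: build_subproject2
      container_scanning_job_name: container_scanning_subproject2
      dockerfile: subproject2/Dockerfile
      image_name: $CI_REGISTRY_IMAGE/subproject2
      default_image_name: mygroup/mymonorepo/subproject2
      # fixed extra arguments applied to every build of this subproject
      build_args: "--build-arg=FROM_IMAGE=rockylinux:9"
      merge_request_pipelines: true
```

Each include produces its own build and scan pair, so a vulnerability report is attached per subproject image rather than to a single combined image.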
### Custom build arguments

To customise the build arguments for all builds, specify the `build_args` input:

Custom build arguments

```yaml
include:
  - component: git.ligo.org/computing/gitlab/components/docker/build@<VERSION>
    inputs:
      build_args: "--build-arg=FROM_IMAGE=rockylinux:9"
```