Modified to fit the future blog post (#29)

e-minguez · web-flow · commit 462314106744 · 2022-10-07T12:20:26.000+02:00
We will use GitLab's container registry to store the image
diff --git a/gitlab/new-scan-engine/.gitlab-ci.yml b/gitlab/new-scan-engine/.gitlab-ci.yml
@@ -1,8 +1,5 @@
 variables:
-  SYSDIG_SECURE_ENDPOINT: "https://us2.app.sysdig.com"
-  CI_REGISTRY_HOST: "docker.io"
-  CI_REGISTRY_NAME: "my-registry"
-  CI_IMAGE_NAME: "my-image"
+  SYSDIG_SECURE_ENDPOINT: "https://eu1.app.sysdig.com"
   CI_IMAGE_TAG: "my-tag"
 
 stages:
@@ -16,7 +13,7 @@ image:build:
     name: gcr.io/kaniko-project/executor:debug
     entrypoint: [""]
   script:
-    - /kaniko/executor --dockerfile Dockerfile --destination $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG --no-push --oci-layout-path $(pwd)/build/ --tarPath $(pwd)/build/$CI_IMAGE_TAG.tar
+    - /kaniko/executor --dockerfile Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_IMAGE_TAG --no-push --oci-layout-path $(pwd)/build/ --tarPath $(pwd)/build/$CI_IMAGE_TAG.tar
   artifacts:
     paths:
       - build/
@@ -46,8 +43,7 @@ image:push:
     name: gcr.io/go-containerregistry/crane:debug
     entrypoint: [""]
   script:
-    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY_HOST
-    - crane push build/$CI_IMAGE_TAG.tar $CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG
+    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    - crane push build/$CI_IMAGE_TAG.tar $CI_REGISTRY_IMAGE:$CI_IMAGE_TAG
   needs:
     - image:scan
-
diff --git a/gitlab/new-scan-engine/README.md b/gitlab/new-scan-engine/README.md
@@ -1,44 +1,42 @@
 # GitLab CI Demo
 
-In this demo we will use GitLab pipelines. We will need to split this pipeline into three different jobs
+In this demo we will use GitLab CI/CD pipelines. We will need to split this pipeline into three different jobs:
+
 1. Kaniko: Tool used to build docker image
 2. Sysdig-cli-scanner: Scan docker images for vulnerabilities using the new scan engine developed by Sysding in 2022
 3. Crane: Push container image to a remote registry
 
-## Setup
-In GitLab repo settings add variables
-`CI_REGISTRY_USER`: Docker username
-`CI_REGISTRY_PASSWORD`: Docker user password
-`SYSDIG_SECURE_TOKEN`: Sysdig Token
+The pipeline leverages the GitLab's container registry to store the container image once the scan has been successfully completed. There are a few special CI/CD variables to use the Container registry (`CI_REGISTRY*`) that are populated automatically by GitLab so there is no need to specify them in our pipeline if we want to use it, cool!
+
+The [official documentation](https://docs.gitlab.com/ee/user/packages/container_registry/index.html#authenticate-by-using-gitlab-cicd) explains this in more detail but the following is an example of the variables' content once they are [automatically populated](https://docs.gitlab.com/ee/ci/variables/#list-all-environment-variables):
 
-Modify the gitlab-ci.yml file to build the image
 ```
-  CI_REGISTRY_HOST: "docker.io"
-  CI_REGISTRY_NAME: my-registry
-  CI_IMAGE_NAME: "my-image"
-  CI_IMAGE_TAG: "latest"
+CI_REGISTRY="registry.example.com"
+CI_REGISTRY_IMAGE="registry.example.com/gitlab-org/gitlab-foss"
+CI_REGISTRY_USER="gitlab-ci-token"
+CI_REGISTRY_PASSWORD="[masked]"
 ```
 
-The variables are to build the full image url
-`$CI_REGISTRY_HOST/$CI_REGISTRY_NAME/$CI_IMAGE_NAME:$CI_IMAGE_TAG`
-We would expect
-`docker.io/my-registry/my-image:latest`
+## Setup
 
-## Understanding the stages
-In order to get around using Docker in docker, these additional stages are necessary
+In the GitLab repo settings add the `SYSDIG_SECURE_TOKEN` variable to store the Sysdig Token.
 
-There are three pipeline stages
-1. Build
-2. Scan
-3. Push
+Modify the `gitlab-ci.yml` file to replace the image tag if needed:
+
+```
+CI_IMAGE_TAG: "latest"
+```
+
+## Pipeline stages
 
 ### Build
-The build stage is using Kaniko. We use a method to build the container to an oci format tarball, saved to the current working directory in `build/` directory. It is not pushed to a remote registry.
-We then save the `build/` directory as an artifact.
+
+The build stage leverages Kaniko. The container is built as an OCI format tarball file in `$(pwd)/build/$CI_IMAGE_TAG.tar` and not pushed to a remote registry (it will be done only if the scan is successful).
 
 ### Scan
-The scan stage is using `sysdig-cli-scanner`. This stage uses a the latest Sysdig scanning method documented here [Sysdig Secure - Vulnerabilities](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/)
-We then save the `build/` directory as an artifact for the next step as well as the `report/` directory to review the PDF scan results later.
+
+The scan stage leverages `sysdig-cli-scanner`. This stage uses the latest Sysdig scanning method documented here [Sysdig Secure - Vulnerabilities](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/).
 
 ### Push
-The push stage is using `crane`. It simply authenticates to your docker registry and pushes the conatiner from the Build stage to the remote registry
+
+The push stage uses `crane` to authenticate to the GitLab registry and to push the container image already built from the Build stage to the remote registry.
