.gitlab-ci.yml

+# variables in the GitLab CI/CD variables:
+  #   GITLAB_TOKEN to support the semantic-release
+  #   DOCKER_AUTH_CONFIG to support the usage of private docker images as job docker image
+  #   TMPL_RELEASE_ENABLED to enable the semantic-release job
+  #   TBC_NAMESPACE: smartdatalab/public/ci-cd-components
+
 include:
-  - project: "to-be-continuous/tools/gitlab-ci"
-    ref: "master"
-    file: "/templates/extract.yml"
-  - project: "to-be-continuous/tools/gitlab-ci"
-    ref: "master"
-    file: "/templates/validation.yml"
-  - project: "to-be-continuous/kicker"
-    ref: "master"
-    file: "/templates/validation.yml"
-  - component: $CI_SERVER_FQDN/to-be-continuous/bash/gitlab-ci-bash@3.5
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/extract@master
+    inputs:
+      extract-script-job-tags: ["docker"]
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/validation@master
+    inputs:
+      check-links-job-tags: ["docker"]
+      tbc-check-job-tags: ["docker"]
+      tbc-check-image: cicd-docker-dev.artifact.tecnalia.dev/tbc-check:master
+      gitlab-ci-lint-job-tags: ["docker"]
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/kicker/validation@master
     inputs:
+      kicker-validation-job-tags: ["docker"]
+      schema-base-url: "https://git.code.tecnalia.dev/api/v4/projects/smartdatalab%2Fpublic%2Fci-cd-components%2Fkicker/repository/files"
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/bash/gitlab-ci-bash@master
+    inputs:
+      bash-shellcheck-job-tags: ["docker"]
       shellcheck-files: "*.sh"
-  - component: $CI_SERVER_FQDN/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.6
-  - component: $CI_SERVER_FQDN/to-be-continuous/semantic-release/gitlab-ci-semrel@3.11
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/semantic-release/gitlab-ci-semrel@master
+    inputs:
+      semantic-release-job-tags: ["docker"]
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitleaks/gitlab-ci-gitleaks@master
+    inputs:
+      gitleaks-job-tags: ["docker"]
 
 variables:
   GITLAB_CI_FILES: "templates/gitlab-ci-docker.yml"
+  GIT_STRATEGY: clone
 
 semantic-release:
   rules:

CHANGELOG.md

+# [6.0.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/compare/5.14.1...6.0.0) (2025-01-20)
+
+
+### Code Refactoring
+
+* **trivy:** enforce usage of Trivy environment variables ([e69ce13](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/commit/e69ce13565711b9dac8ee7b7105c8e9061bb3799))
+
+
+### BREAKING CHANGES
+
+* **trivy:** 4 Trivy configuration params removed in favor of the native Trivy environment variables
+
+# [6.0.0](https://gitlab.com/to-be-continuous/docker/compare/5.14.1...6.0.0) (2024-11-26)
+
+
+### Code Refactoring
+
+* **trivy:** enforce usage of Trivy environment variables ([e69ce13](https://gitlab.com/to-be-continuous/docker/commit/e69ce13565711b9dac8ee7b7105c8e9061bb3799))
+
+
+### BREAKING CHANGES
+
+* **trivy:** 4 Trivy configuration params removed in favor of the native Trivy environment variables
+
 ## [5.14.1](https://gitlab.com/to-be-continuous/docker/compare/5.14.0...5.14.1) (2024-11-02)
 
 
@@ -52,7 +76,7 @@
 
 ### Features
 
-* introduce variable for additional docker/buildah push arguments ([9de48b2](https://gitlab.com/to-be-continuous/docker/commit/9de48b24c1512cb9f5c8b7e26d33cea1bc5504e2))
+* introduce variable for additional docker/buildah push arguments ([9de48b2](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/commit/9de48b24c1512cb9f5c8b7e26d33cea1bc5504e2))
 
 ## [5.11.1](https://gitlab.com/to-be-continuous/docker/compare/5.11.0...5.11.1) (2024-08-13)
 

bumpversion.sh

@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then
   log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
 
   # replace in README
-  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
+  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
   mv -f README.md.next README.md
 
   # replace in template and variants

kicker.json

@@ -121,6 +121,34 @@
       "type": "boolean",
       "advanced": true
     },
+    {
+      "name": "DOCKER_KANIKO_BUILD_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
+    {
+      "name": "DOCKER_DIND_BUILD_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
+    {
+      "name": "DOCKER_BUILDAH_BUILD_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
+    {
+      "name": "DOCKER_DOCKER_PUBLISH_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
     {
       "name": "DOCKER_PUSH_ARGS",
       "description": "Additional docker/buildah `push` arguments (executed right after `build`).\n\nEx: `--compression-format zstd --compression-level 20`",
@@ -143,6 +171,13 @@
           "name": "DOCKER_HADOLINT_ARGS",
           "description": "Additional `hadolint` arguments",
           "advanced": true
+        },
+        {
+          "name": "DOCKER_HADOLINT_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
         }
       ]
     },
@@ -168,13 +203,20 @@
           "name": "DOCKER_HEALTHCHECK_CONTAINER_ARGS",
           "description": "Arguments sent to the running container for health check",
           "advanced": true
+        },
+        {
+          "name": "DOCKER_HEALTHCHECK_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
         }
       ]
     },
     {
       "id": "trivy",
       "name": "Trivy",
-      "description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis",
+      "description": "[Trivy](https://aquasecurity.github.io/trivy) vulnerability analysis",
       "disable_with": "DOCKER_TRIVY_DISABLED",
       "variables": [
         {
@@ -183,32 +225,17 @@
           "default": "registry.hub.docker.com/aquasec/trivy:latest",
           "advanced": true
         },
-        {
-          "name": "DOCKER_TRIVY_ADDR",
-          "type": "url",
-          "description": "The Trivy server address"
-        },
-        {
-          "name": "DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD",
-          "type": "enum",
-          "values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"],
-          "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
-          "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
-        },
         {
           "name": "DOCKER_TRIVY_ARGS",
-          "description": "Additional `trivy client` arguments",
+          "description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)",
           "default": "--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive",
           "advanced": true
         },
         {
-          "name": "DOCKER_TRIVY_DB_REPOSITORY",
-          "description": "OCI repository to retrieve Trivy Database from",
-          "advanced": true
-        },
-        {
-          "name": "DOCKER_TRIVY_JAVA_DB_REPOSITORY",
-          "description": "OCI repository to retrieve Trivy Java Database from",
+          "name": "DOCKER_DOCKER_TRIVY_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
           "advanced": true
         }
       ]
@@ -228,6 +255,13 @@
           "description": "Options for syft used for SBOM analysis",
           "default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger",
           "advanced": true
+        },
+        {
+          "name": "DOCKER_DOCKER_SBOM_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
         }
       ]
     }

templates/gitlab-ci-docker-ecr.yml

@@ -45,7 +45,7 @@ variables:
 .docker-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.14.1"]
+      command: ["--service", "docker", "6.0.0"]
     - name: "$TBC_AWS_PROVIDER_IMAGE"
       alias: "aws-auth-provider"
   id_tokens:

templates/gitlab-ci-docker-gcp.yml

@@ -44,7 +44,7 @@ variables:
 .docker-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.14.1"]
+      command: ["--service", "docker", "6.0.0"]
     - name: "$TBC_GCP_PROVIDER_IMAGE"
       alias: "gcp-auth-provider"
   variables:

templates/gitlab-ci-docker-vault.yml

@@ -22,7 +22,7 @@ variables:
 .docker-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.14.1"]
+      command: ["--service", "docker", "6.0.0"]
     - name: "$TBC_VAULT_IMAGE"
       alias: "vault-secrets-provider"
   variables:

templates/gitlab-ci-docker.yml

@@ -158,27 +158,9 @@ spec:
     trivy-image:
       description: The docker image used to scan images with Trivy
       default: registry.hub.docker.com/aquasec/trivy:latest
-    trivy-addr:
-      description: The Trivy server address
-      default: ''
-    trivy-security-level-threshold:
-      description: 'Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
-      options:
-      - UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-      - LOW,MEDIUM,HIGH,CRITICAL
-      - MEDIUM,HIGH,CRITICAL
-      - HIGH,CRITICAL
-      - CRITICAL
-      default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
     trivy-args:
-      description: Additional `trivy client` arguments
+      description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)
       default: --ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive
-    trivy-db-repository:
-      description: Custom OCI repository to retrieve Trivy Database from
-      default: ''
-    trivy-java-db-repository:
-      description: Custom Java DB repository path 
-      default: ''
     sbom-disabled:
       description: Disable Software Bill of Materials
       type: boolean
@@ -188,6 +170,39 @@ spec:
     sbom-opts:
       description: Options for syft used for SBOM analysis
       default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger
+    hadolint-job-tags:
+      description: tags to filter applicable runners for hadolint job
+      type: array
+      default: []
+    kaniko-build-job-tags:
+      description: tags to filter applicable runners for kaniko build job
+      type: array
+      default: []
+    dind-build-job-tags:
+      description: tags to filter applicable runners for dind build job
+      type: array
+      default: []
+    buildah-build-job-tags:
+      description: tags to filter applicable runners for buildah build job
+      type: array
+      default: []
+    healthcheck-job-tags:
+      description: tags to filter applicable runners for healthcheck job
+      type: array
+      default: []
+    docker-trivy-job-tags:
+      description: tags to filter applicable runners for docker-trivy job
+      type: array
+      default: []
+    docker-sbom-job-tags:
+      description: tags to filter applicable runners for docker-sbom job
+      type: array
+      default: []
+    docker-publish-job-tags:
+      description: tags to filter applicable runners for docker-publish job
+      type: array
+      default: []
+
 ---
 # default workflow rules: Merge Request pipelines
 workflow:
@@ -254,11 +269,9 @@ variables:
   DOCKER_SNAPSHOT_IMAGE: $[[ inputs.snapshot-image ]]
   DOCKER_RELEASE_IMAGE: $[[ inputs.release-image ]]
 
-  DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
   DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
   DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]
-  DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]
-  DOCKER_TRIVY_JAVA_DB_REPOSITORY: $[[ inputs.trivy-java-db-repository ]]
+  DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
 
   # SBOM genenration image and arguments
   DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]
@@ -294,8 +307,6 @@ variables:
   DOCKER_HEALTHCHECK_DISABLED: $[[ inputs.healthcheck-disabled ]]
   DOCKER_HEALTHCHECK_OPTIONS: $[[ inputs.healthcheck-options ]]
   DOCKER_HEALTHCHECK_CONTAINER_ARGS: $[[ inputs.healthcheck-container-args ]]
-  DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
-  DOCKER_TRIVY_ADDR: $[[ inputs.trivy-addr ]]
   DOCKER_SBOM_DISABLED: $[[ inputs.sbom-disabled ]]
 
 # ==================================================
@@ -701,7 +712,7 @@ stages:
 .docker-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.14.1"]
+      command: ["--service", "docker", "6.0.0"]
   before_script:
     - !reference [.docker-scripts]
 
@@ -737,7 +748,7 @@ stages:
     _TRACE: "${TRACE}"
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.14.1"]
+      command: ["--service", "docker", "6.0.0"]
     - name: $DOCKER_DIND_IMAGE
       alias: docker
       command:
@@ -798,6 +809,7 @@ docker-hadolint:
     - if: '$DOCKER_HADOLINT_DISABLED == "true"'
       when: never
     - !reference [.test-policy, rules]
+  tags: $[[ inputs.hadolint-job-tags ]]
 
 # ==================================================
 # Stage: package-build
@@ -825,6 +837,7 @@ docker-kaniko-build:
         - docker.env
   rules:
     - if: '$DOCKER_BUILD_TOOL == "kaniko"'
+  tags: $[[ inputs.kaniko-build-job-tags ]]
 
 docker-dind-build:
   extends: .docker-dind-base
@@ -862,6 +875,7 @@ docker-dind-build:
         - docker.env
   rules:
     - if: '$DOCKER_BUILD_TOOL == "dind"'
+  tags: $[[ inputs.dind-build-job-tags ]]
 
 docker-buildah-build:
   extends: .docker-base
@@ -902,6 +916,7 @@ docker-buildah-build:
         - docker.env
   rules:
     - if: '$DOCKER_BUILD_TOOL == "buildah"'
+  tags: $[[ inputs.buildah-build-job-tags ]]
 
 # ==================================================
 # Stage: package-test
@@ -971,6 +986,7 @@ docker-healthcheck:
     - if: '$DOCKER_BUILD_TOOL != "dind"'
       when: never
     - !reference [.test-policy, rules]
+  tags: $[[ inputs.healthcheck-job-tags ]]
 
 # Security audit with trivy
 docker-trivy:
@@ -994,20 +1010,11 @@ docker-trivy:
     export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
     basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
     mkdir -p ./reports
-    if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
-      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
-      trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY}
-      export trivy_opts="image"
-    else
-      log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"
-      export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}"
+    if [[ -z "$TRIVY_SERVER" ]]; then
+      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
     fi
-    # Add common trivy arguments
-    # The Java DB is downloaded client-side in client/server mode (https://github.com/aquasecurity/trivy/issues/3560), so we need to specify the Java DB repository
-    export trivy_opts="${trivy_opts} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"
-
     # Generate the native JSON report that can later be converted to other formats
-    trivy ${trivy_opts} --exit-code 1 --format json --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE || exit_code=$?
+    trivy image --no-progress ${DOCKER_TRIVY_ARGS} --exit-code 1 --format json --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE || exit_code=$?
 
     # Generate a report in the GitLab format
     trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json reports/docker-trivy-${basename}.native.json
@@ -1032,6 +1039,7 @@ docker-trivy:
     - if: '$DOCKER_TRIVY_DISABLED == "true"'
       when: never
     - !reference [.test-policy, rules]
+  tags: $[[ inputs.docker-trivy-job-tags ]]
 
 docker-sbom:
   extends: .docker-base
@@ -1062,6 +1070,7 @@ docker-sbom:
     - if: '$DOCKER_SBOM_DISABLED == "true"'
       when: never
     - !reference [.test-policy, rules]
+  tags: $[[ inputs.docker-sbom-job-tags ]]
 
 # ==================================================
 # Stage: publish
@@ -1137,3 +1146,4 @@ docker-publish:
     - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "manual"'
       when: manual
     - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "auto"'
+  tags: $[[ inputs.docker-publish-job-tags ]]
\ No newline at end of file