feat(ci): add Dockerfile and update CI configuration for DAST

Signed-off-by: Klagarge <remi@heredero.ch>
2025-04-13 17:13:46 +02:00
parent 7da76417f7
commit c308ffd2dd
2 changed files with 73 additions and 14 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,14 +1,18 @@
 variables:
-  DOCKER_IMAGE: registry.forge.hefr.ch/klagarge/mse2425-grp09/python-pdm:latest
+  DOCKER_IMAGE_TEST: registry.forge.hefr.ch/klagarge/mse2425-grp09/python-pdm:latest
+  DOCKER_IMAGE_APP: registry.forge.hefr.ch/klagarge/mse2425-grp09/devsecops-app:latest
+  APP_PORT: 5000
+  TARGET_URL: "http://app:${APP_PORT}"

 default:
-  image: $DOCKER_IMAGE
+  image: $DOCKER_IMAGE_TEST

 stages:
-  - build-docker
+  - build-docker-test
+  - build-docker-app
  - lint
  - test
-  - dast job
+  - dast

 .setup_env: &setup_env
  before_script:
@@ -55,15 +59,15 @@ pages:
    - main

 # This job runs only when Dockerfile changes
-docker-build:
+docker-build-test:
  image: docker:latest
-  stage: build-docker
+  stage: build-docker-test
  services:
    - docker:dind
  script:
-    - docker build -t $DOCKER_IMAGE -f Dockerfile .
+    - docker build -t $DOCKER_IMAGE_TEST -f Dockerfile .
    - echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
-    - docker push $DOCKER_IMAGE
+    - docker push $DOCKER_IMAGE_TEST
  rules:
    - if: $GITLAB_CI == 'false' # Only run in GitLab CI
      when: never
@@ -72,13 +76,37 @@ docker-build:
        - src/pyproject.toml
        - src/pdm.lock

+docker-build-app:
+  image: docker:latest
+  stage: build-docker-app
+  services:
+    - docker:dind
+  script:
+    - docker build -t $DOCKER_IMAGE_APP -f src/Dockerfile .
+    - echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
+    - docker push $DOCKER_IMAGE_APP

 include:
  - template: Jobs/SAST.gitlab-ci.yml
-  - template: DAST.gitlab-ci.yml
+#  - template: DAST.gitlab-ci.yml

-dast:
-  stage: dast job
-  dast_configuration:
-    site_profile: "dast-site-profile-devsecops-mse"
-    scanner_profile: "dast-scanner-profile-devsecops-mse"
+#dast-ci:
+#  stage: dast
+#  dast_configuration:
+#    site_profile: "dast-site-profile-devsecops-mse"
+#    scanner_profile: "dast-scanner-profile-devsecops-mse"
+#services:
+#  - name: $DOCKER_IMAGE_APP
+#    alias: app
+
+dast-local:
+  stage: dast
+  image: ghcr.io/zaproxy/zaproxy:stable
+  services:
+    - name: $DOCKER_IMAGE_APP
+      alias: app
+  script:
+    - echo "Waiting for the app to start on http://app:5000"
+    - timeout 60 bash -c 'until curl -s http://app:5000; do echo "Waiting..."; sleep 3; done'
+    - zap-full-scan.py -t http://app:5000 -I
+  allow_failure: true # Allow failure for DAST job (because GitLab is not well configured and network didn't work)
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -0,0 +1,31 @@
+FROM python:3.10-slim
+LABEL  org.opencontainers.image.authors="remi.heredero@hevs.ch"
+
+RUN apt-get update && \
+    pip install --no-cache-dir -U pdm && \
+    rm -rf /var/lib/apt/lists/*
+
+
+ENV PATH="/root/.local/bin:$PATH" \
+    PDM_USE_VENV=false
+
+WORKDIR /app
+
+COPY src/pyproject.toml src/pdm.lock ./
+
+RUN pdm config python.use_venv false && \
+    pdm install
+
+ENV PYTHONPATH="/app/__pypackages__/3.9/lib" \
+    PATH="/app/__pypackages__/3.9/bin:$PATH"
+
+############################################################
+# Everything above should be imported from the test image, #
+# but GitLab can't pull it, so I copy-paste the content    #
+############################################################
+
+COPY src ./
+
+ENV FLASK_RUN_HOST=0.0.0.0
+
+CMD ["pdm", "run", "flask"]