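variables:
  # Both images are addressed by the mutable ":latest" tag. The build jobs
  # below push to it from whatever ref triggered the pipeline, so a push to
  # ANY branch replaces the image that every other pipeline (including the
  # default branch) runs inside. NOTE(review): pin consumers to an immutable
  # tag or digest (e.g. the $CI_COMMIT_SHA tag the build jobs also push).
  DOCKER_IMAGE_TEST: registry.forge.hefr.ch/klagarge/mse2425-grp09/python-pdm:latest
  DOCKER_IMAGE_APP: registry.forge.hefr.ch/klagarge/mse2425-grp09/devsecops-app:latest
  # Quoted on purpose: CI variable values are strings, a bare 5000 is parsed
  # by YAML as an integer.
  APP_PORT: "5000"
  # Expanded by GitLab from APP_PORT. "app" is the service alias the DAST job
  # gives the application container.
  TARGET_URL: "http://app:${APP_PORT}"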
# Every job that does not set its own `image:` runs inside the PDM test image.
# The docker-build-* jobs (docker:latest) and dast-local (zaproxy) override it.
default:
  image: $DOCKER_IMAGE_TEST
# Pipeline order: the CI image is (re)built first, then the application image,
# then lint/test, and finally the dynamic scan, which needs the freshly pushed
# application image as a service. The included SAST template expects a
# "test" stage to exist.
stages:
  - build-docker-test
  - build-docker-app
  - lint
  - test
  - dast
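# Shared before_script: makes the PDM dependency set baked into
# DOCKER_IMAGE_TEST importable from the checked-out sources. Consumed via the
# YAML merge key (`<<: *setup_env`) or via `extends: .setup_env`.
.setup_env: &setup_env
  before_script:
    - cd src
    # The test image ships its packages in /app/__pypackages__ (PEP 582
    # layout); copy them next to the sources so pdm and pytest resolve them.
    - cp -r /app/__pypackages__ .
    # $CI_PROJECT_DIR replaces the previously hard-coded
    # /builds/Klagarge/mse2425-grp09 path. The hard-coded path silently broke
    # on forks, renamed groups and runners with a different builds_dir (the
    # modules would then resolve from somewhere else, or not at all).
    - export "PYTHONPATH=${CI_PROJECT_DIR}/src:${CI_PROJECT_DIR}/src/__pypackages__/3.9/lib"
    - export "PATH=${CI_PROJECT_DIR}/src/__pypackages__/3.9/bin:${PATH}"
    # "3.9" must match the interpreter version in the test image; keep it in
    # sync with the Dockerfile when the base image is bumped.
    - export "FLASK_APP=app"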
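# Runs the pytest suite with coverage and keeps the HTML report for `pages`.
test job:
  stage: test
  <<: *setup_env
  script:
    # FLASK_SECRET_KEY must come from a project CI/CD variable; mark it
    # "masked" (so it never appears in job logs) and "protected" (so
    # pipelines on unprotected branches cannot read it). A protected
    # variable is simply absent on unprotected refs, so say so explicitly
    # instead of letting the tests fail with an obscure error.
    - '[ -n "$FLASK_SECRET_KEY" ] || echo "WARNING: FLASK_SECRET_KEY is not set (protected variable on an unprotected ref?)"'
    - export FLASK_SECRET_KEY=$FLASK_SECRET_KEY
    # Run the tests; the terminal report feeds the coverage badge below, the
    # HTML report is published by the `pages` job.
    - pdm run pytest tests --cov --cov-report term --cov-report html
  # Let GitLab read the total from pytest-cov's "TOTAL ... NN%" line.
  coverage: '/TOTAL.*\s+(\d+%)$/'
  artifacts:
    paths:
      - src/htmlcov/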
# flake8 over the sources, using the shared environment setup via `extends`
# (GitLab-native composition, equivalent to the `<<: *setup_env` merge key).
lint job:
  stage: lint
  extends: .setup_env
  # No artifacts from earlier stages are needed for linting.
  dependencies: []
  script:
    - pdm run flake8 --config=../tox.ini
  # Linter findings are reported but do not block the pipeline; cleaning them
  # up is currently outside the project's scope.
  allow_failure: true
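# Publishes the HTML coverage report to GitLab Pages on the main branch.
# CAUTION: the pytest-cov HTML report embeds the annotated source code. A
# Pages site is public unless "Pages access control" is enabled for the
# project — check that setting before relying on this job.
pages:
  stage: test
  # `needs` already downloads the artifacts of "test job" (src/htmlcov), so a
  # separate `dependencies:` list is not required.
  needs: ["test job"]
  script:
    - mv src/htmlcov/ public/
  artifacts:
    paths:
      - public
    expire_in: 7 days
  # `only:` is deprecated; `rules:` expresses the same "main branch" condition.
  rules:
    - if: $CI_COMMIT_BRANCH == "main"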
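# Builds and pushes the CI/test image. Runs only when the Dockerfile or the
# locked dependency set changes (see `rules`).
#
# Security notes:
#   * The image is pushed to the mutable ":latest" tag that `default.image`
#     uses for every job, from any branch that changes these files. Anyone who
#     can push a branch can therefore change the environment the default
#     branch's pipelines run in. An immutable $CI_COMMIT_SHA tag is pushed as
#     well so consumers can be pinned to a reviewed build.
#   * docker:dind needs a privileged runner; limit which runners pick up this
#     job (tags) if the instance has shared runners.
docker-build-test:
  # NOTE(review): pin `docker` and `docker:dind` to a version or digest
  # instead of `latest`, so the build toolchain does not change under you.
  image: docker:latest
  stage: build-docker-test
  services:
    - docker:dind
  script:
    - docker build -t "$DOCKER_IMAGE_TEST" -f Dockerfile .
    # "${VAR%:*}" strips the ":latest" tag from the image reference.
    - docker tag "$DOCKER_IMAGE_TEST" "${DOCKER_IMAGE_TEST%:*}:${CI_COMMIT_SHA}"
    # CI_REGISTRY_PASSWORD is the per-job CI_JOB_TOKEN; --password-stdin keeps
    # it out of the process list.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker push "$DOCKER_IMAGE_TEST"
    - docker push "${DOCKER_IMAGE_TEST%:*}:${CI_COMMIT_SHA}"
  rules:
    # GITLAB_CI is always "true" on a real GitLab runner; local emulators
    # (e.g. gitlab-ci-local) set it to "false" — presumably the intent is to
    # never push to the registry from a local run. TODO confirm.
    - if: $GITLAB_CI == 'false'
      when: never
    - changes:
        - Dockerfile
        - src/pyproject.toml
        - src/pdm.lock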
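# Builds and pushes the application image that dast-local scans.
#
# Unlike docker-build-test this job has no `changes:` filter, so it runs on
# every pipeline and every branch overwrites ":latest". dast-local relies on
# that to scan the current branch's code, but it also means the image named
# ":latest" is whatever branch was built most recently — never deploy it by
# that tag; use the immutable $CI_COMMIT_SHA tag pushed alongside.
docker-build-app:
  # NOTE(review): pin `docker` and `docker:dind` to a version or digest.
  image: docker:latest
  stage: build-docker-app
  services:
    - docker:dind
  script:
    - docker build -t "$DOCKER_IMAGE_APP" -f src/Dockerfile .
    # "${VAR%:*}" strips the ":latest" tag from the image reference.
    - docker tag "$DOCKER_IMAGE_APP" "${DOCKER_IMAGE_APP%:*}:${CI_COMMIT_SHA}"
    # CI_REGISTRY_PASSWORD is the per-job CI_JOB_TOKEN; --password-stdin keeps
    # it out of the process list.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker push "$DOCKER_IMAGE_APP"
    - docker push "${DOCKER_IMAGE_APP%:*}:${CI_COMMIT_SHA}"
  rules:
    # Same guard as docker-build-test: do not push to the registry from a
    # local emulator run (GITLAB_CI == "false"); otherwise run as before.
    - if: $GITLAB_CI == 'false'
      when: never
    - when: on_success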
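include:
  # Static analysis (GitLab SAST); its jobs run in the "test" stage.
  - template: Jobs/SAST.gitlab-ci.yml
  # Secret detection: catches credentials (e.g. a real FLASK_SECRET_KEY)
  # committed to the repository. Available on all tiers; requires the
  # self-managed instance to ship this template (GitLab 14.x or newer).
  - template: Jobs/Secret-Detection.gitlab-ci.yml
  # The managed DAST template needs site/scanner profiles and a working
  # service network; a local ZAP job (dast-local) is used instead for now.
  # - template: DAST.gitlab-ci.yml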
#dast-ci:
# stage: dast
# dast_configuration:
# site_profile: "dast-site-profile-devsecops-mse"
# scanner_profile: "dast-scanner-profile-devsecops-mse"
#services:
# - name: $DOCKER_IMAGE_APP
# alias: app
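# Active scan of the freshly built application image with OWASP ZAP.
# The app runs as a service container reachable as "app" (see TARGET_URL).
dast-local:
  stage: dast
  # NOTE(review): pin to a digest; "stable" is a moving tag.
  image: ghcr.io/zaproxy/zaproxy:stable
  # No artifacts from earlier stages are needed here.
  dependencies: []
  services:
    - name: $DOCKER_IMAGE_APP
      alias: app
  script:
    - echo "Waiting for the app to start on $TARGET_URL"
    # Poll until the app accepts connections; any HTTP response counts as
    # "up" (curl -s only fails on connection errors).
    - timeout 60 bash -c 'until curl -s -o /dev/null "$TARGET_URL"; do echo "Waiting..."; sleep 3; done'
    # -I: do not fail the job on warnings (all default rules report as WARN).
    # -r: write the HTML report; ZAP's scripts write reports under /zap/wrk.
    - mkdir -p /zap/wrk
    - zap-full-scan.py -t "$TARGET_URL" -I -r zap-report.html
    - cp /zap/wrk/zap-report.html "$CI_PROJECT_DIR/"
  artifacts:
    # Keep the report even when the scan (or the copy) fails.
    when: always
    paths:
      - zap-report.html
    expire_in: 7 days
  # Together with -I this means findings NEVER block the pipeline. Kept while
  # the service networking on the runner is unreliable; once it works, drop
  # `allow_failure` (and consider dropping -I) so the scan becomes a gate.
  allow_failure: true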