sast-cis-benchmark.yml

# Run CIS benchmarks against the images/containers
sast_cis_benchmark:
  stage: test
  # Skip if fails, for now
  allow_failure: true
  # Set run command default to empty, can be used for /bin/sleep 10
  variables:
    DOCKER_RUN_COMMAND: docker run -d --rm --name test ${CI_REGISTRY_IMAGE}/${CI_COMMIT_REF_SLUG}:${CI_COMMIT_SHA}
  # Pull the image and only check against container_images
  script:
    - eval ${DOCKER_RUN_COMMAND}
    # Run CIS benchmark
      # -b no colored output
      # -c just run container_images scans
      # -e exclude check_4_5(docker trust) and check_4_6(healthcheck)
      # -i just run on the started image
    # send output to console and artifact
    # Exit with status code 1 if "[WARN] was found in output
    - benchmark_output=$(docker run
        --net host
        --pid host
        --userns host
        --cap-add audit_control
        -v /etc:/etc:ro
        -v /usr/bin/docker-containerd:/usr/bin/docker-containerd:ro
        -v /usr/bin/docker-runc:/usr/bin/docker-runc:ro
        -v /usr/lib/systemd:/usr/lib/systemd:ro
        -v /var/lib:/var/lib:ro
        -v /var/run/docker.sock:/var/run/docker.sock:ro
        --label docker_bench_security
        docker/docker-bench-security
          -b
          -c container_images
          -e check_4_5,check_4_6
          -i test);
      echo "${benchmark_output}";
      echo "${benchmark_output}" | sed -r "s/\x1B\[[0-9;]*[JKmsu]//g" > sast-cis-benchmark.txt;
      if echo "${benchmark_output}" | grep -q "\[WARN\]"; then exit 1; fi
  # Collect the artifacts in case of failure
  artifacts:
    paths:
      - sast-cis-benchmark.txt
    when: on_failure