12. Artifacts
Jobs can output an archive of files and directories. This output is known as a job artifact. You can download job artifacts by using the GitLab UI.
Example of an artifact definition:
pdf:
  script: xelatex mycv.tex
  artifacts:
    paths:
      - mycv.pdf
    expire_in: 1 week
The paths keyword determines which files to add to the job artifacts. All paths to files and directories are relative to the repository where the job was created.
The expire_in keyword determines how long GitLab keeps the job artifacts. You can also use the UI to keep job artifacts from expiring. If expire_in is not defined, the instance-wide setting is used.
Task 12.1: Artifacts Lab
- Add an artifacts section to the build_image job
- Add an artifact with the name container-scanning-report_<identifier>.txt
- Define the artifact paths pointing to the file that the Trivy command writes.
- Set a retention time of 30 days for the artifacts
Hint
For the identifier, use the Short Commit SHA from the predefined GitLab variables.
For the file path to use in paths, see the output flag (-o) of the Trivy command from the previous lab.
Task 12.2: Artifacts Lab solution
Updated .gitlab-ci.yml file for this lab:
stages:
  - info
  - build
  - test
  - package
  - deploy

include:
  - project: '${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}'
    file:
      - 'templates/k8s.yml'
      - 'templates/Secret-Detection.yml'
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml

variables:
  GIT_STRATEGY: 'clone'
  COMPILE: 'false'
  IMAGE_HOST: 'quay.io'
  IMAGE_REPOSITORY: 'puzzle'
  IMAGE_NAME: 'example-spring-boot'

default:
  timeout: 5 minutes

info:
  stage: info
  retry: 2
  script:
    - echo "This is your first stage (ツ)"
    - echo "Username is ${USERNAME} with ${PASSWORD}"

build_application:
  stage: build
  tags:
    - build
    - mobiliar
  image: registry.access.redhat.com/ubi9/openjdk-17:latest
  script:
    - ./gradlew assemble

test_application:
  stage: test
  image: registry.access.redhat.com/ubi9/openjdk-17:latest
  script:
    - ./gradlew check
  artifacts:
    # Upload the JUnit report even when the tests fail
    when: always
    reports:
      junit: build/test-results/test/**/TEST-*.xml

build_image:
  image: diemobiliar.azurecr.io/dlp-cicd-dockercli-image:254
  tags:
    - build
    - mobiliar
  services:
    - docker:dind
  stage: package
  before_script:
    - docker info
    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - echo $TRIVY_VERSION
    - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
  script:
    - docker build --no-cache -t $IMAGE_NAME .
    - mkdir -p reports
    # --exit-code 0: findings are written to the report, the job itself does not fail
    - ./trivy i --exit-code 0 --severity CRITICAL -o reports/container-scanning-report_$CI_COMMIT_SHORT_SHA.txt $IMAGE_NAME
    - IMAGE_PATH=$IMAGE_HOST/$IMAGE_REPOSITORY/$IMAGE_NAME:${CI_COMMIT_SHA:0:8}
    - echo "docker image path is - $IMAGE_PATH"
    - docker tag $IMAGE_NAME $IMAGE_PATH
    # - docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD} ${IMAGE_HOST}
    # - docker push $IMAGE_PATH
  # Keep the Trivy report written by the -o flag as a job artifact
  artifacts:
    name: "container-scanning-report_$CI_COMMIT_SHORT_SHA.txt"
    paths:
      - reports/container-scanning-report_$CI_COMMIT_SHORT_SHA.txt
    expire_in: 30 day

deploy_to_prod:
  stage: deploy
  when: manual
  only:
    - release
  script:
    - echo "Deployment triggered"

deploy_to_k8s:
  stage: deploy
  extends: .kubectl
  tags:
    - build
    - mobiliar
  script:
    - echo "deploy your stuff here with kubectl commands"
    - kubectl version --client --short
Download Job Artifacts
The defined artifact can be found on the build_image Job detail page of this Pipeline. Find the Job artifacts section on the right side beside the Job log.
Click on Download to get the Trivy report file and open it to see the report.
Task 12.3: Pipeline Artifacts Lab
Go to your pipelines under Build –> Pipelines and click on the download menu ⍗ to see the downloadable artifacts.
Then download them and open the JUnit test report.
