I want to run a GitLab CI pipeline that uses vulnerability scanning (GitLab Ultimate). The problem is that I need to create the `package-lock.json` file in the build stage. As far as I know, if the file does not exist in the repository when the pipeline runs, the job will not execute. Can anyone help me with this? :)

NodeJS repo for building NPM packages (not for building docker images).

Using the artifacts block in this process didn't help me...
You can override the `rules:` of the scanning job to remove the requirement that a lockfile exists. For example, the `gemnasium-dependency_scanning` job from the built-in dependency scanning template normally requires a lock file (such as `**/yarn.lock` or `package-lock.json`) to exist. This can be overridden, though. In addition, you can add a dependency on another job, such as the job that generates the lockfile, so that the generated lockfile is present in the scanning job (by default, scanning jobs ignore artifacts).
```yaml
include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

generate-lockfile:
  # ...
  stage: build
  # this is just an example...
  # update `script:` and `artifacts:` to your needs
  script:
    - yarn install --mode update-lockfile
  artifacts:
    paths:
      - yarn.lock

gemnasium-dependency_scanning:
  rules: # override rules to not require lockfile to be committed
    - when: on_success
  dependencies: [generate-lockfile] # download lockfile artifacts
```
This will ensure the scanning job is created in the pipeline even if you don't commit a lockfile, and will also enable the job to download artifacts from a job where you produce your lockfile.

Just change the `generate-lockfile` job to whatever is necessary for generating your lockfile and expose it as an artifact.

Of course, you would probably want to commit a lockfile in the first place, but I suppose that's not the point of this question.
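The same approach adapted to the npm case from the question, as an added example rather than the answerer's own configuration; it assumes `build` and `test` stages, any Node image with npm, and uses `npm install --package-lock-only` to generate the lockfile without installing `node_modules`:

```yaml
# Added example (not from the original answer): npm variant of the override above.
stages:
  - build
  - test

include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

# Assumed job name: writes package-lock.json only, without a node_modules install
generate-lockfile:
  stage: build
  image: node:lts           # assumption: any image that ships npm works here
  script:
    - npm install --package-lock-only
  artifacts:
    paths:
      - package-lock.json
    expire_in: 1 day        # the lockfile only needs to survive until the scan runs

gemnasium-dependency_scanning:
  rules:
    - when: on_success      # replaces the template's `exists:` check for a committed lockfile
  needs:
    - job: generate-lockfile
      artifacts: true       # pull the generated package-lock.json into the scan job
```

Because the scan now runs against a lockfile produced in the pipeline rather than one reviewed in the repository, the generated `package-lock.json` is worth keeping as an artifact so the exact dependency set that was scanned can be inspected later.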