CHANGELOG.md

@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.2.1] - 2024-10-25
+
+### Changed
+
+- `auto-devops/common-pipeline.yml`: the `before_script` added to the upstream job
+  `container_scanning`. Now it checkouts repository `dockerimages` to use file
+  `vulnerability-allowlist.yml` from it.
+
 ## [5.2.0] - 2024-10-21
 
 ### Changed

auto-devops/common-pipeline.yml

@@ -37,3 +37,18 @@ variables:
   # The License-Scanning.latest.gitlab-ci.yml job is added to the pipeline by AutoDevOps but was deprecated in GitLab
   # 15.9 and removed in GitLab 16.3. Explicitly disable it here to avoid the deprecation warning.
   LICENSE_MANAGEMENT_DISABLED: "1"
+
+container_scanning:
+  # This is to modify the original "container_scanning" job from
+  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Container-Scanning.gitlab-ci.yml.
+  # The original image used by the job has no curl, wget or ability to install anything, only git is available.
+  # The project could contain its own file, so we checking it first.
+  before_script: |
+    checkout_dir=$(mktemp -d /tmp/checkoutXXXXXX)
+    if [ ! -e "vulnerability-allowlist.yml" ]; then
+      git clone https://gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages.git $checkout_dir
+      cp $checkout_dir/vulnerability-allowlist.yml .
+      echo "The job will use 'vulnerability-allowlist.yml' file from a 'dockerimages' repository."
+    else
+      echo "The original 'vulnerability-allowlist.yml' file will be used for this job."
+    fi