I'm trying to build a GitLab pipeline that calls a Docker component and does the Docker build, scan, and push automatically. My pipeline structure is as below.
```yaml
default:
  tags:
    - eks-lnx-prd

stages:
  - pre_build
  - build_scan_push

variables:
  COE_REGISTRY: "registry.gitlab.com/canada-life/coe/cicdtools"
  IMAGE_TAG_VERSION: "latest"

# ------------------------------------------------------------------------------
# STEP 1: Detect and export the proper registry for CoE or Project builds
# ------------------------------------------------------------------------------
set_image_registry:
  stage: pre_build
  script:
    - |
      echo "🔹 Determining registry to use..."
      # MAIN or scheduled → CoE registry
      if [[ "$CI_COMMIT_BRANCH" == "main" || "$CI_PIPELINE_SOURCE" == "schedule" ]]; then
        REGISTRY="$COE_REGISTRY"
        TAG_VERSION="latest"
        echo " Using CoE Registry: $REGISTRY"
      else
        # For project builds, use GitLab's native registry path
        REGISTRY="$CI_REGISTRY_IMAGE"
        TAG_VERSION="latest-${CI_COMMIT_SHORT_SHA}"
        echo "🧩 Using Project Registry: $REGISTRY"
      fi
      # Force lowercase (Docker requirement)
      REGISTRY=$(echo "$REGISTRY" | tr '[:upper:]' '[:lower:]')
      echo "IMAGE_REGISTRY=$REGISTRY" >> variables.env
      echo "IMAGE_TAG_VERSION=$TAG_VERSION" >> variables.env
      echo " Final resolved values:"
      cat variables.env
  artifacts:
    reports:
      dotenv: variables.env

# ------------------------------------------------------------------------------
# STEP 2: CoE Component - Build & Scan for both images
# ------------------------------------------------------------------------------
include:
  # Build workspace-base image
  - component: $CI_SERVER_FQDN/***/coe/components/docker/[email protected]
    inputs:
      IMAGE_TAG_NAME: "cicd-workspace-base"
      IMAGE_TAG_VERSION: "${IMAGE_TAG_VERSION}"
      DOCKERFILE_PATH: "workspace-base/Dockerfile"
      job_name_expand: "_build_workspace_base"
      IMAGE_REGISTRY: "$IMAGE_REGISTRY"
  # Build java11 image
  - component: $CI_SERVER_FQDN/****/coe/components/docker/[email protected]
    inputs:
      IMAGE_TAG_NAME: "cicd-workspace-java11"
      IMAGE_TAG_VERSION: "${IMAGE_TAG_VERSION}"
      DOCKERFILE_PATH: "Java/java11/Dockerfile"
      job_name_expand: "_build_java11"
      IMAGE_REGISTRY: "$IMAGE_REGISTRY"
```
The component code looks as below.
```yaml
spec:
  inputs:
    stage:
      default: "build_scan_push"
    job_name_expand: # OPTIONAL. If you want to run multiple jobs for multiple images
      default: ""
    IMAGE_TAG_NAME: # name of the image
    IMAGE_TAG_VERSION: # tag of the image
    IMAGE_REGISTRY: # OPTIONAL. The container registry that will be pushed to
      default: "$CI_REGISTRY_IMAGE"
    DOCKERFILE_PATH: # OPTIONAL. Path to Dockerfile. INCLUDE NAME OF DOCKERFILE IN PATH
      default: ""
    CONTEXT_PATH: # OPTIONAL. Path to build context folder. Defaults to current directory
      default: "."
    DOCKER_ARGS: # OPTIONAL. Supplies additional arguments to the docker build command
      default: ""
    NO_PUSH: # OPTIONAL. When true, build and scan, but don't push.
      default: "false"
---
build_scan_push${{ inputs.job_name_expand }}:
  image:
    name: registry.gitlab.com/canada-life/coe/cicdtools/docker/cicd-dind:latest
  services:
    - name: registry.gitlab.com/canada-life/coe/cicdtools/docker/cicd-dind:latest
      alias: docker
      entrypoint: ["dockerd-entrypoint.sh", "--tls=false"]
  stage: ${{ inputs.stage }}
  variables:
    IMAGE_TAG_NAME: # name of the image
      value: ${{ inputs.IMAGE_TAG_NAME }}
    IMAGE_TAG_VERSION: # tag of the image
      value: ${{ inputs.IMAGE_TAG_VERSION }}
    IMAGE_REGISTRY: # OPTIONAL. The container registry that will be pushed to
      value: ${{ inputs.IMAGE_REGISTRY }}
    DOCKERFILE_PATH: # OPTIONAL. Path to Dockerfile. INCLUDE NAME OF DOCKERFILE IN PATH. Defaults [D]ockerfile
      value: ${{ inputs.DOCKERFILE_PATH }}
    CONTEXT_PATH: # OPTIONAL. Path to build context folder. Defaults to current directory
      value: ${{ inputs.CONTEXT_PATH }}
    DOCKER_ARGS: # OPTIONAL. Supplies additional arguments to the docker build command
      value: ${{ inputs.DOCKER_ARGS }}
    NO_PUSH: # OPTIONAL. When true, build and scan, but don't push.
      value: ${{ inputs.NO_PUSH }}
    DOCKER_HOST: tcp://docker:2375
    DOCKER_TLS_CERTDIR: ""
    DOCKER_DRIVER: overlay2
  before_script:
    - wget --header "Authorization: Basic $(echo -n "$PCC_USER:$PCC_PASS" | base64 | tr -d '\n')" "$PCC_CONSOLE_URL/api/v1/util/twistcli"
    - chmod a+x ./twistcli
    - until docker info; do sleep 1; done
    - echo "THIS DOCKER TEMPLATE IS MAINTAINED BY THE CICD TEAM. SEE https://prd-can-lifeco.atlassian.net/wiki/spaces/SPYCHN"
    - |
      if [ "$IMAGE_REGISTRY" == "$CI_REGISTRY_IMAGE" ]; then
        docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
      else
        echo "ATTEMPTING TO DEPLOY TO REMOTE REGISTRY."
        echo "COPY THE before_script COMMANDS IN THIS TEMPLATE INTO YOUR LOCAL JOB's before_script SECTION"
        echo "THEN APPEND A DOCKER LOGIN COMMAND WITH VALID CREDENTIALS TO YOUR LOCAL JOB'S before_script"
      fi
  script:
    - |
      # IMAGE_TAG_VERSION may be a comma-separated list; trim whitespace around each entry
      for VERSION in $(echo "$IMAGE_TAG_VERSION" | tr ',' '\n' | sed 's/^[ \t]*//;s/[ \t]*$//'); do
        TAG="${IMAGE_REGISTRY}/${IMAGE_TAG_NAME}:${VERSION}"
        echo
        echo "Building and processing TAG: ${TAG}"
        echo
        if [ -z "$DOCKERFILE_PATH" ]; then
          echo "NO DOCKERFILE_PATH ARGUMENT SUPPLIED. ASSUMING DOCKERFILE IS IN CURRENT DIRECTORY"
          docker build -t "$TAG" ${DOCKER_ARGS} ${CONTEXT_PATH}
        else
          echo "Using specified Dockerfile: $DOCKERFILE_PATH"
          docker build -t "$TAG" -f ${DOCKERFILE_PATH} ${DOCKER_ARGS} ${CONTEXT_PATH}
        fi
        # Export the image so twistcli can scan the tarball before any push
        docker save "$TAG" > image.tar
        sudo ./twistcli images scan \
          --address "$PCC_CONSOLE_URL" \
          --user "$PCC_USER" \
          --password "$PCC_PASS" \
          --output-file container_scan_result.json \
          --tarball image.tar
        sudo python3 /dock-scripts/pc-gitlab-convert.py \
          -o output-prismacloud-vulnerabilities.json
        if [ "$(echo "$NO_PUSH" | awk '{print tolower($0)}')" == "true" ]; then
          echo "NO_PUSH is true. Skipping docker push for $TAG."
        else
          echo "Pushing TAG: $TAG"
          docker push "$TAG"
        fi
      done
  artifacts:
    name: ${CI_PROJECT_NAME}${CI_COMMIT_REF_NAME}${CI_COMMIT_SHA}_build
    paths:
      - container_scan_result.json
    reports:
      container_scanning: output-prismacloud-vulnerabilities.json
```
I'm running into the below pipeline error.
Appreciate your thoughts on this.
`$[[ inputs.name ]]` rather than `${{ inputs.name }}`
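As an added example (not code from the question, the answer, or GitLab itself), a small checker that applies the answer's point to a component template: it splits the template at the `---` separator, reads the input names declared under `spec: inputs:`, and reports references written in the wrong `${{ inputs.x }}` form. It goes one step beyond the answer by also flagging `$[[ inputs.x ]]` references to inputs the spec never declares. The template text is constructed for the example, and the spec parser assumes input keys are indented exactly four spaces.

```python
import re

# Constructed sample component template: three declared inputs, then a job
# using one correct $[[ ]] reference, one wrong ${{ }} reference, and one
# reference to an input (IMAGE_REGISTRY) that the spec does not declare.
SAMPLE_TEMPLATE = """\
spec:
  inputs:
    stage:
      default: "build_scan_push"
    job_name_expand:
      default: ""
    IMAGE_TAG_NAME:
---
build_scan_push$[[ inputs.job_name_expand ]]:
  stage: ${{ inputs.stage }}
  variables:
    IMAGE_TAG_NAME: $[[ inputs.IMAGE_TAG_NAME ]]
    IMAGE_REGISTRY: $[[ inputs.IMAGE_REGISTRY ]]
"""

GOOD_REF = re.compile(r"\$\[\[\s*inputs\.(\w+)\s*\]\]")   # GitLab component syntax
BAD_REF = re.compile(r"\$\{\{\s*inputs\.(\w+)\s*\}\}")    # wrong (GitHub-style) form


def declared_inputs(spec_text):
    """Return input names from the spec document. Assumes input keys sit
    four spaces deep under 'inputs:'; avoids a YAML library dependency."""
    names = []
    in_inputs = False
    for line in spec_text.splitlines():
        if line.strip() == "inputs:":
            in_inputs = True
            continue
        m = re.match(r"^    (\w+):", line)
        if in_inputs and m:
            names.append(m.group(1))
    return names


def lint_component(template):
    """Split spec from job body at '---' and compare input references.
    Returns (wrong_syntax_refs, undeclared_refs), both sorted lists."""
    spec_text, job_text = template.split("\n---\n", 1)
    declared = set(declared_inputs(spec_text))
    wrong_syntax = sorted(set(BAD_REF.findall(job_text)))
    undeclared = sorted(set(GOOD_REF.findall(job_text)) - declared)
    return wrong_syntax, undeclared


if __name__ == "__main__":
    print(lint_component(SAMPLE_TEMPLATE))  # (['stage'], ['IMAGE_REGISTRY'])
```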