GitLab setup:

ARTIFACTORY: Maven build and containerising it with Docker build using GitLab and integration with Artifactory and scan with JFrog Xray as part of a JFrog Project

Author: Swarnendu Kayal
Article number: 000005370
Source type: Salesforce
First published: 2022-08-14T06:50:06Z
Last modified: 2025-05-15
Version: 5

The following GitLab setup is required -

1. First, create a project in GitLab. Details on how to create the project are available at the links below -

A. GitLab official link - https://docs.gitlab.com/ee/user/project/working_with_projects.html

B. Youtube link - https://www.youtube.com/watch?v=DGuMvGYZ7lY

2. Upload all the required files to the GitLab repository as described in the links in step # 1. It will look like this -

User-added image

As the above screenshot shows, a “maven-example” folder has been created. This folder contains the maven source code and the “pom.xml” for the maven build. This is a sample maven project that I have taken from this page - https://github.com/jfrog/project-examples/tree/master/maven-examples/maven-example. The contents look like below -


User-added image

3. Make sure the “pom.xml” file has the distribution management with the repository configuration as mentioned below. The example “pom.xml” looks like below - 

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.jfrog.test</groupId>
    <artifactId>multi</artifactId>
    <version>3.7-SNAPSHOT</version>
    <packaging>pom</packaging>
    <name>Simple Multi Modules Build</name>

    <modules>
        <module>multi1</module>
        <module>multi2</module>
        <module>multi3</module>
    </modules>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
    </properties>

    <dependencies>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>3.8.1</version>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-jar-plugin</artifactId>
                    <version>3.2.2</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-war-plugin</artifactId>
                    <version>3.3.2</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-source-plugin</artifactId>
                    <version>3.2.1</version>
                </plugin>
            </plugins>
        </pluginManagement>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jar-plugin</artifactId>
                <configuration>
                    <archive>
                        <addMavenDescriptor>false</addMavenDescriptor>
                    </archive>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <configuration>
                    <archive>
                        <addMavenDescriptor>false</addMavenDescriptor>
                    </archive>
                </configuration>
            </plugin>
        </plugins>
    </build>
    <distributionManagement>
        <repository>
            <id>releases</id>
            <url>https://test.jfrog.io/artifactory/dct-libs-release</url>
        </repository>
        <snapshotRepository>
            <id>snapshots</id>
            <url>https://test.jfrog.io/artifactory/dct-libs-snapshot</url>
        </snapshotRepository>
    </distributionManagement>
</project>
 


4. Another important file you need is the “settings.xml” file, which has to be generated with the “Set Me Up” button in the Artifactory UI. Refer to this page on how to generate the “settings.xml” file - https://www.jfrog.com/confluence/display/JFROG/Maven+Repository#MavenRepository-AutomaticallyGeneratingSettings. The example “settings.xml” looks like this -

<?xml version="1.0" encoding="UTF-8"?>
<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd" xmlns="http://maven.apache.org/SETTINGS/1.2.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <servers>
    <server>
      <username>&lt;username&gt;</username>
      <password>&lt;password&gt;</password>
      <id>central</id>
    </server>
    <server>
      <username>&lt;username&gt;</username>
      <password>&lt;password&gt;</password>
      <id>snapshots</id>
    </server>
  </servers>
  <profiles>
    <profile>
      <repositories>
        <repository>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
          <id>central</id>
          <name>dct-libs-release</name>
          <url>https://customer.jfrog.io/artifactory/dct-libs-release</url>
        </repository>
        <repository>
          <snapshots />
          <id>snapshots</id>
          <name>dct-libs-snapshot</name>
          <url>https://customer.jfrog.io/artifactory/dct-libs-snapshot</url>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
          <id>central</id>
          <name>dct-libs-release</name>
          <url>https://customer.jfrog.io/artifactory/dct-libs-release</url>
        </pluginRepository>
        <pluginRepository>
          <snapshots />
          <id>snapshots</id>
          <name>dct-libs-snapshot</name>
          <url>https://customer.jfrog.io/artifactory/dct-libs-snapshot</url>
        </pluginRepository>
      </pluginRepositories>
      <id>artifactory</id>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>artifactory</activeProfile>
  </activeProfiles>
</settings>
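
Maven selects deploy credentials by matching the `<id>` of each “distributionManagement” repository in “pom.xml” against a `<server>` `<id>` in “settings.xml”. The check below is an added example, not part of the original article or of JFrog's code: it cross-references the two files and flags passwords stored as literals. The function names are hypothetical, and the sample inputs are constructed from the listings above with an assumed literal password and an assumed `${env.ART_PLAT_PASS}` reference.

```python
import xml.etree.ElementTree as ET

POM = {"m": "http://maven.apache.org/POM/4.0.0"}
SET = {"s": "http://maven.apache.org/SETTINGS/1.2.0"}

# Constructed inputs, trimmed from the page's pom.xml and settings.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <distributionManagement>
    <repository><id>releases</id><url>https://test.jfrog.io/artifactory/dct-libs-release</url></repository>
    <snapshotRepository><id>snapshots</id><url>https://test.jfrog.io/artifactory/dct-libs-snapshot</url></snapshotRepository>
  </distributionManagement>
</project>"""
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0">
  <servers>
    <server><id>central</id><password>constructed-literal-secret</password></server>
    <server><id>snapshots</id><password>${env.ART_PLAT_PASS}</password></server>
  </servers>
</settings>"""

def deploy_targets(pom_xml):
    """Map each distributionManagement repository id to its URL."""
    root = ET.fromstring(pom_xml)
    targets = {}
    for tag in ("repository", "snapshotRepository"):
        node = root.find(f"m:distributionManagement/m:{tag}", POM)
        if node is not None:
            targets[node.findtext("m:id", "", POM)] = node.findtext("m:url", "", POM)
    return targets

def server_passwords(settings_xml):
    """Map each <server> id in settings.xml to its <password> text."""
    root = ET.fromstring(settings_xml)
    return {s.findtext("s:id", "", SET): s.findtext("s:password", "", SET)
            for s in root.iterfind("s:servers/s:server", SET)}

def audit(pom_xml, settings_xml):
    """Return findings for unmatched deploy ids and literal passwords."""
    findings, servers = [], server_passwords(settings_xml)
    for repo_id, url in deploy_targets(pom_xml).items():
        if repo_id not in servers:  # Maven sends no credentials to this URL
            findings.append(f"no-server:{repo_id}:{url}")
    for server_id, pw in servers.items():
        # ${env.X} is resolved at build time; {...} is a Maven-encrypted value
        indirect = pw.startswith("${env.") or (pw.startswith("{") and pw.endswith("}"))
        if pw and not indirect:
            findings.append(f"literal-password:{server_id}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POM, SAMPLE_SETTINGS):
        print(finding)
```

With the ids used in the listings above, the check reports that the `releases` repository has no matching `<server>` entry, because the entries in “settings.xml” are `central` and `snapshots`.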
 


5. Click on the settings button and make sure that the CI/CD option is enabled, as shown in the screenshot below. Otherwise you will not see the CI/CD option, where you check the pipeline run status -

User-added image

6. Now create the variables in the settings as shown below. We will use these variables in the pipeline script - 

User-added image

The defined variables are as follows -
ART_DOCKER_PASS: <Password to access the Artifactory docker repository. Generally it is the same password with which you log in to the JFrog UI and view docker repositories>

ART_DOCKER_REG: test.jfrog.io

ART_DOCKER_USER: <Username to access the Artifactory docker repository. Generally it is the same username with which you log in to the JFrog UI and view docker repositories>

ART_PLAT_PASS: <Password to login to JFrog UI>

ART_PLAT_URL: https://test.jfrog.io

ART_PLAT_USER: <Username to login to JFrog UI>

ARTIFACTORY_PROJECT_KEY: <Project Key defined in the project as shown in step # 1 under JFrog Platform Setup>

7. Now add a file called “.gitlab-ci.yml” in the GitLab project. The details on how to add the file are described in this document - https://docs.gitlab.com/ee/ci/quick_start/
8. Now add the below content to the yaml file that was just added -

docker-build:
  # Use the official docker image.
  image: docker:latest
  stage: build
  services:
    - docker:dind
  before_script:
    - apk add --update curl && rm -rf /var/cache/apk/*
    # docker login to Artifactory
    - docker login -u "$ART_DOCKER_USER" -p "$ART_DOCKER_PASS" $ART_DOCKER_REG
    # Installing JFrog CLI
    - curl -fL https://install-cli.jfrog.io | sh
    - chmod +x /usr/local/bin/jf
    # Configure Artifactory instance with JFrog CLI
    - pwd
    - cd /usr/local/bin/
    - ./jf --version
    - ./jf c add  artifactory-server --url=$ART_PLAT_URL --user=$ART_PLAT_USER --password=$ART_PLAT_PASS
  
  script:
    # docker build
    - docker build --pull -t "$ART_DOCKER_REG/dct-docker/test:$CI_JOB_ID" /builds/swarnendukayal/maven-docker-test
    - cd /usr/local/bin/
    # On-demand scanning
    - ./jf docker scan "$ART_DOCKER_REG/dct-docker/test:$CI_JOB_ID" --project=$ARTIFACTORY_PROJECT_KEY
    # Docker push
    - ./jf rt docker-push "$ART_DOCKER_REG/dct-docker/test:$CI_JOB_ID" dct-docker --build-name=maven-docker-jfrog --build-number=$CI_JOB_ID --project=$ARTIFACTORY_PROJECT_KEY 
    # Collect the environment variables
    - ./jf rt bce maven-docker-jfrog $CI_JOB_ID --project=$ARTIFACTORY_PROJECT_KEY
    # Pass the build information to Artifactory
    - ./jf rt bp maven-docker-jfrog $CI_JOB_ID --project=$ARTIFACTORY_PROJECT_KEY
    # Scanning the docker build
    - ./jf bs maven-docker-jfrog $CI_JOB_ID --project=$ARTIFACTORY_PROJECT_KEY

  # Run this job in a branch where a Dockerfile exists
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - Dockerfile
 

Please note that the location “/builds/swarnendukayal/maven-docker-test”, used in the docker build command above, defines the GitLab repository path from which the Dockerfile refers to the files during the docker build. This location will change from project to project and profile to profile.

For example: if the project URL (sample only) is https://gitlab.com/abc/test-jfrog/-/blob/master/.gitlab-ci.yml, then the location would be “/builds/abc/test-jfrog”. Kindly change it as per your project and repository location.

Once you save this file, it will immediately trigger a build, and you can find the build status as shown below -

User-added image

The build shows as failed because the Xray policy has been defined to fail the build if any vulnerabilities are caught.
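
The job in step # 8 expands the CI/CD password variables directly into command arguments, installs the JFrog CLI by piping a download into `sh`, and uses moving image tags. The lint below is an added example, not part of the original article or of JFrog's tooling: it flags those three patterns in a “.gitlab-ci.yml” and shows the docker login rewritten to read the password from stdin. The rule names and the `lint` function are hypothetical, and the sample input is constructed from lines of the job above.

```python
import re

# Constructed input: lines copied from the docker-build job in step 8.
SAMPLE_JOB = """\
  image: docker:latest
  services:
    - docker:dind
  before_script:
    - docker login -u "$ART_DOCKER_USER" -p "$ART_DOCKER_PASS" $ART_DOCKER_REG
    - curl -fL https://install-cli.jfrog.io | sh
    - ./jf c add  artifactory-server --url=$ART_PLAT_URL --user=$ART_PLAT_USER --password=$ART_PLAT_PASS
"""
# The same login with the secret read from stdin instead of the argument list.
HARDENED_LOGIN = '    - echo "$ART_DOCKER_PASS" | docker login -u "$ART_DOCKER_USER" --password-stdin $ART_DOCKER_REG'

RULES = [
    # A variable expanded after a password/token flag lands in the process arguments.
    ("secret-in-argv", re.compile(r'(?:\s-p|--password|--access-token)[ =]"?\$\{?\w+'),
     "read the secret from stdin (docker login and jf c add accept --password-stdin)"),
    # Installer fetched and executed in one step, with no version or checksum check.
    ("pipe-to-shell", re.compile(r'\bcurl\b[^|]*\|\s*(?:ba)?sh\b'),
     "download a pinned release and verify its checksum before running it"),
    # Tags such as latest and dind move, so two runs of one commit can differ.
    ("floating-image", re.compile(r'^\s*(?:image:\s*|-\s+)\S+:(?:latest|dind)\s*$'),
     "pin a version tag or an image digest"),
]

def lint(ci_yaml):
    """Return (line_number, rule_id, hint) for every rule hit in the job text."""
    hits = []
    for number, line in enumerate(ci_yaml.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip YAML comments
        for rule_id, pattern, hint in RULES:
            if pattern.search(line):
                hits.append((number, rule_id, hint))
    return hits

if __name__ == "__main__":
    for number, rule_id, hint in lint(SAMPLE_JOB):
        print(f"line {number}: {rule_id}: {hint}")
```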