Forem: Booranasak Kanthong The latest articles on Forem by Booranasak Kanthong (@mirrorsan). https://forem.com/mirrorsan https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3334681%2F65bf4092-0727-4efe-bcc3-2efe91005f44.jpeg Forem: Booranasak Kanthong https://forem.com/mirrorsan en Kong Cluster Booranasak Kanthong Sun, 14 Sep 2025 15:51:20 +0000 https://forem.com/mirrorsan/kong-cluster-1cg6 https://forem.com/mirrorsan/kong-cluster-1cg6 <h1> 🚦 Kong Cluster 101 (Beginner-friendly) </h1> <h2> What is a “Kong Cluster”? </h2> <p>In practice, a <strong>Kong Cluster</strong> just means you run <strong>multiple Kong gateway nodes</strong> side-by-side so traffic can:</p> <ul> <li>spread across nodes (<strong>load balancing</strong> for throughput), and</li> <li>keep flowing even if one node dies (<strong>high availability/failover</strong>).</li> </ul> <p>In your setup:</p> <ul> <li> <strong>kong-1</strong> and <strong>kong-2</strong> are two gateway nodes.</li> <li>They share the <strong>same Postgres database</strong> (your <code>kong-ce-database</code>) so they read/write the same configuration.</li> <li> <strong>HAProxy</strong> (<code>haproxy</code> service) sits in front to split incoming requests across kong-1 and kong-2.</li> </ul> <blockquote> <p>Enterprise note (for later): Kong Enterprise supports a “hybrid” CP/DP model. For OSS/CE, clustering typically means “multiple data planes behind a load balancer using the same DB,” which is exactly what we’re doing here.</p> </blockquote> <h2> Why put a Load Balancer in front of Kong? </h2> <p>A load balancer (LB) like <strong>HAProxy</strong>:</p> <ul> <li> <strong>Distributes</strong> requests across nodes (round-robin by default).</li> <li> <strong>Health checks</strong> each node and <strong>stops sending</strong> traffic to unhealthy nodes (automatic failover).</li> <li>Gives you <strong>one stable endpoint</strong> to point apps at (no app-side juggling of multiple Kong hosts).</li> </ul> <p>Your compose already includes HAProxy. We’ll finish it with a tiny config (your version).</p> <h1> 🧩 Use your <code>docker-compose.yml</code> (what you already have) </h1> <p>You’ve done 90% of the heavy lifting. Here’s what’s in place:</p> <ul> <li>Postgres 13 for Kong (DB mode)</li> <li>One-time migrations</li> <li>Two Kong nodes (different admin/proxy ports)</li> <li>HAProxy (front door)</li> <li>Mongo + Konga (nice UI)</li> <li>(Optional) Kong Dashboard</li> </ul> <p>We’ll add:</p> <ol> <li>a <strong>HAProxy config</strong> file (yours, including <code>X-Served-By</code> + admin LB),</li> <li>two tiny <strong>upstream services</strong> to demonstrate failover (httpbin), and</li> <li>a <strong>Kong upstream</strong> with <strong>active health checks</strong>.</li> </ol> <h2> 1) HAProxy: load-balance Kong nodes (your config) </h2> <p>Create <code>./haproxy/haproxy.cfg</code> next to your compose file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>global maxconn 4096 defaults # keep tcp as a safe default; we'll override per section mode tcp timeout connect 5s timeout client 30s timeout server 30s # ===== Proxy LB (9200) — must be HTTP to inject headers ===== frontend fe_proxy bind *:9200 mode http option forwardfor # add X-Forwarded-For for client IP default_backend be_kong backend be_kong mode http balance roundrobin http-response add-header X-Served-By %[srv_name] # &lt;-- shows kong1/kong2 server kong1 kong-1:8000 check inter 2000 rise 3 fall 2 server kong2 kong-2:18000 check inter 2000 rise 3 fall 2 # ===== Admin LB (9201) — leave as HTTP, no need to add headers here ===== frontend fe_admin bind *:9201 mode http default_backend be_admin backend be_admin mode http option httpchk GET / balance roundrobin server kong1 kong-1:8001 check inter 2000 rise 3 fall 2 server kong2 kong-2:18001 check inter 2000 rise 3 fall 2 </code></pre> </div> <ul> <li>Exposes <strong><a href="http://localhost:9200" rel="noopener noreferrer">http://localhost:9200</a></strong> (proxy LB) and <strong><a href="http://localhost:9201" rel="noopener noreferrer">http://localhost:9201</a></strong> (admin LB).</li> <li>The proxy LB injects <code>X-Served-By</code> so you can <em>see</em> which Kong node handled the request.</li> </ul> <h2> 2) Full <code>docker-compose.yml</code> (merged + test apps) </h2> <blockquote> <p>Save this as your compose file (it’s your original, plus: HAProxy port <code>9201</code> and two httpbin services).<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Shared Kong DB config (CE/OSS)</span> <span class="na">x-kong-config</span><span class="pi">:</span> <span class="nl">&amp;kong-env</span> <span class="na">KONG_DATABASE</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">KONG_PG_HOST</span><span class="pi">:</span> <span class="s">kong-ce-database</span> <span class="na">KONG_PG_DATABASE</span><span class="pi">:</span> <span class="s">kong</span> <span class="na">KONG_PG_USER</span><span class="pi">:</span> <span class="s">kong</span> <span class="na">KONG_PG_PASSWORD</span><span class="pi">:</span> <span class="s">kong</span> <span class="na">services</span><span class="pi">:</span> <span class="c1"># ------------------------------</span> <span class="c1"># Postgres 13 for Kong (CE/OSS)</span> <span class="c1"># ------------------------------</span> <span class="na">kong-ce-database</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:13</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">kong-ce-database</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">POSTGRES_USER</span><span class="pi">:</span> <span class="s">kong</span> <span class="na">POSTGRES_DB</span><span class="pi">:</span> <span class="s">kong</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">kong</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kong_db_data:/var/lib/postgresql/data</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kong-ce-net</span><span class="pi">]</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">5432:5432"</span> <span class="c1"># optional: expose for local access</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pg_isready</span><span class="nv"> </span><span class="s">-U</span><span class="nv"> </span><span class="s">kong</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">kong"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">20</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># ------------------------------</span> <span class="c1"># One-time Kong migrations</span> <span class="c1"># ------------------------------</span> <span class="na">kong-migrations</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">kong:3.9.1</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">kong-migrations</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">kong-ce-database</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*kong-env</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">/bin/sh -lc</span> <span class="s">"kong migrations bootstrap -v || (kong migrations up -v &amp;&amp; kong migrations finish -v)"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kong-ce-net</span><span class="pi">]</span> <span class="na">restart</span><span class="pi">:</span> <span class="s2">"</span><span class="s">no"</span> <span class="c1"># ------------------------------</span> <span class="c1"># Kong Gateway node #1</span> <span class="c1"># ------------------------------</span> <span class="na">kong-1</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">kong:3.9.1</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">kong-1</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">kong-ce-database</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">kong-migrations</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_completed_successfully</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*kong-env</span> <span class="na">KONG_ADMIN_LISTEN</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0:8001,0.0.0.0:8444</span><span class="nv"> </span><span class="s">ssl"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8000:8000"</span> <span class="c1"># proxy</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8443:8443"</span> <span class="c1"># proxy ssl</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8001:8001"</span> <span class="c1"># admin</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8444:8444"</span> <span class="c1"># admin ssl</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">kong"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">health"</span><span class="pi">]</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kong-ce-net</span><span class="pi">]</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># ------------------------------</span> <span class="c1"># Kong Gateway node #2 (different internal ports)</span> <span class="c1"># ------------------------------</span> <span class="na">kong-2</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">kong:3.9.1</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">kong-2</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">kong-ce-database</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">kong-migrations</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_completed_successfully</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*kong-env</span> <span class="na">KONG_ADMIN_LISTEN</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0:18001,0.0.0.0:18444</span><span class="nv"> </span><span class="s">ssl"</span> <span class="na">KONG_PROXY_LISTEN</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0:18000,0.0.0.0:18443</span><span class="nv"> </span><span class="s">ssl"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8002:18000"</span> <span class="c1"># proxy (host)</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">18443:18443"</span> <span class="c1"># proxy ssl (host)</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">18001:18001"</span> <span class="c1"># admin (host)</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">18444:18444"</span> <span class="c1"># admin ssl (host)</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">kong"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">health"</span><span class="pi">]</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kong-ce-net</span><span class="pi">]</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># ------------------------------</span> <span class="c1"># HAProxy to load-balance kong-1 / kong-2</span> <span class="c1"># ------------------------------</span> <span class="na">haproxy</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">haproxy:2.9</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">kong-haproxy</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kong-ce-net</span><span class="pi">]</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">kong-1</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_started</span> <span class="na">kong-2</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_started</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9200:9200"</span> <span class="c1"># proxy LB</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9201:9201"</span> <span class="c1"># admin LB</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/usr/local/sbin/haproxy"</span><span class="pi">,</span><span class="s2">"</span><span class="s">-f"</span><span class="pi">,</span><span class="s2">"</span><span class="s">/usr/local/etc/haproxy/haproxy.cfg"</span><span class="pi">,</span><span class="s2">"</span><span class="s">-db"</span><span class="pi">]</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># ------------------------------</span> <span class="c1"># MongoDB 4.4 for Konga</span> <span class="c1"># ------------------------------</span> <span class="na">mongo</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">mongo:4.4</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">mongo</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">mongo_data:/data/db</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kong-ce-net</span><span class="pi">]</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">27017:27017"</span> <span class="c1"># optional</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">mongo"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--eval"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">db.runCommand({</span><span class="nv"> </span><span class="s">ping:</span><span class="nv"> </span><span class="s">1</span><span class="nv"> </span><span class="s">})"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">20</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># ------------------------------</span> <span class="c1"># Konga DB prepare (Mongo)</span> <span class="c1"># ------------------------------</span> <span class="na">konga-prepare</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">pantsel/konga:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">konga-prepare</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">mongo</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">command</span><span class="pi">:</span> <span class="s">-c prepare -a mongo -u mongodb://mongo:27017/konga</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kong-ce-net</span><span class="pi">]</span> <span class="na">restart</span><span class="pi">:</span> <span class="s2">"</span><span class="s">no"</span> <span class="c1"># ------------------------------</span> <span class="c1"># Konga (Admin UI) on Mongo</span> <span class="c1"># ------------------------------</span> <span class="na">konga</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">pantsel/konga:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">konga</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">mongo</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">konga-prepare</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_completed_successfully</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">DB_ADAPTER</span><span class="pi">:</span> <span class="s">mongo</span> <span class="na">DB_HOST</span><span class="pi">:</span> <span class="s">mongo</span> <span class="na">DB_PORT</span><span class="pi">:</span> <span class="m">27017</span> <span class="na">DB_DATABASE</span><span class="pi">:</span> <span class="s">konga</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s">production</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">1337:1337"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kong-ce-net</span><span class="pi">]</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># ------------------------------</span> <span class="c1"># KongDash (optional)</span> <span class="c1"># ------------------------------</span> <span class="na">kongdash</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">pgbi/kong-dashboard:v2</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">kongdash</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">start"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--kong-url"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">http://kong-1:8001"</span><span class="pi">]</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">kong-1</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_started</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8085:8080"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kong-ce-net</span><span class="pi">]</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># ------------------------------</span> <span class="c1"># Test upstream apps for failover</span> <span class="c1"># ------------------------------</span> <span class="na">httpbin1</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">mccutchen/go-httpbin:v2.15.0</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">httpbin1</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kong-ce-net</span><span class="pi">]</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">httpbin2</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">mccutchen/go-httpbin:v2.15.0</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">httpbin2</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">kong-ce-net</span><span class="pi">]</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">kong_db_data</span><span class="pi">:</span> <span class="pi">{}</span> <span class="c1"># Postgres data for Kong</span> <span class="na">mongo_data</span><span class="pi">:</span> <span class="pi">{}</span> <span class="c1"># Mongo data for Konga</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">kong-ce-net</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> </code></pre> </div> <p>Bring everything up:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> </code></pre> </div> <h2> 3) Configure Kong (via Admin API) for <strong>upstream</strong> failover </h2> <p>We’ll create:</p> <ul> <li>an <strong>Upstream</strong> (logical name) with</li> <li>two <strong>Targets</strong> (<code>httpbin1</code> &amp; <code>httpbin2</code>), plus</li> <li> <strong>active health checks</strong> so Kong can remove a bad target automatically,</li> <li>a <strong>Service</strong> pointing to the upstream, and</li> <li>a <strong>Route</strong> to expose it.</li> </ul> <blockquote> <p>Run these against either Admin API (e.g. <code>http://localhost:8001</code> for kong-1 or <code>http://localhost:18001</code> for kong-2).</p> </blockquote> <h3> 3.1 Upstream with health checks </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-sS</span> <span class="nt">-X</span> POST http://localhost:8001/upstreams <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "name": "demo-upstream", "healthchecks": { "active": { "http_path": "/status/200", "timeout": 1, "healthy": { "interval": 5, "successes": 1 }, "unhealthy": { "interval": 5, "http_failures": 1, "tcp_failures": 1, "timeouts": 1 } } } }'</span> </code></pre> </div> <p>In Konga -&gt; UPSTREAMS</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp6ykgk8h7t7ocaiw76px.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp6ykgk8h7t7ocaiw76px.png" alt=" " width="800" height="399"></a></p> <h3> 3.2 Register the two targets </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-sS</span> <span class="nt">-X</span> POST http://localhost:8001/upstreams/demo-upstream/targets <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"target":"httpbin1:8080","weight":100}'</span> curl <span class="nt">-sS</span> <span class="nt">-X</span> POST http://localhost:8001/upstreams/demo-upstream/targets <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"target":"httpbin2:8080","weight":100}'</span> </code></pre> </div> <p>In Konga -&gt; UPSTREAMS -&gt; Click at Detail</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc0cea6eu0z5zh1mt6o5z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc0cea6eu0z5zh1mt6o5z.png" alt=" " width="800" height="245"></a></p> <p>Then Click Targets</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxu8ca0tj9fwgecwpd8cs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxu8ca0tj9fwgecwpd8cs.png" alt=" " width="800" height="398"></a></p> <h3> 3.3 Create a Service using the upstream </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-sS</span> <span class="nt">-X</span> POST http://localhost:8001/services <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"name":"demo-svc","host":"demo-upstream","port":8080,"protocol":"http"}'</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F42hsb60kib10e3byz21d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F42hsb60kib10e3byz21d.png" alt=" " width="800" height="46"></a></p> <p>In Konga -&gt; Service</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhbglxlmmcg3v10hxeyoz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhbglxlmmcg3v10hxeyoz.png" alt=" " width="800" height="399"></a></p> <h3> 3.4 Expose it with a Route </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-sS</span> <span class="nt">-X</span> POST http://localhost:8001/services/demo-svc/routes <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"name":"demo-route","paths":["/demo"]}'</span> </code></pre> </div> <p>In Konga -&gt; Route</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ferptfksfmvvop6lfmz1b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ferptfksfmvvop6lfmz1b.png" alt=" " width="800" height="398"></a></p> <p>demo-route will set as a Route</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbhxfmzn57bpapx1y3pw6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbhxfmzn57bpapx1y3pw6.png" alt=" " width="800" height="69"></a></p> <p>Your app endpoint (through HAProxy → Kong) is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://localhost:9200/demo/get </code></pre> </div> <p>Basic test:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-i</span> http://localhost:9200/demo/get <span class="c"># expect 200 + an X-Served-By header from HAProxy: kong1 or kong2</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuqa7kp0xkh2seoonhnjz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuqa7kp0xkh2seoonhnjz.png" alt=" " width="697" height="1163"></a></p> <h1> Set up Connection in <strong>Konga</strong> (UI) </h1> <p>1). Open <strong><a href="http://localhost:1337" rel="noopener noreferrer">http://localhost:1337</a></strong> and create an admin user.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq3pm6pb8x23k2ebcacfi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq3pm6pb8x23k2ebcacfi.png" alt=" " width="800" height="665"></a></p> <p>2). Add a <strong>Connection</strong> (point Konga at the <strong>admin LB</strong>):</p> <p>In Konga -&gt; CONNECTIONS -&gt; Click button [+ NEW CONNECTION]</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzx49mu9j3kzf6ff214py.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzx49mu9j3kzf6ff214py.png" alt=" " width="800" height="412"></a></p> <p>Enter the following detail</p> <ul> <li> <strong>Name:</strong> <code>Haproxy-LB</code> </li> <li> <strong>Kong Admin URL:</strong> <code>http://localhost:9201</code> </li> <li> <strong>Username:</strong> Your Konga Username</li> <li> <strong>Password:</strong> Your Konga Password</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fttvr8s1g69tuouzkjhuq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fttvr8s1g69tuouzkjhuq.png" alt=" " width="610" height="637"></a></p> <p>3). In Konga, you can build the same objects via UI:</p> <ul> <li> <strong>Upstreams → Add Upstream</strong> (<code>demo-upstream</code>)</li> <li> <strong>Targets → Add Target</strong> (<code>httpbin1:8080</code>, <code>httpbin2:8080</code>)</li> <li> <strong>Services → Add Service</strong> (<code>demo-svc</code>, host: <code>demo-upstream</code>, port <code>8080</code>)</li> <li> <strong>Routes → Add Route</strong> (<code>demo-route</code>, paths: <code>/demo</code>)</li> <li> <strong>Healthchecks</strong>: enable Active checks with path <code>/status/200</code>.</li> </ul> <p>Either method (API or Konga) updates the shared Postgres DB, so both Kong nodes use the same config.</p> <h1> ✅ How to PROVE failover works (two ways) </h1> <h2> A) <strong>Gateway node</strong> failover (HAProxy removes bad Kong) </h2> <p>See which node served you:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-i</span> http://localhost:9200/status | <span class="nb">grep</span> <span class="nt">-i</span> X-Served-By </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhkdaupl7s5dqqtqp0zl8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhkdaupl7s5dqqtqp0zl8.png" alt=" " width="800" height="91"></a></p> <p>Kill one Kong node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker stop kong-1 <span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..6<span class="o">}</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-sI</span> http://localhost:9200/status | <span class="nb">grep</span> <span class="nt">-i</span> X-Served-By<span class="p">;</span> <span class="k">done</span> <span class="c"># expect only kong2 now</span> docker start kong-1 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F88smcssu9my1zj20u9m8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F88smcssu9my1zj20u9m8.png" alt=" " width="800" height="275"></a></p> <blockquote> <p>By killing Kong-1, only Kong-2 remains running. All the load will then go to Kong-2 instead of Kong-1, which is down. I then restarted Kong-1, and this time the load was distributed between Kong-1 and Kong-2.</p> </blockquote> <h2> B) <strong>Upstream target</strong> failover (Kong removes bad target) </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># both targets healthy?</span> curl <span class="nt">-sS</span> http://localhost:8001/upstreams/demo-upstream/health | jq <span class="nb">.</span> <span class="c"># stop one target</span> docker stop httpbin1 <span class="c"># calls should still return 200 (served by httpbin2)</span> <span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..6<span class="o">}</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}</span><span class="se">\n</span><span class="s2">"</span> http://localhost:9200/demo/get<span class="p">;</span> <span class="k">done</span> <span class="c"># health should show httpbin1 UNHEALTHY</span> curl <span class="nt">-sS</span> http://localhost:8001/upstreams/demo-upstream/health | jq <span class="nb">.</span> <span class="c"># recover</span> docker start httpbin1 </code></pre> </div> <p>First, I checked the upstream health status:<br> <code>curl -sS http://localhost:8001/upstreams/demo-upstream/health | jq .<br> </code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fscvnk9kdf58wvw2xpqkx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fscvnk9kdf58wvw2xpqkx.png" alt=" " width="781" height="1039"></a></p> <p>At this point, only httpbin2 was healthy and available.</p> <p>Next, I sent 6 requests to the service:</p> <p><code>for i in {1..6}; do curl -s -o /dev/null -w "%{http_code}\n" http://localhost:9200/demo/get; done</code></p> <p>All requests were routed successfully to httpbin2, since httpbin1 was still down.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi8kql61p1ys1iun2sip9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi8kql61p1ys1iun2sip9.png" alt=" " width="800" height="87"></a></p> <p>I then verified the upstream health again:</p> <p><code>curl -sS http://localhost:8001/upstreams/demo-upstream/health | jq .<br> </code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs75tdculzenl8pmojxmk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs75tdculzenl8pmojxmk.png" alt=" " width="782" height="1040"></a></p> <p>The results confirmed that only httpbin2 was handling traffic.</p> <p>After that, I restarted httpbin1:<br> <code>docker start httpbin1</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1tr6nz684564w7cb635a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1tr6nz684564w7cb635a.png" alt=" " width="540" height="36"></a></p> <p>Finally, I checked the upstream health one more time:<br> <code>curl -sS http://localhost:8001/upstreams/demo-upstream/health | jq .<br> </code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx48wdih2ipxiqjg4ag5r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx48wdih2ipxiqjg4ag5r.png" alt=" " width="778" height="1039"></a></p> <h2> Now both httpbin1 and httpbin2 were healthy, so the load could be distributed across both instances again. </h2> <h1> 🧭 Troubleshooting quick hits </h1> <ul> <li> <strong>Konga can’t reach Admin API?</strong> Use the admin LB: <code>http://localhost:9201</code>.</li> <li> <strong>HAProxy 503?</strong> Check <code>haproxy</code> logs and verify both admins &amp; proxies: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl http://localhost:8001/status curl http://localhost:18001/status </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsjzlwttl05lo0c4xjfj2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsjzlwttl05lo0c4xjfj2.png" alt=" " width="800" height="97"></a></p> <ul> <li> <strong>DB is a single point of failure in this demo.</strong> For real HA, use a managed Postgres/cluster or explore <strong>DB-less</strong> with declarative config + an external config store.</li> <li> <strong>Health checks too slow/fast?</strong> Tweak <code>interval</code>/thresholds in the Upstream <code>healthchecks.active</code>.</li> </ul> <h1> 🧠 What you just built (recap) </h1> <ul> <li>A <strong>two-node Kong cluster</strong> (OSS) sharing one Postgres DB.</li> <li> <strong>HAProxy</strong> in front for node-level <strong>load balancing and failover</strong> (proxy <code>:9200</code>, admin <code>:9201</code> with <code>X-Served-By</code>).</li> <li>A <strong>Kong Upstream</strong> with <strong>active health checks</strong> for service-level failover between two targets.</li> <li> <strong>Konga</strong> as a friendly admin UI.</li> </ul> api architecture devops beginners Building, Securing, and Deploying a Go App with GitLab CI/CD: README.md Booranasak Kanthong Tue, 05 Aug 2025 07:36:38 +0000 https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-readmemd-5e6c https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-readmemd-5e6c <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># Bank API</span> A simple in-memory bank account API built in Go. <span class="p"> -</span> <span class="gs">**Server listens on**</span>: <span class="sb">`:8008`</span> <span class="p">-</span> <span class="gs">**Base URL**</span>: <span class="sb">`http://localhost:8008`</span> <span class="p"> --- </span> <span class="gu">## Table of Contents</span> <span class="p"> 1.</span> <span class="p">[</span><span class="nv">Endpoints</span><span class="p">](</span><span class="sx">#endpoints</span><span class="p">)</span> <span class="p">2.</span> <span class="p">[</span><span class="nv">Mock Data</span><span class="p">](</span><span class="sx">#mock-data</span><span class="p">)</span> <span class="p">3.</span> <span class="p">[</span><span class="nv">Getting Started</span><span class="p">](</span><span class="sx">#getting-started</span><span class="p">)</span> <span class="p">4.</span> <span class="p">[</span><span class="nv">Running the Server</span><span class="p">](</span><span class="sx">#running-the-server</span><span class="p">)</span> <span class="p">5.</span> <span class="p">[</span><span class="nv">Running Tests &amp; Coverage</span><span class="p">](</span><span class="sx">#running-tests--coverage</span><span class="p">)</span> <span class="p"> --- </span> <span class="gu">## Endpoints</span> <span class="gu">### 1. Welcome Root</span> <span class="p"> -</span> <span class="gs">**Path**</span>: <span class="sb">`/`</span> <span class="p">-</span> <span class="gs">**Method**</span>: <span class="sb">`GET`</span> <span class="p">-</span> <span class="gs">**Description**</span>: Returns a friendly welcome message. <span class="p">```</span><span class="nl"> </span> bash curl http://localhost:8008/ </code></pre> </div> <h3> 2. List All Accounts </h3> <ul> <li> <strong>Path</strong>: <code>/accounts</code> </li> <li> <strong>Method</strong>: <code>GET</code> </li> <li> <strong>Description</strong>: Returns a JSON array of all accounts (ID, Name, Balance).</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash curl http://localhost:8008/accounts </code></pre> </div> <h3> 3. Create a New Account </h3> <ul> <li> <strong>Path</strong>: <code>/accounts</code> </li> <li> <strong>Method</strong>: <code>POST</code> </li> <li> <strong>Description</strong>: Opens a new account with zero (or seeded) balance.</li> <li> <strong>Body</strong>: JSON with a <code>Name</code> field.</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash curl -X POST http://localhost:8008/accounts \ -H "Content-Type: application/json" \ -d '{"Name":"Zara"}' </code></pre> </div> <h3> 4. Get Single Account </h3> <ul> <li> <strong>Path</strong>: <code>/accounts/{id}</code> </li> <li> <strong>Method</strong>: <code>GET</code> </li> <li> <strong>Description</strong>: Fetches the account with the given <code>id</code>.</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash curl http://localhost:8008/accounts/1 </code></pre> </div> <h3> 5. Deposit into Account </h3> <ul> <li> <strong>Path</strong>: <code>/accounts/{id}/deposit</code> </li> <li> <strong>Method</strong>: <code>POST</code> </li> <li> <strong>Description</strong>: Adds funds to the specified account.</li> <li> <strong>Body</strong>: JSON with an <code>Amount</code> field (must be &gt; 0).</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash curl -X POST http://localhost:8008/accounts/1/deposit \ -H "Content-Type: application/json" \ -d '{"Amount":100}' </code></pre> </div> <h3> 6. Withdraw from Account </h3> <ul> <li> <strong>Path</strong>: <code>/accounts/{id}/withdraw</code> </li> <li> <strong>Method</strong>: <code>POST</code> </li> <li> <strong>Description</strong>: Subtracts funds from the specified account (must have sufficient balance).</li> <li> <strong>Body</strong>: JSON with an <code>Amount</code> field (must be &gt; 0 and ≤ current balance).</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash curl -X POST http://localhost:8008/accounts/1/withdraw \ -H "Content-Type: application/json" \ -d '{"Amount":50}' </code></pre> </div> <h2> Mock Data </h2> <p>On startup, the in-memory store is seeded with 10 mock accounts:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>ID</th> <th>Name</th> <th>Balance</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Alice</td> <td>1000</td> </tr> <tr> <td>2</td> <td>Bob</td> <td>2000</td> </tr> <tr> <td>3</td> <td>Carol</td> <td>3000</td> </tr> <tr> <td>4</td> <td>Dave</td> <td>4000</td> </tr> <tr> <td>5</td> <td>Eve</td> <td>5000</td> </tr> <tr> <td>6</td> <td>Frank</td> <td>6000</td> </tr> <tr> <td>7</td> <td>Grace</td> <td>7000</td> </tr> <tr> <td>8</td> <td>Heidi</td> <td>8000</td> </tr> <tr> <td>9</td> <td>Ivan</td> <td>9000</td> </tr> <tr> <td>10</td> <td>Judy</td> <td>10000</td> </tr> </tbody> </table></div> <h2> Getting Started </h2> <ol> <li> <strong>Clone</strong> the repository and <code>cd</code> into it:</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash git clone &lt;repo-url&gt; cd bank-api </code></pre> </div> <ol> <li> <strong>Build</strong> (optional):</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash go build ./cmd/server </code></pre> </div> <h2> Running the Server </h2> <p>Start the HTTP server on port 8008:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash go run ./cmd/server/main.go </code></pre> </div> <p>Visit <code>http://localhost:8008/</code> in your browser or use the curl commands above.</p> <h2> Running Tests &amp; Coverage </h2> <p>Run all tests <strong>verbosely</strong> and display coverage:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash go test -v -cover ./... </code></pre> </div> <h2> License </h2> <p>MIT © Booranasak Kanthong</p> Building, Securing, and Deploying a Go App with GitLab CI/CD EP 5.2: Docker Hub Image Scanning with Trivy in GitLab CI/CD Booranasak Kanthong Tue, 05 Aug 2025 06:56:27 +0000 https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-52-docker-hub-image-scanning-with-hfn https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-52-docker-hub-image-scanning-with-hfn <h2> <strong>Introduction</strong> </h2> <p>Welcome back! Last time, you learned how to build and push your Docker image to Google Artifact Registry (GAR) using GitLab CI/CD. But before we ship our app to production, let’s make sure our Docker image is safe by scanning it for vulnerabilities using a tool called <strong>Trivy</strong>.</p> <p>In this episode, you’ll learn:</p> <ul> <li>What Trivy is and why you need image scanning</li> <li>How to add Trivy to your GitLab CI/CD pipeline</li> <li>How to read and act on your scan results</li> </ul> <h2> <strong>1. What is Trivy and Why Scan Your Images?</strong> </h2> <p><strong>Trivy</strong> is an easy-to-use, open-source tool that scans Docker images for security vulnerabilities.<br> Just like you wouldn’t install software from an unknown source, you shouldn’t run containers with hidden risks.</p> <p><strong>Why scan?</strong></p> <ul> <li>Containers often include software from many sources</li> <li>Vulnerabilities can sneak into your images even if your code is safe</li> <li>Scanning helps you find and fix risks <em>before</em> they hit production</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F13ysgf21i603e455p38g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F13ysgf21i603e455p38g.png" alt=" " width="800" height="800"></a></p> <h2> <strong>2. How Trivy Fits in Your Pipeline</strong> </h2> <p>Here’s how your pipeline flow looks now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[GitLab Pipeline] | v [Build Docker Image] | v [Push Image to GAR] | v [Scan Image with Trivy] | v [Ready for Deploy!] </code></pre> </div> <h2> <strong>3. Adding Trivy to Your .gitlab-ci.yml</strong> </h2> <p>Here’s a simple Trivy job based on your previous setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image_scan</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sca_image</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aquasec/trivy:latest</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Scanning Docker image for vulnerabilities..."</span> <span class="pi">-</span> <span class="s">trivy image $IMAGE_TAG_DOCKERHUB</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">push_container_to_registry</span> </code></pre> </div> <p><strong>What’s happening here?</strong></p> <ul> <li>Installs Docker and Trivy</li> <li>Authenticates with Google Cloud so the image can be pulled</li> <li>Runs Trivy to scan your image in GAR</li> <li>Saves the results as <code>trivy-report.txt</code> </li> <li>The job is allowed to fail (<code>allow_failure: true</code>) so a vulnerability won’t block your learning or experimenting</li> </ul> <h2> <strong>4. Merge scripts together</strong> </h2> <p>It will look like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker:dind</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">DOCKER_HOST</span><span class="pi">:</span> <span class="s">tcp://docker:2375/</span> <span class="na">DOCKER_TLS_CERTDIR</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">GO_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.24.3"</span> <span class="na">SONAR_USER_HOME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${CI_PROJECT_DIR}/.sonar"</span> <span class="na">IMAGE_USERNAME_DOCKERHUB</span><span class="pi">:</span> <span class="s2">"</span><span class="s">mirrorheart"</span> <span class="na">IMAGE_NAME_DOCKERHUB</span><span class="pi">:</span> <span class="s2">"</span><span class="s">booranasak-bank-api-golang"</span> <span class="na">IMAGE_VERSION_TAG</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">IMAGE_TAG_DOCKERHUB</span><span class="pi">:</span> <span class="s2">"</span><span class="s">$IMAGE_USERNAME_DOCKERHUB/$IMAGE_NAME_DOCKERHUB:$IMAGE_VERSION_TAG"</span> <span class="na">IMAGE_TAR</span><span class="pi">:</span> <span class="s">todo-api.tar</span> <span class="na">GIT_DEPTH</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint</span> <span class="pi">-</span> <span class="s">test</span> <span class="pi">-</span> <span class="s">sast</span> <span class="pi">-</span> <span class="s">build</span> <span class="pi">-</span> <span class="s">push</span> <span class="pi">-</span> <span class="s">sca_image</span> <span class="na">.go-job-template</span><span class="pi">:</span> <span class="nl">&amp;go-job-template</span> <span class="na">image</span><span class="pi">:</span> <span class="s">debian:bullseye</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt update &amp;&amp; apt install -y curl git tar gzip</span> <span class="pi">-</span> <span class="s">curl -LO https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">rm -rf /usr/local/go &amp;&amp; tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go version</span> <span class="na">lint_golint</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">lint</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go install golang.org/x/lint/golint@latest</span> <span class="pi">-</span> <span class="s">export PATH="$PATH:$(go env GOPATH)/bin"</span> <span class="pi">-</span> <span class="s">echo "Linting files:"</span> <span class="pi">-</span> <span class="s">find . -name '*.go'</span> <span class="pi">-</span> <span class="s">golint ./... | tee lint-report.txt</span> <span class="pi">-</span> <span class="s">echo "--- Lint report preview ---"</span> <span class="pi">-</span> <span class="s">cat lint-report.txt || echo "lint-report.txt is empty"</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">golint-report"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint-report.txt</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 week</span> <span class="na">unit_test_and_coverage</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">test</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go mod tidy</span> <span class="pi">-</span> <span class="s">go test -v -cover ./...</span> <span class="pi">-</span> <span class="s">go test -v -coverprofile=coverage.out ./...</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">coverage.out</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> <span class="na">sonarqube-check</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">unit_test_and_coverage</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sonar-scanner -Dsonar.host.url="${SONAR_HOST_URL}" -Dsonar.go.coverage.reportPaths=coverage.out -Dsonar.exclusions=**/*_test.go</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">sonarqube-vulnerability-report</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">curl</span><span class="nv"> </span><span class="s">-u</span><span class="nv"> </span><span class="s">"${SONAR_TOKEN}:"</span><span class="nv"> </span><span class="s">"${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=booranasak-bank-golang-sast&amp;branch=${CI_COMMIT_BRANCH}&amp;pullRequest=${CI_MERGE_REQUEST_IID}"</span><span class="nv"> </span><span class="s">-o</span><span class="nv"> </span><span class="s">gl-sast-sonar-report.json'</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 day</span> <span class="na">reports</span><span class="pi">:</span> <span class="na">sast</span><span class="pi">:</span> <span class="s">gl-sast-sonar-report.json</span> <span class="na">build_container</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">build</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin</span> <span class="pi">-</span> <span class="s">docker build -t $IMAGE_TAG_DOCKERHUB .</span> <span class="pi">-</span> <span class="s">docker save $IMAGE_TAG_DOCKERHUB -o $IMAGE_TAR</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">docker-image-tar"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">$IMAGE_TAR</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> <span class="na">push_container_to_registry</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">push</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin</span> <span class="pi">-</span> <span class="s">docker load -i $IMAGE_TAR</span> <span class="pi">-</span> <span class="s">docker push $IMAGE_TAG_DOCKERHUB</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build_container</span> <span class="na">image_scan</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sca_image</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aquasec/trivy:latest</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Scanning Docker image for vulnerabilities..."</span> <span class="pi">-</span> <span class="s">trivy image $IMAGE_TAG_DOCKERHUB</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">push_container_to_registry</span> </code></pre> </div> <h2> <strong>5. Viewing and Understanding Your Trivy Scan Results</strong> </h2> <ul> <li>Go to your pipeline in GitLab.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8zyc7n7mwog66hgbywrh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8zyc7n7mwog66hgbywrh.png" alt=" " width="318" height="1065"></a></p> <ul> <li>Click at your recent run pipeline</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F635pkl4jfp3zk0jtxg86.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F635pkl4jfp3zk0jtxg86.png" alt=" " width="800" height="339"></a></p> <ul> <li>Click on the <code>image_scan</code> job.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqz6w98a7arh79eup507k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqz6w98a7arh79eup507k.png" alt=" " width="800" height="101"></a></p> <p>*You can view the Trivy report directly from the output logs, or configure your pipeline to save the Trivy report as an artifact. This allows you to download or preview the trivy-report.txt artifact.</p> <h4> Output logs(this from other pipeline) </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9jqm2s61sspekz2aker5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9jqm2s61sspekz2aker5.png" alt=" " width="800" height="293"></a></p> <p><strong>What do the results mean?</strong></p> <ul> <li>Trivy will list all detected vulnerabilities, their severity, and where they were found (like OS packages or app dependencies).</li> <li>Focus on “HIGH” or “CRITICAL” vulnerabilities—those should be fixed first.</li> <li>If the Status is fixed, you’re already protected and don’t need to take action. </li> <li>But if the status is affected, will_not_fix, or fix_deferred, you should pay close attention—these vulnerabilities are not yet resolved and may still put your project at risk. Review them carefully and patch or mitigate as soon as possible.</li> </ul> <p>In our Code and Image that being use there are no vulnerabilities</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu0mon21nmugrezq2s1zg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu0mon21nmugrezq2s1zg.png" alt=" " width="800" height="106"></a></p> <h2> <strong>6. What If I Find Vulnerabilities?</strong> </h2> <ul> <li> <strong>Read the Trivy output carefully</strong>—it tells you which package (and version) is affected.</li> <li>Many issues can be fixed by updating your <code>Dockerfile</code> or base image.</li> <li>Sometimes, vulnerabilities are in dependencies you don’t use directly. Research if an update or patch is available.</li> <li>If you’re not sure, search the CVE ID online for advice.</li> </ul> <h2> <strong>7. Tips and Best Practices</strong> </h2> <ul> <li> <strong>Scan every new build:</strong> Don’t skip scanning for speed; automate it!</li> <li> <strong>Keep Trivy updated:</strong> Vulnerabilities are found all the time.</li> <li> <strong>Don’t ignore “HIGH”/“CRITICAL” issues:</strong> If you must, at least understand the risk.</li> <li> <strong>Automate alerting:</strong> Advanced: send scan failures to Slack, email, etc.</li> </ul> <h2> <strong>8. What’s Next?</strong> </h2> <p>Awesome! Your pipeline now checks for vulnerabilities in every image.<br> Next, we’ll move on to <strong>deploying your image</strong> and running <strong>live API security scans</strong> with <strong>OWASP ZAP</strong>—so your app is not only safe inside, but also from the outside.</p> <h2> <strong>Summary</strong> </h2> <ul> <li>Added Trivy to your pipeline for automatic container security checks</li> <li>Learned how to read and act on Trivy results</li> <li>Set your project up for safer, more professional deployments</li> </ul> <p><em>Ready for the next step? See you in Episode 6 for deploy and API security scanning with ZAP!</em></p> Building, Securing, and Deploying a Go App with GitLab CI/CD EP 4.2: Build and Push Docker Image to Docker Hub Booranasak Kanthong Tue, 05 Aug 2025 06:05:34 +0000 https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-42-build-and-push-docker-image-to-oad https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-42-build-and-push-docker-image-to-oad <h2> <strong>Introduction</strong> </h2> <p>Welcome back to our CI/CD journey! Last time, you learned how to scan your Go code for bugs and vulnerabilities with SonarQube. In this episode, we’ll take your project to the next level by <strong>packaging your app as a Docker image and pushing it to Docker Hub</strong>.</p> <p>By the end, you’ll know how to:</p> <ul> <li>Build a Docker image of your Go app in your GitLab pipeline</li> <li>Authenticate your pipeline with Docker Hub</li> <li>Push your image to Docker Hub for safe storage and sharing</li> </ul> <h2> <strong>1. What is a Docker Image and Why Use a Registry?</strong> </h2> <p>A <strong>Docker image</strong> is like a recipe that describes how to run your app.<br> It bundles your code, dependencies, and configuration so your app runs the same everywhere.</p> <p>But once you build an image, you need a place to store it. That’s where a <strong>container registry</strong> like <strong>Docker Hub</strong> comes in!<br> A registry lets you store, share, and deploy images—just like GitHub lets you store and share code.</p> <h3> <strong>Docker Image to Registry Flow</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">[</span><span class="nv">GitLab Pipeline Triggered</span><span class="pi">]</span> <span class="pi">|</span> <span class="s">v</span> <span class="pi">[</span><span class="nv">Docker Build Job</span><span class="pi">:</span> <span class="nv">Build App Image</span><span class="pi">]</span> <span class="pi">|</span> <span class="s">v</span> <span class="pi">[</span><span class="nv">Save Docker Image as .tar File</span><span class="pi">]</span> <span class="pi">|</span> <span class="s">v</span> <span class="pi">[</span><span class="nv">Push Job</span><span class="pi">:</span> <span class="nv">Authenticate with Docker Hub</span><span class="pi">]</span> <span class="pi">|</span> <span class="s">v</span> <span class="pi">[</span><span class="nv">Load Docker Image from .tar File</span><span class="pi">]</span> <span class="pi">|</span> <span class="s">v</span> <span class="pi">[</span><span class="nv">Push Docker Image to Docker Hub</span><span class="pi">]</span> <span class="pi">|</span> <span class="s">v</span> <span class="pi">[</span><span class="nv">Image Available in Docker Hub</span><span class="pi">]</span> </code></pre> </div> <h2> <strong>2. Setting Up Docker Hub</strong> </h2> <p>To push images to Docker Hub, you need:</p> <ul> <li>A Docker Hub account</li> <li>A repository created in Docker Hub under your username or organization</li> </ul> <h3> <strong>A. Create a Docker Hub Repository</strong> </h3> <p>1.) Go to <a href="https://hub.docker.com" rel="noopener noreferrer">https://hub.docker.com</a><br> 2.) Sign in and click <strong>Create Repository</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8y98hpeueufyfzln9ojf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8y98hpeueufyfzln9ojf.png" alt=" " width="800" height="298"></a></p> <p>3.) Choose visibility (Public or Private), and name it something like <code>booranasak-bank-api-golang</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuql5mwqzezsjbkumo0bg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuql5mwqzezsjbkumo0bg.png" alt=" " width="739" height="450"></a></p> <p>4.) Note the image name format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> docker.io/YOUR_DOCKERHUB_USERNAME/booranasak-bank-api-golang:1.0.0 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxm6i1f1juzqcbmyp6ha7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxm6i1f1juzqcbmyp6ha7.png" alt=" " width="713" height="710"></a></p> <h2> <strong>3. Building Your Docker Image in GitLab CI/CD</strong> </h2> <p>Here’s the job for your <code>.gitlab-ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">variables</span><span class="pi">:</span> <span class="na">IMAGE_NAME_DOCKERHUB</span><span class="pi">:</span> <span class="s2">"</span><span class="s">booranasak-bank-api-golang"</span> <span class="na">IMAGE_VERSION_TAG</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">IMAGE_TAG_DOCKERHUB</span><span class="pi">:</span> <span class="s2">"</span><span class="s">docker.io/YOUR_DOCKERHUB_USERNAME/$IMAGE_NAME_DOCKERHUB:$IMAGE_VERSION_TAG"</span> <span class="na">IMAGE_TAR</span><span class="pi">:</span> <span class="s">todo-api.tar</span> <span class="na">build_image</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">build</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker build -t $IMAGE_TAG_DOCKERHUB .</span> <span class="pi">-</span> <span class="s">docker save $IMAGE_TAG_DOCKERHUB -o $IMAGE_TAR</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">docker-image-tar"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">$IMAGE_TAR</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> </code></pre> </div> <h2> <strong>4. Authenticating GitLab CI/CD with Docker Hub</strong> </h2> <p>You’ll use GitLab CI/CD variables to store your Docker Hub credentials.</p> <h3> <strong>A. Add Docker Hub Credentials to GitLab</strong> </h3> <ol> <li>Go to your GitLab project → <strong>Settings → CI/CD → Variables</strong> </li> <li>Add the following CI/CD variables:</li> </ol> <ul> <li> <code>DOCKER_USERNAME</code>: your Docker Hub username</li> </ul> <h2> * <code>DOCKER_PASSWORD</code>: your Docker Hub password or personal access token </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7k154thqlt0llukedwsu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7k154thqlt0llukedwsu.png" alt=" " width="800" height="169"></a></p> <h2> <strong>5. Pushing the Image to Docker Hub</strong> </h2> <p>Here’s the job for pushing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">push_image_to_registry</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">push</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build_image</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker login -u "$DOCKER_USER" --password-stdin</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker load -i $IMAGE_TAR</span> <span class="pi">-</span> <span class="s">docker push $IMAGE_TAG_DOCKERHUB</span> </code></pre> </div> <h2> <strong>6. Merge Scripts Together</strong> </h2> <p>Here’s how your complete <code>.gitlab-ci.yml</code> looks after replacing GAR with Docker Hub:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker:dind</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">DOCKER_HOST</span><span class="pi">:</span> <span class="s">tcp://docker:2375/</span> <span class="na">DOCKER_TLS_CERTDIR</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">GO_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.24.3"</span> <span class="na">SONAR_USER_HOME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${CI_PROJECT_DIR}/.sonar"</span> <span class="na">IMAGE_USERNAME_DOCKERHUB</span><span class="pi">:</span> <span class="s2">"</span><span class="s">mirrorheart"</span> <span class="na">IMAGE_NAME_DOCKERHUB</span><span class="pi">:</span> <span class="s2">"</span><span class="s">booranasak-bank-api-golang"</span> <span class="na">IMAGE_VERSION_TAG</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">IMAGE_TAG_DOCKERHUB</span><span class="pi">:</span> <span class="s2">"</span><span class="s">$IMAGE_USERNAME_DOCKERHUB/$IMAGE_NAME_DOCKERHUB:$IMAGE_VERSION_TAG"</span> <span class="na">IMAGE_TAR</span><span class="pi">:</span> <span class="s">todo-api.tar</span> <span class="na">GIT_DEPTH</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint</span> <span class="pi">-</span> <span class="s">test</span> <span class="pi">-</span> <span class="s">sast</span> <span class="pi">-</span> <span class="s">build</span> <span class="pi">-</span> <span class="s">push</span> <span class="pi">-</span> <span class="s">sca_image</span> <span class="pi">-</span> <span class="s">deploy</span> <span class="pi">-</span> <span class="s">zap_scan</span> <span class="na">.go-job-template</span><span class="pi">:</span> <span class="nl">&amp;go-job-template</span> <span class="na">image</span><span class="pi">:</span> <span class="s">debian:bullseye</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt update &amp;&amp; apt install -y curl git tar gzip</span> <span class="pi">-</span> <span class="s">curl -LO https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">rm -rf /usr/local/go &amp;&amp; tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go version</span> <span class="na">lint_golint</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">lint</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go install golang.org/x/lint/golint@latest</span> <span class="pi">-</span> <span class="s">export PATH="$PATH:$(go env GOPATH)/bin"</span> <span class="pi">-</span> <span class="s">echo "Linting files:"</span> <span class="pi">-</span> <span class="s">find . -name '*.go'</span> <span class="pi">-</span> <span class="s">golint ./... | tee lint-report.txt</span> <span class="pi">-</span> <span class="s">echo "--- Lint report preview ---"</span> <span class="pi">-</span> <span class="s">cat lint-report.txt || echo "lint-report.txt is empty"</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">golint-report"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint-report.txt</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 week</span> <span class="na">unit_test_and_coverage</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">test</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go mod tidy</span> <span class="pi">-</span> <span class="s">go test -v -cover ./...</span> <span class="pi">-</span> <span class="s">go test -v -coverprofile=coverage.out ./...</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">coverage.out</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> <span class="na">sonarqube-check</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">unit_test_and_coverage</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sonar-scanner -Dsonar.host.url="${SONAR_HOST_URL}" -Dsonar.go.coverage.reportPaths=coverage.out -Dsonar.exclusions=**/*_test.go</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">sonarqube-vulnerability-report</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">curl</span><span class="nv"> </span><span class="s">-u</span><span class="nv"> </span><span class="s">"${SONAR_TOKEN}:"</span><span class="nv"> </span><span class="s">"${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=booranasak-bank-golang-sast&amp;branch=${CI_COMMIT_BRANCH}&amp;pullRequest=${CI_MERGE_REQUEST_IID}"</span><span class="nv"> </span><span class="s">-o</span><span class="nv"> </span><span class="s">gl-sast-sonar-report.json'</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 day</span> <span class="na">reports</span><span class="pi">:</span> <span class="na">sast</span><span class="pi">:</span> <span class="s">gl-sast-sonar-report.json</span> <span class="na">build_container</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">build</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin</span> <span class="pi">-</span> <span class="s">docker build -t $IMAGE_TAG_DOCKERHUB .</span> <span class="pi">-</span> <span class="s">docker save $IMAGE_TAG_DOCKERHUB -o $IMAGE_TAR</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">docker-image-tar"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">$IMAGE_TAR</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> <span class="na">push_container_to_registry</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">push</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin</span> <span class="pi">-</span> <span class="s">docker load -i $IMAGE_TAR</span> <span class="pi">-</span> <span class="s">docker push $IMAGE_TAG_DOCKERHUB</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build_container</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fipyy5zsinx2v0gmwai18.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fipyy5zsinx2v0gmwai18.png" alt=" " width="800" height="125"></a></p> <h2> <strong>7. Checking Your Image in Docker Hub</strong> </h2> <p>Once your pipeline finishes:</p> <ul> <li>Go to <a href="https://hub.docker.com" rel="noopener noreferrer">Docker Hub</a> </li> <li>Open your repository (e.g., <code>booranasak-bank-api-golang</code>)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0lx3v34khuqfj1oerjmx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0lx3v34khuqfj1oerjmx.png" alt=" " width="800" height="218"></a></p> <ul> <li>You should see your image with the tag <code>1.0.0</code> listed</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4s131im1q9vttj2uvq68.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4s131im1q9vttj2uvq68.png" alt=" " width="800" height="535"></a></p> <h3> <strong>Test Pulling Your Image (Optional)</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker pull docker.io/YOUR_DOCKERHUB_USERNAME/booranasak-bank-api-golang:1.0.0 </code></pre> </div> <h2> <strong>8. Troubleshooting Tips</strong> </h2> <ul> <li> <strong>Login errors?</strong> Check that <code>DOCKER_USERNAME</code> and <code>DOCKER_PASSWORD</code> are correctly set</li> <li> <strong>Pipeline fails at Docker commands?</strong> Ensure Docker-in-Docker (<code>docker:dind</code>) is enabled</li> <li> <strong>Image not visible?</strong> Double-check the tag and Docker Hub repo name</li> </ul> <h2> <strong>9. What’s Next?</strong> </h2> <p>Awesome work! Your Go app is now packaged in a Docker image and stored in Docker Hub—ready to be deployed anywhere.</p> <p>In the next episode, we’ll add <strong>Trivy</strong> to your pipeline to automatically scan your image for vulnerabilities.</p> <h2> <strong>Summary</strong> </h2> <ul> <li>You built and pushed Docker images via GitLab CI/CD</li> <li>You configured Docker Hub authentication</li> <li>Your app is now containerized and stored in a public/private registry</li> </ul> <p><strong>Ready for EP 5.2? Stay tuned — we're adding Trivy to scan Docker Hub images for vulnerabilities!</strong></p> Building, Securing, and Deploying a Go App with GitLab CI/CD EP 6: Deploy and Scan Your Go API with OWASP ZAP in GitLab CI/CD Booranasak Kanthong Mon, 04 Aug 2025 16:03:28 +0000 https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-6-deploy-and-scan-your-go-api-with-ill https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-6-deploy-and-scan-your-go-api-with-ill <h2> <strong>Introduction</strong> </h2> <p>Welcome to Episode 6 of our CI/CD journey!<br> So far, you’ve built a secure pipeline: building, testing, scanning, and pushing your app image automatically. In this episode, you’ll learn how to automate the <strong>deployment</strong> of your Docker image and use <strong>OWASP ZAP</strong> to scan your running API for vulnerabilities—just like professional DevOps teams do.</p> <ul> <li> <strong>Recap:</strong> Up to now, you’ve built, tested, scanned, and pushed your app image.</li> <li> <strong>What’s next:</strong> Deploying your app, then scanning your running API for security issues using OWASP ZAP.</li> <li> <strong>Why it matters:</strong> Even a secure image can expose vulnerabilities once deployed—API scanning helps catch those.</li> </ul> <h2> <strong>1. Automated Deployment from GitLab CI/CD</strong> </h2> <p>A big step in DevOps is letting your pipeline deploy the latest app image for you—no more manual server logins!<br> We’ll use GitLab CI/CD to connect to a remote server via SSH and run our new Docker image.</p> <h3> <strong>Why Use SSH Keys?</strong> </h3> <ul> <li>SSH keys keep your connection secure without exposing passwords.</li> <li>Store your keys as GitLab CI/CD variables (like <code>SSH_PRIVATE_KEY</code>), <strong>never</strong> hard-code secrets.</li> </ul> <blockquote> <p>I’ve already covered this topic, so you can follow along using the link below.<br> <a href="https://dev.to/mirrorsan/gitlab-deploy-though-ssh-3p9l">Setup SSH Key Method</a></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjitrw2qpgsir89o7ct2u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjitrw2qpgsir89o7ct2u.png" alt=" " width="800" height="272"></a></p> <h3> <strong>Example Deployment Job</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">deploy_to_production</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">deploy</span> <span class="na">image</span><span class="pi">:</span> <span class="s">google/cloud-sdk:latest</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Install Docker"</span> <span class="pi">-</span> <span class="s">apt-get update &amp;&amp; apt-get install -y docker.io curl ca-certificates tar gzip openssh-client</span> <span class="pi">-</span> <span class="s">echo "Setting up Google Cloud authentication..."</span> <span class="pi">-</span> <span class="s">echo "$GCP_SA_KEY" | base64 -d &gt; $CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud auth activate-service-account --key-file=$CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud config set project escian</span> <span class="pi">-</span> <span class="s">gcloud auth configure-docker asia-southeast1-docker.pkg.dev --quiet</span> <span class="pi">-</span> <span class="s">eval $(ssh-agent -s)</span> <span class="pi">-</span> <span class="s">echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -</span> <span class="pi">-</span> <span class="s">mkdir -p ~/.ssh</span> <span class="pi">-</span> <span class="s">chmod 700 ~/.ssh</span> <span class="pi">-</span> <span class="s">echo "$SSH_KNOWN_HOSTS" &gt;&gt; ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">chmod 644 ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">ssh-keyscan $REMOTE_HOST &gt;&gt; ~/.ssh/known_hosts</span> <span class="c1"># Good for adding on the fly if not using a variable</span> <span class="pi">-</span> <span class="s">ls -lrta ~/.ssh</span> <span class="pi">-</span> <span class="s">cat ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">id</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ssh $REMOTE_USER@$REMOTE_HOST "docker run -d -p 8502:8002 $IMAGE_TAG_GOOGLE &amp;&amp; docker ps | grep uvicorn | awk '{print \$1}' &gt; CONTAINER_ID.txt &amp;"</span> </code></pre> </div> <ul> <li><strong>What this does:</strong></li> <li>Install Docker</li> <li>Authenticates with Google Cloud so the image can be pulled</li> <li>Sets up SSH, authenticates securely, and runs your Docker container on the remote host.</li> </ul> <h3> If you use Docker </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">deploy_to_production</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">deploy</span> <span class="na">image</span><span class="pi">:</span> <span class="s">alpine</span> <span class="na">before_script</span><span class="pi">:</span> <span class="c1"># Install openssh-client if not present in the image</span> <span class="pi">-</span> <span class="s">apk add --no-cache openssh-client</span> <span class="c1"># Set up SSH agent</span> <span class="pi">-</span> <span class="s">eval $(ssh-agent -s)</span> <span class="c1"># Add the private key from the CI/CD secret</span> <span class="pi">-</span> <span class="s">echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -</span> <span class="c1"># Create the .ssh directory and add known hosts</span> <span class="pi">-</span> <span class="s">mkdir -p ~/.ssh</span> <span class="pi">-</span> <span class="s">chmod 700 ~/.ssh</span> <span class="pi">-</span> <span class="s">echo "$SSH_KNOWN_HOSTS" &gt;&gt; ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">chmod 644 ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">ssh-keyscan $REMOTE_HOST &gt;&gt; ~/.ssh/known_hosts</span> <span class="c1"># Good for adding on the fly if not using a variable</span> <span class="pi">-</span> <span class="s">ls -lrta ~/.ssh</span> <span class="pi">-</span> <span class="s">cat ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">id</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ssh $REMOTE_USER@$REMOTE_HOST "docker run -d -p 8502:8002 mirrorheart/todo-api-golang &amp;&amp; docker ps | grep uvicorn | awk '{print $1}' &gt; CONTAINER_ID.txt &amp;"</span> </code></pre> </div> <h2> <strong>2. Health Checking Your API Before Scanning</strong> </h2> <p>You don’t want to scan your API until it’s actually running!<br> A health check waits for your deployed app to be up before moving forward.</p> <h3> <strong>Sample Health Check Script</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..10<span class="o">}</span><span class="p">;</span> <span class="k">do if </span>curl <span class="nt">-sSf</span> <span class="s2">"</span><span class="nv">$APP_URL_HEALTH</span><span class="s2">"</span> <span class="o">&gt;</span> /dev/null<span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Target is up."</span> <span class="nb">break </span><span class="k">else </span><span class="nb">echo</span> <span class="s2">"Waiting for target... (</span><span class="nv">$i</span><span class="s2">/10)"</span> <span class="nb">sleep </span>5 <span class="k">fi if</span> <span class="o">[</span> <span class="nv">$i</span> <span class="nt">-eq</span> 10 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Target not reachable after 50 seconds."</span> <span class="nb">exit </span>1 <span class="k">fi done</span> </code></pre> </div> <ul> <li>This script pings your app up to 10 times, waiting up to 50 seconds before failing if it can't connect.</li> </ul> <h2> <strong>3. API Security Scanning with OWASP ZAP</strong> </h2> <h3> <strong>What is OWASP ZAP?</strong> </h3> <p><strong>OWASP ZAP</strong> (Zed Attack Proxy) is a free, open-source security tool for finding vulnerabilities in web applications and APIs.<br> It checks your running app for issues that code or image scans can’t find—like missing authentication, insecure endpoints, or sensitive data leaks.</p> <h3> <strong>Why Use It in CI/CD?</strong> </h3> <ul> <li>Scans the real, running API for real-world security problems</li> <li>Catches issues before users (or attackers) find them</li> </ul> <h3> <strong>Add ZAP to Your Pipeline</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">zap_scan</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">zap_scan</span> <span class="na">image</span><span class="pi">:</span> <span class="s">zaproxy/zap-stable</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Checking if the target is reachable..."</span> <span class="pi">-</span> <span class="c1"># (paste the health check script here)</span> <span class="pi">-</span> <span class="s">mkdir -p /zap/wrk</span> <span class="pi">-</span> <span class="s">ln -s "$CI_PROJECT_DIR" /zap/wrk</span> <span class="pi">-</span> <span class="s">echo "Starting ZAP baseline scan..."</span> <span class="pi">-</span> <span class="s">zap-baseline.py -t "$APP_URL" -r zap-report.html -I</span> <span class="pi">-</span> <span class="s">cp /zap/wrk/zap-report.html "$CI_PROJECT_DIR/" || </span><span class="kc">true</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">zap-report.html</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">7 days</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <ul> <li> <strong>What this does:</strong> Waits for your API to be up, runs a baseline ZAP scan, and saves the full report as a downloadable artifact.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsynkdiud8jti65mv7e51.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsynkdiud8jti65mv7e51.png" alt=" " width="294" height="152"></a></p> <p>You will get file .ZIP (original name: artifact.zip)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpskdz26fkt4rndsptizp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpskdz26fkt4rndsptizp.png" alt=" " width="170" height="89"></a></p> <blockquote> <p>I have renamed the file for better clarity.</p> </blockquote> <p>Let's take a look at the report file</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxnfv6oxhv3r687mhb369.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxnfv6oxhv3r687mhb369.png" alt=" " width="800" height="902"></a></p> <blockquote> <p>Quite long</p> </blockquote> <h2> <strong>4. Reading &amp; Acting on ZAP Reports</strong> </h2> <ul> <li>Go to your pipeline in GitLab and click the <code>zap_scan</code> job.</li> <li>Download and open <code>zap-report.html</code> to see results.</li> </ul> <h3> <strong>What to Look For</strong> </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ll6o2ctlamisnf6nl5d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ll6o2ctlamisnf6nl5d.png" alt=" " width="800" height="442"></a></p> <ul> <li> <strong>High</strong> or <strong>Medium</strong> risk findings: Fix these before deploying to users!</li> <li> <strong>Auth or access control</strong> warnings: Make sure only the right people can access sensitive endpoints.</li> <li> <strong>Informational/Low</strong> findings: Good to know, but not urgent.</li> </ul> <h3> Alert Detail </h3> <p><strong>Risk Level:</strong> Low<br> <strong>Issue:</strong> Insufficient Site Isolation Against Spectre Vulnerability<br> <strong>Description:</strong> Your application does not set the Cross-Origin-Resource-Policy (CORP) header. This header is crucial for mitigating side-channel attacks like Spectre by controlling how resources are shared across origins.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4o25hbieh3t4w7z9et57.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4o25hbieh3t4w7z9et57.png" alt=" " width="800" height="395"></a></p> <p><strong>Risk Level:</strong> Low<br> <strong>Issue:</strong> X-Content-Type-Options Header Missing<br> <strong>Description:</strong>Your application does not set the X-Content-Type-Options HTTP response header to nosniff. This header is critical for preventing MIME-sniffing by older browsers (like Internet Explorer and Chrome), which may otherwise interpret the response body as a different content type than declared — potentially allowing cross-site scripting (XSS) or other injection attacks on certain responses.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F36hho5q2r3f93ace693l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F36hho5q2r3f93ace693l.png" alt=" " width="800" height="207"></a></p> <p><strong>Informational</strong><br> <strong>Risk Level:</strong> Informational<br> <strong>Issue:</strong> Storable and Cacheable Content<br> <strong>Description:</strong> The HTTP responses from your web server do not include explicit caching directives, which causes proxy or browser caches to apply heuristic expiration policies (e.g., 1 year by default). This can be a privacy risk, especially if:</p> <ul> <li>The content is sensitive, personal, or user-specific.</li> <li>Shared caches (e.g., corporate or school proxies) are involved.</li> <li>Such responses may be retrieved by others without a direct request to the origin server, risking exposure of private data or even session hijacking.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjoip6yugz4i2kyghd31r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjoip6yugz4i2kyghd31r.png" alt=" " width="800" height="377"></a></p> <h2> <strong>5. (Optional) Stopping Your App</strong> </h2> <p>You might want to stop your demo or test container after scanning.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">stop_to_production</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">deploy</span> <span class="na">image</span><span class="pi">:</span> <span class="s">alpine</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apk add --no-cache openssh-client</span> <span class="pi">-</span> <span class="s">eval $(ssh-agent -s)</span> <span class="pi">-</span> <span class="s">echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -</span> <span class="pi">-</span> <span class="s">mkdir -p ~/.ssh</span> <span class="pi">-</span> <span class="s">chmod 700 ~/.ssh</span> <span class="pi">-</span> <span class="s">echo "$SSH_KNOWN_HOSTS" &gt;&gt; ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">chmod 644 ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">ssh-keyscan $REMOTE_HOST &gt;&gt; ~/.ssh/known_hosts</span> <span class="c1"># Good for adding on the fly if not using a variable</span> <span class="pi">-</span> <span class="s">ls -lrta ~/.ssh</span> <span class="pi">-</span> <span class="s">cat ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">id</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ssh $REMOTE_USER@$REMOTE_HOST "cat CONTAINER_ID.txt | xargs docker stop"</span> <span class="na">when</span><span class="pi">:</span> <span class="s">manual</span> </code></pre> </div> <ul> <li> <strong>Tip:</strong> Mark this job as <code>manual</code> so it only runs when you trigger it.</li> </ul> <h2> <strong>6. Merge scripts together</strong> </h2> <p>It will look like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker:dind</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">DOCKER_HOST</span><span class="pi">:</span> <span class="s">tcp://docker:2375/</span> <span class="na">DOCKER_TLS_CERTDIR</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">GO_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.24.3"</span> <span class="na">SONAR_USER_HOME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${CI_PROJECT_DIR}/.sonar"</span> <span class="na">IMAGE_NAME_GOOGLE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">booranasak-bank-api-golang"</span> <span class="na">IMAGE_VERSION_TAG</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">IMAGE_TAG_GOOGLE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">asia-southeast1-docker.pkg.dev/escian/booranasak-artifact-registry-docker/$IMAGE_NAME_GOOGLE:$IMAGE_VERSION_TAG"</span> <span class="na">IMAGE_TAR</span><span class="pi">:</span> <span class="s">todo-api.tar</span> <span class="na">GIT_DEPTH</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">REMOTE_USER</span><span class="pi">:</span> <span class="s">booranasak42545</span> <span class="na">REMOTE_HOST</span><span class="pi">:</span> <span class="s">35.209.94.73</span> <span class="na">REMOTE_APP_DIR</span><span class="pi">:</span> <span class="s">/home/booranasak42545/deploy_repo</span> <span class="na">APP_URL</span><span class="pi">:</span> <span class="s">http://35.209.94.73:8502</span> <span class="na">APP_URL_HEALTH</span><span class="pi">:</span> <span class="s">http://35.209.94.73:8502</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint</span> <span class="pi">-</span> <span class="s">test</span> <span class="pi">-</span> <span class="s">sast</span> <span class="pi">-</span> <span class="s">build</span> <span class="pi">-</span> <span class="s">push</span> <span class="pi">-</span> <span class="s">sca_image</span> <span class="pi">-</span> <span class="s">deploy</span> <span class="pi">-</span> <span class="s">zap_scan</span> <span class="na">.go-job-template</span><span class="pi">:</span> <span class="nl">&amp;go-job-template</span> <span class="na">image</span><span class="pi">:</span> <span class="s">debian:bullseye</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt update &amp;&amp; apt install -y curl git tar gzip</span> <span class="pi">-</span> <span class="s">curl -LO https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">rm -rf /usr/local/go &amp;&amp; tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go version</span> <span class="na">lint_golint</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">lint</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go install golang.org/x/lint/golint@latest</span> <span class="pi">-</span> <span class="s">export PATH="$PATH:$(go env GOPATH)/bin"</span> <span class="pi">-</span> <span class="s">echo "Linting files:"</span> <span class="pi">-</span> <span class="s">find . -name '*.go'</span> <span class="pi">-</span> <span class="s">golint ./... | tee lint-report.txt</span> <span class="pi">-</span> <span class="s">echo "--- Lint report preview ---"</span> <span class="pi">-</span> <span class="s">cat lint-report.txt || echo "lint-report.txt is empty"</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">golint-report"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint-report.txt</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 week</span> <span class="na">unit_test_and_coverage</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">test</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go mod tidy</span> <span class="pi">-</span> <span class="s">go test -v -cover ./...</span> <span class="pi">-</span> <span class="s">go test -v -coverprofile=coverage.out ./...</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">coverage.out</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> <span class="na">sonarqube-check</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">unit_test_and_coverage</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sonar-scanner -Dsonar.host.url="${SONAR_HOST_URL}" -Dsonar.go.coverage.reportPaths=coverage.out -Dsonar.exclusions=**/*_test.go</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">sonarqube-vulnerability-report</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">curl</span><span class="nv"> </span><span class="s">-u</span><span class="nv"> </span><span class="s">"${SONAR_TOKEN}:"</span><span class="nv"> </span><span class="s">"${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=booranasak-golang-sast&amp;branch=${CI_COMMIT_BRANCH}&amp;pullRequest=${CI_MERGE_REQUEST_IID}"</span><span class="nv"> </span><span class="s">-o</span><span class="nv"> </span><span class="s">gl-sast-sonar-report.json'</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 day</span> <span class="na">reports</span><span class="pi">:</span> <span class="na">sast</span><span class="pi">:</span> <span class="s">gl-sast-sonar-report.json</span> <span class="na">build_image</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">build</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker build -t $IMAGE_TAG_GOOGLE .</span> <span class="pi">-</span> <span class="s">docker save $IMAGE_TAG_GOOGLE -o $IMAGE_TAR</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">docker-image-tar"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">$IMAGE_TAR</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> <span class="na">push_image_to_registry</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">push</span> <span class="na">image</span><span class="pi">:</span> <span class="s">google/cloud-sdk:latest</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build_image</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Install Docker"</span> <span class="pi">-</span> <span class="s">apt-get update &amp;&amp; apt-get install -y docker.io</span> <span class="pi">-</span> <span class="s">echo "Setting up Google Cloud authentication..."</span> <span class="pi">-</span> <span class="s">echo "$GCP_SA_KEY" | base64 -d &gt; $CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud auth activate-service-account --key-file=$CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud config set project escian</span> <span class="pi">-</span> <span class="s">gcloud auth configure-docker asia-southeast1-docker.pkg.dev --quiet</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker load -i $IMAGE_TAR</span> <span class="pi">-</span> <span class="s">docker push $IMAGE_TAG_GOOGLE</span> <span class="na">image_scan</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sca_image</span> <span class="na">image</span><span class="pi">:</span> <span class="s">google/cloud-sdk:latest</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">TRIVY_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.54.1"</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Install Docker"</span> <span class="pi">-</span> <span class="s">apt-get update &amp;&amp; apt-get install -y docker.io curl ca-certificates tar gzip</span> <span class="pi">-</span> <span class="s">echo "Setting up Google Cloud authentication..."</span> <span class="pi">-</span> <span class="s">echo "$GCP_SA_KEY" | base64 -d &gt; $CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud auth activate-service-account --key-file=$CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud config set project escian</span> <span class="pi">-</span> <span class="s">gcloud auth configure-docker asia-southeast1-docker.pkg.dev --quiet</span> <span class="pi">-</span> <span class="s">curl -fsSL https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz | tar -xz -C /usr/local/bin trivy</span> <span class="pi">-</span> <span class="s">trivy --version</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Scanning Docker image for vulnerabilities..."</span> <span class="pi">-</span> <span class="s">trivy image $IMAGE_TAG_GOOGLE</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">deploy_to_production</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">deploy</span> <span class="na">image</span><span class="pi">:</span> <span class="s">google/cloud-sdk:latest</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Install Docker"</span> <span class="pi">-</span> <span class="s">apt-get update &amp;&amp; apt-get install -y docker.io curl ca-certificates tar gzip openssh-client</span> <span class="pi">-</span> <span class="s">echo "Setting up Google Cloud authentication..."</span> <span class="pi">-</span> <span class="s">echo "$GCP_SA_KEY" | base64 -d &gt; $CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud auth activate-service-account --key-file=$CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud config set project escian</span> <span class="pi">-</span> <span class="s">gcloud auth configure-docker asia-southeast1-docker.pkg.dev --quiet</span> <span class="pi">-</span> <span class="s">eval $(ssh-agent -s)</span> <span class="pi">-</span> <span class="s">echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -</span> <span class="pi">-</span> <span class="s">mkdir -p ~/.ssh</span> <span class="pi">-</span> <span class="s">chmod 700 ~/.ssh</span> <span class="pi">-</span> <span class="s">echo "$SSH_KNOWN_HOSTS" &gt;&gt; ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">chmod 644 ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">ssh-keyscan $REMOTE_HOST &gt;&gt; ~/.ssh/known_hosts</span> <span class="c1"># Good for adding on the fly if not using a variable</span> <span class="pi">-</span> <span class="s">ls -lrta ~/.ssh</span> <span class="pi">-</span> <span class="s">cat ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">id</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ssh $REMOTE_USER@$REMOTE_HOST "docker run -d -p 8502:8002 $IMAGE_TAG_GOOGLE &amp;&amp; docker ps | grep uvicorn | awk '{print \$1}' &gt; CONTAINER_ID.txt &amp;"</span> <span class="na">stop_to_production</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">deploy</span> <span class="na">image</span><span class="pi">:</span> <span class="s">alpine</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apk add --no-cache openssh-client</span> <span class="pi">-</span> <span class="s">eval $(ssh-agent -s)</span> <span class="pi">-</span> <span class="s">echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -</span> <span class="pi">-</span> <span class="s">mkdir -p ~/.ssh</span> <span class="pi">-</span> <span class="s">chmod 700 ~/.ssh</span> <span class="pi">-</span> <span class="s">echo "$SSH_KNOWN_HOSTS" &gt;&gt; ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">chmod 644 ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">ssh-keyscan $REMOTE_HOST &gt;&gt; ~/.ssh/known_hosts</span> <span class="c1"># Good for adding on the fly if not using a variable</span> <span class="pi">-</span> <span class="s">ls -lrta ~/.ssh</span> <span class="pi">-</span> <span class="s">cat ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="s">id</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ssh $REMOTE_USER@$REMOTE_HOST "cat CONTAINER_ID.txt | xargs docker stop"</span> <span class="na">when</span><span class="pi">:</span> <span class="s">manual</span> <span class="na">zap_scan</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">zap_scan</span> <span class="na">image</span><span class="pi">:</span> <span class="s">zaproxy/zap-stable</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Checking if the target is reachable..."</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">for i in {1..10}; do</span> <span class="s">if curl -sSf "$APP_URL_HEALTH" &gt; /dev/null; then</span> <span class="s">echo "Target is up."</span> <span class="s">break</span> <span class="s">else</span> <span class="s">echo "Waiting for target... ($i/10)"</span> <span class="s">sleep 5</span> <span class="s">fi</span> <span class="s">if [ $i -eq 10 ]; then</span> <span class="s">echo "Target not reachable after 50 seconds."</span> <span class="s">exit 1</span> <span class="s">fi</span> <span class="s">done</span> <span class="pi">-</span> <span class="s">mkdir -p /zap/wrk</span> <span class="pi">-</span> <span class="s">ln -s "$CI_PROJECT_DIR" /zap/wrk</span> <span class="pi">-</span> <span class="s">echo "Starting ZAP baseline scan..."</span> <span class="pi">-</span> <span class="s">zap-baseline.py -t "$APP_URL" -r zap-report.html -I</span> <span class="pi">-</span> <span class="s">cp /zap/wrk/zap-report.html "$CI_PROJECT_DIR/" || </span><span class="kc">true</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">zap-report.html</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">7 days</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnnfj9lztjf2z1dmykzik.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnnfj9lztjf2z1dmykzik.png" alt=" " width="800" height="87"></a></p> <h2> <strong>7. Wrap Up and What’s Next</strong> </h2> <p>Congrats—you’ve now automated <strong>deployment</strong> and <strong>API scanning</strong> for your Go app using GitLab CI/CD and OWASP ZAP!<br> This means every change you make gets checked for code bugs, image vulnerabilities, and live API security—all before users ever see it.</p> <p><strong>What else can you automate?</strong></p> <ul> <li>Slack/email notifications for new vulnerabilities</li> <li>Deploying to cloud platforms like GCP or AWS</li> </ul> <p><strong>Thank you for following along!<br> Be sure to check out the earlier episodes and stay tuned for the next one.</strong></p> Building, Securing, and Deploying a Go App with GitLab CI/CD EP 5.1: Container Image Scanning(GAR) with Trivy in GitLab CI/CD Booranasak Kanthong Mon, 04 Aug 2025 09:50:11 +0000 https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-5-container-image-scanning-with-anb https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-5-container-image-scanning-with-anb <h2> <strong>Introduction</strong> </h2> <p>Welcome back! Last time, you learned how to build and push your Docker image to Google Artifact Registry (GAR) using GitLab CI/CD. But before we ship our app to production, let’s make sure our Docker image is safe by scanning it for vulnerabilities using a tool called <strong>Trivy</strong>.</p> <p>In this episode, you’ll learn:</p> <ul> <li>What Trivy is and why you need image scanning</li> <li>How to add Trivy to your GitLab CI/CD pipeline</li> <li>How to read and act on your scan results</li> </ul> <h2> <strong>1. What is Trivy and Why Scan Your Images?</strong> </h2> <p><strong>Trivy</strong> is an easy-to-use, open-source tool that scans Docker images for security vulnerabilities.<br> Just like you wouldn’t install software from an unknown source, you shouldn’t run containers with hidden risks.</p> <p><strong>Why scan?</strong></p> <ul> <li>Containers often include software from many sources</li> <li>Vulnerabilities can sneak into your images even if your code is safe</li> <li>Scanning helps you find and fix risks <em>before</em> they hit production</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F13ysgf21i603e455p38g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F13ysgf21i603e455p38g.png" alt=" " width="800" height="800"></a></p> <h2> <strong>2. How Trivy Fits in Your Pipeline</strong> </h2> <p>Here’s how your pipeline flow looks now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[GitLab Pipeline] | v [Build Docker Image] | v [Push Image to GAR] | v [Scan Image with Trivy] | v [Ready for Deploy!] </code></pre> </div> <h2> <strong>3. Adding Trivy to Your .gitlab-ci.yml</strong> </h2> <p>Here’s a simple Trivy job based on your previous setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image_scan</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sca_image</span> <span class="na">image</span><span class="pi">:</span> <span class="s">google/cloud-sdk:latest</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">TRIVY_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.54.1"</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Install Docker"</span> <span class="pi">-</span> <span class="s">apt-get update &amp;&amp; apt-get install -y docker.io curl ca-certificates tar gzip</span> <span class="pi">-</span> <span class="s">echo "Setting up Google Cloud authentication..."</span> <span class="pi">-</span> <span class="s">echo "$GCP_SA_KEY" | base64 -d &gt; $CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud auth activate-service-account --key-file=$CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud config set project YOUR_PROJECT_ID</span> <span class="pi">-</span> <span class="s">gcloud auth configure-docker asia-southeast1-docker.pkg.dev --quiet</span> <span class="pi">-</span> <span class="s">curl -fsSL https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz | tar -xz -C /usr/local/bin trivy</span> <span class="pi">-</span> <span class="s">trivy --version</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Scanning Docker image for vulnerabilities..."</span> <span class="pi">-</span> <span class="s">trivy image $IMAGE_TAG_GOOGLE | tee trivy-report.txt</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">trivy-report"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">trivy-report.txt</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 week</span> </code></pre> </div> <p><strong>What’s happening here?</strong></p> <ul> <li>Installs Docker and Trivy</li> <li>Authenticates with Google Cloud so the image can be pulled</li> <li>Runs Trivy to scan your image in GAR</li> <li>Saves the results as <code>trivy-report.txt</code> </li> <li>The job is allowed to fail (<code>allow_failure: true</code>) so a vulnerability won’t block your learning or experimenting</li> </ul> <h2> <strong>4. Merge scripts together</strong> </h2> <p>It will look like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker:dind</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">DOCKER_HOST</span><span class="pi">:</span> <span class="s">tcp://docker:2375/</span> <span class="na">DOCKER_TLS_CERTDIR</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">GO_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.24.3"</span> <span class="na">SONAR_USER_HOME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${CI_PROJECT_DIR}/.sonar"</span> <span class="na">IMAGE_NAME_GOOGLE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">booranasak-bank-api-golang"</span> <span class="na">IMAGE_VERSION_TAG</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">IMAGE_TAG_GOOGLE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">asia-southeast1-docker.pkg.dev/escian/booranasak-artifact-registry-docker/$IMAGE_NAME_GOOGLE:$IMAGE_VERSION_TAG"</span> <span class="na">IMAGE_TAR</span><span class="pi">:</span> <span class="s">todo-api.tar</span> <span class="na">GIT_DEPTH</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint</span> <span class="pi">-</span> <span class="s">test</span> <span class="pi">-</span> <span class="s">sast</span> <span class="pi">-</span> <span class="s">build</span> <span class="pi">-</span> <span class="s">push</span> <span class="pi">-</span> <span class="s">sca_image</span> <span class="na">.go-job-template</span><span class="pi">:</span> <span class="nl">&amp;go-job-template</span> <span class="na">image</span><span class="pi">:</span> <span class="s">debian:bullseye</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt update &amp;&amp; apt install -y curl git tar gzip</span> <span class="pi">-</span> <span class="s">curl -LO https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">rm -rf /usr/local/go &amp;&amp; tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go version</span> <span class="na">lint_golint</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">lint</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go install golang.org/x/lint/golint@latest</span> <span class="pi">-</span> <span class="s">export PATH="$PATH:$(go env GOPATH)/bin"</span> <span class="pi">-</span> <span class="s">echo "Linting files:"</span> <span class="pi">-</span> <span class="s">find . -name '*.go'</span> <span class="pi">-</span> <span class="s">golint ./... | tee lint-report.txt</span> <span class="pi">-</span> <span class="s">echo "--- Lint report preview ---"</span> <span class="pi">-</span> <span class="s">cat lint-report.txt || echo "lint-report.txt is empty"</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">golint-report"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint-report.txt</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 week</span> <span class="na">unit_test_and_coverage</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">test</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go mod tidy</span> <span class="pi">-</span> <span class="s">go test -v -cover ./...</span> <span class="pi">-</span> <span class="s">go test -v -coverprofile=coverage.out ./...</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">coverage.out</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> <span class="na">sonarqube-check</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">unit_test_and_coverage</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sonar-scanner -Dsonar.host.url="${SONAR_HOST_URL}" -Dsonar.go.coverage.reportPaths=coverage.out -Dsonar.exclusions=**/*_test.go</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">sonarqube-vulnerability-report</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">curl</span><span class="nv"> </span><span class="s">-u</span><span class="nv"> </span><span class="s">"${SONAR_TOKEN}:"</span><span class="nv"> </span><span class="s">"${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=booranasak-golang-sast&amp;branch=${CI_COMMIT_BRANCH}&amp;pullRequest=${CI_MERGE_REQUEST_IID}"</span><span class="nv"> </span><span class="s">-o</span><span class="nv"> </span><span class="s">gl-sast-sonar-report.json'</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 day</span> <span class="na">reports</span><span class="pi">:</span> <span class="na">sast</span><span class="pi">:</span> <span class="s">gl-sast-sonar-report.json</span> <span class="na">build_image</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">build</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker build -t $IMAGE_TAG_GOOGLE .</span> <span class="pi">-</span> <span class="s">docker save $IMAGE_TAG_GOOGLE -o $IMAGE_TAR</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">docker-image-tar"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">$IMAGE_TAR</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> <span class="na">push_image_to_registry</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">push</span> <span class="na">image</span><span class="pi">:</span> <span class="s">google/cloud-sdk:latest</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build_image</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Install Docker"</span> <span class="pi">-</span> <span class="s">apt-get update &amp;&amp; apt-get install -y docker.io</span> <span class="pi">-</span> <span class="s">echo "Setting up Google Cloud authentication..."</span> <span class="pi">-</span> <span class="s">echo "$GCP_SA_KEY" | base64 -d &gt; $CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud auth activate-service-account --key-file=$CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud config set project escian</span> <span class="pi">-</span> <span class="s">gcloud auth configure-docker asia-southeast1-docker.pkg.dev --quiet</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker load -i $IMAGE_TAR</span> <span class="pi">-</span> <span class="s">docker push $IMAGE_TAG_GOOGLE</span> <span class="na">image_scan</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sca_image</span> <span class="na">image</span><span class="pi">:</span> <span class="s">google/cloud-sdk:latest</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">TRIVY_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.54.1"</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Install Docker"</span> <span class="pi">-</span> <span class="s">apt-get update &amp;&amp; apt-get install -y docker.io curl ca-certificates tar gzip</span> <span class="pi">-</span> <span class="s">echo "Setting up Google Cloud authentication..."</span> <span class="pi">-</span> <span class="s">echo "$GCP_SA_KEY" | base64 -d &gt; $CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud auth activate-service-account --key-file=$CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud config set project escian</span> <span class="pi">-</span> <span class="s">gcloud auth configure-docker asia-southeast1-docker.pkg.dev --quiet</span> <span class="pi">-</span> <span class="s">curl -fsSL https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz | tar -xz -C /usr/local/bin trivy</span> <span class="pi">-</span> <span class="s">trivy --version</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Scanning Docker image for vulnerabilities..."</span> <span class="pi">-</span> <span class="s">trivy image $IMAGE_TAG_GOOGLE</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h2> <strong>5. Viewing and Understanding Your Trivy Scan Results</strong> </h2> <ul> <li>Go to your pipeline in GitLab.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8zyc7n7mwog66hgbywrh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8zyc7n7mwog66hgbywrh.png" alt=" " width="318" height="1065"></a></p> <ul> <li>Click at your recent run pipeline</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F635pkl4jfp3zk0jtxg86.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F635pkl4jfp3zk0jtxg86.png" alt=" " width="800" height="339"></a></p> <ul> <li>Click on the <code>image_scan</code> job.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqz6w98a7arh79eup507k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqz6w98a7arh79eup507k.png" alt=" " width="800" height="101"></a></p> <p>*You can view the Trivy report directly from the output logs, or configure your pipeline to save the Trivy report as an artifact. This allows you to download or preview the trivy-report.txt artifact.</p> <h4> Output logs(this from other pipeline) </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9jqm2s61sspekz2aker5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9jqm2s61sspekz2aker5.png" alt=" " width="800" height="293"></a></p> <p><strong>What do the results mean?</strong></p> <ul> <li>Trivy will list all detected vulnerabilities, their severity, and where they were found (like OS packages or app dependencies).</li> <li>Focus on “HIGH” or “CRITICAL” vulnerabilities—those should be fixed first.</li> <li>If the Status is fixed, you’re already protected and don’t need to take action. </li> <li>But if the status is affected, will_not_fix, or fix_deferred, you should pay close attention—these vulnerabilities are not yet resolved and may still put your project at risk. Review them carefully and patch or mitigate as soon as possible.</li> </ul> <p>In our Code and Image that being use there are no vulnerabilities</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu0mon21nmugrezq2s1zg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu0mon21nmugrezq2s1zg.png" alt=" " width="800" height="106"></a></p> <h2> <strong>6. What If I Find Vulnerabilities?</strong> </h2> <ul> <li> <strong>Read the Trivy output carefully</strong>—it tells you which package (and version) is affected.</li> <li>Many issues can be fixed by updating your <code>Dockerfile</code> or base image.</li> <li>Sometimes, vulnerabilities are in dependencies you don’t use directly. Research if an update or patch is available.</li> <li>If you’re not sure, search the CVE ID online for advice.</li> </ul> <h2> <strong>7. Tips and Best Practices</strong> </h2> <ul> <li> <strong>Scan every new build:</strong> Don’t skip scanning for speed; automate it!</li> <li> <strong>Keep Trivy updated:</strong> Vulnerabilities are found all the time.</li> <li> <strong>Don’t ignore “HIGH”/“CRITICAL” issues:</strong> If you must, at least understand the risk.</li> <li> <strong>Automate alerting:</strong> Advanced: send scan failures to Slack, email, etc.</li> </ul> <h2> <strong>8. What’s Next?</strong> </h2> <p>Awesome! Your pipeline now checks for vulnerabilities in every image.<br> Next, we’ll move on to <strong>deploying your image</strong> and running <strong>live API security scans</strong> with <strong>OWASP ZAP</strong>—so your app is not only safe inside, but also from the outside.</p> <h2> <strong>Summary</strong> </h2> <ul> <li>Added Trivy to your pipeline for automatic container security checks</li> <li>Learned how to read and act on Trivy results</li> <li>Set your project up for safer, more professional deployments</li> </ul> <p><em>Ready for the next step? See you in Episode 6 for deploy and API security scanning with ZAP!</em></p> Building, Securing, and Deploying a Go App with GitLab CI/CD EP 4.1: Build and Push Docker Image to GAR Booranasak Kanthong Mon, 04 Aug 2025 09:34:49 +0000 https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-4-build-and-push-docker-image-to-395h https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-4-build-and-push-docker-image-to-395h <h2> <strong>Introduction</strong> </h2> <p>Welcome back to our CI/CD journey! Last time, you learned how to scan your Go code for bugs and vulnerabilities with SonarQube. In this episode, we’ll take your project to the next level by <strong>packaging your app as a Docker image and pushing it to Google Artifact Registry (GAR)</strong>.</p> <p>By the end, you’ll know how to:</p> <ul> <li>Build a Docker image of your Go app in your GitLab pipeline</li> <li>Authenticate your pipeline with Google Cloud</li> <li>Push your image to GAR for safe storage and sharing</li> </ul> <h2> <strong>1. What is a Docker Image and Why Use a Registry?</strong> </h2> <p>A <strong>Docker image</strong> is like a recipe that describes how to run your app.<br> It bundles your code, dependencies, and configuration so your app runs the same everywhere.</p> <p>But once you build an image, you need a place to store it. That’s where a <strong>container registry</strong> like <strong>Google Artifact Registry (GAR)</strong> comes in!<br> A registry lets you store, share, and deploy images—just like how GitHub lets you store and share code.</p> <h3> <strong>Docker Image to Registry Flow</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">[</span><span class="nv">GitLab Pipeline Triggered</span><span class="pi">]</span> <span class="pi">|</span> <span class="s">v</span> <span class="pi">[</span><span class="nv">Docker Build Job</span><span class="pi">:</span> <span class="nv">Build App Image</span><span class="pi">]</span> <span class="pi">|</span> <span class="s">v</span> <span class="pi">[</span><span class="nv">Save Docker Image as .tar File</span><span class="pi">]</span> <span class="pi">|</span> <span class="s">v</span> <span class="pi">[</span><span class="nv">Push Job</span><span class="pi">:</span> <span class="nv">Authenticate with Google Cloud</span><span class="pi">]</span> <span class="pi">|</span> <span class="s">v</span> <span class="pi">[</span><span class="nv">Load Docker Image from .tar File</span><span class="pi">]</span> <span class="pi">|</span> <span class="s">v</span> <span class="pi">[</span><span class="nv">Push Docker Image to Google Artifact Registry</span><span class="pi">]</span> <span class="pi">|</span> <span class="s">v</span> <span class="pi">[</span><span class="nv">Image Available in Google Artifact Registry</span><span class="pi">]</span> </code></pre> </div> <h2> <strong>2. Setting Up Google Artifact Registry (GAR)</strong> </h2> <p>To push images to GAR, you need:</p> <ul> <li>A Google Cloud account</li> <li>A Docker repository set up in Artifact Registry</li> </ul> <h3> <strong>A. Enable Artifact Registry</strong> </h3> <p>1.) Go to the <a href="https://console.cloud.google.com/" rel="noopener noreferrer">Google Cloud Console</a>.<br> 2.) Make sure your project is selected.<br> 3.) Enable the <strong>Artifact Registry API</strong> (search for it in “APIs &amp; Services”).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq9u6dyf81afumjr11dym.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq9u6dyf81afumjr11dym.png" alt=" " width="468" height="152"></a></p> <h3> <strong>B. Create a Docker Repository</strong> </h3> <p>1.) In the Cloud Console sidebar, find <strong>Artifact Registry</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3eabnxxifxzril8ld3x0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3eabnxxifxzril8ld3x0.png" alt="You can search from Search Bar" width="711" height="172"></a></p> <blockquote> <p>You can search from <strong>Search Bar</strong></p> </blockquote> <p>2.) Click <strong>Repositories → CREATE REPOSITORY</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu5098sn55uafrjxjzhxt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu5098sn55uafrjxjzhxt.png" alt=" " width="800" height="67"></a></p> <p>3.) Choose type: <strong>Docker</strong>.<br> 4.) Pick a region (e.g., <code>asia-southeast1</code>).<br> 5.) Give it a name, like <code>booranasak-artifact-registry-docker</code>.</p> <h3> <strong>C. Note Your Repository URL</strong> </h3> <p>It will look something like:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsa2iph6g5vwrsit88d5z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsa2iph6g5vwrsit88d5z.png" alt=" " width="499" height="133"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>asia-southeast1-docker.pkg.dev/YOUR_PROJECT/YOUR_REPO/YOUR_IMAGE:TAG </code></pre> </div> <h2> <strong>3. Building Your Docker Image in GitLab CI/CD</strong> </h2> <p>You can automate Docker image builds using GitLab pipelines with <strong>Docker-in-Docker</strong>.</p> <p>Here’s the job from your <code>.gitlab-ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">variables</span><span class="pi">:</span> <span class="na">IMAGE_NAME_GOOGLE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">booranasak-bank-api-golang"</span> <span class="na">IMAGE_VERSION_TAG</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">IMAGE_TAG_GOOGLE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">asia-southeast1-docker.pkg.dev/escian/booranasak-artifact-registry-docker/$IMAGE_NAME_GOOGLE:$IMAGE_VERSION_TAG"</span> <span class="na">IMAGE_TAR</span><span class="pi">:</span> <span class="s">todo-api.tar</span> <span class="na">build_image</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">build</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker build -t $IMAGE_TAG_GOOGLE .</span> <span class="pi">-</span> <span class="s">docker save $IMAGE_TAG_GOOGLE -o $IMAGE_TAR</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">docker-image-tar"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">$IMAGE_TAR</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> </code></pre> </div> <p><strong>What’s happening here?</strong></p> <ul> <li> <code>docker build</code>: Builds your image and tags it for GAR</li> <li> <code>docker save</code>: Packages the image as a <code>.tar</code> file so you can use it in the next stage</li> </ul> <h2> <strong>4. Authenticating GitLab CI/CD with Google Cloud</strong> </h2> <p>To push images to GAR, your pipeline needs permission.<br> You do this with a <strong>Google Service Account</strong> and a GitLab CI/CD variable.</p> <h3> <strong>A. Create a Service Account and Key</strong> </h3> <p>1.) In Google Cloud, go to <strong>IAM &amp; Admin → Service Accounts</strong>.<br> 2.) Click <strong>Create Service Account</strong>.<br> 3.) Give it Artifact Registry permissions (<code>roles/artifactregistry.writer</code>).<br> 4.) Create and download a JSON key.</p> <h3> <strong>B. Add Service Account Key to GitLab</strong> </h3> <p>1.) In GitLab, go to your project → <strong>Settings → CI/CD → Variables</strong>.<br> 2.) Add a variable named <code>GCP_SA_KEY</code>.<br> 3.) Paste your JSON key as the value. (In my case, I convert it to base64 and save it. when I need to use it, I decode it from base64.)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9a5y6u5xol8ba6p7emmf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9a5y6u5xol8ba6p7emmf.png" alt=" " width="800" height="209"></a></p> <h2> <strong>5. Pushing the Image to GAR</strong> </h2> <p>Here’s the next job in your <code>.gitlab-ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">push_image_to_registry</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">push</span> <span class="na">image</span><span class="pi">:</span> <span class="s">google/cloud-sdk:latest</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build_image</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt-get update &amp;&amp; apt-get install -y docker.io</span> <span class="pi">-</span> <span class="s">echo "$GCP_SA_KEY" | base64 -d &gt; $CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud auth activate-service-account --key-file=$CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud config set project YOUR_PROJECT_ID</span> <span class="pi">-</span> <span class="s">gcloud auth configure-docker asia-southeast1-docker.pkg.dev --quiet</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker load -i $IMAGE_TAR</span> <span class="pi">-</span> <span class="s">docker push $IMAGE_TAG_GOOGLE</span> </code></pre> </div> <p><strong>What’s happening here?</strong></p> <ul> <li>Installs Docker CLI (needed for pushing)</li> <li>Sets up Google authentication using your service account key</li> <li>Authenticates Docker to GAR</li> <li>Loads the built image from the previous stage</li> <li>Pushes the image to your GAR repository</li> </ul> <p><em>(Insert screenshot: GitLab pipeline with push_image_to_registry job)</em></p> <h2> <strong>6. Merge scripts together</strong> </h2> <p>It will look like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker:dind</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">DOCKER_HOST</span><span class="pi">:</span> <span class="s">tcp://docker:2375/</span> <span class="na">DOCKER_TLS_CERTDIR</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">GO_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.24.3"</span> <span class="na">SONAR_USER_HOME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${CI_PROJECT_DIR}/.sonar"</span> <span class="na">IMAGE_NAME_GOOGLE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">booranasak-bank-api-golang"</span> <span class="na">IMAGE_VERSION_TAG</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">IMAGE_TAG_GOOGLE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">asia-southeast1-docker.pkg.dev/escian/booranasak-artifact-registry-docker/$IMAGE_NAME_GOOGLE:$IMAGE_VERSION_TAG"</span> <span class="na">IMAGE_TAR</span><span class="pi">:</span> <span class="s">todo-api.tar</span> <span class="na">GIT_DEPTH</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint</span> <span class="pi">-</span> <span class="s">test</span> <span class="pi">-</span> <span class="s">sast</span> <span class="pi">-</span> <span class="s">build</span> <span class="pi">-</span> <span class="s">push</span> <span class="na">.go-job-template</span><span class="pi">:</span> <span class="nl">&amp;go-job-template</span> <span class="na">image</span><span class="pi">:</span> <span class="s">debian:bullseye</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt update &amp;&amp; apt install -y curl git tar gzip</span> <span class="pi">-</span> <span class="s">curl -LO https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">rm -rf /usr/local/go &amp;&amp; tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go version</span> <span class="na">lint_golint</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">lint</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go install golang.org/x/lint/golint@latest</span> <span class="pi">-</span> <span class="s">export PATH="$PATH:$(go env GOPATH)/bin"</span> <span class="pi">-</span> <span class="s">echo "Linting files:"</span> <span class="pi">-</span> <span class="s">find . -name '*.go'</span> <span class="pi">-</span> <span class="s">golint ./... | tee lint-report.txt</span> <span class="pi">-</span> <span class="s">echo "--- Lint report preview ---"</span> <span class="pi">-</span> <span class="s">cat lint-report.txt || echo "lint-report.txt is empty"</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">golint-report"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint-report.txt</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 week</span> <span class="na">unit_test_and_coverage</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">test</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go mod tidy</span> <span class="pi">-</span> <span class="s">go test -v -cover ./...</span> <span class="pi">-</span> <span class="s">go test -v -coverprofile=coverage.out ./...</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">coverage.out</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> <span class="na">sonarqube-check</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">unit_test_and_coverage</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sonar-scanner -Dsonar.host.url="${SONAR_HOST_URL}" -Dsonar.go.coverage.reportPaths=coverage.out -Dsonar.exclusions=**/*_test.go</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">sonarqube-vulnerability-report</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">curl</span><span class="nv"> </span><span class="s">-u</span><span class="nv"> </span><span class="s">"${SONAR_TOKEN}:"</span><span class="nv"> </span><span class="s">"${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=booranasak-golang-sast&amp;branch=${CI_COMMIT_BRANCH}&amp;pullRequest=${CI_MERGE_REQUEST_IID}"</span><span class="nv"> </span><span class="s">-o</span><span class="nv"> </span><span class="s">gl-sast-sonar-report.json'</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 day</span> <span class="na">reports</span><span class="pi">:</span> <span class="na">sast</span><span class="pi">:</span> <span class="s">gl-sast-sonar-report.json</span> <span class="na">build_image</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">build</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker build -t $IMAGE_TAG_GOOGLE .</span> <span class="pi">-</span> <span class="s">docker save $IMAGE_TAG_GOOGLE -o $IMAGE_TAR</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">docker-image-tar"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">$IMAGE_TAR</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> <span class="na">push_image_to_registry</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">push</span> <span class="na">image</span><span class="pi">:</span> <span class="s">google/cloud-sdk:latest</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build_image</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Install Docker"</span> <span class="pi">-</span> <span class="s">apt-get update &amp;&amp; apt-get install -y docker.io</span> <span class="pi">-</span> <span class="s">echo "Setting up Google Cloud authentication..."</span> <span class="pi">-</span> <span class="s">echo "$GCP_SA_KEY" | base64 -d &gt; $CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud auth activate-service-account --key-file=$CI_PROJECT_DIR/gcp-key.json</span> <span class="pi">-</span> <span class="s">gcloud config set project escian</span> <span class="pi">-</span> <span class="s">gcloud auth configure-docker asia-southeast1-docker.pkg.dev --quiet</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker load -i $IMAGE_TAR</span> <span class="pi">-</span> <span class="s">docker push $IMAGE_TAG_GOOGLE</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F70kh2fe26s15wny30yo5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F70kh2fe26s15wny30yo5.png" alt=" " width="800" height="126"></a></p> <h2> <strong>7. Checking Your Image in Google Cloud</strong> </h2> <p>Once your pipeline finishes:</p> <ul> <li>Go to <strong>Artifact Registry</strong> in Google Cloud Console</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3eabnxxifxzril8ld3x0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3eabnxxifxzril8ld3x0.png" alt="You can search from Search Bar" width="711" height="172"></a></p> <ul> <li>Click your Docker repository</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpklxkpsqljihv5syxep3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpklxkpsqljihv5syxep3.png" alt=" " width="762" height="208"></a></p> <ul> <li>You should see your image (with its tag) listed!</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwgh6ylwfyv4atwnw1b3l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwgh6ylwfyv4atwnw1b3l.png" alt=" " width="800" height="542"></a></p> <h3> <strong>Test Pulling Your Image (Optional)</strong> </h3> <p>On your local machine (with gcloud and Docker installed):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud auth configure-docker asia-southeast1-docker.pkg.dev docker pull asia-southeast1-docker.pkg.dev/YOUR_PROJECT/YOUR_REPO/YOUR_IMAGE:TAG </code></pre> </div> <h2> <strong>8. Troubleshooting Tips</strong> </h2> <ul> <li> <strong>Auth errors?</strong> Double-check your service account’s permissions and the <code>GCP_SA_KEY</code> variable.</li> <li> <strong>Pipeline fails at Docker commands?</strong> Make sure Docker-in-Docker (<code>docker:dind</code>) is running and your job uses the correct image.</li> <li> <strong>Image not visible in GAR?</strong> Double-check your image tags and repository URL.</li> </ul> <h2> <strong>9. What’s Next?</strong> </h2> <p>Awesome work! Your Go app is now packaged in a Docker image and stored in Google Artifact Registry—ready to be deployed anywhere.</p> <p>But before we go live, let’s <strong>scan your image for vulnerabilities</strong>.<br> In the next episode, we’ll add <strong>Trivy</strong> to your pipeline to automatically check for security issues in your Docker image.</p> <h2> <strong>Summary</strong> </h2> <ul> <li>You learned how to build and push Docker images in GitLab CI/CD</li> <li>You configured authentication for secure image uploads to GAR</li> <li>Your app is ready for secure deployment and scanning!</li> </ul> <h2> <strong>Ready for EP 5.1? Stay tuned — we’re adding Trivy to scan images in Google Artifact Registry (GAR) for vulnerabilities!</strong> </h2> Building, Securing, and Deploying a Go App with GitLab CI/CD EP 3: SonarQube Booranasak Kanthong Fri, 01 Aug 2025 10:59:27 +0000 https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-3-sonarqube-b7a https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-3-sonarqube-b7a <p>Welcome back to EP 3 of my CI/CD Security Series!</p> <p>In this episode, we’ll focus entirely on integrating SonarQube into your GitLab CI/CD pipeline. SonarQube is a powerful tool for automatically scanning your code for bugs, vulnerabilities, and code smells—right inside your pipeline.</p> <p>If you missed EP 1 and 2, make sure to check it out for a full overview of the complete CI/CD security flow. Now, let’s get our hands dirty and bring SonarQube into the pipeline!</p> <h2> <strong>Getting Started with SonarQube</strong> </h2> <p>After you log in to SonarQube, you’ll land on this dashboard:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7cxws0tki81rbfbx5u74.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7cxws0tki81rbfbx5u74.png" alt=" " width="800" height="416"></a></p> <p>Start by clicking <strong>Create Project → Local Project</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0uoteb1b3z31k9apcthe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0uoteb1b3z31k9apcthe.png" alt=" " width="293" height="178"></a></p> <p>Now, <strong>name your project</strong> as you like.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frl62wtg9cfsxbr7ln772.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frl62wtg9cfsxbr7ln772.png" alt=" " width="438" height="443"></a></p> <p>It’s a good idea to check your <strong>global settings</strong> here, too:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqzu6qau1jkk0kwmhqgv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqzu6qau1jkk0kwmhqgv.png" alt=" " width="800" height="523"></a></p> <h2> <strong>Integrating SonarQube with GitLab CI/CD</strong> </h2> <p>For this project, we’ll be using <strong>GitLab</strong> to build our CI/CD pipeline.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9v10si8w8uzgrvp2fbox.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9v10si8w8uzgrvp2fbox.png" alt=" " width="800" height="523"></a></p> <p>Click <strong>With GitLab CI</strong> to get started.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ddp1as1shug9rhhcl7k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ddp1as1shug9rhhcl7k.png" alt=" " width="519" height="126"></a></p> <p>You’ll see a setup page like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx11k54dvifc0oyfscvl3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx11k54dvifc0oyfscvl3.png" alt=" " width="800" height="412"></a></p> <p>You can follow these steps directly, but I’ll break them down for you for clarity.</p> <h3> <strong>Step 1: Add Environment Variables in GitLab</strong> </h3> <p>First, let’s add the necessary environment variables.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ovuwr760lk20pojq2u8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ovuwr760lk20pojq2u8.png" alt=" " width="800" height="168"></a></p> <p>Head to your project in GitLab. On the sidebar, go to <strong>Settings</strong> (hover if you don’t see the label):</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fza9qi1rwn3ctqbdbqpkb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fza9qi1rwn3ctqbdbqpkb.png" alt=" " width="445" height="1046"></a></p> <p>Then click <strong>CI/CD → Variables</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmobqolb6uqbnqc3785m0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmobqolb6uqbnqc3785m0.png" alt=" " width="800" height="524"></a></p> <p>Now, click <strong>Add variable</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F96ds8voe5b08y8os1hka.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F96ds8voe5b08y8os1hka.png" alt=" " width="800" height="461"></a></p> <p>A sidebar will pop up:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftccyxz4mcdj1dlju2qqo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftccyxz4mcdj1dlju2qqo.png" alt=" " width="405" height="1019"></a></p> <ul> <li>For <strong>Key</strong>, use the value from SonarQube (e.g., <code>SONAR_TOKEN</code>).</li> <li>For <strong>Value</strong>, go back to SonarQube and click <strong>Generate Token</strong>:</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5z6ygmcrcbimvi8knrh7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5z6ygmcrcbimvi8knrh7.png" alt=" " width="576" height="527"></a></p> <p>Choose your expiration date—although I usually set it to “No Expiration” for testing, I recommend setting an expiration for security reasons.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhib8rkcs9w78j5yc4auv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhib8rkcs9w78j5yc4auv.png" alt=" " width="568" height="460"></a></p> <p>Copy your token and paste it into GitLab:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn5s1lod6975vyiutfbk4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn5s1lod6975vyiutfbk4.png" alt=" " width="393" height="1005"></a></p> <p>If you are working on branches other than main (for example, develop, feature, etc.), you also need to configure those branches as <strong>Protected branches</strong>.</p> <p>Go to <strong>Settings → Repository</strong>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvesudo5j8qvugk4pk98n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvesudo5j8qvugk4pk98n.png" alt=" " width="248" height="381"></a></p> <p>Add a <strong>Protected Branch</strong>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgbxuju04n2utfta2s9eb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgbxuju04n2utfta2s9eb.png" alt=" " width="800" height="291"></a></p> <p>Type in your branch name:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fie0sd0f6t2tm1uw286m5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fie0sd0f6t2tm1uw286m5.png" alt=" " width="800" height="571"></a></p> <p>Click <strong>Protect</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqjzag0f7dm7uby4d3il2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqjzag0f7dm7uby4d3il2.png" alt=" " width="800" height="325"></a></p> <blockquote> <p>Now, you’ll be able to use protected variables on these branches!</p> </blockquote> <h3> <strong>Step 2: Add SonarQube Config to Your Pipeline</strong> </h3> <p>Next, grab your project key from SonarQube and add it as a GitLab variable:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fellgz2fug1z4c287kgwb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fellgz2fug1z4c287kgwb.png" alt=" " width="800" height="158"></a></p> <p>It should look like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbobvr1vgq3jypdiquv3l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbobvr1vgq3jypdiquv3l.png" alt=" " width="397" height="1018"></a></p> <p>Pick your programming language. I’m using Go for this demo:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj2ujqliie6qamdx6htu4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj2ujqliie6qamdx6htu4.png" alt=" " width="564" height="158"></a></p> <p>If you don’t have a <code>sonar-project.properties</code> file, create one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sonar.projectKey=booranasak-bank-golang-sast sonar.qualitygate.wait=true </code></pre> </div> <h3> <strong>Step 3: Update Your .gitlab-ci.yml</strong> </h3> <p>Now, update your <code>.gitlab-ci.yml</code> with the following content.<br> <em>(Make sure your rules include the branches you want SonarQube to run on!)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">SONAR_USER_HOME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${CI_PROJECT_DIR}/.sonar"</span> <span class="na">GIT_DEPTH</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sonarqube-check</span> <span class="pi">-</span> <span class="s">sonarqube-vulnerability-report</span> <span class="na">sonarqube-check</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sonarqube-check</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sonar-scanner -Dsonar.host.url="${SONAR_HOST_URL}"</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">sonarqube-vulnerability-report</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sonarqube-vulnerability-report</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">curl</span><span class="nv"> </span><span class="s">-u</span><span class="nv"> </span><span class="s">"${SONAR_TOKEN}:"</span><span class="nv"> </span><span class="s">"${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=booranasak-bank-golang-sast&amp;branch=${CI_COMMIT_BRANCH}&amp;pullRequest=${CI_MERGE_REQUEST_IID}"</span><span class="nv"> </span><span class="s">-o</span><span class="nv"> </span><span class="s">gl-sast-sonar-report.json'</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 day</span> <span class="na">reports</span><span class="pi">:</span> <span class="na">sast</span><span class="pi">:</span> <span class="s">gl-sast-sonar-report.json</span> </code></pre> </div> <p><strong>Note:</strong><br> By default, this pipeline only runs SonarQube on these branches:</p> <ul> <li><code>master</code></li> <li><code>main</code></li> <li> <code>develop</code> Or on merge requests.</li> </ul> <p>If you want to run SonarQube on another branch (like <code>feature/sonarqube</code> for testing), simply update the rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'feature/sonarqube'</span> </code></pre> </div> <p>That’s it! Just adjust your rules for any branches you want to include.</p> <h3> And now, your .gitlab-ci.yml should look something like this (I merge SonarQube into one stage but the job still separate for clarity and easier management): </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">sonarqube-check</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">unit_test_and_coverage</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sonar-scanner -Dsonar.host.url="${SONAR_HOST_URL}" -Dsonar.go.coverage.reportPaths=coverage.out -Dsonar.exclusions=**/*_test.go</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">sonarqube-vulnerability-report</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">curl</span><span class="nv"> </span><span class="s">-u</span><span class="nv"> </span><span class="s">"${SONAR_TOKEN}:"</span><span class="nv"> </span><span class="s">"${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=booranasak-golang-sast&amp;branch=${CI_COMMIT_BRANCH}&amp;pullRequest=${CI_MERGE_REQUEST_IID}"</span><span class="nv"> </span><span class="s">-o</span><span class="nv"> </span><span class="s">gl-sast-sonar-report.json'</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 day</span> <span class="na">reports</span><span class="pi">:</span> <span class="na">sast</span><span class="pi">:</span> <span class="s">gl-sast-sonar-report.json</span> </code></pre> </div> <p>And when you merge everything together, It will look like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker:dind</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">DOCKER_HOST</span><span class="pi">:</span> <span class="s">tcp://docker:2375/</span> <span class="na">DOCKER_TLS_CERTDIR</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">GO_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.24.3"</span> <span class="na">SONAR_USER_HOME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${CI_PROJECT_DIR}/.sonar"</span> <span class="na">GIT_DEPTH</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint</span> <span class="pi">-</span> <span class="s">test</span> <span class="pi">-</span> <span class="s">sast</span> <span class="na">.go-job-template</span><span class="pi">:</span> <span class="nl">&amp;go-job-template</span> <span class="na">image</span><span class="pi">:</span> <span class="s">debian:bullseye</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt update &amp;&amp; apt install -y curl git tar gzip</span> <span class="pi">-</span> <span class="s">curl -LO https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">rm -rf /usr/local/go &amp;&amp; tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go version</span> <span class="na">lint_golint</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">lint</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go install golang.org/x/lint/golint@latest</span> <span class="pi">-</span> <span class="s">export PATH="$PATH:$(go env GOPATH)/bin"</span> <span class="pi">-</span> <span class="s">echo "Linting files:"</span> <span class="pi">-</span> <span class="s">find . -name '*.go'</span> <span class="pi">-</span> <span class="s">golint ./... | tee lint-report.txt</span> <span class="pi">-</span> <span class="s">echo "--- Lint report preview ---"</span> <span class="pi">-</span> <span class="s">cat lint-report.txt || echo "lint-report.txt is empty"</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">golint-report"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint-report.txt</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 week</span> <span class="na">unit_test_and_coverage</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">test</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go mod tidy</span> <span class="pi">-</span> <span class="s">go test -v -cover ./...</span> <span class="pi">-</span> <span class="s">go test -v -coverprofile=coverage.out ./...</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">coverage.out</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> <span class="na">sonarqube-check</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">unit_test_and_coverage</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sonar-scanner -Dsonar.host.url="${SONAR_HOST_URL}" -Dsonar.go.coverage.reportPaths=coverage.out -Dsonar.exclusions=**/*_test.go</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">sonarqube-vulnerability-report</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">sast</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sonarsource/sonar-scanner-cli:11</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">curl</span><span class="nv"> </span><span class="s">-u</span><span class="nv"> </span><span class="s">"${SONAR_TOKEN}:"</span><span class="nv"> </span><span class="s">"${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=booranasak-golang-sast&amp;branch=${CI_COMMIT_BRANCH}&amp;pullRequest=${CI_MERGE_REQUEST_IID}"</span><span class="nv"> </span><span class="s">-o</span><span class="nv"> </span><span class="s">gl-sast-sonar-report.json'</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == 'merge_request_event'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'master'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'main'</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == 'develop'</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 day</span> <span class="na">reports</span><span class="pi">:</span> <span class="na">sast</span><span class="pi">:</span> <span class="s">gl-sast-sonar-report.json</span> </code></pre> </div> <h4> Pipeline Example </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1x2qzrucjawv9ovjuecp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1x2qzrucjawv9ovjuecp.png" alt=" " width="800" height="208"></a></p> <h4> Sonarqube Example </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Furg0ag50z3cy4klu0fi9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Furg0ag50z3cy4klu0fi9.png" alt=" " width="800" height="142"></a></p> <h4> Failed Example </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiobkjuyct2oamigmb1fr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiobkjuyct2oamigmb1fr.png" alt=" " width="800" height="536"></a></p> <ul> <li>First issue are code coverage below 80 percent</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faoxh5x9h7lbos8khk6oc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faoxh5x9h7lbos8khk6oc.png" alt=" " width="800" height="459"></a></p> <ul> <li>Second issue are Duplicated string literals</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5753rxhgo0lzqo00eze.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5753rxhgo0lzqo00eze.png" alt=" " width="800" height="169"></a></p> <p>You can also view more detail</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fupehc9c32umx1ghdn2z6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fupehc9c32umx1ghdn2z6.png" alt=" " width="800" height="787"></a></p> <p>even explain why it was an issue</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp5yv3m9yktm7tb8xmrvn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp5yv3m9yktm7tb8xmrvn.png" alt=" " width="800" height="293"></a></p> <p>Even more!!!, Explain how to fix it</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd0nyllcrc1d3hd3137hw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd0nyllcrc1d3hd3137hw.png" alt=" " width="800" height="585"></a></p> <p><strong>Simple, right?</strong> With these steps, you can integrate <strong>SonarQube</strong> into your GitLab CI/CD pipeline and customize it to fit your workflow.</p> Building, Securing, and Deploying a Go App with GitLab CI/CD EP 2: Linting, and Coverage Test in Your Go Pipeline Booranasak Kanthong Fri, 01 Aug 2025 10:48:06 +0000 https://forem.com/mirrorsan/ep-2-linting-testing-and-coverage-in-your-first-go-project-pipeline-27hn https://forem.com/mirrorsan/ep-2-linting-testing-and-coverage-in-your-first-go-project-pipeline-27hn <h2> <strong>Introduction</strong> </h2> <p>Welcome back! In the last episode, we learned what CI/CD is and how to set up a simple pipeline in GitLab using Docker-in-Docker. Now, let’s make things more interesting by adding real Go code to our project.</p> <p>In this post, you’ll:</p> <ul> <li>Create a new file and paste in the Go code below:</li> <li>Set up a pipeline to lint (check) your code style automatically</li> <li>Run tests with coverage and see how well your code is tested</li> <li>Learn how to store and view these results in GitLab</li> </ul> <p>By the end, you’ll have a working Go app in CI/CD with code quality checks—just like a real pro!</p> <h2> <strong>Step 1: Get the Example Go Project</strong> </h2> <p>So you can follow along with exactly what I’m doing, here’s the same code I use:</p> <p><strong>File Stucture</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu8vjpw4p7mqkz809644a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu8vjpw4p7mqkz809644a.png" alt=" " width="310" height="458"></a></p> <p>Create a new file and paste in the Go code below:</p> <blockquote> <p><strong>bank-api\cmd\server\main.go</strong><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"bank-api/internal/handler"</span> <span class="s">"log"</span> <span class="s">"net/http"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">handler</span><span class="o">.</span><span class="n">New</span><span class="p">()</span> <span class="n">log</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"✅ Bank API listening on :8508"</span><span class="p">)</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatal</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">ListenAndServe</span><span class="p">(</span><span class="s">":8508"</span><span class="p">,</span> <span class="n">h</span><span class="o">.</span><span class="n">Router</span><span class="p">()))</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>bank-api\internal\handler\handler_test.go</strong><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">handler</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"bytes"</span> <span class="s">"encoding/json"</span> <span class="s">"net/http"</span> <span class="s">"net/http/httptest"</span> <span class="s">"strconv"</span> <span class="s">"testing"</span> <span class="p">)</span> <span class="c">// helper to open a new account and return its ID</span> <span class="k">func</span> <span class="n">createAccount</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">,</span> <span class="n">router</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span><span class="p">,</span> <span class="n">name</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">int64</span> <span class="p">{</span> <span class="n">body</span> <span class="o">:=</span> <span class="s">`{"name":"`</span> <span class="o">+</span> <span class="n">name</span> <span class="o">+</span> <span class="s">`"}`</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span><span class="p">,</span> <span class="s">"/accounts"</span><span class="p">,</span> <span class="n">bytes</span><span class="o">.</span><span class="n">NewBufferString</span><span class="p">(</span><span class="n">body</span><span class="p">))</span> <span class="n">req</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">router</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusCreated</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"open account: want 201 got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="k">var</span> <span class="n">resp</span> <span class="k">struct</span><span class="p">{</span> <span class="n">ID</span> <span class="kt">int64</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">NewDecoder</span><span class="p">(</span><span class="n">rec</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span><span class="o">.</span><span class="n">Decode</span><span class="p">(</span><span class="o">&amp;</span><span class="n">resp</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"decode id: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">resp</span><span class="o">.</span><span class="n">ID</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestGetAllAccounts</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">New</span><span class="p">()</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">Router</span><span class="p">()</span> <span class="c">// we seeded 10 mock accounts in NewMemory()</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodGet</span><span class="p">,</span> <span class="s">"/accounts"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"get all accounts: want 200 got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="k">var</span> <span class="n">list</span> <span class="p">[]</span><span class="k">struct</span> <span class="p">{</span> <span class="n">ID</span> <span class="kt">int64</span> <span class="n">Name</span> <span class="kt">string</span> <span class="n">Balance</span> <span class="kt">float64</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">NewDecoder</span><span class="p">(</span><span class="n">rec</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span><span class="o">.</span><span class="n">Decode</span><span class="p">(</span><span class="o">&amp;</span><span class="n">list</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"decode list: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">list</span><span class="p">)</span> <span class="o">!=</span> <span class="m">10</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"expected 10 accounts, got %d"</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">list</span><span class="p">))</span> <span class="p">}</span> <span class="c">// spot-check first seeded account</span> <span class="k">if</span> <span class="n">list</span><span class="p">[</span><span class="m">0</span><span class="p">]</span><span class="o">.</span><span class="n">ID</span> <span class="o">!=</span> <span class="m">1</span> <span class="o">||</span> <span class="n">list</span><span class="p">[</span><span class="m">0</span><span class="p">]</span><span class="o">.</span><span class="n">Name</span> <span class="o">!=</span> <span class="s">"Alice"</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"first account = %+v; want ID=1, Name=Alice"</span><span class="p">,</span> <span class="n">list</span><span class="p">[</span><span class="m">0</span><span class="p">])</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestOpenGetDepositWithdrawFlow</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">New</span><span class="p">()</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">Router</span><span class="p">()</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">createAccount</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="s">"Alice"</span><span class="p">)</span> <span class="c">// deposit</span> <span class="n">depBody</span> <span class="o">:=</span> <span class="s">`{"amount":100}`</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span><span class="p">,</span> <span class="s">"/accounts/"</span><span class="o">+</span><span class="n">strconv</span><span class="o">.</span><span class="n">FormatInt</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span><span class="o">+</span><span class="s">"/deposit"</span><span class="p">,</span> <span class="n">bytes</span><span class="o">.</span><span class="n">NewBufferString</span><span class="p">(</span><span class="n">depBody</span><span class="p">),</span> <span class="p">)</span> <span class="n">req</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="c">// withdraw</span> <span class="n">withBody</span> <span class="o">:=</span> <span class="s">`{"amount":30}`</span> <span class="n">req</span> <span class="o">=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span><span class="p">,</span> <span class="s">"/accounts/"</span><span class="o">+</span><span class="n">strconv</span><span class="o">.</span><span class="n">FormatInt</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span><span class="o">+</span><span class="s">"/withdraw"</span><span class="p">,</span> <span class="n">bytes</span><span class="o">.</span><span class="n">NewBufferString</span><span class="p">(</span><span class="n">withBody</span><span class="p">),</span> <span class="p">)</span> <span class="n">req</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">rec</span> <span class="o">=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="c">// get balance</span> <span class="n">req</span> <span class="o">=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodGet</span><span class="p">,</span> <span class="s">"/accounts/"</span><span class="o">+</span><span class="n">strconv</span><span class="o">.</span><span class="n">FormatInt</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="m">10</span><span class="p">),</span> <span class="no">nil</span><span class="p">,</span> <span class="p">)</span> <span class="n">rec</span> <span class="o">=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">var</span> <span class="n">acc</span> <span class="k">struct</span><span class="p">{</span> <span class="n">Balance</span> <span class="kt">float64</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">NewDecoder</span><span class="p">(</span><span class="n">rec</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span><span class="o">.</span><span class="n">Decode</span><span class="p">(</span><span class="o">&amp;</span><span class="n">acc</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"decode account: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">acc</span><span class="o">.</span><span class="n">Balance</span> <span class="o">!=</span> <span class="m">70</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"expected balance 70 got %f"</span><span class="p">,</span> <span class="n">acc</span><span class="o">.</span><span class="n">Balance</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestDepositInvalidAmount</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">New</span><span class="p">()</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">Router</span><span class="p">()</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">createAccount</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="s">"Bob"</span><span class="p">)</span> <span class="n">neg</span> <span class="o">:=</span> <span class="s">`{"amount":-5}`</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span><span class="p">,</span> <span class="s">"/accounts/"</span><span class="o">+</span><span class="n">strconv</span><span class="o">.</span><span class="n">FormatInt</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span><span class="o">+</span><span class="s">"/deposit"</span><span class="p">,</span> <span class="n">bytes</span><span class="o">.</span><span class="n">NewBufferString</span><span class="p">(</span><span class="n">neg</span><span class="p">),</span> <span class="p">)</span> <span class="n">req</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"neg deposit: want 400 got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestWithdrawInsufficientFunds</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">New</span><span class="p">()</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">Router</span><span class="p">()</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">createAccount</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="s">"Charlie"</span><span class="p">)</span> <span class="n">withBody</span> <span class="o">:=</span> <span class="s">`{"amount":50}`</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span><span class="p">,</span> <span class="s">"/accounts/"</span><span class="o">+</span><span class="n">strconv</span><span class="o">.</span><span class="n">FormatInt</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span><span class="o">+</span><span class="s">"/withdraw"</span><span class="p">,</span> <span class="n">bytes</span><span class="o">.</span><span class="n">NewBufferString</span><span class="p">(</span><span class="n">withBody</span><span class="p">),</span> <span class="p">)</span> <span class="n">req</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"withdraw no money: want 400 got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestInvalidAccountID</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">New</span><span class="p">()</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">Router</span><span class="p">()</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodGet</span><span class="p">,</span> <span class="s">"/accounts/abc"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"invalid id: want 400 got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestMethodNotAllowed</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">New</span><span class="p">()</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">Router</span><span class="p">()</span> <span class="c">// PUT /accounts is not supported (only GET, POST)</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPut</span><span class="p">,</span> <span class="s">"/accounts"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusMethodNotAllowed</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"method not allowed: want 405 got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestInvalidJSONInOpenAccount</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">New</span><span class="p">()</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">Router</span><span class="p">()</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span><span class="p">,</span> <span class="s">"/accounts"</span><span class="p">,</span> <span class="n">bytes</span><span class="o">.</span><span class="n">NewBufferString</span><span class="p">(</span><span class="s">"{"</span><span class="p">))</span> <span class="n">req</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"expected 400 for bad JSON, got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestInvalidJSONInDeposit</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">New</span><span class="p">()</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">Router</span><span class="p">()</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">createAccount</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="s">"BrokenDeposit"</span><span class="p">)</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span><span class="p">,</span> <span class="s">"/accounts/"</span><span class="o">+</span><span class="n">strconv</span><span class="o">.</span><span class="n">FormatInt</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span><span class="o">+</span><span class="s">"/deposit"</span><span class="p">,</span> <span class="n">bytes</span><span class="o">.</span><span class="n">NewBufferString</span><span class="p">(</span><span class="s">"{"</span><span class="p">),</span> <span class="p">)</span> <span class="n">req</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"expected 400 for bad JSON, got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestInvalidSubRoute</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">New</span><span class="p">()</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">Router</span><span class="p">()</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">createAccount</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="s">"UnknownPath"</span><span class="p">)</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span><span class="p">,</span> <span class="s">"/accounts/"</span><span class="o">+</span><span class="n">strconv</span><span class="o">.</span><span class="n">FormatInt</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span><span class="o">+</span><span class="s">"/unexpected"</span><span class="p">,</span> <span class="no">nil</span><span class="p">,</span> <span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusNotFound</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"expected 404 for unknown subroute, got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestReadRootAllowed</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">New</span><span class="p">()</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">Router</span><span class="p">()</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodGet</span><span class="p">,</span> <span class="s">"/"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"expected 200, got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">body</span> <span class="o">:=</span> <span class="n">rec</span><span class="o">.</span><span class="n">Body</span><span class="o">.</span><span class="n">String</span><span class="p">();</span> <span class="n">body</span> <span class="o">!=</span> <span class="s">"👋 Welcome to the Bank API!"</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"unexpected body: %s"</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestReadRootMethodNotAllowed</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">New</span><span class="p">()</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">Router</span><span class="p">()</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span><span class="p">,</span> <span class="s">"/"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusMethodNotAllowed</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"expected 405, got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestOpenAccountWrongMethod</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">New</span><span class="p">()</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodGet</span><span class="p">,</span> <span class="s">"/accounts"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="c">// simulate direct call to openAccount handler method</span> <span class="n">h</span><span class="o">.</span><span class="n">openAccount</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusMethodNotAllowed</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"expected 405, got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestAccountsMethodNotAllowed</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">New</span><span class="p">()</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">Router</span><span class="p">()</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPut</span><span class="p">,</span> <span class="s">"/accounts"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusMethodNotAllowed</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"expected 405, got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>bank-api\internal\handler\handler.go</strong><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/handler/handler.go</span> <span class="k">package</span> <span class="n">handler</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"bank-api/internal/repository"</span> <span class="s">"bank-api/internal/service"</span> <span class="s">"encoding/json"</span> <span class="s">"net/http"</span> <span class="s">"strconv"</span> <span class="s">"strings"</span> <span class="p">)</span> <span class="k">const</span> <span class="n">errMethodNotAllowed</span> <span class="o">=</span> <span class="s">"method not allowed"</span> <span class="k">type</span> <span class="n">Handler</span> <span class="k">struct</span><span class="p">{</span> <span class="n">bank</span> <span class="o">*</span><span class="n">service</span><span class="o">.</span><span class="n">Bank</span> <span class="p">}</span> <span class="c">// New returns Handler with in-memory backend and seeds 10 mock accounts.</span> <span class="k">func</span> <span class="n">New</span><span class="p">()</span> <span class="o">*</span><span class="n">Handler</span> <span class="p">{</span> <span class="n">mem</span> <span class="o">:=</span> <span class="n">repository</span><span class="o">.</span><span class="n">NewMemory</span><span class="p">()</span> <span class="n">b</span> <span class="o">:=</span> <span class="n">service</span><span class="o">.</span><span class="n">NewBank</span><span class="p">(</span><span class="n">mem</span><span class="p">)</span> <span class="n">names</span> <span class="o">:=</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span> <span class="s">"Alice"</span><span class="p">,</span> <span class="s">"Bob"</span><span class="p">,</span> <span class="s">"Carol"</span><span class="p">,</span> <span class="s">"Dave"</span><span class="p">,</span> <span class="s">"Eve"</span><span class="p">,</span> <span class="s">"Frank"</span><span class="p">,</span> <span class="s">"Grace"</span><span class="p">,</span> <span class="s">"Heidi"</span><span class="p">,</span> <span class="s">"Ivan"</span><span class="p">,</span> <span class="s">"Judy"</span><span class="p">,</span> <span class="p">}</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">name</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">names</span> <span class="p">{</span> <span class="n">acc</span> <span class="o">:=</span> <span class="n">b</span><span class="o">.</span><span class="n">Open</span><span class="p">(</span><span class="n">name</span><span class="p">)</span> <span class="n">_</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="n">b</span><span class="o">.</span><span class="n">Deposit</span><span class="p">(</span><span class="n">acc</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="kt">float64</span><span class="p">((</span><span class="n">i</span><span class="o">+</span><span class="m">1</span><span class="p">)</span><span class="o">*</span><span class="m">1000</span><span class="p">))</span> <span class="p">}</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">Handler</span><span class="p">{</span><span class="n">bank</span><span class="o">:</span> <span class="n">b</span><span class="p">}</span> <span class="p">}</span> <span class="c">// Router wires endpoints in an organized way.</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="o">*</span><span class="n">Handler</span><span class="p">)</span> <span class="n">Router</span><span class="p">()</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">ServeMux</span> <span class="p">{</span> <span class="n">mux</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">NewServeMux</span><span class="p">()</span> <span class="n">mux</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/"</span><span class="p">,</span> <span class="n">h</span><span class="o">.</span><span class="n">readRoot</span><span class="p">)</span> <span class="c">// GET /</span> <span class="n">mux</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/accounts"</span><span class="p">,</span> <span class="n">h</span><span class="o">.</span><span class="n">accounts</span><span class="p">)</span> <span class="c">// GET /accounts, POST /accounts</span> <span class="n">mux</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/accounts/"</span><span class="p">,</span> <span class="n">h</span><span class="o">.</span><span class="n">accountActions</span><span class="p">)</span> <span class="c">// GET /accounts/{id}, POST …/deposit, …/withdraw</span> <span class="k">return</span> <span class="n">mux</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="o">*</span><span class="n">Handler</span><span class="p">)</span> <span class="n">readRoot</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">MethodGet</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">errMethodNotAllowed</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusMethodNotAllowed</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"text/plain"</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">Write</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="s">"👋 Welcome to the Bank API!"</span><span class="p">))</span> <span class="p">}</span> <span class="c">// accounts handles GET all and POST create on /accounts</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="o">*</span><span class="n">Handler</span><span class="p">)</span> <span class="n">accounts</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="k">switch</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span> <span class="p">{</span> <span class="k">case</span> <span class="n">http</span><span class="o">.</span><span class="n">MethodGet</span><span class="o">:</span> <span class="n">list</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">bank</span><span class="o">.</span><span class="n">All</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">err</span><span class="o">.</span><span class="n">Error</span><span class="p">(),</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">writeJSON</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span><span class="p">,</span> <span class="n">list</span><span class="p">)</span> <span class="k">case</span> <span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span><span class="o">:</span> <span class="n">h</span><span class="o">.</span><span class="n">openAccount</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="k">default</span><span class="o">:</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">errMethodNotAllowed</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusMethodNotAllowed</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="o">*</span><span class="n">Handler</span><span class="p">)</span> <span class="n">openAccount</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">errMethodNotAllowed</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusMethodNotAllowed</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">var</span> <span class="n">req</span> <span class="k">struct</span><span class="p">{</span> <span class="n">Name</span> <span class="kt">string</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">NewDecoder</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span><span class="o">.</span><span class="n">Decode</span><span class="p">(</span><span class="o">&amp;</span><span class="n">req</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">err</span><span class="o">.</span><span class="n">Error</span><span class="p">(),</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">acc</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">bank</span><span class="o">.</span><span class="n">Open</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="n">writeJSON</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusCreated</span><span class="p">,</span> <span class="n">acc</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="o">*</span><span class="n">Handler</span><span class="p">)</span> <span class="n">accountActions</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">parts</span> <span class="o">:=</span> <span class="n">strings</span><span class="o">.</span><span class="n">Split</span><span class="p">(</span><span class="n">strings</span><span class="o">.</span><span class="n">TrimPrefix</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Path</span><span class="p">,</span> <span class="s">"/accounts/"</span><span class="p">),</span> <span class="s">"/"</span><span class="p">)</span> <span class="n">id</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">ParseInt</span><span class="p">(</span><span class="n">parts</span><span class="p">[</span><span class="m">0</span><span class="p">],</span> <span class="m">10</span><span class="p">,</span> <span class="m">64</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"invalid id"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">switch</span> <span class="p">{</span> <span class="k">case</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span> <span class="o">==</span> <span class="n">http</span><span class="o">.</span><span class="n">MethodGet</span> <span class="o">&amp;&amp;</span> <span class="nb">len</span><span class="p">(</span><span class="n">parts</span><span class="p">)</span> <span class="o">==</span> <span class="m">1</span><span class="o">:</span> <span class="n">acc</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">bank</span><span class="o">.</span><span class="n">Lookup</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">err</span><span class="o">.</span><span class="n">Error</span><span class="p">(),</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusNotFound</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">writeJSON</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span><span class="p">,</span> <span class="n">acc</span><span class="p">)</span> <span class="k">case</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span> <span class="o">==</span> <span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span> <span class="o">&amp;&amp;</span> <span class="nb">len</span><span class="p">(</span><span class="n">parts</span><span class="p">)</span> <span class="o">==</span> <span class="m">2</span> <span class="o">&amp;&amp;</span> <span class="n">parts</span><span class="p">[</span><span class="m">1</span><span class="p">]</span> <span class="o">==</span> <span class="s">"deposit"</span><span class="o">:</span> <span class="k">var</span> <span class="n">body</span> <span class="k">struct</span><span class="p">{</span> <span class="n">Amount</span> <span class="kt">float64</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">NewDecoder</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span><span class="o">.</span><span class="n">Decode</span><span class="p">(</span><span class="o">&amp;</span><span class="n">body</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">err</span><span class="o">.</span><span class="n">Error</span><span class="p">(),</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">acc</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">bank</span><span class="o">.</span><span class="n">Deposit</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">body</span><span class="o">.</span><span class="n">Amount</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">err</span><span class="o">.</span><span class="n">Error</span><span class="p">(),</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">writeJSON</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span><span class="p">,</span> <span class="n">acc</span><span class="p">)</span> <span class="k">case</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span> <span class="o">==</span> <span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span> <span class="o">&amp;&amp;</span> <span class="nb">len</span><span class="p">(</span><span class="n">parts</span><span class="p">)</span> <span class="o">==</span> <span class="m">2</span> <span class="o">&amp;&amp;</span> <span class="n">parts</span><span class="p">[</span><span class="m">1</span><span class="p">]</span> <span class="o">==</span> <span class="s">"withdraw"</span><span class="o">:</span> <span class="k">var</span> <span class="n">body</span> <span class="k">struct</span><span class="p">{</span> <span class="n">Amount</span> <span class="kt">float64</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">NewDecoder</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span><span class="o">.</span><span class="n">Decode</span><span class="p">(</span><span class="o">&amp;</span><span class="n">body</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">err</span><span class="o">.</span><span class="n">Error</span><span class="p">(),</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">acc</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">bank</span><span class="o">.</span><span class="n">Withdraw</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">body</span><span class="o">.</span><span class="n">Amount</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">err</span><span class="o">.</span><span class="n">Error</span><span class="p">(),</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">writeJSON</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span><span class="p">,</span> <span class="n">acc</span><span class="p">)</span> <span class="k">default</span><span class="o">:</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"not found"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusNotFound</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">writeJSON</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">code</span> <span class="kt">int</span><span class="p">,</span> <span class="n">v</span> <span class="n">any</span><span class="p">)</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">code</span><span class="p">)</span> <span class="n">_</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">NewEncoder</span><span class="p">(</span><span class="n">w</span><span class="p">)</span><span class="o">.</span><span class="n">Encode</span><span class="p">(</span><span class="n">v</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>bank-api\internal\model\account.go</strong><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">model</span> <span class="c">// Account represents a simple bank account.</span> <span class="k">type</span> <span class="n">Account</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">ID</span> <span class="kt">int64</span> <span class="s">`json:"id"`</span> <span class="n">Name</span> <span class="kt">string</span> <span class="s">`json:"name"`</span> <span class="n">Balance</span> <span class="kt">float64</span> <span class="s">`json:"balance"`</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>bank-api\internal\repository\memory.go</strong><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/repository/memory.go</span> <span class="k">package</span> <span class="n">repository</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"errors"</span> <span class="s">"sort"</span> <span class="s">"sync"</span> <span class="s">"bank-api/internal/model"</span> <span class="p">)</span> <span class="k">var</span> <span class="p">(</span> <span class="n">ErrNotFound</span> <span class="o">=</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"account not found"</span><span class="p">)</span> <span class="n">ErrInvalidAmount</span> <span class="o">=</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"amount must be positive"</span><span class="p">)</span> <span class="n">ErrInsufficientFund</span> <span class="o">=</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"insufficient funds"</span><span class="p">)</span> <span class="p">)</span> <span class="c">// MemoryRepo is an in-memory store implementing basic CRUD for accounts.</span> <span class="k">type</span> <span class="n">MemoryRepo</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">mu</span> <span class="n">sync</span><span class="o">.</span><span class="n">RWMutex</span> <span class="n">nextID</span> <span class="kt">int64</span> <span class="n">records</span> <span class="k">map</span><span class="p">[</span><span class="kt">int64</span><span class="p">]</span><span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span> <span class="p">}</span> <span class="c">// NewMemory returns a fresh, empty MemoryRepo.</span> <span class="k">func</span> <span class="n">NewMemory</span><span class="p">()</span> <span class="o">*</span><span class="n">MemoryRepo</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">MemoryRepo</span><span class="p">{</span> <span class="n">records</span><span class="o">:</span> <span class="nb">make</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">int64</span><span class="p">]</span><span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span><span class="p">),</span> <span class="n">nextID</span><span class="o">:</span> <span class="m">1</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// Create opens a new account with zero balance.</span> <span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="o">*</span><span class="n">MemoryRepo</span><span class="p">)</span> <span class="n">Create</span><span class="p">(</span><span class="n">name</span> <span class="kt">string</span><span class="p">)</span> <span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span> <span class="p">{</span> <span class="n">m</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">m</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="n">acc</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span><span class="p">{</span><span class="n">ID</span><span class="o">:</span> <span class="n">m</span><span class="o">.</span><span class="n">nextID</span><span class="p">,</span> <span class="n">Name</span><span class="o">:</span> <span class="n">name</span><span class="p">}</span> <span class="n">m</span><span class="o">.</span><span class="n">records</span><span class="p">[</span><span class="n">acc</span><span class="o">.</span><span class="n">ID</span><span class="p">]</span> <span class="o">=</span> <span class="n">acc</span> <span class="n">m</span><span class="o">.</span><span class="n">nextID</span><span class="o">++</span> <span class="k">return</span> <span class="n">acc</span> <span class="p">}</span> <span class="c">// Get fetches account by id.</span> <span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="o">*</span><span class="n">MemoryRepo</span><span class="p">)</span> <span class="n">Get</span><span class="p">(</span><span class="n">id</span> <span class="kt">int64</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">m</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">RLock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">m</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">RUnlock</span><span class="p">()</span> <span class="n">acc</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">m</span><span class="o">.</span><span class="n">records</span><span class="p">[</span><span class="n">id</span><span class="p">]</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">ErrNotFound</span> <span class="p">}</span> <span class="k">return</span> <span class="n">acc</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// All returns all accounts, sorted by ascending ID.</span> <span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="o">*</span><span class="n">MemoryRepo</span><span class="p">)</span> <span class="n">All</span><span class="p">()</span> <span class="p">([]</span><span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">m</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">RLock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">m</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">RUnlock</span><span class="p">()</span> <span class="n">list</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">m</span><span class="o">.</span><span class="n">records</span><span class="p">))</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">acc</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">m</span><span class="o">.</span><span class="n">records</span> <span class="p">{</span> <span class="n">list</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">list</span><span class="p">,</span> <span class="n">acc</span><span class="p">)</span> <span class="p">}</span> <span class="c">// sort by ID so callers always see [ID=1,2,3…]</span> <span class="n">sort</span><span class="o">.</span><span class="n">Slice</span><span class="p">(</span><span class="n">list</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">j</span> <span class="kt">int</span><span class="p">)</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="n">list</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">.</span><span class="n">ID</span> <span class="o">&lt;</span> <span class="n">list</span><span class="p">[</span><span class="n">j</span><span class="p">]</span><span class="o">.</span><span class="n">ID</span> <span class="p">})</span> <span class="k">return</span> <span class="n">list</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// Deposit increases balance.</span> <span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="o">*</span><span class="n">MemoryRepo</span><span class="p">)</span> <span class="n">Deposit</span><span class="p">(</span><span class="n">id</span> <span class="kt">int64</span><span class="p">,</span> <span class="n">amt</span> <span class="kt">float64</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">amt</span> <span class="o">&lt;=</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">ErrInvalidAmount</span> <span class="p">}</span> <span class="n">m</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">m</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="n">acc</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">m</span><span class="o">.</span><span class="n">records</span><span class="p">[</span><span class="n">id</span><span class="p">]</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">ErrNotFound</span> <span class="p">}</span> <span class="n">acc</span><span class="o">.</span><span class="n">Balance</span> <span class="o">+=</span> <span class="n">amt</span> <span class="k">return</span> <span class="n">acc</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// Withdraw decreases balance.</span> <span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="o">*</span><span class="n">MemoryRepo</span><span class="p">)</span> <span class="n">Withdraw</span><span class="p">(</span><span class="n">id</span> <span class="kt">int64</span><span class="p">,</span> <span class="n">amt</span> <span class="kt">float64</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">amt</span> <span class="o">&lt;=</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">ErrInvalidAmount</span> <span class="p">}</span> <span class="n">m</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">m</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="n">acc</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">m</span><span class="o">.</span><span class="n">records</span><span class="p">[</span><span class="n">id</span><span class="p">]</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">ErrNotFound</span> <span class="p">}</span> <span class="k">if</span> <span class="n">acc</span><span class="o">.</span><span class="n">Balance</span> <span class="o">&lt;</span> <span class="n">amt</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">ErrInsufficientFund</span> <span class="p">}</span> <span class="n">acc</span><span class="o">.</span><span class="n">Balance</span> <span class="o">-=</span> <span class="n">amt</span> <span class="k">return</span> <span class="n">acc</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>bank-api\internal\repository\repository_test.go</strong><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">repository</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"testing"</span> <span class="p">)</span> <span class="c">// createTestRepo returns a new MemoryRepo with one account.</span> <span class="k">func</span> <span class="n">createTestRepo</span><span class="p">()</span> <span class="p">(</span><span class="o">*</span><span class="n">MemoryRepo</span><span class="p">,</span> <span class="kt">int64</span><span class="p">)</span> <span class="p">{</span> <span class="n">repo</span> <span class="o">:=</span> <span class="n">NewMemory</span><span class="p">()</span> <span class="n">acc</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Create</span><span class="p">(</span><span class="s">"Test"</span><span class="p">)</span> <span class="k">return</span> <span class="n">repo</span><span class="p">,</span> <span class="n">acc</span><span class="o">.</span><span class="n">ID</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestCreateAndGet</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">repo</span> <span class="o">:=</span> <span class="n">NewMemory</span><span class="p">()</span> <span class="n">acc</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Create</span><span class="p">(</span><span class="s">"Alice"</span><span class="p">)</span> <span class="c">// Check Create()</span> <span class="k">if</span> <span class="n">acc</span><span class="o">.</span><span class="n">ID</span> <span class="o">!=</span> <span class="m">1</span> <span class="o">||</span> <span class="n">acc</span><span class="o">.</span><span class="n">Name</span> <span class="o">!=</span> <span class="s">"Alice"</span> <span class="o">||</span> <span class="n">acc</span><span class="o">.</span><span class="n">Balance</span> <span class="o">!=</span> <span class="m">0</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"unexpected account after Create(): %+v"</span><span class="p">,</span> <span class="n">acc</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Check Get() returns the same pointer</span> <span class="n">got</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">acc</span><span class="o">.</span><span class="n">ID</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"Get() failed: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">got</span> <span class="o">!=</span> <span class="n">acc</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="s">"Get() returned a different pointer than Create()"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestGetNotFound</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">repo</span> <span class="o">:=</span> <span class="n">NewMemory</span><span class="p">()</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="m">999</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="n">ErrNotFound</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"Get(999): want ErrNotFound, got %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestDepositSuccess</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">repo</span><span class="p">,</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">createTestRepo</span><span class="p">()</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Deposit</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="m">50</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"Deposit() error: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">got</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">if</span> <span class="n">got</span><span class="o">.</span><span class="n">Balance</span> <span class="o">!=</span> <span class="m">50</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"after Deposit, Balance = %f; want 50"</span><span class="p">,</span> <span class="n">got</span><span class="o">.</span><span class="n">Balance</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestDepositNegative</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">repo</span><span class="p">,</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">createTestRepo</span><span class="p">()</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Deposit</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="o">-</span><span class="m">10</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="n">ErrInvalidAmount</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"Deposit(-10): want ErrInvalidAmount, got %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestDepositNotFound</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">repo</span> <span class="o">:=</span> <span class="n">NewMemory</span><span class="p">()</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Deposit</span><span class="p">(</span><span class="m">999</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="n">ErrNotFound</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"Deposit on missing ID: want ErrNotFound, got %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestWithdrawSuccess</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">repo</span><span class="p">,</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">createTestRepo</span><span class="p">()</span> <span class="n">repo</span><span class="o">.</span><span class="n">Deposit</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="m">100</span><span class="p">)</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Withdraw</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="m">30</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"Withdraw() error: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">got</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">if</span> <span class="n">got</span><span class="o">.</span><span class="n">Balance</span> <span class="o">!=</span> <span class="m">70</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"after Withdraw, Balance = %f; want 70"</span><span class="p">,</span> <span class="n">got</span><span class="o">.</span><span class="n">Balance</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestWithdrawNegative</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">repo</span><span class="p">,</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">createTestRepo</span><span class="p">()</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Withdraw</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="o">-</span><span class="m">5</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="n">ErrInvalidAmount</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"Withdraw(-5): want ErrInvalidAmount, got %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestWithdrawNotFound</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">repo</span> <span class="o">:=</span> <span class="n">NewMemory</span><span class="p">()</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Withdraw</span><span class="p">(</span><span class="m">999</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="n">ErrNotFound</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"Withdraw on missing ID: want ErrNotFound, got %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestWithdrawInsufficientFund</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">repo</span><span class="p">,</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">createTestRepo</span><span class="p">()</span> <span class="n">repo</span><span class="o">.</span><span class="n">Deposit</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="m">20</span><span class="p">)</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Withdraw</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="m">50</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="n">ErrInsufficientFund</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"Withdraw(50) with only 20 balance: want ErrInsufficientFund, got %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// --- New tests for All() ---</span> <span class="k">func</span> <span class="n">TestAllEmpty</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">repo</span> <span class="o">:=</span> <span class="n">NewMemory</span><span class="p">()</span> <span class="n">list</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">All</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"All() on empty repo returned error: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">list</span><span class="p">)</span> <span class="o">!=</span> <span class="m">0</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"All() on empty repo = %d accounts; want 0"</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">list</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestAllSortedByID</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">repo</span> <span class="o">:=</span> <span class="n">NewMemory</span><span class="p">()</span> <span class="c">// Create three accounts; IDs will be 1,2,3</span> <span class="n">a</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Create</span><span class="p">(</span><span class="s">"Zeta"</span><span class="p">)</span> <span class="n">b</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Create</span><span class="p">(</span><span class="s">"Alpha"</span><span class="p">)</span> <span class="n">c</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Create</span><span class="p">(</span><span class="s">"Omega"</span><span class="p">)</span> <span class="n">list</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">All</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"All() returned error: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">list</span><span class="p">)</span> <span class="o">!=</span> <span class="m">3</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"All() = %d accounts; want 3"</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">list</span><span class="p">))</span> <span class="p">}</span> <span class="c">// Expect ascending ID order: [1,2,3]</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">acc</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">list</span> <span class="p">{</span> <span class="n">wantID</span> <span class="o">:=</span> <span class="kt">int64</span><span class="p">(</span><span class="n">i</span> <span class="o">+</span> <span class="m">1</span><span class="p">)</span> <span class="k">if</span> <span class="n">acc</span><span class="o">.</span><span class="n">ID</span> <span class="o">!=</span> <span class="n">wantID</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"All()[%d].ID = %d; want %d"</span><span class="p">,</span> <span class="n">i</span><span class="p">,</span> <span class="n">acc</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="n">wantID</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// Ensure pointers match the ones returned by Create</span> <span class="k">if</span> <span class="n">list</span><span class="p">[</span><span class="m">0</span><span class="p">]</span> <span class="o">!=</span> <span class="n">a</span> <span class="o">||</span> <span class="n">list</span><span class="p">[</span><span class="m">1</span><span class="p">]</span> <span class="o">!=</span> <span class="n">b</span> <span class="o">||</span> <span class="n">list</span><span class="p">[</span><span class="m">2</span><span class="p">]</span> <span class="o">!=</span> <span class="n">c</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="s">"All() did not preserve account pointers in ID order"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>bank-api\internal\service\service.go</strong><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">service</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"bank-api/internal/model"</span> <span class="s">"bank-api/internal/repository"</span> <span class="p">)</span> <span class="c">// Bank provides high-level business operations.</span> <span class="k">type</span> <span class="n">Bank</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">repo</span> <span class="o">*</span><span class="n">repository</span><span class="o">.</span><span class="n">MemoryRepo</span> <span class="p">}</span> <span class="c">// NewBank creates a Bank with the supplied repo.</span> <span class="k">func</span> <span class="n">NewBank</span><span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">repository</span><span class="o">.</span><span class="n">MemoryRepo</span><span class="p">)</span> <span class="o">*</span><span class="n">Bank</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">Bank</span><span class="p">{</span><span class="n">repo</span><span class="o">:</span> <span class="n">r</span><span class="p">}</span> <span class="p">}</span> <span class="c">// Open opens a new account.</span> <span class="k">func</span> <span class="p">(</span><span class="n">b</span> <span class="o">*</span><span class="n">Bank</span><span class="p">)</span> <span class="n">Open</span><span class="p">(</span><span class="n">name</span> <span class="kt">string</span><span class="p">)</span> <span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span> <span class="p">{</span> <span class="k">return</span> <span class="n">b</span><span class="o">.</span><span class="n">repo</span><span class="o">.</span><span class="n">Create</span><span class="p">(</span><span class="n">name</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Lookup fetches account.</span> <span class="k">func</span> <span class="p">(</span><span class="n">b</span> <span class="o">*</span><span class="n">Bank</span><span class="p">)</span> <span class="n">Lookup</span><span class="p">(</span><span class="n">id</span> <span class="kt">int64</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">b</span><span class="o">.</span><span class="n">repo</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Deposit adds amount.</span> <span class="k">func</span> <span class="p">(</span><span class="n">b</span> <span class="o">*</span><span class="n">Bank</span><span class="p">)</span> <span class="n">Deposit</span><span class="p">(</span><span class="n">id</span> <span class="kt">int64</span><span class="p">,</span> <span class="n">amt</span> <span class="kt">float64</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">b</span><span class="o">.</span><span class="n">repo</span><span class="o">.</span><span class="n">Deposit</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">amt</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Withdraw subtracts amount.</span> <span class="k">func</span> <span class="p">(</span><span class="n">b</span> <span class="o">*</span><span class="n">Bank</span><span class="p">)</span> <span class="n">Withdraw</span><span class="p">(</span><span class="n">id</span> <span class="kt">int64</span><span class="p">,</span> <span class="n">amt</span> <span class="kt">float64</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">b</span><span class="o">.</span><span class="n">repo</span><span class="o">.</span><span class="n">Withdraw</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">amt</span><span class="p">)</span> <span class="p">}</span> <span class="c">// All fetches all accounts.</span> <span class="k">func</span> <span class="p">(</span><span class="n">b</span> <span class="o">*</span><span class="n">Bank</span><span class="p">)</span> <span class="n">All</span><span class="p">()</span> <span class="p">([]</span><span class="o">*</span><span class="n">model</span><span class="o">.</span><span class="n">Account</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">b</span><span class="o">.</span><span class="n">repo</span><span class="o">.</span><span class="n">All</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>bank-api\internal\service\service_test.go</strong><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">service</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"bank-api/internal/repository"</span> <span class="s">"testing"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">newBank</span><span class="p">()</span> <span class="o">*</span><span class="n">Bank</span> <span class="p">{</span> <span class="k">return</span> <span class="n">NewBank</span><span class="p">(</span><span class="n">repository</span><span class="o">.</span><span class="n">NewMemory</span><span class="p">())</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestDepositWithdrawFlow</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">b</span> <span class="o">:=</span> <span class="n">newBank</span><span class="p">()</span> <span class="n">acc</span> <span class="o">:=</span> <span class="n">b</span><span class="o">.</span><span class="n">Open</span><span class="p">(</span><span class="s">"Alice"</span><span class="p">)</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">b</span><span class="o">.</span><span class="n">Deposit</span><span class="p">(</span><span class="n">acc</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="m">100</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"deposit error: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">b</span><span class="o">.</span><span class="n">Withdraw</span><span class="p">(</span><span class="n">acc</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="m">30</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"withdraw error: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">got</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">b</span><span class="o">.</span><span class="n">Lookup</span><span class="p">(</span><span class="n">acc</span><span class="o">.</span><span class="n">ID</span><span class="p">)</span> <span class="k">if</span> <span class="n">got</span><span class="o">.</span><span class="n">Balance</span> <span class="o">!=</span> <span class="m">70</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"expected balance 70 got %f"</span><span class="p">,</span> <span class="n">got</span><span class="o">.</span><span class="n">Balance</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestInvalidAmount</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">b</span> <span class="o">:=</span> <span class="n">newBank</span><span class="p">()</span> <span class="n">acc</span> <span class="o">:=</span> <span class="n">b</span><span class="o">.</span><span class="n">Open</span><span class="p">(</span><span class="s">"Bob"</span><span class="p">)</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">b</span><span class="o">.</span><span class="n">Deposit</span><span class="p">(</span><span class="n">acc</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="o">-</span><span class="m">1</span><span class="p">);</span> <span class="n">err</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="s">"expected error on negative deposit"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestInsufficientFund</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">b</span> <span class="o">:=</span> <span class="n">newBank</span><span class="p">()</span> <span class="n">acc</span> <span class="o">:=</span> <span class="n">b</span><span class="o">.</span><span class="n">Open</span><span class="p">(</span><span class="s">"Charlie"</span><span class="p">)</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">b</span><span class="o">.</span><span class="n">Withdraw</span><span class="p">(</span><span class="n">acc</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="m">10</span><span class="p">);</span> <span class="n">err</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="s">"expected insufficient funds error"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>bank-api\go.mod</strong><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module bank-api go 1.22 </code></pre> </div> <blockquote> <p><strong>bank-api/.gitlab-ci.yml</strong><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker:dind</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">DOCKER_HOST</span><span class="pi">:</span> <span class="s">tcp://docker:2375/</span> <span class="na">DOCKER_TLS_CERTDIR</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">GO_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.24.3"</span> <span class="na">GIT_DEPTH</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">.go-job-template</span><span class="pi">:</span> <span class="nl">&amp;go-job-template</span> <span class="na">image</span><span class="pi">:</span> <span class="s">debian:bullseye</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt update &amp;&amp; apt install -y curl git tar gzip</span> <span class="pi">-</span> <span class="s">curl -LO https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">rm -rf /usr/local/go &amp;&amp; tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go version</span> </code></pre> </div> <p><strong>How it works:</strong></p> <ul> <li> Installs <code>golint</code> using Go’s install command directly in the pipeline.</li> <li> Updates your system’s <code>PATH</code> so the <code>golint</code> binary can be used right away.</li> <li> Searches for all <code>.go</code> files in your project (just for info).</li> <li> Runs <code>golint</code> on your entire codebase and saves the output to <code>lint-report.txt</code>.</li> <li> Shows a quick preview of the lint report in the job logs—even if the report is empty, you’ll get a message.</li> <li> Marks the job as <strong>optional</strong> (<code>allow_failure: true</code>), so lint warnings won’t break your pipeline while you’re still getting set up.</li> <li> Stores the lint report as an artifact, so you can view or download it from GitLab after the pipeline completes.</li> </ul> <p><strong>Viewing lint results:</strong><br> After the pipeline runs, open the pipeline details, click on the <strong>lint job</strong>, and download or preview <code>lint-report.txt</code> to see your linting feedback.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fegh5jq0xb1zfsvz54mbl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fegh5jq0xb1zfsvz54mbl.png" alt="This picture are from my other project but you will see something similar here" width="800" height="454"></a></p> <h2> <strong>Step 3: Automated Testing with Coverage</strong> </h2> <p><strong>Why test with coverage?</strong><br> Tests make sure your code works as expected. Coverage shows what percent of your code is tested.</p> <h3> <strong>Add a Test and Coverage Job</strong> </h3> <p>Add this job under the <code>test</code> stage in <code>.gitlab-ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">unit_test_and_coverage</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">test</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go mod tidy</span> <span class="pi">-</span> <span class="s">go test -v -cover ./...</span> <span class="pi">-</span> <span class="s">go test -v -coverprofile=coverage.out ./...</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">coverage.out</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> </code></pre> </div> <blockquote> <p>README.md <br> <a href="https://dev.to/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-readmemd-5e6c">README.md</a></p> </blockquote> <h3> How it works: </h3> <ul> <li>Runs all your unit tests with detailed output, so you can see exactly what’s happening.</li> <li>Calculates your test coverage and prints it right in the pipeline logs.</li> <li>Generates a coverage.out file, which is saved as an artifact—handy for later steps like code quality checks or security scans.</li> </ul> <h4> Where to find it: </h4> <p>After the pipeline finishes, click into the test job to check the logs and download coverage.out if you want a closer look.</p> <h2> <strong>How Artifacts are Shared</strong> </h2> <p>GitLab <strong>artifacts</strong> let you share files between jobs. For example, the <code>coverage.out</code> file will be used by SAST tools in the next episode.</p> <ul> <li> <strong>Lint job</strong> produces <code>lint-report.txt</code> </li> <li> <strong>Test job</strong> produces <code>coverage.out</code> </li> <li>Both are available for download and use in later jobs</li> </ul> <h2> <strong>Tips &amp; Best Practices</strong> </h2> <ul> <li> <strong>allow_failure: true</strong> lets you try linting without breaking the pipeline if there are issues. This is great for beginners or teams just getting started.</li> <li>Always review lint and test results! Fixing issues early saves lots of pain later.</li> <li>Keep your pipeline simple at first—add complexity as you go.</li> </ul> <p>And when you merge everything together, It will look like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker:dind</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">DOCKER_HOST</span><span class="pi">:</span> <span class="s">tcp://docker:2375/</span> <span class="na">DOCKER_TLS_CERTDIR</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">GO_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.24.3"</span> <span class="na">GIT_DEPTH</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint</span> <span class="pi">-</span> <span class="s">test</span> <span class="pi">-</span> <span class="s">sast</span> <span class="na">.go-job-template</span><span class="pi">:</span> <span class="nl">&amp;go-job-template</span> <span class="na">image</span><span class="pi">:</span> <span class="s">debian:bullseye</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt update &amp;&amp; apt install -y curl git tar gzip</span> <span class="pi">-</span> <span class="s">curl -LO https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">rm -rf /usr/local/go &amp;&amp; tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go version</span> <span class="na">lint_golint</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">lint</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go install golang.org/x/lint/golint@latest</span> <span class="pi">-</span> <span class="s">export PATH="$PATH:$(go env GOPATH)/bin"</span> <span class="pi">-</span> <span class="s">echo "Linting files:"</span> <span class="pi">-</span> <span class="s">find . -name '*.go'</span> <span class="pi">-</span> <span class="s">golint ./... | tee lint-report.txt</span> <span class="pi">-</span> <span class="s">echo "--- Lint report preview ---"</span> <span class="pi">-</span> <span class="s">cat lint-report.txt || echo "lint-report.txt is empty"</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">golint-report"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lint-report.txt</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 week</span> <span class="na">unit_test_and_coverage</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">test</span> <span class="na">&lt;&lt;</span><span class="pi">:</span> <span class="nv">*go-job-template</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export PATH="/usr/local/go/bin:$PATH"</span> <span class="pi">-</span> <span class="s">go mod tidy</span> <span class="pi">-</span> <span class="s">go test -v -cover ./...</span> <span class="pi">-</span> <span class="s">go test -v -coverprofile=coverage.out ./...</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">coverage.out</span> <span class="na">expire_in</span><span class="pi">:</span> <span class="s">1 hour</span> </code></pre> </div> <h2> <strong>Pipeline Example</strong> </h2> <p>Here’s what your pipeline might look like after adding these jobs:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F42zakk0xb7lk96rtbz3j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F42zakk0xb7lk96rtbz3j.png" alt=" " width="800" height="269"></a></p> <h2> <strong>Preview: Next Episode</strong> </h2> <p>Awesome! You now have a Go project with real code, automatic style checks, and testing with coverage—all running in GitLab CI/CD.</p> <p>In the next episode, we’ll:</p> <ul> <li>Add <strong>SonarQube</strong> to check your code for bugs and security issues</li> <li>Use your coverage reports to get even better insights</li> </ul> <p>Stay tuned, and happy coding!</p> Building, Securing, and Deploying a Go App with GitLab CI/CD EP 1: Getting Started with GitLab CI/CD and Docker-in-Docker Booranasak Kanthong Fri, 01 Aug 2025 09:23:22 +0000 https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-1-getting-started-with-gitlab-272e https://forem.com/mirrorsan/building-securing-and-deploying-a-go-app-with-gitlab-cicd-ep-1-getting-started-with-gitlab-272e <h2> <strong>Introduction</strong> </h2> <p>Welcome to the first episode of our CI/CD journey!<br> In this guide, I’ll help you understand how to automate your software development using <strong>GitLab CI/CD</strong>. We’ll also talk about a key concept called <strong>Docker-in-Docker</strong>—but don’t worry, I’ll break everything down in simple steps.</p> <p>By the end of this post, you’ll know:</p> <ul> <li>What GitLab CI/CD is and why it’s useful</li> <li>What a pipeline is (and why we need one)</li> <li>How Docker and Docker-in-Docker help us build and test code in CI/CD</li> </ul> <p>Ready? Let’s dive in!</p> <h2> <strong>1. What is GitLab CI/CD?</strong> </h2> <p><strong>CI/CD</strong> stands for <strong>Continuous Integration and Continuous Deployment</strong>.<br> It’s a way to automate all those repetitive tasks that happen after you push code—like checking for errors, running tests, and even deploying your app.</p> <p><strong>GitLab CI/CD</strong> is a feature of <a href="https://about.gitlab.com/" rel="noopener noreferrer">GitLab</a> (a platform for hosting your code), which lets you build these automation “pipelines” right alongside your code.</p> <p><strong>Why use it?</strong></p> <ul> <li> <strong>Saves time</strong>: No more manual testing or deployment</li> <li> <strong>Catches bugs early</strong>: Automated checks run every time you push code</li> <li> <strong>Works for every project</strong>: From small scripts to big apps</li> </ul> <h2> <strong>2. What is a Pipeline?</strong> </h2> <p>A <strong>pipeline</strong> is just a series of steps (called “jobs”) that run automatically every time you push code.<br> Each job does one thing—like checking your code style, running tests, or building your app.</p> <p>Think of a pipeline like a factory assembly line:</p> <ul> <li>First, your code is checked for errors</li> <li>Next, it’s tested</li> <li>Then, it’s built and sent where it needs to go</li> </ul> <p>Here’s what a simple pipeline might look like:</p> <ul> <li> <strong>Lint</strong>: Check your code style</li> <li> <strong>Test</strong>: Run your tests</li> <li> <strong>Build</strong>: Make your app ready to run</li> <li> <strong>Deploy</strong>: Send your app to a server</li> </ul> <p>In GitLab, you control your pipeline with a special file called <code>.gitlab-ci.yml</code>.</p> <h2> <strong>3. What is Docker and Docker-in-Docker?</strong> </h2> <p><strong>Docker</strong> is a tool that lets you package your app and everything it needs to run (like code, settings, libraries) into a “container.”<br> Containers are like lightweight, portable computers for your app—they make sure it runs the same way everywhere.</p> <p><strong>Docker-in-Docker (DinD)</strong><br> Usually, Docker runs on your computer or server. But in CI/CD, you often need to use Docker <em>inside</em> another Docker container—this is called <strong>Docker-in-Docker</strong>.</p> <p><strong>Why do we use it in CI/CD?</strong></p> <ul> <li>So the pipeline can build, test, and run containers automatically—without needing a full server for each job</li> <li>It keeps your builds isolated and clean</li> </ul> <p><strong>Visual Example:</strong><br> Imagine a Russian nesting doll—one Docker container (the CI job) runs another Docker container (your app or build).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fziqwuentvu0govlweruw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fziqwuentvu0govlweruw.png" alt=" " width="800" height="1200"></a></p> <h3> Breakdown of the Image </h3> <ul> <li><p>Big Blue Creature (CI Job):<br> Represents a CI (Continuous Integration) job or runner. In most CI/CD platforms (like GitLab CI, GitHub Actions, Jenkins, etc.), jobs are executed in containers or virtual machines.</p></li> <li><p>Small Docker Whale Inside:<br> Inside the CI job, you see the familiar Docker whale. This shows that the CI job itself is running a Docker daemon inside the CI environment.</p></li> <li><p>Containers/Blocks Inside the Whale:<br> These represent your app or build containers, which are being created and managed inside this inner Docker daemon.</p></li> </ul> <p><strong>Note:</strong><br> Docker-in-Docker is super useful, but it does have some security considerations. For beginner projects, it’s usually just fine!</p> <h2> <strong>4. Setting Up Your GitLab Project</strong> </h2> <p>Let’s get started step by step:</p> <h3> <strong>A. Create a New Project</strong> </h3> <p><strong>4.1.1) Go to <a href="https://gitlab.com/" rel="noopener noreferrer">GitLab</a> and log in (sign up if you don’t have an account).</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Funvsyj8vi7jhuff9gat1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Funvsyj8vi7jhuff9gat1.png" alt=" " width="634" height="478"></a></p> <p><strong>4.1.2) Click the **“New project”</strong> button.**<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkxwuoo3ypjz1ngrcijv9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkxwuoo3ypjz1ngrcijv9.png" alt=" " width="800" height="120"></a></p> <p><strong>4.1.3) Select how you want to create your project</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnou9yaj9d4sbdws8z39q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnou9yaj9d4sbdws8z39q.png" alt=" " width="800" height="408"></a></p> <p><strong>4.1.4) Name your project and choose your settings (public or private).</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhz4dpcyz17zflnmo798s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhz4dpcyz17zflnmo798s.png" alt=" " width="800" height="445"></a></p> <h3> <strong>B. Push Your Local Project to GitLab</strong> </h3> <p>Now that your project is created, let’s upload your code from your computer to GitLab.</p> <p><strong>4.2.1) Open your terminal and navigate to your project folder</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">cd </span>path/to/your/project </code></pre> </div> <p><strong>4.2.2) Initialize a Git repository (if you haven’t already):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git init </code></pre> </div> <p><strong>4.2.3) Add the GitLab repository as a remote:</strong><br> Replace <code>YOUR-USERNAME</code> and <code>YOUR-PROJECT</code> with your actual GitLab info.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git remote add origin https://gitlab.com/YOUR-USERNAME/YOUR-PROJECT.git </code></pre> </div> <p><strong>4.2.4) Change branch master to main</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git branch <span class="nt">-M</span> main </code></pre> </div> <p>Optional If your Auto generate Gitlab repo have readme.md you can pull it down and have it modifies before push it back as well<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git pull origin YOUR-PROJECT-BRANCH </code></pre> </div> <p>For example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git pull origin develop </code></pre> </div> <p><strong>4.2.5) Add, commit, and push your code:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git add <span class="nb">.</span> git commit <span class="nt">-m</span> <span class="s2">"Initial commit"</span> git push <span class="nt">-u</span> origin master </code></pre> </div> <p><strong>That’s it!</strong> Your code is now on GitLab, and you’re ready to start using CI/CD.</p> <h3> <strong>C. Explore the Interface</strong> </h3> <ul> <li>The sidebar lets you see your code, pipelines, CI/CD, and more.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgd2qsr9t74oweydm1wcp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgd2qsr9t74oweydm1wcp.png" alt=" " width="260" height="700"></a></p> <ul> <li>Under “Build”, you’ll see pipelines and jobs as you build them.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F10zorhmdftefsjk8h3g6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F10zorhmdftefsjk8h3g6.png" alt=" " width="260" height="860"></a></p> <h2> <strong>5. Your First <code>.gitlab-ci.yml</code> File</strong> </h2> <p>This file tells GitLab how to run your pipeline.<br> Let’s start with a basic version that just runs Docker commands (using Docker-in-Docker):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">docker:latest</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker:dind</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build</span> <span class="na">build_image</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">build</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Hello from inside Docker-in-Docker!"</span> <span class="pi">-</span> <span class="s">docker version</span> <span class="pi">-</span> <span class="s">docker info</span> </code></pre> </div> <ul> <li> <code>image: docker:latest</code>: Use Docker in the pipeline.</li> <li> <code>services: - docker:dind</code>: Start the Docker-in-Docker service so we can use Docker commands.</li> <li> <code>stages: - build</code>: We’ll just have a build stage for now.</li> <li>The job <code>build_image</code> just prints out Docker info to show it works.</li> </ul> <p><strong>How to use:</strong></p> <ol> <li>Copy and paste this into a file called <code>.gitlab-ci.yml</code> in the root of your project.</li> <li>Commit and push your code.</li> <li>Go to your project’s <strong>CI/CD → Pipelines</strong> page and watch your first pipeline run!</li> </ol> <h2> <strong>6. What’s Next?</strong> </h2> <p>Now you’ve created your first pipeline and learned what Docker-in-Docker is all about!</p> <p>In the next episode, we’ll:</p> <ul> <li>Set up Go on the pipeline</li> <li>Add linting to automatically check your code style</li> <li>Store and view lint reports</li> </ul> <p>Stay tuned—and congrats on starting your CI/CD journey!</p> Pulling Docker Images from Google Artifact Registry (GAR) in GitLab CI/CD Booranasak Kanthong Fri, 25 Jul 2025 03:12:46 +0000 https://forem.com/mirrorsan/pulling-docker-images-from-google-artifact-registry-gar-in-gitlab-cicd-fme https://forem.com/mirrorsan/pulling-docker-images-from-google-artifact-registry-gar-in-gitlab-cicd-fme <h3> Step 1: Activate a Google Cloud Service Account for Secure CI/CD on Linux </h3> <p>When working with cloud-native CI/CD pipelines or Dockerized workloads on Google Cloud Platform (GCP), you often need a service account to authenticate your scripts or tools like gcloud, Docker, or Terraform. In this post, we’ll walk through how to activate a service account using a JSON key file on a Linux machine — the foundational step to enabling automated, authenticated access to GCP resources.</p> <p><strong>This guide is particularly useful if:</strong></p> <ul> <li>You're running a self-hosted GitLab Runner</li> <li>You want to pull private images from Google Artifact Registry</li> <li>You need secure access to GCP from a server or VM</li> </ul> <p>Step 1: Prerequisites<br> Before starting, make sure you have:</p> <ul> <li>A Linux machine (e.g., GCP VM, local server)</li> <li>gcloud CLI installed (see <a href="https://cloud.google.com/sdk/docs/install" rel="noopener noreferrer">official docs</a> if not)</li> <li>A service account JSON key file, e.g.: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>escian-bb074f590610.json </code></pre> </div> <blockquote> <p>Your key name will be different from mine.</p> </blockquote> <p><strong>Place this file somewhere secure — for example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/etc/gitlab-runner/escian-bb074f590610.json </code></pre> </div> <blockquote> <p>Don't put this on <code>tmp</code> folder because It gets <strong>wiped on reboot</strong> or by system cleanup jobs</p> </blockquote> <h3> Step 2: Activate the Service Account </h3> <p><strong>Use the following command to activate your service account:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gcloud auth activate-service-account --key-file=/etc/gitlab-runner/escian-bb074f590610.json </code></pre> </div> <p><strong>If successful, you'll see:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Activated service account credentials for: [your-service-account@your-project.iam.gserviceaccount.com] </code></pre> </div> <blockquote> <p>Your key file name will likely be different from mine. Adjust the path as needed.</p> </blockquote> <p><strong>How to Check Which User GitLab Runner Uses</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ps -o user:20,pid,cmd -C gitlab-runner </code></pre> </div> <p><strong>If you see something like this:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>USER PID CMD root 435 /usr/bin/gitlab-runner run ... </code></pre> </div> <p>Then GitLab Runner is running as <code>root</code>, and you must activate and configure Docker as root.</p> <p><strong>To Auth as root, do this:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo su - gcloud auth activate-service-account --key-file=/etc/gitlab-runner/your-key.json gcloud auth configure-docker asia-southeast1-docker.pkg.dev </code></pre> </div> <blockquote> <p>This writes credentials to /root/.docker/config.json, where the runner (running as root) can access them.</p> </blockquote> <h3> In shot, Runner and Auth User Must Match </h3> <blockquote> <p>GitLab Runner uses the Docker config of the user it runs as. So you must activate the service account and run gcloud auth configure-docker as that same user.</p> </blockquote> <p>Otherwise, your CI jobs will fail to pull private images — even though your manual tests "worked fine" under a different user.</p> GAR Cloud on GCP VM Booranasak Kanthong Tue, 22 Jul 2025 11:14:22 +0000 https://forem.com/mirrorsan/gar-cloud-on-gcp-vm-4m7e https://forem.com/mirrorsan/gar-cloud-on-gcp-vm-4m7e <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp42n2qzg8zpnf1zo5jca.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp42n2qzg8zpnf1zo5jca.png" alt=" " width="800" height="800"></a></p> <p>summary of the commands and steps I executed - until I have successfully pulled Docker images from Google Artifact Registry (GAR):</p> <h2> <strong>Final Outcome</strong> </h2> <p>You successfully pulled:</p> <ul> <li><code>asia-southeast1-docker.pkg.dev/escian/todoapp/hello-app:1.0</code></li> <li><code>asia-southeast1-docker.pkg.dev/escian/booranasak-artifact-registry-docker/fastapi-app:v1</code></li> </ul> <h2> 📜 Step-by-Step Command Summary </h2> <h3> 🔸 1. <strong>Initial Setup Attempts</strong> </h3> <ul> <li>Tried interactive login (but canceled): </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> gcloud auth login gcloud init </code></pre> </div> <h3> 🔸 2. <strong>Created and Prepared Service Account</strong> </h3> <ul> <li>Saved service account credentials to <code>escian-bb074f590610.json</code> </li> <li>Confirmed it’s the correct service account for GAR access: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"client_email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"escian-devops-artifact@escian.iam.gserviceaccount.com"</span><span class="w"> </span></code></pre> </div> <h3> 🔸 3. <strong>Activated the Service Account</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud auth activate-service-account <span class="nt">--key-file</span><span class="o">=</span>escian-bb074f590610.json </code></pre> </div> <blockquote> <p>✅ This set the service account as the active credential.</p> </blockquote> <h3> 🔸 4. <strong>Set GCP Project (Partial Success)</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud config <span class="nb">set </span>project escian </code></pre> </div> <blockquote> <p>⚠️ Warned that <strong>Cloud Resource Manager API</strong> was disabled (can ignore for image pull).</p> </blockquote> <h3> 🔸 5. <strong>Configured Docker to Authenticate with GAR</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud auth configure-docker asia-southeast1-docker.pkg.dev <span class="nt">--quiet</span> </code></pre> </div> <blockquote> <p>✅ This added the necessary section to <code>~/.docker/config.json</code>:<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"credHelpers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"asia-southeast1-docker.pkg.dev"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gcloud"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 🔸 6. <strong>Verified Docker Credential Helper</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-credential-gcloud list </code></pre> </div> <blockquote> <p>🟡 Note: <code>asia-southeast1-docker.pkg.dev</code> is NOT shown here – but that's expected because <code>docker-credential-gcloud</code> doesn’t show Artifact Registry entries.</p> </blockquote> <h3> 🔸 7. <strong>First Pull Attempts (Failed)</strong> </h3> <p>You ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker pull asia-southeast1-docker.pkg.dev/escian/booranasak-artifact-registry-docker/fastapi-app:v1 </code></pre> </div> <blockquote> <p>❌ Failed with: <code>Unauthenticated request</code> — this was before proper configuration.</p> </blockquote> <h3> 🔸 8. <strong>Final Successful Pulls</strong> </h3> <p>Once everything was configured:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker pull asia-southeast1-docker.pkg.dev/escian/todoapp/hello-app:1.0 docker pull asia-southeast1-docker.pkg.dev/escian/booranasak-artifact-registry-docker/fastapi-app:v1 </code></pre> </div> <blockquote> <p>✅ Both images pulled successfully!</p> </blockquote> <h2> 🧠 Lessons Learned / Tips </h2> <ul> <li> <code>gcloud auth configure-docker</code> + <code>gcloud auth activate-service-account</code> is enough if the service account has permission.</li> <li> <strong>No need for <code>docker login</code> manually</strong> if Docker reads from <code>~/.docker/config.json</code> via <code>credHelpers</code>.</li> <li> <code>docker-credential-gcloud list</code> doesn’t reflect Artifact Registry — don't rely on it for GAR validation.</li> <li>If all fails, use: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> gcloud auth print-access-token | docker login <span class="nt">-u</span> oauth2accesstoken <span class="nt">--password-stdin</span> https://asia-southeast1-docker.pkg.dev </code></pre> </div>