Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
ShibbIdP_ConfigBuilder_Container/Jenkinsfile
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
174 lines (166 sloc)
8.54 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pipeline { | |
agent { node { label 'docker-multi-arch' } } | |
environment { | |
maintainer = "t" | |
imagename = 's' | |
tag = 'l' | |
DOCKERHUBPW=credentials('tieradmin-dockerhub-pw') | |
} | |
stages { | |
stage('Setting build context') { | |
steps { | |
script { | |
maintainer = maintain() | |
imagename = imagename() | |
if(env.BRANCH_NAME == "master") { | |
tag = "latest" | |
} else { | |
tag = env.BRANCH_NAME.toLowerCase() | |
} | |
if(!imagename){ | |
echo "You must define an imagename in common.bash" | |
currentBuild.result = 'FAILURE' | |
} | |
sh 'mkdir -p tmp && mkdir -p bin' | |
dir('tmp'){ | |
git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ]) | |
sh 'rm -rf ../bin/*' | |
sh 'mv ./bin/* ../bin/.' | |
} | |
// Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing. | |
// We don't care if there are more 'tag' assignments there. The latest one wins. | |
sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash" | |
} | |
} | |
} | |
stage('Clean') { | |
steps { | |
script { | |
try{ | |
sh 'bin/destroy.sh >> debug' | |
} catch(error) { | |
def error_details = readFile('./debug'); | |
def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}" | |
sh "rm -f ./debug" | |
handleError(message) | |
} | |
} | |
} | |
} | |
stage('Build') { | |
steps { | |
script { | |
try{ | |
sh 'docker login -u tieradmin -p $DOCKERHUBPW' | |
// fails if already exists | |
// sh 'docker buildx create --use --name multiarch --append' | |
sh 'docker buildx inspect --bootstrap' | |
sh 'docker buildx ls' | |
sh "docker buildx build --platform linux/amd64 -t ${imagename}_${tag} --load ." | |
sh "docker buildx build --platform linux/arm64 -t ${imagename}_${tag}:arm64 --load ." | |
} catch(error) { | |
def error_details = readFile('./debug'); | |
def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}" | |
sh "rm -f ./debug" | |
handleError(message) | |
} | |
} | |
} | |
} | |
stage('Scan') { | |
steps { | |
script { | |
try { | |
echo "Starting security scan..." | |
// Install trivy and HTML template | |
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1' | |
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl' | |
// Scan container for all vulnerability levels | |
echo "Scanning for all vulnerabilities..." | |
sh 'mkdir -p reports' | |
// 2 commented scans below are OS-only, in case timeout issues occur | |
sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}" | |
// sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}" | |
sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64" | |
// sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64" | |
publishHTML target : [ | |
allowMissing: true, | |
alwaysLinkToLastBuild: true, | |
keepAll: true, | |
reportDir: 'reports', | |
reportFiles: 'container-scan.html', | |
reportName: 'Security Scan', | |
reportTitles: 'Security Scan' | |
] | |
publishHTML target : [ | |
allowMissing: true, | |
alwaysLinkToLastBuild: true, | |
keepAll: true, | |
reportDir: 'reports', | |
reportFiles: 'container-scan-arm.html', | |
reportName: 'Security Scan (ARM)', | |
reportTitles: 'Security Scan (ARM)' | |
] | |
// Scan again and fail on CRITICAL vulns | |
//below can be temporarily commented to prevent build from failing | |
echo "Scanning for CRITICAL vulnerabilities only (fatal)..." | |
// 2 scans below are temp (os scan only, no lib scan), while timeout issues are worked | |
// sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}" | |
// sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64" | |
sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}" | |
sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64" | |
//echo "Skipping scan for CRITICAL vulnerabilities (temporary)..." | |
} catch(error) { | |
def error_details = readFile('./debug'); | |
def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}" | |
sh "rm -f ./debug" | |
handleError(message) | |
} | |
} | |
} | |
} | |
stage('Push') { | |
steps { | |
script { | |
sh 'docker login -u tieradmin -p $DOCKERHUBPW' | |
// fails if already exists | |
// sh 'docker buildx create --use --name multiarch --append' | |
sh 'docker buildx inspect --bootstrap' | |
sh 'docker buildx ls' | |
echo "Pushing image to dockerhub..." | |
sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} ." | |
} | |
} | |
} | |
stage('Notify') { | |
steps{ | |
echo "$maintainer" | |
slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub" | |
} | |
} | |
} | |
post { | |
always { | |
echo 'Done Building.' | |
} | |
failure { | |
// slackSend color: 'good', message: "Build failed" | |
handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.") | |
} | |
} | |
} | |
def maintain() { | |
def matcher = readFile('common.bash') =~ 'maintainer="(.+)"' | |
matcher ? matcher[0][1] : 'tier' | |
} | |
def imagename() { | |
def matcher = readFile('common.bash') =~ 'imagename="(.+)"' | |
matcher ? matcher[0][1] : null | |
} | |
def handleError(String message){ | |
echo "${message}" | |
currentBuild.setResult("FAILED") | |
slackSend color: 'danger', message: "${message}" | |
//step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true]) | |
sh 'exit 1' | |
} | |