enable trivy scan

docker · Nov 2, 2022 · 093b295 · 093b295
1 parent e8ab3c2
commit 093b295
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 13 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -69,21 +69,10 @@ RUN update-ca-trust extract
 # To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it).
 #####     ENV TIER_BEACON_OPT_OUT True
 
-# Install Corretto Java JDK (newer more arch independent way)
+# Install Corretto Java JDK (from Amazon repo, more arch independent)
 RUN rpm --import https://yum.corretto.aws/corretto.key \
     && curl -L -o /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo \
     && yum install -y java-11-amazon-corretto-devel
-
-##### # Install Corretto Java JDK
-##### #Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/downloads-list.html
-##### ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-aarch64-linux-jdk.rpm
-##### ARG CORRETTO_RPM=amazon-corretto-11-aarch64-linux-jdk.rpm
-##### COPY container_files/java-corretto/corretto-signing-key.pub .
-##### RUN curl -O -L $CORRETTO_URL_PERM \
-#####     && rpm --import corretto-signing-key.pub \
-#####     && rpm -K $CORRETTO_RPM \
-#####     && rpm -i $CORRETTO_RPM \
-#####     && rm -r corretto-signing-key.pub $CORRETTO_RPM
 ENV JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto
 
 # Copy IdP installer properties file(s)

diff --git a/Jenkinsfile b/Jenkinsfile
@@ -89,7 +89,43 @@ pipeline {
                 }    
              }
         }
-
+        stage('Scan') {
+            steps {
+                script {
+                   try {
+                         echo "Starting security scan..."
+                         // Install trivy and HTML template
+                         sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.31.1'
+                         sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
+
+                         // Scan container for all vulnerability levels
+                         echo "Scanning for all vulnerabilities..."
+                         sh 'mkdir -p reports'
+                         sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:latest"
+                         publishHTML target : [
+                             allowMissing: true,
+                             alwaysLinkToLastBuild: true,
+                             keepAll: true,
+                             reportDir: 'reports',
+                             reportFiles: 'container-scan.html',
+                             reportName: 'Security Scan',
+                             reportTitles: 'Security Scan'
+                          ]
+
+                         // Scan again and fail on CRITICAL vulns
+                         //below is temporarily commented to prevent build from failing
+                         //echo "Scanning for CRITICAL vulnerabilities only..."
+                         //sh 'trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:latest'
+                         echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
+                   } catch(error) {
+                           def error_details = readFile('./debug');
+                           def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
+                           sh "rm -f ./debug"
+                           handleError(message)
+                   }
+                }
+            }
+        }
         stage('Push') {
             steps {
                 script {