From 093b2952533f77c7fadc8ff940cba97e8a28cc42 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Wed, 2 Nov 2022 21:00:56 +0000 Subject: [PATCH] enable trivy scan --- Dockerfile | 13 +------------ Jenkinsfile | 38 +++++++++++++++++++++++++++++++++++++- 2 files changed, 38 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2ccff3c..bde2679 100644 --- a/Dockerfile +++ b/Dockerfile @@ -69,21 +69,10 @@ RUN update-ca-trust extract # To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it). ##### ENV TIER_BEACON_OPT_OUT True -# Install Corretto Java JDK (newer more arch independent way) +# Install Corretto Java JDK (from Amazon repo, more arch independent) RUN rpm --import https://yum.corretto.aws/corretto.key \ && curl -L -o /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo \ && yum install -y java-11-amazon-corretto-devel - -##### # Install Corretto Java JDK -##### #Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/downloads-list.html -##### ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-aarch64-linux-jdk.rpm -##### ARG CORRETTO_RPM=amazon-corretto-11-aarch64-linux-jdk.rpm -##### COPY container_files/java-corretto/corretto-signing-key.pub . -##### RUN curl -O -L $CORRETTO_URL_PERM \ -##### && rpm --import corretto-signing-key.pub \ -##### && rpm -K $CORRETTO_RPM \ -##### && rpm -i $CORRETTO_RPM \ -##### && rm -r corretto-signing-key.pub $CORRETTO_RPM ENV JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto # Copy IdP installer properties file(s) diff --git a/Jenkinsfile b/Jenkinsfile index 20644dd..c519310 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -89,7 +89,43 @@ pipeline { } } } - + stage('Scan') { + steps { + script { + try { + echo "Starting security scan..." + // Install trivy and HTML template + sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.31.1' + sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl' + + // Scan container for all vulnerability levels + echo "Scanning for all vulnerabilities..." + sh 'mkdir -p reports' + sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:latest" + publishHTML target : [ + allowMissing: true, + alwaysLinkToLastBuild: true, + keepAll: true, + reportDir: 'reports', + reportFiles: 'container-scan.html', + reportName: 'Security Scan', + reportTitles: 'Security Scan' + ] + + // Scan again and fail on CRITICAL vulns + //below is temporarily commented to prevent build from failing + //echo "Scanning for CRITICAL vulnerabilities only..." + //sh 'trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:latest' + echo "Skipping scan for CRITICAL vulnerabilities (temporary)..." + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } stage('Push') { steps { script {