tweak image scanning

docker · Nov 3, 2022 · 30a4548 · 30a4548
1 parent afcd5c4
commit 30a4548
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -60,7 +60,7 @@ pipeline {
                         sh 'docker buildx ls'
                         sh 'docker buildx build --platform linux/amd64 -t shib-idp  .'
                         sh 'docker buildx build --platform linux/arm64 -t shib-idp:arm64 .'
-                        sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t i2incommon/shib-idp:$tag ."
+                        sh 'docker buildx build --push --platform linux/arm64,linux/amd64 -t i2incommon/shib-idp:$tag .'
                         // test the environment 
                         // sh 'cd test-compose && ./compose.sh'
                         // bring down after testing
@@ -102,7 +102,8 @@ pipeline {
                          // Scan container for all vulnerability levels
                          echo "Scanning for all vulnerabilities..."
                          sh 'mkdir -p reports'
-                         sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:latest"
+                         sh 'docker pull ${maintainer}/${imagename}:${tag}'
+                         sh 'trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template \'@html.tpl\' -o reports/container-scan.html ${maintainer}/${imagename}:${tag}'
                          publishHTML target : [
                              allowMissing: true,
                              alwaysLinkToLastBuild: true,
@@ -115,8 +116,8 @@ pipeline {
 
                          // Scan again and fail on CRITICAL vulns
                          //below can be temporarily commented to prevent build from failing
-                         echo "Scanning for CRITICAL vulnerabilities onlyi (fatal)..."
-                         sh 'trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:latest'
+                         echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
+                         sh 'trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:${tag}'
                          //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
                    } catch(error) {
                            def error_details = readFile('./debug');