From 30a4548b2c53b92b049a0bb2ce6033dbb7d0cde5 Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Thu, 3 Nov 2022 15:36:45 +0000
Subject: [PATCH] tweak image scanning

---
 Jenkinsfile | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/Jenkinsfile b/Jenkinsfile
index 827d490..9f75e76 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -60,7 +60,7 @@ pipeline {
 sh 'docker buildx ls'
 sh 'docker buildx build --platform linux/amd64 -t shib-idp .'
 sh 'docker buildx build --platform linux/arm64 -t shib-idp:arm64 .'
- sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t i2incommon/shib-idp:$tag ."
+ sh 'docker buildx build --push --platform linux/arm64,linux/amd64 -t i2incommon/shib-idp:$tag .'
 // test the environment
 // sh 'cd test-compose && ./compose.sh'
 // bring down after testing
@@ -102,7 +102,8 @@ pipeline {
 // Scan container for all vulnerability levels
 echo "Scanning for all vulnerabilities..."
 sh 'mkdir -p reports'
- sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:latest"
+ sh 'docker pull ${maintainer}/${imagename}:${tag}'
+ sh 'trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template \'@html.tpl\' -o reports/container-scan.html ${maintainer}/${imagename}:${tag}'
 publishHTML target : [
 allowMissing: true,
 alwaysLinkToLastBuild: true,
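Review bot: The changed `--push` line publishes `i2incommon/shib-idp:$tag` to the registry before the fatal Trivy gate (`--exit-code 1 --severity CRITICAL` in the `@@ -115` hunk, which the `@@ -102` hunk feeds by pulling that same tag back), so an image with CRITICAL findings is already public by the time the build is marked failed. A gate that is meant to block distribution has to run before the push: either run the fatal scan against the locally built `shib-idp` image from the preceding `docker buildx build --platform linux/amd64 -t shib-idp .` line, or move the `--push` step after the gate passes. Until that is reordered, a comment on this line such as `// NOTE: pushed before the CRITICAL scan below; a failing scan does not unpublish this tag` would at least make the gap visible to the next maintainer. The enclosing stage starts and ends outside the hunk.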
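Review bot: The new `docker pull ${maintainer}/${imagename}:${tag}` line and the rewritten trivy line are single-quoted, so `maintainer`, `imagename` and `tag` are now expanded by the shell instead of by Groovy; that is the safer form against Groovy interpolation, but it only works if all three are present in the step's environment (an `environment {}` block or `withEnv`), and if one of them is only a Groovy variable the pull target silently degrades to an empty component and the step fails. A short comment would pin the contract, e.g. `// single quotes on purpose: $maintainer/$imagename/$tag are shell env vars, not Groovy interpolation`, and the same applies to the `${tag}` references in the `@@ -115` hunk and the unbraced `$tag` in the `@@ -60` hunk. The pull has no `--platform`, so from the `linux/arm64,linux/amd64` manifest pushed in the `@@ -60` hunk only the agent's own architecture is fetched and scanned, and the other variant is presumably covered by neither scan; if that matters, pull and scan each platform explicitly with `docker pull --platform linux/arm64 …`. The enclosing stage starts and ends outside the hunk.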
@@ -115,8 +116,8 @@ pipeline {
 // Scan again and fail on CRITICAL vulns
 //below can be temporarily commented to prevent build from failing
- echo "Scanning for CRITICAL vulnerabilities onlyi (fatal)..."
- sh 'trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:latest'
+ echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
+ sh 'trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:${tag}'
 //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
 } catch(error) {
 def error_details = readFile('./debug');