add security scan
pcaskey committed Aug 16, 2022
1 parent 140d278 commit 8c274d8
Showing 3 changed files with 37 additions and 9 deletions.
17 changes: 10 additions & 7 deletions Dockerfile
@@ -1,16 +1,16 @@
FROM rockylinux/rockylinux:8.4
FROM rockylinux/rockylinux:8.6

########################
### VERSION SETTINGS ###
########################
#
##tomcat \
ENV TOMCAT_MAJOR=9 \
TOMCAT_VERSION=9.0.52 \
TOMCAT_VERSION=9.0.65 \
##shib-idp \
VERSION=4.1.4 \
VERSION=4.2.1 \
##TIER \
TIERVERSION=20210811_rocky84 \
TIERVERSION=20220815_rocky8 \
#################### \
#### OTHER VARS #### \
#################### \
Expand Down Expand Up @@ -160,9 +160,9 @@ ADD container_files/idp/idp.xml /usr/local/tomcat/conf/Catalina/idp.xml
ADD container_files/tomcat/server.xml /usr/local/tomcat/conf/server.xml

#use log4j for tomcat logging
ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /usr/local/tomcat/bin/
ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /usr/local/tomcat/bin/
ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /usr/local/tomcat/bin/
ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.18.0/log4j-core-2.18.0.jar /usr/local/tomcat/bin/
ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.18.0/log4j-api-2.18.0.jar /usr/local/tomcat/bin/
ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.18.0/log4j-jul-2.18.0.jar /usr/local/tomcat/bin/
RUN cd /usr/local/tomcat/; \
chmod +r bin/log4j-*.jar;
ADD container_files/tomcat/log4j2.xml /usr/local/tomcat/conf/
Expand All @@ -189,6 +189,9 @@ RUN mkdir -p /etc/supervisor/conf.d && chmod +x /opt/tier/setenv.sh \
#set cron to not require a login session
RUN sed -i '/session required pam_loginuid.so/c\#session required pam_loginuid.so' /etc/pam.d/crond

#upgrade pip to remove sec vuln
RUN pip3 install --upgrade pip

# Expose the port tomcat will be serving on
EXPOSE 443

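Review bot: The three `ADD https://repo1.maven.org/...log4j-*-2.18.0.jar` lines fetch remote artifacts with bare `ADD` and no integrity check, so the image contains whatever the repository served at build time and the bump cannot be verified from the Dockerfile; use `ADD --checksum=sha256:<sha256 of log4j-core-2.18.0.jar> https://... /usr/local/tomcat/bin/` (BuildKit) for each jar, or `curl` the jars in a `RUN` and compare them against the checksum files published next to them in Maven Central. `RUN pip3 install --upgrade pip` is unpinned, so the "upgrade pip to remove sec vuln" comment does not say which version fixes the issue and the layer is not reproducible; pin it, e.g. `RUN pip3 install --no-cache-dir --upgrade 'pip==<fixed version>'`, and name the advisory in the comment. The unchanged `RUN cd /usr/local/tomcat/; \` / `chmod +r bin/log4j-*.jar;` pair chains with `;` rather than `&&`, so a failing `cd` would not fail the build; it is context here, but worth switching to `WORKDIR` or `&&` while these lines are being touched.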
27 changes: 26 additions & 1 deletion Jenkinsfile
Expand Up @@ -73,7 +73,32 @@ node('docker') {
sh "rm -f ./debug"
handleError(message)
}


stage('Scan') {
steps {
// Install trivy and HTML template
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'

// Scan container for all vulnerability levels
sh 'mkdir -p reports'
sh 'trivy image --ignore-unfixed --vuln-type os,library --no-progress --format template --template "@html.tpl" -o reports/container-scan.html ${imagename}:${tag}'
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'container-scan.html',
reportName: 'Security Scan',
reportTitles: 'Security Scan'
]

// Scan again and fail on CRITICAL vulns
sh 'trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}:${tag}'

}
}

stage 'Push'

docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
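Review bot: The new `stage('Scan') { steps { … } }` block uses the declarative `steps` directive inside what the surrounding lines show to be a scripted pipeline (`node('docker') {` and `stage 'Push'`), which will most likely fail with a "No such DSL method 'steps'" error before any scan runs; dropping the `steps {` wrapper and its closing brace should be enough. The installer is fetched from the `main` branch of the trivy repository and piped straight to `sh`, so only the trivy binary version (`v0.31.1`) is pinned while the script that installs it is not; prefer the release archive with its published checksum verified before extraction, or run trivy from a pinned container image, and fetch `html.tpl` from a pinned tag rather than `main` for the same reason. `${imagename}:${tag}` sits inside single-quoted Groovy strings, so it is expanded by the shell rather than by Groovy; unless both are exported as environment variables (not visible here) the scan would run against an empty image name, whereas the existing `sh "rm -f ./debug"` uses double quotes. The enclosing `node('docker')` closure begins and ends outside this hunk.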
2 changes: 1 addition & 1 deletion container_files/idp/idp.installer.properties
@@ -1,4 +1,4 @@
idp.src.dir=/tmp/shibboleth/shibboleth-identity-provider-4.1.4
idp.src.dir=/tmp/shibboleth/shibboleth-identity-provider-4.2.1
idp.target.dir=/opt/shibboleth-idp
idp.host.name=idp.example.org
idp.sealer.password=changeit
