mod Jenkinsfile, multi-stage
pcaskey committed Nov 7, 2022
1 parent 5d9c6e4 commit c89dd8a
Showing 1 changed file with 68 additions and 57 deletions.
125 changes: 68 additions & 57 deletions Jenkinsfile
Expand Up @@ -61,38 +61,38 @@ pipeline {
sh "docker buildx build --platform linux/amd64 -t ${imagename} --load ."
sh "docker buildx build --platform linux/arm64 -t ${imagename}:arm64 --load ."

echo "Starting security scan..."
// Install trivy and HTML template
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'

// Scan container for all vulnerability levels
echo "Scanning for all vulnerabilities..."
sh 'mkdir -p reports'

sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}"

sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}:arm64"
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'container-scan.html',
reportName: 'Security Scan',
reportTitles: 'Security Scan'
]
// echo "Starting security scan..."
// // Install trivy and HTML template
// sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
// sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'

// // Scan container for all vulnerability levels
// echo "Scanning for all vulnerabilities..."
// sh 'mkdir -p reports'

// sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}"

// sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}:arm64"
// publishHTML target : [
// allowMissing: true,
// alwaysLinkToLastBuild: true,
// keepAll: true,
// reportDir: 'reports',
// reportFiles: 'container-scan.html',
// reportName: 'Security Scan',
// reportTitles: 'Security Scan'
// ]

// Scan again and fail on CRITICAL vulns
//below can be temporarily commented to prevent build from failing
echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}"
sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}:arm64"
//echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
// // Scan again and fail on CRITICAL vulns
// //below can be temporarily commented to prevent build from failing
// echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
// sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}"
// sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}:arm64"
// //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."


echo "Pushing image to dockerhub..."
sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t i2incommon/shib-idp:$tag ."
// echo "Pushing image to dockerhub..."
// sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t i2incommon/shib-idp:$tag ."
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem building-testing-pushing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
Expand Down Expand Up @@ -123,32 +123,42 @@ pipeline {
steps {
script {
try {
echo "Skipping security scan here, was done earlier..."
// echo "Starting security scan..."
// // Install trivy and HTML template
// sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
// sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'

// // Scan container for all vulnerability levels
// echo "Scanning for all vulnerabilities..."
// sh 'mkdir -p reports'
// // sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:${tag}"
// sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}"
// publishHTML target : [
// allowMissing: true,
// alwaysLinkToLastBuild: true,
// keepAll: true,
// reportDir: 'reports',
// reportFiles: 'container-scan.html',
// reportName: 'Security Scan',
// reportTitles: 'Security Scan'
// ]

// // Scan again and fail on CRITICAL vulns
// //below can be temporarily commented to prevent build from failing
// echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
// sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:${tag}"
// //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
// echo "Skipping security scan here, was done earlier..."
echo "Starting security scan..."
// Install trivy and HTML template
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'

// Scan container for all vulnerability levels
echo "Scanning for all vulnerabilities..."
sh 'mkdir -p reports'
// sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:${tag}"
sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}"
sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}:arm64"
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'container-scan.html',
reportName: 'Security Scan',
reportTitles: 'Security Scan'
]
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'container-scan-arm.html',
reportName: 'Security Scan (ARM)',
reportTitles: 'Security Scan (ARM)'
]
// Scan again and fail on CRITICAL vulns
//below can be temporarily commented to prevent build from failing
echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}"
sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}:arm64"
//echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
Expand All @@ -165,8 +175,9 @@ pipeline {
docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-tier") {
// baseImg.push("$tag")
// echo "already pushed to Dockerhub"
// echo "Pushing image to Docker hub"
// sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:$tag ."
sh 'docker login -u tieradmin -p $DOCKERHUBPW'
echo "Pushing image to dockerhub..."
sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t i2incommon/shib-idp:$tag ."
}
}
}
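Review bot: The explicit `docker login -u tieradmin -p $DOCKERHUBPW` added in the third hunk passes the registry password on the command line, where it is visible in the process table and in any shell trace of the step, and docker's own CLI warns against this form. Read it from stdin instead: `sh 'echo "$DOCKERHUBPW" | docker login -u tieradmin --password-stdin'`. Where `DOCKERHUBPW` is bound is outside the hunk — presumably a credentials or `environment` binding — and it is worth confirming that binding masks the value in the console log, since the enclosing `docker.withRegistry(..., "dockerhub-tier")` already supplies a credential and the extra login may be redundant. Separately, the scan stage in the second hunk still installs trivy with `curl ... install.sh | sh` and fetches `html.tpl` from the `main` branch: the binary version is pinned to v0.31.1 but the installer script itself is unpinned and unverified, so pinning it to a tagged ref (or vendoring it with a checksum) would close that supply-chain gap. Note also that the push step rebuilds with `docker buildx build --push` rather than pushing the images that were scanned, so unless the build is fully cached the published image is not necessarily the one that passed the CRITICAL gate.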
