From f4de31996b156184c350d4071ca7dba6fce16b8f Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Mon, 7 Nov 2022 22:16:35 +0000
Subject: [PATCH] multi-arch test

---
 Jenkinsfile | 91 ++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 62 insertions(+), 29 deletions(-)

diff --git a/Jenkinsfile b/Jenkinsfile
index 29dc96e..d773d10 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -49,7 +49,7 @@ pipeline {
 }
 }
 }
- stage('Build') {
+ stage('Build-Test-Push') {
 steps {
 script {
 try{
@@ -58,12 +58,44 @@ pipeline {
 // sh 'docker buildx create --use --name multiarch --append'
 sh 'docker buildx inspect --bootstrap'
 sh 'docker buildx ls'
- sh "docker buildx build --platform linux/amd64 -t ${imagename} ."
- sh "docker buildx build --platform linux/arm64 -t ${imagename}:arm64 ."
- //sh 'docker buildx build --push --platform linux/arm64,linux/amd64 -t i2incommon/shib-idp:$tag .'
+ sh "docker buildx build --platform linux/amd64 -t ${imagename} --load ."
+ sh "docker buildx build --platform linux/arm64 -t ${imagename}:arm64 --load ."
+
+ echo "Starting security scan..."
+ // Install trivy and HTML template
+ sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
+ sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
+
+ // Scan container for all vulnerability levels
+ echo "Scanning for all vulnerabilities..."
+ sh 'mkdir -p reports'
+
+ sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}"
+
+ sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}:arm64"
+ publishHTML target : [
+ allowMissing: true,
+ alwaysLinkToLastBuild: true,
+ keepAll: true,
+ reportDir: 'reports',
+ reportFiles: 'container-scan.html',
+ reportName: 'Security Scan',
+ reportTitles: 'Security Scan'
+ ]
+
+ // Scan again and fail on CRITICAL vulns
+ //below can be temporarily commented to prevent build from failing
+ echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
+ sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}"
+ sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}:arm64"
+ //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
+
+
+ echo "Pushing image to dockerhub
+ sh 'docker buildx build --push --platform linux/arm64,linux/amd64 -t i2incommon/shib-idp:$tag .'
 } catch(error) {
 def error_details = readFile('./debug');
- def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+ def message = "BUILD ERROR: There was a problem building-testing-pushing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
 sh "rm -f ./debug"
 handleError(message)
 }
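Review bot: The push step near the end of the hunk is preceded by an unterminated string literal, `echo "Pushing image to dockerhub` has no closing quote, so the Jenkinsfile fails to parse before any stage runs; it should read `echo "Pushing image to dockerhub"`. The two HTML-template scans both write `-o reports/container-scan.html`, so the arm64 run overwrites the amd64 findings and the published "Security Scan" report only ever shows one architecture; write per-arch files (`-o reports/container-scan-amd64.html`, `-o reports/container-scan-arm64.html`) and list both in `reportFiles`. The push line is a single-quoted Groovy string, so `$tag` is expanded by the shell rather than from the pipeline's `tag` variable that the rest of this file uses (`${maintainer}/${imagename}:${tag}`), and the repository is hard-coded as `i2incommon/shib-idp` instead of `${maintainer}/${imagename}`; unless `tag` is also exported into the build environment the pushed reference ends up with an empty tag. The installer and HTML template are fetched from the `main` branch of the trivy repository with no checksum, so only the scanner version is pinned, not the script that installs it; pinning those URLs to a tag or commit and verifying the downloaded binary would make the scan step reproducible.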
@@ -91,31 +123,32 @@ pipeline {
 steps {
 script {
 try {
- echo "Starting security scan..."
- // Install trivy and HTML template
- sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
- sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
-
- // Scan container for all vulnerability levels
- echo "Scanning for all vulnerabilities..."
- sh 'mkdir -p reports'
- // sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:${tag}"
- sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}"
- publishHTML target : [
- allowMissing: true,
- alwaysLinkToLastBuild: true,
- keepAll: true,
- reportDir: 'reports',
- reportFiles: 'container-scan.html',
- reportName: 'Security Scan',
- reportTitles: 'Security Scan'
- ]
+ echo "Skipping security scan here, was done earlier..."
+// echo "Starting security scan..."
+// // Install trivy and HTML template
+// sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
+// sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
 
- // Scan again and fail on CRITICAL vulns
- //below can be temporarily commented to prevent build from failing
- echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
- sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:${tag}"
- //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
+// // Scan container for all vulnerability levels
+// echo "Scanning for all vulnerabilities..."
+// sh 'mkdir -p reports'
+// // sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:${tag}"
+// sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}"
+// publishHTML target : [
+// allowMissing: true,
+// alwaysLinkToLastBuild: true,
+// keepAll: true,
+// reportDir: 'reports',
+// reportFiles: 'container-scan.html',
+// reportName: 'Security Scan',
+// reportTitles: 'Security Scan'
+// ]
+
+// // Scan again and fail on CRITICAL vulns
+// //below can be temporarily commented to prevent build from failing
+// echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
+// sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:${tag}"
+// //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
 } catch(error) {
 def error_details = readFile('./debug');
 def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
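Review bot: The body of this `try` is now twenty-odd lines of commented-out code that duplicates the scan already running in the Build-Test-Push stage, and the two copies will drift apart the next time the trivy flags or version change. Replacing the commented block with a single pointer such as `// Security scan moved to the Build-Test-Push stage so it runs per architecture before the push` keeps the history in git rather than in the file; what remains is a `try`/`catch` guarding only an `echo`, so the stage could be removed outright if nothing downstream depends on its name. The enclosing stage definition starts outside this hunk, so whether anything else references it cannot be checked here.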