pipeline { agent { node { label 'docker-multi-arch' } } environment { maintainer = "t" imagename = 's' tag = 'l' DOCKERHUBPW=credentials('tieradmin-dockerhub-pw') } stages { stage('Setting build context') { steps { script { maintainer = maintain() imagename = imagename() if(env.BRANCH_NAME == "master") { tag = "latest" } else { tag = env.BRANCH_NAME } if(!imagename){ echo "You must define an imagename in common.bash" currentBuild.result = 'FAILURE' } sh 'mkdir -p tmp && mkdir -p bin' dir('tmp'){ git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ]) sh 'rm -rf ../bin/*' sh 'mv ./bin/* ../bin/.' } // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing. // We don't care if there are more 'tag' assignments there. The latest one wins. sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash" } } } stage('Clean') { steps { script { try{ sh 'bin/destroy.sh >> debug' } catch(error) { def error_details = readFile('./debug'); def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}" sh "rm -f ./debug" handleError(message) } } } } stage('Build') { steps { script { try{ sh 'docker login -u tieradmin -p $DOCKERHUBPW' // fails if already exists // sh 'docker buildx create --use --name multiarch --append' sh 'docker buildx inspect --bootstrap' sh 'docker buildx ls' sh "docker buildx build --platform linux/amd64 -t ${imagename}_${tag} --load ." sh "docker buildx build --platform linux/arm64 -t ${imagename}_${tag}:arm64 --load ." } catch(error) { def error_details = readFile('./debug'); def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}" sh "rm -f ./debug" handleError(message) } } } } stage('Test') { steps { script { try { echo "Starting tests..." sh 'bats tests' // echo "Skipping tests for now" } catch (error) { def error_details = readFile('./debug') def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}" sh "rm -f ./debug" handleError(message) } } } } stage('Scan') { steps { script { try { echo "Starting security scan..." // Install trivy and HTML template sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1' sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl' // Scan container for all vulnerability levels echo "Scanning for all vulnerabilities..." sh 'mkdir -p reports' // 2 commented scans below are OS-only, in case timeout issues occur sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}" // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}" sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64" // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64" publishHTML target : [ allowMissing: true, alwaysLinkToLastBuild: true, keepAll: true, reportDir: 'reports', reportFiles: 'container-scan.html', reportName: 'Security Scan', reportTitles: 'Security Scan' ] publishHTML target : [ allowMissing: true, alwaysLinkToLastBuild: true, keepAll: true, reportDir: 'reports', reportFiles: 'container-scan-arm.html', reportName: 'Security Scan (ARM)', reportTitles: 'Security Scan (ARM)' ] // Scan again and fail on CRITICAL vulns //below can be temporarily commented to prevent build from failing echo "Scanning for CRITICAL vulnerabilities only (fatal)..." // 2 scans below are temp (os scan only, no lib scan), while timeout issues are worked // sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}" // sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64" sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}" sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64" //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..." } catch(error) { def error_details = readFile('./debug'); def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}" sh "rm -f ./debug" handleError(message) } } } } stage('Push') { steps { script { sh 'docker login -u tieradmin -p $DOCKERHUBPW' // fails if already exists // sh 'docker buildx create --use --name multiarch --append' sh 'docker buildx inspect --bootstrap' sh 'docker buildx ls' echo "Pushing image to dockerhub..." sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} ." } } } stage('Cleanup') { steps { script { try{ echo "Cleaning up artifacts from the build..." sh 'tests/cleanup.sh' } catch(error) { def error_details = readFile('./debug'); def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}" sh "rm -f ./debug" handleError(message) } } } } stage('Notify') { steps{ echo "$maintainer" slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub" } } } post { always { echo 'Done Building.' } failure { // slackSend color: 'good', message: "Build failed" handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.") } } } def maintain() { def matcher = readFile('common.bash') =~ 'maintainer="(.+)"' matcher ? matcher[0][1] : 'tier' } def imagename() { def matcher = readFile('common.bash') =~ 'imagename="(.+)"' matcher ? matcher[0][1] : null } def handleError(String message){ echo "${message}" currentBuild.setResult("FAILED") slackSend color: 'danger', message: "${message}" //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true]) sh 'exit 1' }