Squashed '.ci/' changes from 227e39f..2c44e4f
2c44e4f Disable concurrent builds 7144a42 Improve Trivy scanning logic c1a48a6 Remove auto stash push / pop as being too dangerous 318c19e Add merge comment for subtree 22ed100 Fix custom branch docker tags git-subtree-dir: .ci git-subtree-split: 2c44e4fd8550d30fba503a2bcccec8e0bac1c151
This commit is contained in:
parent
b7027df025
commit
5dff2c18d4
@ -1,25 +1,26 @@
|
|||||||
# Parse version from latest git semver tag
|
# Parse version from latest git semver tag
|
||||||
GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
|
GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
|
||||||
GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null | sed -e 's/[^a-zA-Z0-9]/-/g')
|
GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
|
||||||
|
|
||||||
TAG := $(GIT_TAG)
|
TAG ::= $(GIT_TAG)
|
||||||
# append branch name to tag if NOT main nor master
|
# append branch name to tag if NOT main nor master
|
||||||
ifeq (,$(filter main master, $(GIT_BRANCH)))
|
ifeq (,$(filter main master, $(GIT_BRANCH)))
|
||||||
# If branch is substring of tag, omit branch name
|
# If branch is substring of tag, omit branch name
|
||||||
ifeq ($(findstring $(GIT_BRANCH), $(GIT_TAG)),)
|
ifeq ($(findstring $(GIT_BRANCH), $(GIT_TAG)),)
|
||||||
# only append branch name if not equal tag
|
# only append branch name if not equal tag
|
||||||
ifneq ($(GIT_TAG), $(GIT_BRANCH))
|
ifneq ($(GIT_TAG), $(GIT_BRANCH))
|
||||||
TAG = $(GIT_TAG)-$(GIT_BRANCH)
|
# Sanitize GIT_BRANCH to allowed Docker tag character set
|
||||||
|
TAG = $(GIT_TAG)-$(shell echo $$GIT_BRANCH | sed -e 's/[^a-zA-Z0-9]/-/g')
|
||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ARCH := amd64
|
ARCH ::= amd64
|
||||||
ALL_ARCHS := amd64 arm64
|
ALL_ARCHS ::= amd64 arm64
|
||||||
_ARCH = $(or $(filter $(ARCH),$(ALL_ARCHS)),$(error $$ARCH [$(ARCH)] must be exactly one of "$(ALL_ARCHS)"))
|
_ARCH = $(or $(filter $(ARCH),$(ALL_ARCHS)),$(error $$ARCH [$(ARCH)] must be exactly one of "$(ALL_ARCHS)"))
|
||||||
|
|
||||||
ifneq ($(TRIVY_REMOTE),)
|
ifneq ($(TRIVY_REMOTE),)
|
||||||
TRIVY_OPTS := --server $(TRIVY_REMOTE)
|
TRIVY_OPTS ::= --server $(TRIVY_REMOTE)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
.SILENT: ; # no need for @
|
.SILENT: ; # no need for @
|
||||||
@ -45,7 +46,7 @@ test:: ## test built artificats
|
|||||||
|
|
||||||
scan: ## Scan image using trivy
|
scan: ## Scan image using trivy
|
||||||
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
|
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
|
||||||
trivy image $(TRIVY_OPTS) localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
||||||
|
|
||||||
# first tag and push all actual images
|
# first tag and push all actual images
|
||||||
# create new manifest for each tag and add all available TAG-ARCH before pushing
|
# create new manifest for each tag and add all available TAG-ARCH before pushing
|
||||||
@ -77,7 +78,7 @@ rm-image:
|
|||||||
|
|
||||||
## some useful tasks during development
|
## some useful tasks during development
|
||||||
ci-pull-upstream: ## pull latest shared .ci subtree
|
ci-pull-upstream: ## pull latest shared .ci subtree
|
||||||
git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop
|
git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
|
||||||
|
|
||||||
create-repo: ## create new AWS ECR public repository
|
create-repo: ## create new AWS ECR public repository
|
||||||
aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)
|
aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)
|
||||||
|
@ -2,6 +2,9 @@
|
|||||||
|
|
||||||
def call(Map config=[:]) {
|
def call(Map config=[:]) {
|
||||||
pipeline {
|
pipeline {
|
||||||
|
options {
|
||||||
|
disableConcurrentBuilds()
|
||||||
|
}
|
||||||
agent {
|
agent {
|
||||||
node {
|
node {
|
||||||
label 'podman-aws-trivy'
|
label 'podman-aws-trivy'
|
||||||
@ -10,6 +13,8 @@ def call(Map config=[:]) {
|
|||||||
stages {
|
stages {
|
||||||
stage('Prepare') {
|
stage('Prepare') {
|
||||||
steps {
|
steps {
|
||||||
|
sh 'mkdir -p reports'
|
||||||
|
|
||||||
// we set pull tags as project adv. options
|
// we set pull tags as project adv. options
|
||||||
// pull tags
|
// pull tags
|
||||||
//withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
|
//withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
|
||||||
@ -35,12 +40,13 @@ def call(Map config=[:]) {
|
|||||||
|
|
||||||
// Scan via trivy
|
// Scan via trivy
|
||||||
stage('Scan') {
|
stage('Scan') {
|
||||||
environment {
|
|
||||||
TRIVY_FORMAT = "template"
|
|
||||||
TRIVY_OUTPUT = "reports/trivy.html"
|
|
||||||
}
|
|
||||||
steps {
|
steps {
|
||||||
sh 'mkdir -p reports && make scan'
|
// we always scan and create the full json report
|
||||||
|
sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'
|
||||||
|
|
||||||
|
// render custom full html report
|
||||||
|
sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'
|
||||||
|
|
||||||
publishHTML target: [
|
publishHTML target: [
|
||||||
allowMissing: true,
|
allowMissing: true,
|
||||||
alwaysLinkToLastBuild: true,
|
alwaysLinkToLastBuild: true,
|
||||||
@ -50,13 +56,12 @@ def call(Map config=[:]) {
|
|||||||
reportName: 'TrivyScan',
|
reportName: 'TrivyScan',
|
||||||
reportTitles: 'TrivyScan'
|
reportTitles: 'TrivyScan'
|
||||||
]
|
]
|
||||||
|
sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'
|
||||||
|
|
||||||
// Scan again and fail on CRITICAL vulns, if not overridden
|
// fail build if issues found above trivy threshold
|
||||||
script {
|
script {
|
||||||
if (config.trivyFail == 'NONE') {
|
if ( config.trivyFail ) {
|
||||||
echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
|
sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json"
|
||||||
} else {
|
|
||||||
sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user