2022-01-13 13:30:51 +00:00
|
|
|
pipeline {
|
2022-01-14 00:35:17 +00:00
|
|
|
agent { node { label 'podman-aws-trivy' } }
|
2022-02-03 18:29:47 +00:00
|
|
|
|
2022-01-13 13:30:51 +00:00
|
|
|
stages {
|
2022-01-16 10:55:02 +00:00
|
|
|
stage('Prepare'){
|
2022-02-03 18:29:47 +00:00
|
|
|
// get tags
|
2022-01-16 10:55:02 +00:00
|
|
|
steps {
|
2022-01-16 11:04:33 +00:00
|
|
|
sh 'git fetch --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
|
2022-01-16 10:55:02 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-13 14:31:35 +00:00
|
|
|
// Build using rootless podman
|
2022-01-13 13:30:51 +00:00
|
|
|
stage('Build'){
|
|
|
|
|
steps {
|
|
|
|
|
sh 'make build'
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-01-13 14:31:35 +00:00
|
|
|
|
2022-01-16 10:55:02 +00:00
|
|
|
stage('Test'){
|
|
|
|
|
steps {
|
|
|
|
|
sh 'make test'
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-13 14:31:35 +00:00
|
|
|
// Scan via trivy
|
2022-01-13 13:30:51 +00:00
|
|
|
stage('Scan'){
|
|
|
|
|
environment {
|
2022-02-03 18:29:47 +00:00
|
|
|
TRIVY_FORMAT = "template"
|
|
|
|
|
TRIVY_OUTPUT = "reports/trivy.html"
|
2022-01-13 13:30:51 +00:00
|
|
|
}
|
|
|
|
|
steps {
|
|
|
|
|
sh 'mkdir -p reports'
|
|
|
|
|
sh 'make scan'
|
|
|
|
|
publishHTML target : [
|
|
|
|
|
allowMissing: true,
|
|
|
|
|
alwaysLinkToLastBuild: true,
|
|
|
|
|
keepAll: true,
|
|
|
|
|
reportDir: 'reports',
|
|
|
|
|
reportFiles: 'trivy.html',
|
2022-01-13 14:17:18 +00:00
|
|
|
reportName: 'TrivyScan',
|
|
|
|
|
reportTitles: 'TrivyScan'
|
2022-01-13 13:30:51 +00:00
|
|
|
]
|
|
|
|
|
|
|
|
|
|
// Scan again and fail on CRITICAL vulns
|
|
|
|
|
sh 'TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=CRITICAL make scan'
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-01-13 14:31:35 +00:00
|
|
|
|
|
|
|
|
// Push to ECR
|
2022-01-13 13:30:51 +00:00
|
|
|
stage('Push'){
|
|
|
|
|
steps {
|
2022-01-13 14:31:35 +00:00
|
|
|
sh 'make push'
|
2022-01-13 13:30:51 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
