From 7b7b2ca3b5a0bf602ecda291324f26fd60937a03 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Mon, 2 Oct 2023 11:20:21 +0000 Subject: [PATCH] Squashed '.ci/' changes from c1a48a6..7144a42 7144a42 Improve Trivy scanning logic git-subtree-dir: .ci git-subtree-split: 7144a42a3c436996722f1e67c3cce5c87fdbf464 --- podman.mk | 2 +- vars/buildPodman.groovy | 22 ++++++++++++---------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/podman.mk b/podman.mk index 817d524..b51b762 100644 --- a/podman.mk +++ b/podman.mk @@ -46,7 +46,7 @@ test:: ## test built artificats scan: ## Scan image using trivy echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)" - trivy image $(TRIVY_OPTS) localhost/$(IMAGE):$(TAG)-$(_ARCH) + trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH) # first tag and push all actual images # create new manifest for each tag and add all available TAG-ARCH before pushing diff --git a/vars/buildPodman.groovy b/vars/buildPodman.groovy index e33c2cf..7d9887f 100644 --- a/vars/buildPodman.groovy +++ b/vars/buildPodman.groovy @@ -10,6 +10,8 @@ def call(Map config=[:]) { stages { stage('Prepare') { steps { + sh 'mkdir -p reports' + // we set pull tags as project adv. options // pull tags //withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) { @@ -35,12 +37,13 @@ def call(Map config=[:]) { // Scan via trivy stage('Scan') { - environment { - TRIVY_FORMAT = "template" - TRIVY_OUTPUT = "reports/trivy.html" - } steps { - sh 'mkdir -p reports && make scan' + // we always scan and create the full json report + sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan' + + // render custom full html report + sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json' + publishHTML target: [ allowMissing: true, alwaysLinkToLastBuild: true, @@ -50,13 +53,12 @@ def call(Map config=[:]) { reportName: 'TrivyScan', reportTitles: 'TrivyScan' ] + sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"' - // Scan again and fail on CRITICAL vulns, if not overridden + // fail build if issues found above trivy threshold script { - if (config.trivyFail == 'NONE') { - echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...' - } else { - sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan" + if ( config.trivyFail ) { + sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json" } } }