feat: initial commit

This commit is contained in:
Stefan Reimer 2022-01-13 12:41:17 +01:00
parent 49f2edf3b7
commit e0747db61d
8 changed files with 252 additions and 2 deletions

40
Dockerfile Normal file
View File

@ -0,0 +1,40 @@
ARG BASE="latest-alpine-jdk11"
FROM jenkins/inbound-agent:${BASE}
USER root
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
&& apk upgrade -U -a \
&& apk --no-cache add \
make \
fuse-overlayfs \
podman \
buildah \
aws-cli \
trivy
# Podman tweaks
ADD conf/containers.conf conf/registries.conf conf/storage.conf /etc/containers/
ADD --chown=jenkins:jenkins conf/podman-containers.conf /home/jenkins/.config/containers/containers.conf
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers \
/var/lib/shared/vfs-images /var/lib/shared/vfs-layers && \
touch /var/lib/shared/overlay-images/images.lock /var/lib/shared/overlay-layers/layers.lock \
/var/lib/shared/vfs-images/images.lock /var/lib/shared/vfs-layers/layers.lock
# Trivy html template
ADD --chown=jenkins:jenkins html.tpl /home/jenkins/
# Make docker in Jenkinsfiles work
RUN ln -s /usr/bin/podman /usr/bin/docker
# Rootless podman
RUN echo jenkins:100000:65536 > /etc/subuid \
&& echo jenkins:100000:65536 > /etc/subgid
ENV BUILDAH_ISOLATION=rootless
# Allow container layers to be stored in PVCs
VOLUME /home/jenkins/.local/share/containers
USER jenkins

25
Makefile Normal file
View File

@ -0,0 +1,25 @@
VERSION ?= 0.1.0
BASE ?= latest-alpine-jdk11
REGISTRY := public.ecr.aws/zero-downtime
REPOSITORY := jenkins-podman
TAG := $(REPOSITORY):v$(VERSION)
.PHONY: build push clean
all: build
build:
podman build --rm --squash-all --build-arg BASE=$(BASE) -t $(TAG) .
push:
aws ecr-public get-login-password --region us-east-1 | podman login --username AWS --password-stdin $(REGISTRY)
podman tag $(TAG) $(REGISTRY)/$(TAG)
podman push $(REGISTRY)/$(TAG)
clean:
podman rmi -f $(TAG)
scan:
podman save $(TAG) -o image.tar
trivy image --input image.tar --format template --template @./html.tpl -o report.html
rm -f image.tar

View File

@ -1,3 +1,8 @@
# jenkins-agent
# jenkins-podman
Public Repo: https://gallery.ecr.aws/zero-downtime/jenkins-podman
Custom Jenkins agent incl. rootless podman / buildah.
# Resources
- https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
- https://github.com/jenkinsci/docker-agent/blob/master/11/alpine/Dockerfile
- https://github.com/jenkinsci/docker-inbound-agent/tree/master/11/alpine
- https://github.com/aquasecurity/trivy

12
conf/containers.conf Normal file
View File

@ -0,0 +1,12 @@
[containers]
netns="host"
userns="host"
ipcns="host"
utsns="host"
cgroupns="host"
cgroups="disabled"
log_driver = "k8s-file"
[engine]
cgroup_manager = "cgroupfs"
events_logger="file"
runtime="crun"

View File

@ -0,0 +1,4 @@
[containers]
volumes = [
"/proc:/proc",
]

2
conf/registries.conf Normal file
View File

@ -0,0 +1,2 @@
# Note that changing the order here may break lazy devs Dockerfile
unqualified-search-registries = [ "gcr.io", "quay.io", "docker.io", "registry.fedoraproject.org"]

14
conf/storage.conf Normal file
View File

@ -0,0 +1,14 @@
[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"
[storage.options]
additionalimagestores = [
"/var/lib/shared",
]
[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"
mountopt = "nodev,fsync=0"
[storage.options.thinpool]

148
html.tpl Normal file
View File

@ -0,0 +1,148 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
{{- if . }}
<style>
* {
font-family: Arial, Helvetica, sans-serif;
}
h1 {
text-align: center;
}
.group-header th {
font-size: 200%;
}
.sub-header th {
font-size: 150%;
}
table, th, td {
border: 1px solid black;
border-collapse: collapse;
white-space: nowrap;
padding: .3em;
}
table {
margin: 0 auto;
}
.severity {
text-align: center;
font-weight: bold;
color: #fafafa;
}
.severity-LOW .severity { background-color: #5fbb31; }
.severity-MEDIUM .severity { background-color: #e9c600; }
.severity-HIGH .severity { background-color: #ff8800; }
.severity-CRITICAL .severity { background-color: #e40000; }
.severity-UNKNOWN .severity { background-color: #747474; }
.severity-LOW { background-color: #5fbb3160; }
.severity-MEDIUM { background-color: #e9c60060; }
.severity-HIGH { background-color: #ff880060; }
.severity-CRITICAL { background-color: #e4000060; }
.severity-UNKNOWN { background-color: #74747460; }
table tr td:first-of-type {
font-weight: bold;
}
.links a,
.links[data-more-links=on] a {
display: block;
}
.links[data-more-links=off] a:nth-of-type(1n+5) {
display: none;
}
a.toggle-more-links { cursor: pointer; }
</style>
<title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</title>
<script>
window.onload = function() {
document.querySelectorAll('td.links').forEach(function(linkCell) {
var links = [].concat.apply([], linkCell.querySelectorAll('a'));
[].sort.apply(links, function(a, b) {
return a.href > b.href ? 1 : -1;
});
links.forEach(function(link, idx) {
if (links.length > 3 && 3 === idx) {
var toggleLink = document.createElement('a');
toggleLink.innerText = "Toggle more links";
toggleLink.href = "#toggleMore";
toggleLink.setAttribute("class", "toggle-more-links");
linkCell.appendChild(toggleLink);
}
linkCell.appendChild(link);
});
});
document.querySelectorAll('a.toggle-more-links').forEach(function(toggleLink) {
toggleLink.onclick = function() {
var expanded = toggleLink.parentElement.getAttribute("data-more-links");
toggleLink.parentElement.setAttribute("data-more-links", "on" === expanded ? "off" : "on");
return false;
};
});
};
</script>
</head>
<body>
<h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</h1>
<table>
{{- range . }}
<tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>
{{- if (eq (len .Vulnerabilities) 0) }}
<tr><th colspan="6">No Vulnerabilities found</th></tr>
{{- else }}
<tr class="sub-header">
<th>Package</th>
<th>Vulnerability ID</th>
<th>Severity</th>
<th>Installed Version</th>
<th>Fixed Version</th>
<th>Links</th>
</tr>
{{- range .Vulnerabilities }}
<tr class="severity-{{ escapeXML .Vulnerability.Severity }}">
<td class="pkg-name">{{ escapeXML .PkgName }}</td>
<td>{{ escapeXML .VulnerabilityID }}</td>
<td class="severity">{{ escapeXML .Vulnerability.Severity }}</td>
<td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
<td>{{ escapeXML .FixedVersion }}</td>
<td class="links" data-more-links="off">
{{- range .Vulnerability.References }}
<a href={{ escapeXML . | printf "%q" }}>{{ escapeXML . }}</a>
{{- end }}
</td>
</tr>
{{- end }}
{{- end }}
{{- if (eq (len .Misconfigurations ) 0) }}
<tr><th colspan="6">No Misconfigurations found</th></tr>
{{- else }}
<tr class="sub-header">
<th>Type</th>
<th>Misconf ID</th>
<th>Check</th>
<th>Severity</th>
<th>Message</th>
</tr>
{{- range .Misconfigurations }}
<tr class="severity-{{ escapeXML .Severity }}">
<td class="misconf-type">{{ escapeXML .Type }}</td>
<td>{{ escapeXML .ID }}</td>
<td class="misconf-check">{{ escapeXML .Title }}</td>
<td class="severity">{{ escapeXML .Severity }}</td>
<td class="link" data-more-links="off" style="white-space:normal;"">
{{ escapeXML .Message }}
<br>
<a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
</br>
</td>
</tr>
{{- end }}
{{- end }}
{{- end }}
</table>
{{- else }}
</head>
<body>
<h1>Trivy Returned Empty Report</h1>
{{- end }}
</body>
</html>