feat: initial commit
This commit is contained in:
parent
49f2edf3b7
commit
e0747db61d
40
Dockerfile
Normal file
40
Dockerfile
Normal file
@ -0,0 +1,40 @@
|
||||
ARG BASE="latest-alpine-jdk11"
|
||||
|
||||
FROM jenkins/inbound-agent:${BASE}
|
||||
|
||||
USER root
|
||||
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
|
||||
&& apk upgrade -U -a \
|
||||
&& apk --no-cache add \
|
||||
make \
|
||||
fuse-overlayfs \
|
||||
podman \
|
||||
buildah \
|
||||
aws-cli \
|
||||
trivy
|
||||
|
||||
# Podman tweaks
|
||||
ADD conf/containers.conf conf/registries.conf conf/storage.conf /etc/containers/
|
||||
ADD --chown=jenkins:jenkins conf/podman-containers.conf /home/jenkins/.config/containers/containers.conf
|
||||
|
||||
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers \
|
||||
/var/lib/shared/vfs-images /var/lib/shared/vfs-layers && \
|
||||
touch /var/lib/shared/overlay-images/images.lock /var/lib/shared/overlay-layers/layers.lock \
|
||||
/var/lib/shared/vfs-images/images.lock /var/lib/shared/vfs-layers/layers.lock
|
||||
|
||||
# Trivy html template
|
||||
ADD --chown=jenkins:jenkins html.tpl /home/jenkins/
|
||||
|
||||
# Make docker in Jenkinsfiles work
|
||||
RUN ln -s /usr/bin/podman /usr/bin/docker
|
||||
|
||||
# Rootless podman
|
||||
RUN echo jenkins:100000:65536 > /etc/subuid \
|
||||
&& echo jenkins:100000:65536 > /etc/subgid
|
||||
|
||||
ENV BUILDAH_ISOLATION=rootless
|
||||
|
||||
# Allow container layers to be stored in PVCs
|
||||
VOLUME /home/jenkins/.local/share/containers
|
||||
|
||||
USER jenkins
|
25
Makefile
Normal file
25
Makefile
Normal file
@ -0,0 +1,25 @@
|
||||
VERSION ?= 0.1.0
|
||||
BASE ?= latest-alpine-jdk11
|
||||
REGISTRY := public.ecr.aws/zero-downtime
|
||||
REPOSITORY := jenkins-podman
|
||||
TAG := $(REPOSITORY):v$(VERSION)
|
||||
|
||||
.PHONY: build push clean
|
||||
|
||||
all: build
|
||||
|
||||
build:
|
||||
podman build --rm --squash-all --build-arg BASE=$(BASE) -t $(TAG) .
|
||||
|
||||
push:
|
||||
aws ecr-public get-login-password --region us-east-1 | podman login --username AWS --password-stdin $(REGISTRY)
|
||||
podman tag $(TAG) $(REGISTRY)/$(TAG)
|
||||
podman push $(REGISTRY)/$(TAG)
|
||||
|
||||
clean:
|
||||
podman rmi -f $(TAG)
|
||||
|
||||
scan:
|
||||
podman save $(TAG) -o image.tar
|
||||
trivy image --input image.tar --format template --template @./html.tpl -o report.html
|
||||
rm -f image.tar
|
@ -1,3 +1,8 @@
|
||||
# jenkins-agent
|
||||
# jenkins-podman
|
||||
Public Repo: https://gallery.ecr.aws/zero-downtime/jenkins-podman
|
||||
|
||||
Custom Jenkins agent incl. rootless podman / buildah.
|
||||
# Resources
|
||||
- https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
|
||||
- https://github.com/jenkinsci/docker-agent/blob/master/11/alpine/Dockerfile
|
||||
- https://github.com/jenkinsci/docker-inbound-agent/tree/master/11/alpine
|
||||
- https://github.com/aquasecurity/trivy
|
||||
|
12
conf/containers.conf
Normal file
12
conf/containers.conf
Normal file
@ -0,0 +1,12 @@
|
||||
[containers]
|
||||
netns="host"
|
||||
userns="host"
|
||||
ipcns="host"
|
||||
utsns="host"
|
||||
cgroupns="host"
|
||||
cgroups="disabled"
|
||||
log_driver = "k8s-file"
|
||||
[engine]
|
||||
cgroup_manager = "cgroupfs"
|
||||
events_logger="file"
|
||||
runtime="crun"
|
4
conf/podman-containers.conf
Normal file
4
conf/podman-containers.conf
Normal file
@ -0,0 +1,4 @@
|
||||
[containers]
|
||||
volumes = [
|
||||
"/proc:/proc",
|
||||
]
|
2
conf/registries.conf
Normal file
2
conf/registries.conf
Normal file
@ -0,0 +1,2 @@
|
||||
# Note that changing the order here may break lazy devs Dockerfile
|
||||
unqualified-search-registries = [ "gcr.io", "quay.io", "docker.io", "registry.fedoraproject.org"]
|
14
conf/storage.conf
Normal file
14
conf/storage.conf
Normal file
@ -0,0 +1,14 @@
|
||||
[storage]
|
||||
driver = "overlay"
|
||||
runroot = "/run/containers/storage"
|
||||
graphroot = "/var/lib/containers/storage"
|
||||
|
||||
[storage.options]
|
||||
additionalimagestores = [
|
||||
"/var/lib/shared",
|
||||
]
|
||||
|
||||
[storage.options.overlay]
|
||||
mount_program = "/usr/bin/fuse-overlayfs"
|
||||
mountopt = "nodev,fsync=0"
|
||||
[storage.options.thinpool]
|
148
html.tpl
Normal file
148
html.tpl
Normal file
@ -0,0 +1,148 @@
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
||||
{{- if . }}
|
||||
<style>
|
||||
* {
|
||||
font-family: Arial, Helvetica, sans-serif;
|
||||
}
|
||||
h1 {
|
||||
text-align: center;
|
||||
}
|
||||
.group-header th {
|
||||
font-size: 200%;
|
||||
}
|
||||
.sub-header th {
|
||||
font-size: 150%;
|
||||
}
|
||||
table, th, td {
|
||||
border: 1px solid black;
|
||||
border-collapse: collapse;
|
||||
white-space: nowrap;
|
||||
padding: .3em;
|
||||
}
|
||||
table {
|
||||
margin: 0 auto;
|
||||
}
|
||||
.severity {
|
||||
text-align: center;
|
||||
font-weight: bold;
|
||||
color: #fafafa;
|
||||
}
|
||||
.severity-LOW .severity { background-color: #5fbb31; }
|
||||
.severity-MEDIUM .severity { background-color: #e9c600; }
|
||||
.severity-HIGH .severity { background-color: #ff8800; }
|
||||
.severity-CRITICAL .severity { background-color: #e40000; }
|
||||
.severity-UNKNOWN .severity { background-color: #747474; }
|
||||
.severity-LOW { background-color: #5fbb3160; }
|
||||
.severity-MEDIUM { background-color: #e9c60060; }
|
||||
.severity-HIGH { background-color: #ff880060; }
|
||||
.severity-CRITICAL { background-color: #e4000060; }
|
||||
.severity-UNKNOWN { background-color: #74747460; }
|
||||
table tr td:first-of-type {
|
||||
font-weight: bold;
|
||||
}
|
||||
.links a,
|
||||
.links[data-more-links=on] a {
|
||||
display: block;
|
||||
}
|
||||
.links[data-more-links=off] a:nth-of-type(1n+5) {
|
||||
display: none;
|
||||
}
|
||||
a.toggle-more-links { cursor: pointer; }
|
||||
</style>
|
||||
<title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</title>
|
||||
<script>
|
||||
window.onload = function() {
|
||||
document.querySelectorAll('td.links').forEach(function(linkCell) {
|
||||
var links = [].concat.apply([], linkCell.querySelectorAll('a'));
|
||||
[].sort.apply(links, function(a, b) {
|
||||
return a.href > b.href ? 1 : -1;
|
||||
});
|
||||
links.forEach(function(link, idx) {
|
||||
if (links.length > 3 && 3 === idx) {
|
||||
var toggleLink = document.createElement('a');
|
||||
toggleLink.innerText = "Toggle more links";
|
||||
toggleLink.href = "#toggleMore";
|
||||
toggleLink.setAttribute("class", "toggle-more-links");
|
||||
linkCell.appendChild(toggleLink);
|
||||
}
|
||||
linkCell.appendChild(link);
|
||||
});
|
||||
});
|
||||
document.querySelectorAll('a.toggle-more-links').forEach(function(toggleLink) {
|
||||
toggleLink.onclick = function() {
|
||||
var expanded = toggleLink.parentElement.getAttribute("data-more-links");
|
||||
toggleLink.parentElement.setAttribute("data-more-links", "on" === expanded ? "off" : "on");
|
||||
return false;
|
||||
};
|
||||
});
|
||||
};
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</h1>
|
||||
<table>
|
||||
{{- range . }}
|
||||
<tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>
|
||||
{{- if (eq (len .Vulnerabilities) 0) }}
|
||||
<tr><th colspan="6">No Vulnerabilities found</th></tr>
|
||||
{{- else }}
|
||||
<tr class="sub-header">
|
||||
<th>Package</th>
|
||||
<th>Vulnerability ID</th>
|
||||
<th>Severity</th>
|
||||
<th>Installed Version</th>
|
||||
<th>Fixed Version</th>
|
||||
<th>Links</th>
|
||||
</tr>
|
||||
{{- range .Vulnerabilities }}
|
||||
<tr class="severity-{{ escapeXML .Vulnerability.Severity }}">
|
||||
<td class="pkg-name">{{ escapeXML .PkgName }}</td>
|
||||
<td>{{ escapeXML .VulnerabilityID }}</td>
|
||||
<td class="severity">{{ escapeXML .Vulnerability.Severity }}</td>
|
||||
<td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
|
||||
<td>{{ escapeXML .FixedVersion }}</td>
|
||||
<td class="links" data-more-links="off">
|
||||
{{- range .Vulnerability.References }}
|
||||
<a href={{ escapeXML . | printf "%q" }}>{{ escapeXML . }}</a>
|
||||
{{- end }}
|
||||
</td>
|
||||
</tr>
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if (eq (len .Misconfigurations ) 0) }}
|
||||
<tr><th colspan="6">No Misconfigurations found</th></tr>
|
||||
{{- else }}
|
||||
<tr class="sub-header">
|
||||
<th>Type</th>
|
||||
<th>Misconf ID</th>
|
||||
<th>Check</th>
|
||||
<th>Severity</th>
|
||||
<th>Message</th>
|
||||
</tr>
|
||||
{{- range .Misconfigurations }}
|
||||
<tr class="severity-{{ escapeXML .Severity }}">
|
||||
<td class="misconf-type">{{ escapeXML .Type }}</td>
|
||||
<td>{{ escapeXML .ID }}</td>
|
||||
<td class="misconf-check">{{ escapeXML .Title }}</td>
|
||||
<td class="severity">{{ escapeXML .Severity }}</td>
|
||||
<td class="link" data-more-links="off" style="white-space:normal;"">
|
||||
{{ escapeXML .Message }}
|
||||
<br>
|
||||
<a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
|
||||
</br>
|
||||
</td>
|
||||
</tr>
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
</table>
|
||||
{{- else }}
|
||||
</head>
|
||||
<body>
|
||||
<h1>Trivy Returned Empty Report</h1>
|
||||
{{- end }}
|
||||
</body>
|
||||
</html>
|
Loading…
Reference in New Issue
Block a user