Compare commits
No commits in common. "master" and "v0.4.3" have entirely different histories.
@ -1,63 +0,0 @@
|
|||||||
#!/usr/bin/env python3
|
|
||||||
|
|
||||||
import argparse
|
|
||||||
import boto3
|
|
||||||
|
|
||||||
parser = argparse.ArgumentParser(
|
|
||||||
description='Implement basic public ECR lifecycle policy')
|
|
||||||
parser.add_argument('--repo', dest='repositoryName', action='store', required=True,
|
|
||||||
help='Name of the public ECR repository')
|
|
||||||
parser.add_argument('--keep', dest='keep', action='store', default=10, type=int,
|
|
||||||
help='number of tagged images to keep, default 10')
|
|
||||||
parser.add_argument('--dev', dest='delete_dev', action='store_true',
|
|
||||||
help='also delete in-development images only having tags like v0.1.1-commitNr-githash')
|
|
||||||
|
|
||||||
args = parser.parse_args()
|
|
||||||
|
|
||||||
client = boto3.client('ecr-public', region_name='us-east-1')
|
|
||||||
|
|
||||||
images = client.describe_images(repositoryName=args.repositoryName)[
|
|
||||||
"imageDetails"]
|
|
||||||
|
|
||||||
untagged = []
|
|
||||||
kept = 0
|
|
||||||
|
|
||||||
# actual Image
|
|
||||||
# imageManifestMediaType: 'application/vnd.oci.image.manifest.v1+json'
|
|
||||||
# image Index
|
|
||||||
# imageManifestMediaType: 'application/vnd.oci.image.index.v1+json'
|
|
||||||
|
|
||||||
# Sort by date uploaded
|
|
||||||
for image in sorted(images, key=lambda d: d['imagePushedAt'], reverse=True):
|
|
||||||
# Remove all untagged
|
|
||||||
# if registry uses image index all actual images will be untagged anyways
|
|
||||||
if 'imageTags' not in image:
|
|
||||||
untagged.append({"imageDigest": image['imageDigest']})
|
|
||||||
# print("Delete untagged image {}".format(image["imageDigest"]))
|
|
||||||
continue
|
|
||||||
|
|
||||||
# check for dev tags
|
|
||||||
if args.delete_dev:
|
|
||||||
_delete = True
|
|
||||||
for tag in image["imageTags"]:
|
|
||||||
# Look for at least one tag NOT beign a SemVer dev tag
|
|
||||||
if "-" not in tag:
|
|
||||||
_delete = False
|
|
||||||
if _delete:
|
|
||||||
print("Deleting development image {}".format(image["imageTags"]))
|
|
||||||
untagged.append({"imageDigest": image['imageDigest']})
|
|
||||||
continue
|
|
||||||
|
|
||||||
if kept < args.keep:
|
|
||||||
kept = kept+1
|
|
||||||
print("Keeping tagged image {}".format(image["imageTags"]))
|
|
||||||
continue
|
|
||||||
else:
|
|
||||||
print("Deleting tagged image {}".format(image["imageTags"]))
|
|
||||||
untagged.append({"imageDigest": image['imageDigest']})
|
|
||||||
|
|
||||||
deleted_images = client.batch_delete_image(
|
|
||||||
repositoryName=args.repositoryName, imageIds=untagged)
|
|
||||||
|
|
||||||
if deleted_images["imageIds"]:
|
|
||||||
print("Deleted images: {}".format(deleted_images["imageIds"]))
|
|
@ -1,26 +1,25 @@
|
|||||||
# Parse version from latest git semver tag
|
# Parse version from latest git semver tag
|
||||||
GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
|
GIT_BRANCH ?= $(shell git name-rev --name-only HEAD 2>/dev/null | sed -e 's,remotes/origin/,,' -e 's/[^a-zA-Z0-9]/-/g')
|
||||||
GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
|
GIT_TAG := $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
|
||||||
|
|
||||||
TAG ::= $(GIT_TAG)
|
TAG := $(GIT_TAG)
|
||||||
# append branch name to tag if NOT main nor master
|
# append branch name to tag if NOT main nor master
|
||||||
ifeq (,$(filter main master, $(GIT_BRANCH)))
|
ifeq (,$(filter main master, $(GIT_BRANCH)))
|
||||||
# If branch is substring of tag, omit branch name
|
# If branch is substring of tag, omit branch name
|
||||||
ifeq ($(findstring $(GIT_BRANCH), $(GIT_TAG)),)
|
ifeq ($(findstring $(GIT_BRANCH), $(GIT_TAG)),)
|
||||||
# only append branch name if not equal tag
|
# only append branch name if not equal tag
|
||||||
ifneq ($(GIT_TAG), $(GIT_BRANCH))
|
ifneq ($(GIT_TAG), $(GIT_BRANCH))
|
||||||
# Sanitize GIT_BRANCH to allowed Docker tag character set
|
TAG = $(GIT_TAG)-$(GIT_BRANCH)
|
||||||
TAG = $(GIT_TAG)-$(shell echo $$GIT_BRANCH | sed -e 's/[^a-zA-Z0-9]/-/g')
|
|
||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ARCH ::= amd64
|
ARCH := amd64
|
||||||
ALL_ARCHS ::= amd64 arm64
|
ALL_ARCHS := amd64 arm64
|
||||||
_ARCH = $(or $(filter $(ARCH),$(ALL_ARCHS)),$(error $$ARCH [$(ARCH)] must be exactly one of "$(ALL_ARCHS)"))
|
_ARCH = $(or $(filter $(ARCH),$(ALL_ARCHS)),$(error $$ARCH [$(ARCH)] must be exactly one of "$(ALL_ARCHS)"))
|
||||||
|
|
||||||
ifneq ($(TRIVY_REMOTE),)
|
ifneq ($(TRIVY_REMOTE),)
|
||||||
TRIVY_OPTS ::= --server $(TRIVY_REMOTE)
|
TRIVY_OPTS := --server $(TRIVY_REMOTE)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
.SILENT: ; # no need for @
|
.SILENT: ; # no need for @
|
||||||
@ -33,20 +32,18 @@ endif
|
|||||||
help: ## Show Help
|
help: ## Show Help
|
||||||
grep -E '^[a-zA-Z_-]+:.*?## .*$$' .ci/podman.mk | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
|
grep -E '^[a-zA-Z_-]+:.*?## .*$$' .ci/podman.mk | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
|
||||||
|
|
||||||
prepare:: ## custom step on the build agent before building
|
|
||||||
|
|
||||||
fmt:: ## auto format source
|
|
||||||
|
|
||||||
lint:: ## Lint source
|
|
||||||
|
|
||||||
build: ## Build the app
|
build: ## Build the app
|
||||||
buildah build --rm --layers -t $(IMAGE):$(TAG)-$(_ARCH) --build-arg TAG=$(TAG) --build-arg ARCH=$(_ARCH) --platform linux/$(_ARCH) .
|
buildah build --rm --layers -t $(IMAGE):$(TAG)-$(_ARCH) --build-arg TAG=$(TAG) --build-arg ARCH=$(_ARCH) --platform linux/$(_ARCH) .
|
||||||
|
|
||||||
test:: ## test built artificats
|
test: rm-test-image ## Execute Dockerfile.test
|
||||||
|
test -f Dockerfile.test && \
|
||||||
|
{ buildah build --rm --layers -t $(REGISTRY)/$(IMAGE):$(TAG)-$(_ARCH)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test --platform linux/$(_ARCH) . && \
|
||||||
|
podman run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-$(_ARCH)-test; } || \
|
||||||
|
echo "No Dockerfile.test found, skipping test"
|
||||||
|
|
||||||
scan: ## Scan image using trivy
|
scan: ## Scan image using trivy
|
||||||
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
|
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
|
||||||
trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
trivy image $(TRIVY_OPTS) localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
||||||
|
|
||||||
# first tag and push all actual images
|
# first tag and push all actual images
|
||||||
# create new manifest for each tag and add all available TAG-ARCH before pushing
|
# create new manifest for each tag and add all available TAG-ARCH before pushing
|
||||||
@ -66,19 +63,24 @@ push: ecr-login ## push images to registry
|
|||||||
ecr-login: ## log into AWS ECR public
|
ecr-login: ## log into AWS ECR public
|
||||||
aws ecr-public get-login-password --region $(REGION) | podman login --username AWS --password-stdin $(REGISTRY)
|
aws ecr-public get-login-password --region $(REGION) | podman login --username AWS --password-stdin $(REGISTRY)
|
||||||
|
|
||||||
rm-remote-untagged: ## delete all remote untagged and in-dev images, keep 10 tagged
|
clean: rm-test-image rm-image ## delete local built container and test images
|
||||||
echo "Removing all untagged and in-dev images from $(IMAGE) in $(REGION)"
|
|
||||||
.ci/ecr_public_lifecycle.py --repo $(IMAGE) --dev
|
|
||||||
|
|
||||||
clean:: ## clean up source folder
|
rm-remote-untagged: ## delete all remote untagged images
|
||||||
|
echo "Removing all untagged images from $(IMAGE) in $(REGION)"
|
||||||
|
IMAGE_IDS=$$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done) ; \
|
||||||
|
[ -n "$$IMAGE_IDS" ] && aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$IMAGE_IDS | jq -r '.imageIds[]' || echo "No image to remove"
|
||||||
|
|
||||||
rm-image:
|
rm-image:
|
||||||
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || podman image rm -f $(IMAGE):$(TAG)-$(_ARCH) > /dev/null
|
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || podman image rm -f $(IMAGE):$(TAG)-$(_ARCH) > /dev/null
|
||||||
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || echo "Error: Removing image failed"
|
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || echo "Error: Removing image failed"
|
||||||
|
|
||||||
## some useful tasks during development
|
# Ensure we run the tests by removing any previous runs
|
||||||
|
rm-test-image:
|
||||||
|
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH)-test)" || podman image rm -f $(IMAGE):$(TAG)-$(_ARCH)-test > /dev/null
|
||||||
|
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH)-test)" || echo "Error: Removing test image failed"
|
||||||
|
|
||||||
ci-pull-upstream: ## pull latest shared .ci subtree
|
ci-pull-upstream: ## pull latest shared .ci subtree
|
||||||
git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
|
git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop
|
||||||
|
|
||||||
create-repo: ## create new AWS ECR public repository
|
create-repo: ## create new AWS ECR public repository
|
||||||
aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)
|
aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)
|
||||||
|
@ -2,9 +2,6 @@
|
|||||||
|
|
||||||
def call(Map config=[:]) {
|
def call(Map config=[:]) {
|
||||||
pipeline {
|
pipeline {
|
||||||
options {
|
|
||||||
disableConcurrentBuilds()
|
|
||||||
}
|
|
||||||
agent {
|
agent {
|
||||||
node {
|
node {
|
||||||
label 'podman-aws-trivy'
|
label 'podman-aws-trivy'
|
||||||
@ -13,22 +10,18 @@ def call(Map config=[:]) {
|
|||||||
stages {
|
stages {
|
||||||
stage('Prepare') {
|
stage('Prepare') {
|
||||||
steps {
|
steps {
|
||||||
sh 'mkdir -p reports'
|
|
||||||
|
|
||||||
// we set pull tags as project adv. options
|
|
||||||
// pull tags
|
// pull tags
|
||||||
//withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
|
withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
|
||||||
// sh 'git fetch -q --tags ${GIT_URL}'
|
sh 'git fetch -q --tags ${GIT_URL}'
|
||||||
//}
|
}
|
||||||
// Optional project specific preparations
|
sh 'make prepare || true'
|
||||||
sh 'make prepare'
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Build using rootless podman
|
// Build using rootless podman
|
||||||
stage('Build') {
|
stage('Build') {
|
||||||
steps {
|
steps {
|
||||||
sh 'make build GIT_BRANCH=$GIT_BRANCH'
|
sh 'make build'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -40,13 +33,12 @@ def call(Map config=[:]) {
|
|||||||
|
|
||||||
// Scan via trivy
|
// Scan via trivy
|
||||||
stage('Scan') {
|
stage('Scan') {
|
||||||
|
environment {
|
||||||
|
TRIVY_FORMAT = "template"
|
||||||
|
TRIVY_OUTPUT = "reports/trivy.html"
|
||||||
|
}
|
||||||
steps {
|
steps {
|
||||||
// we always scan and create the full json report
|
sh 'mkdir -p reports && make scan'
|
||||||
sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'
|
|
||||||
|
|
||||||
// render custom full html report
|
|
||||||
sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'
|
|
||||||
|
|
||||||
publishHTML target: [
|
publishHTML target: [
|
||||||
allowMissing: true,
|
allowMissing: true,
|
||||||
alwaysLinkToLastBuild: true,
|
alwaysLinkToLastBuild: true,
|
||||||
@ -56,31 +48,31 @@ def call(Map config=[:]) {
|
|||||||
reportName: 'TrivyScan',
|
reportName: 'TrivyScan',
|
||||||
reportTitles: 'TrivyScan'
|
reportTitles: 'TrivyScan'
|
||||||
]
|
]
|
||||||
sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'
|
|
||||||
|
|
||||||
// fail build if issues found above trivy threshold
|
// Scan again and fail on CRITICAL vulns, if not overridden
|
||||||
script {
|
script {
|
||||||
if ( config.trivyFail ) {
|
if (config.trivyFail == 'NONE') {
|
||||||
sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json"
|
echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
|
||||||
|
} else {
|
||||||
|
sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Push to container registry if not PR
|
// Push to container registry, skip if PR
|
||||||
// incl. basic registry retention removing any untagged images
|
|
||||||
stage('Push') {
|
stage('Push') {
|
||||||
when { not { changeRequest() } }
|
when { not { changeRequest() } }
|
||||||
steps {
|
steps {
|
||||||
sh 'make push'
|
sh 'make push'
|
||||||
sh 'make rm-remote-untagged'
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// generic clean
|
// Basic registry retention removing untagged images
|
||||||
stage('cleanup') {
|
stage('cleanup') {
|
||||||
|
when { not { changeRequest() } }
|
||||||
steps {
|
steps {
|
||||||
sh 'make clean'
|
sh 'make rm-remote-untagged'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
16
Dockerfile
16
Dockerfile
@ -2,7 +2,7 @@
|
|||||||
# https://hub.docker.com/r/jenkins/inbound-agent/tags
|
# https://hub.docker.com/r/jenkins/inbound-agent/tags
|
||||||
|
|
||||||
|
|
||||||
FROM jenkins/inbound-agent:alpine-jdk21@sha256:ce5fe247069abd73c82d40ae5c6c400ead2c12f7be854be368d64893afc2663a
|
FROM jenkins/inbound-agent:alpine-jdk17@sha256:9ffaf2ae447d87b274be28958432070a7b980eca99287bb8bb4f58125364071b
|
||||||
|
|
||||||
ARG BUILDUSER=jenkins
|
ARG BUILDUSER=jenkins
|
||||||
|
|
||||||
@ -15,10 +15,8 @@ RUN echo "@edge-testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /e
|
|||||||
jq \
|
jq \
|
||||||
yq \
|
yq \
|
||||||
strace \
|
strace \
|
||||||
fuse-overlayfs \
|
|
||||||
podman \
|
podman \
|
||||||
buildah \
|
buildah \
|
||||||
py-boto3 \
|
|
||||||
aws-cli \
|
aws-cli \
|
||||||
trivy@edge-testing
|
trivy@edge-testing
|
||||||
|
|
||||||
@ -32,8 +30,8 @@ ADD entrypoint.sh /usr/local/bin/entrypoint.sh
|
|||||||
# conf/registries.conf will be mounted RO at runtime to inherit worker settings incl. caching proxies
|
# conf/registries.conf will be mounted RO at runtime to inherit worker settings incl. caching proxies
|
||||||
ADD --chown=$BUILDUSER:$BUILDUSER conf/containers.conf conf/storage.conf /home/$BUILDUSER/.config/containers
|
ADD --chown=$BUILDUSER:$BUILDUSER conf/containers.conf conf/storage.conf /home/$BUILDUSER/.config/containers
|
||||||
|
|
||||||
RUN echo -e "$BUILDUSER:100000:65535" > /etc/subuid && \
|
RUN echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subuid && \
|
||||||
echo -e "$BUILDUSER:100000:65535" > /etc/subgid && \
|
echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subgid && \
|
||||||
cd /usr/bin && ln -s podman docker && \
|
cd /usr/bin && ln -s podman docker && \
|
||||||
chown $BUILDUSER:$BUILDUSER -R /home/$BUILDUSER
|
chown $BUILDUSER:$BUILDUSER -R /home/$BUILDUSER
|
||||||
|
|
||||||
@ -41,14 +39,10 @@ RUN echo -e "$BUILDUSER:100000:65535" > /etc/subuid && \
|
|||||||
RUN sed -i -e 's/exec \$JAVA_BIN/podman system service -t0\&\n exec \$JAVA_BIN/' /usr/local/bin/jenkins-agent
|
RUN sed -i -e 's/exec \$JAVA_BIN/podman system service -t0\&\n exec \$JAVA_BIN/' /usr/local/bin/jenkins-agent
|
||||||
|
|
||||||
ENV XDG_RUNTIME_DIR=/home/$BUILDUSER/agent/xdg-run
|
ENV XDG_RUNTIME_DIR=/home/$BUILDUSER/agent/xdg-run
|
||||||
ENV XDG_CONFIG_HOME=/home/$BUILDUSER/.config
|
|
||||||
|
|
||||||
ENV BUILDAH_ISOLATION=chroot
|
ENV BUILDAH_ISOLATION=chroot
|
||||||
ENV _CONTAINERS_USERNS_CONFIGURED=""
|
ENV _CONTAINERS_USERNS_CONFIGURED=""
|
||||||
|
ENV TRIVY_TEMPLATE="@/home/jenkins/html.tpl"
|
||||||
# Until we setup the logging and metrics pipelines in OTEL
|
ENV HOME=/home/$BUILDUSER
|
||||||
ENV OTEL_LOGS_EXPORTER=none
|
|
||||||
ENV OTEL_METRICS_EXPORTER=none
|
|
||||||
|
|
||||||
USER $BUILDUSER
|
USER $BUILDUSER
|
||||||
|
|
||||||
|
2
Jenkinsfile
vendored
2
Jenkinsfile
vendored
@ -2,4 +2,4 @@ library identifier: 'zdt-lib@master', retriever: modernSCM(
|
|||||||
[$class: 'GitSCMSource',
|
[$class: 'GitSCMSource',
|
||||||
remote: 'https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git'])
|
remote: 'https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git'])
|
||||||
|
|
||||||
buildPodman name: 'jenkins-podman'
|
buildPodman name: 'jenkins-podman', trivyFail: 'NONE'
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
mkdir -p $XDG_RUNTIME_DIR
|
mkdir -p $HOME/agent/xdg-run $HOME/agent/containers/run $HOME/agent/containers/storage
|
||||||
/usr/local/bin/jenkins-agent
|
/usr/local/bin/jenkins-agent
|
||||||
|
32
html.tpl
32
html.tpl
@ -83,13 +83,11 @@
|
|||||||
</script>
|
</script>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
|
<h1><img src="https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png" style="padding-right:10px";>
|
||||||
|
Trivy Report - {{ now | date "2006-01-02 15:04:05 -0700" }}</h1>
|
||||||
<table>
|
<table>
|
||||||
<tr><td colspan="7">
|
|
||||||
<h1><img src="https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png" style="padding:10px;float:left";>
|
|
||||||
{{- escapeXML ( index . 0 ).Target }}<br/>Trivy Report - {{ now | date "2006-01-02 15:04:05 -0700" }}</h1>
|
|
||||||
</td></tr>
|
|
||||||
{{- range . }}
|
{{- range . }}
|
||||||
<tr class="group-header"><th colspan="7">{{ escapeXML .Target }} ({{ .Type | toString | escapeXML }})</th></tr>
|
<tr class="group-header"><th colspan="7">{{ escapeXML .Target }}({{ escapeXML .Type }})</th></tr>
|
||||||
{{- if (eq (len .Vulnerabilities) 0) }}
|
{{- if (eq (len .Vulnerabilities) 0) }}
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -103,10 +101,10 @@
|
|||||||
<th>Links</th>
|
<th>Links</th>
|
||||||
</tr>
|
</tr>
|
||||||
{{- range .Vulnerabilities }}
|
{{- range .Vulnerabilities }}
|
||||||
<tr class="severity-{{ escapeXML .Severity }}">
|
<tr class="severity-{{ escapeXML .Vulnerability.Severity }}">
|
||||||
<td class="pkg-name">{{ escapeXML .PkgName }}</td>
|
<td class="pkg-name">{{ escapeXML .PkgName }}</td>
|
||||||
<td>{{ escapeXML .VulnerabilityID }}</td>
|
<td>{{ escapeXML .VulnerabilityID }}</td>
|
||||||
<td class="severity">{{ escapeXML .Severity }}</td>
|
<td class="severity">{{ escapeXML .Vulnerability.Severity }}</td>
|
||||||
<td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
|
<td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
|
||||||
<td>{{ escapeXML .FixedVersion }}</td>
|
<td>{{ escapeXML .FixedVersion }}</td>
|
||||||
<td>{{ escapeXML .Title }}</td>
|
<td>{{ escapeXML .Title }}</td>
|
||||||
@ -147,26 +145,6 @@
|
|||||||
</tr>
|
</tr>
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if (eq (len .Secrets) 0) }}
|
|
||||||
<tr><th colspan="7">No Secrets found</th></tr>
|
|
||||||
{{- else }}
|
|
||||||
<tr class="sub-header">
|
|
||||||
<th colspan="2">Rule ID</th>
|
|
||||||
<th>Severity</th>
|
|
||||||
<th>Category</th>
|
|
||||||
<th colspan="2">Title</th>
|
|
||||||
<th>Lines</th>
|
|
||||||
</tr>
|
|
||||||
{{- range .Secrets }}
|
|
||||||
<tr class="severity-{{ escapeXML .Severity }}">
|
|
||||||
<td colspan="2">{{ escapeXML .RuleID }}</td>
|
|
||||||
<td class="severity">{{ escapeXML .Severity }}</td>
|
|
||||||
<td>{{ .Category | toString | escapeXML }}</td>
|
|
||||||
<td colspan="2">{{ escapeXML .Title }}</td>
|
|
||||||
<td>{{ .StartLine | toString }} - {{ .EndLine | toString }}</td>
|
|
||||||
</tr>
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
</table>
|
</table>
|
||||||
{{- else }}
|
{{- else }}
|
||||||
|
10
junit.tpl
10
junit.tpl
@ -14,12 +14,8 @@
|
|||||||
</testcase>
|
</testcase>
|
||||||
{{- end }}
|
{{- end }}
|
||||||
</testsuite>
|
</testsuite>
|
||||||
|
{{- $failures := len .Misconfigurations }}
|
||||||
{{- if .MisconfSummary }}
|
<testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
|
||||||
<testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{ .Target }}" errors="0" skipped="{{ .MisconfSummary.Exceptions }}" time="">
|
|
||||||
{{- else }}
|
|
||||||
<testsuite tests="0" failures="0" name="{{ .Target }}" errors="0" skipped="0" time="">
|
|
||||||
{{- end }}
|
|
||||||
{{- if not (eq .Type "") }}
|
{{- if not (eq .Type "") }}
|
||||||
<properties>
|
<properties>
|
||||||
<property name="type" value="{{ .Type }}"></property>
|
<property name="type" value="{{ .Type }}"></property>
|
||||||
@ -27,9 +23,7 @@
|
|||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{ range .Misconfigurations }}
|
{{ range .Misconfigurations }}
|
||||||
<testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
|
<testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
|
||||||
{{- if (eq .Status "FAIL") }}
|
|
||||||
<failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
|
<failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
|
||||||
{{- end }}
|
|
||||||
</testcase>
|
</testcase>
|
||||||
{{- end }}
|
{{- end }}
|
||||||
</testsuite>
|
</testsuite>
|
||||||
|
Loading…
Reference in New Issue
Block a user