Squashed '.ci/' changes from 56c6ad9..98c8ec1
98c8ec1 Feat: Execute tests via docker run rather than at the end of the test build process d6b2fb4 feat: improve messaging if Trivy fail is skipped b6fea5a fix: fix quotes, do not execute scan during push db97da8 feat: revert extraSteps for now 322285e feat: add ability to execute custom extraSteps ba21a45 feat: make trivy scan cause build to fail configurable ba73be4 feat: make Dockerfile.test optional, improve messaging b9aa3de chore: groovy formating f0f4af2 chore: learning the groove a3d42de chore: typing is hard git-subtree-dir: .ci git-subtree-split: 98c8ec138a895b02cadf029871b7466b4699f2a3
This commit is contained in:
parent
41846c37e2
commit
8979d74665
15
podman.mk
15
podman.mk
@ -14,16 +14,20 @@ all: test
|
||||
|
||||
|
||||
build:
|
||||
docker image exists $(IMAGE):$(TAG) || \
|
||||
@docker image exists $(IMAGE):$(TAG) || \
|
||||
docker build --rm -t $(IMAGE):$(TAG) --build-arg TAG=$(TAG) .
|
||||
|
||||
test: build rm-test-image
|
||||
docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test .
|
||||
@test -f Dockerfile.test && \
|
||||
{ docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test . && \
|
||||
docker run --rm --env-host -t $(IMAGE):$(TAG)-test; } || \
|
||||
echo "No Dockerfile.test found, skipping test"
|
||||
|
||||
scan: build
|
||||
trivy $(TRIVY_OPTS) $(IMAGE):$(TAG)
|
||||
@echo "Scanning $(IMAGE):$(TAG) using Trivy"
|
||||
@trivy $(TRIVY_OPTS) $(IMAGE):$(TAG)
|
||||
|
||||
push: scan
|
||||
push: build
|
||||
@aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY)
|
||||
@docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):latest
|
||||
docker push $(REGISTRY)/$(IMAGE):$(TAG)
|
||||
@ -34,7 +38,8 @@ clean: rm-test-image rm-image
|
||||
# Delete all untagged images
|
||||
.PHONY: rm-remote-untagged
|
||||
rm-remote-untagged:
|
||||
aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done)
|
||||
@echo "Removing all untagged images from $(IMAGE) in $(REGION)"
|
||||
@aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done)
|
||||
|
||||
.PHONY: rm-image
|
||||
rm-image:
|
||||
|
@ -1,61 +0,0 @@
|
||||
// Common container builder by ZeroDownTime
|
||||
|
||||
def call (Map: config) {
|
||||
pipeline {
|
||||
agent { node { label 'podman-aws-trivy' } }
|
||||
|
||||
stages {
|
||||
stage('Prepare'){
|
||||
// get tags
|
||||
steps {
|
||||
sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
|
||||
}
|
||||
}
|
||||
|
||||
// Build using rootless podman
|
||||
stage('Build'){
|
||||
steps {
|
||||
sh 'make build'
|
||||
}
|
||||
}
|
||||
|
||||
stage('Test'){
|
||||
steps {
|
||||
sh 'make test'
|
||||
}
|
||||
}
|
||||
|
||||
// Scan via trivy
|
||||
stage('Scan'){
|
||||
environment {
|
||||
TRIVY_FORMAT = "template"
|
||||
TRIVY_OUTPUT = "reports/trivy.html"
|
||||
}
|
||||
steps {
|
||||
sh 'mkdir -p reports'
|
||||
sh 'make scan'
|
||||
publishHTML target : [
|
||||
allowMissing: true,
|
||||
alwaysLinkToLastBuild: true,
|
||||
keepAll: true,
|
||||
reportDir: 'reports',
|
||||
reportFiles: 'trivy.html',
|
||||
reportName: 'TrivyScan',
|
||||
reportTitles: 'TrivyScan'
|
||||
]
|
||||
|
||||
// Scan again and fail on CRITICAL vulns
|
||||
sh 'TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=CRITICAL make scan'
|
||||
}
|
||||
}
|
||||
|
||||
// Push to ECR
|
||||
stage('Push'){
|
||||
steps {
|
||||
sh 'make push'
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
71
vars/buildPodman.groovy
Normal file
71
vars/buildPodman.groovy
Normal file
@ -0,0 +1,71 @@
|
||||
// Common container builder by ZeroDownTime
|
||||
|
||||
def call(Map config=[:]) {
|
||||
pipeline {
|
||||
agent {
|
||||
node {
|
||||
label 'podman-aws-trivy'
|
||||
}
|
||||
}
|
||||
|
||||
stages {
|
||||
stage('Prepare') {
|
||||
// get tags
|
||||
steps {
|
||||
sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
|
||||
}
|
||||
}
|
||||
|
||||
// Build using rootless podman
|
||||
stage('Build') {
|
||||
steps {
|
||||
sh 'make build'
|
||||
}
|
||||
}
|
||||
|
||||
stage('Test') {
|
||||
steps {
|
||||
sh 'make test'
|
||||
}
|
||||
}
|
||||
|
||||
// Scan via trivy
|
||||
stage('Scan') {
|
||||
environment {
|
||||
TRIVY_FORMAT = "template"
|
||||
TRIVY_OUTPUT = "reports/trivy.html"
|
||||
}
|
||||
steps {
|
||||
sh 'mkdir -p reports'
|
||||
sh 'make scan'
|
||||
publishHTML target: [
|
||||
allowMissing: true,
|
||||
alwaysLinkToLastBuild: true,
|
||||
keepAll: true,
|
||||
reportDir: 'reports',
|
||||
reportFiles: 'trivy.html',
|
||||
reportName: 'TrivyScan',
|
||||
reportTitles: 'TrivyScan'
|
||||
]
|
||||
|
||||
// Scan again and fail on CRITICAL vulns, if not overridden
|
||||
script {
|
||||
if (config.trivyFail == 'NONE') {
|
||||
echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
|
||||
} else {
|
||||
sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Push to ECR
|
||||
stage('Push') {
|
||||
steps {
|
||||
sh 'make push'
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user