diff --git a/podman.mk b/podman.mk index ebb5a90..9435847 100644 --- a/podman.mk +++ b/podman.mk @@ -14,16 +14,20 @@ all: test build: - docker image exists $(IMAGE):$(TAG) || \ + @docker image exists $(IMAGE):$(TAG) || \ docker build --rm -t $(IMAGE):$(TAG) --build-arg TAG=$(TAG) . test: build rm-test-image - docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test . + @test -f Dockerfile.test && \ + { docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test . && \ + docker run --rm --env-host -t $(IMAGE):$(TAG)-test; } || \ + echo "No Dockerfile.test found, skipping test" scan: build - trivy $(TRIVY_OPTS) $(IMAGE):$(TAG) + @echo "Scanning $(IMAGE):$(TAG) using Trivy" + @trivy $(TRIVY_OPTS) $(IMAGE):$(TAG) -push: scan +push: build @aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY) @docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):latest docker push $(REGISTRY)/$(IMAGE):$(TAG) @@ -34,7 +38,8 @@ clean: rm-test-image rm-image # Delete all untagged images .PHONY: rm-remote-untagged rm-remote-untagged: - aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done) + @echo "Removing all untagged images from $(IMAGE) in $(REGION)" + @aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done) .PHONY: rm-image rm-image: diff --git a/vars/buildPodman.goovy b/vars/buildPodman.goovy deleted file mode 100644 index 4e23229..0000000 --- a/vars/buildPodman.goovy +++ /dev/null @@ -1,61 +0,0 @@ -// Common container builder by ZeroDownTime - -def call (Map: config) { - pipeline { - agent { node { label 'podman-aws-trivy' } } - - stages { - stage('Prepare'){ - // get tags - steps { - sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}' - } - } - - // Build using rootless podman - stage('Build'){ - steps { - sh 'make build' - } - } - - stage('Test'){ - steps { - sh 'make test' - } - } - - // Scan via trivy - stage('Scan'){ - environment { - TRIVY_FORMAT = "template" - TRIVY_OUTPUT = "reports/trivy.html" - } - steps { - sh 'mkdir -p reports' - sh 'make scan' - publishHTML target : [ - allowMissing: true, - alwaysLinkToLastBuild: true, - keepAll: true, - reportDir: 'reports', - reportFiles: 'trivy.html', - reportName: 'TrivyScan', - reportTitles: 'TrivyScan' - ] - - // Scan again and fail on CRITICAL vulns - sh 'TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=CRITICAL make scan' - } - } - - // Push to ECR - stage('Push'){ - steps { - sh 'make push' - } - } - } - } - -} diff --git a/vars/buildPodman.groovy b/vars/buildPodman.groovy new file mode 100644 index 0000000..14a1b90 --- /dev/null +++ b/vars/buildPodman.groovy @@ -0,0 +1,71 @@ +// Common container builder by ZeroDownTime + +def call(Map config=[:]) { + pipeline { + agent { + node { + label 'podman-aws-trivy' + } + } + + stages { + stage('Prepare') { + // get tags + steps { + sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}' + } + } + + // Build using rootless podman + stage('Build') { + steps { + sh 'make build' + } + } + + stage('Test') { + steps { + sh 'make test' + } + } + + // Scan via trivy + stage('Scan') { + environment { + TRIVY_FORMAT = "template" + TRIVY_OUTPUT = "reports/trivy.html" + } + steps { + sh 'mkdir -p reports' + sh 'make scan' + publishHTML target: [ + allowMissing: true, + alwaysLinkToLastBuild: true, + keepAll: true, + reportDir: 'reports', + reportFiles: 'trivy.html', + reportName: 'TrivyScan', + reportTitles: 'TrivyScan' + ] + + // Scan again and fail on CRITICAL vulns, if not overridden + script { + if (config.trivyFail == 'NONE') { + echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...' + } else { + sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan" + } + } + } + } + + // Push to ECR + stage('Push') { + steps { + sh 'make push' + } + } + + } + } + }