Compare commits
10 Commits
d7bf6542ce
...
de3df61608
| Author | SHA1 | Date | |
|---|---|---|---|
| de3df61608 | |||
| 208749d01e | |||
| 6124f0454b | |||
| 565cf4d664 | |||
| db2d719f34 | |||
| cd1165690a | |||
| 03a88e01b2 | |||
| c324ab03bb | |||
| bf204c8fb4 | |||
| 1175a38d8b |
@ -46,7 +46,7 @@ test:: ## test built artificats
|
||||
|
||||
scan: ## Scan image using trivy
|
||||
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
|
||||
trivy image $(TRIVY_OPTS) localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
||||
trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
||||
|
||||
# first tag and push all actual images
|
||||
# create new manifest for each tag and add all available TAG-ARCH before pushing
|
||||
@ -78,7 +78,7 @@ rm-image:
|
||||
|
||||
## some useful tasks during development
|
||||
ci-pull-upstream: ## pull latest shared .ci subtree
|
||||
git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop
|
||||
git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
|
||||
|
||||
create-repo: ## create new AWS ECR public repository
|
||||
aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)
|
||||
|
||||
@ -2,6 +2,9 @@
|
||||
|
||||
def call(Map config=[:]) {
|
||||
pipeline {
|
||||
options {
|
||||
disableConcurrentBuilds()
|
||||
}
|
||||
agent {
|
||||
node {
|
||||
label 'podman-aws-trivy'
|
||||
@ -10,6 +13,8 @@ def call(Map config=[:]) {
|
||||
stages {
|
||||
stage('Prepare') {
|
||||
steps {
|
||||
sh 'mkdir -p reports'
|
||||
|
||||
// we set pull tags as project adv. options
|
||||
// pull tags
|
||||
//withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
|
||||
@ -35,12 +40,13 @@ def call(Map config=[:]) {
|
||||
|
||||
// Scan via trivy
|
||||
stage('Scan') {
|
||||
environment {
|
||||
TRIVY_FORMAT = "template"
|
||||
TRIVY_OUTPUT = "reports/trivy.html"
|
||||
}
|
||||
steps {
|
||||
sh 'mkdir -p reports && make scan'
|
||||
// we always scan and create the full json report
|
||||
sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'
|
||||
|
||||
// render custom full html report
|
||||
sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'
|
||||
|
||||
publishHTML target: [
|
||||
allowMissing: true,
|
||||
alwaysLinkToLastBuild: true,
|
||||
@ -50,13 +56,12 @@ def call(Map config=[:]) {
|
||||
reportName: 'TrivyScan',
|
||||
reportTitles: 'TrivyScan'
|
||||
]
|
||||
sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'
|
||||
|
||||
// Scan again and fail on CRITICAL vulns, if not overridden
|
||||
// fail build if issues found above trivy threshold
|
||||
script {
|
||||
if (config.trivyFail == 'NONE') {
|
||||
echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
|
||||
} else {
|
||||
sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
|
||||
if ( config.trivyFail ) {
|
||||
sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
23
Dockerfile
23
Dockerfile
@ -1,12 +1,13 @@
|
||||
# https://aws.amazon.com/blogs/aws/new-for-aws-lambda-container-image-support/
|
||||
# libexec is missing from >=3.17
|
||||
|
||||
# Stage 1 - bundle base image + runtime
|
||||
FROM python:3.11-alpine3.16 AS python-alpine
|
||||
FROM python:3.12-alpine3.20 AS python-alpine
|
||||
ARG ALPINE="v3.20"
|
||||
|
||||
# Install GCC (Alpine uses musl but we compile and link dependencies with GCC)
|
||||
RUN apk upgrade -U --available --no-cache && \
|
||||
apk add --no-cache \
|
||||
RUN echo "@kubezero https://cdn.zero-downtime.net/alpine/${ALPINE}/kubezero" >> /etc/apk/repositories && \
|
||||
wget -q -O /etc/apk/keys/stefan@zero-downtime.net-61bb6bfb.rsa.pub https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub
|
||||
|
||||
RUN apk -U --no-cache upgrade && \
|
||||
apk --no-cache add \
|
||||
libstdc++
|
||||
|
||||
|
||||
@ -15,8 +16,7 @@ FROM python-alpine AS build-image
|
||||
ARG TAG="latest"
|
||||
|
||||
# Install aws-lambda-cpp build dependencies
|
||||
RUN apk upgrade -U --available --no-cache && \
|
||||
apk add --no-cache \
|
||||
RUN apk --no-cache add \
|
||||
build-base \
|
||||
libtool \
|
||||
autoconf \
|
||||
@ -25,8 +25,8 @@ RUN apk upgrade -U --available --no-cache && \
|
||||
cmake \
|
||||
libcurl \
|
||||
libffi-dev \
|
||||
libexecinfo-dev \
|
||||
openssl-dev
|
||||
openssl-dev \
|
||||
elfutils-dev
|
||||
# cargo
|
||||
|
||||
# Install requirements
|
||||
@ -43,6 +43,9 @@ RUN sed -i -e "s/^__version__ =.*/__version__ = \"${TAG}\"/" /app/app.py
|
||||
# Stage 3 - final runtime image
|
||||
FROM python-alpine
|
||||
|
||||
RUN apk --no-cache add \
|
||||
zstd-libs
|
||||
|
||||
WORKDIR /app
|
||||
COPY --from=build-image /app /app
|
||||
|
||||
|
||||
9
app.py
9
app.py
@ -261,6 +261,15 @@ def handler(event, context):
|
||||
title = "ElastiCache fail over complete"
|
||||
body = "for node {}".format(msg["ElastiCache:FailoverComplete"])
|
||||
|
||||
# ElasticCache update notifications
|
||||
elif "ElastiCache:ServiceUpdateAvailableForNode" in msg:
|
||||
title = "ElastiCache update available"
|
||||
body = "for node {}".format(msg["ElastiCache:ServiceUpdateAvailableForNode"])
|
||||
|
||||
elif "ElastiCache:ServiceUpdateAvailable" in msg:
|
||||
title = "ElastiCache update available"
|
||||
body = "for Group {}".format(msg["ElastiCache:ServiceUpdateAvailable"])
|
||||
|
||||
# known RDS events
|
||||
elif "Event Source" in msg and msg['Event Source'] in ["db-instance", "db-cluster-snapshot", "db-snapshot"]:
|
||||
try:
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
boto3==1.34.78
|
||||
apprise==1.7.5
|
||||
humanize==4.9.0
|
||||
awslambdaric==2.0.11
|
||||
boto3==1.35.17
|
||||
apprise==1.9.0
|
||||
humanize==4.10.0
|
||||
awslambdaric==2.2.1
|
||||
|
||||
Loading…
Reference in New Issue
Block a user