Compare commits
1 Commits
main
...
renovate/g
Author | SHA1 | Date | |
---|---|---|---|
6ad6ae43d3 |
|
@ -46,7 +46,7 @@ test:: ## test built artificats
|
||||||
|
|
||||||
scan: ## Scan image using trivy
|
scan: ## Scan image using trivy
|
||||||
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
|
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
|
||||||
trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
trivy image $(TRIVY_OPTS) localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
||||||
|
|
||||||
# first tag and push all actual images
|
# first tag and push all actual images
|
||||||
# create new manifest for each tag and add all available TAG-ARCH before pushing
|
# create new manifest for each tag and add all available TAG-ARCH before pushing
|
||||||
|
|
|
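Review bot: The `scan` recipe's pass/fail outcome is controlled entirely by Trivy's `TRIVY_*` environment variables (the Jenkinsfile in this same compare exports `TRIVY_EXIT_CODE`, `TRIVY_SEVERITY`, `TRIVY_FORMAT` and `TRIVY_OUTPUT`), but nothing in the hunk says so, and Trivy's default exit code is 0, so a plain `make scan` run by hand succeeds regardless of findings. Add a comment above the target such as `# honours TRIVY_SEVERITY / TRIVY_EXIT_CODE / TRIVY_FORMAT / TRIVY_OUTPUT; set TRIVY_EXIT_CODE=1 to make the scan gate the build`, or set the policy in the Makefile with `TRIVY_EXIT_CODE ?= 1` if gating is the intent. `scan` is a command rather than a file, so confirm it is listed in `.PHONY`, which is outside this hunk. The side that drops `--quiet --no-progress` will write progress-bar output into CI logs; which side is proposed is inferred from print order, since the page shows no +/- markers.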
@ -2,9 +2,6 @@
|
||||||
|
|
||||||
def call(Map config=[:]) {
|
def call(Map config=[:]) {
|
||||||
pipeline {
|
pipeline {
|
||||||
options {
|
|
||||||
disableConcurrentBuilds()
|
|
||||||
}
|
|
||||||
agent {
|
agent {
|
||||||
node {
|
node {
|
||||||
label 'podman-aws-trivy'
|
label 'podman-aws-trivy'
|
||||||
|
@ -13,8 +10,6 @@ def call(Map config=[:]) {
|
||||||
stages {
|
stages {
|
||||||
stage('Prepare') {
|
stage('Prepare') {
|
||||||
steps {
|
steps {
|
||||||
sh 'mkdir -p reports'
|
|
||||||
|
|
||||||
// we set pull tags as project adv. options
|
// we set pull tags as project adv. options
|
||||||
// pull tags
|
// pull tags
|
||||||
//withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
|
//withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
|
||||||
|
@ -40,13 +35,12 @@ def call(Map config=[:]) {
|
||||||
|
|
||||||
// Scan via trivy
|
// Scan via trivy
|
||||||
stage('Scan') {
|
stage('Scan') {
|
||||||
|
environment {
|
||||||
|
TRIVY_FORMAT = "template"
|
||||||
|
TRIVY_OUTPUT = "reports/trivy.html"
|
||||||
|
}
|
||||||
steps {
|
steps {
|
||||||
// we always scan and create the full json report
|
sh 'mkdir -p reports && make scan'
|
||||||
sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'
|
|
||||||
|
|
||||||
// render custom full html report
|
|
||||||
sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'
|
|
||||||
|
|
||||||
publishHTML target: [
|
publishHTML target: [
|
||||||
allowMissing: true,
|
allowMissing: true,
|
||||||
alwaysLinkToLastBuild: true,
|
alwaysLinkToLastBuild: true,
|
||||||
|
@ -56,12 +50,13 @@ def call(Map config=[:]) {
|
||||||
reportName: 'TrivyScan',
|
reportName: 'TrivyScan',
|
||||||
reportTitles: 'TrivyScan'
|
reportTitles: 'TrivyScan'
|
||||||
]
|
]
|
||||||
sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'
|
|
||||||
|
|
||||||
// fail build if issues found above trivy threshold
|
// Scan again and fail on CRITICAL vulns, if not overridden
|
||||||
script {
|
script {
|
||||||
if ( config.trivyFail ) {
|
if (config.trivyFail == 'NONE') {
|
||||||
sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json"
|
echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
|
||||||
|
} else {
|
||||||
|
sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
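Review bot: In the last hunk, `config.trivyFail` is interpolated directly into the shell command `sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"`, so any pipeline calling this shared-library step controls part of a shell command line; the `trivy convert` line on the other side has the same shape, so this is not new, but the rewrite is the place to fix it. Pass the value through the environment and keep the shell string single-quoted, `withEnv(["TRIVY_SEVERITY=${config.trivyFail}"]) { sh 'TRIVY_EXIT_CODE=1 make scan' }`, and check it against Trivy's severity names first, because the `else` branch also runs when `trivyFail` is unset and then produces an empty `TRIVY_SEVERITY=` whose effect is not visible here. If the `script` block is still inside the `Scan` stage's `steps` (the hunk suggests so), the gating `make scan` inherits the stage's `TRIVY_FORMAT = "template"` and `TRIVY_OUTPUT = "reports/trivy.html"` and overwrites the report published just above it; a comment stating that the second run is deliberate, or a `withEnv` override of those two variables for the gate, would settle that. `call()` starts and ends outside the hunks shown.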
15
Dockerfile
15
Dockerfile
|
@ -1,16 +1,21 @@
|
||||||
FROM golang:1.20-alpine as builder
|
FROM golang:1.19-alpine3.17 as builder
|
||||||
|
|
||||||
|
RUN apk add --no-cache git make gcc libc-dev
|
||||||
|
|
||||||
|
WORKDIR /github.com/vadv/prometheus-exporter-merger
|
||||||
|
COPY go.mod .
|
||||||
|
COPY go.sum .
|
||||||
|
RUN go mod download
|
||||||
|
|
||||||
WORKDIR /prometheus-exporter-merger
|
|
||||||
COPY . .
|
COPY . .
|
||||||
|
RUN go build --ldflags "-s -w -linkmode external -extldflags -static" --tags netcgo -o /prometheus-exporter-merger
|
||||||
RUN CGO_ENABLED=0 go build -ldflags "-s -w" .
|
|
||||||
|
|
||||||
FROM scratch
|
FROM scratch
|
||||||
USER nobody
|
USER nobody
|
||||||
|
|
||||||
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
|
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
|
||||||
COPY --from=builder /etc/passwd /etc/passwd
|
COPY --from=builder /etc/passwd /etc/passwd
|
||||||
COPY --from=builder /prometheus-exporter-merger/prometheus-exporter-merger /prometheus-exporter-merger
|
COPY --from=builder /prometheus-exporter-merger /prometheus-exporter-merger
|
||||||
|
|
||||||
EXPOSE 8080
|
EXPOSE 8080
|
||||||
CMD ["/prometheus-exporter-merger", "--config", "/config/prometheus-exporter-merger.yaml"]
|
CMD ["/prometheus-exporter-merger", "--config", "/config/prometheus-exporter-merger.yaml"]
|
||||||
|
|
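Review bot: `COPY --from=builder /etc/passwd /etc/passwd` carries every account from the golang builder image into the scratch runtime, when all the final image needs is the `nobody` entry for `USER nobody`; write a one-line file in the builder, `RUN grep '^nobody:' /etc/passwd > /tmp/passwd`, and `COPY --from=builder /tmp/passwd /etc/passwd` instead. The side that builds with `-linkmode external -extldflags -static --tags netcgo` links musl statically into the binary, so the Trivy `make scan` in this same compare is unlikely to attribute libc findings to a scratch image with no package database; the `CGO_ENABLED=0 go build -ldflags "-s -w"` form on the other side avoids that, and if cgo is genuinely required a comment saying why belongs above the `RUN go build` line. Pinning `FROM golang:...` by tag alone leaves the builder mutable between runs; a `@sha256:<digest-from-registry>` suffix (placeholder) makes the build reproducible. Which side is the proposed one is inferred from print order, since the page shows no +/- markers.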
4
go.mod
4
go.mod
|
@ -3,9 +3,9 @@ module github.com/vadv/prometheus-exporter-merger
|
||||||
go 1.14
|
go 1.14
|
||||||
|
|
||||||
require (
|
require (
|
||||||
github.com/pkg/errors v0.8.1
|
github.com/pkg/errors v0.9.1
|
||||||
github.com/prometheus/client_model v0.2.0
|
github.com/prometheus/client_model v0.2.0
|
||||||
github.com/prometheus/common v0.10.0
|
github.com/prometheus/common v0.10.0
|
||||||
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4
|
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4
|
||||||
gopkg.in/yaml.v2 v2.4.0
|
gopkg.in/yaml.v2 v2.2.4
|
||||||
)
|
)
|
||||||
|
|
4
go.sum
4
go.sum
|
@ -28,6 +28,8 @@ github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRW
|
||||||
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||||
github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
|
github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
|
||||||
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||||
|
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
|
||||||
|
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||||
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
|
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
|
||||||
github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
|
github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
|
||||||
|
@ -63,5 +65,3 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
|
||||||
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
|
gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
|
||||||
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
|
|
||||||
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
|
|
||||||
|
|