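#!groovy
// Jenkins declarative pipeline: builds the eShopOnWeb images, then runs four
// scanners against the result (Trivy, Grype, Snyk on the image; Hadolint on a
// Dockerfile). Only the Grype stage is configured to fail the build; the other
// scan stages are report-only as written.
pipeline {
    agent any
    options {
        // Likely here because every build shares one Docker daemon and one image
        // name (eshopwebmvc), which the post block removes — a concurrent build
        // could otherwise scan or delete the other build's image.
        disableConcurrentBuilds()
        buildDiscarder(logRotator(numToKeepStr: '5'))
    }
    stages {
        stage('Build Images') {
            steps {
                dir("sample_projects/eShopOnWeb") {
                    sh 'docker-compose build'
                }
            }
        }
        /*
        Trivy is Aqua Security's open source CLI image scanner. (https://github.com/aquasecurity/trivy)
        See trivy -h for commands and trivy <COMMAND> -h for options on commands.
        - To make trivy fail the build when it finds vulnerabilities, use option --exit-code=1
        - Use --severity to filter results. UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL
        - Combine --severity with --exit-code for granularity.
        - Use the --ignore-unfixed option to filter out vulnerabilities that have no fix version.
        - Use a .trivyignore file to filter out false positives.
        */
        stage('Trivy Scan') {
            steps {
                dir("sample_projects/eShopOnWeb") {
                    // Trivy from the command line. See Jenkins docker file for install.
                    // --severity is a list of levels to report, not a minimum: HIGH alone
                    // would silently drop CRITICAL findings, so both are listed. Without
                    // --exit-code this stage only reports and never fails the build.
                    sh 'trivy -q image --severity=HIGH,CRITICAL eshopwebmvc'
                    // Trivy can also be run from a docker image.
                    // sh 'docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/.cache:/root/.cache/ aquasec/trivy eshopwebmvc'
                }
            }
        }
        /*
        Grype is Anchore's CLI image scanner and part of its open source toolbox. (https://toolbox.anchore.io/)
        See grype -h for commands and grype <COMMAND> -h for options on commands.
        - They do not provide an official container image. See Jenkins docker file for install.
        - Use --fail-on to fail the build based on severity. negligible, low, medium, high, critical
        - Use --scope AllLayers to analyze all layers of the image.
        */
        stage('Grype Scan') {
            steps {
                dir("sample_projects/eShopOnWeb") {
                    // This is the only stage that gates the build on scan results
                    // (non-zero exit at critical or above).
                    sh 'grype eshopwebmvc:latest --quiet --fail-on critical --scope AllLayers'
                }
            }
        }
        /*
        Snyk can be used to scan container images.
        There is a free plan with a 200 tests per month limit. The free plan misses out on a lot of features but is good to get started.
        See snyk -h for commands and snyk <COMMAND> -h for options on commands.
        NOTE: It is possible that the free plan can start failing if misused.
        - Use --severity-threshold to filter vulnerabilities. low, medium, high
        - Use --file with the path of the Dockerfile for more detailed advice. Only supports official images presently.
        */
        stage('Snyk Scan') {
            steps {
                dir("sample_projects/eShopOnWeb") {
                    // NOTE(review): the Snyk CLI needs an authenticated account; how that
                    // credential reaches the agent is not shown in this file — confirm it is
                    // supplied via Jenkins credentials rather than baked into the agent.
                    // '|| true' keeps a failed or rate-limited Snyk run from failing the build.
                    sh 'snyk container test --project-name=eshopwebmvc --severity-threshold=high --file=src/Web/Dockerfile eshopwebmvc || true'
                }
            }
        }
        /*
        Hadolint checks Dockerfiles for best practice. It basically uses shellcheck rules for best practice.
        You can ignore rules/findings with a config file `hadolint.yaml`, when executing it from the CLI, or inline in the Dockerfile.
        - Use --no-fail if you don't want findings to fail the build.
        - Ignore irrelevant findings inline in the Dockerfile for best visibility.
        - Use `--format checkstyle > hadolint.xml` to publish in Jenkins.
        */
        stage('HadoLint') {
            steps {
                dir("sample_projects/eShopOnContainers") {
                    // This specifies a specific Dockerfile that we know had one issue.
                    sh 'hadolint --no-fail ./src/Web/WebSPA/Dockerfile'
                }
            }
        }
    }
    post {
        success {
            sh "echo Do something on success!"
        }
        unstable {
            sh "echo Do something on unstable!"
        }
        failure {
            sh "echo Do something on failure!"
        }
        always {
            // Clean up non committed files.
            sh "git clean -fdx"
            // '|| true' so a build that failed before the image was created still
            // reaches the dangling-image cleanup below instead of aborting here.
            sh "docker rmi eshopwebmvc || true"
            // Remove dangling (<none>) images left behind by rebuilds.
            sh """docker rmi -f \$(docker images | awk '/^<none>/ {print \$3}') || true"""
        }
    }
}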