Skip to content

Commit

Permalink
Replace scanAndReport with runSecurityScans
Browse files Browse the repository at this point in the history
  • Loading branch information
@imheresamir
imheresamir committed Jan 10, 2025
1 parent 00e82d3 commit 1b0bb6e
Showing 1 changed file with 39 additions and 18 deletions.
57 changes: 39 additions & 18 deletions Jenkinsfile
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
#!/usr/bin/env groovy
@Library("product-pipelines-shared-library") _

def productName = 'Conjur CLI'
def productTypeName = 'Conjur Enterprise'

// Automated release, promotion and dependencies
properties([
// Include the automated release parameters for the build
Expand All @@ -19,6 +22,17 @@ if (params.MODE == "PROMOTE") {
// Any publishing of targetVersion artifacts occur here
// Anything added to assetDirectory will be attached to the Github Release

env.INFRAPOOL_PRODUCT_NAME = "${productName}"
env.INFRAPOOL_DD_PRODUCT_TYPE_NAME = "${productTypeName}"

// Scan the image before promoting
runSecurityScans(infrapool,
image: "registry.tld/conjur-cli:${sourceVersion}",
buildMode: params.MODE,
branch: env.BRANCH_NAME,
arch: 'linux/amd64'
)

// Promote source version to target version.

// NOTE: the use of --pull to ensure source images are pulled from internal registry
Expand Down Expand Up @@ -86,7 +100,7 @@ pipeline {
stage('Validate') {
parallel {
stage('Changelog') {
steps {
steps {
script {
parseChangelog(INFRAPOOL_EXECUTORV2_AGENT_0)
}
Expand Down Expand Up @@ -177,17 +191,30 @@ pipeline {
}
}

// Publish container images to internal registry. Need to push before we do security scans
// since the Snyk scans pull from artifactory on a seprate executor node
stage('Push images to internal registry') {
steps {
script {
INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './bin/publish_container_images --internal'
}
}
}

stage('Integration test while scanning') {
environment {
INFRAPOOL_REGISTRY_URL = "${REGISTRY_URL}"
// Values to direct scan results to the right place in DefectDojo
INFRAPOOL_PRODUCT_NAME = "${productName}"
INFRAPOOL_DD_PRODUCT_TYPE_NAME = "${productTypeName}"
}
parallel {
stage('Run integration tests') {
environment {
INFRAPOOL_REGISTRY_URL = "${REGISTRY_URL}"
}
steps {
withCredentials([
conjurSecretCredential(credentialsId: "RnD-Global-Conjur-Ent-Conjur_Operating_System-WindowsDomainAccountDailyRotation-cyberng.com-svc_cnjr_enterprise_username", variable: 'INFRAPOOL_IDENTITY_USERNAME'),
conjurSecretCredential(credentialsId: "RnD-Global-Conjur-Ent-Conjur_Operating_System-WindowsDomainAccountDailyRotation-cyberng.com-svc_cnjr_enterprise_password", variable: 'INFRAPOOL_IDENTITY_PASSWORD')
])
])
{
script {
INFRAPOOL_EXECUTORV2_AGENT_0.agentDir('ci') {
Expand All @@ -202,18 +229,15 @@ pipeline {
}
}

stage("Scan container images for fixable issues") {
stage("Scan main Docker image") {
steps {
script {
scanAndReport(INFRAPOOL_EXECUTORV2_AGENT_0, "${containerImageWithTag()}", "HIGH", false)
}
}
}

stage("Scan container images for total issues") {
steps {
script {
scanAndReport(INFRAPOOL_EXECUTORV2_AGENT_0, "${containerImageWithTag()}", "NONE", true)
runSecurityScans(INFRAPOOL_EXECUTORV2_AGENT_0,
image: "registry.tld/${containerImageWithTag()}",
buildMode: params.MODE,
branch: env.BRANCH_NAME,
arch: 'linux/amd64'
)
}
}
}
Expand All @@ -239,9 +263,6 @@ pipeline {
INFRAPOOL_EXECUTORV2_AGENT_0.agentSh """export PATH="${toolsDirectory}/bin:${PATH}" && go-bom --tools "${toolsDirectory}" --go-mod ./go.mod --image "golang" --main "cmd/conjur/" --output "${billOfMaterialsDirectory}/go-app-bom.json" """
// Create Go module SBOM
INFRAPOOL_EXECUTORV2_AGENT_0.agentSh """export PATH="${toolsDirectory}/bin:${PATH}" && go-bom --tools "${toolsDirectory}" --go-mod ./go.mod --image "golang" --output "${billOfMaterialsDirectory}/go-mod-bom.json" """

// Publish container images to internal registry
INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './bin/publish_container_images --internal'
}
}
}
Expand Down

0 comments on commit 1b0bb6e

Please sign in to comment.