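// Declarative Jenkins pipeline: build the artifact, scan the repository for
// committed secrets, run SAST (SonarQube) and SCA (Dependency-Check), scan the
// image and the cluster, publish the image and deploy it to the DEV cluster.
pipeline {
    agent any

    environment {
        // Both names resolve to the same commit-tagged image; both are kept
        // because the Docker and Kubernetes stages each reference one of them.
        imageName       = "dsocouncil/node-service:${env.GIT_COMMIT}"
        dockerImageName = "dsocouncil/node-service:${env.GIT_COMMIT}"
        githubRepoURL   = 'https://github.com/shrivastavashish/devsecops-main-repo.git'
        sonarProjectKey = 'devsecops'
        // Plain HTTP: anything sent to this host (including the analysis token)
        // travels in cleartext. Prefer an https:// endpoint.
        sonarHostUrl    = 'http://54.89.224.127:9000/'
        // NOTE: a SonarQube token used to be hard-coded in this block. Tokens
        // belong in the Jenkins credential store and are injected by
        // withSonarQubeEnv() (see the SonarQube stage); the value previously
        // committed here must be revoked on the SonarQube server.
    }

    stages {
        stage('Build Artifact') {
            steps {
                // Unit tests are skipped at build time; the scan stages below
                // are the quality gates of this pipeline.
                sh 'mvn clean package -DskipTests=true'
                archiveArtifacts artifacts: 'target/*.jar', onlyIfSuccessful: true
            }
        }

        stage('Check Git-Secrets') {
            steps {
                // Best-effort cleanup of a leftover from earlier runs.
                sh 'rm trufflehog || true'
                // PWD is escaped so the shell expands it to the workspace path;
                // an unescaped $PWD would be interpolated by Groovy instead.
                sh """
                    docker run --rm -v "\$PWD:/pwd" \
                        trufflesecurity/trufflehog:latest github --repo ${githubRepoURL} --json > trufflehog_report.json
                """
                // The JSON report holds the scanner's findings and is likely to
                // include the matched secret values; the destination directory
                // must stay access-restricted and the file must not be archived.
                sh 'sudo cp trufflehog_report.json /root/reports/trufflehog/'
            }
        }

        stage('Static Analysis - SonarQube') {
            steps {
                // withSonarQubeEnv() exports SONAR_AUTH_TOKEN (and SONAR_HOST_URL)
                // from the server configured in Jenkins, so the token never
                // appears in the repository. It is expanded by the shell, not
                // by Groovy, hence the escaped dollar sign.
                withSonarQubeEnv('devsecops') {
                    sh "mvn sonar:sonar -Dsonar.projectKey=${sonarProjectKey} -Dsonar.host.url=${sonarHostUrl} -Dsonar.login=\$SONAR_AUTH_TOKEN"
                }
                // A waitForQualityGate step is not present, so a failed quality
                // gate does not stop the pipeline.
            }
        }

        stage('SCA Scan - Dependency-Check') {
            steps {
                sh 'mvn dependency-check:check'
            }
            post {
                // Publish the report even when the check itself fails the build.
                always {
                    dependencyCheckPublisher pattern: 'target/dependency-check-report.xml'
                }
            }
        }

        stage('Trivy Scan') {
            steps {
                // Repository-provided script; its scan target is not visible here.
                sh 'bash trivy-scan.sh'
            }
        }

        stage('Docker Build and Push') {
            steps {
                // withDockerRegistry() provides registry credentials through a
                // temporary Docker config for the duration of the block.
                withDockerRegistry(credentialsId: 'dockerhub', url: 'https://index.docker.io/v1/') {
                    // sudo is used for the build only; running push under sudo
                    // would most likely lose the credential environment set up
                    // by withDockerRegistry (presumed from sudo's default env reset).
                    sh "sudo docker build -t ${dockerImageName} ."
                    sh "docker push ${dockerImageName}"
                }
            }
        }

        stage('Kubernetes - Vulnerability Scan') {
            steps {
                parallel(
                    'Kubesec Scan': {
                        sh 'bash kubesec-scan.sh'
                    },
                    'Trivy Scan': {
                        sh 'bash trivy-kuber-scan.sh'
                    }
                )
            }
        }

        stage('Kubernetes- CIS Benchmark') {
            steps {
                parallel(
                    'Master': {
                        sh 'bash cis-master.sh'
                    },
                    'Etcd': {
                        sh 'bash cis-etcd.sh'
                    },
                    'Kubelet': {
                        sh 'bash cis-kubelet.sh'
                    }
                )
            }
        }

        stage('Kubernetes Deployment - DEV') {
            steps {
                // The kubeconfig comes from the Jenkins credential store and is
                // only available inside this block.
                withKubeConfig([credentialsId: 'kubeconfig']) {
                    // Work on a copy so the tracked manifest is never modified;
                    // the literal placeholder 'replace' becomes the image tag.
                    sh 'cp k8s_deployment_service.yaml k8s_deployment_service_temp.yaml'
                    sh "sed -i 's#replace#${imageName}#g' k8s_deployment_service_temp.yaml"
                    sh 'kubectl apply -f k8s_deployment_service_temp.yaml'
                    sh 'rm k8s_deployment_service_temp.yaml'
                }
            }
        }
    }
}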