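// Jenkins declarative pipeline: builds every edgebuilder-* image from dockerfiles/,
// then (master only) hands the same image list to the static scanners and a virus scan.
pipeline {
    agent { label 'rbhe' }
    stages {
        stage('Build') {
            environment {
                // Only the names are given, so `--build-arg http_proxy` takes the value from the
                // agent's environment at build time. Add --no-cache for a clean build.
                DOCKER_BUILD_ARGS = '--build-arg http_proxy --build-arg https_proxy'
            }
            steps {
                // This really should be pulled out into a script in the source code repo
                // like ./ci-build.sh or something similar.
                // Single-quoted Groovy string: ${DOCKER_BUILD_ARGS} is expanded by the shell, not
                // by Groovy, and is left unquoted on purpose so it splits into several arguments.
                sh '''
                    # The core and certbot builds stage files into scratch directories below.
                    # Remove them on any exit, not just on success, so a failed `docker build`
                    # does not leave stale copies behind in the reused workspace for the next run.
                    trap 'rm -rf dockerfiles/core/files dockerfiles/certbot/scripts' EXIT
                    docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-aws-cli dockerfiles/aws-cli
                    docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-wget dockerfiles/wget
                    docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-git dockerfiles/git
                    docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-dnsmasq dockerfiles/dnsmasq
                    docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-squid dockerfiles/squid
                    docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-web dockerfiles/nginx
                    docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-gitea dockerfiles/gitea
                    docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-qemu dockerfiles/qemu
                    docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-smb dockerfiles/smb
                    # just need to trick the core builder. This image will not run, just needs to be built to be scanned by Snyk
                    # (assumes the repo root contains at least one *.sh file, otherwise cp fails and the step aborts)
                    for dir in conf data dockerfiles/core scripts template; do mkdir -p dockerfiles/core/files/${dir}; done
                    cp ./*.sh dockerfiles/core/files/
                    cp ./dockerfiles/core/init.sh dockerfiles/core/files/dockerfiles/core/init.sh
                    docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-core dockerfiles/core
                    rm -rf dockerfiles/core/files
                    # just need to trick the certbot builder. This image will not run, just needs to be built to be scanned by Snyk
                    mkdir -p dockerfiles/certbot/scripts
                    docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-certbot dockerfiles/certbot
                    rm -rf dockerfiles/certbot/scripts
                    # Lists what was built; grep exits non-zero (and fails the step) if nothing matched.
                    docker images | grep "edgebuilder"
                '''
            }
        }
        stage('Static Code Scan') {
            // Scanning is restricted to master.
            // NOTE(review): on some job types GIT_BRANCH carries the remote prefix
            // (e.g. 'origin/master'); confirm this comparison is true for this job, otherwise
            // the scan stages are skipped without any failure.
            when {
                expression { env.GIT_BRANCH == 'master' }
            }
            stages {
                stage('Prep Snyk Env') {
                    steps {
                        script {
                            // image tag -> Dockerfile that produced it. Must stay in step with the
                            // `docker build -t` lines in the Build stage (nothing enforces that).
                            def _files = [
                                'edgebuilder-aws-cli': 'dockerfiles/aws-cli/Dockerfile',
                                'edgebuilder-wget': 'dockerfiles/wget/Dockerfile',
                                'edgebuilder-git': 'dockerfiles/git/Dockerfile',
                                'edgebuilder-dnsmasq': 'dockerfiles/dnsmasq/Dockerfile',
                                'edgebuilder-squid': 'dockerfiles/squid/Dockerfile',
                                'edgebuilder-web': 'dockerfiles/nginx/Dockerfile',
                                'edgebuilder-gitea': 'dockerfiles/gitea/Dockerfile',
                                'edgebuilder-qemu': 'dockerfiles/qemu/Dockerfile',
                                'edgebuilder-smb': 'dockerfiles/smb/Dockerfile',
                                'edgebuilder-core': 'dockerfiles/core/Dockerfile',
                                'edgebuilder-certbot': 'dockerfiles/certbot/Dockerfile',
                            ]
                            // Three comma-separated lists consumed by the scan step; they are
                            // index-aligned because all three are derived from the same map.
                            env.SNYK_MANIFEST_FILE = _files.collect { k,v -> v }.join(',')
                            env.SNYK_PROJECT_NAME = _files.collect { k,v -> "${k}-docker" }.join(',')
                            env.SNYK_DOCKER_IMAGE = _files.collect { k,v -> k }.join(',')
                            env.SNYK_ALLOW_LONG_PROJECT_NAME = 'true'
                            // Severity at which the scan step fails the build; the accepted
                            // values are defined by rbheStaticCodeScan, not visible here.
                            env.SNYK_SEVERITY_THRESHOLD_CVE = 'high'
                        }
                    }
                }
                stage('Scan') {
                    environment {
                        // Scanners run by the shared-library step below.
                        SCANNERS = 'protex,snyk'
                        PROJECT_NAME = 'NEX – Container First Architecture'
                    }
                    steps {
                        // Shared-library step; reads the SNYK_* and SCANNERS variables set above.
                        rbheStaticCodeScan()
                    }
                }
                stage('Virus Scan') {
                    steps {
                        script {
                            // Shared-library step; scans the whole workspace.
                            virusScan {
                                dir = '.'
                            }
                        }
                    }
                }
            }
        }
    }
}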