azure-pipelines-checkov.yml

# Checkov
# Análisis de archivos Dockerfile
#

trigger: none # Disable CI triggers.
#- master

resources:
- repo: self

variables:
# a regular variable
- name: dockerfilePath
  value: '$(Build.SourcesDirectory)/Dockerfile'
- name: tag
  value: 'latest'
- name: vmImageName
  value: 'ubuntu-latest'
# a variable group
- group: Mis_Variables

stages:
  - stage: CodeSecurityScan
    displayName: Code Security Scan
    jobs:
      - job: Checkov
        displayName: Checkov
        pool:
          vmImage: $(vmImageName)
        steps:
        - task: Bash@3
          displayName: 'Install Checkov CLI'
          inputs:
            targetType: 'inline'
            script: |
              echo 'Install Checkov'
              pip3 install checkov
              mkdir checkov-report
        - task: Bash@3
          displayName: 'Checkov Dockerfile Analysis'
          inputs:
            targetType: 'inline'
            script: |
              checkov -d . --soft-fail --framework all --output junitxml > ./checkov-report/TEST-checkov-IaC-report.xml
#        - task: Bash@3
#          displayName: 'Checkov SCA Analysis'
#          inputs:
#            targetType: 'inline'
#            script: |
#              checkov -d . --soft-fail --framework sca_package --bc-api-key $(API) --output junitxml > ./checkov-report/TEST-checkov-SCA-report.xml
        - task: PublishTestResults@2
          displayName: 'Checkov Dockerfile Report'
          inputs:
            testResultsFormat: 'JUnit'
            testResultsFiles: '**/TEST-checkov-IaC-report.xml'
            searchFolder: '$(System.DefaultWorkingDirectory)/checkov-report'
            mergeTestResults: false
            testRunTitle: 'Checkov Dockerfile Report'
            failTaskOnFailedTests: false
            publishRunAttachments: true
#        - task: PublishTestResults@2
#          displayName: 'Checkov SCA Report'
#          inputs:
#            testResultsFormat: 'JUnit'
#            testResultsFiles: '**/TEST-checkov-SCA-report.xml'
#            searchFolder: '$(System.DefaultWorkingDirectory)/checkov-report'
#            mergeTestResults: false
#            testRunTitle: 'Checkov SCA Report'
#            failTaskOnFailedTests: false
#            publishRunAttachments: true