Hof 405 #61

Open
wants to merge 9 commits into
base: master
55 changes: 35 additions & 20 deletions .drone.yml
@@ -3,17 +3,17 @@ name: default
type: kubernetes
steps:
- name: install
image: node:14
image: node:18
commands:
- npm ci

- name: test
image: node:14
image: node:18
commands:
- npm test

- name: audit
image: node:14
image: node:18
commands:
- npm audit --audit-level=high --production
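Review bot: the three `image: node:14` → `image: node:18` bumps keep a floating major tag, so the `install`, `test` and `audit` steps can silently move to a different Node/npm release between builds; if reproducible builds matter, pin to an exact minor/patch tag or a digest (`image: node:18.<minor>` or `node@sha256:<digest>`, placeholders here). Also worth checking: the unchanged `npm audit --audit-level=high --production` line uses a flag that npm 8 (bundled with Node 18) documents as deprecated in favour of `--omit=dev`, so this is a good moment to switch it while the image is being moved.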

@@ -24,31 +24,46 @@ steps:
- n=0; while [ "$n" -lt 60 ] && [ ! docker stats --no-stream ]; do n=$(( n + 1 )); sleep 1; done
- docker build -t html-pdf-converter .

- name: scan-image


The Trivy scan step should run after the Docker push to Quay.
Also, the image name has to be set to quay.io/ukhomeofficedigital/html-pdf-converter:$${DRONE_TAG}.
Please follow the ETA .drone.yml.
We need these added:
SEVERITY: MEDIUM,HIGH,CRITICAL
FAIL_ON_DETECTION: false
IGNORE_UNFIXED: true
and
ALLOW_CVE_LIST_FILE: trivy-cve-exceptions.txt
Also, please check the conditions under which Drone executes the pipeline.

image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/anchore-submission:latest
pull: always
environment:
IMAGE_NAME: html-pdf-converter
WHITELIST_FILE: cve-exceptions.txt

- name: docker push
- name: image_to_quay
pull: if-not-exists
image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/dind
environment:
DOCKER_PASSWORD:
from_secret: docker_password
from_secret: DOCKER_PASSWORD
commands:
- docker login -u="ukhomeofficedigital+html_pdf_converter" -p=$${DOCKER_PASSWORD} quay.io
- docker tag html-pdf-converter quay.io/ukhomeofficedigital/html-pdf-converter:$${DRONE_TAG}
- docker push quay.io/ukhomeofficedigital/html-pdf-converter:$${DRONE_TAG}
when:
event: tag
branch: master
event: [push, pull_request]

- name: scan-image
pull: Always
image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest
resources:
limits:
cpu: 1000
memory: 1024Mi
environment:
IMAGE_NAME: quay.io/ukhomeofficedigital/html-pdf-converter:$${DRONE_TAG}
TOLERATE: MEDIUM,HIGH,CRITICAL
FAIL_ON_DETECTION: false
IGNORE_UNFIXED: true
ALLOW_CVE_LIST_FILE: trivy-cve-exceptions.txt
when:
event:
- pull_request
- push
- tag

services:
- name: docker
image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/dind
- name: anchore-submission-server
image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/anchore-submission:latest
pull: always
commands:
- /run.sh server
- name: docker
image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/dind
resources:
limits:
cpu: 1000
memory: 1024Mi
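Review bot: the `image_to_quay` step's `when` changes from `event: tag` / `branch: master` to `event: [push, pull_request]`, but its commands still tag and push `html-pdf-converter:$${DRONE_TAG}`; `DRONE_TAG` is only populated on tag events, so push and pull_request builds will try to push an image with an empty tag, while the one event that does set it (`tag`) no longer triggers the push at all, even though `scan-image` still lists `tag` in its own `when` and expects that exact image to exist in Quay. Dropping the `branch: master` guard also means `docker login` with the `DOCKER_PASSWORD` secret now runs on pull_request builds, which will either fail to resolve the secret (Drone withholds secrets from pull requests unless explicitly allowed) or, if allowed, hand the registry credential to unreviewed PR code. Suggest keeping `event: tag` plus `branch: master` on the push step, or deriving a non-tag image tag from `$${DRONE_COMMIT_SHA}` for push builds, and making the two `when` blocks agree. Smaller points: `pull: Always` on `scan-image` differs from the lowercase `always` / `if-not-exists` used by every other step; with the scan placed after the push and configured with `FAIL_ON_DETECTION: false` and `IGNORE_UNFIXED: true`, a finding can never block an image that has already been published, so confirm that is the intended policy; and the variable set here is `TOLERATE: MEDIUM,HIGH,CRITICAL` whereas the review comment above asks for `SEVERITY: MEDIUM,HIGH,CRITICAL`, so one of the two should be checked against the referenced ETA `.drone.yml`. Pre-existing rather than introduced here: the wait loop `while [ "$n" -lt 60 ] && [ ! docker stats --no-stream ]` never runs `docker stats`; `[` receives four arguments and exits non-zero, so the loop ends on its first iteration and the build step does not actually wait for the dind service.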

76 changes: 0 additions & 76 deletions cve-exceptions.txt

This file was deleted.

1 change: 1 addition & 0 deletions trivy-cve-exceptions.txt
@@ -0,0 +1 @@