Add trivy scanning

cyberark · Jan 20, 2023 · 5bf7288 · 5bf7288
1 parent 0820604
commit 5bf7288
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 11 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -115,8 +115,10 @@ pipeline {
               // Go releaser requires a pristine checkout
               checkout scm
 
-              // Create release artifacts without releasing to Github
+              // Copy VERSION info into prisitine folder
               sh "cp ../VERSION ./VERSION"
+
+              // Create release artifacts without releasing to Github
               sh "./bin/build_release --skip-validate --rm-dist"
 
               // Build container images
@@ -130,17 +132,33 @@ pipeline {
       }
     }
 
-    stage('Run integration tests') {
-      steps {
-        dir('ci') {
-          script {
-            try{
-              sh 'summon -f ./okta/secrets.yml ./test_integration'
-            } finally {
-              archiveArtifacts 'cleanup.log'
+    stage('Integration test while scanning') {
+      parallel {
+        stage('Run integration tests') {
+          steps {
+            dir('ci') {
+              script {
+                try{
+                  sh 'summon -f ./okta/secrets.yml ./test_integration'
+                } finally {
+                  archiveArtifacts 'cleanup.log'
+                }
+              }
             }
           }
         }
+
+        stage("Scan container images for fixable issues") {
+          steps {
+            scanAndReport("${containerImageWithTag()}", "HIGH", false)
+          }
+        }
+
+        stage("Scan container images for total issues") {
+          steps {
+            scanAndReport("${containerImageWithTag()}", "NONE", true)
+          }
+        }
       }
     }
 
@@ -169,4 +187,11 @@ pipeline {
       }
     }
   }
-}
+}
+
+def containerImageWithTag() {
+  sh(
+    returnStdout: true,
+    script: 'source ./bin/build_utils && echo "conjur-cli:$(project_version_with_commit)"'
+  )
+}
diff --git a/bin/build_utils b/bin/build_utils
@@ -59,8 +59,10 @@ function project_version_with_commit() {
 # (note: the argument itself is not printed, append it explicitly if needed)
 function gen_versions() {
   local version="${1}"
+
+  # echo "${version%%.*}-latest"
   while [[ "${version}" = *.* ]]; do
-    version=${version%.*}
+    version="${version%.*}"
     echo "${version}"
   done
 }