#!/bin/bash
# v2: Updated to use quay.io/sysdig/secure-inline-scan:2
# This is an example pipeline execution as a Bash script of how to
# execute an inline scan with Sysdig without requiring privileges.
# The image is locally built, scanned without uploading its contents
# to Sysdig backend, and if it passes the Scan policies, then it's
# pushed to the registry. If it doesn't, nothing is pushed.
# It employs Kaniko for build and Skopeo to push without requiring
# privileged containers, root user or access to Docker socket.
# You can adapt this script's steps to the environment or CI/CD engine
# based on containers of your choice.
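set -euf
# Directory that holds one credential per file (DOCKER_USER, DOCKER_PASS,
# SYSDIG_SECURE_API_TOKEN). Defaults to the current directory.
# The original spelled this `${$KEYS:-"./"}`, which bash rejects as a
# "bad substitution" and, under set -e, aborts the script before any step runs.
KEYS=${KEYS:-"./"}
# Read secrets from files rather than taking them from argv, so they do not
# show up in the invocation of this script. Quoting keeps a KEYS path with
# spaces intact; a missing or unreadable file fails the assignment (set -e).
DOCKER_USER=$(< "$KEYS/DOCKER_USER")
DOCKER_PASS=$(< "$KEYS/DOCKER_PASS")
SYSDIG_SECURE_API_TOKEN=$(< "$KEYS/SYSDIG_SECURE_API_TOKEN")
# Image to build/scan/push and where its sources come from.
IMAGE=docker.io/vicenteherrera/leeroy-web-my
REPO=https://github.com/GoogleContainerTools/skaffold
# Dockerfile and build context, relative to the cloned repository root.
DOCKERFILE=examples/microservices/leeroy-web/Dockerfile
CONTEXT=examples/microservices/leeroy-web/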
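#######################################
# Fetch a fresh copy of the source repository into ./repo.
# Globals:   REPO (read)
# Outputs:   progress banner on stdout
# Returns:   non-zero if git clone fails (aborts the script under set -e)
#######################################
clone() {
  echo
  echo "> Clone"
  # Start from a clean tree so a stale ./repo cannot feed the build.
  rm -rf -- repo
  git clone "$REPO" repo
}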
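#######################################
# Build the image with Kaniko from the cloned tree, without pushing.
# The result is written as an OCI layout (./oci) and a tarball
# (./image.tar) under the mounted workspace, so the scan step can
# inspect it locally before anything leaves this host.
# Globals:   PWD, DOCKERFILE, CONTEXT, IMAGE (read)
# Outputs:   progress banner on stdout
# Returns:   non-zero if the build fails (aborts the script under set -e)
#######################################
build() {
  echo
  echo "> Build"
  # NOTE(review): executor:latest is an unpinned tag; pinning a version or
  # digest makes the build reproducible and auditable.
  local -a kaniko_args=(
    --dockerfile="/workspace/repo/$DOCKERFILE"
    --context="/workspace/repo/$CONTEXT"
    --destination="$IMAGE"
    --no-push
    --oci-layout-path=/workspace/oci
    --tarPath=/workspace/image.tar
  )
  docker run -v "$PWD:/workspace" \
    gcr.io/kaniko-project/executor:latest \
    "${kaniko_args[@]}"
}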
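#######################################
# Run the Sysdig inline scan against the local OCI layout produced by
# build(), so the image contents are not uploaded to the backend.
# A policy failure exits non-zero, which under set -e stops the script
# before push() runs -- this is the gate that keeps failing images out
# of the registry.
# Globals:   PWD, SYSDIG_SECURE_API_TOKEN, IMAGE (read)
# Outputs:   progress banner on stdout, scanner output
# Returns:   scanner exit status
#######################################
scan() {
  echo
  echo "> Scan"
  # NOTE(review): the API token is passed on the container's command line,
  # so it is readable in process listings on the host while the scan runs.
  # Check whether this scanner version accepts the token from the
  # environment or a mounted file instead.
  docker run -v "$PWD:/workspace" quay.io/sysdig/secure-inline-scan:2 \
    -s https://secure.sysdig.com \
    --storage-type oci-dir \
    --storage-path /workspace/oci \
    -k "$SYSDIG_SECURE_API_TOKEN" \
    "$IMAGE"
}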
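#######################################
# Push the scanned OCI layout to the registry with Skopeo.
# Only reached when scan() succeeded (set -e); no Docker daemon or
# socket is needed because Skopeo copies straight from the layout.
# Globals:   PWD, DOCKER_USER, DOCKER_PASS, IMAGE (read)
# Outputs:   progress banner on stdout, skopeo output
# Returns:   skopeo exit status
#######################################
push() {
  echo
  echo "> Push"
  # NOTE(review): --dest-creds places the registry password on the command
  # line, visible in `ps` on the host; the --dest-authfile alternative noted
  # below avoids that.
  # NOTE(review): --insecure-policy disables skopeo's signature policy
  # checks; keep it only if no policy.json is available in the container.
  # NOTE(review): --dest-creds is an option of the `copy` subcommand in
  # current skopeo; verify that this image accepts it before `copy`.
  docker run \
    -v "$PWD:/workspace" \
    quay.io/skopeo/stable \
    --dest-creds "$DOCKER_USER:$DOCKER_PASS" \
    --insecure-policy \
    copy \
    oci:/workspace/oci/ \
    "docker://$IMAGE"
  # alternative: --dest-authfile /home/.docker/config.json
}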
# PIPELINE
# Steps run in this order; under `set -e` a failing step (notably a scan
# that does not pass policy) stops the script before anything is pushed.
for step in clone build scan push; do
  "$step"
done