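# Azure Pipelines definition: build the workbench image, scan it with Trivy,
# publish the findings as JUnit test results, then gate the run on CRITICAL
# findings. Structure restored to 2-space block indentation.
trigger:
  paths:
    # Spelling matches the Dockerfile path used in the build task below; it is
    # presumably the real directory name in the repo -- verify before "fixing" it.
    include: ["12-container-trivy-sacnning"]
resources:
  - repo: self
variables:
  tag: "ubuntu_az_terraform.$(Build.BuildNumber)"
  imageName: "nikosts/workbench"
stages:
  - stage: Build
    displayName: Build image
    jobs:
      - job: Build
        displayName: Build
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: Docker@2
            displayName: Build an image
            inputs:
              command: "build"
              Dockerfile: "$(Build.SourcesDirectory)/12-container-trivy-sacnning/dockerfile"
              tags: "$(tag)"
              # No `repository` input is given, so the image name the scans look
              # for comes from this explicit -t argument.
              arguments: "-t $(imageName):$(tag)"
          # Report-only scans (--exit-code 0): findings never fail this step. Two
          # runs produce two JUnit files (LOW/MEDIUM/HIGH and CRITICAL) that are
          # published by the next task, before the blocking scan below runs.
          # Security notes on how Trivy is invoked:
          #  * the scanner container mounts the agent's Docker socket so it can read
          #    the locally built image; that mount gives the container full control
          #    of the host daemon, so the scanner image itself must be trusted.
          #  * aquasec/trivy is unpinned (implicit :latest). Pinning to a version
          #    and digest (placeholder: aquasec/trivy:<version>@sha256:<digest>)
          #    keeps scan behaviour and the @contrib template path reproducible.
          #  * --ignore-unfixed drops findings that have no available fix.
          #  * $HOME/Library/Caches is a macOS location; on ubuntu-latest it is just
          #    an empty directory, and hosted agents are ephemeral, so the Trivy DB
          #    cache does not persist between runs -- TODO confirm this is intended.
          #  * "$(pwd)" is left for the shell as long as no pipeline variable named
          #    `pwd` exists (unmatched $(...) macros are passed through) -- verify.
          #  * -o src/... and @contrib/junit.tpl are relative paths resolved from
          #    the container's working directory; the report lands in the mounted
          #    /src (the agent workspace) only if that directory is / -- verify.
          - task: CmdLine@2
            displayName: Scan for reports
            inputs:
              script: |
                docker run --rm \
                  -v /var/run/docker.sock:/var/run/docker.sock \
                  -v $HOME/Library/Caches:/root/.cache/ \
                  -v "$(pwd):/src" \
                  aquasec/trivy \
                  --exit-code 0 \
                  --severity LOW,MEDIUM,HIGH \
                  --format template --template "@contrib/junit.tpl" \
                  -o src/junit-report-low-med-high.xml \
                  --ignore-unfixed \
                  '$(imageName):$(tag)'
                docker run --rm \
                  -v /var/run/docker.sock:/var/run/docker.sock \
                  -v $HOME/Library/Caches:/root/.cache/ \
                  -v "$(pwd):/src" \
                  aquasec/trivy \
                  --exit-code 0 \
                  --severity CRITICAL \
                  --format template --template "@contrib/junit.tpl" \
                  -o src/junit-report-crit.xml \
                  --ignore-unfixed \
                  '$(imageName):$(tag)'
          # Publishes both reports so they are visible in the run even when the
          # blocking scan below fails the job.
          - task: PublishTestResults@2
            displayName: Publish Test Results
            inputs:
              testResultsFormat: "JUnit"  # Options: JUnit, NUnit, VSTest, xUnit, cTest
              testResultsFiles: "**/junit-report-*.xml"
          # Blocking scan: --exit-code 1 makes the step (and the job) fail when a
          # finding of the listed severity is present.
          # --severity CRITICAL -> fail only on critical, --severity CRITICAL,HIGH -> fail only on critical and high,
          # Because --ignore-unfixed is kept here too, a CRITICAL finding with no
          # available fix does NOT fail the build -- a deliberate trade-off to keep
          # in mind when reading a green result.
          - task: CmdLine@2
            displayName: Scan for errors
            inputs:
              script: |
                docker run --rm \
                  -v /var/run/docker.sock:/var/run/docker.sock \
                  -v $HOME/Library/Caches:/root/.cache/ \
                  -v "$(pwd):/src" \
                  aquasec/trivy \
                  --exit-code 1 \
                  --severity CRITICAL \
                  --ignore-unfixed \
                  '$(imageName):$(tag)'
          # Registry login runs only if the gate above passed. With the push task
          # below commented out, this step currently has no effect beyond the login
          # itself; re-enable the push (or drop the login) when the image is meant
          # to leave the agent.
          - task: Docker@2
            inputs:
              containerRegistry: "DockerHub-WinOpsDBA-nikosts"
              command: "login"
          # - task: Docker@2
          #   inputs:
          #     containerRegistry: 'DockerHub-WinOpsDBA-nikosts'
          #     repository: '$(imageName)'
          #     command: 'push'
          #     tags: '$(tag)'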