-
Notifications
You must be signed in to change notification settings - Fork 2
/
copa.yaml
72 lines (69 loc) 路 2.77 KB
/
copa.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
name: copa_$(Date:yyyyMMdd)_$(Rev:r)
trigger: none
pr: none
parameters:
- name: image
displayName: Image To Patch
type: string
default: "docker.io/library/nginx:1.21.6"
variables:
trivy.version: "0.41.0"
copa.version: "0.2.0"
buildkit.version: "0.11.6"
buildkit.port: "8888"
stages:
- stage: patch
jobs:
- job: copa
steps:
- bash: |
set -e
# Install the trivy version specified in the variable
wget "https://github.com/aquasecurity/trivy/releases/download/v$(trivy.version)/trivy_$(trivy.version)_Linux-64bit.tar.gz"
sudo tar -C /usr/local/bin -zxvf trivy_$(trivy.version)_Linux-*.tar.gz trivy
sudo chmod +x /usr/local/bin/trivy
# Install the copacetic version specified in the variable
wget "https://github.com/project-copacetic/copacetic/releases/download/v$(copa.version)/copa_$(copa.version)_linux_amd64.tar.gz"
sudo tar -C /usr/local/bin -zxvf copa_$(copa.version)_*.tar.gz copa
sudo chmod +x /usr/local/bin/copa
displayName: Download and Install Trivy and Copa
- bash: |
set -e
# Start buildkit for use by copa
docker run \
--detach \
--rm \
--privileged \
-p 127.0.0.1:$(buildkit.port):$(buildkit.port)/tcp \
--name buildkitd \
--entrypoint buildkitd \
"moby/buildkit:v$(buildkit.version)" \
--addr tcp://0.0.0.0:$(buildkit.port)
displayName: Start buildkit
- bash: |
set -e
tag=${IMAGE#*:}
repo=${IMAGE%:*}
# scan the image with trivy and store the output as a json file named copa-patch.json
trivy image --vuln-type os --ignore-unfixed -f json -o copa-patch.json $IMAGE
# now use the scan result to patch the image, if needed
copa patch \
-i $IMAGE \
-r copa-patch.json \
-t $tag-patched \
-a tcp://0.0.0.0:$(buildkit.port)
# save the new patched image as a tar file that can be used later
docker save -o patched-image.tar $repo:$tag-patched
env:
IMAGE: ${{ parameters.image }}
displayName: Scan and Patch Image
- task: PublishPipelineArtifact@1
inputs:
targetPath: $(System.DefaultWorkingDirectory)/copa-patch.json
artifactName: scan_results
displayName: Upload Scan Results as a pipeline artifact
- task: PublishPipelineArtifact@1
inputs:
targetPath: $(System.DefaultWorkingDirectory)/patched-image.tar
artifactName: patched
displayName: Upload patched image as a pipeline artifact