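# More examples of Codefresh YAML can be found at
# https://codefresh.io/docs/docs/yaml-examples/examples/
version: "1.0"
### you will need these variables:
### ANCHORECTL_URL
### ANCHORECTL_USERNAME
### ANCHORECTL_PASSWORD
###
### keep them as encrypted Codefresh project/pipeline variables, not in
### this file; the anchorectl image reads them from the environment
###
### see anchorectl docs for more info
### https://docs.anchore.com/current/docs/using/anchorectl_usage/
### https://docs.anchore.com/current/docs/deployment/anchorectl/
###
### also if you want to break on policy violations, there is
### ANCHORE_FAIL_ON_POLICY=true
### (there is a commented-out line in the test stage where you can
### set this, or you could add it as a project variable)
###
### note: the policy gate is opt-in. unless ANCHORE_FAIL_ON_POLICY=true
### is set, the "test" stage always succeeds and the "promote" stage
### will rebuild and push the image even if the evaluation failed.
stages:
  - "build"
  - "test"
  - "promote"
steps:
  prep:
    title: "Prepare Environment"
    image: alpine:latest
    commands:
      # cf_export is codefresh-specific to export variables across steps
      - export ANCHORE_REGISTRY="docker.io"
      - export ANCHORE_REPO=${{CF_REPO_OWNER}}/${{CF_REPO_NAME}}
      - export ANCHORE_IMAGE_REPO=${ANCHORE_REGISTRY}/${ANCHORE_REPO}
      - export ANCHORE_TEST_TAG=cf-dev
      - export ANCHORE_PROD_TAG=cf-${{CF_BRANCH}}
      - cf_export ANCHORE_REGISTRY ANCHORE_REPO ANCHORE_IMAGE_REPO ANCHORE_TEST_TAG ANCHORE_PROD_TAG
    stage: "build"
  clone:
    title: "Cloning Repository"
    type: "git-clone"
    repo: "${{ANCHORE_REPO}}"
    revision: "${{CF_BRANCH}}"
    git: "github"
    stage: "build"
  build:
    title: "Building Docker Image"
    type: "build"
    ### disable caches to make sure we get a clean build
    no_cache: true
    no_cf_cache: true
    ### codefresh's build step is weird, it absolutely assumes you are using
    ### docker hub and adds "docker.io" to your image name even if you already
    ### included it, so I am using ANCHORE_REPO here
    ### instead of ANCHORE_IMAGE_REPO
    ### I kind of think it would make more sense to just use a freestyle
    ### step here and just issue a "docker build" and "docker push" etc
    image_name: "${{ANCHORE_REPO}}"
    working_directory: "${{clone}}"
    tag: "${{ANCHORE_TEST_TAG}}"
    dockerfile: "Dockerfile"
    stage: "build"
  test:
    title: "Scan with Anchore Enterprise"
    ### this anchore-plugin image is pretty old and has anchore-cli only
    #image: quay.io/codefreshplugins/anchore-plugin:latest
    ### ":main" is a mutable tag, so the scanner itself can change under you
    ### between runs; for a production pipeline pin it by digest, e.g.
    ### docker.io/pvnovarese/anchore-tools@sha256:<digest-placeholder>
    image: docker.io/pvnovarese/anchore-tools:main
    environment:
      - ANCHORE_IMAGE=${{ANCHORE_IMAGE_REPO}}:${{ANCHORE_TEST_TAG}}
      ### uncomment the following line if you want to break the pipeline for policy violation (or set it as a project variable, whatever)
      #- ANCHORE_FAIL_ON_POLICY=true
    commands:
      #- /entrypoint.sh ### only use this with the anchore-plugin image
      - anchorectl image add --force --dockerfile ${CF_REPO_NAME}/Dockerfile --no-auto-subscribe --wait --annotation build_tool=codefresh --annotation build_id=${{CF_SHORT_REVISION}} ${ANCHORE_IMAGE}
      ### we'll check the evaluation and get the callouts either way,
      ### only break the pipeline if ANCHORE_FAIL_ON_POLICY=true
      ### (single "=" keeps the test portable to POSIX sh; "==" is bash-only)
      - |
        if [ "$ANCHORE_FAIL_ON_POLICY" = "true" ] ; then
          anchorectl image check --detail --fail-based-on-results ${ANCHORE_IMAGE} ;
        else
          anchorectl image check --detail ${ANCHORE_IMAGE} ;
        fi
    stage: "test"
  promote:
    title: "Rebuild and Promote Docker Image"
    type: "build"
    # we want the cache from the first build since we're not changing anything
    no_cache: false
    no_cf_cache: false
    image_name: "${{ANCHORE_REPO}}"
    working_directory: "${{clone}}"
    tag: "${{ANCHORE_PROD_TAG}}"
    dockerfile: "Dockerfile"
    stage: "promote"
  queue:
    title: "Add Promoted Image to Anchore Queue"
    ### same mutable-tag caveat as the test step; pin by digest in production
    image: docker.io/pvnovarese/anchore-tools:main
    environment:
      - ANCHORE_IMAGE=${{ANCHORE_IMAGE_REPO}}:${{ANCHORE_PROD_TAG}}
    commands:
      ### don't need "--wait" this time unless you're going to subscribe to vuln/policy updates
      - anchorectl image add --force --dockerfile ${CF_REPO_NAME}/Dockerfile --no-auto-subscribe --annotation build_tool=codefresh --annotation build_id=${{CF_SHORT_REVISION}} ${ANCHORE_IMAGE}
      ### optional, if you want to activate subscriptions for this image
      ### make sure you add --wait to the "anchorectl image add" in this step
      ### if you want continuous updates if new vulns are found:
      #- anchorectl subscription activate ${ANCHORE_IMAGE} vuln_update
      ### if you want continuous updates if the policy evaluation changes:
      #- anchorectl subscription activate ${ANCHORE_IMAGE} policy_eval
    stage: "promote"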