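pipeline {
    environment {
        //
        // Initial variable setup
        //
        // you need a credential named 'docker-hub' with your DockerID/password to push images
        // we will create DOCKER_HUB_USR and DOCKER_HUB_PSW from the docker-hub credential
        CREDENTIAL = "docker-hub"
        DOCKER_HUB = credentials("$CREDENTIAL")
        //
        // now we'll set up our image name/tag
        //
        // BRANCH_NAME has to be assigned BEFORE TAG reads it: environment entries are
        // evaluated top to bottom, and the previous order left TAG without a branch.
        // With 'checkout scm' GIT_BRANCH normally looks like "origin/<branch>" (confirm for
        // your job type); strip the remote prefix and turn any remaining "/" into "-" so
        // "feature/x" and "feature/y" still yield distinct, valid image tags instead of
        // both collapsing to "feature".
        BRANCH_NAME = "${GIT_BRANCH.replaceFirst('^[^/]*/', '').replace('/', '-')}"
        REGISTRY = "docker.io"
        REPOSITORY = "${DOCKER_HUB_USR}/${JOB_BASE_NAME}"
        TAG = "${BRANCH_NAME}-anchorectl"
        IMAGE = "${REGISTRY}/${REPOSITORY}:${TAG}"
        //
        // and we need credentials for anchorectl
        // (anchorectl picks these three ANCHORECTL_* variables up from the environment)
        //
        ANCHORECTL_URL = credentials('Anchorectl_Url')
        ANCHORECTL_USERNAME = credentials('Anchorectl_Username')
        ANCHORECTL_PASSWORD = credentials('Anchorectl_Password')
        //
        // set this to "true" to fail the build (and therefore skip the Promote stage) when
        // the policy evaluation fails; "false" still runs the evaluation but only reports it
        //
        ANCHORE_FAIL_ON_POLICY = "false"
        //
        // anchorectl release tag to install, e.g. "vX.Y.Z" from the release notes. Empty
        // installs whatever the installer currently calls latest. Pinning is recommended:
        // the tool that gates your images should not change underneath you between builds,
        // and an unpinned curl|sh from the network is a supply-chain exposure in itself.
        //
        ANCHORECTL_VERSION = ""
        //
    } // end environment
    agent any
    stages {
        stage('Checkout SCM') {
            steps {
                checkout scm
            } // end steps
        } // end stage "checkout scm"
        stage('Verify Tools') {
            steps {
                // fail early with a clear message if the build node has no docker client
                sh '''
                    command -v docker
                    ###
                    ### could additionally check for anchorectl here if you didn't want to fresh
                    ### install it every time down below in the analyze stage
                '''
            } // end steps
        } // end stage "Verify Tools"
        stage('Build and Push Image') {
            steps {
                // Single-quoted Groovy string on purpose: the shell expands $DOCKER_HUB_PSW
                // etc. at runtime. With a double-quoted (interpolated) string Groovy would
                // splice the secret into the script text itself, which Jenkins warns about
                // (it bypasses masking and enables injection via credential values).
                sh '''
                    printf %s "$DOCKER_HUB_PSW" | docker login -u "$DOCKER_HUB_USR" --password-stdin "$REGISTRY"
                    docker build -t "$IMAGE" --pull -f ./Dockerfile .
                    docker push "$IMAGE"
                '''
            } // end steps
        } // end stage "build and push"
        stage('Analyze Image with anchorectl') {
            steps {
                // anchore plugin for jenkins: https://www.jenkins.io/doc/pipeline/steps/anchore-container-scanner/
                //
                // first, install anchorectl
                // (you could just install this into the jenkins build node at /usr/local/bin but for demo
                // purposes this is probably better since it ensures I always have the version I asked
                // for and I don't run this pipeline very frequently)
                //
                // $ANCHORECTL_VERSION is deliberately unquoted so an empty value passes no
                // extra argument (latest) while a set value is passed as the release tag.
                sh '''
                    curl -sSfL https://anchorectl-releases.anchore.io/anchorectl/install.sh | sh -s -- -b "$HOME/.local/bin" $ANCHORECTL_VERSION
                    ### you could also install grype and syft depending on what you need to do:
                    # curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b "$HOME/.local/bin"
                    # curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b "$HOME/.local/bin"
                    ### if you want to debug and check connectivity and anchorectl variables etc,
                    # "$HOME/.local/bin/anchorectl" system status
                '''
                //
                // now we queue the image for analysis and evaluate it.
                // --wait blocks until analysis completes; without it the check below would run
                // against an image that has not been analyzed yet. Drop --wait (and the checks)
                // if you only want to queue the image and look at results later.
                //
                // The policy gate used to be commented out, so ANCHORE_FAIL_ON_POLICY had no
                // effect and the image was promoted regardless of the evaluation. It is live
                // now: with "true", --fail-based-on-results makes this step fail and the
                // pipeline stops before 'Promote Image'.
                //
                // Note: the test uses a single "=" because Jenkins runs sh steps with /bin/sh,
                // which on many distributions is dash and does not accept "==".
                //
                sh '''
                    export PATH="$HOME/.local/bin:$PATH"
                    anchorectl image add --no-auto-subscribe --wait --dockerfile ./Dockerfile "$IMAGE"
                    #
                    ### the jenkins plugin would archive the vulnerability/evaluation output as
                    ### build artifacts; here they only go to the console log
                    anchorectl image vuln "$IMAGE"
                    if [ "$ANCHORE_FAIL_ON_POLICY" = "true" ] ; then
                        anchorectl image check --detail --fail-based-on-results "$IMAGE"
                    else
                        anchorectl image check --detail "$IMAGE"
                    fi
                '''
                //
                // if you want continuous re-evaluation in the background, you can turn it on with these:
                // anchorectl subscription activate policy_eval "$IMAGE"
                // anchorectl subscription activate vuln_update "$IMAGE"
                // and in this case you would probably also want to configure "policy & vulnerability" updates
                // in "Events & Notifications" -> "Manage Notification Endpoints"
                //
            } // end steps
        } // end stage "analyze image with anchorectl"
        // optional, you could promote the image here.
        // This stage is only reached if every earlier step succeeded, so with
        // ANCHORE_FAIL_ON_POLICY="true" a failed policy evaluation prevents promotion.
        // With "false" the image is promoted whatever the evaluation said.
        stage('Promote Image') {
            steps {
                sh '''
                    ### retag the image as "prod"
                    docker tag "$IMAGE" "$IMAGE-prod"
                    docker push "$IMAGE-prod"
                '''
            } // end steps
        } // end stage "Promote Image"
    } // end stages
    post {
        always {
            //
            // don't need the image(s) anymore so let's rm it.
            // This lives in post/always rather than a trailing stage so the local copy is
            // removed even when the build fails part way (e.g. a failed policy gate), which
            // a stage after the failing one would never reach.
            //
            // the || true just allows us to continue even if one or both of the tags we're
            // rm'ing doesn't exist (e.g. if the evaluation failed, we end up here without
            // having re-tagged the image, so the -prod tag wouldn't exist).
            //
            sh 'docker image rm "$IMAGE" "$IMAGE-prod" || true'
            //
            // you could also use the plugin here to generate the human-readable report and
            // archive the results:
            // sh 'echo "$IMAGE" > anchore_images'
            // anchore name: 'anchore_images', engineRetries: '300', bailOnFail: 'false'
        } // end always
    } // end post
} // end pipeline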