-
Notifications
You must be signed in to change notification settings - Fork 3
/
azure-pipelines.yml
73 lines (62 loc) · 2.53 KB
/
azure-pipelines.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# anchorectl example
# build image, push to docker hub, scan with anchorectl/anchore enterprise and get evaluations
trigger:
- main
# the "anchore" variable group contains ANCHORECTL_USERNAME, ANCHORECTL_PASSWORD, and ANCHORECTL_URL, which are needed to authenticate to anchore enterprise
# the "dockerhub" variable group contains DOCKERHUB_USERNAME and DOCKERHUB_TOKEN for pushing the built image to docker hub
variables:
- group: "anchore"
- group: "dockerhub"
- name: IMAGE
value: docker.io/pvnovarese/anchorectl-azure-test:latest
pool:
vmImage: ubuntu-latest
steps:
- checkout: self
displayName: Checkout
- script: |
which docker
docker build -t ${IMAGE} .
displayName: 'Build Docker Image'
- script: |
echo ${DOCKERHUB_TOKEN} | docker login -u ${DOCKERHUB_USERNAME} --password-stdin
docker push ${IMAGE}
displayName: 'Login to Docker Hub and Push'
- script: |
curl -sSfL https://anchorectl-releases.anchore.io/anchorectl/install.sh | sh -s -- -b ${HOME}/.local/bin v5.6.0
export PATH="${HOME}/.local/bin/:${PATH}"
displayName: 'Install anchorectl Binary'
- script: |
anchorectl version
anchorectl system status
anchorectl feed list
displayName: 'Connectivity Check'
- script: |
### this will do a "distributed" scan (i.e. create the SBOM locally on the
### build runner and push the SBOM to the Anchore API)
#
anchorectl image add --no-auto-subscribe --wait --from registry ${IMAGE}
#
### alternatively, for a "centralized" scan (i.e. inform the API to have
### the backend analyzer pod pull the image and create the SBOM), do this:
#
# anchorectl image add ${IMAGE}
#
### in either case, some notes on the other flags:
### --wait is necessary if you want to immediately pull vulns or policy evaluations,
### --from can be registry, docker, or local sbom file
### --no-auto-subscribe tells anchore not to continuously poll the tag for new image pushes
### if you specify --dockerfile <file>, --force is recommended
### --annotation is always optional
### see "anchorectl image add -h" for more info
displayName: 'Generate SBOM and Push to Anchore'
- script: |
anchorectl image vulnerabilities ${IMAGE}
displayName: 'Pull Vulnerability List'
- script: |
# set "ANCHORECTL_FAIL_BASED_ON_RESULTS=true" to break the pipeline here if the
# policy evaluation returns FAIL or add -f, --fail-based-on-results to this
# command for the same result
#
anchorectl image check --detail ${IMAGE}
displayName: 'Pull Policy Evaluation'