-
Notifications
You must be signed in to change notification settings - Fork 137
/
Copy pathjenkinsfile_trivy
37 lines (34 loc) · 1.36 KB
/
jenkinsfile_trivy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
node {
stage('Clone repository') {
checkout scm
}
stage('Build image') {
app = docker.build("admin/flask-example")
}
stage('Push image') {
docker.withRegistry('https://127.0.0.1/', 'harbor_cred') {
app.push("${env.BUILD_NUMBER}")
app.push("latest")
}
}
stage('Scan') {
// Install trivy
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.50.1'
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
// Scan all vuln levels
sh 'mkdir -p reports'
sh 'ls -R .'
sh 'trivy filesystem --ignore-unfixed --vuln-type os,library --format template --template "@html.tpl" -o reports/nodjs-scan.html ./'
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'nodjs-scan.html',
reportName: 'Trivy Scan',
reportTitles: 'Trivy Scan'
]
// Scan again and fail on CRITICAL vulns
sh 'trivy filesystem --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ./'
}
}