Resolve "Docker Builds are not able to provide a tag version"
General MR
Issue: changes to a Dockerfile could not specify a new version/tag.
Cause: the version/tag was defined in the master branch of the pipeline-templates.
Summary
- Use a manifest file (similar to the IB approach) to gather tag versions and other info to be used when building the image.
- Other changes to Trivy scanning:
  - use an ignore file
  - do not use the ignore file on full reports
  - copy reports as artifacts
- Fixed build args being passed:
  --build-arg $VAR=value
  is incorrect. The correct syntax is --build-arg=$VAR=value
- Security vulnerabilities were reduced for bb-ci, terraform and cypress, but some still remain.
Relevant logs/screenshots
Working pipeline for a single image:
- https://repo1.dso.mil/big-bang/pipeline-templates/package-validation/-/pipelines/3283433
- The Scan stage has artifacts
- The HTML report lists ALL CVEs
- The ignore file allows the gates to pass without warning when:
  - no fixable High or Critical CVEs are found that are not in the ignore list (or whose ignore-list entry has expired)
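The gate rule above, as an added example that is not part of this MR or the pipeline-templates code. It assumes the Trivy JSON report layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `Severity`, `FixedVersion`) and the `.trivyignore` line format with optional `exp:YYYY-MM-DD`; the report and ignore file below are constructed samples, and the CVE IDs in them are placeholders. The full finding list is never filtered, so the HTML report still carries every CVE while only fixable High/Critical findings without a valid ignore entry block the stage.

```python
import json
from datetime import date

# Constructed sample: a trimmed Trivy JSON report (shape of
# `trivy image --format json`), not a real scan. CVE IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example:latest (alpine 3.17)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-0001", "PkgName": "openssl",
             "InstalledVersion": "3.0.7-r0", "FixedVersion": "3.0.8-r0",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2023-0002", "PkgName": "curl",
             "InstalledVersion": "7.87.0-r0", "FixedVersion": "7.88.0-r0",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-0003", "PkgName": "musl",
             "InstalledVersion": "1.2.3-r4", "FixedVersion": "",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-0004", "PkgName": "zlib",
             "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1",
             "Severity": "MEDIUM"},
        ],
    }]
})

# Constructed sample .trivyignore: one entry still valid, one already lapsed.
SAMPLE_IGNORE = """\
# accepted risk, tracked in a (hypothetical) ticket
CVE-2023-0001 exp:2099-01-01
# this exception has lapsed and must no longer silence the gate
CVE-2023-0002 exp:2020-01-01
"""

GATE_SEVERITIES = {"HIGH", "CRITICAL"}


def parse_ignore(text, today):
    """Return the set of CVE IDs whose ignore entry is still in force.

    Assumed .trivyignore format: one ID per line, optional `exp:YYYY-MM-DD`,
    `#` comments. An entry is treated as valid through its exp date
    (inclusive; assumption) and dropped afterwards.
    """
    active = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        vuln_id, exp = parts[0], None
        for part in parts[1:]:
            if part.startswith("exp:"):
                exp = date.fromisoformat(part[4:])
        if exp is None or today <= exp:
            active.add(vuln_id)
    return active


def gate_findings(report_json, ignore_text, today=None):
    """Return the CVE IDs that should fail the gate.

    A finding blocks only if it is HIGH/CRITICAL, has a FixedVersion (is
    fixable) and is not covered by an unexpired ignore entry. Everything
    else is left in the report for the full HTML artifact.
    """
    today = today or date.today()
    ignored = parse_ignore(ignore_text, today)
    blocking = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in GATE_SEVERITIES:
                continue
            if not vuln.get("FixedVersion"):
                continue
            if vuln["VulnerabilityID"] in ignored:
                continue
            blocking.append(vuln["VulnerabilityID"])
    return blocking


if __name__ == "__main__":
    failing = gate_findings(SAMPLE_REPORT, SAMPLE_IGNORE, today=date(2023, 6, 1))
    print("blocking findings:", failing)
    raise SystemExit(1 if failing else 0)
```

With the sample data only CVE-2023-0002 blocks: its ignore entry has expired, whereas CVE-2023-0001 is still covered, CVE-2023-0003 has no fix available, and CVE-2023-0004 is below the gate severity. Passing `today` explicitly keeps the gate deterministic in CI and makes the expiry behaviour testable.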
Linked Issue
Closes #372
Upgrade Notices
N/A
Edited by Jared Ladner