From 546fe3365e02a0d1549156f68678bdde5e43a63c Mon Sep 17 00:00:00 2001
From: Terrence Cort
Date: Mon, 6 May 2019 20:55:13 +0000
Subject: [PATCH 1/5] change REMOTE_HOST value
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index a60bddb..fd76bc4 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -21,7 +21,7 @@ pipeline {
 environment {
 NEXUS_SERVER = 'nexus-docker.52.61.140.4.nip.io'
 S3_REPORT_BUCKET = 'dsop-pipeline-artifacts'
- REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com'
+ REMOTE_HOST = 'ec2-160-1-44-188.us-gov-west-1.compute.amazonaws.com'
 } // environment
 parameters {
-- 
GitLab
From 3ef9789502b4d1dba2555d9d0f4fdfd8672ac093 Mon Sep 17 00:00:00 2001
From: Terrence Cort
Date: Mon, 6 May 2019 23:29:42 +0000
Subject: [PATCH 2/5] replace oscap credentials with secure-build
---
 Jenkinsfile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index fd76bc4..eaeca70 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -63,7 +63,7 @@ pipeline {
 node {
- withCredentials([sshUserPrivateKey(credentialsId: 'oscap', keyFileVariable: 'identity', usernameVariable: 'userName')]) {
+ withCredentials([sshUserPrivateKey(credentialsId: 'secure-build', keyFileVariable: 'identity', usernameVariable: 'userName')]) {
 image_full_path = "${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}"
 remote.user = userName
@@ -107,7 +107,7 @@ pipeline {
 node {
- withCredentials([sshUserPrivateKey(credentialsId: 'oscap', keyFileVariable: 'identity', usernameVariable: 'userName')]) {
+ withCredentials([sshUserPrivateKey(credentialsId: 'secure-build', keyFileVariable: 'identity', usernameVariable: 'userName')]) {
 image_full_path = "${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}"
 remote.user = userName
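Review bot: REMOTE_HOST is a hard-coded hostname literal inside `environment {}` that this series changes again in patch 4 (the second `@@ -21,7 +21,7 @@` hunk), and it selects the machine that later receives `${SIGNING_KEY}` via `sshPut` and runs the `sudo` scan and signing commands. Hard-coding it means every host move is a pipeline-code change whose only review signal is a string diff; a `parameters {}` entry with this value as its default, or a Jenkins-side configuration entry, would make the switch explicit. The hunk does not show how `remote` is built, so whether host-key verification is enabled for the new host cannot be confirmed from here; it is worth checking that the host key is pinned whenever this value changes, since the same key and commands now go to a different machine. Suggested comment above the entry: `// Build/scan/sign host; changing it must be paired with an updated SSH host key for the 'remote' connection.`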
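Review bot: The `'secure-build'` credentialsId is pasted as a literal into five `withCredentials` calls (this hunk, `@@ -107`, `@@ -172`, `@@ -325`, `@@ -387`), and the same SSH key is used for the OpenSCAP and Twistlock scan stages and for the image-signing stage at `@@ -325`. Hoisting the id into the `environment {}` block, e.g. `REMOTE_CREDENTIALS_ID = 'secure-build'` (name constructed), keeps the next rename from touching five places, and a separate credential for the signing stage would keep a compromise of the scan path from also granting access to the host where the signing key is staged. Both points are inferred from the visible hunks; the enclosing stage bodies begin and end outside them.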
@@ -172,7 +172,7 @@ pipeline {
 node {
 // using the oscap user, this is temporary
- withCredentials([sshUserPrivateKey(credentialsId: 'oscap', keyFileVariable: 'identity', usernameVariable: 'userName')]) {
+ withCredentials([sshUserPrivateKey(credentialsId: 'secure-build', keyFileVariable: 'identity', usernameVariable: 'userName')]) {
 remote.user = userName
 remote.identityFile = identity
@@ -325,7 +325,7 @@ pipeline {
 //siging the image
 node {
- withCredentials([sshUserPrivateKey(credentialsId: 'oscap', keyFileVariable: 'identity', usernameVariable: 'userName')]) {
+ withCredentials([sshUserPrivateKey(credentialsId: 'secure-build', keyFileVariable: 'identity', usernameVariable: 'userName')]) {
 remote.user = userName
 remote.identityFile = identity
@@ -387,7 +387,7 @@ pipeline {
 node {
 // using the oscap user, this is temporary
- withCredentials([sshUserPrivateKey(credentialsId: 'oscap', keyFileVariable: 'identity', usernameVariable: 'userName')]) {
+ withCredentials([sshUserPrivateKey(credentialsId: 'secure-build', keyFileVariable: 'identity', usernameVariable: 'userName')]) {
 remote.user = userName
 remote.identityFile = identity
-- 
GitLab
From 2665154d0642c39bd3cecbb230f952446b291570 Mon Sep 17 00:00:00 2001
From: Terrence Cort
Date: Mon, 6 May 2019 23:32:51 +0000
Subject: [PATCH 3/5] updated aws binary location
---
 Jenkinsfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index eaeca70..203f82f 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
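Review bot: The context comment `// using the oscap user, this is temporary` directly above the changed line at `@@ -172` (and again at `@@ -387`) is now stale: the credential is `'secure-build'`, so a reader can no longer tell which remote user the key maps to or whether the "temporary" arrangement has ended. Either drop the comment or replace it with one that matches the new credential, e.g. `// remote user comes from the 'secure-build' SSH credential (usernameVariable: userName)`. The `node {` blocks these hunks sit in begin and end outside the hunks.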
@@ -134,8 +134,8 @@ pipeline {
 sshCommand remote: remote, command: "sudo oscap-docker image-cve ${image_full_path} --report /tmp/report-cve.html"
 //copy files to s3
- sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${openscap_artifact_path}report-cve.html"
- sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${openscap_artifact_path}report.html"
+ sshCommand remote: remote, command: "/usr/bin/aws s3 cp /tmp/report-cve.html ${openscap_artifact_path}report-cve.html"
+ sshCommand remote: remote, command: "/usr/bin/aws s3 cp /tmp/report.html ${openscap_artifact_path}report.html"
 } // script
 } // withCredentials
@@ -189,7 +189,7 @@ pipeline {
 // Pull latest report from the twistlock console
 // and save to s3
- sshCommand remote: remote, command: "curl -k -s -u ${TWISTLOCK_USERNAME}:'${TWISTLOCK_PASSWORD}' -H 'Content-Type: application/json' -X GET '${TWISTLOCK_SERVER}/api/v1/scans?search=${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}&limit=1&reverse=true&type=twistcli' | python -m json.tool | /usr/sbin/aws s3 cp - ${twistlock_artifact_path}${IMAGE_TAG}.json"
+ sshCommand remote: remote, command: "curl -k -s -u ${TWISTLOCK_USERNAME}:'${TWISTLOCK_PASSWORD}' -H 'Content-Type: application/json' -X GET '${TWISTLOCK_SERVER}/api/v1/scans?search=${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}&limit=1&reverse=true&type=twistcli' | python -m json.tool | /usr/bin/aws s3 cp - ${twistlock_artifact_path}${IMAGE_TAG}.json"
 } // withCredentials
 } // withCredentials
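Review bot: The new `aws s3 cp` lines upload from the fixed paths `/tmp/report-cve.html` and `/tmp/report.html`, which the preceding context line writes with `sudo oscap-docker`; on a shared REMOTE_HOST two concurrent builds overwrite each other's report before it is uploaded, and a predictable root-written name under `/tmp` is a classic symlink/ownership hazard. The signing command in this patch's `@@ -330` hunk already uses `mktemp`; the same pattern fits here, e.g. `r=\$(mktemp -d)` followed by `--report \$r/report-cve.html` and uploading from `\$r`. The enclosing `script {` block opens outside the hunk.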
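Review bot: The rewritten curl line still passes `-k` and embeds `${TWISTLOCK_USERNAME}:'${TWISTLOCK_PASSWORD}'` into the command string that sshCommand sends to the remote shell, so the password is Groovy-interpolated into the step's command before it runs and is visible in the remote host's process list and in any echo of that command, while certificate validation of the console is disabled. Patch 5's `@@ -146` hunk moves `TWISTLOCK_SERVER` to a public nip.io hostname, which makes the missing validation more significant. Keeping the credentials in a `.netrc` file on the remote host (`curl --netrc-file`) or another remote-side secret source rather than the command line, and dropping `-k` once the console certificate is trusted there, addresses both. The surrounding `withCredentials` block opens outside the hunk.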
@@ -330,7 +330,7 @@ pipeline {
 remote.identityFile = identity
 sshPut remote: remote, from: "${SIGNING_KEY}", into: './signingkey'
- signature = sshCommand remote: remote, command: "g=\$(mktemp -d) && f=\$(mktemp) && e=\$(mktemp) && trap \"sudo rm \$e;sudo rm \$f;sudo rm -rf \$g\" EXIT || exit 255;sudo docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};sudo chmod o=r \$e;gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ./signingkey ;echo \$e;gpg --detach-sign --homedir \$g -o \$f --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$e;/usr/sbin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/docker_image;rm ./signingkey;cat \$f;"
+ signature = sshCommand remote: remote, command: "g=\$(mktemp -d) && f=\$(mktemp) && e=\$(mktemp) && trap \"sudo rm \$e;sudo rm \$f;sudo rm -rf \$g\" EXIT || exit 255;sudo docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};sudo chmod o=r \$e;gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ./signingkey ;echo \$e;gpg --detach-sign --homedir \$g -o \$f --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$e;/usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/docker_image;rm ./signingkey;cat \$f;"
 def signatureMatch = signature =~ /(?s)-----BEGIN PGP SIGNATURE-----.*-----END PGP SIGNATURE-----/
 def signature = ""
-- 
GitLab
From c5b36de44ae3bd35cb75f0cc325e72e65be5f95e Mon Sep 17 00:00:00 2001
From: Terrence Cort
Date: Tue, 7 May 2019 14:49:52 +0000
Subject: [PATCH 4/5] updated remote-host url
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 203f82f..46ae6bd 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
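Review bot: The rewritten signing command places `${SIGNING_KEY_PASSPHRASE}` twice on the remote command line via `--passphrase`, so the passphrase is Groovy-interpolated into the step's command string before it runs and is visible in the remote host's process list; gpg's `--passphrase-fd 0` with the value supplied on stdin, or `--passphrase-file` pointing at a mktemp'd file that the trap removes, avoids that. Cleanup is also incomplete: `rm ./signingkey` runs only if every earlier `;`-separated command gets that far and is not in the `trap "…" EXIT` list, so a failed gpg import leaves the private signing key on the shared host, and `sudo chmod o=r \$e` makes the saved image tarball world-readable there. Adding `rm -f ./signingkey` to the trap and replacing the chmod with `sudo chown \$(id -u) \$e` so only the build user can read the tarball closes both. The enclosing `withCredentials` and `script` blocks open and close outside the hunk.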
@@ -21,7 +21,7 @@ pipeline {
 environment {
 NEXUS_SERVER = 'nexus-docker.52.61.140.4.nip.io'
 S3_REPORT_BUCKET = 'dsop-pipeline-artifacts'
- REMOTE_HOST = 'ec2-160-1-44-188.us-gov-west-1.compute.amazonaws.com'
+ REMOTE_HOST = 'ec2-52-61-217-50.us-gov-west-1.compute.amazonaws.com'
 } // environment
 parameters {
-- 
GitLab
From 35d995328dbab95f91ec16734fdc28e1934a2826 Mon Sep 17 00:00:00 2001
From: Terrence Cort
Date: Tue, 7 May 2019 15:02:11 +0000
Subject: [PATCH 5/5] updated to nip.io twistlock address
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 46ae6bd..a9c3057 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -146,7 +146,7 @@ pipeline {
 stage('Twistlock Scan') {
 environment {
- TWISTLOCK_SERVER = 'https://twistlock-console-twistlock.us-gov-west-1.compute.internal'
+ TWISTLOCK_SERVER = 'https://twistlock.52.61.140.4.nip.io'
 } // environment
 when {
-- 
GitLab