From af202da79c2a32603a40e79af85cfa5f809b9337 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 08:39:00 -0500 Subject: [PATCH 01/16] Testing adding NEXUS_SERVER environment variable --- Jenkinsfile | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index fcae09a..d3b3824 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -2,13 +2,18 @@ pipeline { agent { label 'master' } + environment { + NEXUS_SERVER = 'nexus-docker.52.61.140.4.nip.io' + + } + stages { - + stage('Pull from Staging') { //agent { label 'docker' } steps { echo "Pushing ${IMAGE_TAG} to Nexus Staging" - + //TODO Test docker on agent eventually /*withDockerRegistry([url: 'nexus-docker.52.61.140.4.nip.io', credentialsId: 'admin/admin123']) { sh "docker push nexus-docker.52.61.140.4.nip.io/${IMAGE_TAG}" @@ -16,8 +21,8 @@ pipeline { } } - stage('OpenSCAP Config') { - steps { + stage('OpenSCAP Config') { + steps { echo 'OpenSCAP Compliance Scan' script { def remote = [:] @@ -29,7 +34,7 @@ pipeline { remote.user = userName remote.identityFile = identity stage('OpenSCAP Scan') { - sshCommand remote: remote, command: "sudo docker login -u admin -p admin123 nexus-docker.52.61.140.4.nip.io" + sshCommand remote: remote, command: "sudo docker login -u admin -p admin123 ${NEXUS_SERVER}" sshCommand remote: remote, command: "sudo docker pull nexus-docker.52.61.140.4.nip.io/${IMAGE_TAG}" sshCommand remote: remote, command: "sudo oscap-docker image nexus-docker.52.61.140.4.nip.io/${IMAGE_TAG} xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml" sshCommand remote: remote, command: "sudo oscap-docker image-cve nexus-docker.52.61.140.4.nip.io/${IMAGE_TAG} --report /tmp/report-cve.html" 
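Review bot: The rewritten `docker login` line still passes the registry password on the command line (`-p admin123`), where it is visible in the process list of the scan node and in any record the ssh step keeps of the command; Docker prints a warning for exactly this form. Read it from stdin instead, e.g. `sudo docker login -u admin --password-stdin ${NEXUS_SERVER}` with the secret piped in from a credentials binding rather than a literal in the Jenkinsfile. Patch 02 swaps the literals for `${NEXUS_USERNAME}`/`${NEXUS_PASSWORD}` but keeps the `-p` form. The enclosing `stage('OpenSCAP Scan')` block continues outside the hunk.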
@@ -41,7 +46,7 @@ pipeline { publishHTML([alwaysLinkToLastBuild: false, keepAll: false, reportDir: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}", reportFiles: 'openscap-cve-report.html', reportName: 'OpenSCAP Vulnerability Report', reportTitles: 'OpenSCAP Vulnerability Report']) //archiveArtifacts "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-compliance-report.html" } // script - } // stage + } // stage } // withCredentials } //node } // steps @@ -77,7 +82,7 @@ pipeline { } // stage stage('Anchore Scan') { - steps { + steps { echo 'Anchore Scan' //Below is example command that will be needed in Push to Staging step. @@ -86,7 +91,7 @@ pipeline { anchore bailOnFail: false, bailOnPluginFail: false, name: 'anchore_images' //TODO: Push reports to git repo - + // s3Upload consoleLogLevel: 'INFO', dontWaitForConcurrentBuildCompletion: false, // entries: [[bucket: 'dsop-pipeline-artifacts', excludedFile: '', flatten: false, // gzipFiles: false, keepForever: false, managedArtifacts: false, noUploadOnFailure: false, @@ -110,4 +115,3 @@ pipeline { } // stages } // pipeline - -- GitLab From 92323ab0531000fe1ca6ece534bd93f9c69d80fa Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 09:00:32 -0500 Subject: [PATCH 02/16] Added NEXUS_USERNAME NEXUS_PASSWORD S3_REPORT_LOCATION --- Jenkinsfile | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index d3b3824..9ada903 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -4,7 +4,10 @@ pipeline { environment { NEXUS_SERVER = 'nexus-docker.52.61.140.4.nip.io' - + NEXUS_USERNAME = 'admin' + NEXUS_PASSWORD = 'admin123' + S3_REPORT_LOCATION = 's3://dsop-pipeline-artifacts' + TWISTLOCK_SERVER = 'https://twistlock-console-twistlock.us-gov-west-1.compute.internal' } stages { 
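Review bot: `NEXUS_PASSWORD = 'admin123'` checks a registry password into source control as a plain environment literal, and nothing masks it when the `sshCommand` lines later interpolate it into the build log. The pipeline already uses the credentials store (`withCredentials([sshUserPrivateKey(credentialsId: 'oscap', ...)])`), so bind the registry account the same way: `NEXUS_CREDS = credentials('<nexus-credentials-id>')` in this block, then `${NEXUS_CREDS_USR}` and `${NEXUS_CREDS_PSW}` at the call sites — that binding is masked in console output. Patch 03's `TWISTLOCK_USERNAME`/`TWISTLOCK_PASSWORD` hunk has the same issue. The `environment {}` block's header is in the hunk but the `stages {}` body that follows is outside it.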
@@ -16,7 +19,7 @@ pipeline { //TODO Test docker on agent eventually /*withDockerRegistry([url: 'nexus-docker.52.61.140.4.nip.io', credentialsId: 'admin/admin123']) { - sh "docker push nexus-docker.52.61.140.4.nip.io/${IMAGE_TAG}" + sh "docker push ${NEXUS_SERVER}/${IMAGE_TAG}" }*/ } } 
@@ -34,12 +37,12 @@ pipeline { remote.user = userName remote.identityFile = identity stage('OpenSCAP Scan') { - sshCommand remote: remote, command: "sudo docker login -u admin -p admin123 ${NEXUS_SERVER}" - sshCommand remote: remote, command: "sudo docker pull nexus-docker.52.61.140.4.nip.io/${IMAGE_TAG}" - sshCommand remote: remote, command: "sudo oscap-docker image nexus-docker.52.61.140.4.nip.io/${IMAGE_TAG} xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml" - sshCommand remote: remote, command: "sudo oscap-docker image-cve nexus-docker.52.61.140.4.nip.io/${IMAGE_TAG} --report /tmp/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html s3://dsop-pipeline-artifacts/openscap/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html s3://dsop-pipeline-artifacts/openscap/report.html" + sshCommand remote: remote, command: "sudo docker login -u ${NEXUS_USERNAME} -p ${NEXUS_PASSWORD} ${NEXUS_SERVER}" + sshCommand remote: remote, command: "sudo docker pull ${NEXUS_SERVER}/${IMAGE_TAG}" + sshCommand remote: remote, command: "sudo oscap-docker image ${NEXUS_SERVER}/${IMAGE_TAG} xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml" + sshCommand remote: remote, command: "sudo oscap-docker image-cve ${NEXUS_SERVER}/${IMAGE_TAG} --report /tmp/report-cve.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${S3_REPORT_LOCATION}/openscap/report-cve.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${S3_REPORT_LOCATION}/openscap/report.html" sshGet remote: remote, from: "/tmp/report.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-compliance-report.html", override: true sshGet remote: remote, from: 
"/tmp/report-cve.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-cve-report.html", override: true publishHTML([alwaysLinkToLastBuild: false, keepAll: false, reportDir: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}", reportFiles: 'openscap-compliance-report.html', reportName: 'OpenSCAP Compliance Report', reportTitles: 'OpenSCAP Compliance Report']) -- GitLab From 8527d3a2570fae7b8db43d45288d1aefd0fbdcf7 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 09:19:50 -0500 Subject: [PATCH 03/16] Added TWISTLOCK_SERVER, TWISTLOCK_USERNAME, TWISTLOCK_PASSWORD --- Jenkinsfile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 9ada903..f5dac99 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -8,6 +8,9 @@ pipeline { NEXUS_PASSWORD = 'admin123' S3_REPORT_LOCATION = 's3://dsop-pipeline-artifacts' TWISTLOCK_SERVER = 'https://twistlock-console-twistlock.us-gov-west-1.compute.internal' + TWISTLOCK_USERNAME = 'jenkins-svc' + TWISTLOCK_PASSWORD = 'redhat12' + REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' } stages { 
@@ -72,7 +75,7 @@ pipeline { remote.identityFile = identity stage('SSH to Twistlock Node') { // Start the container, import the TwistCLI binary, scan image - sshCommand remote: remote, command: "sudo curl -k -ssl -u jenkins-svc:redhat12 https://twistlock-console-twistlock.us-gov-west-1.compute.internal/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${IMAGE_TAG} --user jenkins-svc --password redhat12 --address https://twistlock-console-twistlock.us-gov-west-1.compute.internal --details ${IMAGE_TAG}" + sshCommand remote: remote, command: "sudo curl -k -ssl -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${IMAGE_TAG} --user ${TWISTLOCK_USERNAME} --password ${TWISTLOCK_PASSWORD} --address ${TWISTLOCK_SERVER} --details ${IMAGE_TAG}" // Clean up // Stop or remove the container image if needed.. // ToDo - Catch, or call from the console, the twistcli scan results, and complile them with the rest of the pipeline @@ -89,7 +92,7 @@ pipeline { echo 'Anchore Scan' //Below is example command that will be needed in Push to Staging step. - sh "echo 'nexus-docker.52.61.140.4.nip.io/${IMAGE_TAG}' > anchore_images" + sh "echo '${NEXUS_SERVER}/${IMAGE_TAG}' > anchore_images" anchore bailOnFail: false, bailOnPluginFail: false, name: 'anchore_images' -- GitLab From b55e30c6e987510409643b2537b2b4c8b23b7690 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 09:26:22 -0500 Subject: [PATCH 04/16] Added REMOTE_HOST --- Jenkinsfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index f5dac99..b684833 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
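Review bot: The rewritten download line still runs `curl -k`, so the twistcli binary is fetched without verifying the console's certificate and is then executed as root (`sudo ./twistcli`); anything able to answer for `${TWISTLOCK_SERVER}` on the network path gets root execution on the scan node. Trust the console's CA explicitly (`--cacert <console-ca.pem>`) or at least compare the download against a known digest before the `chmod +x`. `-ssl` is not a curl option as written — curl parses it as the bundled short flags `-s -s -l`, where `-l` is FTP list-only — so it should be dropped or replaced by the flag actually intended. The `-u user:pass` and `--password` arguments also leave the console password in the remote host's process list. The enclosing `stage('SSH to Twistlock Node')` block starts and ends outside the hunk.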
@@ -21,7 +21,7 @@ pipeline { echo "Pushing ${IMAGE_TAG} to Nexus Staging" //TODO Test docker on agent eventually - /*withDockerRegistry([url: 'nexus-docker.52.61.140.4.nip.io', credentialsId: 'admin/admin123']) { + /*withDockerRegistry([url: '${env.NEXUS_SERVER}', credentialsId: '${env.NEXUS_USERNAME}/${env.NEXUS_PASSWORD}']) { sh "docker push ${NEXUS_SERVER}/${IMAGE_TAG}" }*/ } @@ -33,7 +33,7 @@ pipeline { script { def remote = [:] remote.name = "node" - remote.host = "ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com" + remote.host = "${env.REMOTE_HOST}" remote.allowAnyHosts = true node { withCredentials([sshUserPrivateKey(credentialsId: 'oscap', keyFileVariable: 'identity', usernameVariable: 'userName')]) { @@ -66,7 +66,7 @@ pipeline { script { def remote = [:] remote.name = "node" - remote.host = "ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com" + remote.host = "${env.REMOTE_HOST}" remote.allowAnyHosts = true node { // using the oscap user, this is temporary -- GitLab From b3a84cf6aac48c3c83019935040e9a52b5e7eacc Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 10:09:27 -0500 Subject: [PATCH 05/16] Added a choice parameter --- Jenkinsfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Jenkinsfile b/Jenkinsfile index b684833..748c61d 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -13,6 +13,8 @@ pipeline { REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' } + parameters { choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore')} + stages { stage('Pull from Staging') { -- GitLab From cbfe41e004e1611e36f3276dfd80b123e76d8c84 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 10:18:29 -0500 Subject: [PATCH 06/16] adding param name/description --- Jenkinsfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 748c61d..48c631f 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
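Review bot: In the commented-out `withDockerRegistry` line, `'${env.NEXUS_SERVER}'` and `'${env.NEXUS_USERNAME}/${env.NEXUS_PASSWORD}'` are single-quoted Groovy strings, which do not interpolate, so if the block is ever uncommented the literal text `${env.NEXUS_SERVER}` is passed as the URL; use double quotes or the bare expression `env.NEXUS_SERVER`. `credentialsId` also expects the ID of a credential stored in Jenkins rather than a `user/password` pair, so the intended form is `credentialsId: '<nexus-credentials-id>'` with the secret kept in the credentials store. In the two `remote.host = "${env.REMOTE_HOST}"` hunks the target host is now configurable while the adjacent `remote.allowAnyHosts = true` still accepts any SSH host key, so a wrong or spoofed `REMOTE_HOST` value is connected to without warning; with the host parameterised, pinning a known-hosts entry (the ssh step plugin has a known-hosts setting, worth confirming the exact option name) is the natural next step. `"${env.REMOTE_HOST}"` can simply be `env.REMOTE_HOST`.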
@@ -13,8 +13,9 @@ pipeline { REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' } - parameters { choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore')} - + parameters { choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore', + description: "Which tools to run?", name: 'toolsToRun')} + stages { stage('Pull from Staging') { -- GitLab From 19e6c7bf9654a44bd731a19f5cd490683740d304 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 10:21:49 -0500 Subject: [PATCH 07/16] moving IMAGE_TAG to Jenkinsfile --- Jenkinsfile | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 48c631f..8a62269 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -14,7 +14,12 @@ pipeline { } parameters { choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore', - description: "Which tools to run?", name: 'toolsToRun')} + description: "Which tools to run?", name: 'toolsToRun'), + + string(defaultValue: "up/ubi7-hardened-dev:latest", name: 'IMAGE_TAG', + description: "Image tag to be used by Docker, Nexus and all Scanning tools") + + } stages { -- GitLab From 8366cc726451a58ac8453522e597c853f49deef8 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 10:28:14 -0500 Subject: [PATCH 08/16] reverting IMAGE_TAG --- Jenkinsfile | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 8a62269..12227cb 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -14,11 +14,7 @@ pipeline { } parameters { choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore', - description: "Which tools to run?", name: 'toolsToRun'), - - string(defaultValue: "up/ubi7-hardened-dev:latest", name: 'IMAGE_TAG', - description: "Image tag to be used by Docker, Nexus and all Scanning tools") - + description: "Which tools to run?", name: 'toolsToRun') } stages { -- GitLab From 457eed10dae5d89ff56c0d19d6ffdc6cc6f4d488 Mon Sep 17 00:00:00 2001 
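Review bot: `choices : 'All\nOpenSCAP\nTwistlock\nAnchore'` uses the legacy newline-separated string form, which is easy to get wrong when a tool is added and hides the individual values behind escaped newlines; newer Jenkins versions accept a list, `choices: ['All', 'OpenSCAP', 'Twistlock', 'Anchore']`, which reads as what it is. A one-line comment naming the stages that consult `toolsToRun` (patches 13 and 14 add the `when` blocks) would also help the next person who adds a scanner.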
From: jnach Date: Fri, 26 Apr 2019 15:28:43 +0000 Subject: [PATCH 09/16] add s3 upload
--- Jenkinsfile | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/Jenkinsfile b/Jenkinsfile
index 48c631f..8b3325d 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -79,6 +79,8 @@ pipeline {
 stage('SSH to Twistlock Node') {
 // Start the container, import the TwistCLI binary, scan image
 sshCommand remote: remote, command: "sudo curl -k -ssl -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${IMAGE_TAG} --user ${TWISTLOCK_USERNAME} --password ${TWISTLOCK_PASSWORD} --address ${TWISTLOCK_SERVER} --details ${IMAGE_TAG}"
+ // Pull latest report from the twistlock console
+ sshCommand remote: remote, command: "curl -k -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} -H 'Content-Type: application/json' -X GET ${TWISTLOCK_SERVER}/api/v1/scans?search=nexus-docker.52.61.140.4.nip.io/up/${IMAGE_TAG}&limit=1&reverse=true&type=twistcli | python -m json.tool | /usr/bin/aws s3 cp - ${S3_REPORT_LOCATION}/twistlock/${IMAGE_TAG}.json"
 // Clean up
 // Stop or remove the container image if needed..
 // ToDo - Catch, or call from the console, the twistcli scan results, and complile them with the rest of the pipeline
-- GitLab From ba8b054ab9c6efc138fe4644bc65fbf8a160e69b Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 10:31:00 -0500 Subject: [PATCH 10/16] moving IMAGE_TAG to Jenkinsfile
--- Jenkinsfile | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/Jenkinsfile b/Jenkinsfile
index 12227cb..e9d3eb3 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -15,6 +15,10 @@ pipeline { parameters { choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore', description: "Which tools to run?", name: 'toolsToRun') + + string(defaultValue: "up/ubi7-hardened-dev:latest", name: 'IMAGE_TAG', + description: "Image tag to be used by Docker, Nexus and all Scanning tools") + } stages {
-- GitLab
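Review bot: The new `curl … | python -m json.tool | /usr/bin/aws s3 cp -` line only reports the exit status of the last command in the pipe, and curl exits 0 on an HTTP 401/500 unless `--fail` is given, so an unauthenticated or failed console query still produces a "successful" upload of the error body as the scan report. Add `--fail` to the curl call (`curl -k --fail -u …`) and, if the remote login shell is bash, run the pipe under `set -o pipefail`, or validate the JSON before uploading. The unquoted `&` characters in the query string are fixed by patch 16 and the `/up/` prefix by patch 15, but patches 11, 15 and 16 all carry the missing `--fail` through unchanged. The same `-k` trust gap as on the twistcli download applies to this call. The enclosing `stage('SSH to Twistlock Node')` block closes outside the hunk.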
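Review bot: `IMAGE_TAG` becomes a free-form build parameter, and elsewhere in the file its value is interpolated unescaped into `sudo` commands run over ssh (`sudo docker pull ${NEXUS_SERVER}/${IMAGE_TAG}`, the `oscap-docker` lines, the later `docker rmi`), so anyone permitted to start the job can place shell text into a root command on the scan node. Validate it before the stages run, for example a `when { expression { … } }` or an early `error()` if it does not match an image-reference pattern such as `^[a-z0-9][a-z0-9._/-]*(:[A-Za-z0-9._-]+)?$` (constructed example; tighten to the registry's naming). The `:latest` default is also a moving tag, so the stored reports cannot be tied back to the exact image that was scanned; recording the pulled digest next to the reports would close that gap. The `parameters {}` block is fully in the hunk; `stages {}` continues outside it.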
From 5776534b0e33bd9913d034d1d2f4bb6a9f919db0 Mon Sep 17 00:00:00 2001 From: jnach Date: Fri, 26 Apr 2019 15:33:40 +0000 Subject: [PATCH 11/16] parameterize server fqdn
--- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 8b3325d..2c81761 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -80,7 +80,7 @@ pipeline {
 // Start the container, import the TwistCLI binary, scan image
 sshCommand remote: remote, command: "sudo curl -k -ssl -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${IMAGE_TAG} --user ${TWISTLOCK_USERNAME} --password ${TWISTLOCK_PASSWORD} --address ${TWISTLOCK_SERVER} --details ${IMAGE_TAG}"
 // Pull latest report from the twistlock console
- sshCommand remote: remote, command: "curl -k -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} -H 'Content-Type: application/json' -X GET ${TWISTLOCK_SERVER}/api/v1/scans?search=nexus-docker.52.61.140.4.nip.io/up/${IMAGE_TAG}&limit=1&reverse=true&type=twistcli | python -m json.tool | /usr/bin/aws s3 cp - ${S3_REPORT_LOCATION}/twistlock/${IMAGE_TAG}.json"
+ sshCommand remote: remote, command: "curl -k -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} -H 'Content-Type: application/json' -X GET ${TWISTLOCK_SERVER}/api/v1/scans?search=${NEXUS_SERVER}/up/${IMAGE_TAG}&limit=1&reverse=true&type=twistcli | python -m json.tool | /usr/bin/aws s3 cp - ${S3_REPORT_LOCATION}/twistlock/${IMAGE_TAG}.json"
 // Clean up
 // Stop or remove the container image if needed..
 // ToDo - Catch, or call from the console, the twistcli scan results, and complile them with the rest of the pipeline
-- GitLab From 375c78ac44bdaa19a0eef0141d9d7bd2bb1c7fa0 Mon Sep 17 00:00:00 2001 From: jnach Date: Fri, 26 Apr 2019 15:44:10 +0000 Subject: [PATCH 12/16] add docker cleanup
--- Jenkinsfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile index 2c81761..ff80621 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -82,9 +82,7 @@ pipeline { // Pull latest report from the twistlock console sshCommand remote: remote, command: "curl -k -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} -H 'Content-Type: application/json' -X GET ${TWISTLOCK_SERVER}/api/v1/scans?search=${NEXUS_SERVER}/up/${IMAGE_TAG}&limit=1&reverse=true&type=twistcli | python -m json.tool | /usr/bin/aws s3 cp - ${S3_REPORT_LOCATION}/twistlock/${IMAGE_TAG}.json" // Clean up - // Stop or remove the container image if needed.. - // ToDo - Catch, or call from the console, the twistcli scan results, and complile them with the rest of the pipeline - // Possibly make an API call to /images/scan/id + sshCommand remote: remote, command: "sudo docker rmi ${NEXUS_SERVER}/${IMAGE_TAG}" } // script } // stage } // withCredentials -- GitLab From 30fb1da08e8e6e6d3b77b2bbb030201e8ef3fcb0 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 10:44:29 -0500 Subject: [PATCH 13/16] Selectively running OpenSCAP --- Jenkinsfile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Jenkinsfile b/Jenkinsfile index e9d3eb3..a862514 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -36,6 +36,12 @@ pipeline { } stage('OpenSCAP Config') { + when { + anyOf { + environment name: "toolsToRun", value: "All" + environment name: "toolsToRun", value: "OpenSCAP" + } + } steps { echo 'OpenSCAP Compliance Scan' script { -- GitLab From de7578b3744708145b27775b6d7f066067b0f142 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 10:48:21 -0500 Subject: [PATCH 14/16] Selectively running Twister and Anchore --- Jenkinsfile | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Jenkinsfile b/Jenkinsfile index a862514..30bf27c 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
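Review bot: The new `sudo docker rmi ${NEXUS_SERVER}/${IMAGE_TAG}` cleanup only runs when the scan and report upload before it succeed — a failing `sshCommand` step aborts the `script` block (assuming the ssh step fails the build on a non-zero exit, which is the plugin's usual behaviour) — so failed scans leave the pulled image on the node indefinitely. Because `remote` is a local of the `script` block, a stage-level `post { always { … } }` cannot reach it; wrap the scan lines in `try { … } finally { sshCommand remote: remote, command: "sudo docker rmi ${NEXUS_SERVER}/${IMAGE_TAG}" }` instead. The removed ToDo about collecting the twistcli results is only partly addressed by patch 09's upload, so a short comment noting that the JSON goes to S3 rather than the build page would keep the intent visible. The `script` block starts outside the hunk.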
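Review bot: The new `when { anyOf { environment name: "toolsToRun", value: "All" … } }` compares the choice parameter through its environment-variable shadow; the parameter is already available as `params.toolsToRun`, so the more direct form is `when { expression { params.toolsToRun in ['All', 'OpenSCAP'] } }`, which reads as the intent and is one place to extend when a tool is added. Patch 14's two `when` blocks for the Twistlock and Anchore stages follow the same pattern. The `stage('OpenSCAP Config')` body continues outside the hunk.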
@@ -73,6 +73,12 @@ pipeline { } // stage stage('Twistlock Scan') { + when { + anyOf { + environment name: "toolsToRun", value: "All" + environment name: "toolsToRun", value: "Twistlock" + } + } steps { echo 'Twistlock Compliance Scan' // Using the OpenScap node to overcome docker inside docker limitations, @@ -102,6 +108,12 @@ pipeline { } // stage stage('Anchore Scan') { + when { + anyOf { + environment name: "toolsToRun", value: "All" + environment name: "toolsToRun", value: "Anchore" + } + } steps { echo 'Anchore Scan' -- GitLab From 0b2ea37673dfb32ce820e2d2d0cccbf57a92dec9 Mon Sep 17 00:00:00 2001 From: jnach Date: Fri, 26 Apr 2019 15:52:00 +0000 Subject: [PATCH 15/16] path corrections --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index ff80621..cb44b2e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -80,7 +80,7 @@ pipeline {
 // Start the container, import the TwistCLI binary, scan image
 sshCommand remote: remote, command: "sudo curl -k -ssl -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${IMAGE_TAG} --user ${TWISTLOCK_USERNAME} --password ${TWISTLOCK_PASSWORD} --address ${TWISTLOCK_SERVER} --details ${IMAGE_TAG}"
 // Pull latest report from the twistlock console
- sshCommand remote: remote, command: "curl -k -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} -H 'Content-Type: application/json' -X GET ${TWISTLOCK_SERVER}/api/v1/scans?search=${NEXUS_SERVER}/up/${IMAGE_TAG}&limit=1&reverse=true&type=twistcli | python -m json.tool | /usr/bin/aws s3 cp - ${S3_REPORT_LOCATION}/twistlock/${IMAGE_TAG}.json"
+ sshCommand remote: remote, command: "curl -k -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} -H 'Content-Type: application/json' -X GET ${TWISTLOCK_SERVER}/api/v1/scans?search=${NEXUS_SERVER}/${IMAGE_TAG}&limit=1&reverse=true&type=twistcli | python -m json.tool | /usr/sbin/aws s3 cp - ${S3_REPORT_LOCATION}/twistlock/${IMAGE_TAG}.json"
 // Clean up
 sshCommand remote: remote, command: "sudo docker rmi ${NEXUS_SERVER}/${IMAGE_TAG}"
 } // script
-- GitLab From 4079486ee854f529c7771894f2b9bdd809281ad6 Mon Sep 17 00:00:00 2001 From: jnach Date: Fri, 26 Apr 2019 16:00:57 +0000 Subject: [PATCH 16/16] add silent option, quote url
--- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index cb44b2e..c75ebb1 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -80,7 +80,7 @@ pipeline {
 // Start the container, import the TwistCLI binary, scan image
 sshCommand remote: remote, command: "sudo curl -k -ssl -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${IMAGE_TAG} --user ${TWISTLOCK_USERNAME} --password ${TWISTLOCK_PASSWORD} --address ${TWISTLOCK_SERVER} --details ${IMAGE_TAG}"
 // Pull latest report from the twistlock console
- sshCommand remote: remote, command: "curl -k -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} -H 'Content-Type: application/json' -X GET ${TWISTLOCK_SERVER}/api/v1/scans?search=${NEXUS_SERVER}/${IMAGE_TAG}&limit=1&reverse=true&type=twistcli | python -m json.tool | /usr/sbin/aws s3 cp - ${S3_REPORT_LOCATION}/twistlock/${IMAGE_TAG}.json"
+ sshCommand remote: remote, command: "curl -k -s -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} -H 'Content-Type: application/json' -X GET '${TWISTLOCK_SERVER}/api/v1/scans?search=${NEXUS_SERVER}/${IMAGE_TAG}&limit=1&reverse=true&type=twistcli' | python -m json.tool | /usr/sbin/aws s3 cp - ${S3_REPORT_LOCATION}/twistlock/${IMAGE_TAG}.json"
 // Clean up
 sshCommand remote: remote, command: "sudo docker rmi ${NEXUS_SERVER}/${IMAGE_TAG}"
 } // script
-- GitLab
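Review bot: Adding `-s` on its own makes curl silent about failures as well as progress, so a connection or TLS error now leaves nothing in the build log while the empty output is still piped into `json.tool` and uploaded as the report. Use `-sS` (quiet progress, errors still printed) together with `--fail` so an HTTP error ends the pipe with a non-zero status: `curl -k -sS --fail -u …`. Quoting the URL correctly stops the shell treating each `&` as a background operator. The `-k` on both curl calls and the password passed via `-u` are unchanged from the earlier hunks. The `script` block closes outside the hunk.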