From 85c8e3f2be0e1d1bab054f376c6d4a4708208b8b Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 10:55:51 -0500 Subject: [PATCH 01/55] Added comments to end of braces --- Jenkinsfile | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 30bf27c..4e2b367 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -11,7 +11,7 @@ pipeline { TWISTLOCK_USERNAME = 'jenkins-svc' TWISTLOCK_PASSWORD = 'redhat12' REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' - } + } // environment parameters { choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore', description: "Which tools to run?", name: 'toolsToRun') @@ -19,7 +19,7 @@ pipeline { string(defaultValue: "up/ubi7-hardened-dev:latest", name: 'IMAGE_TAG', description: "Image tag to be used by Docker, Nexus and all Scanning tools") - } + } // parameters stages { @@ -40,8 +40,9 @@ pipeline { anyOf { environment name: "toolsToRun", value: "All" environment name: "toolsToRun", value: "OpenSCAP" - } - } + } // anyOf + } // when + steps { echo 'OpenSCAP Compliance Scan' script { @@ -77,8 +78,9 @@ pipeline { anyOf { environment name: "toolsToRun", value: "All" environment name: "toolsToRun", value: "Twistlock" - } - } + } // anyOf + } // when + steps { echo 'Twistlock Compliance Scan' // Using the OpenScap node to overcome docker inside docker limitations, @@ -112,8 +114,8 @@ pipeline { anyOf { environment name: "toolsToRun", value: "All" environment name: "toolsToRun", value: "Anchore" - } - } + } // anyOf + } // when steps { echo 'Anchore Scan' -- GitLab From 4f57edd984e2cee16177e55fd15714713f59d6b4 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 11:58:11 -0500 Subject: [PATCH 02/55] Testing finding ISO time --- Jenkinsfile | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Jenkinsfile b/Jenkinsfile index 4e2b367..081dca7 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -1,3 +1,10 @@ +//Can run groovy code outside of pipeline +//Need to get ISO Time to use for storing artifacts +DATETIME_TAG = java.time.LocalDateTime.now() + + + + // Example Declarative Pipeline with Anchore Scans pipeline { agent { label 'master' } @@ -11,6 +18,8 @@ pipeline { TWISTLOCK_USERNAME = 'jenkins-svc' TWISTLOCK_PASSWORD = 'redhat12' REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' + DATETIME_TAG = '${DATETIME_TAG}' + } // environment parameters { choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore', -- GitLab From e0b01f9382365d0ac602e98788ea9bb116d28ae4 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 12:00:18 -0500 Subject: [PATCH 03/55] Printing ISO time --- Jenkinsfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Jenkinsfile b/Jenkinsfile index 081dca7..e643851 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -36,6 +36,7 @@ pipeline { //agent { label 'docker' } steps { echo "Pushing ${IMAGE_TAG} to Nexus Staging" + echo "ISO time is ${DATETIME_TAG}" //TODO Test docker on agent eventually /*withDockerRegistry([url: '${env.NEXUS_SERVER}', credentialsId: '${env.NEXUS_USERNAME}/${env.NEXUS_PASSWORD}']) { -- GitLab From 9dd0f2806e13affc59bfdec3307167bdd2f0c5a0 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 12:05:44 -0500 Subject: [PATCH 04/55] Use timestamp in saving openscap report --- Jenkinsfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index e643851..5bcc077 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
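Review bot: `DATETIME_TAG = '${DATETIME_TAG}'` in the `@@ -11,6 +18,8` hunk is a single-quoted Groovy string, so Groovy does not interpolate it, and `DATETIME_TAG` is a script-level binding set above `pipeline {}` rather than an environment variable, so I doubt the `environment` directive resolves it either; the `echo "ISO time is ${DATETIME_TAG}"` added in PATCH 03 is the quickest way to confirm what the value actually is. If the intent is to expose the script value, `DATETIME_TAG = "${DATETIME_TAG}"` (double quotes) makes the Groovy interpolation explicit. The same single-quoted `${...}` form is reused for `S3_REPORT_LOCATION` in the `@@ -13,12` hunk of PATCH 05. A short comment on the top-level assignment saying why the timestamp is computed outside the pipeline block (it is needed in `environment`, which cannot run a `script` step) would also help the next reader.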
@@ -69,8 +69,8 @@ pipeline { sshCommand remote: remote, command: "sudo docker pull ${NEXUS_SERVER}/${IMAGE_TAG}" sshCommand remote: remote, command: "sudo oscap-docker image ${NEXUS_SERVER}/${IMAGE_TAG} xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml" sshCommand remote: remote, command: "sudo oscap-docker image-cve ${NEXUS_SERVER}/${IMAGE_TAG} --report /tmp/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${S3_REPORT_LOCATION}/openscap/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${S3_REPORT_LOCATION}/openscap/report.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${S3_REPORT_LOCATION}/${DATETIME_TAG}/openscap/report-cve.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${S3_REPORT_LOCATION}/${DATETIME_TAG}/openscap/report.html" sshGet remote: remote, from: "/tmp/report.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-compliance-report.html", override: true sshGet remote: remote, from: "/tmp/report-cve.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-cve-report.html", override: true publishHTML([alwaysLinkToLastBuild: false, keepAll: false, reportDir: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}", reportFiles: 'openscap-compliance-report.html', reportName: 'OpenSCAP Compliance Report', reportTitles: 'OpenSCAP Compliance Report']) -- GitLab From f43b3d721d7b870b3fccefe8c636d755efbb2df7 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 12:35:52 -0500 Subject: [PATCH 05/55] Building full report location with ///_/ --- Jenkinsfile | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 5bcc077..3796b96 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -13,12 +13,12 @@ pipeline { NEXUS_SERVER = 'nexus-docker.52.61.140.4.nip.io' NEXUS_USERNAME = 'admin' NEXUS_PASSWORD = 'admin123' - S3_REPORT_LOCATION = 's3://dsop-pipeline-artifacts' TWISTLOCK_SERVER = 'https://twistlock-console-twistlock.us-gov-west-1.compute.internal' TWISTLOCK_USERNAME = 'jenkins-svc' TWISTLOCK_PASSWORD = 'redhat12' REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' DATETIME_TAG = '${DATETIME_TAG}' + S3_REPORT_LOCATION = 's3://dsop-pipeline-artifacts/${VENDOR_PRODUCT}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}' } // environment @@ -28,6 +28,9 @@ pipeline { string(defaultValue: "up/ubi7-hardened-dev:latest", name: 'IMAGE_TAG', description: "Image tag to be used by Docker, Nexus and all Scanning tools") + string(defaultValue: "RedHat", name: 'VENDOR_PRODUCT', + description: "What vendor is being scanned") + } // parameters stages { 
@@ -69,8 +72,8 @@ pipeline { sshCommand remote: remote, command: "sudo docker pull ${NEXUS_SERVER}/${IMAGE_TAG}" sshCommand remote: remote, command: "sudo oscap-docker image ${NEXUS_SERVER}/${IMAGE_TAG} xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml" sshCommand remote: remote, command: "sudo oscap-docker image-cve ${NEXUS_SERVER}/${IMAGE_TAG} --report /tmp/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${S3_REPORT_LOCATION}/${DATETIME_TAG}/openscap/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${S3_REPORT_LOCATION}/${DATETIME_TAG}/openscap/report.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${S3_REPORT_LOCATION}/openscap/report-cve.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${S3_REPORT_LOCATION}/openscap/report.html" sshGet remote: remote, from: "/tmp/report.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-compliance-report.html", override: true sshGet remote: remote, from: "/tmp/report-cve.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-cve-report.html", override: true publishHTML([alwaysLinkToLastBuild: false, keepAll: false, reportDir: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}", reportFiles: 'openscap-compliance-report.html', reportName: 'OpenSCAP Compliance Report', reportTitles: 'OpenSCAP Compliance Report']) -- GitLab From f58a45a2a362432a4b0c8f70881f2b5b75ed5d4e Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 12:38:37 -0500 Subject: [PATCH 06/55] Echoing path to double check --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 3796b96..5e549dc 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -39,7 +39,7 @@ pipeline { //agent { label 'docker' } steps { echo "Pushing ${IMAGE_TAG} to Nexus Staging" - echo "ISO time is ${DATETIME_TAG}" + echo "Artifact path is ${S3_REPORT_LOCATION}" //TODO Test docker on agent eventually /*withDockerRegistry([url: '${env.NEXUS_SERVER}', credentialsId: '${env.NEXUS_USERNAME}/${env.NEXUS_PASSWORD}']) { -- GitLab From 6db889e705f972f43cc4b0831108ef75904fb307 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 12:43:08 -0500 Subject: [PATCH 07/55] Fixing artifact path --- Jenkinsfile | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 5e549dc..cbcd252 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -13,13 +13,11 @@ pipeline { NEXUS_SERVER = 'nexus-docker.52.61.140.4.nip.io' NEXUS_USERNAME = 'admin' NEXUS_PASSWORD = 'admin123' + S3_REPORT_LOCATION = 's3://dsop-pipeline-artifacts' TWISTLOCK_SERVER = 'https://twistlock-console-twistlock.us-gov-west-1.compute.internal' TWISTLOCK_USERNAME = 'jenkins-svc' TWISTLOCK_PASSWORD = 'redhat12' REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' - DATETIME_TAG = '${DATETIME_TAG}' - S3_REPORT_LOCATION = 's3://dsop-pipeline-artifacts/${VENDOR_PRODUCT}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}' - } // environment parameters { choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore', @@ -39,7 +37,7 @@ pipeline { //agent { label 'docker' } steps { echo "Pushing ${IMAGE_TAG} to Nexus Staging" - echo "Artifact path is ${S3_REPORT_LOCATION}" + echo "Artifact path is ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}" //TODO Test docker on agent eventually /*withDockerRegistry([url: '${env.NEXUS_SERVER}', credentialsId: '${env.NEXUS_USERNAME}/${env.NEXUS_PASSWORD}']) { 
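Review bot: The artifact prefix `${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}` is now spelled out in the `echo` of the `@@ -39,7` hunk and twice more in the `aws s3 cp` commands of the `@@ -72,8` hunk, and PATCH 08 then edits all three copies again. Computing it once in the first stage, e.g. `env.REPORT_PREFIX = "${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}"` inside a `script` block, and referencing `${REPORT_PREFIX}` everywhere keeps the three uses from drifting. The `stage('Pull from Staging')` block that holds the echo starts outside the hunk.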
@@ -72,8 +70,8 @@ pipeline { sshCommand remote: remote, command: "sudo docker pull ${NEXUS_SERVER}/${IMAGE_TAG}" sshCommand remote: remote, command: "sudo oscap-docker image ${NEXUS_SERVER}/${IMAGE_TAG} xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml" sshCommand remote: remote, command: "sudo oscap-docker image-cve ${NEXUS_SERVER}/${IMAGE_TAG} --report /tmp/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${S3_REPORT_LOCATION}/openscap/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${S3_REPORT_LOCATION}/openscap/report.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report-cve.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report.html" sshGet remote: remote, from: "/tmp/report.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-compliance-report.html", override: true sshGet remote: remote, from: "/tmp/report-cve.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-cve-report.html", override: true publishHTML([alwaysLinkToLastBuild: false, keepAll: false, reportDir: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}", reportFiles: 'openscap-compliance-report.html', reportName: 'OpenSCAP Compliance Report', reportTitles: 'OpenSCAP Compliance Report']) -- GitLab From f29f67aa5ed42855cae51d8dd72baf3b196b105a Mon Sep 17 00:00:00 2001 
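Review bot: `VENDOR_PRODUCT` and `IMAGE_TAG` are free-text build parameters, and the two changed `sshCommand` lines interpolate them unquoted into a command string that a remote shell executes; in the same hunk `sudo docker pull ${NEXUS_SERVER}/${IMAGE_TAG}` and both `sudo oscap-docker` commands embed `${IMAGE_TAG}` the same way, so any parameter value containing whitespace or shell metacharacters alters a command run as root on the remote host, and anyone allowed to start a parameterised build can supply one. The parameters should be checked against an allowlist before the first stage uses them, e.g. `if (!(params.VENDOR_PRODUCT ==~ /[A-Za-z0-9._-]+/) || !(params.IMAGE_TAG ==~ /[A-Za-z0-9._\/:-]+/)) { error "Rejected parameter value" }`, and the destination argument single-quoted, e.g. `'${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report-cve.html'`. The same applies to `REPO_NAME` in the `@@ -67,11`, `@@ -108,7` and `@@ -131,7` hunks of PATCH 08, including the `sh "echo '...' > anchore_images"` there. The enclosing `stage('OpenSCAP Scan')` block starts outside the hunk.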
From: Will Bunker Date: Fri, 26 Apr 2019 12:55:26 -0500 Subject: [PATCH 08/55] Breaking out IMAGE_TAG into REPO_NAME and IMAGE_TAG --- Jenkinsfile | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index cbcd252..7190af4 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -23,8 +23,11 @@ pipeline { parameters { choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore', description: "Which tools to run?", name: 'toolsToRun') - string(defaultValue: "up/ubi7-hardened-dev:latest", name: 'IMAGE_TAG', - description: "Image tag to be used by Docker, Nexus and all Scanning tools") + string(defaultValue: "up/ubi7-hardened-dev", name: 'REPO_NAME', + description: "Name of repo to be used by Docker, Nexus and all Scanning tools") + + string(defaultValue: "latest", name: 'IMAGE_TAG', + description: "Image tag to be used by Docker, Nexus and all Scanning tools") string(defaultValue: "RedHat", name: 'VENDOR_PRODUCT', description: "What vendor is being scanned") @@ -36,12 +39,12 @@ pipeline { stage('Pull from Staging') { //agent { label 'docker' } steps { - echo "Pushing ${IMAGE_TAG} to Nexus Staging" - echo "Artifact path is ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}" + echo "Pushing ${REPO_NAME}:${IMAGE_TAG} to Nexus Staging" + echo "Artifact path is ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}" //TODO Test docker on agent eventually /*withDockerRegistry([url: '${env.NEXUS_SERVER}', credentialsId: '${env.NEXUS_USERNAME}/${env.NEXUS_PASSWORD}']) { - sh "docker push ${NEXUS_SERVER}/${IMAGE_TAG}" + sh "docker push ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}" }*/ } } 
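Review bot: `echo "Pushing ${REPO_NAME}:${IMAGE_TAG} to Nexus Staging"` in the `@@ -36,12` hunk sits in `stage('Pull from Staging')` whose `docker push` is still commented out, so the log claims a push that does not happen; wording it as what the stage does, e.g. `echo "Staging image is ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG} (push to Nexus not yet enabled)"`, avoids misleading anyone reading a build log. In the `@@ -23,8` hunk the `IMAGE_TAG` description is unchanged although the parameter now holds only the tag; `description: "Tag of REPO_NAME to scan (no repository part)"` would match the new split.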
@@ -67,11 +70,11 @@ pipeline { remote.identityFile = identity stage('OpenSCAP Scan') { sshCommand remote: remote, command: "sudo docker login -u ${NEXUS_USERNAME} -p ${NEXUS_PASSWORD} ${NEXUS_SERVER}" - sshCommand remote: remote, command: "sudo docker pull ${NEXUS_SERVER}/${IMAGE_TAG}" - sshCommand remote: remote, command: "sudo oscap-docker image ${NEXUS_SERVER}/${IMAGE_TAG} xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml" - sshCommand remote: remote, command: "sudo oscap-docker image-cve ${NEXUS_SERVER}/${IMAGE_TAG} --report /tmp/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report.html" + sshCommand remote: remote, command: "sudo docker pull ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}" + sshCommand remote: remote, command: "sudo oscap-docker image ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG} xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml" + sshCommand remote: remote, command: "sudo oscap-docker image-cve ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG} --report /tmp/report-cve.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report-cve.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report.html" sshGet remote: remote, from: "/tmp/report.html", into: 
"/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-compliance-report.html", override: true sshGet remote: remote, from: "/tmp/report-cve.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-cve-report.html", override: true publishHTML([alwaysLinkToLastBuild: false, keepAll: false, reportDir: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}", reportFiles: 'openscap-compliance-report.html', reportName: 'OpenSCAP Compliance Report', reportTitles: 'OpenSCAP Compliance Report']) @@ -108,7 +111,7 @@ pipeline { remote.identityFile = identity stage('SSH to Twistlock Node') { // Start the container, import the TwistCLI binary, scan image - sshCommand remote: remote, command: "sudo curl -k -ssl -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${IMAGE_TAG} --user ${TWISTLOCK_USERNAME} --password ${TWISTLOCK_PASSWORD} --address ${TWISTLOCK_SERVER} --details ${IMAGE_TAG}" + sshCommand remote: remote, command: "sudo curl -k -ssl -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${TWISTLOCK_USERNAME} --password ${TWISTLOCK_PASSWORD} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" // Clean up // Stop or remove the container image if needed.. // ToDo - Catch, or call from the console, the twistcli scan results, and complile them with the rest of the pipeline @@ -131,7 +134,7 @@ pipeline { echo 'Anchore Scan' //Below is example command that will be needed in Push to Staging step. - sh "echo '${NEXUS_SERVER}/${IMAGE_TAG}' > anchore_images" + sh "echo '${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}' > anchore_images" anchore bailOnFail: false, bailOnPluginFail: false, name: 'anchore_images' 
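Review bot: `sudo docker login -u ${NEXUS_USERNAME} -p ${NEXUS_PASSWORD} ${NEXUS_SERVER}` at the top of this hunk, now followed by the reworked pull, places the registry password on a command line that the remote shell runs, so it is visible in that host's process table and shell history, and the two values are literals in the `environment` block rather than Jenkins credentials. Bind them with `withCredentials([usernamePassword(credentialsId: '<nexus-credential-id>', usernameVariable: 'NEXUS_USER', passwordVariable: 'NEXUS_PASS')])` around the stage and feed the password through `docker login --password-stdin` instead of `-p`. The `stage('OpenSCAP Scan')` block starts outside the hunk.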
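Review bot: The twistcli download in the `@@ -108,7` hunk still runs `curl -k -ssl ... -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli ...`: `-k` disables certificate verification for a binary that is then executed as root, and `-ssl` is not one option but the bundled short options `-s -s -l` (silent twice plus `--list-only`, which has no effect on HTTPS), so it is presumably a typo for `--ssl` or `-sS`. Drop `-k` and trust the console's CA explicitly, e.g. `curl -sS --cacert /path/to/<console-ca>.pem -u ...`, or check the downloaded file against a known checksum before the `chmod +x`. The `-u user:pass` and `--password` arguments also expose the secret to the remote host's process table, which is worth noting in the comment above the line since twistcli and curl take them only as arguments. The `stage('SSH to Twistlock Node')` block starts outside the hunk.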
@@ -152,7 +155,7 @@ pipeline { stage('Push to External Registry (TODO)') { steps { - //input message: "Push image ${IMAGE_TAG} to registry?" + //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?" echo 'Pushing to Registry' } // steps } // stage -- GitLab From 9ef267ff1cff0a6191d257ed464fa3baa4ebbab3 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 13:30:46 -0500 Subject: [PATCH 09/55] Testing path and credentials --- Jenkinsfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 7190af4..f50910e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,7 +1,7 @@ //Can run groovy code outside of pipeline //Need to get ISO Time to use for storing artifacts DATETIME_TAG = java.time.LocalDateTime.now() - +DATETIME_TAG = DATETIME_TAG.replaceAll(":", "") @@ -18,6 +18,7 @@ pipeline { TWISTLOCK_USERNAME = 'jenkins-svc' TWISTLOCK_PASSWORD = 'redhat12' REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' + TEST_TWISTLOCK = 'credentials('Something')' } // environment parameters { choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore', @@ -41,6 +42,7 @@ pipeline { steps { echo "Pushing ${REPO_NAME}:${IMAGE_TAG} to Nexus Staging" echo "Artifact path is ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}" + echo "test ${TEST_TWISTLOCK}" //TODO Test docker on agent eventually /*withDockerRegistry([url: '${env.NEXUS_SERVER}', credentialsId: '${env.NEXUS_USERNAME}/${env.NEXUS_PASSWORD}']) { -- GitLab From 7fbe77d039c8bd1b62744cf30f97c07ac65a0f8d Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 13:33:49 -0500 Subject: [PATCH 10/55] removing quotes --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index f50910e..dcfd60d 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
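Review bot: `echo "test ${TEST_TWISTLOCK}"` in the `@@ -41,6` hunk of PATCH 09 prints a value bound with `credentials('Something')` to the build console; Jenkins masks such values in some contexts, but relying on that to check wiring is fragile and the log is retained. To confirm the binding without printing it, test for presence only, e.g. `echo "TEST_TWISTLOCK is ${TEST_TWISTLOCK ? 'set' : 'unset'}"`. `'Something'` reads as a placeholder credential ID; if it is, a comment saying so would stop it from being copied into a real stage.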
@@ -18,7 +18,7 @@ pipeline { TWISTLOCK_USERNAME = 'jenkins-svc' TWISTLOCK_PASSWORD = 'redhat12' REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' - TEST_TWISTLOCK = 'credentials('Something')' + TEST_TWISTLOCK = credentials('Something') } // environment parameters { choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore', -- GitLab From 2cc22e2a0c27c276b49198fed1f508e599ea10e0 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 13:39:31 -0500 Subject: [PATCH 11/55] fixing date conversion --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index dcfd60d..d9a8a41 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,6 +1,6 @@ //Can run groovy code outside of pipeline //Need to get ISO Time to use for storing artifacts -DATETIME_TAG = java.time.LocalDateTime.now() +DATETIME_TAG = java.time.LocalDateTime.now().getDateString() DATETIME_TAG = DATETIME_TAG.replaceAll(":", "") -- GitLab From e149f11fcbb254913135e8907046773574302a64 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 13:40:44 -0500 Subject: [PATCH 12/55] fixing date conversion --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index d9a8a41..7bb362d 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,6 +1,6 @@ //Can run groovy code outside of pipeline //Need to get ISO Time to use for storing artifacts -DATETIME_TAG = java.time.LocalDateTime.now().getDateString() +DATETIME_TAG = java.time.LocalDateTime.now().getDateTimeString() DATETIME_TAG = DATETIME_TAG.replaceAll(":", "") -- GitLab From 376b82603d5e0bc237285588da90af20dd6dede0 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 13:42:05 -0500 Subject: [PATCH 13/55] fixing date conversion --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 7bb362d..da858b4 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -1,6 +1,6 @@ //Can run groovy code outside of pipeline //Need to get ISO Time to use for storing artifacts -DATETIME_TAG = java.time.LocalDateTime.now().getDateTimeString() +DATETIME_TAG = java.time.LocalDateTime.now().getDateTimeString DATETIME_TAG = DATETIME_TAG.replaceAll(":", "") -- GitLab From 9cd0a7c0c4b6c0e4b6db602dc9e5c495e7ca8ede Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 13:42:54 -0500 Subject: [PATCH 14/55] fixing date conversion --- Jenkinsfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index da858b4..a7bd4bf 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,7 +1,7 @@ //Can run groovy code outside of pipeline //Need to get ISO Time to use for storing artifacts -DATETIME_TAG = java.time.LocalDateTime.now().getDateTimeString -DATETIME_TAG = DATETIME_TAG.replaceAll(":", "") +DATETIME_TAG = java.time.LocalDateTime.now() +DATETIME_TAG = DATETIME_TAG..getDateTimeString().replaceAll(":", "") -- GitLab From 9b41ffca848195bc02f7c39d13e61b17d01358e5 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 13:47:17 -0500 Subject: [PATCH 15/55] fixing date conversion --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index a7bd4bf..1967124 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,7 +1,7 @@ //Can run groovy code outside of pipeline //Need to get ISO Time to use for storing artifacts DATETIME_TAG = java.time.LocalDateTime.now() -DATETIME_TAG = DATETIME_TAG..getDateTimeString().replaceAll(":", "") +DATETIME_TAG = DATETIME_TAG..toString().replaceAll(":", "") -- GitLab From 39b45380e88dd219641ca2045c14ccca9a6f9ef5 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 13:48:24 -0500 Subject: [PATCH 16/55] fixing date conversion --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 1967124..14033cc 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -1,7 +1,7 @@ //Can run groovy code outside of pipeline //Need to get ISO Time to use for storing artifacts DATETIME_TAG = java.time.LocalDateTime.now() -DATETIME_TAG = DATETIME_TAG..toString().replaceAll(":", "") +DATETIME_TAG = DATETIME_TAG.toString().replaceAll(":", "") -- GitLab From 1bda3c132221cdd70c50dbee58c810f866a4895c Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 13:54:04 -0500 Subject: [PATCH 17/55] Moving Twistlock credentials to Jenkins credentials --- Jenkinsfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 14033cc..999c778 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -16,9 +16,8 @@ pipeline { S3_REPORT_LOCATION = 's3://dsop-pipeline-artifacts' TWISTLOCK_SERVER = 'https://twistlock-console-twistlock.us-gov-west-1.compute.internal' TWISTLOCK_USERNAME = 'jenkins-svc' - TWISTLOCK_PASSWORD = 'redhat12' + TWISTLOCK_PASSWORD = credentials('TwistLock_Password') REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' - TEST_TWISTLOCK = credentials('Something') } // environment parameters { choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore', @@ -42,7 +41,6 @@ pipeline { steps { echo "Pushing ${REPO_NAME}:${IMAGE_TAG} to Nexus Staging" echo "Artifact path is ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}" - echo "test ${TEST_TWISTLOCK}" //TODO Test docker on agent eventually /*withDockerRegistry([url: '${env.NEXUS_SERVER}', credentialsId: '${env.NEXUS_USERNAME}/${env.NEXUS_PASSWORD}']) { -- GitLab From 4c8be07a513dc3ad525bbaf914fb0af791e24b2f Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:01:22 -0500 Subject: [PATCH 18/55] Moving Twistlock credentials to Jenkins credentials --- Jenkinsfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 999c778..0b24aca 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
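Review bot: `DATETIME_TAG = DATETIME_TAG.toString().replaceAll(":", "")` now runs, but `LocalDateTime.toString()` omits the seconds and fraction when they are zero and reflects the controller's default time zone, so the S3 key segment built from it varies in length and meaning between builds. Formatting explicitly avoids both, e.g. `DATETIME_TAG = java.time.LocalDateTime.now(java.time.ZoneOffset.UTC).format(java.time.format.DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss"))`, which also removes the need for the `replaceAll`. PATCHes 11 through 15 are the intermediate attempts at this same line; the `//Need to get ISO Time` comment above it should say the value is UTC and colon-free because it becomes an S3 key.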
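Review bot: Moving `TWISTLOCK_PASSWORD` to `credentials('TwistLock_Password')` in the `@@ -16,9` hunk of PATCH 17 is the right direction, but the literal `'redhat12'` removed there remains in this repository's history, so the password should be rotated on the Twistlock side rather than only removed from the file. The `TWISTLOCK_USERNAME = 'jenkins-svc'` literal kept in the same hunk is not secret, though a single `usernamePassword` credential would keep both halves together and out of the Jenkinsfile.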
@@ -16,7 +16,6 @@ pipeline { S3_REPORT_LOCATION = 's3://dsop-pipeline-artifacts' TWISTLOCK_SERVER = 'https://twistlock-console-twistlock.us-gov-west-1.compute.internal' TWISTLOCK_USERNAME = 'jenkins-svc' - TWISTLOCK_PASSWORD = credentials('TwistLock_Password') REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' } // environment @@ -111,7 +110,7 @@ pipeline { remote.identityFile = identity stage('SSH to Twistlock Node') { // Start the container, import the TwistCLI binary, scan image - sshCommand remote: remote, command: "sudo curl -k -ssl -u ${TWISTLOCK_USERNAME}:${TWISTLOCK_PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${TWISTLOCK_USERNAME} --password ${TWISTLOCK_PASSWORD} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" + sshCommand remote: remote, command: "sudo curl -k -ssl -u ${TWISTLOCK_USERNAME}:${$TwistLock_Password} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${TWISTLOCK_USERNAME} --password ${$TwistLock_Password} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" // Clean up // Stop or remove the container image if needed.. // ToDo - Catch, or call from the console, the twistcli scan results, and complile them with the rest of the pipeline -- GitLab From f85e0757aa4a20faf462809c9811b6f4c2e8b8b2 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:03:49 -0500 Subject: [PATCH 19/55] Moving Twistlock credentials to Jenkins credentials --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 0b24aca..6cd3676 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -110,7 +110,7 @@ pipeline { remote.identityFile = identity stage('SSH to Twistlock Node') { // Start the container, import the TwistCLI binary, scan image - sshCommand remote: remote, command: "sudo curl -k -ssl -u ${TWISTLOCK_USERNAME}:${$TwistLock_Password} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${TWISTLOCK_USERNAME} --password ${$TwistLock_Password} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" + sshCommand remote: remote, command: "sudo curl -k -ssl -u ${TWISTLOCK_USERNAME}:${TwistLock_Password} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${TWISTLOCK_USERNAME} --password ${TwistLock_Password} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" // Clean up // Stop or remove the container image if needed.. // ToDo - Catch, or call from the console, the twistcli scan results, and complile them with the rest of the pipeline -- GitLab From faad04c4448f9d1bfb4b0cfbdec2258b9a0147ff Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:16:42 -0500 Subject: [PATCH 20/55] Moving Twistlock credentials to Jenkins credentials --- Jenkinsfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 6cd3676..22ec83f 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -15,7 +15,6 @@ pipeline { NEXUS_PASSWORD = 'admin123' S3_REPORT_LOCATION = 's3://dsop-pipeline-artifacts' TWISTLOCK_SERVER = 'https://twistlock-console-twistlock.us-gov-west-1.compute.internal' - TWISTLOCK_USERNAME = 'jenkins-svc' REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' } // environment 
@@ -110,7 +109,9 @@ pipeline { remote.identityFile = identity stage('SSH to Twistlock Node') { // Start the container, import the TwistCLI binary, scan image - sshCommand remote: remote, command: "sudo curl -k -ssl -u ${TWISTLOCK_USERNAME}:${TwistLock_Password} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${TWISTLOCK_USERNAME} --password ${TwistLock_Password} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" + withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { + sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password ${PASSWORD} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" + }// withCredentials // Clean up // Stop or remove the container image if needed.. // ToDo - Catch, or call from the console, the twistcli scan results, and complile them with the rest of the pipeline -- GitLab From 03be97c173fdef116d4697cf9b4e79c34032814e Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:25:25 -0500 Subject: [PATCH 21/55] Moving Twistlock credentials to Jenkins credentials --- Jenkinsfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 22ec83f..cb2110d 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
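Review bot: Inside `withCredentials` this hunk still builds the command as a Groovy GString, so `${USERNAME}` and `${PASSWORD}` are expanded on the controller into the text that the remote shell then parses; a password containing `&`, `;`, `$`, quotes or whitespace changes the command, and the `replaceAll` attempts in PATCHes 21 to 24 are symptoms of that. Rather than escaping individual characters, quote the whole argument for a POSIX shell: a small helper above `pipeline {}`, `def shq(String s) { "'" + s.replace("'", "'\\''") + "'" }`, and then `-u ${shq(USERNAME + ':' + PASSWORD)}` and `--password ${shq(PASSWORD)}`, which makes every metacharacter literal. The secret still travels as a command-line argument on the remote host, so it remains visible to other users there; the `stage('SSH to Twistlock Node')` block starts outside the hunk.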
@@ -110,7 +110,8 @@ pipeline { stage('SSH to Twistlock Node') { // Start the container, import the TwistCLI binary, scan image withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { - sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password ${PASSWORD} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" + password_escaped = PASSWORD.replaceAll(":", "") + sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password ${password_escaped} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" }// withCredentials // Clean up // Stop or remove the container image if needed.. -- GitLab From a2a3d07f7d6f330b9b74b6ed3c51de8decf6b457 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:27:30 -0500 Subject: [PATCH 22/55] Moving Twistlock credentials to Jenkins credentials --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index cb2110d..627e26e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
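Review bot: `password_escaped = PASSWORD.replaceAll(":", "")` deletes every colon from the secret before it reaches `--password`, so authentication fails for any password that contains one, while `-u ${USERNAME}:${PASSWORD}` on the same line still uses the raw value. The follow-ups do not get there either: `replaceAll("&", "\&")` in PATCH 22 is not a valid escape in a Groovy double-quoted string and should fail to compile, `"\\&"` in PATCH 23 is the replacement string `\&`, which `replaceAll` reads as a literal `&` (no change), and `"/\\&/"` in PATCH 24 rewrites each `&` as `/&/`, corrupting the secret. A backslash in the output would need `"\\\\&"`, but that covers only `&`; the value has to be quoted for the remote shell as a whole, not edited with a regex. `password_escaped` is also assigned without `def`, which makes it a script-level binding holding the secret beyond the `withCredentials` block.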
@@ -110,7 +110,7 @@ pipeline { stage('SSH to Twistlock Node') { // Start the container, import the TwistCLI binary, scan image withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { - password_escaped = PASSWORD.replaceAll(":", "") + password_escaped = PASSWORD.replaceAll("&", "\&") sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password ${password_escaped} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" }// withCredentials // Clean up -- GitLab From 3c4e774b771e41918366c20abfd3e505a0df50d1 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:28:29 -0500 Subject: [PATCH 23/55] Moving Twistlock credentials to Jenkins credentials --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 627e26e..919140f 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -110,7 +110,7 @@ pipeline { stage('SSH to Twistlock Node') { // Start the container, import the TwistCLI binary, scan image withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { - password_escaped = PASSWORD.replaceAll("&", "\&") + password_escaped = PASSWORD.replaceAll("&", "\\&") sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password ${password_escaped} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" }// withCredentials // Clean up -- GitLab From c29f0775041c20d3d15885f1e125436ca92abeb4 Mon Sep 17 00:00:00 2001 
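Review bot: `PASSWORD.replaceAll("&", "\\&")` is a no-op: the Groovy literal `"\\&"` is the two-character string `\&`, and in a Java regex replacement string a backslash escapes the following character, so the replacement is simply `&`. The preceding revision's `"\&"` is not a valid Groovy escape sequence and should fail to compile outright. Rather than iterating on replacement-string escaping, single-quote `'${PASSWORD}'` inside the remote command and remove the `password_escaped` assignment entirely.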
From: Will Bunker Date: Fri, 26 Apr 2019 14:35:53 -0500 Subject: [PATCH 24/55] Moving Twistlock credentials to Jenkins credentials --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 919140f..e2ad35f 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -110,7 +110,7 @@ pipeline { stage('SSH to Twistlock Node') { // Start the container, import the TwistCLI binary, scan image withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { - password_escaped = PASSWORD.replaceAll("&", "\\&") + password_escaped = PASSWORD.replaceAll("&", "/\\&/") sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password ${password_escaped} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" }// withCredentials // Clean up -- GitLab From b926213987f5ca384153aa161e2898bcac47c4ae Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:37:24 -0500 Subject: [PATCH 25/55] Moving Twistlock credentials to Jenkins credentials --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index e2ad35f..6da50a4 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -110,7 +110,7 @@ pipeline { stage('SSH to Twistlock Node') { // Start the container, import the TwistCLI binary, scan image withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { - password_escaped = PASSWORD.replaceAll("&", "/\\&/") + password_escaped = PASSWORD.replaceAll("&", "\\\\&") sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password ${password_escaped} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" }// withCredentials // Clean up -- GitLab From 500b3e5a5a64484e93ea4ccba40960d9e14a87bf Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:40:03 -0500 Subject: [PATCH 26/55] Moving Twistlock credentials to Jenkins credentials --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 6da50a4..ed7224e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
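Review bot: `"\\\\&"` does yield `\&` after Groovy and replacement-string unescaping, but escaping a single metacharacter is not a quoting strategy: a password containing a space, `;`, `|`, `$`, `'` or a backtick still reaches the remote shell unquoted via `--password ${password_escaped}`, and the `curl -u ${USERNAME}:${PASSWORD}` on the same line remains completely unescaped. Wrap the credential in single quotes in the command string, `--password '${PASSWORD}'`, and drop `password_escaped`.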
@@ -111,7 +111,7 @@ pipeline { // Start the container, import the TwistCLI binary, scan image withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { password_escaped = PASSWORD.replaceAll("&", "\\\\&") - sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password ${password_escaped} --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" + sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password '${PASSWORD}'' --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" }// withCredentials // Clean up // Stop or remove the container image if needed.. -- GitLab From b1e0d8c92c1295bddc219fd406ca3a0e8850f086 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:41:28 -0500 Subject: [PATCH 27/55] Moving Twistlock credentials to Jenkins credentials --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index ed7224e..a6c28e2 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
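Review bot: `--password '${PASSWORD}''` has an unbalanced trailing quote, so the remote shell will either fail with a syntax error or swallow the rest of the line into an open string before twistcli runs; it should read `--password '${PASSWORD}'`. With the password now quoted directly, the `password_escaped = PASSWORD.replaceAll(...)` line above it is dead code and should be removed in the same change.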
@@ -111,7 +111,7 @@ pipeline { // Start the container, import the TwistCLI binary, scan image withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { password_escaped = PASSWORD.replaceAll("&", "\\\\&") - sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password '${PASSWORD}'' --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" + sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password '${PASSWORD}' --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" }// withCredentials // Clean up // Stop or remove the container image if needed.. -- GitLab From b0f5b6ef97a62b19eea711b1c2960b2913ae7963 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:43:05 -0500 Subject: [PATCH 28/55] Moving Twistlock credentials to Jenkins credentials --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index a6c28e2..e370fcd 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -111,7 +111,7 @@ pipeline { // Start the container, import the TwistCLI binary, scan image withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { password_escaped = PASSWORD.replaceAll("&", "\\\\&") - sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${PASSWORD} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password '${PASSWORD}' --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" + sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${password_escaped} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password '${PASSWORD}' --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" }// withCredentials // Clean up // Stop or remove the container image if needed.. -- GitLab From 4e66f2983d0ee75418985c4441f9715d6a1e160f Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:44:44 -0500 Subject: [PATCH 29/55] Moving Twistlock credentials to Jenkins credentials --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index e370fcd..2526041 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -111,7 +111,7 @@ pipeline { // Start the container, import the TwistCLI binary, scan image withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { password_escaped = PASSWORD.replaceAll("&", "\\\\&") - sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:${password_escaped} ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password '${PASSWORD}' --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" + sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:'${PASSWORD}' ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password '${PASSWORD}' --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" }// withCredentials // Clean up // Stop or remove the container image if needed.. -- GitLab From cccbacf09d97cb3a5d0fcc13dca3239badf697f6 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:52:09 -0500 Subject: [PATCH 30/55] Moving Nexus credentials to Jenkins credentials --- Jenkinsfile | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 2526041..080f967 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -11,8 +11,6 @@ pipeline { environment { NEXUS_SERVER = 'nexus-docker.52.61.140.4.nip.io' - NEXUS_USERNAME = 'admin' - NEXUS_PASSWORD = 'admin123' S3_REPORT_LOCATION = 's3://dsop-pipeline-artifacts' TWISTLOCK_SERVER = 'https://twistlock-console-twistlock.us-gov-west-1.compute.internal' REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' 
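Review bot: Single-quoting `'${PASSWORD}'` for both `curl -u` and `--password` covers most shell metacharacters but not an embedded `'`, which would close the quote and splice the remainder of the password into the command; and although `withCredentials` masks the value in the Jenkins console, on the scan host the password is still visible in the process list and in whatever command logging sshd or `sudo` performs. If twistcli can read the password from the environment or a file (worth confirming in its documentation), prefer that over `--password`. The `password_escaped` assignment is unused after this change and should be deleted.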
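Review bot: The `NEXUS_USERNAME = 'admin'` / `NEXUS_PASSWORD = 'admin123'` lines removed from `environment` here remain in every earlier revision of this repository, so moving them into the Jenkins credential store does not revoke them — the Nexus admin password should be rotated and the new value stored only in the `Nexus` credential, and the same treatment applies to any other credential that was hard-coded in this block. Consider also giving the pipeline a dedicated least-privilege Nexus account rather than `admin`.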
@@ -67,7 +65,11 @@ pipeline { remote.user = userName remote.identityFile = identity stage('OpenSCAP Scan') { - sshCommand remote: remote, command: "sudo docker login -u ${NEXUS_USERNAME} -p ${NEXUS_PASSWORD} ${NEXUS_SERVER}" + + withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'NEXUS_USERNAME', passwordVariable: 'NEXUS_PASSWORD')]) { + sshCommand remote: remote, command: "sudo docker login -u ${NEXUS_USERNAME} -p '${NEXUS_PASSWORD}' ${NEXUS_SERVER}" + } + sshCommand remote: remote, command: "sudo docker pull ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}" sshCommand remote: remote, command: "sudo oscap-docker image ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG} xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml" sshCommand remote: remote, command: "sudo oscap-docker image-cve ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG} --report /tmp/report-cve.html" @@ -110,7 +112,6 @@ pipeline { stage('SSH to Twistlock Node') { // Start the container, import the TwistCLI binary, scan image withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { - password_escaped = PASSWORD.replaceAll("&", "\\\\&") sshCommand remote: remote, command: "sudo curl -k -ssl -u ${USERNAME}:'${PASSWORD}' ${TWISTLOCK_SERVER}/api/v1/util/twistcli -o twistcli && sudo chmod +x ./twistcli && sudo ./twistcli images scan ${REPO_NAME}:${IMAGE_TAG} --user ${USERNAME} --password '${PASSWORD}' --address ${TWISTLOCK_SERVER} --details ${REPO_NAME}:${IMAGE_TAG}" }// withCredentials // Clean up -- GitLab From 5d6ece43e26811071f17de219d8c4246f50b5b2b Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:53:44 -0500 Subject: [PATCH 31/55] Moving Nexus credentials to Jenkins credentials --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 080f967..8819311 100644 
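Review bot: The new `withCredentials` around the Nexus login uses `credentialsId: 'TwistLock'`, so the Twistlock console credential is handed to `docker login` against `${NEXUS_SERVER}`; it should reference the Nexus credential. Separately, `docker login -u ... -p '...'` puts the registry password on the remote command line (Docker itself warns about this and offers `--password-stdin`), and because `sudo docker login` stores the credential in root's `~/.docker/config.json` on the scan host unless a credential helper is configured, the stage should finish with `sshCommand remote: remote, command: "sudo docker logout ${NEXUS_SERVER}"` so it does not persist after the build. The enclosing `node`/`withCredentials([sshUserPrivateKey(...)])` block starts outside the hunk.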
--- a/Jenkinsfile +++ b/Jenkinsfile @@ -67,7 +67,7 @@ pipeline { stage('OpenSCAP Scan') { withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'NEXUS_USERNAME', passwordVariable: 'NEXUS_PASSWORD')]) { - sshCommand remote: remote, command: "sudo docker login -u ${NEXUS_USERNAME} -p '${NEXUS_PASSWORD}' ${NEXUS_SERVER}" + sshCommand remote: remote, command: "sudo docker login -u ${NEXUS_USERNAME} -p ${NEXUS_PASSWORD} ${NEXUS_SERVER}" } sshCommand remote: remote, command: "sudo docker pull ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}" -- GitLab From 3bb0b52ebd0b8b5ed5377f91e048c64e10c112c0 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 14:57:35 -0500 Subject: [PATCH 32/55] Moving Nexus credentials to Jenkins credentials --- Jenkinsfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 8819311..0a7babb 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -66,8 +66,8 @@ pipeline { remote.identityFile = identity stage('OpenSCAP Scan') { - withCredentials([usernamePassword(credentialsId: 'TwistLock', usernameVariable: 'NEXUS_USERNAME', passwordVariable: 'NEXUS_PASSWORD')]) { - sshCommand remote: remote, command: "sudo docker login -u ${NEXUS_USERNAME} -p ${NEXUS_PASSWORD} ${NEXUS_SERVER}" + withCredentials([usernamePassword(credentialsId: 'Nexus', usernameVariable: 'NEXUS_USERNAME', passwordVariable: 'NEXUS_PASSWORD')]) { + sshCommand remote: remote, command: "sudo docker login -u ${NEXUS_USERNAME} -p '${NEXUS_PASSWORD}' ${NEXUS_SERVER}" } sshCommand remote: remote, command: "sudo docker pull ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}" -- GitLab From 862af1d5677c064683a909387855d2cecb8f0b26 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 15:01:32 -0500 Subject: [PATCH 33/55] Changed S3_REPORT_LOCATION to S3_REPORT_BUCKET to make clearer --- Jenkinsfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/Jenkinsfile b/Jenkinsfile index 0a7babb..cc98b55 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -11,7 +11,7 @@ pipeline { environment { NEXUS_SERVER = 'nexus-docker.52.61.140.4.nip.io' - S3_REPORT_LOCATION = 's3://dsop-pipeline-artifacts' + S3_REPORT_BUCKET = 's3://dsop-pipeline-artifacts' TWISTLOCK_SERVER = 'https://twistlock-console-twistlock.us-gov-west-1.compute.internal' REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' } // environment @@ -36,7 +36,7 @@ pipeline { //agent { label 'docker' } steps { echo "Pushing ${REPO_NAME}:${IMAGE_TAG} to Nexus Staging" - echo "Artifact path is ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}" + echo "Artifact path is ${S3_REPORT_BUCKET}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}" //TODO Test docker on agent eventually /*withDockerRegistry([url: '${env.NEXUS_SERVER}', credentialsId: '${env.NEXUS_USERNAME}/${env.NEXUS_PASSWORD}']) { 
@@ -73,8 +73,8 @@ pipeline { sshCommand remote: remote, command: "sudo docker pull ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}" sshCommand remote: remote, command: "sudo oscap-docker image ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG} xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml" sshCommand remote: remote, command: "sudo oscap-docker image-cve ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG} --report /tmp/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${S3_REPORT_LOCATION}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${S3_REPORT_BUCKET}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report-cve.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${S3_REPORT_BUCKET}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report.html" sshGet remote: remote, from: "/tmp/report.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-compliance-report.html", override: true sshGet remote: remote, from: "/tmp/report-cve.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-cve-report.html", override: true publishHTML([alwaysLinkToLastBuild: false, keepAll: false, reportDir: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}", reportFiles: 'openscap-compliance-report.html', reportName: 'OpenSCAP Compliance Report', reportTitles: 'OpenSCAP Compliance Report']) -- GitLab 
From b03f60874f6e04709d86464691b9d2da09db6c02 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 15:20:58 -0500 Subject: [PATCH 34/55] Generating openscap artifact path at start of block --- Jenkinsfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index cc98b55..fb739da 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -62,6 +62,7 @@ pipeline { remote.allowAnyHosts = true node { withCredentials([sshUserPrivateKey(credentialsId: 'oscap', keyFileVariable: 'identity', usernameVariable: 'userName')]) { + openscap_artifact_path = "${S3_REPORT_BUCKET}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/" remote.user = userName remote.identityFile = identity stage('OpenSCAP Scan') { 
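Review bot: `openscap_artifact_path` is built from `VENDOR_PRODUCT`, `REPO_NAME` and `IMAGE_TAG`, which are defined outside this hunk (IMAGE_TAG appears to be a free-form build parameter), and is then interpolated unquoted into remote `aws s3 cp` commands, so a value containing a space or a shell metacharacter alters the command rather than just the S3 key. Validate the parameters against an allow-list before use, e.g. `if (!(IMAGE_TAG ==~ /[A-Za-z0-9._\/:-]+/)) { error("unexpected IMAGE_TAG") }`, and quote the path where it is used. Separately, the surrounding `remote.allowAnyHosts = true` (pre-existing, not changed here) disables SSH host-key verification for a session that runs `sudo` and carries the Nexus login, leaving it open to a MITM; pin the host key instead. The enclosing `script`/`node` block starts outside the hunk.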
@@ -74,7 +75,7 @@ pipeline { sshCommand remote: remote, command: "sudo oscap-docker image ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG} xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml" sshCommand remote: remote, command: "sudo oscap-docker image-cve ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG} --report /tmp/report-cve.html" sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${S3_REPORT_BUCKET}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${S3_REPORT_BUCKET}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${openscap_artifact_path}/report.html" sshGet remote: remote, from: "/tmp/report.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-compliance-report.html", override: true sshGet remote: remote, from: "/tmp/report-cve.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-cve-report.html", override: true publishHTML([alwaysLinkToLastBuild: false, keepAll: false, reportDir: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}", reportFiles: 'openscap-compliance-report.html', reportName: 'OpenSCAP Compliance Report', reportTitles: 'OpenSCAP Compliance Report']) -- GitLab From 41e76ce6aea89012fa4674d25afb293e4dcb27fd Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 15:24:43 -0500 Subject: [PATCH 35/55] Generating full image path at start of block --- Jenkinsfile | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index fb739da..26b5e44 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -63,6 +63,7 @@ pipeline { node { withCredentials([sshUserPrivateKey(credentialsId: 'oscap', keyFileVariable: 'identity', usernameVariable: 'userName')]) { openscap_artifact_path = "${S3_REPORT_BUCKET}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/" + image_full_path = "${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}" remote.user = userName remote.identityFile = identity stage('OpenSCAP Scan') { 
@@ -71,11 +72,11 @@ pipeline { sshCommand remote: remote, command: "sudo docker login -u ${NEXUS_USERNAME} -p '${NEXUS_PASSWORD}' ${NEXUS_SERVER}" } - sshCommand remote: remote, command: "sudo docker pull ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}" - sshCommand remote: remote, command: "sudo oscap-docker image ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG} xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml" - sshCommand remote: remote, command: "sudo oscap-docker image-cve ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG} --report /tmp/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${S3_REPORT_BUCKET}/${VENDOR_PRODUCT}/${REPO_NAME}/${IMAGE_TAG}/${DATETIME_TAG}_${BUILD_NUMBER}/openscap/report-cve.html" - sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${openscap_artifact_path}/report.html" + sshCommand remote: remote, command: "sudo docker pull ${image_full_path}" + sshCommand remote: remote, command: "sudo oscap-docker image ${image_full_path} xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml" + sshCommand remote: remote, command: "sudo oscap-docker image-cve ${image_full_path} --report /tmp/report-cve.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report-cve.html ${openscap_artifact_path}report-cve.html" + sshCommand remote: remote, command: "/usr/sbin/aws s3 cp /tmp/report.html ${openscap_artifact_path}report.html" sshGet remote: remote, from: "/tmp/report.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-compliance-report.html", override: true sshGet remote: remote, from: "/tmp/report-cve.html", into: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}/openscap-cve-report.html", override: true publishHTML([alwaysLinkToLastBuild: 
false, keepAll: false, reportDir: "/var/lib/jenkins/jobs/${env.JOB_NAME}/builds/${env.BUILD_NUMBER}", reportFiles: 'openscap-compliance-report.html', reportName: 'OpenSCAP Compliance Report', reportTitles: 'OpenSCAP Compliance Report']) -- GitLab From a099ae8ffc3eb65bce1f81710df0779dcdc3a916 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 16:34:17 -0500 Subject: [PATCH 36/55] Seeing if gpg available --- Jenkinsfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Jenkinsfile b/Jenkinsfile index 26b5e44..16b1fbd 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -157,10 +157,14 @@ pipeline { } // steps } // stage + + + stage('Push to External Registry (TODO)') { steps { //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?" echo 'Pushing to Registry' + sh "gpg --list-keys" } // steps } // stage -- GitLab From b84df31e5439b29528fe3f6750ea4f2af9158d63 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 16:36:40 -0500 Subject: [PATCH 37/55] removing test to form another branch --- Jenkinsfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 16b1fbd..28caca3 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -164,7 +164,6 @@ pipeline { steps { //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?" echo 'Pushing to Registry' - sh "gpg --list-keys" } // steps } // stage -- GitLab From 6e28535146eda8f558d2a8e4275dc864d99dd49e Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Fri, 26 Apr 2019 16:38:51 -0500 Subject: [PATCH 38/55] Seeing if gpg available --- Jenkinsfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Jenkinsfile b/Jenkinsfile index 28caca3..16b1fbd 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -164,6 +164,7 @@ pipeline { steps { //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?" echo 'Pushing to Registry' + sh "gpg --list-keys" } // steps } // stage -- GitLab From 914526915ada31ac3ffeae7fe9aaed1c9a60f1f4 Mon Sep 17 00:00:00 2001 
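Review bot: The rewritten `oscap-docker ... --report /tmp/report.html` and `--report /tmp/report-cve.html` lines have root (via `sudo`) write to fixed, predictable paths in the shared `/tmp` of the scan host: any local user there can pre-create a symlink at that name and have root overwrite a file of their choosing, and two concurrent builds of this job would clobber each other's reports before `aws s3 cp` and `sshGet` collect them. Create a per-build directory on the remote at the start of the block — for example capture the output of a remote `mktemp -d` (the ssh-steps `sshCommand` returns stdout, if I recall correctly) into a `report_dir` variable — and use it for the `--report` outputs, the `aws s3 cp` sources and the `sshGet from:` paths, removing it at the end. The enclosing `stage('OpenSCAP Scan')` starts outside the hunk.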
From: Will Bunker Date: Sat, 27 Apr 2019 09:08:57 -0500 Subject: [PATCH 39/55] Adding GPG signing for containers --- Jenkinsfile | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 16b1fbd..d730408 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -12,7 +12,6 @@ pipeline { environment { NEXUS_SERVER = 'nexus-docker.52.61.140.4.nip.io' S3_REPORT_BUCKET = 's3://dsop-pipeline-artifacts' - TWISTLOCK_SERVER = 'https://twistlock-console-twistlock.us-gov-west-1.compute.internal' REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com' } // environment @@ -90,6 +89,10 @@ pipeline { } // stage stage('Twistlock Scan') { + environment { + TWISTLOCK_SERVER = 'https://twistlock-console-twistlock.us-gov-west-1.compute.internal' + } // environment + when { anyOf { environment name: "toolsToRun", value: "All" @@ -161,10 +164,15 @@ pipeline { stage('Push to External Registry (TODO)') { + environment { + SIGNING_KEY = credentials('ContainerSigningKey') + SIGNING_KEY_PASSPHRASE = credentials('ContainerSigningKeyPassphrase') + } // environment + steps { //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?" echo 'Pushing to Registry' - sh "gpg --list-keys" + sh "g=$(mktemp -d) && trap "rm -rf $g" EXIT || exit 255; echo '${SIGNING_KEY}' | gpg --homedir $g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} - ;gpg --detach-sign -o sig.gpg --armor --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sometext.txt; rm -fr $g" } // steps } // stage -- GitLab From 8420b5c4f2a764dbd031d85e48277430998d70aa Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Sat, 27 Apr 2019 09:12:50 -0500 Subject: [PATCH 40/55] dubugging GPG signing --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index d730408..f8a74cc 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
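Review bot: The signing step interpolates `${SIGNING_KEY}` and `${SIGNING_KEY_PASSPHRASE}` into a Groovy double-quoted `sh "..."` string, so the private key and its passphrase become part of the generated shell script that Jenkins writes to the workspace and of the `sh -c` argument visible in the process list — Jenkins explicitly warns against Groovy interpolation of credentials for this reason, and `--passphrase` on the gpg command line exposes the passphrase to `ps` as well. Since the stage `environment` already exports both as environment variables, use a single-quoted script and let the shell read `$SIGNING_KEY`/`$SIGNING_KEY_PASSPHRASE`, feeding the passphrase to gpg over `--passphrase-fd 0`; this also removes the need for the `\"`/`\$` escaping that the following commits add, and the literal inner `"rm -rf $g"` in this revision terminates the GString and will not compile as written. The rewrite below assumes `ContainerSigningKey` is a secret-text credential holding the armored key, as the `echo '${SIGNING_KEY}' | gpg --import` form suggests; if it is a secret-file credential, `$SIGNING_KEY` is already a path and the `printf > "$f"` line should be dropped. Signing `sometext.txt` rather than the image digest is presumably the TODO the stage name refers to.
```groovy
sh '''
    g=$(mktemp -d) && f=$(mktemp) && trap 'rm -rf "$g" "$f"' EXIT || exit 255
    printf '%s\\n' "$SIGNING_KEY" > "$f"
    printf '%s' "$SIGNING_KEY_PASSPHRASE" | gpg --homedir "$g" --batch --pinentry-mode loopback --passphrase-fd 0 --import "$f"
    printf '%s' "$SIGNING_KEY_PASSPHRASE" | gpg --homedir "$g" --batch --pinentry-mode loopback --passphrase-fd 0 --armor --detach-sign -o sig.gpg sometext.txt
'''
```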
@@ -172,7 +172,7 @@ pipeline { steps { //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?" echo 'Pushing to Registry' - sh "g=$(mktemp -d) && trap "rm -rf $g" EXIT || exit 255; echo '${SIGNING_KEY}' | gpg --homedir $g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} - ;gpg --detach-sign -o sig.gpg --armor --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sometext.txt; rm -fr $g" + sh "g=$(mktemp -d) && trap \"rm -rf $g\" EXIT || exit 255; echo '${SIGNING_KEY}' | gpg --homedir $g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} - ;gpg --detach-sign -o sig.gpg --armor --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sometext.txt; rm -fr $g" } // steps } // stage -- GitLab From 2f2b445e89f539e28617bbdf8641f8014b77aabb Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Sat, 27 Apr 2019 09:15:05 -0500 Subject: [PATCH 41/55] dubugging GPG signing --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index f8a74cc..9dbd71e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -172,7 +172,7 @@ pipeline { steps { //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?" echo 'Pushing to Registry' - sh "g=$(mktemp -d) && trap \"rm -rf $g\" EXIT || exit 255; echo '${SIGNING_KEY}' | gpg --homedir $g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} - ;gpg --detach-sign -o sig.gpg --armor --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sometext.txt; rm -fr $g" + sh "g=$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255; echo '${SIGNING_KEY}' | gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} - ;gpg --detach-sign -o sig.gpg --armor --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sometext.txt; rm -fr \$g" } // steps } // stage -- GitLab From 74c4c53dab7403c4a6396833a3be714f4e064ef3 Mon Sep 17 00:00:00 2001 
From: Will Bunker Date: Sat, 27 Apr 2019 09:16:30 -0500 Subject: [PATCH 42/55] dubugging GPG signing --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 9dbd71e..753517d 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -172,7 +172,7 @@ pipeline { steps { //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?" echo 'Pushing to Registry' - sh "g=$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255; echo '${SIGNING_KEY}' | gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} - ;gpg --detach-sign -o sig.gpg --armor --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sometext.txt; rm -fr \$g" + sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255; echo '${SIGNING_KEY}' | gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} - ;gpg --detach-sign -o sig.gpg --armor --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sometext.txt; rm -fr \$g" } // steps } // stage -- GitLab From e6c24ef1fc5c7ac155329efd2221adb88c9928a8 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Sat, 27 Apr 2019 09:22:26 -0500 Subject: [PATCH 43/55] dubugging GPG signing --- Jenkinsfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Jenkinsfile b/Jenkinsfile index 753517d..b67d015 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -172,6 +172,7 @@ pipeline { steps { //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?" echo 'Pushing to Registry' + sh "echo 'My very cool container' > sometext.txt" sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255; echo '${SIGNING_KEY}' | gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} - ;gpg --detach-sign -o sig.gpg --armor --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sometext.txt; rm -fr \$g" } // steps } // stage -- GitLab From 152e82e2b19a795de2bbb77008d97d5e56e903ff Mon Sep 17 00:00:00 2001 
From: Will Bunker Date: Sat, 27 Apr 2019 09:45:35 -0500 Subject: [PATCH 44/55] dubugging GPG signing --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index b67d015..9b8b2e4 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -173,7 +173,7 @@ pipeline { //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?" echo 'Pushing to Registry' sh "echo 'My very cool container' > sometext.txt" - sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255; echo '${SIGNING_KEY}' | gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} - ;gpg --detach-sign -o sig.gpg --armor --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sometext.txt; rm -fr \$g" + sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f\" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$f ;gpg --detach-sign -o sig.gpg --armor --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg" } // steps } // stage -- GitLab From a62f192e937029deb31dc51c8cb1ef6c331b47c8 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Sat, 27 Apr 2019 09:47:22 -0500 Subject: [PATCH 45/55] dubugging GPG signing --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 9b8b2e4..ba450a1 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
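Review bot: The second `trap \"rm \$f\" EXIT` replaces the first handler instead of adding to it, so if any later command fails (the Jenkins `sh` step runs with `-e` by default) the shell exits, `$f` is removed, but the GnuPG homedir `$g` — which now holds the imported private signing key — is left behind on the agent; the trailing `rm -fr \$g` only runs on the happy path. Register one handler that removes both, `trap \"rm -rf \$g \$f\" EXIT`, and drop the explicit `rm` calls at the end. Writing the key to `$f` also leaves it on disk for the duration of the step; the `echo ... | gpg --import -` form from the previous revision avoided that and could be kept once the passphrase is supplied via `--passphrase-fd` rather than stdin.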
@@ -173,7 +173,7 @@ pipeline { //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?" echo 'Pushing to Registry' sh "echo 'My very cool container' > sometext.txt" - sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f\" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$f ;gpg --detach-sign -o sig.gpg --armor --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg" + sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f\" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$f ;gpg --pinentry-mode loopback --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg" } // steps } // stage -- GitLab From 38fe519e8ea18d146bd1b5e994994e2b63b5e8ad Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Sat, 27 Apr 2019 09:55:09 -0500 Subject: [PATCH 46/55] dubugging GPG signing --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index ba450a1..43ff367 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -173,7 +173,7 @@ pipeline {
 //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?"
 echo 'Pushing to Registry'
 sh "echo 'My very cool container' > sometext.txt"
- sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f\" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$f ;gpg --pinentry-mode loopback --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg"
+ sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f\" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f;cat \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$f ;gpg --pinentry-mode loopback --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg"
 } // steps
 } // stage
-- GitLab
From f1cb62ee4ea72432b6a64a8115fe22de26c9c823 Mon Sep 17 00:00:00 2001
From: Will Bunker
Date: Sat, 27 Apr 2019 09:57:25 -0500
Subject: [PATCH 47/55] dubugging GPG signing
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 43ff367..501bc4f 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
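Review bot: The added `cat \$f` prints the armored private signing key into the build console log, which is readable by anyone with read access to the job and is usually archived and shipped to log aggregation. If this revision has run even once, treat the key as exposed and revoke/rotate it. To confirm the import succeeded without printing secret material, use `gpg --homedir \$g --list-secret-keys --with-colons | grep '^fpr'` or just rely on gpg's exit status under `-e`. Debug lines like this are exactly the ones that get forgotten and merged.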
@@ -173,7 +173,7 @@ pipeline {
 //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?"
 echo 'Pushing to Registry'
 sh "echo 'My very cool container' > sometext.txt"
- sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f\" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f;cat \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$f ;gpg --pinentry-mode loopback --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg"
+ sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f\" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f;cat \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$f ;echo 'made it here';;gpg --pinentry-mode loopback --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg"
 } // steps
 } // stage
-- GitLab
From 19146a2997f7dfac93ea94906fd6812499c99a9b Mon Sep 17 00:00:00 2001
From: Will Bunker
Date: Sat, 27 Apr 2019 09:58:39 -0500
Subject: [PATCH 48/55] dubugging GPG signing
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 501bc4f..30dbf26 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
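Review bot: `;;` between `echo 'made it here'` and the `gpg` call is a shell syntax error outside a `case` statement, and because the whole step is one command list the shell should reject the entire script at parse time rather than run up to that point. The `echo` itself adds nothing: Jenkins already traces each command under `set -x`, which is also why every value Groovy interpolates into this string lands in the log. A multi-line single-quoted `sh '''…'''` script with `set -eu` at the top and one command per line would make mistakes like this visible in review instead of at run time.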
@@ -173,7 +173,7 @@ pipeline {
 //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?"
 echo 'Pushing to Registry'
 sh "echo 'My very cool container' > sometext.txt"
- sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f\" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f;cat \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$f ;echo 'made it here';;gpg --pinentry-mode loopback --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg"
+ sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f\" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f;cat \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$f ;echo 'made it here';gpg --pinentry-mode loopback --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg"
 } // steps
 } // stage
-- GitLab
From 13a4f05c8fce43f55a18570be63c34ba95a57be7 Mon Sep 17 00:00:00 2001
From: Will Bunker
Date: Sat, 27 Apr 2019 10:17:21 -0500
Subject: [PATCH 49/55] dubugging GPG signing
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 30dbf26..1bad1b0 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
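Review bot: The signing call on the new line uses whichever secret key happens to be first in the throwaway homedir; pin it with `--local-user <fingerprint>` so a rotated or additional key in the `SIGNING_KEY` credential cannot silently change who signs. The detached signature written to `sig.gpg` is also never checked before it is deleted; a `gpg --homedir \$g --verify sig.gpg sometext.txt` ahead of the cleanup turns a bad import into a red build rather than a signature that only fails downstream. The enclosing stage begins outside the hunk.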
@@ -173,7 +173,7 @@ pipeline {
 //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?"
 echo 'Pushing to Registry'
 sh "echo 'My very cool container' > sometext.txt"
- sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f\" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f;cat \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$f ;echo 'made it here';gpg --pinentry-mode loopback --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg"
+ sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f\;rm -rf \$g" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f;cat \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ${SIGNING_KEY} ;echo 'made it here';gpg --pinentry-mode loopback --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg"
 } // steps
 } // stage
-- GitLab
From cd9ff629f015f10c6338acf239a204e845e011c2 Mon Sep 17 00:00:00 2001
From: Will Bunker
Date: Sat, 27 Apr 2019 10:18:25 -0500
Subject: [PATCH 50/55] dubugging GPG signing
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 1bad1b0..5b0ada1 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
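Review bot: The new line does not compile: in `trap \"rm \$f\;rm -rf \$g" EXIT` the closing `"` is unescaped and terminates the Groovy string early, and `\;` is not a valid Groovy escape. Independently, `SIGNING_KEY` is now used both as file content (`echo '${SIGNING_KEY}' > \$f`) and as the path handed to `--import ${SIGNING_KEY}`; only one reading can be right, and if the credential has become a file path (presumably a Jenkins file credential) the `echo`/`cat` of `\$f` is dead code that still writes the value into the log. Keep one convention, e.g. `gpg --homedir "$g" --import --batch "$SIGNING_KEY"` inside a single-quoted script with the `echo`/`cat` lines removed.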
@@ -173,7 +173,7 @@ pipeline {
 //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?"
 echo 'Pushing to Registry'
 sh "echo 'My very cool container' > sometext.txt"
- sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f\;rm -rf \$g" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f;cat \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ${SIGNING_KEY} ;echo 'made it here';gpg --pinentry-mode loopback --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg"
+ sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f;rm -rf \$g\" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f;cat \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ${SIGNING_KEY} ;echo 'made it here';gpg --pinentry-mode loopback --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg"
 } // steps
 } // stage
-- GitLab
From 725228a7f8d9a186a61e8b90e15a1804ab663bbc Mon Sep 17 00:00:00 2001
From: Will Bunker
Date: Sat, 27 Apr 2019 10:20:10 -0500
Subject: [PATCH 51/55] dubugging GPG signing
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 5b0ada1..664ad6a 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
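Review bot: `--passphrase ${SIGNING_KEY_PASSPHRASE}` is substituted by Groovy and then word-split by the shell because it is unquoted, so a passphrase containing whitespace or glob characters is broken into several arguments and both gpg calls silently use the wrong value; the same applies to `${SIGNING_KEY}` used as a path on the `--import` call. If the values must stay on the command line, quote them (`--passphrase "$SIGNING_KEY_PASSPHRASE"`, `--import "$SIGNING_KEY"`) in a single-quoted script, though `--passphrase-fd 0` fed from `printf '%s'` avoids both the splitting and the `ps` exposure. The quote fix on this line is otherwise correct.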
@@ -173,7 +173,7 @@ pipeline {
 //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?"
 echo 'Pushing to Registry'
 sh "echo 'My very cool container' > sometext.txt"
- sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f;rm -rf \$g\" EXIT || exit 255; echo '${SIGNING_KEY}' > \$f;cat \$f; gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ${SIGNING_KEY} ;echo 'made it here';gpg --pinentry-mode loopback --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg"
+ sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ${SIGNING_KEY} ;gpg --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg"
 } // steps
 } // stage
-- GitLab
From cd63bab026c0da6e05bf329ddbd0ee2a9ef2d743 Mon Sep 17 00:00:00 2001
From: Will Bunker
Date: Sat, 27 Apr 2019 10:22:57 -0500
Subject: [PATCH 52/55] dubugging GPG signing
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 664ad6a..4e88dbf 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
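Review bot: This revision drops `f=\$(mktemp)` but keeps `rm \$f` at the end, which now runs `rm` with an empty operand and fails, and it also removes `--pinentry-mode loopback` from the signing call; on GnuPG 2.1 and later `--batch --passphrase` is ignored without it, so the detach-sign will fail or block on pinentry. Restore the flag (`gpg --homedir "$g" --batch --pinentry-mode loopback --passphrase-fd 0 --detach-sign …`) and delete the stray `rm \$f`. Dropping the `echo`/`cat` of the key is the right change. The enclosing stage begins outside the hunk.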
@@ -173,7 +173,7 @@ pipeline {
 //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?"
 echo 'Pushing to Registry'
 sh "echo 'My very cool container' > sometext.txt"
- sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ${SIGNING_KEY} ;gpg --detach-sign --homedir \$g -o sig.gpg --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat sig.gpg; rm -fr \$g; rm \$f; rm sig.gpg"
+ sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f;rm -rf \$g\" EXIT || exit 255;gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ${SIGNING_KEY} ;gpg --detach-sign --homedir \$g -o \$f --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat \$f; rm -fr \$g;rm \$f"
 } // steps
 } // stage
-- GitLab
From e3c22f84d4a1d5a4d7f6fa51a31f13b1fcab7642 Mon Sep 17 00:00:00 2001
From: Will Bunker
Date: Sat, 27 Apr 2019 10:24:38 -0500
Subject: [PATCH 53/55] dubugging GPG signing
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 4e88dbf..0cf1ff1 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
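Review bot: The detached signature is now written to a `mktemp` file, printed with `cat`, and deleted, so nothing leaves this stage: it is not archived, not attached to the artifact the stage name says is being pushed, and never verified. Add `gpg --homedir \$g --verify \$f sometext.txt` before cleanup and keep the armored signature with whatever is published (`archiveArtifacts` or an upload next to the artifact, with a `.asc` name). The trailing `rm -fr \$g;rm \$f` also duplicates the EXIT trap, which will then report a missing file on exit.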
@@ -173,7 +173,7 @@ pipeline {
 //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?"
 echo 'Pushing to Registry'
 sh "echo 'My very cool container' > sometext.txt"
- sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f;rm -rf \$g\" EXIT || exit 255;gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ${SIGNING_KEY} ;gpg --detach-sign --homedir \$g -o \$f --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat \$f; rm -fr \$g;rm \$f"
+ sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f;rm -rf \$g\" EXIT || exit 255;gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ${SIGNING_KEY} ;gpg --detach-sign --homedir \$g -o \$f --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat \$f;"
 } // steps
 } // stage
-- GitLab
From 8820088f6887a11bb4efa4eaf325b519b826c8c0 Mon Sep 17 00:00:00 2001
From: Will Bunker
Date: Sat, 27 Apr 2019 10:31:27 -0500
Subject: [PATCH 54/55] refactor to combine both mktemp into one statement
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 0cf1ff1..e852239 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
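Review bot: What gets signed is `sometext.txt`, the placeholder written by the context line above, not anything derived from the image this stage is meant to push, so the signature has no relation to `${REPO_NAME}:${IMAGE_TAG}`; presumably scaffolding, but it deserves a `// TODO: sign the image manifest digest, not a placeholder file` before it is merged. Sign a stable identifier of the artifact (for a container image, its manifest digest) and publish the armored signature alongside it. Leaving cleanup to the EXIT trap, as this revision does, is the right direction: with `-e` in effect any gpg failure still removes both temporaries.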
@@ -173,7 +173,7 @@ pipeline {
 //input message: "Push image ${REPO_NAME}:${IMAGE_TAG} to registry?"
 echo 'Pushing to Registry'
 sh "echo 'My very cool container' > sometext.txt"
- sh "g=\$(mktemp -d) && trap \"rm -rf \$g\" EXIT || exit 255;f=\$(mktemp) && trap \"rm \$f;rm -rf \$g\" EXIT || exit 255;gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ${SIGNING_KEY} ;gpg --detach-sign --homedir \$g -o \$f --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat \$f;"
+ sh "g=\$(mktemp -d) && f=\$(mktemp) && trap \"rm \$f;rm -rf \$g\" EXIT || exit 255;gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ${SIGNING_KEY} ;gpg --detach-sign --homedir \$g -o \$f --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} sometext.txt;cat \$f;"
 } // steps
 } // stage
-- GitLab
From 77fb909de3d88811e21e7ae95c22bf7044327016 Mon Sep 17 00:00:00 2001
From: Will Bunker
Date: Mon, 29 Apr 2019 07:36:31 -0500
Subject: [PATCH 55/55] Documented built in variables to track git/job information
---
 Jenkinsfile | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/Jenkinsfile b/Jenkinsfile
index e852239..1ca8e1c 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -13,6 +13,15 @@ pipeline {
 NEXUS_SERVER = 'nexus-docker.52.61.140.4.nip.io'
 S3_REPORT_BUCKET = 's3://dsop-pipeline-artifacts'
 REMOTE_HOST = 'ec2-52-222-64-188.us-gov-west-1.compute.amazonaws.com'
+ // built in variables we can use to track information
+ //BUILD_TAG=jenkins-Datagen-17
+ //GIT_COMMIT=ce9a3c1404e8c91be604088670e93434c4253f03
+ //JOB_NAME=Datagen
+ //BUILD_ID=2011-06-22_15-26-06
+ //GIT_BRANCH=master
+ //BUILD_NUMBER=17
+
+
 } // environment
 parameters {
 choice(choices : 'All\nOpenSCAP\nTwistlock\nAnchore',
-- GitLab
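Review bot: In `g=\$(mktemp -d) && f=\$(mktemp) && trap … || exit 255` the handler is installed only after both `mktemp` calls succeed, so if the second fails the directory from the first is leaked; put the trap right after `$g` is created (or create the signature file inside `$g` so one `rm -rf` covers both). Beyond that, the step still feeds the key path and the passphrase to the shell through Groovy interpolation and puts the passphrase on argv, where the `set -x` trace and `ps` expose it; a single-quoted multi-line script that reads them from the environment, quotes every expansion and verifies the result fixes logging, quoting and readability of the `;` chain in one go, as sketched below (assumes `SIGNING_KEY` holds a file path and both values are exported to the step's environment — confirm against the binding, which is outside this hunk). The enclosing stage begins outside the hunk.
```groovy
sh '''
    set -eu
    g=$(mktemp -d); trap 'rm -rf "$g"' EXIT
    f=$(mktemp "$g/sig.XXXXXX")
    printf '%s' "$SIGNING_KEY_PASSPHRASE" | gpg --homedir "$g" --batch --pinentry-mode loopback --passphrase-fd 0 --import "$SIGNING_KEY"
    printf '%s' "$SIGNING_KEY_PASSPHRASE" | gpg --homedir "$g" --batch --yes --pinentry-mode loopback --passphrase-fd 0 --armor --detach-sign -o "$f" sometext.txt
    gpg --homedir "$g" --verify "$f" sometext.txt
    cat "$f"
'''
```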
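Review bot: The example `//BUILD_ID=2011-06-22_15-26-06` documents the old timestamp-style value; on Jenkins 1.597 and later `BUILD_ID` is the same string as `BUILD_NUMBER`, so the comment should not present it as a timestamp source. Suggest `//BUILD_ID — same as BUILD_NUMBER on current Jenkins; derive timestamps explicitly` and, since `GIT_COMMIT` is listed, a note that it rather than the mutable `IMAGE_TAG` is what signed artifacts and scan reports should be keyed on. The two trailing blank `+` lines before `} // environment` can be dropped.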