[WIP]Add platsec check to jenkinsfile

RedHatInsights · Sep 22, 2023 · 26fb2c6 · 26fb2c6
1 parent 72295a1
commit 26fb2c6
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 1 deletion.
diff --git a/examples/backend-pipeline-pr-checks/Jenkinsfile b/examples/backend-pipeline-pr-checks/Jenkinsfile
@@ -24,7 +24,7 @@ pipeline {
         APP_NAME="CHANGEME"  // name of app-sre "application" folder this component lives in
         COMPONENT_NAME="CHANGEME"  // name of app-sre "resourceTemplate" in deploy.yaml for this component
         IMAGE="quay.io/cloudservices/CHANGEME"  // image location on quay
-
+        RUN_PLATSEC=false // optional step to run vulnerability checks
         IQE_PLUGINS="CHANGEME"  // name of the IQE plugin for this app.
         IQE_MARKER_EXPRESSION="CHANGEME"  // This is the value passed to pytest -m
         IQE_FILTER_EXPRESSION=""  // This is the value passed to pytest -k
@@ -67,6 +67,15 @@ pipeline {
 
                     }
                 }
+
+                stage ('Run vulnerability tests') {
+                    if (env.RUN_PLATSEC == true)
+                        steps {
+                            withVault([configuration, vaultSecrets: secrets]) {
+                                sh 'source ${CICD_ROOT}/platsec.sh' 
+                        }
+                    }
+                }   
             }
         }
     }

diff --git a/platsec.sh b/platsec.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+ARTIFACTS_DIR="grype-vuln-artifacts"
+IMAGE_TAG="quay.io/gburges/kibana:latest"
+
+mkdir -p "$ARTIFACTS_DIR"
+
+function download (){
+    curl -sSfL https://raw.githubusercontent.com/anchore/$1/main/install.sh | sh -s -- -b ./bin
+}
+
+if ! ./bin/syft; then
+    download syft
+fi
+
+if ! ./bin/grype; then
+    download grype
+fi
+
+#install and run syft
+# curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b ./bin
+./bin/syft -v ${IMAGE_TAG} > "${ARTIFACTS_DIR}/syft-sbom-results.txt"
+
+#install and run grype
+# curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b ./bin
+./bin/grype -v -o table ${IMAGE_TAG} > "${ARTIFACTS_DIR}/grype-vuln-results-full.txt"
+./bin/grype -v -o table --only-fixed ${IMAGE_TAG} > "${ARTIFACTS_DIR}/grype-vuln-results-fixable.txt"
+./bin/grype -v -o table --only-fixed --fail-on high ${IMAGE_TAG};