Merge pull request #879 from snyk/chore/scan-images-during-cicd-workflow
chore: scan broker images as part of cicd workflow
pavel-snyk authored Nov 12, 2024
2 parents 510d207 + a6599f0 commit 927dbf4
Showing 3 changed files with 115 additions and 73 deletions.
133 changes: 60 additions & 73 deletions .circleci/config.yml
Expand Up @@ -3,7 +3,7 @@ version: 2.1
orbs:
prodsec: snyk/[email protected]
slack: circleci/[email protected]
snyk: snyk/snyk@1.7.2
snyk: snyk/snyk@2.2.0

defaults: &defaults
docker:
Expand Down Expand Up @@ -119,6 +119,22 @@ commands:
name: Load archived Docker image
command: |
docker load < "/tmp/workspace/images/<<parameters.project_name>>:$CIRCLE_WORKFLOW_ID.tar.gz"
load-slack-templates:
steps:
- run:
name: Load Slack message templates
command: |
echo 'export SLACK_FAIL_MESSAGE_TEMPLATE=$(cat .circleci/templates/slack_fail_message.json)' >> $BASH_ENV
notify-slack-on-failure:
parameters:
channel:
type: string
default: broker-alerts-cicd
steps:
- slack/notify:
channel: <<parameters.channel>>
event: fail
template: SLACK_FAIL_MESSAGE_TEMPLATE
tag-and-push-docker-image:
description: "Tag and push Docker image to registry"
parameters:
Expand Down Expand Up @@ -166,80 +182,25 @@ commands:
export COSIGN_KEY=$(echo $COSIGN_ENCODED_KEY | base64 -d)
cosign sign --yes --key env://COSIGN_KEY --annotations tag=$IMAGE_TAG $IMAGE_WITH_DIGEST
unset COSIGN_KEY
prepare:
description: "Checkout repository source code and load all Slack templates"
steps:
- checkout
- load-slack-templates
prepare-dev-package-metadata:
steps:
- run:
name: Prepare package.json and metadata.json for dev images
command: |
cd dockerfiles/.scripts && source prepare.sh
notify-slack-on-failure:
parameters:
channel:
type: string
default: broker-alerts-cicd
steps:
- slack/notify:
channel: <<parameters.channel>>
event: fail
custom: |
{
"blocks": [
{
"type": "header",
"text": {
"type": "plain_text",
"text": "CICD pipeline failed :circleci-fail:",
"emoji": true
}
},
{
"type": "divider"
},
{
"type": "section",
"fields": [
{
"type": "mrkdwn",
"text": "*Project*: ${CIRCLE_PROJECT_REPONAME}"
},
{
"type": "mrkdwn",
"text": "*Job*: ${CIRCLE_JOB}"
},
{
"type": "mrkdwn",
"text": "*Branch*: ${CIRCLE_BRANCH}"
},
{
"type": "mrkdwn",
"text": "*Author*: ${CIRCLE_USERNAME}"
}
]
},
{
"type": "actions",
"elements": [
{
"type": "button",
"text": {
"type": "plain_text",
"emoji": true,
"text": "View Job"
},
"url": "${CIRCLE_BUILD_URL}"
}
]
}
]
}
jobs:
install-npm-packages:
<<: *defaults
environment:
NODE_ENV: development
steps:
- checkout
- prepare
- run:
name: Install NPM packages
command: npm clean-install
Expand All @@ -250,7 +211,7 @@ jobs:
lint:
<<: *defaults
steps:
- checkout
- prepare
- attach_workspace:
at: ~/broker
- run:
Expand All @@ -259,14 +220,14 @@ jobs:
lint-json-samples:
<<: *defaults
steps:
- checkout
- prepare
- run:
name: Lint JSON templates
command: ./lintVerifier.sh
test:
<<: *defaults
steps:
- checkout
- prepare
- attach_workspace:
at: ~/broker
- run:
Expand All @@ -292,7 +253,7 @@ jobs:
type: string
default: "broker"
steps:
- checkout
- prepare
- setup_remote_docker:
docker_layer_caching: true
- get-tagged-broker-version
Expand All @@ -317,7 +278,7 @@ jobs:
type: string
default: "broker"
steps:
- checkout
- prepare
- setup_remote_docker:
docker_layer_caching: false
- get-tagged-broker-version
Expand All @@ -329,6 +290,9 @@ jobs:
scan-docker-image:
<<: *defaults
parameters:
monitor_on_build:
type: boolean
default: true
project:
type: string
project_name:
Expand All @@ -338,7 +302,7 @@ jobs:
type: string
default: "high"
steps:
- checkout
- prepare
- setup_remote_docker:
docker_layer_caching: false
- load-docker-image:
Expand All @@ -347,6 +311,7 @@ jobs:
additional-arguments: --policy-path=.snyk
docker-image-name: <<parameters.project_name>>:$CIRCLE_WORKFLOW_ID
fail-on-issues: <<pipeline.parameters.fail_on_issues>>
monitor-on-build: <<parameters.monitor_on_build>>
organization: platform-broker
project: <<parameters.project>>
severity-threshold: <<parameters.severity_threshold>>
Expand All @@ -361,7 +326,7 @@ jobs:
type: string
default: "broker"
steps:
- checkout
- prepare
- setup_remote_docker:
docker_layer_caching: true
- dockerhub-login
Expand Down Expand Up @@ -395,7 +360,7 @@ jobs:
type: string
default: "high"
steps:
- checkout
- prepare
- setup_remote_docker:
docker_layer_caching: false
- dockerhub-login
Expand All @@ -422,7 +387,7 @@ jobs:
release:
<<: *defaults
steps:
- checkout
- prepare
- attach_workspace:
at: ~/broker
- run:
Expand Down Expand Up @@ -469,22 +434,44 @@ workflows:
nodejs_cycle: "20"
project_name: broker

- scan-docker-image:
name: Scan base image (Ubuntu)
context:
- snyk-bot-slack
- team-broker-snyk
requires:
- Build base image (Ubuntu)
project: snyk/broker
project_name: broker
monitor_on_build: false

- build-and-save-docker-ubi-image:
name: Build base image (RHEL)
requires:
- Install NPM packages
dockerfile: dockerfiles/base/Dockerfile.ubi
project_name: broker-rhel-ubi

- scan-docker-image:
name: Scan base image (RHEL)
context:
- snyk-bot-slack
- team-broker-snyk
requires:
- Build base image (RHEL)
project: snyk/broker-rhel-ubi
project_name: broker-rhel-ubi
monitor_on_build: false

- release:
name: Release to GitHub and NPM
context:
- nodejs-lib-release
- snyk-bot-slack
- team-broker-snyk
requires:
- Build base image (Ubuntu)
- Build base image (RHEL)
- Scan base image (Ubuntu)
- Scan base image (RHEL)
- Test
post-steps:
- notify-slack-on-failure
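Review bot: The `load-slack-templates` command in the second hunk writes `export SLACK_FAIL_MESSAGE_TEMPLATE=$(cat .circleci/templates/slack_fail_message.json)` into `$BASH_ENV` inside single quotes, so the `cat` is not run at load time but deferred and re-evaluated with a relative path each time a later step's shell sources `BASH_ENV`; a job or step running with a different working directory would get an empty template plus a stray `cat` error rather than a failure in the load step itself. Resolving the path once avoids that: `echo "export SLACK_FAIL_MESSAGE_TEMPLATE=\$(cat '$PWD/.circleci/templates/slack_fail_message.json')" >> "$BASH_ENV"`. Separately, the two new `scan-docker-image` entries in the last hunk are now prerequisites of `Release to GitHub and NPM`, but whether they can block the release depends on `<<pipeline.parameters.fail_on_issues>>`, whose declaration and default are outside this diff; if it defaults to false the new gate is advisory only, which is worth confirming or documenting next to the `requires` list.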
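--- /dev/null
+++ b/.circleci/templates/slack_fail_message.json
@@ -0,0 +1,50 @@
+{
+"blocks": [
+{
+"type": "header",
+"text": {
+"type": "plain_text",
+"text": "Scans pipeline failed :circleci-fail:",
+"emoji": true
+}
+},
+{
+"type": "divider"
+},
+{
+"type": "section",
+"fields": [
+{
+"type": "mrkdwn",
+"text": "*Project*: ${CIRCLE_PROJECT_REPONAME}"
+},
+{
+"type": "mrkdwn",
+"text": "*Job*: ${CIRCLE_JOB}"
+},
+{
+"type": "mrkdwn",
+"text": "*Branch*: ${CIRCLE_BRANCH}"
+},
+{
+"type": "mrkdwn",
+"text": "*Author*: ${CIRCLE_USERNAME}"
+}
+]
+},
+{
+"type": "actions",
+"elements": [
+{
+"type": "button",
+"text": {
+"type": "plain_text",
+"emoji": true,
+"text": "View Job"
+},
+"url": "${CIRCLE_BUILD_URL}"
+}
+]
+}
+]
+}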
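Review bot: The header text on the `"text": "Scans pipeline failed :circleci-fail:"` line is narrower than where this template is used: `load-slack-templates` exports the whole file as `SLACK_FAIL_MESSAGE_TEMPLATE`, and `notify-slack-on-failure` sends it for every job that attaches it, including the `Release to GitHub and NPM` post-step added in the same commit. A release or lint failure would therefore be announced as a scans failure, which misdirects whoever triages the alert. The inline template this file replaces read `CICD pipeline failed`; keeping that wording, `"text": "CICD pipeline failed :circleci-fail:",`, or putting `${CIRCLE_JOB}` into the header, keeps the notification accurate for all callers.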
5 changes: 5 additions & 0 deletions .snyk
Expand Up @@ -22,4 +22,9 @@ ignore:
reason: No upstream fix available
expires: 2024-12-11T13:11:49.669Z
created: 2024-11-11T13:11:49.674Z
SNYK-RHEL8-PAM-8350338:
- '*':
reason: No fix from RHEL available
expires: 2024-12-12T12:19:17.636Z
created: 2024-11-12T12:19:17.640Z
patch: {}
