From f11c7580089f0443e3713d156696e8f1fd2d2778 Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 11:34:17 +0100 Subject: [PATCH 01/15] Update JenkinsFile --- Jenkinsfile | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Jenkinsfile b/Jenkinsfile index 8b1a93a..4636e72 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -23,6 +23,10 @@ pipeline { REGISTRY_CREDS = "registry-creds" IMAGE = "${REGISTRY}/${IMAGE_NAME}" + + DD_URL = "https://DD.brammie15.dev" + DD_API_KEY = credentials('dd-api-key') + NVD_API_KEY = credentials("nvd-api-key") } stages { @@ -32,6 +36,16 @@ pipeline { } } + stage('SAST - Semgrep') { + steps { + sh """ + docker run --rm -v "\$(pwd):/src" \ + returntocorp/semgrep \ + semgrep scan --config=auto /src + """ + } + } + stage('Build image') { steps { script { From 644cf426d63dfc964e24f4b319e7f0505895c55d Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 18:54:06 +0100 Subject: [PATCH 02/15] Update Jenkinsfile --- Jenkinsfile | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 119 insertions(+) diff --git a/Jenkinsfile b/Jenkinsfile index 4636e72..78522f1 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
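Review bot: `DD_API_KEY` and `NVD_API_KEY` are bound with `credentials()` in the pipeline-level `environment` block, so both secrets are exported to every `sh` step of every stage, yet nothing in this patch reads either of them (no DefectDojo or NVD call is part of this change). Bind each one inside the single stage that consumes it instead, e.g. `withCredentials([string(credentialsId: 'dd-api-key', variable: 'DD_API_KEY')]) { ... }`, and leave `NVD_API_KEY` out until a stage actually uses it. The `environment` block this hunk extends starts above the hunk.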
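Review bot: The new `SAST - Semgrep` stage runs `returntocorp/semgrep` with no tag or digest and bind-mounts the whole workspace read-write, so whatever that image resolves to on the agent at run time gets write access to the checked-out tree, and `--config=auto` additionally fetches its rules from the Semgrep registry on every build. Pin the image by digest (`returntocorp/semgrep@sha256:...`, or the `semgrep/semgrep` repository it was moved to, I believe) and mount the source read-only with `-v "\$(pwd):/src:ro"`, which is safe here because this invocation writes nothing under `/src`. If you do not want the scan reporting back to semgrep.dev, add `--metrics=off` — as far as I recall `auto` config refuses to run with metrics disabled, in which case an explicit ruleset such as `--config=p/golang` is the alternative.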
@@ -30,6 +30,125 @@ pipeline { } stages { + + pipeline { + agent any + + options { + timestamps() + disableConcurrentBuilds() + } + + environment { + // --- Configure these for your registry --- + // For Gitea Container Registry (Packages), this is typically your Gitea host. + // Examples: + // REGISTRY = "git.brammie15.dev" (HTTPS) + // REGISTRY = "git.brammie15.dev:5050" (if your registry runs on a port) + REGISTRY = "git.brammie15.dev" + + // Image path in the registry. For Gitea/GitLab-style registries this is often: + // / (or sometimes //) + IMAGE_NAME = "brammie15/resendit" + + // Jenkins credential (Username/Password or token-as-password) that can push to the registry. + // Create it in Jenkins: Manage Jenkins -> Credentials + REGISTRY_CREDS = "registry-creds" + + IMAGE = "${REGISTRY}/${IMAGE_NAME}" + + DD_URL = "https://DD.brammie15.dev" + DD_API_KEY = credentials('dd-api-key') + NVD_API_KEY = credentials("nvd-api-key") + } + + stages { + stage('Debug') { + steps { + sh 'echo "WORKSPACE: $WORKSPACE" && echo "PWD: $(pwd)" && ls -la' + } + } + + stage('Checkout') { + steps { + checkout scm + } + } + + stage('SAST - Semgrep') { + steps { + sh """ + docker run --rm -v "\$(pwd):/src" \ + returntocorp/semgrep \ + semgrep scan --config=auto /src + """ + } + } + + stage('Build image') { + steps { + script { + def shortSha = sh(script: 'git rev-parse --short=12 HEAD', returnStdout: true).trim() + env.IMAGE_TAG_SHA = shortSha + + sh """ + docker version + docker build \ + --build-arg GIT_COMMIT=${IMAGE_TAG_SHA} \ + -t ${IMAGE}:${IMAGE_TAG_SHA} . 
+ """ + } + } + } + + stage('Login to registry') { + steps { + withCredentials([usernamePassword(credentialsId: "${REGISTRY_CREDS}", usernameVariable: 'REG_USER', passwordVariable: 'REG_PASS')]) { + sh """ + echo "$REG_PASS" | docker login ${REGISTRY} -u "$REG_USER" --password-stdin + """ + } + } + } + + stage('Push image') { + steps { + script { + // Always push the commit SHA tag + sh "docker push ${IMAGE}:${IMAGE_TAG_SHA}" + + // Also push a branch tag (handy for test environments) + def branch = (env.BRANCH_NAME ?: sh(script: 'git rev-parse --abbrev-ref HEAD', returnStdout: true).trim()) + def safeBranch = branch.replaceAll('[^a-zA-Z0-9_.-]', '-') + + sh """ + docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:${safeBranch} + docker push ${IMAGE}:${safeBranch} + """ + + // Only push 'latest' from master + if (branch == 'master') { + sh """ + docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:latest + docker push ${IMAGE}:latest + """ + } + } + } + } + } + + post { + always { + sh 'docker logout ${REGISTRY} || true' + // Keep agents from filling up over time + sh 'docker image rm -f ${IMAGE}:${IMAGE_TAG_SHA} || true' + sh 'docker image prune -f || true' + } + } + } + + stage('Checkout') { steps { checkout scm From a6979805c16dc2307b87b82e4ff76f3a1d4c6457 Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 18:57:44 +0100 Subject: [PATCH 03/15] Update jenkins file --- Jenkinsfile | 159 ++++------------------------------------------------ 1 file changed, 12 insertions(+), 147 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 78522f1..8a9020e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -7,148 +7,23 @@ pipeline { } environment { - // --- Configure these for your registry --- - // For Gitea Container Registry (Packages), this is typically your Gitea host. - // Examples: - // REGISTRY = "git.brammie15.dev" (HTTPS) - // REGISTRY = "git.brammie15.dev:5050" (if your registry runs on a port) - REGISTRY = "git.brammie15.dev" - - // Image path in the registry. For Gitea/GitLab-style registries this is often: - // / (or sometimes //) - IMAGE_NAME = "brammie15/resendit" - - // Jenkins credential (Username/Password or token-as-password) that can push to the registry. - // Create it in Jenkins: Manage Jenkins -> Credentials + REGISTRY = "git.brammie15.dev" + IMAGE_NAME = "brammie15/resendit" REGISTRY_CREDS = "registry-creds" - - IMAGE = "${REGISTRY}/${IMAGE_NAME}" - - DD_URL = "https://DD.brammie15.dev" - DD_API_KEY = credentials('dd-api-key') - NVD_API_KEY = credentials("nvd-api-key") + IMAGE = "${REGISTRY}/${IMAGE_NAME}" + DD_URL = "https://DD.brammie15.dev" + DD_API_KEY = credentials('dd-api-key') + NVD_API_KEY = credentials("nvd-api-key") } stages { - pipeline { - agent any - - options { - timestamps() - disableConcurrentBuilds() - } - - environment { - // --- Configure these for your registry --- - // For Gitea Container Registry (Packages), this is typically your Gitea host. - // Examples: - // REGISTRY = "git.brammie15.dev" (HTTPS) - // REGISTRY = "git.brammie15.dev:5050" (if your registry runs on a port) - REGISTRY = "git.brammie15.dev" - - // Image path in the registry. For Gitea/GitLab-style registries this is often: - // / (or sometimes //) - IMAGE_NAME = "brammie15/resendit" - - // Jenkins credential (Username/Password or token-as-password) that can push to the registry. 
- // Create it in Jenkins: Manage Jenkins -> Credentials - REGISTRY_CREDS = "registry-creds" - - IMAGE = "${REGISTRY}/${IMAGE_NAME}" - - DD_URL = "https://DD.brammie15.dev" - DD_API_KEY = credentials('dd-api-key') - NVD_API_KEY = credentials("nvd-api-key") - } - - stages { - stage('Debug') { - steps { - sh 'echo "WORKSPACE: $WORKSPACE" && echo "PWD: $(pwd)" && ls -la' - } - } - - stage('Checkout') { - steps { - checkout scm - } - } - - stage('SAST - Semgrep') { - steps { - sh """ - docker run --rm -v "\$(pwd):/src" \ - returntocorp/semgrep \ - semgrep scan --config=auto /src - """ - } - } - - stage('Build image') { - steps { - script { - def shortSha = sh(script: 'git rev-parse --short=12 HEAD', returnStdout: true).trim() - env.IMAGE_TAG_SHA = shortSha - - sh """ - docker version - docker build \ - --build-arg GIT_COMMIT=${IMAGE_TAG_SHA} \ - -t ${IMAGE}:${IMAGE_TAG_SHA} . - """ - } - } - } - - stage('Login to registry') { - steps { - withCredentials([usernamePassword(credentialsId: "${REGISTRY_CREDS}", usernameVariable: 'REG_USER', passwordVariable: 'REG_PASS')]) { - sh """ - echo "$REG_PASS" | docker login ${REGISTRY} -u "$REG_USER" --password-stdin - """ - } - } - } - - stage('Push image') { - steps { - script { - // Always push the commit SHA tag - sh "docker push ${IMAGE}:${IMAGE_TAG_SHA}" - - // Also push a branch tag (handy for test environments) - def branch = (env.BRANCH_NAME ?: sh(script: 'git rev-parse --abbrev-ref HEAD', returnStdout: true).trim()) - def safeBranch = branch.replaceAll('[^a-zA-Z0-9_.-]', '-') - - sh """ - docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:${safeBranch} - docker push ${IMAGE}:${safeBranch} - """ - - // Only push 'latest' from master - if (branch == 'master') { - sh """ - docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:latest - docker push ${IMAGE}:latest - """ - } - } - } + stage('Debug') { + steps { + sh 'echo "WORKSPACE: $WORKSPACE" && echo "PWD: $(pwd)" && ls -la' } } - post { - always { - sh 'docker logout ${REGISTRY} || 
true' - // Keep agents from filling up over time - sh 'docker image rm -f ${IMAGE}:${IMAGE_TAG_SHA} || true' - sh 'docker image prune -f || true' - } - } - } - - stage('Checkout') { steps { checkout scm @@ -170,9 +45,7 @@ pipeline { script { def shortSha = sh(script: 'git rev-parse --short=12 HEAD', returnStdout: true).trim() env.IMAGE_TAG_SHA = shortSha - sh """ - docker version docker build \ --build-arg GIT_COMMIT=${IMAGE_TAG_SHA} \ -t ${IMAGE}:${IMAGE_TAG_SHA} . @@ -184,9 +57,7 @@ pipeline { stage('Login to registry') { steps { withCredentials([usernamePassword(credentialsId: "${REGISTRY_CREDS}", usernameVariable: 'REG_USER', passwordVariable: 'REG_PASS')]) { - sh """ - echo "$REG_PASS" | docker login ${REGISTRY} -u "$REG_USER" --password-stdin - """ + sh 'echo "$REG_PASS" | docker login ${REGISTRY} -u "$REG_USER" --password-stdin' } } } @@ -194,19 +65,13 @@ pipeline { stage('Push image') { steps { script { - // Always push the commit SHA tag sh "docker push ${IMAGE}:${IMAGE_TAG_SHA}" - - // Also push a branch tag (handy for test environments) def branch = (env.BRANCH_NAME ?: sh(script: 'git rev-parse --abbrev-ref HEAD', returnStdout: true).trim()) def safeBranch = branch.replaceAll('[^a-zA-Z0-9_.-]', '-') - sh """ docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:${safeBranch} docker push ${IMAGE}:${safeBranch} """ - - // Only push 'latest' from master if (branch == 'master') { sh """ docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:latest @@ -216,14 +81,14 @@ pipeline { } } } + } post { always { sh 'docker logout ${REGISTRY} || true' - // Keep agents from filling up over time sh 'docker image rm -f ${IMAGE}:${IMAGE_TAG_SHA} || true' sh 'docker image prune -f || true' } } -} +} \ No newline at end of file From 1fe45eaed13161f5990ba1c052b767a5a900339a Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 19:00:28 +0100 Subject: [PATCH 04/15] Update Jenkins --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
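Review bot: `docker login ${REGISTRY}` in the `Login to registry` stage writes the registry token into the agent's default `~/.docker/config.json` (base64-encoded unless a credential helper is configured there), where any other job that runs on the same agent before the `post { always }` logout can read it; `disableConcurrentBuilds()` serialises only this job. Point Docker at a per-build config directory instead, e.g. `DOCKER_CONFIG = "${env.WORKSPACE}/.docker"` in the `environment` block (or a `withEnv` around the login, push and logout steps if the workspace is not known there), and add `sh 'rm -rf "$WORKSPACE/.docker" || true'` next to the existing `docker logout` in `post`. The stage's enclosing `stages` block starts and ends outside this hunk.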
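Review bot: The branch-tag logic in `Push image` falls back to `git rev-parse --abbrev-ref HEAD` when `env.BRANCH_NAME` is unset, and on a detached-HEAD checkout (what `checkout scm` produces on a plain Pipeline job, as far as I can tell) that prints `HEAD`, so every build from such a job would push and overwrite a mutable `${IMAGE}:HEAD` tag and `branch == 'master'` would never be true, so `latest` is never published. Prefer `env.GIT_BRANCH`, which I believe the git plugin sets on checkout as `origin/master`, strip the remote prefix, and refuse to publish when nothing usable is found: `def branch = (env.BRANCH_NAME ?: (env.GIT_BRANCH ?: '').replaceFirst(/^origin\//, ''))` followed by `if (!branch || branch == 'HEAD') { error "cannot determine branch for tagging" }`. The `safeBranch` sanitisation itself is fine and should stay.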
diff --git a/Jenkinsfile b/Jenkinsfile index 8a9020e..0e9fe17 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -35,7 +35,7 @@ pipeline { sh """ docker run --rm -v "\$(pwd):/src" \ returntocorp/semgrep \ - semgrep scan --config=auto /src + semgrep scan --config=auto /src/cmd /src/internal """ } } From 90d1c1b562b163750a3bc6106a25220772747fb0 Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 19:02:19 +0100 Subject: [PATCH 05/15] fix paths --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 0e9fe17..b307174 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -35,7 +35,7 @@ pipeline { sh """ docker run --rm -v "\$(pwd):/src" \ returntocorp/semgrep \ - semgrep scan --config=auto /src/cmd /src/internal + semgrep scan --config=auto /cmd /internal """ } } From 253308dcc542339177c656f4a065b26c6de745f3 Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 19:27:40 +0100 Subject: [PATCH 06/15] Add semgrep --- Jenkinsfile | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index b307174..845f1a8 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -35,7 +35,24 @@ pipeline { sh """ docker run --rm -v "\$(pwd):/src" \ returntocorp/semgrep \ - semgrep scan --config=auto /cmd /internal + semgrep scan --config=auto \ + --sarif --output /src/semgrep.sarif \ + /src/internal /src/cmd + """ + } + } + + stage('Upload to DefectDojo') { + steps { + sh """ + curl -X POST "${DD_URL}/api/v2/import-scan/" \ + -H "Authorization: Token ${DD_API_KEY}" \ + -F "scan_type=SARIF" \ + -F "file=@\$(pwd)/semgrep.sarif" \ + -F "product_name=ReSendit" \ + -F "engagement_name=Jenkins-CI" \ + -F "auto_create_context=true" \ + -F "close_old_findings=true" """ } } 
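Review bot: Narrowing the scan to `/src/cmd /src/internal` silently drops everything else in the repository from SAST — the `Dockerfile`, this `Jenkinsfile`, and any Go package added outside those two directories later — with no signal that coverage shrank. If the goal is to skip vendored or generated trees, keep `/src` as the target and exclude instead, e.g. `semgrep scan --config=auto --exclude=vendor --exclude=testdata /src`, or record the skipped paths in a `.semgrepignore` in the repo so the decision is reviewable. The `sh """` that opens this script starts within the hunk, but the stage's `steps` closes outside it.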
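Review bot: `/cmd` and `/internal` are paths in the container's root filesystem, not inside the `/src` bind mount, so this change points Semgrep at directories that do not exist in the scanner image; the previous `/src/cmd /src/internal` was the correct form. Expect the stage to fail or to scan zero files — the commit message says "fix paths", but the hunk undoes the working version. Revert to `semgrep scan --config=auto /src/cmd /src/internal`, or simply `/src` to scan the whole checkout.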
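Review bot: In the new `Upload to DefectDojo` stage, `-H "Authorization: Token ${DD_API_KEY}"` sits inside a Groovy `"""` string, so the API key is interpolated by Groovy into the shell script text (the same sensitive-interpolation pattern Jenkins warns about) instead of being read from the environment; escape it as `\${DD_API_KEY}` or move the whole `curl` into a single-quoted `sh '...'` script. The `curl` call also has no `--fail`/`--fail-with-body`, so a 401 from a bad token or a 400 from a rejected SARIF still returns 0 and the stage shows green with nothing imported; use `curl -sS --fail-with-body -X POST ...`. Two further points I would at least document in the Jenkinsfile: `close_old_findings=true` under a single `engagement_name=Jenkins-CI` means a scan of one branch can close findings still present on another, since the engagement is not keyed by branch here, and the SARIF is written by a root process in the container, so `semgrep.sarif` in the workspace is presumably root-owned unless the `docker run` gets `--user "\$(id -u):\$(id -g)"`.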
@@ -89,6 +106,7 @@ pipeline { sh 'docker logout ${REGISTRY} || true' sh 'docker image rm -f ${IMAGE}:${IMAGE_TAG_SHA} || true' sh 'docker image prune -f || true' + sh 'rm -f semgrep.sarif || true' } } } \ No newline at end of file From b31d39d97152f933d86cb6ce0b549bcf647964b5 Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 20:03:26 +0100 Subject: [PATCH 07/15] fix fail --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 845f1a8..ab8baca 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -37,7 +37,7 @@ pipeline { returntocorp/semgrep \ semgrep scan --config=auto \ --sarif --output /src/semgrep.sarif \ - /src/internal /src/cmd + /src/internal /src/cmd || true """ } } From b9c40596b3994512c3aa62f4568e94e62d49fb93 Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 20:08:57 +0100 Subject: [PATCH 08/15] god i hate docker --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index ab8baca..4b27479 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -106,7 +106,7 @@ pipeline { sh 'docker logout ${REGISTRY} || true' sh 'docker image rm -f ${IMAGE}:${IMAGE_TAG_SHA} || true' sh 'docker image prune -f || true' - sh 'rm -f semgrep.sarif || true' +// sh 'rm -f semgrep.sarif || true' } } } \ No newline at end of file From 6d60a8663eaeff0ed1e96b97703a7cc48d01997c Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 20:11:38 +0100 Subject: [PATCH 09/15] attempt to fix paths --- Jenkinsfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 4b27479..8ce13d1 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -33,7 +33,7 @@ pipeline { stage('SAST - Semgrep') { steps { sh """ - docker run --rm -v "\$(pwd):/src" \ + docker run --rm -v "$(pwd):/src" \ returntocorp/semgrep \ semgrep scan --config=auto \ --sarif --output /src/semgrep.sarif \ 
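Review bot: `|| true` after the Semgrep `docker run` swallows every non-zero exit, not just "findings present": Semgrep's documented error exits (code 2 and above, for a bad config, unreadable targets, or a failed rule fetch) now pass, and so does a failed image pull or an unreachable Docker daemon, so the SAST stage can no longer fail the build for any reason. If the intent is only to stop findings from breaking the build, tolerate that one code explicitly, e.g. `... /src/internal /src/cmd || [ \$? -eq 1 ]` (the `\$` is required inside the Groovy `"""` string), and let everything else fail. The `sh """` that opens this script starts above the hunk.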
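Review bot: Commenting out `sh 'rm -f semgrep.sarif || true'` in `post { always }` leaves the previous build's SARIF in the workspace, and because `checkout scm` does not remove untracked files and the scan now ends in `|| true`, a build whose Semgrep run fails before writing output will upload the stale `semgrep.sarif` from the last build to DefectDojo as if it were current (with `close_old_findings=true`, that also decides which findings get closed). If the removal was disabled because the delete failed, that would be consistent with the file being root-owned from the container run — I cannot see the failure, so treat that as a guess — and the fix is to run the scan as the agent user with `--user "\$(id -u):\$(id -g)"`, not to keep the file. Either way, delete any old report at the start of the SAST stage with `sh 'rm -f semgrep.sarif'` before the `docker run`, and drop the dead commented line rather than leaving it in `post`.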
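Review bot: Changing `\$(pwd)` to `$(pwd)` inside the `sh """ ... """` script does not turn it into a shell substitution — the script is a Groovy GString, and `$` followed by `(` is a GString syntax error ("illegal string body character after dollar sign"), so this Jenkinsfile will fail to load rather than fix the path. The escaped `\$(pwd)` from before was correct; if the escaping is the annoyance, switch the script to single quotes (`sh '''...'''`), where `$(pwd)` passes through untouched and nothing is interpolated by Groovy. The same change is made to the `curl -F "file=@$(pwd)/semgrep.sarif"` line in the next hunk and fails the same way.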
@@ -48,7 +48,7 @@ pipeline { curl -X POST "${DD_URL}/api/v2/import-scan/" \ -H "Authorization: Token ${DD_API_KEY}" \ -F "scan_type=SARIF" \ - -F "file=@\$(pwd)/semgrep.sarif" \ + -F "file=@$(pwd)/semgrep.sarif" \ -F "product_name=ReSendit" \ -F "engagement_name=Jenkins-CI" \ -F "auto_create_context=true" \ From c478a4306aeebcd39a2a9bc8f22ba5f9919071cb Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 20:14:11 +0100 Subject: [PATCH 10/15] Revert "attempt to fix paths" This reverts commit 6d60a8663eaeff0ed1e96b97703a7cc48d01997c. --- Jenkinsfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 8ce13d1..4b27479 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -33,7 +33,7 @@ pipeline { stage('SAST - Semgrep') { steps { sh """ - docker run --rm -v "$(pwd):/src" \ + docker run --rm -v "\$(pwd):/src" \ returntocorp/semgrep \ semgrep scan --config=auto \ --sarif --output /src/semgrep.sarif \ @@ -48,7 +48,7 @@ pipeline { curl -X POST "${DD_URL}/api/v2/import-scan/" \ -H "Authorization: Token ${DD_API_KEY}" \ -F "scan_type=SARIF" \ - -F "file=@$(pwd)/semgrep.sarif" \ + -F "file=@\$(pwd)/semgrep.sarif" \ -F "product_name=ReSendit" \ -F "engagement_name=Jenkins-CI" \ -F "auto_create_context=true" \ From b3dcdf09bed270cb45a637be47425e8055806031 Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 20:24:13 +0100 Subject: [PATCH 11/15] try to fix --- Jenkinsfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 4b27479..ad8a0a3 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -37,7 +37,10 @@ pipeline { returntocorp/semgrep \ semgrep scan --config=auto \ --sarif --output /src/semgrep.sarif \ - /src/internal /src/cmd || true + /src/internal /src/cmd + + echo "After semgrep:" + ls -la """ } } From 524f2deb50260186c4b977cf514fafa77a4709f0 Mon Sep 17 00:00:00 2001 
From: Bram Date: Wed, 25 Mar 2026 20:25:33 +0100 Subject: [PATCH 12/15] asdasd --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index ad8a0a3..ede6f08 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -37,7 +37,7 @@ pipeline { returntocorp/semgrep \ semgrep scan --config=auto \ --sarif --output /src/semgrep.sarif \ - /src/internal /src/cmd + /src/internal /src/cmd || true echo "After semgrep:" ls -la From b4bbaf25c99ebac1969f7c1863e847ddcabe96a2 Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 20:46:10 +0100 Subject: [PATCH 13/15] another update ah --- Jenkinsfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index ede6f08..bfb3294 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -35,9 +35,9 @@ pipeline { sh """ docker run --rm -v "\$(pwd):/src" \ returntocorp/semgrep \ - semgrep scan --config=auto \ + semgrep scan --config=auto --debug \ --sarif --output /src/semgrep.sarif \ - /src/internal /src/cmd || true + /src/internal /src/cmd echo "After semgrep:" ls -la From c2d799eb18091a5060df0586e4606345a6413e78 Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 20:48:44 +0100 Subject: [PATCH 14/15] fix config --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index bfb3294..15ddbc8 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -35,7 +35,7 @@ pipeline { sh """ docker run --rm -v "\$(pwd):/src" \ returntocorp/semgrep \ - semgrep scan --config=auto --debug \ + semgrep scan --config=p/ci --debug \ --sarif --output /src/semgrep.sarif \ /src/internal /src/cmd From 781e4f3100673073ae6b933037f616d21c2ad068 Mon Sep 17 00:00:00 2001 From: Bram Date: Wed, 25 Mar 2026 20:51:11 +0100 Subject: [PATCH 15/15] true fix --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 15ddbc8..cacc7b9 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
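Review bot: `--debug` is added to the Semgrep invocation here and stays in the final state of this series; at that verbosity Semgrep logs rule fetching, per-file processing and its full configuration into the Jenkins console, which is a lot of noise on every build and, as far as I can tell, can include environment details you would not normally want in a shared build log. Keep it for the diagnostic run and then remove it, or make it opt-in, e.g. `${params.SEMGREP_DEBUG ? '--debug' : ''}` in the script with a boolean `SEMGREP_DEBUG` parameter. The `echo "After semgrep:"` / `ls -la` pair is the same kind of scaffolding and should go with it.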
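Review bot: Switching from `--config=auto` to `--config=p/ci` still resolves the ruleset from the Semgrep registry at run time, so the rules that gate this pipeline can change between two builds of the same commit without any change to the repository, and a registry outage becomes a scan error (which, once `|| true` returns in the next patch, becomes a silent no-scan). If reproducibility matters, check the rule YAML into the repo under `.semgrep/` and run `--config=/src/.semgrep`, or at least pin the scanner image to a digest so the engine, if not the rules, is fixed. A comment on the `--config` line saying whether the registry dependency is deliberate would help the next reader.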
@@ -37,7 +37,7 @@ pipeline { returntocorp/semgrep \ semgrep scan --config=p/ci --debug \ --sarif --output /src/semgrep.sarif \ - /src/internal /src/cmd + /src/internal /src/cmd || true echo "After semgrep:" ls -la
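Review bot: With `|| true` back on the Semgrep command and `--debug` still present, the final state of this series means the SAST stage cannot fail, and the only remaining evidence that a scan happened is whether `semgrep.sarif` exists when the upload stage runs — which is not checked either. At minimum guard the handoff: put `test -s semgrep.sarif` as the first line of the `Upload to DefectDojo` script (or directly after the `docker run`) so the build fails when Semgrep produced no report, and delete any previous report before the scan so a stale file cannot satisfy that test. The `|| true` has been added, removed and re-added across patches 07, 11, 12, 13 and 15, so it deserves a comment in the Jenkinsfile stating why it is there, e.g. `// tolerate semgrep's non-zero exit here; DefectDojo, not this stage, is the gate`.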