diff --git a/Jenkinsfile b/Jenkinsfile
index 8b1a93a..cacc7b9 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -7,39 +7,65 @@ pipeline { } environment { - // --- Configure these for your registry --- - // For Gitea Container Registry (Packages), this is typically your Gitea host. - // Examples: - // REGISTRY = "git.brammie15.dev" (HTTPS) - // REGISTRY = "git.brammie15.dev:5050" (if your registry runs on a port) - REGISTRY = "git.brammie15.dev" - - // Image path in the registry. For Gitea/GitLab-style registries this is often: - // / (or sometimes //) - IMAGE_NAME = "brammie15/resendit" - - // Jenkins credential (Username/Password or token-as-password) that can push to the registry. - // Create it in Jenkins: Manage Jenkins -> Credentials + REGISTRY = "git.brammie15.dev" + IMAGE_NAME = "brammie15/resendit" REGISTRY_CREDS = "registry-creds" - - IMAGE = "${REGISTRY}/${IMAGE_NAME}" + IMAGE = "${REGISTRY}/${IMAGE_NAME}" + DD_URL = "https://DD.brammie15.dev" + DD_API_KEY = credentials('dd-api-key') + NVD_API_KEY = credentials("nvd-api-key") } stages { + + stage('Debug') { + steps { + sh 'echo "WORKSPACE: $WORKSPACE" && echo "PWD: $(pwd)" && ls -la' + } + } + stage('Checkout') { steps { checkout scm } } + stage('SAST - Semgrep') { + steps { + sh """ + docker run --rm -v "\$(pwd):/src" \ + returntocorp/semgrep \ + semgrep scan --config=p/ci --debug \ + --sarif --output /src/semgrep.sarif \ + /src/internal /src/cmd || true + + echo "After semgrep:" + ls -la + """ + } + } + + stage('Upload to DefectDojo') { + steps { + sh """ + curl -X POST "${DD_URL}/api/v2/import-scan/" \ + -H "Authorization: Token ${DD_API_KEY}" \ + -F "scan_type=SARIF" \ + -F "file=@\$(pwd)/semgrep.sarif" \ + -F "product_name=ReSendit" \ + -F "engagement_name=Jenkins-CI" \ + -F "auto_create_context=true" \ + -F "close_old_findings=true" + """ + } + } + stage('Build image') { steps { script { def shortSha = sh(script: 'git rev-parse --short=12 HEAD', returnStdout: true).trim() env.IMAGE_TAG_SHA = shortSha - sh """ - docker version docker build \ --build-arg GIT_COMMIT=${IMAGE_TAG_SHA} \ -t 
${IMAGE}:${IMAGE_TAG_SHA} . @@ -51,9 +77,7 @@ pipeline { stage('Login to registry') { steps { withCredentials([usernamePassword(credentialsId: "${REGISTRY_CREDS}", usernameVariable: 'REG_USER', passwordVariable: 'REG_PASS')]) { - sh """ - echo "$REG_PASS" | docker login ${REGISTRY} -u "$REG_USER" --password-stdin - """ + sh 'echo "$REG_PASS" | docker login ${REGISTRY} -u "$REG_USER" --password-stdin' } } } @@ -61,19 +85,13 @@ pipeline { stage('Push image') { steps { script { - // Always push the commit SHA tag sh "docker push ${IMAGE}:${IMAGE_TAG_SHA}" - - // Also push a branch tag (handy for test environments) def branch = (env.BRANCH_NAME ?: sh(script: 'git rev-parse --abbrev-ref HEAD', returnStdout: true).trim()) def safeBranch = branch.replaceAll('[^a-zA-Z0-9_.-]', '-') - sh """ docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:${safeBranch} docker push ${IMAGE}:${safeBranch} """ - - // Only push 'latest' from master if (branch == 'master') { sh """ docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:latest @@ -83,14 +101,15 @@ pipeline { } } } + } post { always { sh 'docker logout ${REGISTRY} || true' - // Keep agents from filling up over time sh 'docker image rm -f ${IMAGE}:${IMAGE_TAG_SHA} || true' sh 'docker image prune -f || true' +// sh 'rm -f semgrep.sarif || true' } } -} +} \ No newline at end of file
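Review bot: In the new 'Upload to DefectDojo' stage the API token is spliced into the shell script by Groovy interpolation (`-H "Authorization: Token ${DD_API_KEY}"` inside `sh """…"""`), so the secret becomes part of the script text handed to the agent instead of being read from the environment at run time; Jenkins flags exactly this pattern, and the script should be single-quoted so the shell expands `$DD_API_KEY` and `$(pwd)` itself (the `\$` escapes then go away). The preceding semgrep step ends in `|| true` and the curl call has no `--fail`, so a scan that never ran (config download error, pull failure, absent `semgrep.sarif`) or an upload rejected with a 4xx still passes the stage, and together with `close_old_findings=true` an empty result would silently close every open finding for that engagement in DefectDojo; guard on the file existing and fail on HTTP errors. `returntocorp/semgrep` is pulled with no tag or digest, so the scanner version drifts under the pipeline — pin it. `NVD_API_KEY` is added to `environment` but not used by any stage in this hunk; presumably a later step needs it, otherwise it is exported to every stage for nothing.
```groovy
stage('Upload to DefectDojo') {
    steps {
        sh '''
            test -s semgrep.sarif
            curl --fail -X POST "$DD_URL/api/v2/import-scan/" \
                -H "Authorization: Token $DD_API_KEY" \
                -F "scan_type=SARIF" \
                -F "file=@$(pwd)/semgrep.sarif" \
                -F "product_name=ReSendit" \
                -F "engagement_name=Jenkins-CI" \
                -F "auto_create_context=true" \
                -F "close_old_findings=true"
        '''
    }
}
```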
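Review bot: The cleanup of the scan output is left commented out (`// sh 'rm -f semgrep.sarif || true'`) in the `post { always { … } }` block, so `semgrep.sarif` — which carries file paths and matched source snippets from the repository — stays in the workspace after the build, and because the semgrep step is followed by `|| true` a stale copy from a previous run could be uploaded if the scanner fails early. Either enable that line or replace it with `cleanWs()` in `always`, and drop the dead commented-out line (currently at column 0 inside the post block) rather than leaving it as a reminder.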