115 lines
2.9 KiB
Groovy
115 lines
2.9 KiB
Groovy
pipeline {
|
|
agent any
|
|
|
|
options {
|
|
timestamps()
|
|
disableConcurrentBuilds()
|
|
}
|
|
|
|
environment {
|
|
REGISTRY = "git.brammie15.dev"
|
|
IMAGE_NAME = "brammie15/resendit"
|
|
REGISTRY_CREDS = "registry-creds"
|
|
IMAGE = "${REGISTRY}/${IMAGE_NAME}"
|
|
DD_URL = "https://DD.brammie15.dev"
|
|
DD_API_KEY = credentials('dd-api-key')
|
|
NVD_API_KEY = credentials("nvd-api-key")
|
|
}
|
|
|
|
stages {
|
|
|
|
stage('Debug') {
|
|
steps {
|
|
sh 'echo "WORKSPACE: $WORKSPACE" && echo "PWD: $(pwd)" && ls -la'
|
|
}
|
|
}
|
|
|
|
stage('Checkout') {
|
|
steps {
|
|
checkout scm
|
|
}
|
|
}
|
|
|
|
stage('SAST - Semgrep') {
|
|
steps {
|
|
sh """
|
|
docker run --rm -v "\$(pwd):/src" \
|
|
returntocorp/semgrep \
|
|
semgrep scan --config=auto \
|
|
--sarif --output /src/semgrep.sarif \
|
|
/src/internal /src/cmd || true
|
|
|
|
echo "After semgrep:"
|
|
ls -la
|
|
"""
|
|
}
|
|
}
|
|
|
|
stage('Upload to DefectDojo') {
|
|
steps {
|
|
sh """
|
|
curl -X POST "${DD_URL}/api/v2/import-scan/" \
|
|
-H "Authorization: Token ${DD_API_KEY}" \
|
|
-F "scan_type=SARIF" \
|
|
-F "file=@\$(pwd)/semgrep.sarif" \
|
|
-F "product_name=ReSendit" \
|
|
-F "engagement_name=Jenkins-CI" \
|
|
-F "auto_create_context=true" \
|
|
-F "close_old_findings=true"
|
|
"""
|
|
}
|
|
}
|
|
|
|
stage('Build image') {
|
|
steps {
|
|
script {
|
|
def shortSha = sh(script: 'git rev-parse --short=12 HEAD', returnStdout: true).trim()
|
|
env.IMAGE_TAG_SHA = shortSha
|
|
sh """
|
|
docker build \
|
|
--build-arg GIT_COMMIT=${IMAGE_TAG_SHA} \
|
|
-t ${IMAGE}:${IMAGE_TAG_SHA} .
|
|
"""
|
|
}
|
|
}
|
|
}
|
|
|
|
stage('Login to registry') {
|
|
steps {
|
|
withCredentials([usernamePassword(credentialsId: "${REGISTRY_CREDS}", usernameVariable: 'REG_USER', passwordVariable: 'REG_PASS')]) {
|
|
sh 'echo "$REG_PASS" | docker login ${REGISTRY} -u "$REG_USER" --password-stdin'
|
|
}
|
|
}
|
|
}
|
|
|
|
stage('Push image') {
|
|
steps {
|
|
script {
|
|
sh "docker push ${IMAGE}:${IMAGE_TAG_SHA}"
|
|
def branch = (env.BRANCH_NAME ?: sh(script: 'git rev-parse --abbrev-ref HEAD', returnStdout: true).trim())
|
|
def safeBranch = branch.replaceAll('[^a-zA-Z0-9_.-]', '-')
|
|
sh """
|
|
docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:${safeBranch}
|
|
docker push ${IMAGE}:${safeBranch}
|
|
"""
|
|
if (branch == 'master') {
|
|
sh """
|
|
docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:latest
|
|
docker push ${IMAGE}:latest
|
|
"""
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
post {
|
|
always {
|
|
sh 'docker logout ${REGISTRY} || true'
|
|
sh 'docker image rm -f ${IMAGE}:${IMAGE_TAG_SHA} || true'
|
|
sh 'docker image prune -f || true'
|
|
// sh 'rm -f semgrep.sarif || true'
|
|
}
|
|
}
|
|
} |