-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathconfig.yml
127 lines (118 loc) · 3.53 KB
/
config.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
version: 2.1
orbs:
aws-ecr: circleci/[email protected]
aws-cli: circleci/[email protected]
jobs:
build-image:
docker:
- image: cimg/python:3.12.8
steps:
- checkout
- setup_remote_docker:
version: 20.10.24
docker_layer_caching: true
- aws-ecr/ecr_login
- run:
name: Build xreds image
command: docker build --build-arg="ROOT_PATH=/xreds/" -t ${ECR_REPO}:latest .
- run:
name: Archive Docker image
command: docker save -o image.tar ${ECR_REPO}:latest
- persist_to_workspace:
root: .
paths:
- image.tar
scan-image:
docker:
- image: cimg/python:3.12.8
parameters:
recipient_emails:
type: string
steps:
- attach_workspace:
at: /tmp/workspace
- setup_remote_docker:
version: 20.10.24
- run:
name: Apply environment variables
command: |
echo 'export RECIPIENT_EMAILS=<<parameters.recipient_emails>>' >> $BASH_ENV
echo 'export REPO_NAME=$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME' >> $BASH_ENV
- run:
name: Load archived image
command: docker load -i /tmp/workspace/image.tar
- run:
name: Install Grype
command: |
mkdir -p $HOME/bin
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b $HOME/bin
echo 'export PATH=$HOME/bin:$PATH' >> $BASH_ENV
source $BASH_ENV
- run:
name: Scan the Docker image with Grype
command: |
mkdir scans
curl https://asa-dev.s3.amazonaws.com/scripts/grype.tmpl > ./grype.tmpl
grype -o template -t ./grype.tmpl ${ECR_REPO}:latest > ./scans/xreds.csv
- run:
name: Check vulnerabilities
command: |
curl https://asa-dev.s3.amazonaws.com/scripts/grype_whitelist.csv > ./whitelist.csv
curl https://asa-dev.s3.amazonaws.com/scripts/check_vulnerabilities.py > ./check_vulnerabilities.py
python3 ./check_vulnerabilities.py
push-image:
docker:
- image: cimg/python:3.12.8
parameters:
image_tag:
type: string
default: "latest"
steps:
- attach_workspace:
at: /tmp/workspace
- setup_remote_docker:
version: 20.10.24
- aws-cli/setup
- aws-ecr/ecr_login:
public_registry: true
- run:
name: Load archived image
command: docker load -i /tmp/workspace/image.tar
- run:
name: Tag and Push xreds image
command: |
IMAGE_TAG=<<parameters.image_tag>>
docker tag ${ECR_REPO}:latest "${ECR_ENDPOINT}/${ECR_REPO}:${IMAGE_TAG}"
docker push "${ECR_ENDPOINT}/${ECR_REPO}:${IMAGE_TAG}"
workflows:
build-scan-push:
jobs:
- build-image:
filters:
branches:
only:
- main
- scan-image:
recipient_emails: "[email protected]"
requires:
- build-image
- push-image:
requires:
- build-image
scheduled-build-scan-push:
jobs:
- build-image
- scan-image:
recipient_emails: "[email protected]"
requires:
- build-image
- push-image:
requires:
- build-image
triggers:
- schedule:
cron: "0 9 * * 1"
filters:
branches:
only:
- main