From bffc53c8b7534ae8167b62805579ae39bd17cf06 Mon Sep 17 00:00:00 2001 From: Dustin Van Buskirk Date: Mon, 2 Apr 2018 15:34:56 -0700 Subject: [PATCH 1/6] adding in yaml for Twistlock scanning build step --- codefresh.yml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/codefresh.yml b/codefresh.yml index d6ca58c3d..4a3f5343b 100644 --- a/codefresh.yml +++ b/codefresh.yml 
@@ -29,6 +29,48 @@ steps: test: image: '${{build_step}}' command: npm test + + TwistlockScanImage: + type: composition + composition: + version: '2' + services: + targetimage: + image: ${{build_step}} # Must be the Docker build step name + command: sh -c "exit 0" + labels: + build.image.id: ${{CF_BUILD_ID}} # Provides a lookup for the composition + composition_candidates: + scan_service: + image: codefresh/docker-twistcli:latest # Recommend replacing with current Twistlock Console version + environment: # Add only the Environment Variables you need + - CODEFRESH_CLI_KEY=${{CODEFRESH_CLI_KEY}} # Required + - CONSOLE_HOSTNAME=${{CONSOLE_HOSTNAME}} # Required + - CONSOLE_PORT=${{CONSOLE_PORT}} # Required + - CONSOLE_USERNAME=${{CONSOLE_USERNAME}} # Required + - CONSOLE_PASSWORD=${{CONSOLE_PASSWORD}} # Required + - COMPLIANCE_THRESHOLD=${{COMPLIANCE_THRESHOLD}} # Optional Example + - VULNERABILITY_THRESHOLD=${{VULNERABILITY_THRESHOLD}} # Optional Example + - DETAILS=true + command: python /twistlock-cli.py "docker inspect $$(docker inspect $$(docker ps -aqf label=build.image.id=${{CF_BUILD_ID}}) -f {{.Config.Image}}) -f {{.Id}} | sed 's/sha256://g'" + depends_on: + - targetimage + volumes: # Volumes required to run DIND + - /var/run/docker.sock:/var/run/docker.sock + - /var/lib/docker:/var/lib/docker + add_flow_volume_to_composition: true + on_success: # Execute only once the step succeeded + metadata: # Declare the metadata attribute + set: # Specify the set operation + - ${{build_step.imageId}}: # Select any number of target images + - SECURITY_SCAN: true + + on_fail: # Execute only once the step failed + metadata: # Declare the metadata attribute + set: # Specify the set operation + - ${{build_step.imageId}}: # Select any number of target images + - SECURITY_SCAN: false + push_to_registry: title: Push To Registry type: push From 547e4b25c3ccc448819a2c43329c258073fe9f68 Mon Sep 17 00:00:00 2001 
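Review bot: The `on_fail` hook at the end of the new `TwistlockScanImage` step only annotates the image with `SECURITY_SCAN: false`; nothing in this hunk prevents the `push_to_registry` step that follows from publishing an image whose scan failed. Whether the pipeline halts depends on the exit status of `/twistlock-cli.py`, and the only inputs that look like they decide pass/fail, `COMPLIANCE_THRESHOLD` and `VULNERABILITY_THRESHOLD`, are marked "Optional Example", so with them unset the step presumably exits 0 and `on_success` stamps `SECURITY_SCAN: true` regardless of findings — the wrapper itself is not in this diff, so confirm. If the annotation is meant to be an enforcement point, make the threshold variables required and gate the push on the scan outcome, e.g. add to `push_to_registry` `when: {condition: {all: {scanPassed: 'steps.TwistlockScanImage.result == "success"'}}}` (assuming the Codefresh version in use exposes step results in conditions). The `push_to_registry` step continues past the end of the hunk.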
From: Dustin Van Buskirk Date: Mon, 2 Apr 2018 16:15:47 -0700 Subject: [PATCH 2/6] adding Twistlock scan to fullpipeline --- fullpipeline.yml | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/fullpipeline.yml b/fullpipeline.yml index 9f6740f4a..7dc5496fc 100644 --- a/fullpipeline.yml +++ b/fullpipeline.yml 
@@ -60,6 +60,47 @@ steps: set: - '${{BuildingDockerImage.imageId}}': - CF_QUALITY: false + TwistlockScanImage: + title: Running Security Tests + type: composition + composition: + version: '2' + services: + targetimage: + image: ${{build_step}} # Must be the Docker build step name + command: sh -c "exit 0" + labels: + build.image.id: ${{CF_BUILD_ID}} # Provides a lookup for the composition + composition_candidates: + scan_service: + image: codefresh/docker-twistcli:latest # Recommend replacing with current Twistlock Console version + environment: # Add only the Environment Variables you need + - CODEFRESH_CLI_KEY=${{CODEFRESH_CLI_KEY}} # Required + - CONSOLE_HOSTNAME=${{CONSOLE_HOSTNAME}} # Required + - CONSOLE_PORT=${{CONSOLE_PORT}} # Required + - CONSOLE_USERNAME=${{CONSOLE_USERNAME}} # Required + - CONSOLE_PASSWORD=${{CONSOLE_PASSWORD}} # Required + - COMPLIANCE_THRESHOLD=${{COMPLIANCE_THRESHOLD}} # Optional Example + - VULNERABILITY_THRESHOLD=${{VULNERABILITY_THRESHOLD}} # Optional Example + - DETAILS=true + command: python /twistlock-cli.py "docker inspect $$(docker inspect $$(docker ps -aqf label=build.image.id=${{CF_BUILD_ID}}) -f {{.Config.Image}}) -f {{.Id}} | sed 's/sha256://g'" + depends_on: + - targetimage + volumes: # Volumes required to run DIND + - /var/run/docker.sock:/var/run/docker.sock + - /var/lib/docker:/var/lib/docker + add_flow_volume_to_composition: true + on_success: # Execute only once the step succeeded + metadata: # Declare the metadata attribute + set: # Specify the set operation + - ${{build_step.imageId}}: # Select any number of target images + - SECURITY_SCAN: true + + on_fail: # Execute only once the step failed + metadata: # Declare the metadata attribute + set: # Specify the set operation + - ${{build_step.imageId}}: # Select any number of target images + - SECURITY_SCAN: false add_jira_info: title: Parsing jira Commit image: r.cfcr.io/razielt77_github/containers101/annotator:master 
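Review bot: The `scan_service` container added here is pulled as `codefresh/docker-twistcli:latest`, is bind-mounted the host Docker socket and `/var/lib/docker`, and receives `CONSOLE_PASSWORD` and `CODEFRESH_CLI_KEY` in its environment, so whoever can publish a new `latest` tag for that image gets root-equivalent control of the build host plus the Twistlock console and Codefresh credentials. Pin the scanner to an immutable reference, e.g. `image: codefresh/docker-twistcli@sha256:<digest>` (or at minimum a version tag matching the Console, as the inline comment already recommends), and treat bumps as reviewed changes. The visible `command` only runs `docker ps` and `docker inspect` through the socket; if the wrapper does not read image layers from disk itself, the `/var/lib/docker` mount can be dropped — worth confirming against the wrapper before removing it. Separately, `image: ${{build_step}}` and `${{build_step.imageId}}` are written unquoted while the surrounding steps quote the same kind of expression (`'${{BuildingDockerImage.imageId}}'`); quoting templated scalars keeps the YAML parser from retyping them.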
From 4d00608deb8f373bea70b1eaafbcb606a4ba8060 Mon Sep 17 00:00:00 2001 From: Dustin Van Buskirk Date: Mon, 2 Apr 2018 16:31:13 -0700 Subject: [PATCH 3/6] updating the build step name --- fullpipeline.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fullpipeline.yml b/fullpipeline.yml index 7dc5496fc..d58186eb3 100644 --- a/fullpipeline.yml +++ b/fullpipeline.yml @@ -67,7 +67,7 @@ steps: version: '2' services: targetimage: - image: ${{build_step}} # Must be the Docker build step name + image: ${{BuildingDockerImage}} # Must be the Docker build step name command: sh -c "exit 0" labels: build.image.id: ${{CF_BUILD_ID}} # Provides a lookup for the composition @@ -93,13 +93,13 @@ steps: on_success: # Execute only once the step succeeded metadata: # Declare the metadata attribute set: # Specify the set operation - - ${{build_step.imageId}}: # Select any number of target images + - ${{BuildingDockerImage.imageId}}: # Select any number of target images - SECURITY_SCAN: true on_fail: # Execute only once the step failed metadata: # Declare the metadata attribute set: # Specify the set operation - - ${{build_step.imageId}}: # Select any number of target images + - ${{BuildingDockerImage.imageId}}: # Select any number of target images - SECURITY_SCAN: false add_jira_info: title: Parsing jira Commit From 416a3e7143196cb1e9abc33055026131078a2c32 Mon Sep 17 00:00:00 2001 From: Dustin Van Buskirk Date: Mon, 2 Apr 2018 16:46:47 -0700 Subject: [PATCH 4/6] not using thresholds for demo --- codefresh.yml | 2 -- fullpipeline.yml | 14 ++++++-------- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/codefresh.yml b/codefresh.yml index 4a3f5343b..3a8c7bebf 100644 --- a/codefresh.yml +++ b/codefresh.yml 
@@ -49,8 +49,6 @@ steps: - CONSOLE_PORT=${{CONSOLE_PORT}} # Required - CONSOLE_USERNAME=${{CONSOLE_USERNAME}} # Required - CONSOLE_PASSWORD=${{CONSOLE_PASSWORD}} # Required - - COMPLIANCE_THRESHOLD=${{COMPLIANCE_THRESHOLD}} # Optional Example - - VULNERABILITY_THRESHOLD=${{VULNERABILITY_THRESHOLD}} # Optional Example - DETAILS=true command: python /twistlock-cli.py "docker inspect $$(docker inspect $$(docker ps -aqf label=build.image.id=${{CF_BUILD_ID}}) -f {{.Config.Image}}) -f {{.Id}} | sed 's/sha256://g'" depends_on: diff --git a/fullpipeline.yml b/fullpipeline.yml index d58186eb3..3c9595430 100644 --- a/fullpipeline.yml +++ b/fullpipeline.yml @@ -11,7 +11,7 @@ steps: title: Running Unit Tests image: '${{BuildingDockerImage}}' working_directory: IMAGE_WORK_DIR - commands: + commands: - bash unit_test.sh on_success: metadata: @@ -22,7 +22,7 @@ steps: metadata: set: - '${{BuildingDockerImage.imageId}}': - - CF_QUALITY: false + - CF_QUALITY: false RunningPerformanceTests: title: Running Performance Tests type: composition @@ -41,14 +41,14 @@ steps: command: bash runtests environment: - CF_VOLUME_PATH=${{CF_VOLUME_PATH}} - - TOKEN=${{TOKEN}} + - TOKEN=${{TOKEN}} volumes: - '${{CF_VOLUME_NAME}}:/codefresh/volume' add_flow_volume_to_composition: true when: condition: all: - testresults: '"${{FAIL}}" == "0"' + testresults: '"${{FAIL}}" == "0"' on_success: metadata: set: @@ -80,8 +80,6 @@ steps: - CONSOLE_PORT=${{CONSOLE_PORT}} # Required - CONSOLE_USERNAME=${{CONSOLE_USERNAME}} # Required - CONSOLE_PASSWORD=${{CONSOLE_PASSWORD}} # Required - - COMPLIANCE_THRESHOLD=${{COMPLIANCE_THRESHOLD}} # Optional Example - - VULNERABILITY_THRESHOLD=${{VULNERABILITY_THRESHOLD}} # Optional Example - DETAILS=true command: python /twistlock-cli.py "docker inspect $$(docker inspect $$(docker ps -aqf label=build.image.id=${{CF_BUILD_ID}}) -f {{.Config.Image}}) -f {{.Id}} | sed 's/sha256://g'" depends_on: 
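Review bot: Dropping `COMPLIANCE_THRESHOLD` and `VULNERABILITY_THRESHOLD` from the `scan_service` environment (here and in the mirrored `fullpipeline.yml` hunk at `@@ -80,8 +80,6 @@`) removes the only inputs that appear to decide whether the scan step fails, yet the step's `on_success` hook added earlier in this series still writes `SECURITY_SCAN: true` onto the image. If the wrapper exits 0 whenever no threshold is set — the "Optional Example" comments being removed suggest so, but the wrapper is not in this diff — every image now receives a passing annotation regardless of findings, and the commit message says this is being done for a demo. Keep the two variables wired, e.g. `- VULNERABILITY_THRESHOLD=${{VULNERABILITY_THRESHOLD}}` with a real value set in the pipeline's variables, or rename the annotation to something like `SECURITY_SCANNED` so downstream consumers do not read it as a pass.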
@@ -137,7 +135,7 @@ steps: when: condition: all: - testresults: '"${{FAIL}}" == "1"' + testresults: '"${{FAIL}}" == "1"' passfail: title: failed image: alpine @@ -149,4 +147,4 @@ steps: set: - '${{BuildingDockerImage.imageId}}': - CF_QUALITY: false - + From aab4d96c9f11f8579d1dff64855b6b434d9eab4d Mon Sep 17 00:00:00 2001 From: Dustin Van Buskirk Date: Tue, 3 Apr 2018 06:47:39 -0700 Subject: [PATCH 5/6] CF-5100 updating title of build step --- fullpipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fullpipeline.yml b/fullpipeline.yml index 3c9595430..f7ae305eb 100644 --- a/fullpipeline.yml +++ b/fullpipeline.yml @@ -61,7 +61,7 @@ steps: - '${{BuildingDockerImage.imageId}}': - CF_QUALITY: false TwistlockScanImage: - title: Running Security Tests + title: Running Twistlock Security Tests type: composition composition: version: '2' From 2e6e478a2fe10bef1219c12c6ebc21c00bec4bff Mon Sep 17 00:00:00 2001 From: Dustin Van Buskirk Date: Mon, 23 Apr 2018 17:37:17 -0700 Subject: [PATCH 6/6] using sctechdev --- fullpipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fullpipeline.yml b/fullpipeline.yml index f7ae305eb..9467ed617 100644 --- a/fullpipeline.yml +++ b/fullpipeline.yml @@ -73,7 +73,7 @@ steps: build.image.id: ${{CF_BUILD_ID}} # Provides a lookup for the composition composition_candidates: scan_service: - image: codefresh/docker-twistcli:latest # Recommend replacing with current Twistlock Console version + image: sctechdev/docker-twistcli:latest # Recommend replacing with current Twistlock Console version environment: # Add only the Environment Variables you need - CODEFRESH_CLI_KEY=${{CODEFRESH_CLI_KEY}} # Required - CONSOLE_HOSTNAME=${{CONSOLE_HOSTNAME}} # Required
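Review bot: Switching `scan_service` from `codefresh/docker-twistcli:latest` to `sctechdev/docker-twistcli:latest` moves the scanner to a different public registry namespace while keeping a mutable tag, and per the step as added earlier in this series this container runs with `/var/run/docker.sock` mounted and `CONSOLE_PASSWORD`/`CODEFRESH_CLI_KEY` in its environment. Anyone who can push to that namespace can replace `latest` and run arbitrary code against the build host's Docker daemon with the Twistlock console credentials in hand, so the ownership and provenance of `sctechdev` should be recorded in the commit and the reference pinned, e.g. `image: sctechdev/docker-twistcli@sha256:<digest of the reviewed build>`. The inline comment on the same line still says to replace `latest` with the current Console version; this change was the moment to do that.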