Skip to content

Commit

Permalink
Update config.yml
Browse files Browse the repository at this point in the history
  • Loading branch information
rfaircloth-splunk committed Oct 7, 2019
1 parent 311454f commit 2673b71
Showing 1 changed file with 64 additions and 14 deletions.
78 changes: 64 additions & 14 deletions .circleci/config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,6 @@ jobs:
- checkout
- setup_remote_docker
- run: docker pull $IMAGE_NAME:$CIRCLE_SHA1
- run: sudo mkdir /clair-reports
- snyk/scan:
docker-image-name: $IMAGE_NAME:$CIRCLE_SHA1

Expand All @@ -168,19 +167,70 @@ jobs:
environment:
IMAGE_NAME: rfaircloth/scs
steps:
- clair-scanner/scan:
image: $IMAGE_NAME:$CIRCLE_SHA1
whitelist: clair-whitelist.yml
# - run:
# command: |
# mkdir -p /root/project/test-results
# pip install -r requirements.txt
# python clair_to_junit_parser.py "/clair-reports/$IMAGE_NAME:$CIRCLE_SHA1.json" --output test-results/results.xml
# when: on_fail
# - store_test_results:
# path: test-results/results.xml
# - store_artifacts:
# path: /clair-reports
- checkout
- setup_remote_docker:
- run:
name: "Vulnerability scan"
command: |
#!/usr/bin/env bash
set -e
REPORT_DIR=clair-reports
mkdir $REPORT_DIR
DB=$(docker run -p 5432:5432 -d arminc/clair-db:latest)
CLAIR=$(docker run -p 6060:6060 --link "$DB":postgres -d arminc/clair-local-scan:latest)
CLAIR_SCANNER=$(docker run -v /var/run/docker.sock:/var/run/docker.sock -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null)
clair_ip=$(docker exec -it "$CLAIR" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')
scanner_ip=$(docker exec -it "$CLAIR_SCANNER" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')
docker cp "clair-whitelist.yml" "$CLAIR_SCANNER:/whitelist.yml"
WHITELIST="-w /whitelist.yml"
function scan() {
local image=$1
# replace forward-slashes and colons with underscores
munged_image=$(echo "$image" | sed 's/\//_/g' | sed 's/:/_/g')
sanitised_image_filename="${munged_image}.json"
local ret=0
local docker_cmd=(docker exec -it "$CLAIR_SCANNER" clair-scanner \
--ip "$scanner_ip" \
--clair=http://"$clair_ip":6060 \
-t "high" \
--report "/$sanitised_image_filename" \
--log "/log.json" ${WHITELIST:+"-x"}
--reportAll=true \
--exit-when-no-features=false \
"$image")
docker pull "$image"
"${docker_cmd[@]}" 2>&1 || ret=$?
if [ $ret -eq 0 ]; then
echo "No unapproved vulnerabilities"
elif [ $ret -eq 1 ]; then
echo "Unapproved vulnerabilities found"
EXIT_STATUS=1
elif [ $ret -eq 5 ]; then
echo "Image was not scanned, not supported."
EXIT_STATUS=1
else
echo "Unknown clair-scanner return code $ret."
EXIT_STATUS=1
fi
docker cp "$CLAIR_SCANNER:/$sanitised_image_filename" "$REPORT_DIR/$sanitised_image_filename" || true
}
EXIT_STATUS=0
scan "$IMAGE_NAME:$CIRCLE_SHA1"
exit $EXIT_STATUS
- store_artifacts:
path: clair-reports


publish-common:
Expand Down

0 comments on commit 2673b71

Please sign in to comment.