-
Notifications
You must be signed in to change notification settings - Fork 9
/
cloudbuild.yaml
114 lines (96 loc) · 4.3 KB
/
cloudbuild.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# Copyright 2022 Google LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
steps:
- name: 'gcr.io/$PROJECT_ID/sonar-scanner:latest'
id: '0: Sonarqube Integration - code quality inspection'
args:
- '-Dsonar.host.url=https://sonarcloud.io'
- '-Dsonar.login=$_SONAR_LOGIN'
- '-Dsonar.projectKey=$_SONAR_PROJECT'
- '-Dsonar.organization=$_SONAR_ORG'
- '-Dsonar.sources=.'
- name: 'gcr.io/cloud-builders/docker'
id: '1 Linting Dockerfile for Static Analysis'
entrypoint: bash
args:
- '-c'
- |
docker run --rm -i hadolint/hadolint hadolint -f json - < ./Dockerfile > /workspace/res.txt ; \
if [[ $(cat res.txt | wc -c) -gt 3 ]] ; then echo 'Static Analysis failed' && cat res.txt && exit 1; else echo 'Linting passed'; fi
- name: 'gcr.io/cloud-builders/docker'
id: '2 Build Docker Image'
args: [ 'build', '-t', '$_IMAGE_NAME:$SHORT_SHA', '.' ]
- name: 'gcr.io/cloud-builders/docker'
id: '3 Push Docker Image to Repository'
args: [ 'push', '$_IMAGE_NAME:$SHORT_SHA']
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
id: '4 Run Common Vulnerability Analysis scan'
entrypoint: sh
args:
- '-c'
- |
gcloud artifacts docker images scan $_IMAGE_NAME:$SHORT_SHA \
--format='value(response.scan)' > /workspace/scan_id.txt
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
id: '5 Validate CVE Scan'
entrypoint: bash
args:
- '-c'
- |
gcloud artifacts docker images list-vulnerabilities $(cat /workspace/scan_id.txt) \
--format='value(vulnerability.effectiveSeverity)' | grep 'HIGH'| wc -l>/workspace/total.txt; \
if [[ $(cat /workspace/total.txt) -gt 3 ]] ; then echo 'CVE failed' && exit 1; else echo 'CVE passed'; fi
- name: 'gcr.io/$PROJECT_ID/cloudbuild-attestor'
id: '6 Attest Image (Binary Auth)'
entrypoint: 'sh'
args:
- -xe
- -c
- |-
FQ_DIGEST=$(gcloud container images describe --format 'value(image_summary.fully_qualified_digest)' $_IMAGE_NAME:$SHORT_SHA)
/scripts/create_attestation.sh \
-p "$PROJECT_ID" \
-i "$${FQ_DIGEST}" \
-a "$_VULNZ_ATTESTOR" \
-v "$_VULNZ_KMS_KEY_VERSION" \
-k "$_VULNZ_KMS_KEY" \
-l "$_KMS_LOCATION" \
-r "$_KMS_KEYRING"
- name: 'gcr.io/cloud-builders/gcloud'
id: '7 Generate Kubernetes manifest'
entrypoint: /bin/sh
args:
- '-c'
- |-
DIGEST=$(gcloud container images describe --format 'value(image_summary.digest)' $_IMAGE_NAME:$SHORT_SHA)
sed "s/DIGEST/$${DIGEST}/g" manifests/gradle-app.yaml.tpl > manifests/gradle-app.yaml
- name: 'gcr.io/cloud-builders/docker'
id: '8 Kubesec Scan for Kubernetes Resources'
entrypoint: bash
args:
- '-c'
- |
docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < manifests/gradle-app.yaml.tpl>/workspace/kubesec.json ; \
if [[ $(cat /workspace/kubesec.json | docker run --rm -i imega/jq .[0].score) -gt 3 ]]; then echo 'Kubesec Analysis Passed' ; else echo 'Kubesec Analysis Failed' && cat /workspace/kubesec.json && exit 1; fi
- name: 'gcr.io/cloud-builders/docker'
id: '9 Security Unit testing with Conftest'
entrypoint: bash
args:
- '-c'
- |
docker run --rm -v $(pwd):/project openpolicyagent/conftest test Dockerfile>/workspace/conftest.txt; \
if [[ $(cat /workspace/conftest.txt | grep 'FAIL'| wc -l) -gt 0 ]] ; then echo 'Conftest failed' && cat /workspace/conftest.txt && exit 1; else echo 'Conftest Passed'; fi
- name: 'gcr.io/cloud-builders/kubectl'
id: '10 Deploy Kubernetes Manifest to GKE'
args: [ 'apply', '-f', 'manifests/gradle-app.yaml' ]
env:
- 'CLOUDSDK_COMPUTE_REGION=australia-southeast1-b'
- 'CLOUDSDK_CONTAINER_CLUSTER=software-secure-supply'