-
Notifications
You must be signed in to change notification settings - Fork 23
/
jenkinfile1
142 lines (123 loc) · 4.61 KB
/
jenkinfile1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
pipeline {
agent any
environment {
// Define environment variables
IMAGE_NAME = 'cloudsihmar/pett'
PORT_MAPPING = '9090:8080'
CONTAINER_NAME = 'pett'
TAG = "${BUILD_NUMBER}"
}
stages {
stage('clean workspace') {
steps {
cleanWs()
}
}
stage('git') {
steps {
git 'https://github.com/CloudSihmar/pet.git'
}
}
// SAST starts here
stage('Static code analysis') {
environment {
SCANNER_HOME = tool 'scanner'
}
steps {
withSonarQubeEnv('sonar-server') {
sh """${SCANNER_HOME}/bin/sonar-scanner \\
-Dsonar.projectKey=cloudsihmar_pet \\
-Dsonar.projectName=cloudsihmar_pet\\
-Dsonar.projectVersion=${BUILD_NUMBER} \\
-Dsonar.sources=src/main/java \\
-Dsonar.tests=src/test/java \\
-Dsonar.exclusions='src/main/resources/**/*.java,src/test/**/*.java,src/pmd/**/*,**/*.properties'
"""
}
}
}
// SAST ends here
// Quality Gate stage starts (abortPipeline if true then build will fail if doent meet the criteria)
stage("quality gate"){
steps {
script {
waitForQualityGate abortPipeline: true, credentialsId: 'sonar-secret'
}
}
}
// Quality Gate ends
// Build starts here
stage("maven build"){
steps {
script {
sh 'mvn clean package'
}
}
}
// Build ends here
// Software composition analysis starts
stage('OWASP FS SCAN') {
steps {
dependencyCheck additionalArguments: '--format HTML --scan target/', odcInstallation: 'Owasp dependency check'
dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
}
}
//Software composition analysis ends
// Image Stage (dockerhub is the cred id and varibles created from username and password stored)
stage('Image') {
steps {
withCredentials([usernamePassword(credentialsId: 'dockerhub', passwordVariable: 'docker_password', usernameVariable: 'docker_username')]) {
sh "docker login -u ${docker_username} -p ${docker_password}"
// Build and push Docker image
sh "docker build -t $IMAGE_NAME:${BUILD_NUMBER} -f Dockerfile.v3 ."
sh "docker push $IMAGE_NAME:${BUILD_NUMBER}"
}
}
}
// Image Stage ends here
// Trivy scan starts
stage("TRIVY-IMAGE-SCAN-JSON"){
steps{
sh "trivy image $IMAGE_NAME:${BUILD_NUMBER} --no-progress --format json --output result.json --severity HIGH,CRITICAL"
}
}
// Trivy stage ends
// Trivy scan starts
stage("TRIVY-IMAGE-SCAN-HTML"){
steps{
sh "trivy image $IMAGE_NAME:$BUILD_NUMBER --format template --template "@/usr/local/share/trivy/templates/html.tpl" --output result.html --severity HIGH,CRITICAL"
}
}
// Trivy stage ends
// approval stage
stage('approval') {
steps {
input 'please approve to deploy a container'
}
}
// approval stage ends here
// Deploy stage starts here
stage('Deploy') {
steps {
// Deploy the Docker image to your environment (e.g., Kubernetes, Docker Swarm)
sh '''if [ "$(docker ps -aq -f name=$CONTAINER_NAME)" ]; then
echo "Stopping and removing existing container..."
docker stop $CONTAINER_NAME
docker rm $CONTAINER_NAME
fi'''
sh 'docker run -d -p 9090:8080 --name $CONTAINER_NAME $IMAGE_NAME:${BUILD_NUMBER}'
}
}
// Deploy stage ends here
// DAST scanning starts
stage('DAST-Analysis') {
steps {
script {
def output = sh(script: 'docker run ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t public-ip:9090 || echo "Command 3 failed with exit code $?"', returnStdout: true)
writeFile file: 'zap_scan_output.txt', text: output
}
}
}
// DAST scanning ends here
}
}