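# ACR Task: scan a source image with Trivy, patch fixable OS-package
# vulnerabilities with Copacetic (via a BuildKit daemon), then push the
# patched image under a "<tag>-patched" tag.
# Inputs: task values SOURCE_REPOSITORY and SOURCE_IMAGE_TAG; the registry
# host comes from .Run.Registry. Steps run in file order (no `when` set).
version: v1.1.0
steps:
  # Step 1: echo the image reference that will be scanned and patched.
  - id: print-inputs
    cmd: |
      bash -c 'echo "Scan and Schedule Patch {{.Values.SOURCE_REPOSITORY}}:{{.Values.SOURCE_IMAGE_TAG}}"'

  # Step 2: create the shared output directory for the report
  # (relative to the task working directory, which later steps
  # address as /workspace).
  - id: setup-data-dir
    cmd: bash mkdir ./data

  # Step 3: vulnerability scan. `--vuln-type os --ignore-unfixed` limits the
  # report to OS packages that have a fix available — the set Copacetic can
  # patch — so this JSON is NOT a complete vulnerability inventory.
  # The date layout must be Go's reference time ("2006-01-02"); the earlier
  # "2023-01-02" is not a valid layout and yielded a day/hour-derived name.
  - id: generate-trivy-report
    cmd: |
      ghcr.io/aquasecurity/trivy image \
        {{.Run.Registry}}/{{.Values.SOURCE_REPOSITORY}}:{{.Values.SOURCE_IMAGE_TAG}} \
        --vuln-type os \
        --ignore-unfixed \
        --format json \
        --output /workspace/data/vulnerability-report_trivy_{{now | date "2006-01-02"}}.json

  # Step 4: BuildKit daemon used by the patch step. It stays running
  # (detach) and runs privileged — buildkitd needs that unless the rootless
  # variant is used. The daemon listens on all container interfaces, but the
  # port is only published on the host loopback address.
  - id: buildkitd
    cmd: moby/buildkit --addr tcp://0.0.0.0:8888
    entrypoint: buildkitd
    detach: true
    privileged: true
    ports: ["127.0.0.1:8888:8888/tcp"]

  # Step 5: confirm the report file exists before patching.
  - id: list-output-file
    cmd: bash ls -l /workspace/data

  # Step 6: patch. Host networking is presumably so the wrapper can reach
  # buildkitd at 127.0.0.1:8888 — confirm against the wrapper image.
  # NOTE(review): the report path is relative here but absolute in step 3;
  # confirm the wrapper resolves it against /workspace/data.
  # Arguments: <source image> <trivy report> <patched tag>.
  - id: patch-with_copa
    cmd: |
      ghcr.io/toddysm/cssc-framework/copacetic:1.0 \
        {{.Run.Registry}}/{{.Values.SOURCE_REPOSITORY}}:{{.Values.SOURCE_IMAGE_TAG}} \
        vulnerability-report_trivy_{{now | date "2006-01-02"}}.json \
        {{.Values.SOURCE_IMAGE_TAG}}-patched
    network: host

  # Step 7: publish the patched image next to the original, tagged "<tag>-patched".
  - id: push-image
    cmd: docker push {{.Run.Registry}}/{{.Values.SOURCE_REPOSITORY}}:{{.Values.SOURCE_IMAGE_TAG}}-patched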