forked from sysdesign-code/dev-sec-ops-demo
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcloudbuild-vulnerable.yaml
55 lines (55 loc) · 2.88 KB
/
cloudbuild-vulnerable.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
steps:
- id: Build the Image
name: 'gcr.io/cloud-builders/docker'
entrypoint: /bin/bash
args:
- -c
- |
docker build -t us-central1-docker.pkg.dev/$PROJECT_ID/$_CONTAINER_REPO_NAME/cd:$REVISION_ID -f ./Dockerfile_vulnerable . &&
docker image inspect us-central1-docker.pkg.dev/$PROJECT_ID/$_CONTAINER_REPO_NAME/cd:$REVISION_ID
- id: Scan The Image
name: 'gcr.io/cloud-builders/gcloud'
entrypoint: /bin/bash
args:
- -c
- |
gcloud artifacts docker images scan us-central1-docker.pkg.dev/$PROJECT_ID/$_CONTAINER_REPO_NAME/cd:$REVISION_ID \
--format='value(response.scan)' > /workspace/scan_id.txt
- id: Check For Vulnerabilities within the Image
name: 'gcr.io/cloud-builders/gcloud'
entrypoint: /bin/bash
args:
- -c
- |
gcloud artifacts docker images list-vulnerabilities $(cat /workspace/scan_id.txt) \
--format='value(vulnerability.effectiveSeverity)' | if grep -Fxq $_SEVERITY; \
then echo 'Vulnerability check failed for docker image revision ID "$REVISION_ID", and will not be pushed to Artifact Registry Repo "$_CONTAINER_REPO_NAME" because "$_SEVERITY" checks are impacting the image and needs to be fixed' && exit 1; else exit 0; fi
- id: Push Image to Artifact Registry
name: 'gcr.io/cloud-builders/docker'
entrypoint: /bin/bash
args:
- -c
- |
docker push us-central1-docker.pkg.dev/$PROJECT_ID/$_CONTAINER_REPO_NAME/cd:$REVISION_ID
- id: Capture Image Digest Information
name: 'gcr.io/cloud-builders/gcloud'
entrypoint: /bin/bash
args:
- -c
- |
gcloud container images describe us-central1-docker.pkg.dev/$PROJECT_ID/$_CONTAINER_REPO_NAME/cd:$REVISION_ID \
--format='get(image_summary.digest)' > /workspace/digest.txt
- id: Create a cloud deploy release and this will also deploy the release to the first target ie dev
name: 'gcr.io/cloud-builders/gcloud'
entrypoint: /bin/bash
args:
- -c
- |
gcloud deploy releases create r-$REVISION_ID --project=$PROJECT_ID --region=us-central1 --delivery-pipeline=ci-cd-test --images=notes-app-image=us-central1-docker.pkg.dev/$PROJECT_ID/$_CONTAINER_REPO_NAME/cd@$(cat /workspace/digest.txt)
- id: Promote/deploy cloud deploy release to next stage ie staging
name: gcr.io/cloud-builders/gcloud
args: ['deploy', 'releases', 'promote', '--release=r-$REVISION_ID','--project=$PROJECT_ID','--region=us-central1','--delivery-pipeline=ci-cd-test', '--to-target=staging']
- id: Promote/deploy cloud deploy release to next stage ie prod
name: gcr.io/cloud-builders/gcloud
args: ['deploy', 'releases', 'promote', '--release=r-$REVISION_ID','--project=$PROJECT_ID','--region=us-central1','--delivery-pipeline=ci-cd-test', '--to-target=prod']
images: ['us-central1-docker.pkg.dev/$PROJECT_ID/$_CONTAINER_REPO_NAME/cd:$REVISION_ID']