-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathbuildspec.yml
47 lines (42 loc) · 1.76 KB
/
buildspec.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
version: 0.2
# https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
# https://docs.aws.amazon.com/pt_br/codebuild/latest/userguide/sample-docker.html
# REQUIRED ENVIRONMENT VARIABLES
# AWS_ACCOUNT_ID
# AWS_DEFAULT_REGION
# AWS_ECR_PUBLIC_DOMAIN
env:
shell: bash
variables:
IMAGE_NAME: "demo-trivy"
IMAGE_TAG: "codebuild"
ECR_PRIVATE_REG: ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com
ECR_PUBLIC_REG: public.ecr.aws
AWS_ECR_PUBLIC_DOMAIN: v4f3f9r2
exported-variables:
- IMAGE_NAME
- IMAGE_TAG
- ECR_PRIVATE_REG
- ECR_PUBLIC_REG
- AWS_ECR_PUBLIC_DOMAIN
batch:
fast-fail: true
phases:
install:
commands:
- export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
- echo $TRIVY_VERSION
- wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
- export PATH=$PWD/:$PATH
pre_build:
commands:
- echo Logging in to Amazon ECR...
- aws ecr-public get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin ${ECR_PUBLIC_REG}/${AWS_ECR_PUBLIC_DOMAIN}
build:
commands:
- docker build -t $IMAGE_NAME:$IMAGE_TAG .
- trivy image --exit-code 1 --severity HIGH,CRITICAL $IMAGE_NAME:$IMAGE_TAG
- echo ---------- Container Scan completed on `date`
- docker tag $IMAGE_NAME:$IMAGE_TAG $ECR_PUBLIC_REG/$AWS_ECR_PUBLIC_DOMAIN/$IMAGE_NAME:$IMAGE_TAG
- echo ---------- Container $ECR_PUBLIC_REG/$AWS_ECR_PUBLIC_DOMAIN/$IMAGE_NAME:$IMAGE_TAG
- docker push $ECR_PUBLIC_REG/$AWS_ECR_PUBLIC_DOMAIN/$IMAGE_NAME:$IMAGE_TAG