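// Declarative pipeline: clone the repository, then run three scanners against the
// checked-out tree — Polaris (SAST), Black Duck SCA, and a TruffleHog secret scan.
// Each scan stage invokes its tool through `sh` and maps the exit status onto the
// build result (unstable / error).
pipeline {
    agent { label 'azure-linux-ubuntu-18' }
    options {
        // A Polaris "Policy violation" marks the build unstable; later stages are then skipped.
        skipStagesAfterUnstable()
        disableConcurrentBuilds()
    }
    stages {
        stage("Clone Git Repo") {
            steps {
                cleanWs()
                script {
                    // PR builds expose the source branch as CHANGE_BRANCH; otherwise fall back
                    // to BRANCH_NAME. Exported into env so later stages and shell steps can
                    // read the same resolved value.
                    def branchName = env.CHANGE_BRANCH ?: env.BRANCH_NAME
                    env.branchName = branchName
                    // Log the branch actually used (previously printed BRANCH_NAME, which
                    // differs from the resolved value on PR builds).
                    echo "Using branch/commit: ${branchName}"
                }
                checkout([
                    $class: 'GitSCM',
                    branches: [[name: "refs/heads/${env.branchName}"]],
                    doGenerateSubmoduleConfigurations: false,
                    extensions: [
                        // Checked out into a subdirectory; the scan stages cd into it.
                        [$class: 'RelativeTargetDirectory', relativeTargetDir: 'valideer'],
                        // Full clone with tags so history-based scanning sees everything.
                        [$class: 'CloneOption', shallow: false, noTags: false]
                    ],
                    submoduleCfg: [],
                    userRemoteConfigs: [[credentialsId: 'github-app-podio-jm', url: 'https://github.com/podio/valideer.git']]
                ])
            }
        }
        stage('Polaris') {
            environment {
                // Bridge CLI reads its configuration from BRIDGE_POLARIS_* variables.
                // The access token is bound via credentials() so Jenkins masks it in logs.
                BRIDGE_POLARIS_SERVERURL = "https://polaris.blackduck.com"
                BRIDGE_POLARIS_ACCESSTOKEN = credentials('blackduck-api-token')
                BRIDGE_POLARIS_APPLICATION_NAME = "Podio-Podio"
                BRIDGE_POLARIS_PROJECT_NAME = "valideer"
                BRIDGE_POLARIS_BRANCH_NAME = "${env.branchName}"
                BRIDGE_POLARIS_ASSESSMENT_TYPES = "SAST"
            }
            steps {
                dir('valideer') {
                    script {
                        def status = sh returnStatus: true, script: '''
                            bridge-cli --stage polaris
                        '''
                        // Exit status 8 is treated as a policy violation (build goes unstable);
                        // any other non-zero status is a tool failure and fails the build.
                        if (status == 8) {
                            unstable 'Policy violation'
                        } else if (status != 0) {
                            error 'Bridge CLI failure'
                        }
                    }
                }
            }
        }
        stage('BlackDuckSCA') {
            environment {
                BRIDGE_BLACKDUCKSCA_URL = "https://progresssoftware.app.blackduck.com"
                BRIDGE_BLACKDUCKSCA_TOKEN = credentials('blackduck-sca-token')
                // Only CRITICAL findings fail the scan; a full (non-rapid) scan is requested.
                BRIDGE_BLACKDUCKSCA_SCAN_FAILURE_SEVERITIES = "CRITICAL"
                BRIDGE_BLACKDUCKSCA_SCAN_FULL = "true"
                BRIDGE_DETECT_ARGS = "--detect.project.name=DX-Podio-valideer --detect.project.version.name=${env.branchName} --detect.project.version.update=true --detect.project.version.distribution=SAAS --detect.project.group.name=Podio-Podio --detect.accuracy.required=NONE --detect.excluded.detector.types=PIP"
            }
            steps {
                dir('valideer') {
                    script {
                        def status = sh returnStatus: true, script: '''
                            bridge-cli --stage blackducksca
                        '''
                        // Unlike Polaris, every non-zero status fails the build here.
                        if (status != 0) {
                            error 'BlackDuck SCA Scan failed'
                        }
                    }
                }
            }
        }
        stage('TruffleHog Scan') {
            environment {
                // Shared by the shell step and the post{} archive below.
                TRUFFLEHOG_OUTPUT = 'trufflehog_output.json'
                TRUFFLEHOG_REPO_PATH = "${env.WORKSPACE}/valideer"
            }
            steps {
                script {
                    echo "🔍 Running TruffleHog Git scan on repo path: ${env.TRUFFLEHOG_REPO_PATH}, branch: ${env.branchName}"
                    // The script is single-quoted on purpose: the branch name and paths reach
                    // the shell as environment variables rather than through Groovy string
                    // interpolation, so a crafted branch name cannot rewrite the command line.
                    // Only verified results are requested (--results=verified).
                    def scanExitCode = sh(returnStatus: true, script: '''
                        docker run --rm -v "${TRUFFLEHOG_REPO_PATH}:/usr/src" \
                            artifacts.progress.com/ci-local-docker/trufflesecurity/trufflehog:3.88.29-amd64 \
                            git file:/usr/src \
                            --branch="${branchName}" \
                            --results=verified \
                            --force-skip-binaries \
                            --force-skip-archives \
                            --json \
                            --no-update \
                            > "${TRUFFLEHOG_OUTPUT}"
                        echo "📄 TruffleHog scan completed. Output saved to ${TRUFFLEHOG_OUTPUT}"
                        # Report only the finding count on the console. The raw JSON carries the
                        # matched values, so it is kept as the archived artifact instead of being
                        # echoed into the build log.
                        if grep -q '"SourceMetadata"' "${TRUFFLEHOG_OUTPUT}"; then
                            echo "❌ TruffleHog found potential secrets! $(grep -c '"SourceMetadata"' "${TRUFFLEHOG_OUTPUT}") finding(s), see ${TRUFFLEHOG_OUTPUT}"
                            exit 1
                        else
                            echo "✅ No secrets found."
                        fi
                    ''')
                    if (scanExitCode != 0) {
                        error("❌ TruffleHog scan failed, potential secrets detected in the repository.")
                    }
                }
            }
            post {
                always {
                    // Same file as TRUFFLEHOG_OUTPUT above; archived even when the scan failed
                    // or produced nothing.
                    archiveArtifacts artifacts: 'trufflehog_output.json', fingerprint: true, allowEmptyArchive: true
                }
                success {
                    echo "✅ TruffleHog scan passed - No secrets detected."
                }
            }
        }
    }
}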