---
# CircleCI pipeline for the codacy-trivy tool image.
version: 2.1

orbs:
  # Both orbs are pinned to exact versions. They supply every job referenced
  # below (checkout_and_version, shell, publish_docker, tag_version,
  # mirror_to_ecr and plugins-test/run), so bump them deliberately.
  codacy: codacy/base@13.0.2
  codacy_plugins_test: codacy/plugins-test@2.1.2
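references:
  # Installs the Trivy CLI into the working directory and pre-fetches its
  # vulnerability DB into ./cache; both are persisted to the workspace and
  # presumably picked up by the Dockerfile (TRIVY_VERSION build-arg below).
  # The installer script is fetched from the same release tag as the binary it
  # installs rather than from the mutable `main` branch, so what this job pipes
  # into `sh` can only change with an explicit version bump here. Keep this
  # version in step with TRIVY_VERSION in build_and_publish_docker.
  # https://trivy.dev/docs/v0.69/getting-started/installation/#installing-trivy
  install_trivy_and_download_dbs: &install_trivy_and_download_dbs
    persist_to_workspace: true
    cmd: |
      curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/v0.69.3/contrib/install.sh | sh -s -- -b . v0.69.3
      mkdir cache
      ./trivy --cache-dir ./cache image --download-db-only

  # Fetches the OpenSSF malicious-packages dataset and builds the index
  # consumed by the image via scripts/build_openssf_index.py.
  # NOTE(review): this pulls the tip of `main` through the unauthenticated
  # GitHub API with no ref pinning and no integrity check, so the index is
  # not reproducible and the job may hit the anonymous API rate limit;
  # consider pinning a commit/tag and passing a token in an Authorization
  # header.
  build_openssf_malicious_package_index: &build_openssf_malicious_package_index
    persist_to_workspace: true
    cmd: |
      mkdir openssf-malicious-packages
      curl -sfL https://api.github.com/repos/ossf/malicious-packages/tarball/main | tar -xz --strip-components=1 -C openssf-malicious-packages
      python3 scripts/build_openssf_index.py

  # Builds the tool image and saves it as docker-image.tar for the downstream
  # jobs, which `docker load` it from the persisted workspace. --no-cache
  # forces every layer to be rebuilt on each run (the scheduled DB refresh
  # depends on this). Image references are quoted, matching the publish step.
  build_and_publish_docker: &build_and_publish_docker
    persist_to_workspace: true
    cmd: |
      docker build --no-cache -t "$CIRCLE_PROJECT_REPONAME:latest" --build-arg TRIVY_VERSION=0.69.3 .
      docker save --output docker-image.tar "$CIRCLE_PROJECT_REPONAME:latest"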
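workflows:
  # Build, generate/test, package and (on master only) publish the image for
  # every push.
  compile_test_deploy:
    jobs:
      - codacy/checkout_and_version
      # Anchored so the scheduled workflow below runs exactly the same job.
      - codacy/shell: &generate_and_test
          name: generate_and_test
          cmd: |
            go env -w GOEXPERIMENT=jsonv2
            go generate ./...
            go test ./...
          requires:
            - codacy/checkout_and_version
      - codacy/shell:
          <<: *install_trivy_and_download_dbs
          name: install_trivy_and_download_dbs
          requires:
            - generate_and_test
      - codacy/shell:
          <<: *build_openssf_malicious_package_index
          name: build_openssf_malicious_package_index
          requires:
            - install_trivy_and_download_dbs
      - codacy/shell:
          <<: *build_and_publish_docker
          name: publish_docker_local
          requires:
            - build_openssf_malicious_package_index
      - codacy_plugins_test/run:
          name: plugins_test
          run_multiple_tests: true
          requires:
            - publish_docker_local
      # Publishing is gated on plugins_test and restricted to master.
      - codacy/publish_docker:
          context: CodacyDocker
          requires:
            - plugins_test
          filters:
            branches:
              only:
                - master
      - codacy/tag_version:
          name: tag_version
          context: CodacyAWS
          requires:
            - codacy/publish_docker

  # Scheduled rebuild of master so the Trivy and OpenSSF databases baked into
  # the image stay fresh. Unlike compile_test_deploy this path has no
  # plugins_test gate before publishing, and it re-publishes under the
  # existing version tag (.previous_version) as well as `latest`.
  update_vulnerability_dbs:
    triggers:
      - schedule:
          # Run at 00:30 06:30 12:30 18:30
          # https://github.com/aquasecurity/trivy-db?tab=readme-ov-file#update-interval
          cron: "30 0,6,12,18 * * *"
          filters:
            branches:
              only:
                - master
    jobs:
      - codacy/checkout_and_version
      # Same job definition as in compile_test_deploy (YAML alias).
      - codacy/shell: *generate_and_test
      - codacy/shell:
          <<: *install_trivy_and_download_dbs
          name: install_trivy_and_download_dbs
          requires:
            - generate_and_test
      - codacy/shell:
          <<: *build_openssf_malicious_package_index
          name: build_openssf_malicious_package_index
          requires:
            - install_trivy_and_download_dbs
      - codacy/shell:
          <<: *build_and_publish_docker
          name: publish_docker_local
          requires:
            - build_openssf_malicious_package_index
      # Logs in with --password-stdin so the token never appears on a command
      # line. The two tags created here are pushed explicitly instead of with
      # --all-tags, so nothing else that happens to be tagged codacy/<repo>
      # in the executor can be published by accident.
      - codacy/publish_docker:
          name: publish_dockerhub
          context: CodacyDocker
          cmd: |
            docker load --input docker-image.tar
            echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin
            version="$(cat .previous_version)"
            docker tag "$CIRCLE_PROJECT_REPONAME:latest" "codacy/$CIRCLE_PROJECT_REPONAME:$version"
            docker tag "$CIRCLE_PROJECT_REPONAME:latest" "codacy/$CIRCLE_PROJECT_REPONAME:latest"
            docker push "codacy/$CIRCLE_PROJECT_REPONAME:$version"
            docker push "codacy/$CIRCLE_PROJECT_REPONAME:latest"
          requires:
            - publish_docker_local
      # Mirror the refreshed version tag into each ECR account. force: true is
      # presumably what lets the orb overwrite a tag that already exists in
      # ECR — confirm against the orb before relying on it elsewhere.
      - codacy/mirror_to_ecr:
          context: CodacyAWS
          name: mirror_to_ecr_integration
          aws_profile: integration
          source_name: codacy/codacy-trivy
          mirror_name: codacy/codacy-trivy
          source_tag: $(cat .previous_version)
          force: true
          requires:
            - publish_dockerhub
      - codacy/mirror_to_ecr:
          context: CodacyAWS
          name: mirror_to_ecr_staging
          aws_profile: staging
          source_name: codacy/codacy-trivy
          mirror_name: codacy/codacy-trivy
          source_tag: $(cat .previous_version)
          force: true
          requires:
            - publish_dockerhub
      - codacy/mirror_to_ecr:
          context: CodacyAWS
          name: mirror_to_ecr_production
          aws_profile: production
          source_name: codacy/codacy-trivy
          mirror_name: codacy/codacy-trivy
          source_tag: $(cat .previous_version)
          force: true
          requires:
            - publish_dockerhub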