diff --git a/Dockerfile b/Dockerfile
index cd8ea22..469822d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:latest AS builder
+FROM golang:1.23.2 AS builder
 WORKDIR /shared-data/app
 COPY ./ ./
@@ -7,7 +7,8 @@ COPY ./ ./
 RUN CGO_ENABLED=0 GOOS=linux go build -o fibonacci_go .
-FROM alpine:latest
+# ToDo: use stretch as image for a completly empty container
+FROM alpine:3.20.3
 WORKDIR /shared-data/app
 COPY --from=builder /shared-data/app/fibonacci_go .
diff --git a/argo-workflows/example-ci-workflow.yaml b/argo-workflows/example-ci-workflow.yaml
index 72c1c2d..3da946c 100644
--- a/argo-workflows/example-ci-workflow.yaml
+++ b/argo-workflows/example-ci-workflow.yaml
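Review bot: The added ToDo names `stretch`, which is the Debian 9 release codename rather than an empty base image; the empty image is `scratch`, and because the builder stage compiles with `CGO_ENABLED=0` the static `fibonacci_go` binary can run there without a libc. Suggest `# TODO: switch to FROM scratch (static binary, CGO_ENABLED=0) for an empty runtime image`, which also fixes the "completly" typo. The runtime stage shows no `USER` directive within the hunk, so unless one follows further down the binary runs as root in the alpine image; the stage's remaining lines are outside the hunk. Pinning `alpine:3.20.3` by digest (`@sha256:…`) would make the build fully reproducible, but the tag pin is already a clear improvement over `latest`.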
@@ -29,79 +29,59 @@ spec: tasks: - name: git-clone template: git-clone - arguments: - parameters: [{ name: message, value: "git-clone task completed" }] - name: ls template: ls dependencies: [git-clone] - name: build template: build - arguments: - parameters: [{ name: message, value: "build task completed" }] dependencies: [unit-tests, lint-scan] - name: unit-tests template: unit-tests - arguments: - parameters: - [{ name: message, value: "unit-tests task completed" }] dependencies: [ls] - name: lint-scan template: lint-scan - arguments: - parameters: [{ name: message, value: "lint-scan task completed" }] dependencies: [ls] - name: trivy-image-scan - template: simple-container - arguments: - parameters: - [{ name: message, value: "trivy-image-scan task completed" }] + template: trivy-image-scan dependencies: [build] - name: trivy-filesystem-scan - template: simple-container - arguments: - parameters: - [ - { - name: message, - value: "trivy-filesystem-scan task completed", - }, - ] + template: trivy-filesystem-scan dependencies: [git-clone] - name: deploy-image template: simple-container - arguments: - parameters: - [{ name: message, value: "push-image task completed" }] # when: " == true" dependencies: [trivy-image-scan, trivy-filesystem-scan] - name: simple-container - inputs: - parameters: - - name: message container: - image: alpine:latest + image: alpine:3.20.3 command: [sh, -c] - args: ["echo {{inputs.parameters.message}}"] + args: ["echo test"] - name: ls container: - image: alpine:latest + image: alpine:3.20.3 command: [sh, -c] - args: [ls /] + args: + - | + ls -la / + ls -la /shared-data + ls -la /shared-data/repo + volumeMounts: + - name: shared-data + mountPath: /shared-data - name: git-clone container: - image: ubuntu:latest + image: ubuntu:24.10 command: [sh, -c] args: - | apt update apt install -y git git clone -b main https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/Franz.Germann/fibonacci_go.git /shared-data/repo - ls -la / - ls -la /shared-data - 
ls -la /shared-data/repo + + echo git-clone task completed volumeMounts: - name: shared-data mountPath: /shared-data @@ -130,13 +110,13 @@ spec: - | cd /shared-data/repo go test ./... -v + + echo unit-test task completed volumeMounts: - name: shared-data mountPath: /shared-data # How to extract artifacts - # For now this task will fail if the lint scan finds any issue with --error-on-issues - # --max-same-issues or --max-issues-per-linter also possible - name: lint-scan container: image: golangci/golangci-lint:v1.61.0 @@ -145,6 +125,27 @@ spec: - | cd /shared-data/repo golangci-lint run ./... --out-format=json --timeout 5m --issues-exit-code 1 + + echo lint-scan task completed volumeMounts: - name: shared-data mountPath: /shared-data + + - name: trivy-filesystem-scan + container: + image: aquasec/trivy:0.56.2 + command: [sh, -c] + args: + - | + trivy fs --scanners license,vuln,misconfig,secret /shared-data/repo + + echo trivy-filesystem-scan task completed + volumeMounts: + - name: shared-data + mountPath: /shared-data + + - name: trivy-image-scan + container: + image: aquasec/trivy:0.56.2 + command: [sh, -c] + args: ["TRIVY_INSECURE=true trivy image --scanners vuln,secret,misconfig gitea.cnoe.localtest.me/giteaadmin/fibonacci_go:latest"] \ No newline at end of file
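Review bot: Each multi-line `sh -c` script now ends with an `echo … task completed` line, so the step's exit status is that of the echo and a failed `git clone` in the git-clone template no longer fails the task; the same masking applies to `go test` in the unit-tests hunk (@@ -130), to `golangci-lint run … --issues-exit-code 1` in the lint-scan hunk (@@ -145, where it defeats the exit-code flag), and to `trivy fs` in the new trivy-filesystem-scan template. Adding `set -e` as the first line of each `- |` script block restores failure propagation, e.g. `set -e` before `apt update` in git-clone. Without it the `deploy-image` task's `dependencies: [trivy-image-scan, trivy-filesystem-scan]` never gates deployment, because none of the gating steps can fail. The git-clone template also runs an unpinned `apt update` / `apt install -y git` on every execution; an image that already ships git, pinned by tag, would make the step reproducible and faster.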
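Review bot: `TRIVY_INSECURE=true` in the trivy-image-scan args disables TLS certificate verification for the registry pull, so the scanner would accept an image served by anyone able to intercept the connection to gitea.cnoe.localtest.me; prefer adding the registry's CA to the container's trust store and dropping the variable, or at minimum add a comment stating why the local registry cannot present a trusted certificate. Neither `trivy image` nor `trivy fs` in this hunk passes `--exit-code 1`, so findings are only printed and the scans cannot block `deploy-image`; `trivy image --exit-code 1 --scanners vuln,secret,misconfig …` and `trivy fs --exit-code 1 --scanners license,vuln,misconfig,secret /shared-data/repo` would turn them into gates. The image scan also targets the `:latest` tag rather than the tag or digest produced by the `build` task it depends on, so it may scan a different image than the one deployed — hedged, since the build template is outside the hunk. The file is left without a trailing newline (`\ No newline at end of file`).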