ShiftSBOMGen/bitbucket-pipelines.yml at main · shiftleftcyber/ShiftSBOMGen · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
clone:
  debth: full

definitions:
  caches:
    sonar: ~/.sonar/cache
  steps:
    - step: &build-docker-image
        name: 'Build Docker Image'
        size: 2x
        script:
          - IMAGE_NAME=syft-bitbucket-pipe
          - docker build --build-arg ARCH=amd64 --tag "${IMAGE_NAME}:local" .
          - docker save "${IMAGE_NAME}:local" --output "${IMAGE_NAME}.tar"
        services:
          - docker
        caches:
          - docker
        artifacts:
          - "*.tar"
    - step: &shell-check
        name: 'Shell Lint'
        image: koalaman/shellcheck-alpine:v0.11.0
        script:
          - echo "Linting shell scripts"
          - shellcheck -x *.sh
    - step: &docker-lint
        name: 'Docker Lint'
        image: hadolint/hadolint:v2.14.0-alpine
        script:
          - echo "Linting Dockerfile(s)"
          - hadolint Dockerfile
    - step: &markdown-lint
        name: 'Markdown Lint'
        image: markdownlint/markdownlint:0.15.0
        script:
          - echo "Linting Markdown Files"
          - mdl *.md || echo "Potential mdlint issues found..."
    - step: &gen-sbom-for-project
          name: gen sbom
          size: 2x
          image: debian:bookworm-slim
          services:
            - docker
          caches:
            - docker
          script:
            - apt-get update
            - DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
            - apt-get install -y curl
            - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.42.3
            - IMAGE_NAME=syft-bitbucket-pipe
            - docker load --input "${IMAGE_NAME}.tar"
            - mkdir sbom_output
            - syft "${IMAGE_NAME}:local" --output cyclonedx-json@1.6 >> sbom_output/${IMAGE_NAME}_cyclonedx-sbom.json
          artifacts:
            - sbom_output/*
    - step: &scan-sbom
          name: Scan sBOM
          size: 2x
          script:
            - chmod 777 sbom_output
            - pipe: docker://ccideas/sbom-utilities-pipe:1.5.0
              variables:
                PATH_TO_SBOM: "sbom_output/syft-bitbucket-pipe_cyclonedx-sbom.json"
                OUTPUT_DIRECTORY: 'sbom_output'
                SCAN_SBOM_WITH_BOMBER: 'true'
                BOMBER_OUTPUT_FORMAT: 'html'
                BOMBER_DEBUG: 'true'
                SCAN_SBOM_WITH_SBOMQS: 'true'
                SBOMQS_OUTPUT_FORMAT: 'detailed'
                SCAN_SBOM_WITH_OSV: 'true'
                OSV_OUTPUT_FORMAT: 'table'
                SCAN_SBOM_WITH_GRYPE: 'true'
                GRYPE_ARGS: '--output table --add-cpes-if-none'
                GRYPE_OUTPUT_FILENAME: 'grype-scan-results.txt'
          artifacts:
            - sbom_output/*
    - step: &sonarcloud
          name: sonarcloud scan
          size: 2x
          image: sonarsource/sonar-scanner-cli:5
          caches:
            - sonar
          script:
            - sonar-scanner

pipelines:
  pull-requests:
    '**':
      - parallel:
          - step: *shell-check
          - step: *docker-lint
          - step: *markdown-lint
          - step: *build-docker-image
          #- step: *sonarcloud
  branches:
    main:
      - parallel:
          - step: *shell-check
          - step: *docker-lint
          - step: *markdown-lint
          - step: *build-docker-image
          #- step: *sonarcloud
      - step: *gen-sbom-for-project
      - step: *scan-sbom
  custom:
    push to Dockerhub (dev):
      - step: *build-docker-image
      - step:
          name: 'Publish Dev Docker Image'
          deployment: Development
          script:
            - echo ${DOCKERHUB_PASSWORD} | docker login --username "${DOCKERHUB_USERNAME}" --password-stdin
            - IMAGE_NAME=syft-bitbucket-pipe
            - docker load --input "${IMAGE_NAME}.tar"
            - docker tag "${IMAGE_NAME}:local" "${DOCKERHUB_NAMESPACE}/${IMAGE_NAME}:${DEV_VERSION}-${BITBUCKET_BUILD_NUMBER}"
            - docker push "${DOCKERHUB_NAMESPACE}/${IMAGE_NAME}:${DEV_VERSION}-${BITBUCKET_BUILD_NUMBER}"
          services:
            - docker
    Prod Release:
      - variables:
          - name: PRODUCTION_VERSION
      - step: *build-docker-image
      - stage:
          name: OSS Scan
          steps:
            - step: *gen-sbom-for-project
            - step: *scan-sbom
      - stage:
          name: Deploy to Prod
          deployment: Production
          steps:
            - step:
                name: 'Publish Prod Docker Image'
                script:
                  - IMAGE_NAME=syft-bitbucket-pipe
                  - echo ${DOCKERHUB_PASSWORD} | docker login --username "${DOCKERHUB_USERNAME}" --password-stdin
                  - docker load --input "${IMAGE_NAME}.tar"
                  - docker tag "${IMAGE_NAME}:local" "${DOCKERHUB_NAMESPACE}/${IMAGE_NAME}:${PRODUCTION_VERSION}"
                  - docker push "${DOCKERHUB_NAMESPACE}/${IMAGE_NAME}:${PRODUCTION_VERSION}"
                services:
                  - docker
                caches:
                  - docker
            - step:
                name: tag branch
                image: alpine/git:1.0.26
                script:
                  - git tag -a "v${PRODUCTION_VERSION}" -m "release version ${PRODUCTION_VERSION}"
                  - git push origin "v${PRODUCTION_VERSION}"