feat: integrer SBOM dans la pipeline CI
- sbom-generate: Syft scanne l'image Docker buildee (radar-business) - sbom-scan: Trivy CVE depuis le SBOM (cache /home/syoul/trivy-cache) - sbom-publish: envoi vers Dependency-Track (dtrack.syoul.fr) Nouveau secret requis: dependency_track_token Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -79,7 +79,54 @@ steps:
|
||||
docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
|
||||
echo "Cert TLS: /host/certs/$DOMAIN-cert.pem OK (acme exit $ACME_EXIT)"
|
||||
|
||||
# Etape 3 : Healthcheck post-deploiement
|
||||
# Etape 3a : Generation SBOM (Syft) — inventaire de l'image Docker buildee
|
||||
# NOTE: volumes: et from_secret incompatibles dans le meme step — pas de secrets ici
|
||||
- name: sbom-generate
|
||||
image: alpine:3.20
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
commands:
|
||||
- apk add --no-cache curl
|
||||
- curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest
|
||||
- mkdir -p .reports
|
||||
- |
|
||||
PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2)
|
||||
IMAGE="${PROJECT}-radar-business"
|
||||
echo "SBOM sur image: $IMAGE"
|
||||
syft "$IMAGE" -o cyclonedx-json --file .reports/sbom-radar.cyclonedx.json
|
||||
- echo "SBOM genere $(wc -c < .reports/sbom-radar.cyclonedx.json) octets"
|
||||
|
||||
# Etape 3b : Scan CVE (Trivy) depuis le SBOM Syft
|
||||
# Cache /home/syoul/trivy-cache evite ~200Mo de telechargement des DB CVE a chaque build
|
||||
# Prerequis sur sonic : mkdir -p /home/syoul/trivy-cache
|
||||
- name: sbom-scan
|
||||
image: aquasec/trivy:latest
|
||||
volumes:
|
||||
- /home/syoul/trivy-cache:/root/.cache/trivy
|
||||
commands:
|
||||
- trivy sbom --format json --output .reports/trivy-radar.json .reports/sbom-radar.cyclonedx.json
|
||||
- echo "Scan CVE termine"
|
||||
|
||||
# Etape 3c : Publication SBOM vers Dependency-Track (dtrack.syoul.fr)
|
||||
# NOTE: from_secret et volumes: incompatibles — pas de volumes ici
|
||||
- name: sbom-publish
|
||||
image: alpine/curl:latest
|
||||
environment:
|
||||
DTRACK_TOKEN:
|
||||
from_secret: dependency_track_token
|
||||
commands:
|
||||
- |
|
||||
VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
|
||||
HTTP=$(curl -s -o /tmp/dtrack-response.txt -w "%{http_code}" -X POST "https://dtrack.syoul.fr/api/v1/bom" \
|
||||
-H "X-Api-Key: $DTRACK_TOKEN" \
|
||||
-F "autoCreate=true" \
|
||||
-F "projectName=techradardev-app" \
|
||||
-F "projectVersion=$VERSION" \
|
||||
-F "bom=@.reports/sbom-radar.cyclonedx.json")
|
||||
echo "HTTP $HTTP : $(cat /tmp/dtrack-response.txt)"
|
||||
[ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1
|
||||
|
||||
# Etape 4 : Healthcheck post-deploiement
|
||||
- name: healthcheck
|
||||
image: alpine:3.20
|
||||
commands:
|
||||
|
||||
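Review bot: The Syft installer on the `curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest` line in sbom-generate is fetched unpinned from the `main` branch and asked for `latest`, so the tool that produces the inventory the later scan and the Dependency-Track upload rely on changes silently with every build and is never integrity-checked; the same applies to `aquasec/trivy:latest` and `alpine/curl:latest`. Pin an explicit release, e.g. `... | sh -s -- -b /usr/local/bin v<PINNED_SYFT_VERSION>` (placeholder) and a fixed tag for the two images, or run Syft from its own published container image rather than installing it into `alpine:3.20` on each build. Separately, `trivy sbom --format json --output .reports/trivy-radar.json ...` is run without `--exit-code` or `--severity`, so sbom-scan prints `Scan CVE termine` and succeeds whatever the report contains; if the scan is meant to gate the deploy, add `--exit-code 1 --severity HIGH,CRITICAL`, and if it is informational only, a comment saying so above the step would make that intent explicit. The `/var/run/docker.sock` mount in sbom-generate hands that step full control of the host Docker daemon, presumably so that syft can read the built image from it; a one-line comment stating that, next to the existing NOTE about keeping secrets out of this step, would help the next maintainer keep the two steps separated as intended.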