[Feature][Change] Updated azure devops ci pipeline (#15)

iamabhishek-dubey · web-flow · commit b69fd3cb43c2 · 2021-05-16T22:18:31.000+05:30
* Added few security steps in azure pipline

Signed-off-by: iamabhishek-dubey &lt;abhishekbhardwaj510@gmail.com&gt;
diff --git a/.azure-pipelines/pipeline.yml b/.azure-pipelines/pipeline.yml
@@ -13,6 +13,17 @@ variables:
 stages:
 - stage: precheck
   jobs:
+    - job: gofmt
+      dependsOn: []
+      pool:
+        vmImage: "ubuntu-18.04"
+      steps:
+        - task: GoTool@0
+          displayName: "Installing Golang"
+          inputs:
+            version: '1.16'
+        - script: scripts/gofmt.sh
+          displayName: "Executing gofmt"
     - job: govet
       dependsOn: []
       pool:
@@ -45,7 +56,7 @@ stages:
             ./bin/golangci-lint run --timeout 5m0s ./...
           displayName: "Executing golang-ci lint"
 
-- stage: dockerfile_lint
+- stage: container_quality
   dependsOn: ["precheck"]
   jobs:
     - job: dockerfile_lint
@@ -88,7 +99,7 @@ stages:
             publishLocation: 'Container'
 
 - stage: build_image
-  dependsOn: ["dockerfile_lint"]
+  dependsOn: ["container_quality"]
   jobs:
     - job: linux_amd64
       dependsOn: []
@@ -99,9 +110,53 @@ stages:
           command: 'build'
           Dockerfile: '**/Dockerfile'
           tags: '$(Build.BuildId)'
+          repository: 'k8s-vault-webhook'
+      - script: |
+          mkdir -p $(Build.ArtifactStagingDirectory)/image
+          docker save -o $(Build.ArtifactStagingDirectory)/image/k8s-vault-webhook.tar k8s-vault-webhook:$(Build.BuildId)
+        displayName: "Archiving docker image"
+      - task: PublishBuildArtifacts@1
+        inputs:
+          PathtoPublish: '$(Build.ArtifactStagingDirectory)/image'
+          ArtifactName: 'drop'
+          publishLocation: 'Container'
+
+- stage: code_security
+  dependsOn: ["build"]
+  jobs:
+    - job: gosec
+      dependsOn: []
+      steps:
+        - script: scripts/gosec.sh
+          displayName: "Execute gosec scan"
+        - task: PublishTestResults@2
+          displayName: "Publish test results"
+          inputs:
+            testResultsFormat: 'JUnit'
+            testResultsFiles: './bin/results.xml'
+            failTaskOnFailedTests: false
+            testRunTitle: 'GoSec Test Result'
+
+- stage: container_security
+  dependsOn: ["build_image"]
+  jobs:
+    - job: trivy_scan
+      dependsOn: []
+      steps:
+        - task: DownloadBuildArtifacts@0
+          displayName: "Downloading the image artifact"
+          inputs:
+            buildType: 'current'
+            downloadType: 'single'
+            artifactName: 'drop'
+            downloadPath: '$(System.ArtifactsDirectory)'
+        - script: scripts/trivy-scan.sh
+          displayName: "Execute trivy scan"
+          env:
+            IMAGE_PATH: $(System.ArtifactsDirectory)/drop/k8s-vault-webhook.tar
 
 - stage: release_binaries
-  dependsOn: ["build", "build_image"]
+  dependsOn: ["code_security"]
   jobs:
     - job: goreleaser
       dependsOn: []  
@@ -115,7 +170,7 @@ stages:
       condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/master'))
 
 - stage: release_quay
-  dependsOn: ["build", "build_image"]
+  dependsOn: ["container_security", "code_security"]
   jobs:
     - job: quay
       dependsOn: []  
@@ -135,7 +190,7 @@ stages:
       condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/master'))
 
 - stage: release_github_image
-  dependsOn: ["build", "build_image"]
+  dependsOn: ["container_security", "code_security"]
   jobs:
     - job: github
       dependsOn: []  
@@ -181,7 +236,7 @@ stages:
           displayName: "Executing k8s-vault-webhook"
 
 - stage: docs
-  dependsOn: ["release_binaries", "release_quay", "release_github_image"]
+  dependsOn: ["verify"]
   jobs:
     - job: build
       dependsOn: []  
diff --git a/scripts/gofmt.sh b/scripts/gofmt.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+gofmt_files=$(go fmt ./... | wc -l)
+
+if [[ ${gofmt_files} > 0 ]]
+then
+    echo "Please format golang files using:- go fmt ./..."
+    exit 1
+else
+    echo "All files are formated using gofmt"
+fi
diff --git a/scripts/gosec.sh b/scripts/gosec.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+install_gosec() {
+    curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s latest
+}
+
+execute_gosec() {
+    ./bin/gosec -fmt=junit-xml -out=./bin/results.xml ./... || true
+}
+
+main() {
+    install_gosec
+    execute_gosec
+}
+
+main
diff --git a/scripts/trivy-scan.sh b/scripts/trivy-scan.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+install_trivy() {
+    sudo apt-get install wget apt-transport-https gnupg lsb-release -y
+    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+    echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+    sudo apt-get update
+    sudo apt-get install trivy -y
+}
+
+execute_trivy() {
+    trivy image --input ${IMAGE_PATH}
+}
+
+main() {
+    install_trivy
+    execute_trivy
+}
+
+main
