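// Scripted pipeline: installs valint, checks out the demo repository, builds
// the demo image, then produces signed SBOM attestations for the git source
// and for the image, and finally verifies the image attestation.
//
// Maintainer notes:
//  * Jenkins runs `sh` steps with `sh -xe` by default; `-x` traces variable
//    assignments, so reading PEM files into variables under tracing would
//    print the private key into the build log. The shared prologue below
//    turns tracing off before touching key material.
//  * The install stage pipes an unpinned, unverified remote script into `sh`
//    (curl | sh). That is a supply-chain trust decision; pin the version and
//    verify the download before using this outside a demo.
//  * The repository token that was previously embedded in the clone URL is
//    replaced by a Jenkins credential (see the placeholder id below).

// Binds the Scribe API credentials and the PKI files for the duration of
// `body`. All four ids are existing Jenkins credential ids used by this
// pipeline: the Scribe client id/secret, the signing key, the signing
// certificate and the CA certificate.
def withScribeSigningMaterial(Closure body) {
    withCredentials([
        usernamePassword(credentialsId: 'scribe-production-auth-id', usernameVariable: 'SCRIBE_CLIENT_ID', passwordVariable: 'SCRIBE_CLIENT_SECRET'),
        file(credentialsId: 'key-file', variable: 'KEY_FILE'),
        file(credentialsId: 'sig-cert-file', variable: 'SIG_CERT_FILE'),
        file(credentialsId: 'ca-cert-file', variable: 'CA_CERT_FILE')
    ]) {
        body()
    }
}

// Shell prologue shared by the signing stages (single-quoted on purpose: no
// Groovy interpolation, every `$` is expanded by the shell). It disables
// command tracing first, then exports the PEM contents for the valint
// invocation that follows. The original pipeline relied on valint (or
// .valint.yaml) picking PRIVATE_KEY/SIGNING_CERT/CA_CERT up from the
// environment — confirm against the valint docs. Exporting file contents
// into the environment exposes them to every child of this shell; passing
// the file paths instead would be preferable if valint accepts them.
String loadSigningMaterialScript() {
    return '''\
set +x
export PRIVATE_KEY="$(cat "$KEY_FILE")"
export SIGNING_CERT="$(cat "$SIG_CERT_FILE")"
export CA_CERT="$(cat "$CA_CERT_FILE")"
'''
}

// valint flags shared by the two `bom` stages. Metadata values come from
// withEnv, the API credentials from withCredentials; everything is quoted so
// an empty or space-containing value cannot be parsed as the next flag.
// The client secret on the command line is masked in the console by Jenkins
// but is still visible in the agent's process list for the duration of the
// call.
String valintBomArgs() {
    return [
        '--config jenkins-pki-example/.valint.yaml',
        '-o attest',
        '--context-type jenkins',
        '--output-directory ./scribe/valint',
        '-E -U "$SCRIBE_CLIENT_ID" -P "$SCRIBE_CLIENT_SECRET"',
        '--app-name "$LOGICAL_APP_NAME" --app-version "$APP_VERSION"',
        '--author-name "$AUTHOR_NAME" --author-email "$AUTHOR_EMAIL" --author-phone "$AUTHOR_PHONE"',
        '--supplier-name "$SUPPLIER_NAME" --supplier-url "$SUPPLIER_URL" --supplier-email "$SUPPLIER_EMAIL"',
        '--supplier-phone "$SUPPLIER_PHONE"',
        '-f'
    ].join(' ')
}

node {
    withEnv([
        // Documented Jenkins syntax for prepending to PATH. The entry is
        // absolute so the installed valint also resolves inside dir() blocks.
        "PATH+VALINT=${env.WORKSPACE}/temp/bin",
        'LOGICAL_APP_NAME=PKI-Sign-demo-project',
        'APP_VERSION=1.0.1',
        'AUTHOR_NAME=John-Smith',
        // PLACEHOLDER: the bom stages pass --author-email but the original
        // never defined it (and passed the literal word AUTHOR_EMAIL).
        'AUTHOR_EMAIL=<author-email>',
        'AUTHOR_PHONE=555-8426157',
        'SUPPLIER_NAME=Scribe-Security',
        'SUPPLIER_URL=www.scribesecurity.com',
        // PLACEHOLDER: --supplier-email was passed with an unset variable,
        // which left the flag without a value.
        'SUPPLIER_EMAIL=<supplier-email>',
        'SUPPLIER_PHONE=001-001-0011'
    ]) {
        stage('install') {
            cleanWs()
            // Unpinned curl | sh install; see the maintainer notes above.
            sh 'curl -sSfL https://get.scribesecurity.com/install.sh | sh -s -- -b ./temp/bin -D'
        }
        stage('checkout') {
            // The repository credential lives in the Jenkins store; nothing
            // secret appears in the URL or in the build log.
            dir('jenkins-pki-example') {
                git branch: 'main',
                    credentialsId: '<git-credentials-id>', // PLACEHOLDER: username/token credential for the demo repo
                    // Host reconstructed from the redacted original URL — confirm.
                    url: 'https://github.com/scribe-security/jenkins-pki-example.git'
                sh 'docker build -t pki-test -f ./orig-Dockerfile .'
            }
        }
        stage('bom-git') {
            // Signed SBOM attestation of the checked-out source tree.
            withScribeSigningMaterial {
                sh loadSigningMaterialScript() + 'valint bom git:jenkins-pki-example ' + valintBomArgs()
            }
        }
        stage('bom-image') {
            // Signed SBOM attestation of the image built in 'checkout'.
            withScribeSigningMaterial {
                sh loadSigningMaterialScript() + 'valint bom pki-test:latest ' + valintBomArgs()
            }
        }
        stage('bom-image-verify') {
            // Verifies the image attestation against the same CA material.
            withScribeSigningMaterial {
                sh loadSigningMaterialScript() + [
                    'valint verify pki-test:latest',
                    '--config jenkins-pki-example/.valint.yaml',
                    '--output-directory ./scribe/valint',
                    '-E -U "$SCRIBE_CLIENT_ID" -P "$SCRIBE_CLIENT_SECRET"'
                ].join(' ')
            }
        }
    }
}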