WebGoat/Jenkinsfile.rtf at main · RamyArmorCode/WebGoat · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
{\rtf1\ansi\ansicpg1252\cocoartf2822
\cocoatextscaling0\cocoaplatform0{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
{\colortbl;\red255\green255\blue255;}
{\*\expandedcolortbl;;}
\margl1440\margr1440\vieww11520\viewh8400\viewkind0
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural\partightenfactor0

\f0\fs24 \cf0 // Jenkinsfile (Declarative)\
pipeline \{\
  agent \{ docker \{ image 'maven:3.9.6-eclipse-temurin-21' reuseNode true \} \}\
\
  /* ----- GLOBAL CONFIG ----- */\
  environment \{\
    REGISTRY      = 'ghcr.io/my-org'\
    IMAGE_NAME    = "my-app:$\{env.GIT_COMMIT\}"\
    AWS_DEFAULT_REGION = 'us-east-1'\
    AWS_CREDS  = credentials('aws-prod-deploy')        // ID in Jenkins Credentials\
    GITHUB_PAT = credentials('github-oidc-token')      // If pushing tags/releases\
  \}\
\
  options \{\
    timestamps()\
    disableConcurrentBuilds()\
    ansiColor('xterm')\
    durabilityHint('PERFORMANCE_OPTIMIZED')\
  \}\
\
  stages \{\
\
    stage('Checkout') \{\
      steps \{ checkout scm \}\
    \}\
\
    stage('Build') \{\
      steps \{\
        sh 'mvn -B clean package -DskipTests'\
      \}\
      post \{ \
        failure \{ mail to: 'dev@corp.com', subject: 'Build failed', body: "$\{env.JOB_NAME\} #$\{env.BUILD_NUMBER\}" \}\
      \}\
    \}\
\
    stage('Unit Test') \{\
      steps \{\
        sh 'mvn test'\
        junit '**/target/surefire-reports/*.xml'\
      \}\
    \}\
\
    stage('Static Code Analysis') \{\
      parallel \{\
        stage('OWASP Dependency-Check') \{\
          steps \{ sh 'mvn org.owasp:dependency-check-maven:check' \}\
        \}\
        stage('Snyk SAST') \{\
          when \{ expression \{ env.SNYK_TOKEN \} \}\
          steps \{ sh 'snyk test --severity-threshold=medium' \}\
        \}\
      \}\
    \}\
\
    stage('Package & Containerize') \{\
      agent \{ docker \{ image 'docker:24' args '-v /var/run/docker.sock:/var/run/docker.sock' \} \}\
      steps \{\
        sh '''\
          docker build -t $REGISTRY/$IMAGE_NAME .\
          echo $GITHUB_PAT | docker login $REGISTRY -u $GITHUB_ACTOR --password-stdin\
          docker push $REGISTRY/$IMAGE_NAME\
        '''\
      \}\
    \}\
\
    stage('Image Scan') \{\
      steps \{\
        sh "trivy image --severity HIGH,CRITICAL --exit-code 0 $REGISTRY/$IMAGE_NAME"\
      \}\
    \}\
\
    stage('Deploy to Dev') \{\
      steps \{\
        withCredentials([[$class: 'AmazonWebServicesCredentialsBinding',\
                          accessKeyVariable: 'AWS_ACCESS_KEY_ID',\
                          secretKeyVariable: 'AWS_SECRET_ACCESS_KEY',\
                          credentialsId: 'aws-prod-deploy']]) \{\
          sh '''\
            aws ecs update-service --cluster dev --service my-app \\\
              --force-new-deployment --region $AWS_DEFAULT_REGION\
          '''\
        \}\
      \}\
    \}\
  \}\
\
  post \{\
    always \{\
      cleanWs()\
    \}\
    success \{\
      echo "\uc0\u9989   Build $\{env.BUILD_NUMBER\} successful!"\
    \}\
  \}\
\}\
}