-
Notifications
You must be signed in to change notification settings - Fork 2
/
scanBinaries.yml
48 lines (47 loc) · 1.71 KB
/
scanBinaries.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
parameters:
- name: artifactName
type: string
displayName: "name of the artifact on Azure DevOps that contains the Zip file"
- name: zipFile
type: string
displayName: "name or pattern of the zipfile to be extracted and scanned"
- name: trivyIgnoreFile
type: string
displayName: "path to the trivy ignore file"
default: ''
- name : trivyCacheAzureSubscription
type: string
default: ''
displayName: 'Subscription used to retrieve Trivy cache. If left empty, no cache will be used.'
- name : trivyCacheStorageAccount
type: string
default: ''
displayName: 'Storage account name where the Trivy cache is stored'
jobs:
- job: scan
displayName: Scan binaries
pool:
vmImage: 'ubuntu-latest'
steps:
- checkout: self
- task: DownloadPipelineArtifact@2
displayName: Download ZipDeployArchive
inputs:
artifactName: ${{ parameters.artifactName }}
targetPath: '$(System.DefaultWorkingDirectory)'
- task: ExtractFiles@1
displayName: Extract ${{ parameters.zipFile }}
inputs:
archiveFilePatterns: ${{ parameters.zipFile }}
destinationFolder: $(System.DefaultWorkingDirectory)/Binaries
cleanDestinationFolder: true
overwriteExistingFiles: false
- template: ./scanWithRetryTask.yml
parameters:
dockerExtraArguments: "-v $(System.DefaultWorkingDirectory)/Binaries:/src"
trivyExtraArguments: "filesystem /src"
trivyIgnoreFile: ${{ parameters.trivyIgnoreFile }}
displayName: Scan compiled code with Trivy
trivyCacheAzureSubscription: ${{ parameters.trivyCacheAzureSubscription }}
trivyCacheStorageAccount: ${{ parameters.trivyCacheStorageAccount }}
localTrivyCachePath: $(Agent.TempDirectory)/trivy-cache