├── .gitignore ├── gitlab ├── src │ ├── .gitkeep │ └── main.go ├── Dockerfile ├── README.md └── .gitlab-ci.yml ├── circleci ├── requirements.txt ├── .gitignore ├── Dockerfile ├── src │ └── main.go ├── LICENSE ├── .circleci │ └── config.yml └── README.md ├── github-actions ├── Dockerfile ├── index.html └── .github │ └── workflows │ └── main.yml ├── jenkins ├── Dockerfile ├── index.html ├── Jenkinsfile └── README.md ├── README.md └── hashicorp-packer ├── variables.pkr.hcl └── docker.pkr.hcl /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | -------------------------------------------------------------------------------- /gitlab/src/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /circleci/requirements.txt: -------------------------------------------------------------------------------- 1 | awscli>=1.15.50 2 | -------------------------------------------------------------------------------- /circleci/.gitignore: -------------------------------------------------------------------------------- 1 | # Demo app executable 2 | demo-app 3 | -------------------------------------------------------------------------------- /gitlab/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 2 | 3 | COPY demo-app /opt/ 4 | EXPOSE 8080 5 | 6 | ENTRYPOINT ["/opt/demo-app"] 7 | -------------------------------------------------------------------------------- /circleci/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 2 | 3 | COPY ./demo-app /opt/ 4 | EXPOSE 8080 5 | 6 | ENTRYPOINT ["/opt/demo-app"] 7 | -------------------------------------------------------------------------------- /github-actions/Dockerfile: 
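--------------------------------------------------------------------------------
# Demo image built and scanned by .github/workflows/main.yml.
# The base image is deliberately left unchanged: the pipelines exist to scan it,
# and swapping it would shift the CVE counts the FAIL_CVE_* thresholds are set against.
FROM python:3.6-slim-stretch
LABEL maintainer="support@deepfence.io"
# python -m http.server serves its working directory with directory listings
# enabled. Without a WORKDIR the image runs from /, so the whole container
# filesystem (/etc, /root, site-packages, ...) was browsable over HTTP.
# Serve from a dedicated directory instead.
WORKDIR /srv
# Path is relative to the build context (repo root); this build reuses the
# jenkins demo page rather than github-actions/index.html.
COPY jenkins/index.html /srv/
EXPOSE 8000
# Exec form: no shell wrapper, signals reach the server process directly.
CMD ["python3", "-m", "http.server", "8000"]
-------------------------------------------------------------------------------- /jenkins/Dockerfile: --------------------------------------------------------------------------------
# Demo image built by jenkins/Jenkinsfile (build context is the repo root).
# Base image deliberately unchanged; see note in github-actions/Dockerfile.
FROM python:3.6-slim-stretch
# MAINTAINER is deprecated; LABEL is the supported form.
LABEL maintainer="support@deepfence.io"
# Serve only /srv, never the container root (http.server lists whatever
# directory it is started in).
WORKDIR /srv
COPY jenkins/index.html /srv/
EXPOSE 8000
CMD ["python3", "-m", "http.server", "8000"]
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CI-CD-Integrations 2 | CI/CD plugins for image scanning, integrations with AWS ECR, Google Container Registry. Docker Trusted Registry. Please see subdirectories for further details. 3 | -------------------------------------------------------------------------------- /jenkins/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | A Simple HTML Document 5 | 6 | 7 | 8 |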

This is a very simple HTML document

9 | 10 | -------------------------------------------------------------------------------- /github-actions/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | A Simple HTML Document 5 | 6 | 7 | 8 |

This is a very simple HTML document

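9 | 10 | -------------------------------------------------------------------------------- /gitlab/src/main.go: --------------------------------------------------------------------------------
package main

import (
	"fmt"
	"log"
	"net/http"
	"time"
)

// mainHandler returns the handler used for every path: it writes
// "Hello World!" and ignores the request method, path and body.
func mainHandler() http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello World!")
	}
}

// main serves mainHandler on :8080 until the listener fails.
func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", mainHandler())

	// Explicit timeouts: http.ListenAndServe uses a Server with none, so a
	// client that connects and never sends (or never reads) pins a goroutine
	// and a file descriptor indefinitely.
	srv := &http.Server{
		Addr:              ":8080",
		Handler:           mux,
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
	// The error was previously discarded, so a bind failure (port in use,
	// permission denied) exited silently with status 0.
	if err := srv.ListenAndServe(); err != nil {
		log.Fatal(err)
	}
}
-------------------------------------------------------------------------------- /circleci/src/main.go: --------------------------------------------------------------------------------
package main

import (
	"fmt"
	"log"
	"net/http"
	"time"
)

// mainHandler returns the handler used for every path: it writes
// "Hello World!" and ignores the request method, path and body.
func mainHandler() http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello World!")
	}
}

// main serves mainHandler on :8080 until the listener fails.
func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", mainHandler())

	// Explicit timeouts: http.ListenAndServe uses a Server with none, so a
	// client that connects and never sends (or never reads) pins a goroutine
	// and a file descriptor indefinitely.
	srv := &http.Server{
		Addr:              ":8080",
		Handler:           mux,
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
	// The error was previously discarded, so a bind failure (port in use,
	// permission denied) exited silently with status 0.
	if err := srv.ListenAndServe(); err != nil {
		log.Fatal(err)
	}
}
-------------------------------------------------------------------------------- /hashicorp-packer/variables.pkr.hcl: --------------------------------------------------------------------------------
# Inputs for docker.pkr.hcl. `sensitive = true` marks a value for redaction in
# Packer's own output; it does not protect the value once it is handed to a
# shell command or a container.
variable "DEEPFENCE_DOCKER_USERNAME" {
  type      = string
  default   = ""
  sensitive = true
}

variable "DEEPFENCE_DOCKER_PASSWORD" {
  type      = string
  default   = ""
  sensitive = true
}

variable "DEEPFENCE_CONSOLE_URL" {
  type      = string
  default   = "127.0.0.1"
  sensitive = false
}

variable "DEEPFENCE_KEY" {
  type      = string
  default   = ""
  sensitive = true
}

# "-1" disables the threshold (see the -fail-cve-count flag in docker.pkr.hcl).
variable "FAIL_CVE_COUNT" {
  type      = string
  default   = "-1"
  sensitive = false
}

variable "FAIL_CVE_SCORE" {
  type      = string
  default   = "-1"
  sensitive = false
}

variable "image_name" {
  type      = string
  default   = 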
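"deepfence/nginx-packer-build"
  sensitive = false
}

variable "image_tag" {
  type      = string
  default   = "1.0"
  sensitive = false
}
-------------------------------------------------------------------------------- /hashicorp-packer/docker.pkr.hcl: --------------------------------------------------------------------------------
packer {
  required_plugins {
    docker = {
      version = ">= 0.0.7"
      source  = "github.com/hashicorp/docker"
    }
  }
}

# Builds debian:bullseye + nginx, tags it as ${var.image_name}:${var.image_tag},
# then scans that tag with the Deepfence vulnerability mapper. Credentials and
# thresholds come from variables.pkr.hcl.
source "docker" "debian" {
  image  = "debian:bullseye"
  commit = true
  changes = [
    "ENTRYPOINT nginx -g 'daemon off;'"
  ]
}

build {
  sources = [
    "source.docker.debian",
  ]

  provisioner "shell" {
    inline = [
      "apt-get update",
      "apt-get install -y nginx"
    ]
  }

  post-processor "docker-tag" {
    repository = "${var.image_name}"
    tag        = ["${var.image_tag}"]
  }

  # Runs on the Packer host, not inside the image. The inline commands are
  # joined into a single script (default inline_shebang is /bin/sh -e), so a
  # trap set at the top runs whether or not a later command fails.
  post-processor "shell-local" {
    inline = [
      "docker_config_path=\"$(pwd)/deepfence_docker\"",
      # Always remove the throwaway credential file, including when the pull or
      # the scan fails; previously it was only removed on the success path and
      # would otherwise be left next to the build output.
      "trap 'rm -rf \"$docker_config_path\"' EXIT",
      "rm -rf \"$docker_config_path\" && mkdir \"$docker_config_path\"",
      # printf rather than echo -n (portable, and safe if the value starts with
      # '-'); tr strips the line wrap GNU base64 inserts after 76 characters,
      # which would corrupt the auth string for long username:token pairs.
      "docker_creds=$(printf '%s' \"${var.DEEPFENCE_DOCKER_USERNAME}:${var.DEEPFENCE_DOCKER_PASSWORD}\" | base64 | tr -d '\\n')",
      "echo \"{\\\"auths\\\":{\\\"https://index.docker.io/v1/\\\":{\\\"auth\\\":\\\"$docker_creds\\\"}}}\" > \"$docker_config_path/config.json\"",
      "docker --config \"$docker_config_path\" pull deepfenceio/deepfence_vulnerability_mapper:3.7.3",
      # NOTE(review): --privileged together with the host docker socket gives the
      # scanner container root-equivalent control of the Packer host. The socket
      # alone is what lets it read the image; confirm with the vendor whether
      # --privileged is actually required before keeping it. DEEPFENCE_KEY is
      # also visible in `ps` on the host for the duration of the scan, since it is
      # passed as a command-line argument.
      "docker run -i --rm --net=host --privileged=true --cpus=\"0.3\" -v /var/run/docker.sock:/var/run/docker.sock:rw deepfenceio/deepfence_vulnerability_mapper:3.7.3 -mgmt-console-url=${var.DEEPFENCE_CONSOLE_URL} -deepfence-key=\"${var.DEEPFENCE_KEY}\" -image-name=\"${var.image_name}:${var.image_tag}\" -fail-cve-count=${var.FAIL_CVE_COUNT} -fail-cve-score=${var.FAIL_CVE_SCORE} -scan-type=\"base,java,python,ruby,php,nodejs,js,dotnet\""
    ]
  }
}
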
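-------------------------------------------------------------------------------- /jenkins/Jenkinsfile: --------------------------------------------------------------------------------
// Scripted pipeline: build the demo image, scan it with the Deepfence
// vulnerability mapper, fail the build when a threshold is crossed, then
// remove the image again.
node {
    def app
    def full_image_name = 'deepfenceio/jenkins-example:latest'
    // If authentication is enabled in the management console, set the key here.
    // NOTE(review): a key committed here is versioned with the repository and is
    // passed on the `docker run` command line below; prefer injecting it from the
    // Jenkins credentials store, e.g. by wrapping the scan stage in
    // withCredentials([string(credentialsId: '<id>', variable: 'DEEPFENCE_KEY')]).
    def deepfence_key = ""
    def deepfence_mgmt_console_url = '111.111.111.111' // IP address of Deepfence management console (placeholder, replace)
    def fail_cve_count = 100 // Fail jenkins build if number of vulnerabilities found is >= this number. Set -1 to pass regardless of vulnerabilities.
    def fail_cve_score = 8 // Fail jenkins build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score.
    def mask_cve_ids = "" // Comma separated. Example: "CVE-2019-9168,CVE-2019-9169"

    stage('Clone repository') {
        checkout scm
    }

    stage('Build image') {
        // Build context is the repository root; the Dockerfile lives in jenkins/.
        app = docker.build("${full_image_name}", "-f jenkins/Dockerfile .")
    }

    stage('Run Deepfence Vulnerability Mapper') {
        def deepfenceAgent = docker.image("deepfenceio/deepfence_vulnerability_mapper:3.7.3")
        // Declared before the try so the finally block can tell whether run()
        // ever returned. Previously `c` was first assigned inside the try, so a
        // failing run() raised a second error from `c.stop()` in finally and hid
        // the real cause.
        def c = null
        try {
            // NOTE(review): --privileged together with the host docker socket gives
            // the scanner container root-equivalent control of this agent. The
            // socket alone is what lets it read the image; confirm with the vendor
            // whether --privileged is actually required.
            c = deepfenceAgent.run("-it --net=host --privileged=true -v /var/run/docker.sock:/var/run/docker.sock:rw", "-mgmt-console-url='${deepfence_mgmt_console_url}' -image-name='${full_image_name}' -deepfence-key='${deepfence_key}' -fail-cve-count=${fail_cve_count} -fail-cve-score=${fail_cve_score} -scan-type='base,java,python,ruby,php,nodejs,js,dotnet' -mask-cve-ids='${mask_cve_ids}'")
            // Stream the scanner output, then propagate its exit code (non-zero
            // when a FAIL_CVE_* threshold is crossed) so the build fails.
            sh "docker logs -f ${c.id}"
            // trim(): returnStdout includes the trailing newline.
            def exitCode = sh(script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true).trim()
            sh "exit ${exitCode}"
        } finally {
            if (c != null) {
                c.stop()
            }
        }
    }

    stage('Remove unused docker image') {
        sh "docker rmi ${full_image_name}"
    }
}
-------------------------------------------------------------------------------- /gitlab/README.md: 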
-------------------------------------------------------------------------------- 1 | # Gitlab CI/CD Demo: Simple Go Server Application. 2 | 3 | [This](https://gitlab.com/deepfence-gitlab/simple_go_server) project builds a "Hello World" Go webapp, packages it as a Docker image and scans that image with the Deepfence Vulnerability Mapper. It provides an example of how to build and test a Dockerized 4 | web application on [Gitlab](https://gitlab.com). The pipeline itself does not push the image anywhere; it can later be pushed to any remote registry of choice. 5 | 6 | ### Configure environment variables on Gitlab 7 | The following [environment variables](https://docs.gitlab.com/ee/ci/variables/) must be set for the project on Gitlab 8 | via the project settings (i.e. `Project > Settings > CI/CD > Variables`) page, before the project can be built successfully. Mark `DEEPFENCE_DOCKER_PASSWORD` as *Masked* so GitLab redacts it from job logs, and consider marking it *Protected* so it is only exposed to pipelines on protected branches and tags. 9 | 10 | 11 | | Variable | Description | 12 | |-----------------------------|----------------------------------------------------------------------------------------------------------------| 13 | | `DEEPFENCE_CONSOLE_URL` | Deepfence management console ip address | 14 | | `DEEPFENCE_DOCKER_PASSWORD` | Deepfence docker hub password (used only to pull the scanner image) | 15 | | `DEEPFENCE_DOCKER_USERNAME` | Deepfence docker hub username | 16 | | `FAIL_CVE_COUNT` | Fail the build if number of vulnerabilities found >= this value. Set -1 to pass regardless of vulnerabilities. | 17 | | `FAIL_CVE_SCORE` | Fail the build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score. 
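| 18 | 19 | ## References 20 | - https://docs.gitlab.com/ee/ci/docker/using_docker_build.html 21 | - https://docs.gitlab.com/ee/ci/docker/using_docker_images.html 22 | 23 | -------------------------------------------------------------------------------- /gitlab/.gitlab-ci.yml: --------------------------------------------------------------------------------
stages:
  - test-go-app-build
  - test-docker-build

test-go-app-build:
  image: golang:latest
  stage: test-go-app-build

  variables:
    # Please edit to your GitLab project
    REPO_NAME: gitlab.com/deepfence-gitlab/simple_go_server

  # The problem is that to be able to use go get, one needs to put
  # the repository in the $GOPATH. So for example if your gitlab domain
  # is gitlab.com, and that your repository is namespace/project, and
  # the default GOPATH being /go, then you'd need to have your
  # repository in /go/src/gitlab.com/namespace/project
  # Thus, making a symbolic link corrects this.
  before_script:
    - mkdir -p $GOPATH/src/$(dirname $REPO_NAME)
    - ln -svf $CI_PROJECT_DIR $GOPATH/src/$REPO_NAME
    - cd $GOPATH/src/$REPO_NAME

  script:
    - go build -o $CI_PROJECT_DIR/demo-app src/main.go
  artifacts:
    paths:
      - demo-app

test-docker-build-and-cve:
  image: docker:latest
  stage: test-docker-build
  services:
    - docker:dind
  variables:
    IMAGE_NAME: go-server-test:latest
  script:
    - docker build -t $IMAGE_NAME .
    # Throwaway docker config so the Docker Hub credentials never land in the
    # default ~/.docker/config.json. It is removed again right after the pull,
    # and by after_script (below) when the pull or the scan fails - previously a
    # failure left config.json behind in the job workspace.
    - mkdir deepfence_docker
    - docker_config_path="$(pwd)/deepfence_docker"
    # printf rather than echo -n (safe if the value starts with '-'); tr strips
    # the line wrap base64 inserts after 76 characters, which would corrupt the
    # auth string for long username:token pairs.
    - docker_creds=$(printf '%s' "$DEEPFENCE_DOCKER_USERNAME:$DEEPFENCE_DOCKER_PASSWORD" | base64 | tr -d '\n')
    - echo "{\"auths\":{\"https://index.docker.io/v1/\":{\"auth\":\"$docker_creds\"}}}" > "$docker_config_path/config.json"
    - docker --config "$docker_config_path" pull deepfenceio/deepfence_vulnerability_mapper:3.7.3
    - rm -rf deepfence_docker
    # -deepfence-key is passed like the other integrations do; DEEPFENCE_KEY is
    # optional (empty when console authentication is disabled) and, if set,
    # should be a Masked CI variable.
    - docker run --rm --net=host -v /var/run/docker.sock:/var/run/docker.sock deepfenceio/deepfence_vulnerability_mapper:3.7.3 -mgmt-console-url=$DEEPFENCE_CONSOLE_URL -deepfence-key="$DEEPFENCE_KEY" -image-name="$IMAGE_NAME" -fail-cve-count=$FAIL_CVE_COUNT -fail-cve-score=$FAIL_CVE_SCORE
  # Runs regardless of the script result, so the credential file never outlives the job.
  after_script:
    - rm -rf deepfence_docker

-------------------------------------------------------------------------------- /circleci/LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2018 CircleCI 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 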
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | This project includes code from the go-ecs-ecr project 24 | at https://github.com/circleci/go-ecs-ecr, used under the following license: 25 | 26 | The MIT License (MIT) 27 | 28 | Copyright (c) 2016 Ricardo N Feliciano 29 | 30 | Permission is hereby granted, free of charge, to any person obtaining a copy 31 | of this software and associated documentation files (the "Software"), to deal 32 | in the Software without restriction, including without limitation the rights 33 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 34 | copies of the Software, and to permit persons to whom the Software is 35 | furnished to do so, subject to the following conditions: 36 | 37 | The above copyright notice and this permission notice shall be included in all 38 | copies or substantial portions of the Software. 39 | 40 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 41 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 42 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 43 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 44 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 45 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 46 | SOFTWARE. 
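-------------------------------------------------------------------------------- /github-actions/.github/workflows/main.yml: --------------------------------------------------------------------------------
name: ci

on:
  push:
    branches:
      - "*" # run for branches
    tags:
      - "*" # run for tags
  # NOTE(review): secrets are not available to pull_request runs from forks, so
  # the scanner pull below runs with empty Docker Hub credentials on fork PRs.
  # `tags` is also not a documented pull_request filter - verify it is accepted.
  pull_request:
    branches:
      - "*" # run for branches
    tags:
      - "*" # run for tags

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      GROUP: deepfence
      COMMIT: ${{ github.sha }}
      REPO: demo-app
      DEEPFENCE_CONSOLE_URL: 1.1.1.1 # placeholder - replace with your management console address
    steps:
      # NOTE(review): third-party actions are referenced by mutable major tags.
      # Pin each to a full commit SHA (uses: owner/repo@<sha> # vX) so a moved or
      # compromised tag cannot change what runs with access to DOCKER_PASS.
      - uses: actions/checkout@v2

      # Build docker image for service
      - name: Build docker image
        uses: docker/build-push-action@v1
        with:
          push: false
          repository: ${{ env.GROUP }}/${{ env.REPO }}
          tag_with_ref: true
          tag_with_sha: true
          tags: ${{ github.sha }}

      # Run Deepfence Vulnerability Mapper to check for vulnerabilities in image
      - name: Run Deepfence Vulnerability Mapper
        env:
          DEEPFENCE_CONSOLE_URL: ${{ env.DEEPFENCE_CONSOLE_URL }}
          # Was `${{ env.GROUP }}` ("deepfence"), i.e. the org name was being sent
          # as the console API key. Read it from a repository secret instead; an
          # undefined secret expands to "", which is what the other integrations
          # pass when console authentication is disabled.
          DEEPFENCE_KEY: ${{ secrets.DEEPFENCE_KEY }}
          # Secrets are passed through env rather than interpolated with ${{ }}
          # into the script body, so they are never written into the generated
          # shell file.
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_PASS: ${{ secrets.DOCKER_PASS }}
          FULL_IMAGE_NAME: ${{ env.GROUP }}/${{ env.REPO }}:${{ github.sha }}
          FAIL_CVE_COUNT: 100 # Fail build if number of vulnerabilities found is >= this number. Set -1 to pass regardless of vulnerabilities.
          FAIL_CVE_SCORE: 8 # Fail build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score.
        run: |
          # Throwaway docker config so the Docker Hub credentials never land in
          # ~/.docker/config.json on the runner. The trap removes it on failure
          # too; previously a failed pull or scan left config.json in the workspace.
          docker_config_path="$(pwd)/deepfence_docker"
          trap 'rm -rf "$docker_config_path"' EXIT
          mkdir "$docker_config_path"
          # tr strips the line wrap GNU base64 inserts after 76 characters, which
          # would corrupt the auth string for long username:token pairs.
          docker_creds=$(printf '%s' "$DOCKER_USER:$DOCKER_PASS" | base64 | tr -d '\n')
          echo "{\"auths\":{\"https://index.docker.io/v1/\":{\"auth\":\"$docker_creds\"}}}" > "$docker_config_path/config.json"
          docker --config "$docker_config_path" pull deepfenceio/deepfence_vulnerability_mapper:3.7.3
          rm -rf "$docker_config_path"
          # NOTE(review): --privileged together with the runner's docker socket
          # gives the scanner root-equivalent control of the runner. The socket
          # alone is what lets it read the image; confirm with the vendor whether
          # --privileged is actually required.
          docker run --rm --net=host --privileged=true -v /var/run/docker.sock:/var/run/docker.sock:rw deepfenceio/deepfence_vulnerability_mapper:3.7.3 -mgmt-console-url=$DEEPFENCE_CONSOLE_URL -deepfence-key="$DEEPFENCE_KEY" -image-name="$FULL_IMAGE_NAME" -fail-cve-count=$FAIL_CVE_COUNT -fail-cve-score=$FAIL_CVE_SCORE -scan-type="base,java,python,ruby,php,nodejs,js,dotnet"

      # Push to dockerhub
      - name: Push to Docker Hub
        uses: docker/build-push-action@v1
        if: startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/master'
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PASS }}
          repository: ${{ env.GROUP }}/${{ env.REPO }}
          tag_with_ref: true
          tag_with_sha: true
-------------------------------------------------------------------------------- /jenkins/README.md: -------------------------------------------------------------------------------- 1 | # Jenkins example for Deepfence Vulnerability Mapper 2 | 3 | This project demonstrates using Deepfence Vulnerability Mapper in Jenkins build pipeline. 4 | After customer's image is built, Deepfence Vulnerability Mapper is run on the image and results are sent to Deepfence management console for further analysis. 5 | There is also an option to fail the build in case number of vulnerabilities crosses given limit. 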
6 | 7 | | Variable | Description | 8 | |-------------------------------------|--------------------------------------------------------------------------------------------------------------------| 9 | | def deepfence_mgmt_console_url = '' | Deepfence management console ip address | 10 | | def deepfence_key = '' | If authentication is enabled in management console, set deepfence key here. Prefer injecting it from the Jenkins credentials store (e.g. `withCredentials`) instead of committing it: the Jenkinsfile is versioned, and the key is passed on the `docker run` command line, so it can also end up in the build console. | 11 | | def fail_cve_count = 100 | Fail jenkins build if number of vulnerabilities found >= this value. Set -1 to pass regardless of vulnerabilities. | 12 | | def fail_cve_score = 8 | Fail jenkins build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score. | 13 | 14 | ## Steps 15 | - Ensure the `deepfenceio/deepfence_vulnerability_mapper:3.7.3` image is present on the Jenkins agent that runs the build. The scanner container is started with `--privileged` and the agent's docker socket, which gives it root-equivalent access to that agent, so run this stage only on agents you trust with that level of access. 16 | ```shell script 17 | docker pull deepfenceio/deepfence_vulnerability_mapper:3.7.3 18 | ``` 19 | ### Scripted Pipeline 20 | ``` 21 | stage('Run Deepfence Vulnerability Mapper'){ 22 | DeepfenceAgent = docker.image("deepfenceio/deepfence_vulnerability_mapper:3.7.3") 23 | try { 24 | c = DeepfenceAgent.run("-it --net=host --privileged=true -v /var/run/docker.sock:/var/run/docker.sock:rw", "-mgmt-console-url='${deepfence_mgmt_console_url}' -image-name='${full_image_name}' -deepfence-key='${deepfence_key}' -fail-cve-count=${fail_cve_count} -fail-cve-score=${fail_cve_score} -scan-type='base,java,python,ruby,php,nodejs,js,dotnet'") 25 | sh "docker logs -f ${c.id}" 26 | def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true 27 | sh "exit ${out}" 28 | } finally { 29 | c.stop() 30 | } 31 | } 32 | ``` 33 | ### Declarative Pipeline 34 | ``` 35 | stage('Run Deepfence Vulnerability Mapper'){ 36 | steps { 37 | script { 38 | DeepfenceAgent = docker.image("deepfenceio/deepfence_vulnerability_mapper:3.7.3") 39 | try { 40 | c = DeepfenceAgent.run("-it --net=host --privileged=true -v /var/run/docker.sock:/var/run/docker.sock:rw", 
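"-mgmt-console-url='${deepfence_mgmt_console_url}' -image-name='${full_image_name}' -deepfence-key='${deepfence_key}' -fail-cve-count=${fail_cve_count} -fail-cve-score=${fail_cve_score} -scan-type='base,java,python,ruby,php,nodejs,js,dotnet' -mask-cve-ids='${mask_cve_ids}'") 41 | sh "docker logs -f ${c.id}" 42 | def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true 43 | sh "exit ${out}" 44 | } finally { 45 | c.stop() 46 | } 47 | } 48 | } 49 | } 50 | ``` 51 | - Set `deepfence_mgmt_console_url`, `fail_cve_count` variables in Jenkinsfile 52 | -------------------------------------------------------------------------------- /circleci/.circleci/config.yml: --------------------------------------------------------------------------------
version: 2
jobs:
  build:
    docker:
      - image: circleci/golang:1.8
    steps:
      - checkout
      - setup_remote_docker
      - run:
          name: Make the executable
          command: |
            go build -o demo-app src/main.go
      - run:
          name: Setup common environment variables
          command: |
            echo 'export ECR_REPOSITORY_NAME="${AWS_RESOURCE_NAME_PREFIX}"' >> $BASH_ENV
            echo 'export FULL_IMAGE_NAME="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${ECR_REPOSITORY_NAME}:${CIRCLE_SHA1}"' >> $BASH_ENV
      - run:
          name: Build image
          command: |
            docker build -t $FULL_IMAGE_NAME .
      - run:
          name: Run Deepfence Vulnerability Mapper
          command: |
            # Throwaway docker config so the Deepfence Docker Hub credentials never
            # land in ~/.docker/config.json. CircleCI runs steps with `bash -eo
            # pipefail`, so the trap (not a trailing rm) is what guarantees the
            # credential file is removed when the pull or the scan fails.
            docker_config_path="$(pwd)/deepfence_docker"
            trap 'rm -rf "$docker_config_path"' EXIT
            mkdir "$docker_config_path"
            # tr strips the line wrap GNU base64 inserts after 76 characters.
            docker_creds=$(printf '%s' "$DEEPFENCE_DOCKER_USERNAME:$DEEPFENCE_DOCKER_PASSWORD" | base64 | tr -d '\n')
            echo "{\"auths\":{\"https://index.docker.io/v1/\":{\"auth\":\"$docker_creds\"}}}" > "$docker_config_path/config.json"
            docker --config "$docker_config_path" pull deepfenceio/deepfence_vulnerability_mapper:3.7.3
            rm -rf "$docker_config_path"
            # `-t` dropped: it requests a pseudo-TTY, and a CircleCI run step has no
            # terminal on stdin, so `docker run -t` fails with "the input device is
            # not a TTY". `-i` is harmless and kept for parity with the Packer flow.
            # NOTE(review): --privileged together with the docker socket gives the
            # scanner root-equivalent control of the remote docker host; confirm
            # with the vendor that it is actually required.
            docker run -i --rm --net=host --privileged=true -v /var/run/docker.sock:/var/run/docker.sock:rw deepfenceio/deepfence_vulnerability_mapper:3.7.3 -mgmt-console-url=$DEEPFENCE_CONSOLE_URL -deepfence-key="$DEEPFENCE_KEY" -image-name="$FULL_IMAGE_NAME" -fail-cve-count=$FAIL_CVE_COUNT -fail-cve-score=$FAIL_CVE_SCORE -scan-type="base,java,python,ruby,php,nodejs,js,dotnet"
      - run:
          name: Test image
          command: |
            docker run -d -p 8080:8080 --name built-image $FULL_IMAGE_NAME
            sleep 10
            docker run --network container:built-image appropriate/curl --retry 10 --retry-connrefused http://localhost:8080 | grep "Hello World!"
      - run:
          name: Save image to an archive
          command: |
            mkdir docker-image
            docker save -o docker-image/image.tar $FULL_IMAGE_NAME
      - persist_to_workspace:
          root: .
          paths:
            - docker-image
  deploy:
    docker:
      - image: circleci/python:3.6.1
        environment:
          AWS_DEFAULT_OUTPUT: json
    steps:
      - checkout
      - setup_remote_docker
      - attach_workspace:
          at: workspace
      - restore_cache:
          key: v1-{{ checksum "requirements.txt" }}
      - run:
          name: Install awscli
          command: |
            python3 -m venv venv
            . venv/bin/activate
            pip install -r requirements.txt
      - save_cache:
          key: v1-{{ checksum "requirements.txt" }}
          paths:
            - "venv"
      - run:
          name: Load image
          command: |
            docker load --input workspace/docker-image/image.tar
      - run:
          name: Setup common environment variables
          command: |
            echo 'export ECR_REPOSITORY_NAME="${AWS_RESOURCE_NAME_PREFIX}"' >> $BASH_ENV
      - run:
          name: Push image
          command: |
            . venv/bin/activate
            # `aws ecr get-login` exists only in awscli v1 (requirements.txt pins
            # awscli>=1.15.50, which resolves to a 1.x release on PyPI). awscli v2
            # replaced it with `aws ecr get-login-password | docker login
            # --username AWS --password-stdin <registry>`; switch to that form if
            # the CLI is ever upgraded.
            eval $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email)
            docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$ECR_REPOSITORY_NAME:$CIRCLE_SHA1
workflows:
  version: 2
  build-deploy:
    jobs:
      - build
      - deploy:
          requires:
            - build
-------------------------------------------------------------------------------- /circleci/README.md: -------------------------------------------------------------------------------- 1 | # CircleCI Demo: AWS ECS ECR [![CircleCI status](https://circleci.com/gh/CircleCI-Public/circleci-demo-aws-ecs-ecr.svg "CircleCI status")](https://circleci.com/gh/CircleCI-Public/circleci-demo-aws-ecs-ecr) 2 | 3 | ## Deploy to AWS ECS from ECR via CircleCI 2.0 (Example Project) 4 | This project is an update of the https://github.com/circleci/go-ecs-ecr project to 5 | deploy to AWS ECS from ECR on CircleCI 2.0. 6 | This project builds and deploys a "Hello World" Go webapp. It provides an example of how to build and test a Dockerized 7 | web application on [CircleCI](https://circleci.com), push the Docker image to an Amazon Elastic Container Registry (ECR). 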
8 | 9 | ## Alternative branches 10 | * [Using Orbs](https://github.com/CircleCI-Public/circleci-demo-aws-ecs-ecr/tree/orbs) 11 | * [Simplified Orb Demo](https://github.com/CircleCI-Public/circleci-demo-aws-ecs-ecr/tree/simple_orb_demo) 12 | 13 | (These branches belong to the upstream CircleCI demo this directory was derived from. The `.circleci/config.yml` in this repository only builds, scans and pushes the image to ECR; it does not deploy to ECS, and the `terraform_setup` directory mentioned below is not part of this repository.) ### Configure environment variables on CircleCI 14 | The following [environment variables](https://circleci.com/docs/2.0/env-vars/#setting-an-environment-variable-in-a-project) must be set for the project on CircleCI via the project settings page, before the project can be built successfully. Because the `deploy` job only needs to push to one ECR repository, scope the AWS credentials to ECR push on that repository rather than reusing an administrator's keys. 15 | 16 | 17 | | Variable | Description | 18 | |-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 19 | | `AWS_ACCESS_KEY_ID` | Used by the AWS CLI | 20 | | `AWS_SECRET_ACCESS_KEY` | Used by the AWS CLI | 21 | | `AWS_DEFAULT_REGION` | Used by the AWS CLI. Example value: "us-east-1" (Please make sure the specified region is supported by the Fargate launch type) | 22 | | `AWS_ACCOUNT_ID` | AWS account id. This information is required for deployment. | 23 | | `AWS_RESOURCE_NAME_PREFIX` | Prefix that some of the required AWS resources are assumed to have in their names; `config.yml` uses it as the ECR repository name. In the upstream demo the value corresponds to the `aws_resource_prefix` variable in `terraform_setup/terraform.tfvars`. | 24 | | `DEEPFENCE_CONSOLE_URL` | Deepfence management console ip address | 25 | | `DEEPFENCE_KEY` | If authentication is enabled in management console, set deepfence key here | 26 | | `DEEPFENCE_DOCKER_PASSWORD` | Deepfence docker hub password (used only to pull the scanner image) | 27 | | `DEEPFENCE_DOCKER_USERNAME` | Deepfence docker hub username | 28 | | `FAIL_CVE_COUNT` | Fail the build if number of vulnerabilities found >= this value. Set -1 to pass regardless of vulnerabilities. | 29 | | `FAIL_CVE_SCORE` | Fail the build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score. 
| 30 | 31 | ## References 32 | - https://github.com/circleci/go-ecs-ecr 33 | - https://github.com/awslabs/aws-cloudformation-templates 34 | - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_GetStarted.html 35 | --------------------------------------------------------------------------------