buildspec.yml

version: 0.2

run-as: root
phases:
        install:
                runtime-versions:
                        docker: 19
        pre_build:
                commands: 
                        - echo "Running pipeline!"
                        - nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://127.0.0.1:2375 --storage-driver=overlay2 &
                        - timeout 15 sh -c "until docker info; do echo .; sleep 1; done"
                        - yum install wget -y
                        - yum install jq -y
                        - wget https://github.com/aquasecurity/trivy/releases/download/v0.19.2/trivy_0.19.2_Linux-64bit.rpm
                        - rpm -ivh ./trivy_0.19.2_Linux-64bit.rpm
                        - /usr/local/bin/trivy --version
                        - echo ${Commit_ID}
                        - sudo find /tmp -type f -atime +1 -delete
        build:
                commands:
                        - echo "Building"
                        - message=$(aws codecommit get-commit --repository-name Trivy-Demo --commit-id ${Commit_ID} | jq .commit.message)
                        - export DOCKER_IMAGE=$(echo $message | grep "::.*" -o | sed 's/^..//' | sed 's/\\n//g' | sed 's/"//g')
                        - echo $DOCKER_IMAGE
                        - cd docker/centos
                        - update-alternatives --set iptables /usr/sbin/iptables-legacy
                        - echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
                        - docker build -t trivy-testing:latest .
                        - echo "Runnig trivy scan against $DOCKER_IMAGE"
                        - sudo /usr/local/bin/trivy -f json -o "trivy-results/${DOCKER_IMAGE}_results.json" --exit-code 0 --severity HIGH,MEDIUM,LOW --quiet --auto-refresh   
                        - echo "Done scanning. Proceeding to post build-build s3 results upload and vulnerability identification..."
                        - cd ../..
        post_build:
                commands:
                        - echo "Uploading results to s3"
                        - aws s3 cp trivy-results/${DOCKER_IMAGE}_results.json s3://${BUCKET_NAME}
                        - echo "Parsing results..."
                        - aws s3api select-object-content --bucket ${BUCKET_NAME} --key ${DOCKER_IMAGE}_results.json --expression "select * from s3object" --expression-type SQL --input-serialization '{"JSON": {"Type": "Document"}, "CompressionType": "None"}' --output-serialization '{"JSON": {"RecordDelimiter": "-"}}' "scan_result.json"
                        - chmod +x ./count_vulns.sh
                        - ./count_vulnes.sh
                finally: 
                        - unset DOCKER_IMAGE
                        - unset BUCKET_NAME