anchore / ci-tools

Contains scripts for running anchore engine in CI pipelines
Apache License 2.0

[feature] allow custom path for policy bundle #9

Closed denismakogon closed 5 years ago

denismakogon commented 5 years ago

Follow-up on https://github.com/anchore/anchore-engine/issues/174

intro

The CircleCI Anchore orb allows using a bundle file that is stored at .circleci/.anchore/policy_bundle.json.

However, there's a problem because anchore/analyze_local_image attempts to load the custom bundle file from the following path:

/home/circleci/project/.circleci/.anchore/policy_bundle.json

when most of the time it's not there, and here's a very simple CircleCI job template that breaks the Anchore orb:

  "python36_security_check":
    executor: anchore/anchore_engine
    working_directory: ~/go/src/github.com/fnproject/fdk-python
    steps:
      - checkout
      - run:
          name: Python 3.6 build
          command: |
            ./build-images.sh 3.6
      - anchore/analyze_local_image:
          image_name: fnproject/python:3.6-dev
          timeout: '500'
          policy_failure: true
      - anchore/analyze_local_image:
          image_name: fnproject/python:3.6
          timeout: '500'
          policy_failure: true
      - anchore/parse_reports

As you may notice, there's working_directory: ~/go/src/github.com/fnproject/fdk-python that changes the working directory and makes it impossible to find the bundle file for Anchore:

#!/bin/bash -eo pipefail
(anchore-cli --json policy add /home/circleci/project/.circleci/.anchore/policy_bundle.json | jq '.policyId' | xargs anchore-cli policy activate) &> /dev/null || \
  printf "\n%s\n" "Custom policy bundle not found - /home/circleci/project/.circleci/.anchore/policy_bundle.json - using default policy bundle."
if true; then
  anchore-cli evaluate check anchore-registry:5000/fnproject/python:3.6-dev --detail
else
  (set +o pipefail; anchore-cli evaluate check anchore-registry:5000/fnproject/python:3.6-dev --detail | tee /dev/null)
fi

Custom policy bundle not found - /home/circleci/project/.circleci/.anchore/policy_bundle.json - using default policy bundle.

Btodhunter commented 5 years ago

Hey @denismakogon! You can specify a custom path for your policy bundle by using the policy_bundle_file_path parameter. Like in this example (but with an actual path, I'm using "" here to use the default policy): https://github.com/anchore/ci-tools/blob/master/.circleci/config.yml#L34-L44

Let me know if this works for you.
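The orb output quoted in the issue falls back to the default policy bundle whenever the file at the hardcoded path is missing, so an image can end up evaluated against a weaker policy than the repository intended. As an added example (not code from the orb or the ci-tools project), the functions below resolve the bundle path from the job's working directory or from an explicit policy_bundle_file_path value, and fail the step instead of silently continuing; the function names and the default relative path are assumptions.

```shell
#!/bin/bash
# Added example: resolve the Anchore policy bundle path and fail closed when it
# is missing, rather than silently using the default policy.

# Default location relative to the checkout, mirroring the orb's convention
# (assumed here).
BUNDLE_REL_PATH=".circleci/.anchore/policy_bundle.json"

# resolve_bundle_path <working_dir> [explicit_path]
# Prints the bundle path: an explicit path (the orb's policy_bundle_file_path
# parameter) wins; otherwise the default under working_dir is used, so a
# changed working_directory no longer points at /home/circleci/project.
resolve_bundle_path() {
  local working_dir="$1" explicit="${2:-}"
  if [ -n "$explicit" ]; then
    printf '%s\n' "$explicit"
  else
    printf '%s/%s\n' "${working_dir%/}" "$BUNDLE_REL_PATH"
  fi
}

# require_policy_bundle <path>
# Returns 0 if the bundle is a readable, non-empty regular file; otherwise
# prints a message on stderr and returns 1 so the CI step aborts.
require_policy_bundle() {
  local path="$1"
  if [ ! -f "$path" ] || [ ! -r "$path" ]; then
    printf 'policy bundle not found or unreadable: %s\n' "$path" >&2
    return 1
  fi
  if [ ! -s "$path" ]; then
    printf 'policy bundle is empty: %s\n' "$path" >&2
    return 1
  fi
  return 0
}

# check_bundle_for_job <working_dir> [explicit_path]
# Combines both steps; on success prints the path that should be passed to
# `anchore-cli policy add` before `anchore-cli policy activate` runs.
check_bundle_for_job() {
  local path
  path="$(resolve_bundle_path "$1" "${2:-}")"
  require_policy_bundle "$path" || return 1
  printf '%s\n' "$path"
}
```

Run check_bundle_for_job as the first command of the analysis step; a non-zero exit stops the job before any image is evaluated under the wrong policy.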

denismakogon commented 5 years ago

okay, will try it out.

denismakogon commented 5 years ago

will close this, for now, might reopen if needed.