|
|
|
@ -57,91 +57,91 @@ pipeline {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
stage('Security: Verify Dependencies') {
|
|
|
|
// stage('Security: Verify Dependencies') {
|
|
|
|
steps {
|
|
|
|
// steps {
|
|
|
|
script {
|
|
|
|
// script {
|
|
|
|
sh """#!/bin/bash
|
|
|
|
// sh """#!/bin/bash
|
|
|
|
set -e
|
|
|
|
// set -e
|
|
|
|
|
|
|
|
|
|
|
|
WORKSPACE_DIR="\$(pwd)"
|
|
|
|
// WORKSPACE_DIR="\$(pwd)"
|
|
|
|
echo "Working directory: \${WORKSPACE_DIR}"
|
|
|
|
// echo "Working directory: \${WORKSPACE_DIR}"
|
|
|
|
|
|
|
|
|
|
|
|
echo "1. Checking Python dependencies..."
|
|
|
|
// echo "1. Checking Python dependencies..."
|
|
|
|
if [ -f "\${WORKSPACE_DIR}/requirements.txt" ]; then
|
|
|
|
// if [ -f "\${WORKSPACE_DIR}/requirements.txt" ]; then
|
|
|
|
echo " - Found requirements.txt"
|
|
|
|
// echo " - Found requirements.txt"
|
|
|
|
|
|
|
|
|
|
|
|
echo ""
|
|
|
|
// echo ""
|
|
|
|
echo "2. Running security checks inside Python container..."
|
|
|
|
// echo "2. Running security checks inside Python container..."
|
|
|
|
|
|
|
|
|
|
|
|
# Buat container, copy file, jalankan check
|
|
|
|
// # Buat container, copy file, jalankan check
|
|
|
|
CONTAINER_ID=\$(docker create python:3.11-slim bash -c '
|
|
|
|
// CONTAINER_ID=\$(docker create python:3.11-slim bash -c '
|
|
|
|
set -e
|
|
|
|
// set -e
|
|
|
|
|
|
|
|
|
|
|
|
echo "Installing security tools..."
|
|
|
|
// echo "Installing security tools..."
|
|
|
|
pip install --upgrade pip setuptools wheel > /dev/null 2>&1
|
|
|
|
// pip install --upgrade pip setuptools wheel > /dev/null 2>&1
|
|
|
|
pip install pip-audit safety > /dev/null 2>&1
|
|
|
|
// pip install pip-audit safety > /dev/null 2>&1
|
|
|
|
|
|
|
|
|
|
|
|
echo ""
|
|
|
|
// echo ""
|
|
|
|
echo "Installing dependencies from requirements.txt..."
|
|
|
|
// echo "Installing dependencies from requirements.txt..."
|
|
|
|
pip install -r /tmp/requirements.txt
|
|
|
|
// pip install -r /tmp/requirements.txt
|
|
|
|
|
|
|
|
|
|
|
|
echo ""
|
|
|
|
// echo ""
|
|
|
|
echo "Running pip-audit for known vulnerabilities..."
|
|
|
|
// echo "Running pip-audit for known vulnerabilities..."
|
|
|
|
pip-audit --desc || {
|
|
|
|
// pip-audit --desc || {
|
|
|
|
echo "Security vulnerabilities detected"
|
|
|
|
// echo "Security vulnerabilities detected"
|
|
|
|
exit 1
|
|
|
|
// exit 1
|
|
|
|
}
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
|
|
echo ""
|
|
|
|
// echo ""
|
|
|
|
echo "Running safety check..."
|
|
|
|
// echo "Running safety check..."
|
|
|
|
safety check || {
|
|
|
|
// safety check || {
|
|
|
|
echo "Safety check found issues"
|
|
|
|
// echo "Safety check found issues"
|
|
|
|
exit 1
|
|
|
|
// exit 1
|
|
|
|
}
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
|
|
echo ""
|
|
|
|
// echo ""
|
|
|
|
echo "Checking for outdated packages..."
|
|
|
|
// echo "Checking for outdated packages..."
|
|
|
|
pip list --outdated || echo "All packages are up to date"
|
|
|
|
// pip list --outdated || echo "All packages are up to date"
|
|
|
|
|
|
|
|
|
|
|
|
echo ""
|
|
|
|
// echo ""
|
|
|
|
echo "Verifying package integrity..."
|
|
|
|
// echo "Verifying package integrity..."
|
|
|
|
pip check || {
|
|
|
|
// pip check || {
|
|
|
|
echo "Dependency conflicts detected"
|
|
|
|
// echo "Dependency conflicts detected"
|
|
|
|
exit 1
|
|
|
|
// exit 1
|
|
|
|
}
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
|
|
echo "All Python dependencies verified successfully"
|
|
|
|
// echo "All Python dependencies verified successfully"
|
|
|
|
')
|
|
|
|
// ')
|
|
|
|
|
|
|
|
|
|
|
|
echo " - Container ID: \${CONTAINER_ID}"
|
|
|
|
// echo " - Container ID: \${CONTAINER_ID}"
|
|
|
|
|
|
|
|
|
|
|
|
# Copy requirements.txt langsung ke container (tanpa volume mount)
|
|
|
|
// # Copy requirements.txt langsung ke container (tanpa volume mount)
|
|
|
|
docker cp "\${WORKSPACE_DIR}/requirements.txt" "\${CONTAINER_ID}:/tmp/requirements.txt"
|
|
|
|
// docker cp "\${WORKSPACE_DIR}/requirements.txt" "\${CONTAINER_ID}:/tmp/requirements.txt"
|
|
|
|
|
|
|
|
|
|
|
|
# Copy Pipfile jika ada
|
|
|
|
// # Copy Pipfile jika ada
|
|
|
|
if [ -f "\${WORKSPACE_DIR}/Pipfile.lock" ]; then
|
|
|
|
// if [ -f "\${WORKSPACE_DIR}/Pipfile.lock" ]; then
|
|
|
|
docker cp "\${WORKSPACE_DIR}/Pipfile.lock" "\${CONTAINER_ID}:/tmp/Pipfile.lock"
|
|
|
|
// docker cp "\${WORKSPACE_DIR}/Pipfile.lock" "\${CONTAINER_ID}:/tmp/Pipfile.lock"
|
|
|
|
fi
|
|
|
|
// fi
|
|
|
|
|
|
|
|
|
|
|
|
# Jalankan container dan pastikan cleanup
|
|
|
|
// # Jalankan container dan pastikan cleanup
|
|
|
|
docker start --attach "\${CONTAINER_ID}" || {
|
|
|
|
// docker start --attach "\${CONTAINER_ID}" || {
|
|
|
|
EXIT_CODE=\$?
|
|
|
|
// EXIT_CODE=\$?
|
|
|
|
docker rm "\${CONTAINER_ID}" > /dev/null 2>&1 || true
|
|
|
|
// docker rm "\${CONTAINER_ID}" > /dev/null 2>&1 || true
|
|
|
|
exit \${EXIT_CODE}
|
|
|
|
// exit \${EXIT_CODE}
|
|
|
|
}
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
|
|
docker rm "\${CONTAINER_ID}" > /dev/null 2>&1 || true
|
|
|
|
// docker rm "\${CONTAINER_ID}" > /dev/null 2>&1 || true
|
|
|
|
|
|
|
|
|
|
|
|
echo "✓ All Python dependencies are verified and up to date"
|
|
|
|
// echo "✓ All Python dependencies are verified and up to date"
|
|
|
|
else
|
|
|
|
// else
|
|
|
|
echo " - requirements.txt not found, skipping dependency check"
|
|
|
|
// echo " - requirements.txt not found, skipping dependency check"
|
|
|
|
echo " Directory contents:"
|
|
|
|
// echo " Directory contents:"
|
|
|
|
ls -la "\${WORKSPACE_DIR}/"
|
|
|
|
// ls -la "\${WORKSPACE_DIR}/"
|
|
|
|
fi
|
|
|
|
// fi
|
|
|
|
"""
|
|
|
|
// """
|
|
|
|
}
|
|
|
|
// }
|
|
|
|
}
|
|
|
|
// }
|
|
|
|
}
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
stage('Setup Vault SSH Tunnel') {
|
|
|
|
stage('Setup Vault SSH Tunnel') {
|
|
|
|
|