This repository was archived by the owner on Feb 28, 2023. It is now read-only.
[feature] allow custom path for policy bundle #9
Closed
Description
Follow-up on anchore/anchore-engine#174
intro
The CircleCI Anchore orb allows using a bundle file that is stored at .circleci/.anchore/policy_bundle.json.
However, there's a problem, because anchore/analyze_local_image
attempts to load the custom bundle file from the following path:
/home/circleci/project/.circleci/.anchore/policy_bundle.json
when most of the time it's not there. Here's a very simple CircleCI job template that breaks the Anchore orb:
```yaml
"python36_security_check":
  executor: anchore/anchore_engine
  working_directory: ~/go/src/github.com/fnproject/fdk-python
  steps:
    - checkout
    - run:
        name: Python 3.6 build
        command: |
          ./build-images.sh 3.6
    - anchore/analyze_local_image:
        image_name: fnproject/python:3.6-dev
        timeout: '500'
        policy_failure: true
    - anchore/analyze_local_image:
        image_name: fnproject/python:3.6
        timeout: '500'
        policy_failure: true
    - anchore/parse_reports
```
As you may notice, there's working_directory: ~/go/src/github.com/fnproject/fdk-python
that changes the working directory and makes it impossible for Anchore to find the bundle file:
```bash
#!/bin/bash -eo pipefail
(anchore-cli --json policy add /home/circleci/project/.circleci/.anchore/policy_bundle.json | jq '.policyId' | xargs anchore-cli policy activate) &> /dev/null || \
printf "\n%s\n" "Custom policy bundle not found - /home/circleci/project/.circleci/.anchore/policy_bundle.json - using default policy bundle."
if true; then
anchore-cli evaluate check anchore-registry:5000/fnproject/python:3.6-dev --detail
else
(set +o pipefail; anchore-cli evaluate check anchore-registry:5000/fnproject/python:3.6-dev --detail | tee /dev/null)
fi
```
Custom policy bundle not found - /home/circleci/project/.circleci/.anchore/policy_bundle.json - using default policy bundle.
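The following is an added example, not the orb's own code and not part of the original issue, showing how the bundle lookup could honour a caller-supplied path and the job's working directory instead of a hardcoded one. It assumes a hypothetical override argument (the "custom path" this issue asks for) and CircleCI's CIRCLE_WORKING_DIRECTORY variable (which CircleCI sets to the job's working_directory); the expansion of a leading "~" is a defensive assumption about that variable's value.

```bash
#!/bin/sh
# Added example: locate the Anchore policy bundle without hardcoding
# /home/circleci/project/.circleci/.anchore/policy_bundle.json.
#
# resolve_policy_bundle [override_path] [working_dir]
#   Prints the first readable candidate and returns 0, or prints nothing
#   and returns 1 when no bundle exists. Candidates, in order:
#     1. an explicit override (hypothetical "custom path" parameter)
#     2. <working_dir>/.circleci/.anchore/policy_bundle.json, where
#        working_dir defaults to CIRCLE_WORKING_DIRECTORY, then $PWD
#     3. the orb's current hardcoded path, kept as a last resort
resolve_policy_bundle() {
  override="${1:-}"
  workdir="${2:-${CIRCLE_WORKING_DIRECTORY:-$PWD}}"
  # Assumption: CIRCLE_WORKING_DIRECTORY may carry an unexpanded "~"
  # (as in the job above); expand it so the path is usable.
  case "$workdir" in
    "~"*) workdir="$HOME${workdir#\~}" ;;
  esac
  for c in "$override" \
           "$workdir/.circleci/.anchore/policy_bundle.json" \
           "/home/circleci/project/.circleci/.anchore/policy_bundle.json"; do
    [ -n "$c" ] && [ -r "$c" ] && { printf '%s\n' "$c"; return 0; }
  done
  return 1
}

# activate_policy_bundle [override_path] [working_dir]
#   Same add/activate sequence as the orb's step, but only invokes
#   anchore-cli when a bundle was actually found, so a missing file is
#   reported explicitly instead of being swallowed by "&> /dev/null".
activate_policy_bundle() {
  if bundle="$(resolve_policy_bundle "$@")"; then
    echo "Using custom policy bundle: $bundle"
    anchore-cli --json policy add "$bundle" \
      | jq -r '.policyId' \
      | xargs anchore-cli policy activate
  else
    echo "Custom policy bundle not found - using default policy bundle." >&2
    return 1
  fi
}
```

With this, a job that sets working_directory still finds its checked-out bundle, and a job that wants the bundle elsewhere can pass the path explicitly; only when neither exists does the default policy apply, and that fallback is logged rather than hidden.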