metadata: name: protecodeExecuteScan description: Protecode is an Open Source Vulnerability Scanner that is capable of scanning binaries. It can be used to scan docker images but is supports many other programming languages especially those of the C family. longDescription: |- Protecode is an Open Source Vulnerability Scanner that is capable of scanning binaries. It can be used to scan docker images but is supports many other programming languages especially those of the C family. !!! hint "Auditing findings (Triaging)" Triaging is now supported by the Protecode backend and also Piper does consider this information during the analysis of the scan results though product versions are not supported by Protecode. Therefore please make sure that the `fileName` you are providing does either contain a stable version or that it does not contain one at all. By ensuring that you are able to triage CVEs globally on the upload file's name without affecting any other artifacts scanned in the same Protecode group and as such triaged vulnerabilities will be considered during the next scan and will not fail the build anymore. spec: inputs: secrets: - name: protecodeCredentialsId description: Jenkins 'Username with password' credentials ID containing username and password to authenticate to the Protecode system. type: jenkins - name: dockerConfigJsonCredentialsId description: Jenkins 'Secret file' credentials ID containing Docker config.json (with registry credential(s)). You can create it like explained in [Prerequisites](https://www.project-piper.io/steps/protecodeExecuteScan/#prerequisites). type: jenkins aliases: - name: dockerCredentialsId deprecated: true params: - name: excludeCVEs aliases: - name: protecodeExcludeCVEs type: string description: "DEPRECATED: Do use triaging within the Protecode UI instead" scope: - PARAMETERS - STAGES - STEPS default: "" - name: failOnSevereVulnerabilities aliases: - name: protecodeFailOnSevereVulnerabilities type: bool description: Whether to fail the job on severe vulnerabilties or not scope: - PARAMETERS - STAGES - STEPS default: true - name: scanImage aliases: - name: dockerImage type: string description: The reference to the docker image to scan with Protecode resourceRef: - name: commonPipelineEnvironment param: container/imageNameTag scope: - GENERAL - PARAMETERS - STAGES - STEPS - name: dockerRegistryUrl type: string description: The reference to the docker registry to scan with Protecode resourceRef: - name: commonPipelineEnvironment param: container/registryUrl scope: - GENERAL - PARAMETERS - STAGES - STEPS - name: dockerConfigJSON type: string description: Path to the file `.docker/config.json` - this is typically provided by your CI/CD system. You can find more details about the Docker credentials in the [Docker documentation](https://docs.docker.com/engine/reference/commandline/login/). scope: - PARAMETERS - STAGES - STEPS secret: true resourceRef: - name: dockerConfigJsonCredentialsId type: secret - type: vaultSecretFile paths: - $(vaultPath)/docker-config - $(vaultBasePath)/$(vaultPipelineName)/docker-config - $(vaultBasePath)/GROUP-SECRETS/docker-config - name: cleanupMode type: string description: Decides which parts are removed from the Protecode backend after the scan scope: - PARAMETERS - STAGES - STEPS default: binary possibleValues: - none - binary - complete - name: filePath type: string description: The path to the file from local workspace to scan with Protecode scope: - PARAMETERS - STAGES - STEPS - name: includeLayers type: bool description: Flag if the docker layers should be included scope: - PARAMETERS - STAGES - STEPS - name: timeoutMinutes aliases: - name: protecodeTimeoutMinutes type: string description: The timeout to wait for the scan to finish scope: - PARAMETERS - STAGES - STEPS default: 60 - name: serverUrl aliases: - name: protecodeServerUrl type: string description: The URL to the Protecode backend mandatory: true scope: - GENERAL - PARAMETERS - STAGES - STEPS - name: reportFileName type: string description: The file name of the report to be created scope: - PARAMETERS - STAGES - STEPS default: protecode_report.pdf - name: fetchUrl type: string description: The URL to fetch the file or image to scan with Protecode. longDescription: The URL to fetch the file or image to scan with Protecode. The URL must be accessible via public HTTP GET request. To fetch a docker image the URL needs a 'docker-registry-' prefix. scope: - PARAMETERS - STAGES - STEPS - name: group aliases: - name: protecodeGroup type: string description: The Protecode group ID of your team mandatory: true scope: - PARAMETERS - STAGES - STEPS - name: verifyOnly aliases: - name: reuseExisting deprecated: true type: bool description: Whether the step shall only apply verification checks or whether it does a full scan and check cycle scope: - PARAMETERS - STAGES - STEPS default: false - name: replaceProductId type: int description: Specify which application binary will be replaced and rescanned and product id remains unchanged. By using this parameter, Protecode avoids creating multiple same products. Note this will affect results and feeds. scope: - PARAMETERS - STAGES - STEPS - name: username aliases: - name: user deprecated: true type: string description: User which is used for the protecode scan mandatory: true scope: - PARAMETERS - STAGES - STEPS secret: true resourceRef: - name: protecodeCredentialsId type: secret param: username - type: vaultSecret paths: - $(vaultPath)/protecode - $(vaultBasePath)/$(vaultPipelineName)/protecode - $(vaultBasePath)/GROUP-SECRETS/protecode - name: password type: string description: Password which is used for the user mandatory: true scope: - PARAMETERS - STAGES - STEPS secret: true resourceRef: - name: protecodeCredentialsId type: secret param: password - type: vaultSecret paths: - $(vaultPath)/protecode - $(vaultBasePath)/$(vaultPipelineName)/protecode - $(vaultBasePath)/GROUP-SECRETS/protecode - name: version aliases: - name: artifactVersion deprecated: true type: string description: The version of the artifact to allow identification in protecode backend resourceRef: - name: commonPipelineEnvironment param: artifactVersion scope: - PARAMETERS - STAGES - STEPS - name: pullRequestName type: string description: The name of the pull request scope: - PARAMETERS - STAGES - STEPS outputs: resources: - name: influx type: influx params: - name: step_data fields: - name: protecode type: bool - name: protecode_data fields: - name: excluded_vulnerabilities type: int - name: historical_vulnerabilities type: int - name: major_vulnerabilities type: int - name: minor_vulnerabilities type: int - name: triaged_vulnerabilities type: int - name: vulnerabilities type: int