...
Outputs and Groovy Condition
Each operation in this plugin supplies the option to configure a Groovy script to determine if the scan results are inacceptable and should fail the operation. Below is a list of variables available to the Groovy script.
| Info | ||
|---|---|---|
| ||
Each of these variables is also available as a plugin output |
| Groovy Variable | Plugin Output | Description | Example |
|---|---|---|---|
| STATUS | FDANCR_OUT_STATUS | Overall status of the scan/analysis. This is ultimately determined by the policy bundle that is used. Possible values are pass or fail. | fail |
| FINAL_ACTION | FDANCR_OUT_FINAL_ACTION | Similar to the status, this provides the recommended action for the image. | stop |
| STOP_COUNT | FDANCR_OUT_STOP_COUNT | An integer count of the number of STOP rules detected for the image | 2 |
| WARN_COUNT | FDANCR_OUT_WARN_COUNT | An integer count of the number of WARN rules detected for the image | 10 |
| ALL_COUNTS | FDANCR_OUT_ALL_COUNT_LIST | A full list of all counts returned | [STOP:2, WARN:10, GO:37] |
| All other FlexDeploy Variables are also available in the Groovy Script Condition |
Example Groovy Script Conditions
The most common use case, lets the policy bundle unequivocally determine failure.
Code Block language groovy STATUS == "fail"No warn or stop checks found
Code Block language groovy (STOP_COUNT + WARN_COUNT) != 0- A script that is more lenient on non master stream builds (could be only master stream is pushed to the registry and other streams are for local testing).
Code Block language groovy //master is not allowed any stop checks whereas every other stream can have 5 or less FDBLD_STREAM_NAME == "master" ? STOP_COUNT > 0 : STOP_COUNT > 5
Project Configuration
Anchore is FlexDeploy's preferred choice when it comes to container scanning. As such, you can configure your project to scan the specified image without any configuration other than setting the below properties:
...