added trivy scan for streetcode_client image

[flannooz]

dev

JIRA

• Main JIRA ticket

Code reviewers

• @github_username

Second Level Review

• @github_username

Summary of issue

ToDo

Summary of change

ToDo

Testing approach

ToDo

CHECK LIST

• СI passed
• Сode coverage >=95%
• PR is reviewed manually again (to make sure you have 100% ready code)
• All reviewers agreed to merge the PR
• I've checked new feature as logged in and logged out user if needed
• PR meets all conventions

Summary by CodeRabbit

• New Features

  • Introduced a security scan stage using Trivy to check Docker images for high and critical vulnerabilities after building.
  • Added deployment status notifications to Discord for aborted, failed, success, and rollback events, enhancing real-time monitoring.

• Chores

  • Updated Docker image tagging to use an environment variable for the username.

[coderabbitai]

Walkthrough

The Jenkins pipeline was updated to refactor the Docker image tagging by introducing a DOCKER_USERNAME environment variable. A new conditional stage, 'Trivy Security Scan', was added after the image build to scan the Docker image for high and critical vulnerabilities without failing the pipeline on scan issues. Deployment stages were enhanced with Discord notifications for various build results using a new global function sendDiscordNotification.

Changes

File(s)

Change Summary

Jenkinsfile

- Introduced DOCKER_USERNAME env var for Docker image tagging. - Added conditional 'Trivy Security Scan' stage after image build. - Scan targets HIGH and CRITICAL vulnerabilities. - Scan runs in Docker container with mounted Docker socket. - Scan failures do not fail the pipeline. - Wrapped deployment approval and steps in try-catch to handle abort and failure. - Added Discord notifications on ABORTED, FAILURE, and SUCCESS states. - Extended post-conditions to notify on deployment failures and trigger rollback on abort. - Added global function sendDiscordNotification(status, message) to post formatted JSON messages to Discord webhook.

Sequence Diagram(s)

sequenceDiagram
    participant Jenkins
    participant Docker
    participant Trivy
    participant Discord

    Jenkins->>Docker: Build Docker image (using DOCKER_USERNAME)
    alt Image build successful
        Jenkins->>Trivy: Run security scan on built image
        Trivy-->>Jenkins: Report vulnerabilities (does not fail pipeline)
        Jenkins->>Discord: Send notification (build success)
    else Build failed or aborted
        Jenkins->>Discord: Send notification (failure or aborted)
    end

Loading

Poem

🐳
A username set, the image built,
Then Trivy scans without a wilt.
High risks flagged, yet pipeline flows,
Securely safe as knowledge grows.
Alerts dispatched with Discord's cheer,
Deployment status loud and clear.
🔍🚀

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

Jenkinsfile (2)

119-122: Reevaluate the removal of branch filter on ‘Build image’
By commenting out the when { branch pattern: "release/[0-9]\\.[0-9]\\.[0-9]", comparator: "REGEXP" } block, the image build will now trigger on all branches (including feature/PR branches). This may lead to unnecessary Docker builds and registry churn.

Consider reintroducing a targeted branch filter or driving behavior via a parameter (e.g., BUILD_IMAGE=true) to limit builds to your intended release branches.

---

180-367: Remove or modularize large commented-out deployment blocks
There are extensive commented sections for staging, production, syncing, and rollback. Keeping them in-line makes the Jenkinsfile hard to navigate and maintain.

If you need to retain historical logic, consider:

• Extracting these stages into a shared library or separate Jenkinsfile template, or
• Controlling their execution via a Boolean parameter (e.g., ENABLE_DEPLOY=true).
  Otherwise, prune deprecated code to improve readability.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7099557 and 88b51b9.

📒 Files selected for processing (1)

• Jenkinsfile (6 hunks)

🔇 Additional comments (1)

Jenkinsfile (1)

125-128: Verify consistent usage of DOCKER_USERNAME
You’ve captured the Docker registry user as env.DOCKER_USERNAME, which is great for reuse. Please audit all downstream steps (push, tag, Trivy scan) to ensure they reference env.DOCKER_USERNAME instead of directly using the local username variable to prevent mismatches.

Run a quick search for docker push and docker tag invocations to confirm consistency.

[coderabbitai]

🛠️ Refactor suggestion

Strengthen Trivy scan enforcement or reporting
Adding a Trivy Security Scan is an excellent step toward shifting security left. However, the || true suffix on the scan command silences failures—even for HIGH/CRITICAL vulnerabilities—potentially hiding critical issues.

Option A: Capture Trivy’s exit code and fail the build above a severity threshold.
Option B: Bubble up the scan output to a centralized report/dashboard, then allow the build to continue but clearly flag security regressions.
Example diff to fail on critical findings:

-    sh """
-        docker run --rm \
-        -v /var/run/docker.sock:/var/run/docker.sock \
-        aquasec/trivy image --no-progress --severity HIGH,CRITICAL --exit-code 1 ${image} || true
-    """
+    sh """
+        docker run --rm \
+        -v /var/run/docker.sock:/var/run/docker.sock \
+        aquasec/trivy image --no-progress --severity HIGH,CRITICAL --exit-code 1 ${image}
+    """

This change will cause the stage to fail if any HIGH/CRITICAL vulnerabilities are detected.

[LanchevychMaxym]

LGTM!

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

Jenkinsfile (1)

136-156: ⚠️ Potential issue

Reinstate Trivy scan exit code handling.
The || true suffix will suppress all HIGH/CRITICAL vulnerability failures, potentially hiding security regressions. To enforce scans or better report results, consider removing || true or handling exit codes explicitly so critical findings surface.

Example:

-    aquasec/trivy image --no-progress --severity HIGH,CRITICAL --exit-code 1 ${image} || true
+    aquasec/trivy image --no-progress --severity HIGH,CRITICAL --exit-code 1 ${image}

Alternatively, capture the exit code and fail only on CRITICAL severity to balance pipeline stability with security.

🧹 Nitpick comments (1)

Jenkinsfile (1)

128-129: Persist DOCKER_USERNAME in an environment block.
Assigning env.DOCKER_USERNAME inside the script works, but it’s more idiomatic to declare it in an environment {} block at the pipeline or stage level for clarity and consistent scoping.

Example:

 stage('Build image') {
   environment {
-    // credential loaded in script
+    DOCKER_USERNAME = credentials('docker-login-streetcode').username
   }
   steps {
     script {
       sh "docker build -t ${DOCKER_USERNAME}/streetcode_client:latest ."

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6736495 and 1a36dc5.

📒 Files selected for processing (1)

• Jenkinsfile (7 hunks)

🔇 Additional comments (1)

Jenkinsfile (1)

119-124: Confirm intentional removal of branch filtering in Build Image stage.
The when block restricting builds to release/x.x.x branches has been commented out, causing images to be built on all branches. Is this intended? Building on every branch could lead to resource waste and unexpected image tags.

[coderabbitai]

🛠️ Refactor suggestion

Use a structured HTTP request step and JSON builder.
Constructing a multiline JSON string inside a shell curl call can break on unescaped characters and is hard to maintain. Leverage the Jenkins httpRequest step or Groovy’s JsonOutput to build and send the payload safely, avoiding manual shell quoting.

Example using httpRequest:

def payload = new groovy.json.JsonBuilder([
  content: "${status}: ${message}",
  embeds : [
    [
      title : 'Deployment Status',
      fields: [
        [name: 'Environment',       value: 'Stage', inline: true],
        [name: 'Pipeline Name',     value: env.JOB_NAME, inline: true],
        [name: 'Status',            value: status, inline: true],
        [name: 'Deployment Tag',    value: env.CODE_VERSION, inline: true],
        [name: 'Date and Time',     value: new Date().format('yyyy-MM-dd HH:mm:ss'), inline: true],
        [name: 'Pipeline Link',     value: "[Click here](${env.BUILD_URL})", inline: true],
      ]
    ]
  ]
]).toString()

httpRequest(
  httpMode    : 'POST',
  contentType : 'APPLICATION_JSON',
  requestBody : payload,
  url         : env.DISCORD_WEBHOOK_URL
)

This approach handles escaping, improves readability, and avoids brittle shell invocations.

🤖 Prompt for AI Agents

In Jenkinsfile lines 401 to 423, the current method builds a multiline JSON
string manually and sends it via a shell curl command, which risks breaking on
unescaped characters and is hard to maintain. Refactor the
sendDiscordNotification function to use Groovy's JsonBuilder to construct the
JSON payload and Jenkins' httpRequest step to send the POST request. This will
handle JSON escaping properly, improve readability, and avoid fragile shell
quoting issues.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (2)

Jenkinsfile (2)

404-423: Use JSON builder and Jenkins httpRequest for notifications
Building a multiline JSON string manually in a shell curl is brittle (escaping issues, leftover indentation) and may not interpolate variables correctly. Leverage Groovy’s JsonBuilder with Jenkins’ httpRequest step for safer, cleaner payload construction and delivery.

Example refactor:

def sendDiscordNotification(status, message) {
    withCredentials([string(credentialsId: 'WEBHOOK_URL', variable: 'DISCORD_WEBHOOK_URL')]) {
        def payload = new groovy.json.JsonBuilder([
            content: "${status}: ${message}",
            embeds: [
                [
                    title: 'Deployment Status',
                    fields: [
                        [name: 'Environment',    value: 'Stage',                         inline: true],
                        [name: 'Pipeline Name',  value: env.JOB_NAME,                    inline: true],
                        [name: 'Status',         value: status,                          inline: true],
                        [name: 'Deployment Tag', value: env.CODE_VERSION,                inline: true],
                        [name: 'Date and Time',  value: new Date().format('yyyy-MM-dd HH:mm:ss'), inline: true],
                        [name: 'Pipeline Link',  value: "[Click here](${env.BUILD_URL})", inline: true]
                    ]
                ]
            ]
        ]).toString()
        httpRequest(
            httpMode: 'POST',
            contentType: 'APPLICATION_JSON',
            requestBody: payload,
            url: DISCORD_WEBHOOK_URL
        )
    }
}

---

136-156: ⚠️ Potential issue

Avoid silencing critical vulnerability failures
The || true at the end of the Trivy scan command suppresses failures even on HIGH/CRITICAL vulnerabilities, potentially masking security regressions. Consider removing || true so the stage fails on critical issues, or capture the exit code to conditionally fail/report based on severity.

Example diff:

- aquasec/trivy image --no-progress --severity HIGH,CRITICAL --exit-code 1 ${image} || true
+ aquasec/trivy image --no-progress --severity HIGH,CRITICAL --exit-code 1 ${image}

🧹 Nitpick comments (2)

Jenkinsfile (2)

128-131: Consider defining DOCKER_USERNAME in the environment block
Assigning env.DOCKER_USERNAME inside the script block works, but it may be clearer to declare this credential-based variable at the pipeline-level environment section or reference ${username} directly when tagging. This makes the variable’s scope and intent more explicit.

---

215-223: Refine abort exception handling
Catching a generic Exception and matching on e.getMessage()?.contains('Rejected by') may not reliably detect user-initiated aborts or other interrupt scenarios. Instead, catch org.jenkinsci.plugins.workflow.steps.FlowInterruptedException for aborts and set currentBuild.result = 'ABORTED', reserving the generic catch for genuine failures.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 6b0a57a and a9df9f0.

📒 Files selected for processing (1)

• Jenkinsfile (7 hunks)

🔇 Additional comments (1)

Jenkinsfile (1)

119-124: Review branch gating removal
The when condition for the Build image stage is commented out, causing the image to build on every branch. Ensure this is intentional and won’t lead to unnecessary image builds for feature branches or PRs. If you intend to restrict builds to release branches, consider re-enabling or updating the when { branch pattern: ... } block.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

Jenkinsfile (2)

136-156: Enforce scan results for critical vulnerabilities

Currently you suppress Trivy exit codes with || true, so HIGH/CRITICAL findings won’t fail the build. It’s safer to surface critical issues by removing the || true suffix or handling the exit code explicitly.

---

421-443: Use Jenkins httpRequest and JsonBuilder for Discord payload

Building a multiline JSON string and invoking curl can lead to quoting issues and is harder to maintain. Leverage Groovy’s JsonBuilder and the httpRequest step:

def payload = new groovy.json.JsonBuilder([...]).toString()
httpRequest(
  httpMode: 'POST',
  url: env.DISCORD_WEBHOOK_URL,
  contentType: 'APPLICATION_JSON',
  requestBody: payload
)

This ensures proper escaping and better readability.

🧹 Nitpick comments (2)

Jenkinsfile (2)

128-129: Standardize Docker username usage

You assign env.DOCKER_USERNAME = username but then use ${env.DOCKER_USERNAME} for the build, whereas later you push with ${username} directly. To improve consistency and avoid confusion, consider using env.DOCKER_USERNAME everywhere.

---

245-248: Remove stale commented-out notification

The old sendDiscordNotification('SUCCESS', ...) call is commented out. Consider cleaning up this dead code to improve readability.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between a9df9f0 and 5e28bb0.

📒 Files selected for processing (1)

• Jenkinsfile (7 hunks)

🔇 Additional comments (1)

Jenkinsfile (1)

119-124: Confirm the commented-out branch condition is intentional

It looks like the when block filtering release/* branches was commented out. Please verify if you want to allow image builds on all branches or re-enable the branch pattern guard to avoid accidental builds.

[coderabbitai]

🛠️ Refactor suggestion

Refine exception handling around approval input

Catching all Exception and inspecting message strings can be brittle. Instead, catch FlowInterruptedException separately for user aborts, and fall back to a general catch for other errors:

import org.jenkinsci.plugins.workflow.steps.FlowInterruptedException

try {
    input ...
    proceed = true
} catch (FlowInterruptedException e) {
    sendDiscordNotification('ABORTED', ...)
    currentBuild.result = 'ABORTED'
    return
} catch (Exception e) {
    sendDiscordNotification('FAILED', ...)
    throw e
}

🤖 Prompt for AI Agents

In Jenkinsfile lines 190 to 204, improve exception handling by specifically
catching FlowInterruptedException instead of catching all Exceptions and
checking message strings. Import FlowInterruptedException, then use a try-catch
block where FlowInterruptedException is caught first to handle user aborts with
appropriate notifications and build status, followed by a general catch for
other exceptions to send failure notifications and rethrow the error.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (3)

Jenkinsfile (3)

190-204: Refine exception handling for approval input
Catching all Exception and inspecting message strings is brittle. You can explicitly catch FlowInterruptedException for user aborts, then fall back to a general catch for other errors:

import org.jenkinsci.plugins.workflow.steps.FlowInterruptedException

try {
    input message: 'Do you want to approve Staging deployment?', ok: 'Yes', submitter: '...'
    proceed = true
} catch (FlowInterruptedException e) {
    sendDiscordNotification('ABORTED', 'Deployment to Stage was aborted by user.')
    currentBuild.result = 'ABORTED'
    return
} catch (Exception e) {
    sendDiscordNotification('FAILED', "Deployment to Stage failed: ${e.message}")
    throw e
}

This approach is more maintainable and avoids fragile string checks.

---

136-156: ⚠️ Potential issue

Enforce Trivy scan failures on critical findings
Using || true silences all Trivy exit codes—even for HIGH/CRITICAL vulnerabilities—masking potential security issues. Consider removing || true so the pipeline fails on critical vulnerabilities:

-   aquasec/trivy image --no-progress --severity HIGH,CRITICAL --exit-code 1 ${image} || true
+   aquasec/trivy image --no-progress --severity HIGH,CRITICAL --exit-code 1 ${image}

Alternatively, capture and publish the scan report and still continue the pipeline.

---

410-432: 🛠️ Refactor suggestion

Use structured HTTP request instead of shell curl
Building JSON in a shell string can break on escaping. Consider using groovy.json.JsonOutput and the httpRequest step:

-def sendDiscordNotification(status, message) {
-    withCredentials([string(credentialsId: 'WEBHOOK_URL', variable: 'DISCORD_WEBHOOK_URL')]) {
-        def jsonMessage = """
-        { "content": "$status: $message", ... }
-        """
-        sh """curl -X POST -H 'Content-Type: application/json' -d '$jsonMessage' "\$DISCORD_WEBHOOK_URL" """
-    }
-}
+def sendDiscordNotification(status, message) {
+    withCredentials([string(credentialsId: 'WEBHOOK_URL', variable: 'WEBHOOK_URL')]) {
+        def payload = groovy.json.JsonOutput.toJson([
+            content: "${status}: ${message}",
+            embeds: [[
+                title : 'Deployment Status',
+                fields: [
+                    [name: 'Environment',    value: 'Stage',         inline: true],
+                    [name: 'Pipeline Name',  value: env.JOB_NAME,   inline: true],
+                    [name: 'Status',         value: status,         inline: true],
+                    [name: 'Deployment Tag', value: env.CODE_VERSION, inline: true],
+                    [name: 'Date and Time',  value: new Date().format('yyyy-MM-dd HH:mm:ss'), inline: true],
+                    [name: 'Pipeline Link',  value: "[Click here](${env.BUILD_URL})",     inline: true]
+                ]
+            ]]
+        ])
+        httpRequest(
+            httpMode:    'POST',
+            contentType: 'APPLICATION_JSON',
+            requestBody: payload,
+            url:         WEBHOOK_URL
+        )
+    }
+}

This handles quoting robustly and leverages Jenkins built-in steps.

🧹 Nitpick comments (1)

Jenkinsfile (1)

188-188: Remove commented-out input
The //input ... line is dead code now that you have the structured input block below. Removing it will improve readability.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between aa58110 and 7e4241d.

📒 Files selected for processing (1)

• Jenkinsfile (7 hunks)

🔇 Additional comments (5)

Jenkinsfile (5)

119-124: Restore or remove the commented branch filter for image builds
The commented when { branch pattern: ... } means the Docker image will build on every branch, which may be unintended. Consider reinstating the filter or removing this dead code to prevent unintentional image builds.

---

128-129: Good introduction of DOCKER_USERNAME
Assigning env.DOCKER_USERNAME dynamically from the credentials makes the build and push commands clearer and avoids hardcoding. This change looks solid.

---

231-231: Placement of success notification
Moving the sendDiscordNotification('SUCCESS', ...) inside the try block correctly ensures success is only reported when the deployment steps complete without error. Well done.

---

278-278: Explicit rollback notification
Emitting sendDiscordNotification('ABORTED', ...) during the rollback step clearly communicates that the staging rollback occurred. This is a helpful improvement.

---

282-286: Notify on unexpected failures in “WHAT IS THE NEXT STEP”
Adding a failure block with sendDiscordNotification('FAILED', ...) provides immediate feedback on errors in that stage. This is consistent with the rest of your post-condition notifications.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud