Pipeline Template Update

Background

Iron Bank has updated the container hardening pipeline to use a single template. This update allows code to select which template a given pipeline should use.

Previously, some users may have seen an issue when a project was meant to use a distroless parent image but the pipeline was formatted for another operating system. With this update, the pipeline uses a parent/child configuration, in which the parent determines which template the child pipeline should use.

Parent/Child Pipeline

Users will notice that the pipeline at first looks like it is missing stages. This is because the parent pipeline runs some initial linting jobs and then a script that finds the os-type the given pipeline is using. Once the os-type has been determined, the triggered pipeline will contain all of the stages and jobs users are accustomed to seeing.

Future Changes

The pipelines team will continue to refine the pipeline in an effort to improve stability and run time. One improvement will be to remove redundancy and shift as much left as possible. An example would be to run trufflehog once, in the parent pipeline, along with file validation and linting.

These changes will be rolled out as time permits, once they have been tested to ensure that this process creates no other issues.