conjur-cli 6.2.1 → 6.2.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d0520b947529d571863374704ce0b613a07b6e63fa1e9cb37932e0d254e17353
-  data.tar.gz: 490b04289eb77fdbb1c7d56fc317ac6266111af4cde3fb6a655c92e48cf50cf3
+  metadata.gz: e1e8bd9b3f0492516bb7636d952ef5b9d8019aecedf93b4cb32ca0060417dd06
+  data.tar.gz: 0c51275a1eab0e47724036a0ddcf76e55eac4b9298c703b85ad0393346ac597a
 SHA512:
-  metadata.gz: 726d627c741a1a7ae611316dd482e6b2d6633e8d193fef1879f1acd5d8a86e68f8f5a0e5f0d6679085b7f15a86930a2a747c6a43c307ebedcd31494d52b1714e
-  data.tar.gz: 0424f34f72f7b625270eb42cbfe432160ab4a063a2600d82b7a8efe51d07df5e95a42d85b5dc3138d4074e63d2e28b8fc2a448d6c6ffe61f1715cd477269b2a2
+  metadata.gz: 9f8a5b7f4e9030008e7557e9c68ec661f4d03ee9a17ce78e59c806ca4fa71e99746f700630ec397e0066e6b0519e95e6c951583621d93d6ae1cf70a27db23303
+  data.tar.gz: 8f541da5d129e2e6ba4a0ac3e544b595041c4708d258708f8914ea4c6fdf37218f651a9d4fc022578dbee15d81e077c8745c105d57392c61bbfa1916261e1cd3

data/.github/CODEOWNERS

@@ -0,0 +1,10 @@
+* @cyberark/community-and-integrations-team @conjurinc/community-and-integrations-team @conjurdemos/community-and-integrations-team
+
+# Changes to .trivyignore require Security Architect approval
+.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
+
+# Changes to .codeclimate.yml require Quality Architect approval
+.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects
+
+# Changes to SECURITY.md require Security Architect approval
+SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects

data/.github/ISSUE_TEMPLATE/bug.md

@@ -0,0 +1,42 @@
+---
+name: Bug
+about: Create a bug report to help us improve
+title: ''
+labels: component/cli, kind/bug
+assignees: ''
+
+---
+
+## Summary
+A clear and concise description of what the bug is.
+
+## Steps to Reproduce
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+## Expected Results
+A clear and concise description of what you expected to happen.
+
+## Actual Results (including error logs, if applicable)
+A clear and concise description of what actually did happen.
+
+## Reproducible
+   * [ ] Always 
+   * [ ] Sometimes
+   * [ ] Non-Reproducible
+   
+## Version/Tag number
+What version of the product are you running? Any version info that you can share is helpful. 
+For example, you might give the version from Docker logs, the Docker tag, a specific download URL, 
+the output of the `/info` route, etc.
+
+## Environment setup
+Can you describe the environment in which this product is running? Is it running on a VM / in a container / in a cloud? 
+Which cloud provider? Which container orchestrator (including version)? 
+The more info you can share about your runtime environment, the better we may be able to reproduce the issue.
+
+## Additional Information
+Add any other context about the problem here.

data/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,27 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: kind/enhancement, component/cli
+assignees: ''
+
+---
+
+## Is your feature request related to a problem? Please describe.
+
+A clear and concise description of what the problem is. Ex. `I would like to see [...] because [...]`.
+Please include the intended use case and what the feature would improve on so that we can prioritize
+the feature accordingly.
+
+## Describe the solution you would like
+
+A clear and concise description of what the desired end result(s) would be.
+
+## Describe alternatives you have considered
+
+A clear and concise description of any alternative solutions or features that may be related to this that
+you have considered.
+
+## Additional context
+
+Add any other context information about the feature request here.

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,21 @@
+### What does this PR do?
+- _What's changed? Why were these changes made?_
+- _How should the reviewer approach this PR, especially if manual tests are required?_
+- _Are there relevant screenshots you can add to the PR description?_
+
+### What ticket does this PR close?
+Resolves #[relevant GitHub issues, eg 76]
+
+### Checklists
+
+#### Change log
+- [ ] The CHANGELOG has been updated, or
+- [ ] This PR does not include user-facing changes and doesn't require a CHANGELOG update
+
+#### Test coverage
+- [ ] This PR includes new unit and integration tests to go with the code changes, or
+- [ ] The changes in this PR do not require tests
+
+#### Documentation
+- [ ] Docs (e.g. `README`s) were updated in this PR, and/or there is a follow-on issue to update docs, or
+- [ ] This PR does not require updating any documentation

data/.gitleaks.toml

@@ -0,0 +1,216 @@
+title = "Secretless Broker gitleaks config"
+
+# This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
+# If GITLEAKS_CONFIG environment variable
+# is set, gitleaks will load configurations from that path. If option --config-path is set, gitleaks will load
+# configurations from that path. Gitleaks does not whitelist anything by default.
+# - https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf
+# - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+[[rules]]
+description = "AWS Client ID"
+regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS Secret Key"
+regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS MWS key"
+regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+tags = ["key", "AWS", "MWS"]
+
+[[rules]]
+description = "PKCS8"
+regex = '''-----BEGIN PRIVATE KEY-----'''
+tags = ["key", "PKCS8"]
+
+[[rules]]
+description = "RSA"
+regex = '''-----BEGIN RSA PRIVATE KEY-----'''
+tags = ["key", "RSA"]
+
+[[rules]]
+description = "SSH"
+regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
+tags = ["key", "SSH"]
+
+[[rules]]
+description = "PGP"
+regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''
+tags = ["key", "PGP"]
+
+[[rules]]
+description = "Facebook Secret Key"
+regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook Client ID"
+regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook access token"
+regex = '''EAACEdEose0cBA[0-9A-Za-z]+'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Twitter Secret Key"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
+tags = ["key", "Twitter"]
+
+[[rules]]
+description = "Twitter Client ID"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "Github"
+regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
+tags = ["key", "Github"]
+
+[[rules]]
+description = "LinkedIn Client ID"
+regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "LinkedIn Secret Key"
+regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
+tags = ["secret", "Twitter"]
+
+[[rules]]
+description = "Slack"
+regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+tags = ["key", "Slack"]
+
+[[rules]]
+description = "EC"
+regex = '''-----BEGIN EC PRIVATE KEY-----'''
+tags = ["key", "EC"]
+
+[[rules]]
+description = "Generic API key"
+regex = '''(?i)(api_key|apikey)(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "API", "generic"]
+
+[[rules]]
+description = "Generic Secret"
+regex = '''(?i)secret(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "Secret", "generic"]
+
+[[rules]]
+description = "Google API key"
+regex = '''AIza[0-9A-Za-z\\-_]{35}'''
+tags = ["key", "Google"]
+
+[[rules]]
+description = "Google Cloud Platform API key"
+regex = '''(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\"][AIza[0-9a-z\\-_]{35}]['\"]'''
+tags = ["key", "Google", "GCP"]
+
+[[rules]]
+description = "Google OAuth"
+regex = '''(?i)(google|gcp|auth)(.{0,20})?['"][0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com['"]'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Google OAuth access token"
+regex = '''ya29\.[0-9A-Za-z\-_]+'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Heroku API key"
+regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
+tags = ["key", "Heroku"]
+
+[[rules]]
+description = "MailChimp API key"
+regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
+tags = ["key", "Mailchimp"]
+
+[[rules]]
+description = "Mailgun API key"
+regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
+tags = ["key", "Mailgun"]
+
+[[rules]]
+description = "Password in URL"
+regex = '''[a-zA-Z]{3,10}:\/\/[^\/\s:@]{3,20}:[^\/\s:@]{3,20}@.{1,100}\/?.?'''
+tags = ["key", "URL", "generic"]
+
+[[rules]]
+description = "PayPal Braintree access token"
+regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
+tags = ["key", "Paypal"]
+
+[[rules]]
+description = "Picatic API key"
+regex = '''sk_live_[0-9a-z]{32}'''
+tags = ["key", "Picatic"]
+
+[[rules]]
+description = "Slack Webhook"
+regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
+tags = ["key", "slack"]
+
+[[rules]]
+description = "Stripe API key"
+regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
+tags = ["key", "Stripe"]
+
+[[rules]]
+description = "Square access token"
+regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Square OAuth secret"
+regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Twilio API key"
+regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "twilio"]
+
+[whitelist]
+files = [
+#  "(.*?)(jpg|gif|doc|pdf|bin)$",
+  ".gitleaks.toml"
+]
+regexes = [
+  "3a4rb19rpjejr89h6r29kd2fb3808cpy" # sample host API key in test data
+]
+
+# Additional Examples
+
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = [
+#     "4.1-4.3",
+#     "5.5-6.3",
+# ]
+# entropyROI = "line"
+# filetypes = [".go", ".py", ".c"]
+# tags = ["key"]
+# severity = "8"
+#
+#
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = ["4.1-4.3"]
+# filetypes = [".gee"]
+# entropyROI = "line"
+# tags = ["key"]
+# severity = "medium"
+
+# [[rules]]
+# description = "Any pem file"
+# filetypes = [".key"]
+# tags = ["pem"]
+# severity = "high"

data/CHANGELOG.md

@@ -1,34 +1,75 @@
-# 6.2.1
+# Changelog
+All notable changes to this project will be documented in this file.
 
-* Pin to xdg gem v2.2.3 due to a [crashing CLI](https://github.com/cyberark/conjur-cli/issues/243).
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-# 6.2.0
+## [Unreleased]
 
-* Add `ldap-sync` subcommand.
+## [6.2.5] - 2021-09-29
 
-# 6.1.1
+### Fixed
+- Upgraded `highline` dependency to fix deprecation warning.
+  [cyberark/conjur-cli#330](https://github.com/cyberark/conjur-cli/pull/330)
 
-* No longer displaying error stack traces by default when an exception occurs duing CLI
-  initialization (e.g when trying to open a missing conjur certificate file). Stack traces
-  can be enabled for all errors in the CLI by setting the environment variable `GLI_DEBUG=true`.
+## [6.2.4] - 2021-07-01
+### Changed
+- Upgraded `conjur-api` dependency to 5.3.5.
+  [cyberark/conjur-cli#310](https://github.com/cyberark/conjur-cli/issues/310)
 
-# [6.1.0](https://github.com/cyberark/conjur-cli/releases/tag/v6.1.0)
+## [6.2.3] - 2020-12-22
+### Fixed
+- The Conjur CLI now raises a proper error when trying to rotate a non-existing
+  user's API key.
+  [cyberark/conjur#979](https://github.com/cyberark/conjur/issues/979)
 
-* Pin dependency 'conjur-api' to '~> 5.1'. This update adds authn-local support to the API. [conjur-api PR #131](https://github.com/cyberark/conjur-api-ruby/pull/131)
+## [6.2.2] - 2020-04-02
+### Changed
+- Docker image updated to flatten to a single layer and reduce the image
+  size ([cyberark/conjur-cli#253](https://github.com/cyberark/conjur-cli/issues/253))
 
-# [6.0.1](https://github.com/cyberark/conjur-cli/releases/tag/v6.0.1)
+### Fixed
+- CLI image is only updated in DockerHub when the project has a new tag
+  ([cyberark/conjur-cli#270](https://github.com/cyberark/conjur-cli/issues/270))
 
-* Pushes to `cyberark/conjur-cli:5` on DockerHub when tests pass
-* Use SNI when fetching certificate with `conjur init`.
-* Correctly specify dependency versions in gemspec.
-* Allow ActiveSupport v5 as a dependency.
+### Security
+- Update rake for CVE-2020-8130 ([cyberark/conjur-cli#263](https://github.com/cyberark/conjur-cli/issues/263))
 
-# [6.0.0](https://github.com/cyberark/conjur-cli/releases/tag/v6.0.0)
+## [6.2.1] - 2019-05-22
+### Added
+- Pin to xdg gem v2.2.3 due to a [crashing CLI](https://github.com/cyberark/conjur-cli/issues/243).
 
-* Provides compatibility with [cyberark/conjur](https://github.com/cyberark/conjur), Conjur 5 CE.
-* License changed to Apache 2.0.
-* **Codebase forked: for changes to the 5.x (API [v4][v4-branch]) series, see
-  [CHANGELOG in `v4` branch][v4-changelog]**
+## 6.2.0 - 2018-06-22
+### Added
+- Add `ldap-sync` subcommand.
 
-[v4-branch]: https://github.com/cyberark/conjur-cli/tree/v4
-[v4-changelog]: https://github.com/cyberark/conjur-cli/blob/v4/CHANGELOG.md
+## 6.1.1 - 0000-00-00
+### Added
+- No longer displaying error stack traces by default when an exception occurs duing CLI initialization (e.g when trying to open a missing conjur certificate file). Stack traces can be enabled for all errors in the CLI by setting the environment variable `GLI_DEBUG=true`.
+
+## [6.1.0] - 2018-04-09
+### Added
+- Pin dependency 'conjur-api' to '~> 5.1'. This update adds authn-local support to the API. [conjur-api PR #131](https://github.com/cyberark/conjur-api-ruby/pull/131)
+
+## [6.0.1] - 2018-04-09
+### Added
+- Pushes to `cyberark/conjur-cli:5` on DockerHub when tests pass
+- Use SNI when fetching certificate with `conjur init`.
+- Correctly specify dependency versions in gemspec.
+- Allow ActiveSupport v5 as a dependency.
+
+## [6.0.0] - 2017-10-13
+### Added
+- Provides compatibility with [cyberark/conjur](https://github.com/cyberark/conjur), Conjur 5 CE.
+- License changed to Apache 2.0.
+- **Codebase forked: for changes to the 5.x (API [v4](https://github.com/cyberark/conjur-cli/tree/v4)) series, see
+  [CHANGELOG in `v4` branch][v4-changelog](https://github.com/cyberark/conjur-cli/blob/v4/CHANGELOG.md)**
+
+[Unreleased]: https://github.com/cyberark/conjur-cli/compare/v6.2.4...HEAD
+[6.2.4]: https://github.com/cyberark/conjur-cli/compare/v6.2.3...v6.2.4
+[6.2.3]: https://github.com/cyberark/conjur-cli/compare/v6.2.2...v6.2.3
+[6.2.2]: https://github.com/cyberark/conjur-cli/compare/v6.2.1...v6.2.2
+[6.2.1]: https://github.com/cyberark/conjur-cli/compare/v6.2.0...v6.2.1
+[6.1.0]: https://github.com/cyberark/conjur-cli/compare/v6.0.1...v6.1.0
+[6.0.1]: https://github.com/cyberark/conjur-cli/compare/v6.0.0...v6.0.1
+[6.0.0]: https://github.com/cyberark/conjur-cli/compare/v5.6.6...v6.0.0

data/CONTRIBUTING.md

@@ -0,0 +1,81 @@
+# Contributing
+
+For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community).
+
+## Contributing
+
+1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
+2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository)
+3. Make local changes to your fork by editing files
+3. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line)
+4. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository)
+5. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork)
+
+From here your pull request will be reviewed and once you've responded to all
+feedback it will be merged into the project. Congratulations, you're a
+contributor!
+
+## Development
+
+Create a sandbox environment in Docker using the `./dev` folder:
+
+```sh-session
+$ cd dev
+dev $ ./start.sh
+```
+
+This will drop you into a bash shell in a container called `cli`.
+
+The sandbox also includes a Postgres container and Conjur server container. The
+environment is already setup to connect the CLI to the server:
+
+* **CONJUR_APPLIANCE_URL** `http://conjur`
+* **CONJUR_ACCOUNT** `cucumber`
+
+To login to conjur, type the following and you'll be prompted for a password:
+
+```sh-session
+root@2b5f618dfdcb:/# conjur authn login admin
+Please enter admin's password (it will not be echoed):
+```
+
+The required password is the API key at the end of the output from the
+`start.sh` script.  It looks like this:
+
+```
+=============== LOGIN WITH THESE CREDENTIALS ===============
+
+username: admin
+api key : 9j113d35wag023rq7tnv201rsym1jg4pev1t1nb4419767ms1cnq00n
+
+============================================================
+```
+
+At this point, you can use any CLI command you like.
+
+## Running Cucumber
+
+To install dev packages, run `bundle` from within the container:
+
+```sh-session
+root@2b5f618dfdcb:/# cd /usr/src/cli-ruby/
+root@2b5f618dfdcb:/usr/src/cli-ruby# bundle
+```
+
+Then you can run the cucumber tests:
+
+```sh-session
+root@2b5f618dfdcb:/usr/src/cli-ruby# cucumber
+...
+```
+
+## Releasing
+
+To create a new release, follow the instructions in our general release
+guidelines [here](https://github.com/cyberark/community/blob/main/Conjur/CONTRIBUTING.md#release-process).
+
+Note: this project documents the version in two places:
+- The [VERSION](./VERSION) file
+- In [`lib/conjur/version.rb`](./lib/conjur/version.rb)
+
+Both version files must be updated when this project is preparing for a release.

data/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-#ruby=ruby-2.2.5
+#ruby=ruby-2.7.0
 #ruby-gemset=conjur-cli
 
 # Specify your gem's dependencies in conjur.gemspec

data/Jenkinsfile

@@ -13,13 +13,16 @@ pipeline {
   }
 
   stages {
-    stage('Test 2.4') {
-      environment {
-        RUBY_VERSION = '2.4'
-      }
+    stage('Validate Changelog') {
+      steps { sh './bin/parse-changelog.sh' }
+    }
+
+    stage('Prepare CC Report Dir'){
       steps {
-        sh './test.sh'
-        junit 'spec/reports/*.xml, features/reports/*.xml'
+        script {
+          ccCoverage.dockerPrep()
+          sh 'mkdir -p coverage'
+        }
       }
     }
 
@@ -27,9 +30,15 @@ pipeline {
       environment {
         RUBY_VERSION = '2.5'
       }
+
       steps {
         sh './test.sh'
-        junit 'spec/reports/*.xml, features/reports/*.xml'
+      }
+
+      post {
+        always {
+          junit 'spec/reports/*.xml, features/reports/*.xml'
+        }
       }
     }
 
@@ -37,9 +46,44 @@ pipeline {
       environment {
         RUBY_VERSION = '2.6'
       }
+
+      steps {
+        sh './test.sh'
+      }
+
+      post {
+        always {
+          junit 'spec/reports/*.xml, features/reports/*.xml'
+        }
+      }
+    }
+
+    stage('Test 2.7') {
+      environment {
+        RUBY_VERSION = '2.7'
+      }
+
       steps {
         sh './test.sh'
-        junit 'spec/reports/*.xml, features/reports/*.xml'
+      }
+
+      post {
+        always {
+          junit 'spec/reports/*.xml, features/reports/*.xml'
+        }
+      }
+    }
+
+    stage('Submit Coverage Report'){
+      steps{
+        sh 'ci/submit-coverage'
+        publishHTML([reportDir: 'coverage', reportFiles: 'index.html', reportName: 'Coverage Report', reportTitles: '', allowMissing: false, alwaysLinkToLastBuild: true, keepAll: true])
+      }
+
+      post {
+        always {
+          archiveArtifacts artifacts: "coverage/.resultset.json", fingerprint: false
+        }
       }
     }
 
@@ -49,10 +93,23 @@ pipeline {
       }
     }
 
-    stage('Push standalone image to DockerHub') {
-      when {
-        branch 'master'
+    stage('Scan Docker image') {
+      parallel {
+        stage('Scan Docker image for fixable vulns') {
+          steps {
+            scanAndReport("cyberark/conjur-cli:latest", "HIGH", false)
+          }
+        }
+        stage('Scan Docker image for total vulns') {
+          steps {
+            scanAndReport("cyberark/conjur-cli:latest", "NONE", true)
+          }
+        }
       }
+    }
+
+    stage('Push standalone image to DockerHub') {
+      when { tag "v*" }
 
       steps {
         sh './push-image'
@@ -62,15 +119,9 @@ pipeline {
     // Only publish to RubyGems if the HEAD is
     // tagged with the same version as in version.rb
     stage('Publish to RubyGems') {
-      agent { label 'releaser-v2' }
-
       when {
         expression { currentBuild.resultIsBetterOrEqualTo('SUCCESS') }
-        branch "master"
-        expression {
-          def exitCode = sh returnStatus: true, script: './needs-publishing'
-          return exitCode == 0
-        }
+        tag "v*"
       }
 
       steps {