other changes
This commit is contained in:
Elizabeth W
@@ -5,7 +5,7 @@ metadata:
|
||||
data:
|
||||
renovate.json: |
|
||||
{
|
||||
"extends": ["github>my-org/my-repo//renovate-preset"],
|
||||
"extends": [{{ .Values.preset | quote }}],
|
||||
"onboarding": false,
|
||||
"platform": "github",
|
||||
"repositories": {{ toJson .Values.repositories }}
|
||||
|
||||
@@ -4,4 +4,5 @@ image:
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
schedule: "0 * * * *"
|
||||
preset: "github>my-org/my-repo//renovate-preset"
|
||||
repositories: []
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
{{- if .Values.pipeline.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: ClusterWorkflowTemplate
|
||||
metadata:
|
||||
@@ -47,21 +48,11 @@ spec:
|
||||
value: "{{workflow.parameters.fail-on-cvss}}"
|
||||
- name: upload-storage
|
||||
dependencies:
|
||||
- scan-trufflehog
|
||||
- scan-semgrep
|
||||
- scan-kics
|
||||
- scan-socketdev
|
||||
- scan-syft-grype
|
||||
- scan-crossguard
|
||||
- scanners
|
||||
template: upload-storage
|
||||
- name: upload-defectdojo
|
||||
dependencies:
|
||||
- scan-trufflehog
|
||||
- scan-semgrep
|
||||
- scan-kics
|
||||
- scan-socketdev
|
||||
- scan-syft-grype
|
||||
- scan-crossguard
|
||||
- scanners
|
||||
template: upload-defectdojo
|
||||
- name: enforce-policy
|
||||
dependencies:
|
||||
@@ -76,54 +67,6 @@ spec:
|
||||
dependencies:
|
||||
- scanners
|
||||
template: sinks-and-enforcement
|
||||
- name: scan-trufflehog
|
||||
dependencies:
|
||||
- clone
|
||||
template: scan-trufflehog
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: "{{workflow.parameters.working-dir}}"
|
||||
- name: scan-semgrep
|
||||
dependencies:
|
||||
- clone
|
||||
template: scan-semgrep
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: "{{workflow.parameters.working-dir}}"
|
||||
- name: scan-kics
|
||||
dependencies:
|
||||
- clone
|
||||
template: scan-kics
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: "{{workflow.parameters.working-dir}}"
|
||||
- name: scan-socketdev
|
||||
dependencies:
|
||||
- clone
|
||||
template: scan-socketdev
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: "{{workflow.parameters.working-dir}}"
|
||||
- name: scan-syft-grype
|
||||
dependencies:
|
||||
- clone
|
||||
template: scan-syft-grype
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: "{{workflow.parameters.working-dir}}"
|
||||
- name: scan-crossguard
|
||||
dependencies:
|
||||
- clone
|
||||
template: scan-crossguard
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: "{{workflow.parameters.working-dir}}"
|
||||
- name: clone-repo
|
||||
inputs:
|
||||
parameters:
|
||||
@@ -148,39 +91,60 @@ spec:
|
||||
tasks:
|
||||
- name: trufflehog
|
||||
template: scan-trufflehog
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: "{{inputs.parameters.working-dir}}"
|
||||
- name: semgrep
|
||||
template: scan-semgrep
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: "{{inputs.parameters.working-dir}}"
|
||||
- name: kics
|
||||
template: scan-kics
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: "{{inputs.parameters.working-dir}}"
|
||||
- name: socketdev
|
||||
template: scan-socketdev
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: "{{inputs.parameters.working-dir}}"
|
||||
- name: syft-grype
|
||||
template: scan-syft-grype
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: "{{inputs.parameters.working-dir}}"
|
||||
- name: defectdojo
|
||||
template: scan-crossguard
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: "{{inputs.parameters.working-dir}}"
|
||||
- name: sinks-and-enforcement
|
||||
container:
|
||||
image: alpine:3.20
|
||||
image: curlimages/curl:latest
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
args:
|
||||
- echo "stub: sinks and enforcement"
|
||||
- name: scan-trufflehog
|
||||
template: scan-trufflehog
|
||||
- name: scan-semgrep
|
||||
template: scan-semgrep
|
||||
- name: scan-kics
|
||||
template: scan-kics
|
||||
- name: scan-socketdev
|
||||
template: scan-socketdev
|
||||
- name: scan-syft-grype
|
||||
template: scan-syft-grype
|
||||
- name: scan-crossguard
|
||||
template: scan-crossguard
|
||||
- name: upload-storage
|
||||
template: upload-storage
|
||||
- name: upload-defectdojo
|
||||
template: upload-defectdojo
|
||||
- name: enforce-policy
|
||||
template: enforce-policy
|
||||
- |
|
||||
set -eu
|
||||
echo "Pipeline complete. You can configure a webhook notification here."
|
||||
if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then
|
||||
curl -X POST -H 'Content-type: application/json' --data '{"text":"Security Pipeline Finished"}' "${SLACK_WEBHOOK_URL}" || true
|
||||
fi
|
||||
{{ include "template.scan-syft-grype" . | indent 4 }}
|
||||
{{ include "template.scan-socketdev" . | indent 4 }}
|
||||
{{ include "template.scan-crossguard" . | indent 4 }}
|
||||
{{ include "template.scan-semgrep" . | indent 4 }}
|
||||
{{ include "template.scan-trufflehog" . | indent 4 }}
|
||||
{{ include "template.scan-kics" . | indent 4 }}
|
||||
{{ include "template.upload-defectdojo" . | indent 4 }}
|
||||
{{ include "template.upload-storage" . | indent 4 }}
|
||||
{{ include "template.enforce-policy" . | indent 4 }}
|
||||
{{- end }}
|
||||
|
||||
@@ -1,88 +0,0 @@
|
||||
{{- if .Values.pipeline.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: ClusterWorkflowTemplate
|
||||
metadata:
|
||||
name: amp-security-pipeline-v1.0.0
|
||||
spec:
|
||||
templates:
|
||||
- name: enforce-policy
|
||||
inputs:
|
||||
parameters:
|
||||
- name: fail-on-cvss
|
||||
container:
|
||||
image: python:3.12-alpine
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
args:
|
||||
- |
|
||||
set -eu
|
||||
python - <<'PY'
|
||||
import json
|
||||
import os
|
||||
import pathlib
|
||||
import sys
|
||||
|
||||
threshold = float(os.environ["FAIL_ON_CVSS"])
|
||||
reports_dir = pathlib.Path("/workspace/reports")
|
||||
findings = []
|
||||
|
||||
for report in sorted(reports_dir.iterdir()):
|
||||
if not report.is_file():
|
||||
continue
|
||||
text = report.read_text(errors="ignore")
|
||||
if report.suffix == ".sarif":
|
||||
try:
|
||||
data = json.loads(text)
|
||||
except json.JSONDecodeError:
|
||||
continue
|
||||
for run in data.get("runs", []):
|
||||
for result in run.get("results", []):
|
||||
for fix in result.get("properties", {}).get("security-severity", []):
|
||||
pass
|
||||
for level in result.get("properties", {}).values():
|
||||
pass
|
||||
for prop in [result.get("properties", {}), result.get("taxa", [])]:
|
||||
pass
|
||||
for region in result.get("locations", []):
|
||||
pass
|
||||
sev = result.get("properties", {}).get("security-severity")
|
||||
if sev is None:
|
||||
continue
|
||||
try:
|
||||
score = float(sev)
|
||||
except (TypeError, ValueError):
|
||||
continue
|
||||
if score >= threshold:
|
||||
findings.append((report.name, score))
|
||||
elif report.suffix == ".json":
|
||||
try:
|
||||
data = json.loads(text)
|
||||
except json.JSONDecodeError:
|
||||
continue
|
||||
if isinstance(data, dict):
|
||||
for item in data.get("findings", data.get("vulnerabilities", [])):
|
||||
score = item.get("cvss") or item.get("score")
|
||||
if score is None:
|
||||
continue
|
||||
try:
|
||||
score = float(score)
|
||||
except (TypeError, ValueError):
|
||||
continue
|
||||
if score >= threshold:
|
||||
findings.append((report.name, score))
|
||||
|
||||
if findings:
|
||||
for name, score in findings:
|
||||
print(f"{name}: CVSS {score} >= {threshold}", file=sys.stderr)
|
||||
raise SystemExit(1)
|
||||
|
||||
print(f"No findings met or exceeded CVSS {threshold}")
|
||||
PY
|
||||
env:
|
||||
- name: FAIL_ON_CVSS
|
||||
value: "{{inputs.parameters.fail-on-cvss}}"
|
||||
volumeMounts:
|
||||
- name: workspace
|
||||
mountPath: /workspace
|
||||
{{- end }}
|
||||
Reference in New Issue
Block a user