ada/agentguard-ci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

other changes

Browse Source
This commit is contained in:
Elizabeth W
2026-04-20 01:25:44 -06:00
parent 38ff2f4fde
commit 1036fce55e
11 changed files with 2035 additions and 171 deletions
Download Patch File Download Diff File Expand all files Collapse all files
helm/templates/clusterworkflowtemplate.yaml
+44 -80
View File
@@ -1,3 +1,4 @@
{{- if .Values.pipeline.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
@@ -47,21 +48,11 @@ spec:
value: "{{workflow.parameters.fail-on-cvss}}"
- name: upload-storage
dependencies:
- scan-trufflehog
- scan-semgrep
- scan-kics
- scan-socketdev
- scan-syft-grype
- scan-crossguard
- scanners
template: upload-storage
- name: upload-defectdojo
dependencies:
- scan-trufflehog
- scan-semgrep
- scan-kics
- scan-socketdev
- scan-syft-grype
- scan-crossguard
- scanners
template: upload-defectdojo
- name: enforce-policy
dependencies:
@@ -76,54 +67,6 @@ spec:
dependencies:
- scanners
template: sinks-and-enforcement
- name: scan-trufflehog
dependencies:
- clone
template: scan-trufflehog
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: scan-semgrep
dependencies:
- clone
template: scan-semgrep
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: scan-kics
dependencies:
- clone
template: scan-kics
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: scan-socketdev
dependencies:
- clone
template: scan-socketdev
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: scan-syft-grype
dependencies:
- clone
template: scan-syft-grype
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: scan-crossguard
dependencies:
- clone
template: scan-crossguard
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: clone-repo
inputs:
parameters:
@@ -148,39 +91,60 @@ spec:
tasks:
- name: trufflehog
template: scan-trufflehog
arguments:
parameters:
- name: working-dir
value: "{{inputs.parameters.working-dir}}"
- name: semgrep
template: scan-semgrep
arguments:
parameters:
- name: working-dir
value: "{{inputs.parameters.working-dir}}"
- name: kics
template: scan-kics
arguments:
parameters:
- name: working-dir
value: "{{inputs.parameters.working-dir}}"
- name: socketdev
template: scan-socketdev
arguments:
parameters:
- name: working-dir
value: "{{inputs.parameters.working-dir}}"
- name: syft-grype
template: scan-syft-grype
arguments:
parameters:
- name: working-dir
value: "{{inputs.parameters.working-dir}}"
- name: defectdojo
template: scan-crossguard
arguments:
parameters:
- name: working-dir
value: "{{inputs.parameters.working-dir}}"
- name: sinks-and-enforcement
container:
image: alpine:3.20
image: curlimages/curl:latest
command:
- sh
- -c
args:
- echo "stub: sinks and enforcement"
- name: scan-trufflehog
template: scan-trufflehog
- name: scan-semgrep
template: scan-semgrep
- name: scan-kics
template: scan-kics
- name: scan-socketdev
template: scan-socketdev
- name: scan-syft-grype
template: scan-syft-grype
- name: scan-crossguard
template: scan-crossguard
- name: upload-storage
template: upload-storage
- name: upload-defectdojo
template: upload-defectdojo
- name: enforce-policy
template: enforce-policy
- |
set -eu
echo "Pipeline complete. You can configure a webhook notification here."
if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then
curl -X POST -H 'Content-type: application/json' --data '{"text":"Security Pipeline Finished"}' "${SLACK_WEBHOOK_URL}" || true
fi
{{ include "template.scan-syft-grype" . | indent 4 }}
{{ include "template.scan-socketdev" . | indent 4 }}
{{ include "template.scan-crossguard" . | indent 4 }}
{{ include "template.scan-semgrep" . | indent 4 }}
{{ include "template.scan-trufflehog" . | indent 4 }}
{{ include "template.scan-kics" . | indent 4 }}
{{ include "template.upload-defectdojo" . | indent 4 }}
{{ include "template.upload-storage" . | indent 4 }}
{{ include "template.enforce-policy" . | indent 4 }}
{{- end }}
helm/templates/enforce-policy.yaml
-88
View File
@@ -1,88 +0,0 @@
{{- if .Values.pipeline.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
name: amp-security-pipeline-v1.0.0
spec:
templates:
- name: enforce-policy
inputs:
parameters:
- name: fail-on-cvss
container:
image: python:3.12-alpine
command:
- sh
- -c
args:
- |
set -eu
python - <<'PY'
import json
import os
import pathlib
import sys
threshold = float(os.environ["FAIL_ON_CVSS"])
reports_dir = pathlib.Path("/workspace/reports")
findings = []
for report in sorted(reports_dir.iterdir()):
if not report.is_file():
continue
text = report.read_text(errors="ignore")
if report.suffix == ".sarif":
try:
data = json.loads(text)
except json.JSONDecodeError:
continue
for run in data.get("runs", []):
for result in run.get("results", []):
for fix in result.get("properties", {}).get("security-severity", []):
pass
for level in result.get("properties", {}).values():
pass
for prop in [result.get("properties", {}), result.get("taxa", [])]:
pass
for region in result.get("locations", []):
pass
sev = result.get("properties", {}).get("security-severity")
if sev is None:
continue
try:
score = float(sev)
except (TypeError, ValueError):
continue
if score >= threshold:
findings.append((report.name, score))
elif report.suffix == ".json":
try:
data = json.loads(text)
except json.JSONDecodeError:
continue
if isinstance(data, dict):
for item in data.get("findings", data.get("vulnerabilities", [])):
score = item.get("cvss") or item.get("score")
if score is None:
continue
try:
score = float(score)
except (TypeError, ValueError):
continue
if score >= threshold:
findings.append((report.name, score))
if findings:
for name, score in findings:
print(f"{name}: CVSS {score} >= {threshold}", file=sys.stderr)
raise SystemExit(1)
print(f"No findings met or exceeded CVSS {threshold}")
PY
env:
- name: FAIL_ON_CVSS
value: "{{inputs.parameters.fail-on-cvss}}"
volumeMounts:
- name: workspace
mountPath: /workspace
{{- end }}