From 251070dd77dc449d1381ac3dfe104cf09ec3c119 Mon Sep 17 00:00:00 2001
From: Elizabeth W
Date: Mon, 20 Apr 2026 01:23:13 -0600
Subject: [PATCH] rename componenets
---
 helm/templates/_enforce-policy.yaml | 17 ++++++++
 ...-crossguard.yaml => _scan-crossguard.yaml} | 10 +----
 .../{scan-kics.yaml => _scan-kics.yaml} | 10 +----
 .../{scan-semgrep.yaml => _scan-semgrep.yaml} | 10 +----
 ...an-socketdev.yaml => _scan-socketdev.yaml} | 10 +----
 ...-syft-grype.yaml => _scan-syft-grype.yaml} | 10 +----
 helm/templates/_scan-trufflehog.yaml | 16 ++++++++
 helm/templates/_upload-defectdojo.yaml | 22 +++++++++++
 helm/templates/_upload-storage.yaml | 39 +++++++++++++++++++
 helm/templates/scan-trufflehog.yaml | 19 ---------
 10 files changed, 104 insertions(+), 59 deletions(-)
 create mode 100644 helm/templates/_enforce-policy.yaml
 rename helm/templates/{scan-crossguard.yaml => _scan-crossguard.yaml} (83%)
 rename helm/templates/{scan-kics.yaml => _scan-kics.yaml} (77%)
 rename helm/templates/{scan-semgrep.yaml => _scan-semgrep.yaml} (67%)
 rename helm/templates/{scan-socketdev.yaml => _scan-socketdev.yaml} (75%)
 rename helm/templates/{scan-syft-grype.yaml => _scan-syft-grype.yaml} (70%)
 create mode 100644 helm/templates/_scan-trufflehog.yaml
 create mode 100644 helm/templates/_upload-defectdojo.yaml
 create mode 100644 helm/templates/_upload-storage.yaml
 delete mode 100644 helm/templates/scan-trufflehog.yaml
diff --git a/helm/templates/_enforce-policy.yaml b/helm/templates/_enforce-policy.yaml
new file mode 100644
index 0000000..7b3fc16
--- /dev/null
+++ b/helm/templates/_enforce-policy.yaml
@@ -0,0 +1,17 @@
+{{- define "template.enforce-policy" }}
+- name: enforce-policy
+ inputs:
+ parameters:
+ - name: fail-on-cvss
+ container:
+ image: agentguard-tools:latest
+ command:
+ - node
+ - /app/dist/enforce-policy.js
+ env:
+ - name: FAIL_ON_CVSS
+ value: "{{inputs.parameters.fail-on-cvss}}"
+ volumeMounts:
+ - name: workspace
+ mountPath: /workspace
+{{- end }}
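Review bot: The policy gate runs from `image: agentguard-tools:latest`, an unpinned mutable tag with no registry prefix or digest, while every third-party scanner in this patch is pinned (pulumi 3.154.0, kics 1.7.14, semgrep 1.85.0, aws-cli 2.15.40); the step that decides whether a build passes should be the most tightly pinned image in the pipeline, not the least, and the same bare tag is reused by upload-defectdojo, which handles the API token. Pin it to an immutable reference of the form `image: <registry>/agentguard-tools:<version>@sha256:<digest>` and source the tag from values so both steps move together. A bare name like `agentguard-tools` also resolves to Docker Hub's library namespace unless the node already has the image cached, which is presumably the intent here but is worth confirming. The `fail-on-cvss` parameter is passed straight through as `value: "{{inputs.parameters.fail-on-cvss}}"` with no default visible, so what an empty or non-numeric value means is decided inside enforce-policy.js, outside this patch; a comment above `- name: fail-on-cvss` stating the accepted range and the empty-value behaviour would help the next reader.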
diff --git a/helm/templates/scan-crossguard.yaml b/helm/templates/_scan-crossguard.yaml
similarity index 83%
rename from helm/templates/scan-crossguard.yaml
rename to helm/templates/_scan-crossguard.yaml
index 8088cbc..73fce87 100644
--- a/helm/templates/scan-crossguard.yaml
+++ b/helm/templates/_scan-crossguard.yaml
@@ -1,11 +1,5 @@
-{{- if .Values.pipeline.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
- name: amp-security-pipeline-v1.0.0
-spec:
- templates:
- - name: scan-crossguard
+{{- define "template.scan-crossguard" }}
+- name: scan-crossguard
 container:
 image: pulumi/pulumi:3.154.0
 env:
diff --git a/helm/templates/scan-kics.yaml b/helm/templates/_scan-kics.yaml
similarity index 77%
rename from helm/templates/scan-kics.yaml
rename to helm/templates/_scan-kics.yaml
index 4303a35..f764431 100644
--- a/helm/templates/scan-kics.yaml
+++ b/helm/templates/_scan-kics.yaml
@@ -1,11 +1,5 @@
-{{- if .Values.pipeline.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
- name: amp-security-pipeline-v1.0.0
-spec:
- templates:
- - name: scan-kics
+{{- define "template.scan-kics" }}
+- name: scan-kics
 container:
 image: checkmarx/kics:1.7.14
 command:
diff --git a/helm/templates/scan-semgrep.yaml b/helm/templates/_scan-semgrep.yaml
similarity index 67%
rename from helm/templates/scan-semgrep.yaml
rename to helm/templates/_scan-semgrep.yaml
index 02a8012..e7c482e 100644
--- a/helm/templates/scan-semgrep.yaml
+++ b/helm/templates/_scan-semgrep.yaml
@@ -1,11 +1,5 @@
-{{- if .Values.pipeline.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
- name: amp-security-pipeline-v1.0.0
-spec:
- templates:
- - name: scan-semgrep
+{{- define "template.scan-semgrep" }}
+- name: scan-semgrep
 container:
 image: returntocorp/semgrep:1.85.0
 command:
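Review bot: The new `{{- define "template.scan-crossguard" }}` (and the matching `template.scan-kics` and `template.scan-semgrep` names in the next two hunks) sit in Helm's global named-template namespace, which is shared with every subchart and dependency, so a generic `template.` prefix invites silent collisions where the last definition loaded wins. The usual convention is to prefix with the chart name, e.g. `{{- define "amp-security-pipeline.scan-crossguard" }}`, and update the include sites to match. The removed `{{- if .Values.pipeline.enabled }}` gate no longer exists in these files; whether the wrapper that now includes these templates still honours `pipeline.enabled` cannot be seen from this patch and should be confirmed. The remainder of each template body, including its closing `{{- end }}`, lies outside the hunk.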
diff --git a/helm/templates/scan-socketdev.yaml b/helm/templates/_scan-socketdev.yaml
similarity index 75%
rename from helm/templates/scan-socketdev.yaml
rename to helm/templates/_scan-socketdev.yaml
index 56532df..f5c1cb5 100644
--- a/helm/templates/scan-socketdev.yaml
+++ b/helm/templates/_scan-socketdev.yaml
@@ -1,11 +1,5 @@
-{{- if .Values.pipeline.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
- name: amp-security-pipeline-v1.0.0
-spec:
- templates:
- - name: scan-socketdev
+{{- define "template.scan-socketdev" }}
+- name: scan-socketdev
 container:
 image: socketdev/socketcli:latest
 env:
diff --git a/helm/templates/scan-syft-grype.yaml b/helm/templates/_scan-syft-grype.yaml
similarity index 70%
rename from helm/templates/scan-syft-grype.yaml
rename to helm/templates/_scan-syft-grype.yaml
index 3f31af2..4595f68 100644
--- a/helm/templates/scan-syft-grype.yaml
+++ b/helm/templates/_scan-syft-grype.yaml
@@ -1,11 +1,5 @@
-{{- if .Values.pipeline.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
- name: amp-security-pipeline-v1.0.0
-spec:
- templates:
- - name: scan-syft-grype
+{{- define "template.scan-syft-grype" }}
+- name: scan-syft-grype
 container:
 image: anchore/syft:latest
 command:
diff --git a/helm/templates/_scan-trufflehog.yaml b/helm/templates/_scan-trufflehog.yaml
new file mode 100644
index 0000000..28ac35d
--- /dev/null
+++ b/helm/templates/_scan-trufflehog.yaml
@@ -0,0 +1,16 @@
+{{- define "template.scan-trufflehog" }}
+- name: scan-trufflehog
+ container:
+ image: trufflesecurity/trufflehog:latest
+ command:
+ - sh
+ - -c
+ args:
+ - |
+ set -eu
+ mkdir -p /workspace/reports
+ trufflehog filesystem /workspace --json > /workspace/reports/trufflehog.json || true
+ volumeMounts:
+ - name: workspace
+ mountPath: /workspace
+{{- end }}
diff --git a/helm/templates/_upload-defectdojo.yaml b/helm/templates/_upload-defectdojo.yaml
new file mode 100644
index 0000000..28edc0e
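Review bot: In the new `_scan-trufflehog.yaml`, `trufflehog filesystem /workspace --json > /workspace/reports/trufflehog.json || true` discards the scanner's exit status, so a crash, a rejected flag or a missing binary leaves an empty or truncated report and the step still succeeds; the `set -eu` two lines above is defeated for the one command that matters, and a secret scanner that silently produces nothing is worse than one that fails loudly. Drop the `|| true` so scanner errors fail the step, or if a non-zero exit is expected when findings exist, record it instead of hiding it: `trufflehog filesystem /workspace --json > /workspace/reports/trufflehog.json || echo "$?" > /workspace/reports/trufflehog.exitcode`. The scan root `/workspace` also contains `/workspace/reports`, so output from the earlier scanners (which legitimately carries credential-shaped strings) is rescanned and can surface as findings; scanning the checkout directory alone or excluding `reports` avoids that. `trufflesecurity/trufflehog:latest` is another mutable tag in a pipeline that otherwise pins scanner versions, and whatever consumes this report downstream is outside this patch, so what it does with a missing file cannot be judged here.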
--- /dev/null
+++ b/helm/templates/_upload-defectdojo.yaml
@@ -0,0 +1,22 @@
+{{- define "template.upload-defectdojo" }}
+- name: upload-defectdojo
+ container:
+ image: agentguard-tools:latest
+ env:
+ - name: DEFECTDOJO_URL
+ valueFrom:
+ secretKeyRef:
+ name: amp-security-pipeline-secrets
+ key: DEFECTDOJO_URL
+ - name: DEFECTDOJO_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: amp-security-pipeline-secrets
+ key: DEFECTDOJO_API_TOKEN
+ command:
+ - node
+ - /app/dist/upload-defectdojo.js
+ volumeMounts:
+ - name: workspace
+ mountPath: /workspace
+{{- end }}
diff --git a/helm/templates/_upload-storage.yaml b/helm/templates/_upload-storage.yaml
new file mode 100644
index 0000000..5e3e735
--- /dev/null
+++ b/helm/templates/_upload-storage.yaml
@@ -0,0 +1,39 @@
+{{- define "template.upload-storage" }}
+- name: upload-storage
+ container:
+ image: amazon/aws-cli:2.15.40
+ env:
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: amp-security-pipeline-secrets
+ key: AWS_ACCESS_KEY_ID
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: amp-security-pipeline-secrets
+ key: AWS_SECRET_ACCESS_KEY
+ - name: MINIO_ROOT_USER
+ valueFrom:
+ secretKeyRef:
+ name: amp-security-pipeline-secrets
+ key: MINIO_ROOT_USER
+ - name: MINIO_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: amp-security-pipeline-secrets
+ key: MINIO_ROOT_PASSWORD
+ command:
+ - sh
+ - -c
+ args:
+ - |
+ set -eu
+ repo_name="${REPO_NAME:-repo}"
+ commit_sha="${GIT_COMMIT_SHA:-unknown}"
+ report_date="$(date -u +%F)"
+ aws s3 sync /workspace/reports "s3://${REPORTS_BUCKET:-security-reports}/${repo_name}/${report_date}/${commit_sha}/"
+ volumeMounts:
+ - name: workspace
+ mountPath: /workspace
+{{- end }}
diff --git a/helm/templates/scan-trufflehog.yaml b/helm/templates/scan-trufflehog.yaml
deleted file mode 100644
index 7df1f94..0000000
--- a/helm/templates/scan-trufflehog.yaml
+++ /dev/null
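Review bot: In `_upload-storage.yaml`, `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD` are injected into the container but nothing in the script reads them — `aws s3 sync` consumes only `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` — so the object store's root credentials are exposed to this pod, its spec and anyone who can exec into it, for no benefit; remove those two env entries, or if MinIO is the real target, mint a key scoped to the reports bucket and pass it as the AWS pair. The script also silently defaults `${REPO_NAME:-repo}` and `${GIT_COMMIT_SHA:-unknown}`, so a workflow that forgets to set them files every repository's reports under `security-reports/repo/<date>/unknown/` where `s3 sync` overwrites earlier runs; with `set -u` already in place, prefer `: "${REPO_NAME:?REPO_NAME is required}"` and `: "${GIT_COMMIT_SHA:?GIT_COMMIT_SHA is required}"` so a misconfigured caller fails instead of corrupting the archive. None of `REPO_NAME`, `GIT_COMMIT_SHA` or `REPORTS_BUCKET` is defined in this template's `env`, so they presumably arrive from workflow-level environment — worth confirming. Longer term, a static key pair in a Secret is a weaker choice than a workload identity (IRSA or the MinIO equivalent) bound to the workflow's service account.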
@@ -1,19 +0,0 @@
-{{- if .Values.pipeline.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
- name: amp-security-pipeline-v1.0.0
-spec:
- templates:
- - name: scan-trufflehog
- container:
- image: alpine:3.20
- command:
- - sh
- - -c
- args:
- - mkdir -p /workspace/reports && echo "stub: trufflehog" > /workspace/reports/trufflehog.json
- volumeMounts:
- - name: workspace
- mountPath: /workspace
-{{- end }}