rename componenets

helm/templates/_enforce-policy.yaml

@@ -0,0 +1,17 @@
+{{- define "template.enforce-policy" }}
+- name: enforce-policy
+      inputs:
+        parameters:
+          - name: fail-on-cvss
+      container:
+        image: agentguard-tools:latest
+        command:
+          - node
+          - /app/dist/enforce-policy.js
+        env:
+          - name: FAIL_ON_CVSS
+            value: "{{inputs.parameters.fail-on-cvss}}"
+      volumeMounts:
+        - name: workspace
+          mountPath: /workspace
+{{- end }}

helm/templates/_scan-crossguard.yaml

@@ -1,10 +1,4 @@
-{{- if .Values.pipeline.enabled }}
+{{- define "template.scan-crossguard" }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
-  name: amp-security-pipeline-v1.0.0
-spec:
-  templates:
 - name: scan-crossguard
       container:
         image: pulumi/pulumi:3.154.0

helm/templates/_scan-kics.yaml

@@ -1,10 +1,4 @@
-{{- if .Values.pipeline.enabled }}
+{{- define "template.scan-kics" }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
-  name: amp-security-pipeline-v1.0.0
-spec:
-  templates:
 - name: scan-kics
       container:
         image: checkmarx/kics:1.7.14

helm/templates/_scan-semgrep.yaml

@@ -1,10 +1,4 @@
-{{- if .Values.pipeline.enabled }}
+{{- define "template.scan-semgrep" }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
-  name: amp-security-pipeline-v1.0.0
-spec:
-  templates:
 - name: scan-semgrep
       container:
         image: returntocorp/semgrep:1.85.0

helm/templates/_scan-socketdev.yaml

@@ -1,10 +1,4 @@
-{{- if .Values.pipeline.enabled }}
+{{- define "template.scan-socketdev" }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
-  name: amp-security-pipeline-v1.0.0
-spec:
-  templates:
 - name: scan-socketdev
       container:
         image: socketdev/socketcli:latest

helm/templates/_scan-syft-grype.yaml

@@ -1,10 +1,4 @@
-{{- if .Values.pipeline.enabled }}
+{{- define "template.scan-syft-grype" }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
-  name: amp-security-pipeline-v1.0.0
-spec:
-  templates:
 - name: scan-syft-grype
       container:
         image: anchore/syft:latest

helm/templates/_scan-trufflehog.yaml

@@ -0,0 +1,16 @@
+{{- define "template.scan-trufflehog" }}
+- name: scan-trufflehog
+      container:
+        image: trufflesecurity/trufflehog:latest
+        command:
+          - sh
+          - -c
+        args:
+          - |
+            set -eu
+            mkdir -p /workspace/reports
+            trufflehog filesystem /workspace --json > /workspace/reports/trufflehog.json || true
+      volumeMounts:
+        - name: workspace
+          mountPath: /workspace
+{{- end }}

helm/templates/_upload-defectdojo.yaml

@@ -0,0 +1,22 @@
+{{- define "template.upload-defectdojo" }}
+- name: upload-defectdojo
+      container:
+        image: agentguard-tools:latest
+        env:
+          - name: DEFECTDOJO_URL
+            valueFrom:
+              secretKeyRef:
+                name: amp-security-pipeline-secrets
+                key: DEFECTDOJO_URL
+          - name: DEFECTDOJO_API_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: amp-security-pipeline-secrets
+                key: DEFECTDOJO_API_TOKEN
+        command:
+          - node
+          - /app/dist/upload-defectdojo.js
+      volumeMounts:
+        - name: workspace
+          mountPath: /workspace
+{{- end }}

helm/templates/_upload-storage.yaml

@@ -0,0 +1,39 @@
+{{- define "template.upload-storage" }}
+- name: upload-storage
+      container:
+        image: amazon/aws-cli:2.15.40
+        env:
+          - name: AWS_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: amp-security-pipeline-secrets
+                key: AWS_ACCESS_KEY_ID
+          - name: AWS_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: amp-security-pipeline-secrets
+                key: AWS_SECRET_ACCESS_KEY
+          - name: MINIO_ROOT_USER
+            valueFrom:
+              secretKeyRef:
+                name: amp-security-pipeline-secrets
+                key: MINIO_ROOT_USER
+          - name: MINIO_ROOT_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: amp-security-pipeline-secrets
+                key: MINIO_ROOT_PASSWORD
+        command:
+          - sh
+          - -c
+        args:
+          - |
+            set -eu
+            repo_name="${REPO_NAME:-repo}"
+            commit_sha="${GIT_COMMIT_SHA:-unknown}"
+            report_date="$(date -u +%F)"
+            aws s3 sync /workspace/reports "s3://${REPORTS_BUCKET:-security-reports}/${repo_name}/${report_date}/${commit_sha}/"
+      volumeMounts:
+        - name: workspace
+          mountPath: /workspace
+{{- end }}

helm/templates/scan-trufflehog.yaml

@@ -1,19 +0,0 @@
-{{- if .Values.pipeline.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: ClusterWorkflowTemplate
-metadata:
-  name: amp-security-pipeline-v1.0.0
-spec:
-  templates:
-    - name: scan-trufflehog
-      container:
-        image: alpine:3.20
-        command:
-          - sh
-          - -c
-        args:
-          - mkdir -p /workspace/reports && echo "stub: trufflehog" > /workspace/reports/trufflehog.json
-      volumeMounts:
-        - name: workspace
-          mountPath: /workspace
-{{- end }}