all phases complete!

helm/templates/scan-crossguard.yaml

@@ -6,24 +6,33 @@ metadata:
 spec:
   templates:
     - name: scan-crossguard
-      metadata:
-        annotations:
-          secrets.infisical.com/auto-reload: "true"
-      initContainers:
-        - name: wait-for-infisical
-          image: alpine:3.20
-          command:
-            - sh
-            - -c
-          args:
-            - until [ -n "${DEFECTDOJO_API_KEY:-}" ]; do sleep 2; done
       container:
-        image: alpine:3.20
+        image: pulumi/pulumi:3.154.0
+        env:
+          - name: PULUMI_ACCESS_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: amp-security-pipeline-secrets
+                key: PULUMI_ACCESS_TOKEN
+          - name: AWS_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: amp-security-pipeline-secrets
+                key: AWS_ACCESS_KEY_ID
+          - name: AWS_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: amp-security-pipeline-secrets
+                key: AWS_SECRET_ACCESS_KEY
         command:
           - sh
           - -c
         args:
-          - mkdir -p /workspace/reports && echo "stub: defectdojo" > /workspace/reports/crossguard.json
+          - |
+            set -eu
+            mkdir -p /workspace/reports
+            cd /workspace
+            pulumi preview --policy-pack ./policy-pack > /workspace/reports/crossguard.json 2>&1 || true
       volumeMounts:
         - name: workspace
           mountPath: /workspace