ada/agentguard-ci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

implementing first steps

Browse Source
This commit is contained in:
Elizabeth W
2026-04-19 22:29:13 -06:00
parent 8c2c420bff
commit df10609df5
6 changed files with 303 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
helm/templates/clusterworkflowtemplate.yaml
+156
View File
@@ -0,0 +1,156 @@
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
name: amp-security-pipeline-v1.0.0
spec:
serviceAccountName: default
entrypoint: security-pipeline
volumeClaimTemplates:
- metadata:
name: workspace
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
arguments:
parameters:
- name: working-dir
value: .
- name: fail-on-cvss
value: "7.0"
- name: repo-url
- name: git-revision
value: main
templates:
- name: security-pipeline
dag:
tasks:
- name: clone
template: clone-repo
arguments:
parameters:
- name: repo-url
value: "{{workflow.parameters.repo-url}}"
- name: git-revision
value: "{{workflow.parameters.git-revision}}"
- name: scanners
dependencies:
- clone
template: parallel-scanners
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: fail-on-cvss
value: "{{workflow.parameters.fail-on-cvss}}"
- name: sinks-and-enforcement
dependencies:
- scanners
template: sinks-and-enforcement
- name: scan-trufflehog
dependencies:
- clone
template: scan-trufflehog
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: scan-semgrep
dependencies:
- clone
template: scan-semgrep
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: scan-kics
dependencies:
- clone
template: scan-kics
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: scan-socketdev
dependencies:
- clone
template: scan-socketdev
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: scan-syft-grype
dependencies:
- clone
template: scan-syft-grype
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: scan-crossguard
dependencies:
- clone
template: scan-crossguard
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: clone-repo
inputs:
parameters:
- name: repo-url
- name: git-revision
container:
image: alpine/git:2.45.2
command:
- sh
- -c
args:
- git clone --branch "{{inputs.parameters.git-revision}}" --single-branch "{{inputs.parameters.repo-url}}" /workspace
volumeMounts:
- name: workspace
mountPath: /workspace
- name: parallel-scanners
inputs:
parameters:
- name: working-dir
- name: fail-on-cvss
dag:
tasks:
- name: trufflehog
template: scan-trufflehog
- name: semgrep
template: scan-semgrep
- name: kics
template: scan-kics
- name: socketdev
template: scan-socketdev
- name: syft-grype
template: scan-syft-grype
- name: defectdojo
template: scan-crossguard
- name: sinks-and-enforcement
metadata:
annotations:
secrets.infisical.com/auto-reload: "true"
container:
image: alpine:3.20
command:
- sh
- -c
args:
- echo "stub: sinks and enforcement"
- name: scan-trufflehog
template: scan-trufflehog
- name: scan-semgrep
template: scan-semgrep
- name: scan-kics
template: scan-kics
- name: scan-socketdev
template: scan-socketdev
- name: scan-syft-grype
template: scan-syft-grype
- name: scan-crossguard
template: scan-crossguard
helm/templates/scan-crossguard.yaml
+30
View File
@@ -0,0 +1,30 @@
{{- if .Values.pipeline.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
name: amp-security-pipeline-v1.0.0
spec:
templates:
- name: scan-crossguard
metadata:
annotations:
secrets.infisical.com/auto-reload: "true"
initContainers:
- name: wait-for-infisical
image: alpine:3.20
command:
- sh
- -c
args:
- until [ -n "${DEFECTDOJO_API_KEY:-}" ]; do sleep 2; done
container:
image: alpine:3.20
command:
- sh
- -c
args:
- mkdir -p /workspace/reports && echo "stub: defectdojo" > /workspace/reports/crossguard.json
volumeMounts:
- name: workspace
mountPath: /workspace
{{- end }}
helm/templates/scan-kics.yaml
+39
View File
@@ -0,0 +1,39 @@
{{- if .Values.pipeline.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
name: amp-security-pipeline-v1.0.0
spec:
templates:
- name: scan-kics
metadata:
annotations:
secrets.infisical.com/auto-reload: "true"
initContainers:
- name: wait-for-infisical
image: alpine:3.20
command:
- sh
- -c
args:
- until [ -n "${KICS_TOKEN:-}" ]; do sleep 2; done
container:
image: checkmarx/kics:1.7.14
command:
- sh
- -c
args:
- |
set -eu
mkdir -p /workspace/reports
kics scan -p /workspace -o /workspace/reports --report-formats sarif,json --output-name kics || true
if [ -f /workspace/reports/kics.sarif ]; then
exit 0
fi
if [ -f /workspace/reports/kics.json ]; then
cp /workspace/reports/kics.json /workspace/reports/kics.sarif
fi
volumeMounts:
- name: workspace
mountPath: /workspace
{{- end }}
helm/templates/scan-semgrep.yaml
+22
View File
@@ -0,0 +1,22 @@
{{- if .Values.pipeline.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
name: amp-security-pipeline-v1.0.0
spec:
templates:
- name: scan-semgrep
container:
image: returntocorp/semgrep:1.85.0
command:
- sh
- -c
args:
- |
set -eu
mkdir -p /workspace/reports
semgrep scan --config auto --sarif --output /workspace/reports/semgrep.sarif /workspace || true
volumeMounts:
- name: workspace
mountPath: /workspace
{{- end }}
helm/templates/scan-socketdev.yaml
+33
View File
@@ -0,0 +1,33 @@
{{- if .Values.pipeline.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
name: amp-security-pipeline-v1.0.0
spec:
templates:
- name: scan-socketdev
metadata:
annotations:
secrets.infisical.com/auto-reload: "true"
initContainers:
- name: wait-for-infisical
image: alpine:3.20
command:
- sh
- -c
args:
- until [ -n "${SOCKETDEV_TOKEN:-}" ]; do sleep 2; done
container:
image: socketdev/socketcli:latest
command:
- sh
- -c
args:
- |
set -eu
mkdir -p /workspace/reports
socketdev scan /workspace --format json --output /workspace/reports/socketdev.json || true
volumeMounts:
- name: workspace
mountPath: /workspace
{{- end }}
helm/templates/scan-syft-grype.yaml
+23
View File
@@ -0,0 +1,23 @@
{{- if .Values.pipeline.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
name: amp-security-pipeline-v1.0.0
spec:
templates:
- name: scan-syft-grype
container:
image: anchore/syft:latest
command:
- sh
- -c
args:
- |
set -eu
mkdir -p /workspace/reports
syft scan dir:/workspace -o cyclonedx-json=/workspace/reports/sbom.json || true
grype sbom:/workspace/reports/sbom.json -o sarif=/workspace/reports/grype.sarif || true
volumeMounts:
- name: workspace
mountPath: /workspace
{{- end }}