From df10609df54da4e5209c18c03ba8f7cf15a16277 Mon Sep 17 00:00:00 2001 From: Elizabeth W Date: Sun, 19 Apr 2026 22:29:13 -0600 Subject: [PATCH] implementing first steps --- helm/templates/clusterworkflowtemplate.yaml | 156 ++++++++++++++++++++ helm/templates/scan-crossguard.yaml | 30 ++++ helm/templates/scan-kics.yaml | 39 +++++ helm/templates/scan-semgrep.yaml | 22 +++ helm/templates/scan-socketdev.yaml | 33 +++++ helm/templates/scan-syft-grype.yaml | 23 +++ 6 files changed, 303 insertions(+) create mode 100644 helm/templates/clusterworkflowtemplate.yaml create mode 100644 helm/templates/scan-crossguard.yaml create mode 100644 helm/templates/scan-kics.yaml create mode 100644 helm/templates/scan-semgrep.yaml create mode 100644 helm/templates/scan-socketdev.yaml create mode 100644 helm/templates/scan-syft-grype.yaml diff --git a/helm/templates/clusterworkflowtemplate.yaml b/helm/templates/clusterworkflowtemplate.yaml new file mode 100644 index 0000000..67f4f7a --- /dev/null +++ b/helm/templates/clusterworkflowtemplate.yaml 
@@ -0,0 +1,156 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ClusterWorkflowTemplate
+metadata:
+ name: amp-security-pipeline-v1.0.0
+spec:
+ serviceAccountName: default
+ entrypoint: security-pipeline
+ volumeClaimTemplates:
+ - metadata:
+ name: workspace
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ arguments:
+ parameters:
+ - name: working-dir
+ value: .
+ - name: fail-on-cvss
+ value: "7.0"
+ - name: repo-url
+ - name: git-revision
+ value: main
+ templates:
+ - name: security-pipeline
+ dag:
+ tasks:
+ - name: clone
+ template: clone-repo
+ arguments:
+ parameters:
+ - name: repo-url
+ value: "{{workflow.parameters.repo-url}}"
+ - name: git-revision
+ value: "{{workflow.parameters.git-revision}}"
+ - name: scanners
+ dependencies:
+ - clone
+ template: parallel-scanners
+ arguments:
+ parameters:
+ - name: working-dir
+ value: "{{workflow.parameters.working-dir}}"
+ - name: fail-on-cvss
+ value: "{{workflow.parameters.fail-on-cvss}}"
+ - name: sinks-and-enforcement
+ dependencies:
+ - scanners
+ template: sinks-and-enforcement
+ - name: scan-trufflehog
+ dependencies:
+ - clone
+ template: scan-trufflehog
+ arguments:
+ parameters:
+ - name: working-dir
+ value: "{{workflow.parameters.working-dir}}"
+ - name: scan-semgrep
+ dependencies:
+ - clone
+ template: scan-semgrep
+ arguments:
+ parameters:
+ - name: working-dir
+ value: "{{workflow.parameters.working-dir}}"
+ - name: scan-kics
+ dependencies:
+ - clone
+ template: scan-kics
+ arguments:
+ parameters:
+ - name: working-dir
+ value: "{{workflow.parameters.working-dir}}"
+ - name: scan-socketdev
+ dependencies:
+ - clone
+ template: scan-socketdev
+ arguments:
+ parameters:
+ - name: working-dir
+ value: "{{workflow.parameters.working-dir}}"
+ - name: scan-syft-grype
+ dependencies:
+ - clone
+ template: scan-syft-grype
+ arguments:
+ parameters:
+ - name: working-dir
+ value: "{{workflow.parameters.working-dir}}"
+ - name: scan-crossguard
+ dependencies:
+ - clone
+ 
template: scan-crossguard
+ arguments:
+ parameters:
+ - name: working-dir
+ value: "{{workflow.parameters.working-dir}}"
+ - name: clone-repo
+ inputs:
+ parameters:
+ - name: repo-url
+ - name: git-revision
+ container:
+ image: alpine/git:2.45.2
+ command:
+ - sh
+ - -c
+ args:
+ - git clone --branch "{{inputs.parameters.git-revision}}" --single-branch "{{inputs.parameters.repo-url}}" /workspace
+ volumeMounts:
+ - name: workspace
+ mountPath: /workspace
+ - name: parallel-scanners
+ inputs:
+ parameters:
+ - name: working-dir
+ - name: fail-on-cvss
+ dag:
+ tasks:
+ - name: trufflehog
+ template: scan-trufflehog
+ - name: semgrep
+ template: scan-semgrep
+ - name: kics
+ template: scan-kics
+ - name: socketdev
+ template: scan-socketdev
+ - name: syft-grype
+ template: scan-syft-grype
+ - name: defectdojo
+ template: scan-crossguard
+ - name: sinks-and-enforcement
+ metadata:
+ annotations:
+ secrets.infisical.com/auto-reload: "true"
+ container:
+ image: alpine:3.20
+ command:
+ - sh
+ - -c
+ args:
+ - echo "stub: sinks and enforcement"
+ - name: scan-trufflehog
+ template: scan-trufflehog
+ - name: scan-semgrep
+ template: scan-semgrep
+ - name: scan-kics
+ template: scan-kics
+ - name: scan-socketdev
+ template: scan-socketdev
+ - name: scan-syft-grype
+ template: scan-syft-grype
+ - name: scan-crossguard
+ template: scan-crossguard
diff --git a/helm/templates/scan-crossguard.yaml b/helm/templates/scan-crossguard.yaml
new file mode 100644
index 0000000..b3539ec
--- /dev/null
+++ b/helm/templates/scan-crossguard.yaml
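Review bot: In clone-repo, `repo-url` and `git-revision` are substituted by Argo into a single `sh -c` string, so a value containing shell metacharacters is executed and a value beginning with `--` is read by git as an option rather than as data; invoke git directly with exec-form args and put `--` before the URL, as in the excerpt below. The same values are written as bare `{{workflow.parameters.…}}` / `{{inputs.parameters.…}}` in a file under helm/templates/, which Helm will try to evaluate as Go template actions and (unless they are escaped somewhere I cannot see) fail to render; the usual form is `"{{ `{{inputs.parameters.repo-url}}` }}"`. The workflow also runs as `serviceAccountName: default`, which should be a dedicated least-privilege service account for the pipeline. The six trailing stubs (`- name: scan-trufflehog` / `template: scan-trufflehog` and siblings) reference themselves, and the real scanner templates in the sibling files are declared as separate ClusterWorkflowTemplate resources with the same name rather than inside this one, so I would expect a cycle error or last-applied-wins rather than the intended merge; `fail-on-cvss` is declared but consumed by no step, and the root DAG runs every scanner once directly and again via parallel-scanners.
```yaml
- name: clone-repo
  # … unchanged: inputs …
  container:
    image: alpine/git:2.45.2
    command:
      - git
    args:
      - clone
      - --branch
      - "{{ `{{inputs.parameters.git-revision}}` }}"
      - --single-branch
      - --
      - "{{ `{{inputs.parameters.repo-url}}` }}"
      - /workspace
    # … unchanged: volumeMounts …
```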
@@ -0,0 +1,30 @@
+{{- if .Values.pipeline.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: ClusterWorkflowTemplate
+metadata:
+ name: amp-security-pipeline-v1.0.0
+spec:
+ templates:
+ - name: scan-crossguard
+ metadata:
+ annotations:
+ secrets.infisical.com/auto-reload: "true"
+ initContainers:
+ - name: wait-for-infisical
+ image: alpine:3.20
+ command:
+ - sh
+ - -c
+ args:
+ - until [ -n "${DEFECTDOJO_API_KEY:-}" ]; do sleep 2; done
+ container:
+ image: alpine:3.20
+ command:
+ - sh
+ - -c
+ args:
+ - mkdir -p /workspace/reports && echo "stub: defectdojo" > /workspace/reports/crossguard.json
+ volumeMounts:
+ - name: workspace
+ mountPath: /workspace
+{{- end }}
diff --git a/helm/templates/scan-kics.yaml b/helm/templates/scan-kics.yaml
new file mode 100644
index 0000000..a95e7c0
--- /dev/null
+++ b/helm/templates/scan-kics.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.pipeline.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: ClusterWorkflowTemplate
+metadata:
+ name: amp-security-pipeline-v1.0.0
+spec:
+ templates:
+ - name: scan-kics
+ metadata:
+ annotations:
+ secrets.infisical.com/auto-reload: "true"
+ initContainers:
+ - name: wait-for-infisical
+ image: alpine:3.20
+ command:
+ - sh
+ - -c
+ args:
+ - until [ -n "${KICS_TOKEN:-}" ]; do sleep 2; done
+ container:
+ image: checkmarx/kics:1.7.14
+ command:
+ - sh
+ - -c
+ args:
+ - |
+ set -eu
+ mkdir -p /workspace/reports
+ kics scan -p /workspace -o /workspace/reports --report-formats sarif,json --output-name kics || true
+ if [ -f /workspace/reports/kics.sarif ]; then
+ exit 0
+ fi
+ if [ -f /workspace/reports/kics.json ]; then
+ cp /workspace/reports/kics.json /workspace/reports/kics.sarif
+ fi
+ volumeMounts:
+ - name: workspace
+ mountPath: /workspace
+{{- end }}
diff --git a/helm/templates/scan-semgrep.yaml b/helm/templates/scan-semgrep.yaml
new file mode 100644
index 0000000..02a8012
--- /dev/null
+++ b/helm/templates/scan-semgrep.yaml
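Review bot: The `wait-for-infisical` init container polls `${DEFECTDOJO_API_KEY:-}`, but nothing in the hunk gives that container an `env`/`envFrom`, so unless something outside this chart injects the variable the loop never terminates and the step hangs with no timeout; scan-kics (`KICS_TOKEN`) and scan-socketdev (`SOCKETDEV_TOKEN`) have the same pattern. Even once wired up, an init container's environment says nothing about the main container's, and a `valueFrom.secretKeyRef` on the scanner container already blocks container start until the Secret exists, which makes the init container unnecessary. If the wait is kept, bound it, e.g. `- i=0; until [ -n "${DEFECTDOJO_API_KEY:-}" ] || [ "$i" -ge 60 ]; do sleep 2; i=$((i+1)); done; [ -n "${DEFECTDOJO_API_KEY:-}" ]`. The main container only writes a placeholder `crossguard.json`; a comment such as `# stub: replace with the DefectDojo upload; the file written here is not a real report` would stop downstream consumers from treating it as one.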
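Review bot: `kics scan … || true` followed by the `cp kics.json kics.sarif` fallback means a tool failure (bad path, crash, auth problem) still ends the step with exit 0, and when the SARIF output is missing the fallback places KICS's native JSON under a `.sarif` name, which downstream SARIF consumers will reject or silently mis-parse. KICS separates findings from errors on its own: `kics scan … --ignore-on-exit results` keeps findings from failing the step while leaving genuine errors fatal under `set -eu`, after which the `cp` branch can be replaced by an explicit post-condition `[ -f /workspace/reports/kics.sarif ]`. The init-container wait has the same unbounded/unwired-env concern noted on scan-crossguard.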
@@ -0,0 +1,22 @@
+{{- if .Values.pipeline.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: ClusterWorkflowTemplate
+metadata:
+ name: amp-security-pipeline-v1.0.0
+spec:
+ templates:
+ - name: scan-semgrep
+ container:
+ image: returntocorp/semgrep:1.85.0
+ command:
+ - sh
+ - -c
+ args:
+ - |
+ set -eu
+ mkdir -p /workspace/reports
+ semgrep scan --config auto --sarif --output /workspace/reports/semgrep.sarif /workspace || true
+ volumeMounts:
+ - name: workspace
+ mountPath: /workspace
+{{- end }}
diff --git a/helm/templates/scan-socketdev.yaml b/helm/templates/scan-socketdev.yaml
new file mode 100644
index 0000000..756890b
--- /dev/null
+++ b/helm/templates/scan-socketdev.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.pipeline.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: ClusterWorkflowTemplate
+metadata:
+ name: amp-security-pipeline-v1.0.0
+spec:
+ templates:
+ - name: scan-socketdev
+ metadata:
+ annotations:
+ secrets.infisical.com/auto-reload: "true"
+ initContainers:
+ - name: wait-for-infisical
+ image: alpine:3.20
+ command:
+ - sh
+ - -c
+ args:
+ - until [ -n "${SOCKETDEV_TOKEN:-}" ]; do sleep 2; done
+ container:
+ image: socketdev/socketcli:latest
+ command:
+ - sh
+ - -c
+ args:
+ - |
+ set -eu
+ mkdir -p /workspace/reports
+ socketdev scan /workspace --format json --output /workspace/reports/socketdev.json || true
+ volumeMounts:
+ - name: workspace
+ mountPath: /workspace
+{{- end }}
diff --git a/helm/templates/scan-syft-grype.yaml b/helm/templates/scan-syft-grype.yaml
new file mode 100644
index 0000000..3f31af2
--- /dev/null
+++ b/helm/templates/scan-syft-grype.yaml
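Review bot: `semgrep scan --config auto … || true` swallows every non-zero exit, so a failed rule download, a parser crash or a missing `/workspace` produces no `semgrep.sarif` and still passes the step; `set -eu` is effectively disabled for the only command that matters. Semgrep by default (without `--error`) already exits 0 when it merely has findings, so the `|| true` buys nothing for findings and only hides errors; drop it and assert the output instead, e.g. `test -f /workspace/reports/semgrep.sarif`. `--config auto` also fetches rules from the Semgrep registry at run time, so the scan depends on network egress and on whatever the registry serves that day; for a reproducible pipeline point `--config` at a vendored or version-pinned ruleset.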
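Review bot: `image: socketdev/socketcli:latest` is a floating tag on a scanner that receives an API token (`SOCKETDEV_TOKEN`) and reads the whole checkout, so the code that runs with that token can change without review and the pipeline is not reproducible. Pin a version tag, or better a digest, in the form `image: socketdev/socketcli:<VERSION>@sha256:<DIGEST>` (placeholders), as the other scanner files pin their images. The `|| true` on the scan hides CLI and authentication errors the same way as in scan-semgrep, and the init-container wait shares the unbounded/unwired-env issue noted on scan-crossguard.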
@@ -0,0 +1,23 @@
+{{- if .Values.pipeline.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: ClusterWorkflowTemplate
+metadata:
+ name: amp-security-pipeline-v1.0.0
+spec:
+ templates:
+ - name: scan-syft-grype
+ container:
+ image: anchore/syft:latest
+ command:
+ - sh
+ - -c
+ args:
+ - |
+ set -eu
+ mkdir -p /workspace/reports
+ syft scan dir:/workspace -o cyclonedx-json=/workspace/reports/sbom.json || true
+ grype sbom:/workspace/reports/sbom.json -o sarif=/workspace/reports/grype.sarif || true
+ volumeMounts:
+ - name: workspace
+ mountPath: /workspace
+{{- end }}
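Review bot: The step runs `grype` inside `anchore/syft:latest`, and as far as I know the syft image does not ship grype (and, being distroless, I believe it has no `sh` either), so the container either fails to start or the `grype` call fails and is hidden by `|| true`, leaving no `grype.sarif` while the step reports success. Split this into two steps or two containers — syft produces `sbom.json`, a pinned grype image consumes it — and drop `|| true` in favour of checking that both output files exist. `latest` should also be pinned to a version or digest for the reasons noted on scan-socketdev; a vulnerability matcher and its database changing silently between runs makes results non-comparable over time.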