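# Argo Workflows ClusterWorkflowTemplate: clone a repository onto a shared
# volume, fan out to a set of scanners, push results to two sinks, then gate
# the run on a CVSS threshold.
# This resource is cluster-scoped: any namespace may invoke it (workflowTemplateRef
# with clusterScope: true), so nothing below should assume one namespace's setup.
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
  name: amp-security-pipeline-v1.0.0
spec:
  # NOTE(review): every pod runs as the invoking namespace's `default` service
  # account. Argo only needs create/patch on workflowtaskresults; bind a
  # dedicated least-privilege service account rather than `default`, which in
  # many clusters carries broader permissions than this pipeline needs.
  serviceAccountName: default
  entrypoint: security-pipeline
  # One shared PVC: clone-repo writes it, the scanners read it. Argo creates it
  # when the workflow starts; whether it survives completion depends on the
  # controller's PVC garbage-collection settings — confirm for this cluster.
  volumeClaimTemplates:
    - metadata:
        name: workspace
      spec:
        accessModes:
          # NOTE(review): the scan tasks run in parallel; with ReadWriteOnce
          # their pods must land on the same node as the volume — TODO confirm
          # the storage class allows that, or use ReadWriteMany.
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi  # sized for small repositories; raise for large histories
  arguments:
    parameters:
      - name: working-dir
        # Presumably relative to the checkout root (/workspace) — TODO confirm
        # once the scanner templates are implemented.
        value: "."
      - name: fail-on-cvss
        # Quoted on purpose: an unquoted 7.0 is parsed as a float, not a string.
        value: "7.0"
      # No default: required at submission time. Never embed credentials in the
      # URL — workflow parameters are recorded in workflow status and logs.
      - name: repo-url
      - name: git-revision
        # Passed to `git clone --branch`: must be a branch or tag name, not a
        # commit SHA.
        value: main
  templates:
    # Top-level DAG.
    # NOTE(review): the scanners are wired twice — once as the six scan-*
    # tasks (which feed the upload and enforce-policy chain) and once via the
    # `scanners` task (parallel-scanners, which feeds only the
    # sinks-and-enforcement stub). As written every scanner would run twice;
    # keep one path before this goes live.
    - name: security-pipeline
      dag:
        tasks:
          - name: clone
            template: clone-repo
            arguments:
              parameters:
                - name: repo-url
                  value: "{{workflow.parameters.repo-url}}"
                - name: git-revision
                  value: "{{workflow.parameters.git-revision}}"
          - name: scanners
            dependencies:
              - clone
            template: parallel-scanners
            arguments:
              parameters:
                - name: working-dir
                  value: "{{workflow.parameters.working-dir}}"
                - name: fail-on-cvss
                  value: "{{workflow.parameters.fail-on-cvss}}"
          # Both sinks wait for every scanner, and the policy gate waits for
          # both sinks, so findings are recorded even when the gate fails the
          # workflow.
          - name: upload-storage
            dependencies:
              - scan-trufflehog
              - scan-semgrep
              - scan-kics
              - scan-socketdev
              - scan-syft-grype
              - scan-crossguard
            template: upload-storage
          - name: upload-defectdojo
            dependencies:
              - scan-trufflehog
              - scan-semgrep
              - scan-kics
              - scan-socketdev
              - scan-syft-grype
              - scan-crossguard
            template: upload-defectdojo
          - name: enforce-policy
            dependencies:
              - upload-storage
              - upload-defectdojo
            template: enforce-policy
            arguments:
              parameters:
                - name: fail-on-cvss
                  value: "{{workflow.parameters.fail-on-cvss}}"
          - name: sinks-and-enforcement
            dependencies:
              - scanners
            template: sinks-and-enforcement
          # Each scanner receives the checkout path. The scan-* templates
          # below must declare a matching inputs.parameters entry for
          # `working-dir` before the workflow validates.
          - name: scan-trufflehog
            dependencies:
              - clone
            template: scan-trufflehog
            arguments:
              parameters:
                - name: working-dir
                  value: "{{workflow.parameters.working-dir}}"
          - name: scan-semgrep
            dependencies:
              - clone
            template: scan-semgrep
            arguments:
              parameters:
                - name: working-dir
                  value: "{{workflow.parameters.working-dir}}"
          - name: scan-kics
            dependencies:
              - clone
            template: scan-kics
            arguments:
              parameters:
                - name: working-dir
                  value: "{{workflow.parameters.working-dir}}"
          - name: scan-socketdev
            dependencies:
              - clone
            template: scan-socketdev
            arguments:
              parameters:
                - name: working-dir
                  value: "{{workflow.parameters.working-dir}}"
          - name: scan-syft-grype
            dependencies:
              - clone
            template: scan-syft-grype
            arguments:
              parameters:
                - name: working-dir
                  value: "{{workflow.parameters.working-dir}}"
          - name: scan-crossguard
            dependencies:
              - clone
            template: scan-crossguard
            arguments:
              parameters:
                - name: working-dir
                  value: "{{workflow.parameters.working-dir}}"

    # Clone the target repository onto the shared workspace volume.
    # git is exec'd directly instead of through `sh -c`: Argo substitutes the
    # parameters as text, so a repo-url or git-revision containing `"; ...` or
    # `$(...)` would otherwise run as shell. Each value is now a single argv
    # entry, and `--` stops a repo-url such as `--upload-pack=...` from being
    # parsed as a git option.
    - name: clone-repo
      inputs:
        parameters:
          - name: repo-url
          - name: git-revision
      container:
        # Tag-pinned; pin by @sha256 digest for a reproducible, verified image.
        image: alpine/git:2.45.2
        command:
          - git
        args:
          - clone
          - --branch
          - "{{inputs.parameters.git-revision}}"
          # No --depth on purpose: full history is kept (presumably the
          # secret scanner walks commits — TODO confirm when scan-trufflehog
          # is implemented).
          - --single-branch
          - "--"
          - "{{inputs.parameters.repo-url}}"
          # NOTE(review): `git clone` refuses a non-empty target. If the PVC's
          # filesystem places `lost+found` at the mount root this step fails;
          # clone into a subdirectory (e.g. /workspace/src) in that case.
          - /workspace
        env:
          # Make credential prompts fail immediately instead of waiting on a
          # terminal that does not exist. Private repositories need a token
          # mounted from a Secret, not credentials in the URL.
          - name: GIT_TERMINAL_PROMPT
            value: "0"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
        volumeMounts:
          - name: workspace
            mountPath: /workspace

    # Fans the six scanners out in parallel.
    # NOTE(review): declares working-dir and fail-on-cvss inputs but forwards
    # neither to its tasks, so scanners started via this route never learn the
    # checkout path.
    - name: parallel-scanners
      inputs:
        parameters:
          - name: working-dir
          - name: fail-on-cvss
      dag:
        tasks:
          - name: trufflehog
            template: scan-trufflehog
          - name: semgrep
            template: scan-semgrep
          - name: kics
            template: scan-kics
          - name: socketdev
            template: scan-socketdev
          - name: syft-grype
            template: scan-syft-grype
          # Was named `defectdojo`; renamed to match the template it runs.
          - name: crossguard
            template: scan-crossguard

    # Placeholder: does nothing yet.
    - name: sinks-and-enforcement
      container:
        image: alpine:3.20  # pin by @sha256 digest before use
        command:
          - sh
          - -c
        args:
          - echo "stub: sinks and enforcement"

    # Scanner and sink templates are placeholders: each only names itself as
    # its `template` and has no container/script/dag body, so Argo is expected
    # to reject the workflow at validation until they are implemented. When
    # they are:
    #   - declare inputs.parameters `working-dir` (the DAG passes it);
    #   - write results onto the workspace volume for the upload templates;
    #   - pass storage and DefectDojo credentials via env valueFrom.secretKeyRef,
    #     never as parameters (parameters are recorded in workflow status);
    #   - pin every scanner image by digest.
    - name: scan-trufflehog
      template: scan-trufflehog
    - name: scan-semgrep
      template: scan-semgrep
    - name: scan-kics
      template: scan-kics
    - name: scan-socketdev
      template: scan-socketdev
    - name: scan-syft-grype
      template: scan-syft-grype
    - name: scan-crossguard
      template: scan-crossguard
    - name: upload-storage
      template: upload-storage
    - name: upload-defectdojo
      template: upload-defectdojo
    # Policy gate: must declare inputs.parameters `fail-on-cvss` (the DAG
    # passes it) and exit non-zero when a finding meets or exceeds it.
    - name: enforce-policy
      template: enforce-policy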