Elizabeth W
20 lines
1.2 KiB
Markdown
20 lines
1.2 KiB
Markdown
# Implementation Plan: Pulumi Crossguard
|
|
|
|
## Objective
|
|
Implement the Pulumi Crossguard policy enforcement step as a parallel task in the DAG.
|
|
|
|
## Requirements
|
|
- Define a task template named `scan-crossguard`.
|
|
- Depend on the `clone-repo` task.
|
|
- Mount the shared PVC at `/workspace`.
|
|
- Expect Pulumi credentials and cloud provider credentials (e.g., AWS/GCP) to be injected via Infisical as environment variables (using the initContainer logic).
|
|
- Run `pulumi preview --policy-pack <path>` inside the `/workspace`.
|
|
- Capture the output and convert/save it into a structured JSON/SARIF format at `/workspace/reports/crossguard.json`.
|
|
- Ensure the task exits successfully (`|| true`) to allow Phase 3 aggregation.
|
|
|
|
## Agent Instructions
|
|
1. Add the `scan-crossguard` template to the `ClusterWorkflowTemplate`.
|
|
2. Configure the Infisical initContainer to wait for Pulumi and Cloud credentials.
|
|
3. Wire it into the DAG alongside the other scanners.
|
|
4. **CRITICAL: File Splitting:** Do NOT put everything into one giant file! Split your YAML manifests or configurations into separate, smaller files (e.g. using separate Helm template files, configmaps, or helper scripts) to prevent exhausting the context window.
|