add working dir as input to step

2026-04-20 18:06:58 -06:00
parent 7f366204a9
commit 5bdf3fe114
9 changed files with 271 additions and 194 deletions
@@ -1,17 +1,18 @@
-{{- define "template.enforce-policy" }}
+{{- define "template.enforce-policy" -}}
 - name: enforce-policy
-      inputs:
-        parameters:
-          - name: fail-on-cvss
-      container:
-        image: agentguard-tools:latest
-        command:
-          - node
-          - /app/dist/enforce-policy.js
-        env:
-          - name: FAIL_ON_CVSS
-            value: "{{inputs.parameters.fail-on-cvss}}"
-      volumeMounts:
-        - name: workspace
-          mountPath: /workspace
+  inputs:
+    parameters:
+      - name: fail-on-cvss
+  container:
+    image: "{{ .Values.pipeline.toolsImage.repository }}:{{ .Values.pipeline.toolsImage.tag }}"
+    imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }}
+    command:
+      - node
+      - /app/dist/enforce-policy.js
+    env:
+      - name: FAIL_ON_CVSS
+        value: {{ `{{inputs.parameters.fail-on-cvss}}` | quote }}
+    volumeMounts:
+      - name: workspace
+        mountPath: /workspace
 {{- end }}
@@ -1,22 +1,25 @@
-{{- define "template.scan-kics" }}
+{{- define "template.scan-kics" -}}
 - name: scan-kics
-      container:
-        image: checkmarx/kics:1.7.14
-        command:
-          - sh
-          - -c
-        args:
-          - |
-            set -eu
-            mkdir -p /workspace/reports
-            kics scan -p /workspace -o /workspace/reports --report-formats sarif,json --output-name kics || true
-            if [ -f /workspace/reports/kics.sarif ]; then
-              exit 0
-            fi
-            if [ -f /workspace/reports/kics.json ]; then
-              cp /workspace/reports/kics.json /workspace/reports/kics.sarif
-            fi
-      volumeMounts:
-        - name: workspace
-          mountPath: /workspace
+  inputs:
+    parameters:
+      - name: working-dir
+  container:
+    image: {{ .Values.images.kics | quote }}
+    command:
+      - sh
+      - -c
+    args:
+      - |
+        set -eu
+        mkdir -p /workspace/reports
+        kics scan -p "/workspace/{{ `{{inputs.parameters.working-dir}}` }}" -o /workspace/reports --report-formats sarif,json --output-name kics || true
+        if [ -f /workspace/reports/kics.sarif ]; then
+          exit 0
+        fi
+        if [ -f /workspace/reports/kics.json ]; then
+          cp /workspace/reports/kics.json /workspace/reports/kics.sarif
+        fi
+    volumeMounts:
+      - name: workspace
+        mountPath: /workspace
 {{- end }}
@@ -1,16 +1,19 @@
-{{- define "template.scan-semgrep" }}
+{{- define "template.scan-semgrep" -}}
 - name: scan-semgrep
-      container:
-        image: returntocorp/semgrep:1.85.0
-        command:
-          - sh
-          - -c
-        args:
-          - |
-            set -eu
-            mkdir -p /workspace/reports
-            semgrep scan --config auto --sarif --output /workspace/reports/semgrep.sarif /workspace || true
-      volumeMounts:
-        - name: workspace
-          mountPath: /workspace
+  inputs:
+    parameters:
+      - name: working-dir
+  container:
+    image: {{ .Values.images.semgrep | quote }}
+    command:
+      - sh
+      - -c
+    args:
+      - |
+        set -eu
+        mkdir -p /workspace/reports
+        semgrep scan --config auto --sarif --output /workspace/reports/semgrep.sarif "/workspace/{{ `{{inputs.parameters.working-dir}}` }}" || true
+    volumeMounts:
+      - name: workspace
+        mountPath: /workspace
 {{- end }}
@@ -1,22 +1,25 @@
-{{- define "template.scan-socketdev" }}
+{{- define "template.scan-socketdev" -}}
 - name: scan-socketdev
-      container:
-        image: socketdev/socketcli:latest
-        env:
-          - name: SOCKET_DEV_API_KEY
-            valueFrom:
-              secretKeyRef:
-                name: amp-security-pipeline-secrets
-                key: SOCKET_DEV_API_KEY
-        command:
-          - sh
-          - -c
-        args:
-          - |
-            set -eu
-            mkdir -p /workspace/reports
-            socketdev scan /workspace --format json --output /workspace/reports/socketdev.json || true
-      volumeMounts:
-        - name: workspace
-          mountPath: /workspace
+  inputs:
+    parameters:
+      - name: working-dir
+  container:
+    image: {{ .Values.images.socketdev | quote }}
+    env:
+      - name: SOCKET_DEV_API_KEY
+        valueFrom:
+          secretKeyRef:
+            name: amp-security-pipeline-secrets
+            key: SOCKET_DEV_API_KEY
+    command:
+      - sh
+      - -c
+    args:
+      - |
+        set -eu
+        mkdir -p /workspace/reports
+        socketdev scan "/workspace/{{ `{{inputs.parameters.working-dir}}` }}" --format json --output /workspace/reports/socketdev.json || true
+    volumeMounts:
+      - name: workspace
+        mountPath: /workspace
 {{- end }}
@@ -1,17 +1,20 @@
-{{- define "template.scan-syft-grype" }}
+{{- define "template.scan-syft-grype" -}}
 - name: scan-syft-grype
-      container:
-        image: anchore/syft:latest
-        command:
-          - sh
-          - -c
-        args:
-          - |
-            set -eu
-            mkdir -p /workspace/reports
-            syft scan dir:/workspace -o cyclonedx-json=/workspace/reports/sbom.json || true
-            grype sbom:/workspace/reports/sbom.json -o sarif=/workspace/reports/grype.sarif || true
-      volumeMounts:
-        - name: workspace
-          mountPath: /workspace
+  inputs:
+    parameters:
+      - name: working-dir
+  container:
+    image: {{ .Values.images.syftGrype | quote }}
+    command:
+      - sh
+      - -c
+    args:
+      - |
+        set -eu
+        mkdir -p /workspace/reports
+        syft scan dir:/workspace/{{ `{{inputs.parameters.working-dir}}` }} -o cyclonedx-json=/workspace/reports/sbom.json || true
+        grype sbom:/workspace/reports/sbom.json -o sarif=/workspace/reports/grype.sarif || true
+    volumeMounts:
+      - name: workspace
+        mountPath: /workspace
 {{- end }}
@@ -1,16 +1,19 @@
-{{- define "template.scan-trufflehog" }}
+{{- define "template.scan-trufflehog" -}}
 - name: scan-trufflehog
-      container:
-        image: trufflesecurity/trufflehog:latest
-        command:
-          - sh
-          - -c
-        args:
-          - |
-            set -eu
-            mkdir -p /workspace/reports
-            trufflehog filesystem /workspace --json > /workspace/reports/trufflehog.json || true
-      volumeMounts:
-        - name: workspace
-          mountPath: /workspace
+  inputs:
+    parameters:
+      - name: working-dir
+  container:
+    image: {{ .Values.images.trufflehog | quote }}
+    command:
+      - sh
+      - -c
+    args:
+      - |
+        set -eu
+        mkdir -p /workspace/reports
+        trufflehog filesystem "/workspace/{{ `{{inputs.parameters.working-dir}}` }}" --json > /workspace/reports/trufflehog.json || true
+    volumeMounts:
+      - name: workspace
+        mountPath: /workspace
 {{- end }}
@@ -1,22 +1,39 @@
-{{- define "template.upload-defectdojo" }}
+{{- define "template.upload-defectdojo" -}}
 - name: upload-defectdojo
-      container:
-        image: agentguard-tools:latest
-        env:
-          - name: DEFECTDOJO_URL
-            valueFrom:
-              secretKeyRef:
-                name: amp-security-pipeline-secrets
-                key: DEFECTDOJO_URL
-          - name: DEFECTDOJO_API_TOKEN
-            valueFrom:
-              secretKeyRef:
-                name: amp-security-pipeline-secrets
-                key: DEFECTDOJO_API_TOKEN
-        command:
-          - node
-          - /app/dist/upload-defectdojo.js
-      volumeMounts:
-        - name: workspace
-          mountPath: /workspace
+  container:
+    image: "{{ .Values.pipeline.toolsImage.repository }}:{{ .Values.pipeline.toolsImage.tag }}"
+    imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }}
+    env:
+      - name: DEFECTDOJO_URL
+        valueFrom:
+          secretKeyRef:
+            name: amp-security-pipeline-secrets
+            key: DEFECTDOJO_URL
+      - name: DEFECTDOJO_API_TOKEN
+        valueFrom:
+          secretKeyRef:
+            name: amp-security-pipeline-secrets
+            key: DEFECTDOJO_API_TOKEN
+      - name: DEFECTDOJO_PRODUCT_TYPE_NAME
+        value: {{ .Values.defectdojo.productTypeName | quote }}
+      - name: DEFECTDOJO_PRODUCT_NAME
+        value: {{ .Values.defectdojo.productName | quote }}
+      - name: DEFECTDOJO_ENGAGEMENT_NAME
+        value: {{ .Values.defectdojo.engagementName | quote }}
+      - name: DEFECTDOJO_MINIMUM_SEVERITY
+        value: {{ .Values.defectdojo.minimumSeverity | quote }}
+      - name: DEFECTDOJO_ACTIVE
+        value: {{ .Values.defectdojo.active | quote }}
+      - name: DEFECTDOJO_VERIFIED
+        value: {{ .Values.defectdojo.verified | quote }}
+      - name: DEFECTDOJO_CLOSE_OLD_FINDINGS
+        value: {{ .Values.defectdojo.closeOldFindings | quote }}
+      - name: DEFECTDOJO_AUTO_CREATE_CONTEXT
+        value: {{ .Values.defectdojo.autoCreateContext | quote }}
+    command:
+      - node
+      - /app/dist/upload-defectdojo.js
+    volumeMounts:
+      - name: workspace
+        mountPath: /workspace
 {{- end }}
@@ -1,39 +1,49 @@
-{{- define "template.upload-storage" }}
+{{- define "template.upload-storage" -}}
 - name: upload-storage
-      container:
-        image: amazon/aws-cli:2.15.40
-        env:
-          - name: AWS_ACCESS_KEY_ID
-            valueFrom:
-              secretKeyRef:
-                name: amp-security-pipeline-secrets
-                key: AWS_ACCESS_KEY_ID
-          - name: AWS_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: amp-security-pipeline-secrets
-                key: AWS_SECRET_ACCESS_KEY
-          - name: MINIO_ROOT_USER
-            valueFrom:
-              secretKeyRef:
-                name: amp-security-pipeline-secrets
-                key: MINIO_ROOT_USER
-          - name: MINIO_ROOT_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: amp-security-pipeline-secrets
-                key: MINIO_ROOT_PASSWORD
-        command:
-          - sh
-          - -c
-        args:
-          - |
-            set -eu
-            repo_name="${REPO_NAME:-repo}"
-            commit_sha="${GIT_COMMIT_SHA:-unknown}"
-            report_date="$(date -u +%F)"
-            aws s3 sync /workspace/reports "s3://${REPORTS_BUCKET:-security-reports}/${repo_name}/${report_date}/${commit_sha}/"
-      volumeMounts:
-        - name: workspace
-          mountPath: /workspace
+  container:
+    image: {{ .Values.images.awsCli | quote }}
+    env:
+      - name: AWS_ACCESS_KEY_ID
+        valueFrom:
+          secretKeyRef:
+            name: amp-security-pipeline-secrets
+            key: AWS_ACCESS_KEY_ID
+      - name: AWS_SECRET_ACCESS_KEY
+        valueFrom:
+          secretKeyRef:
+            name: amp-security-pipeline-secrets
+            key: AWS_SECRET_ACCESS_KEY
+      - name: MINIO_ROOT_USER
+        valueFrom:
+          secretKeyRef:
+            name: amp-security-pipeline-secrets
+            key: MINIO_ROOT_USER
+      - name: MINIO_ROOT_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: amp-security-pipeline-secrets
+            key: MINIO_ROOT_PASSWORD
+      - name: REPORTS_BUCKET
+        value: {{ .Values.storage.reportsBucket | quote }}
+      - name: REPO_NAME
+        value: {{ .Values.pipeline.repoName | quote }}
+      - name: STORAGE_ENDPOINT
+        value: {{ .Values.storage.endpoint | quote }}
+    command:
+      - sh
+      - -c
+    args:
+      - |
+        set -eu
+        commit_sha="${GIT_COMMIT_SHA:-unknown}"
+        report_date="$(date -u +%F)"
+        sync_target="s3://${REPORTS_BUCKET}/${REPO_NAME}/${report_date}/${commit_sha}/"
+        if [ -n "${STORAGE_ENDPOINT}" ]; then
+          aws --endpoint-url "${STORAGE_ENDPOINT}" s3 sync /workspace/reports "${sync_target}"
+        else
+          aws s3 sync /workspace/reports "${sync_target}"
+        fi
+    volumeMounts:
+      - name: workspace
+        mountPath: /workspace
 {{- end }}