add working dir as input to step

2026-04-20 18:06:58 -06:00
parent 7f366204a9
commit 5bdf3fe114
9 changed files with 271 additions and 194 deletions
@@ -1,16 +1,17 @@
-{{- define "template.enforce-policy" }}
+{{- define "template.enforce-policy" -}}
 - name: enforce-policy
  inputs:
    parameters:
      - name: fail-on-cvss
  container:
-        image: agentguard-tools:latest
+    image: "{{ .Values.pipeline.toolsImage.repository }}:{{ .Values.pipeline.toolsImage.tag }}"
    imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }}
    command:
      - node
      - /app/dist/enforce-policy.js
    env:
      - name: FAIL_ON_CVSS
-            value: "{{inputs.parameters.fail-on-cvss}}"
+        value: {{ `{{inputs.parameters.fail-on-cvss}}` | quote }}
    volumeMounts:
      - name: workspace
        mountPath: /workspace
@@ -1,7 +1,10 @@
-{{- define "template.scan-kics" }}
+{{- define "template.scan-kics" -}}
 - name: scan-kics
  inputs:
    parameters:
      - name: working-dir
  container:
-        image: checkmarx/kics:1.7.14
+    image: {{ .Values.images.kics | quote }}
    command:
      - sh
      - -c
@@ -9,7 +12,7 @@
      - |
        set -eu
        mkdir -p /workspace/reports
-            kics scan -p /workspace -o /workspace/reports --report-formats sarif,json --output-name kics || true
+        kics scan -p "/workspace/{{ `{{inputs.parameters.working-dir}}` }}" -o /workspace/reports --report-formats sarif,json --output-name kics || true
        if [ -f /workspace/reports/kics.sarif ]; then
          exit 0
        fi
@@ -1,7 +1,10 @@
-{{- define "template.scan-semgrep" }}
+{{- define "template.scan-semgrep" -}}
 - name: scan-semgrep
  inputs:
    parameters:
      - name: working-dir
  container:
-        image: returntocorp/semgrep:1.85.0
+    image: {{ .Values.images.semgrep | quote }}
    command:
      - sh
      - -c
@@ -9,7 +12,7 @@
      - |
        set -eu
        mkdir -p /workspace/reports
-            semgrep scan --config auto --sarif --output /workspace/reports/semgrep.sarif /workspace || true
+        semgrep scan --config auto --sarif --output /workspace/reports/semgrep.sarif "/workspace/{{ `{{inputs.parameters.working-dir}}` }}" || true
    volumeMounts:
      - name: workspace
        mountPath: /workspace
@@ -1,7 +1,10 @@
-{{- define "template.scan-socketdev" }}
+{{- define "template.scan-socketdev" -}}
 - name: scan-socketdev
  inputs:
    parameters:
      - name: working-dir
  container:
-        image: socketdev/socketcli:latest
+    image: {{ .Values.images.socketdev | quote }}
    env:
      - name: SOCKET_DEV_API_KEY
        valueFrom:
@@ -15,7 +18,7 @@
      - |
        set -eu
        mkdir -p /workspace/reports
-            socketdev scan /workspace --format json --output /workspace/reports/socketdev.json || true
+        socketdev scan "/workspace/{{ `{{inputs.parameters.working-dir}}` }}" --format json --output /workspace/reports/socketdev.json || true
    volumeMounts:
      - name: workspace
        mountPath: /workspace
@@ -1,7 +1,10 @@
-{{- define "template.scan-syft-grype" }}
+{{- define "template.scan-syft-grype" -}}
 - name: scan-syft-grype
  inputs:
    parameters:
      - name: working-dir
  container:
-        image: anchore/syft:latest
+    image: {{ .Values.images.syftGrype | quote }}
    command:
      - sh
      - -c
@@ -9,7 +12,7 @@
      - |
        set -eu
        mkdir -p /workspace/reports
-            syft scan dir:/workspace -o cyclonedx-json=/workspace/reports/sbom.json || true
+        syft scan dir:/workspace/{{ `{{inputs.parameters.working-dir}}` }} -o cyclonedx-json=/workspace/reports/sbom.json || true
        grype sbom:/workspace/reports/sbom.json -o sarif=/workspace/reports/grype.sarif || true
    volumeMounts:
      - name: workspace
@@ -1,7 +1,10 @@
-{{- define "template.scan-trufflehog" }}
+{{- define "template.scan-trufflehog" -}}
 - name: scan-trufflehog
  inputs:
    parameters:
      - name: working-dir
  container:
-        image: trufflesecurity/trufflehog:latest
+    image: {{ .Values.images.trufflehog | quote }}
    command:
      - sh
      - -c
@@ -9,7 +12,7 @@
      - |
        set -eu
        mkdir -p /workspace/reports
-            trufflehog filesystem /workspace --json > /workspace/reports/trufflehog.json || true
+        trufflehog filesystem "/workspace/{{ `{{inputs.parameters.working-dir}}` }}" --json > /workspace/reports/trufflehog.json || true
    volumeMounts:
      - name: workspace
        mountPath: /workspace
@@ -1,7 +1,8 @@
-{{- define "template.upload-defectdojo" }}
+{{- define "template.upload-defectdojo" -}}
 - name: upload-defectdojo
  container:
-        image: agentguard-tools:latest
+    image: "{{ .Values.pipeline.toolsImage.repository }}:{{ .Values.pipeline.toolsImage.tag }}"
    imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }}
    env:
      - name: DEFECTDOJO_URL
        valueFrom:
@@ -13,6 +14,22 @@
          secretKeyRef:
            name: amp-security-pipeline-secrets
            key: DEFECTDOJO_API_TOKEN
      - name: DEFECTDOJO_PRODUCT_TYPE_NAME
        value: {{ .Values.defectdojo.productTypeName | quote }}
      - name: DEFECTDOJO_PRODUCT_NAME
        value: {{ .Values.defectdojo.productName | quote }}
      - name: DEFECTDOJO_ENGAGEMENT_NAME
        value: {{ .Values.defectdojo.engagementName | quote }}
      - name: DEFECTDOJO_MINIMUM_SEVERITY
        value: {{ .Values.defectdojo.minimumSeverity | quote }}
      - name: DEFECTDOJO_ACTIVE
        value: {{ .Values.defectdojo.active | quote }}
      - name: DEFECTDOJO_VERIFIED
        value: {{ .Values.defectdojo.verified | quote }}
      - name: DEFECTDOJO_CLOSE_OLD_FINDINGS
        value: {{ .Values.defectdojo.closeOldFindings | quote }}
      - name: DEFECTDOJO_AUTO_CREATE_CONTEXT
        value: {{ .Values.defectdojo.autoCreateContext | quote }}
    command:
      - node
      - /app/dist/upload-defectdojo.js
@@ -1,7 +1,7 @@
-{{- define "template.upload-storage" }}
+{{- define "template.upload-storage" -}}
 - name: upload-storage
  container:
-        image: amazon/aws-cli:2.15.40
+    image: {{ .Values.images.awsCli | quote }}
    env:
      - name: AWS_ACCESS_KEY_ID
        valueFrom:
@@ -23,16 +23,26 @@
          secretKeyRef:
            name: amp-security-pipeline-secrets
            key: MINIO_ROOT_PASSWORD
      - name: REPORTS_BUCKET
        value: {{ .Values.storage.reportsBucket | quote }}
      - name: REPO_NAME
        value: {{ .Values.pipeline.repoName | quote }}
      - name: STORAGE_ENDPOINT
        value: {{ .Values.storage.endpoint | quote }}
    command:
      - sh
      - -c
    args:
      - |
        set -eu
            repo_name="${REPO_NAME:-repo}"
        commit_sha="${GIT_COMMIT_SHA:-unknown}"
        report_date="$(date -u +%F)"
-            aws s3 sync /workspace/reports "s3://${REPORTS_BUCKET:-security-reports}/${repo_name}/${report_date}/${commit_sha}/"
+        sync_target="s3://${REPORTS_BUCKET}/${REPO_NAME}/${report_date}/${commit_sha}/"
        if [ -n "${STORAGE_ENDPOINT}" ]; then
          aws --endpoint-url "${STORAGE_ENDPOINT}" s3 sync /workspace/reports "${sync_target}"
        else
          aws s3 sync /workspace/reports "${sync_target}"
        fi
    volumeMounts:
      - name: workspace
        mountPath: /workspace
@@ -1,68 +1,102 @@
-import * as fs from 'node:fs';
+import { promises as fs } from 'node:fs';
 import * as path from 'node:path';
 import { fileURLToPath } from 'node:url';
-export async function uploadReports() {
+function resolveScanType(fileName: string): string | undefined {
-    const baseUrl = (process.env.DEFECTDOJO_URL || "").replace(/\/$/, "");
+    if (fileName.endsWith('.sarif')) {
        return 'SARIF';
    }
    if (fileName === 'generic-findings.json') {
        return 'Generic Findings Import';
    }
    return undefined;
 }
 export async function uploadReports(): Promise<void> {
    const baseUrl = (process.env.DEFECTDOJO_URL || '').replace(/\/$/, '');
    const apiToken = process.env.DEFECTDOJO_API_TOKEN;
-    const productName = process.env.DEFECTDOJO_PRODUCT_NAME || "agentguard-ci";
+    const productTypeName = process.env.DEFECTDOJO_PRODUCT_TYPE_NAME || 'Homelab Security';
    const productName = process.env.DEFECTDOJO_PRODUCT_NAME || 'agentguard-ci';
    const engagementName = process.env.DEFECTDOJO_ENGAGEMENT_NAME || 'Default Pipeline';
    const minimumSeverity = process.env.DEFECTDOJO_MINIMUM_SEVERITY || 'Info';
    const active = process.env.DEFECTDOJO_ACTIVE || 'true';
    const verified = process.env.DEFECTDOJO_VERIFIED || 'true';
    const closeOldFindings = process.env.DEFECTDOJO_CLOSE_OLD_FINDINGS || 'false';
    const autoCreateContext = process.env.DEFECTDOJO_AUTO_CREATE_CONTEXT || 'true';
    if (!baseUrl || !apiToken) {
-        console.error("DEFECTDOJO_URL and DEFECTDOJO_API_TOKEN must be set.");
+        console.error('DEFECTDOJO_URL and DEFECTDOJO_API_TOKEN must be set.');
        process.exit(1);
    }
-    const scanMap: Record<string, string> = {
+    const reportsDir = '/workspace/reports';
-        ".sarif": "SARIF",
+    let fileNames: string[];
        ".json": "Generic Findings Import",
    };
-    const reportsDir = "/workspace/reports";
+    try {
-    if (!fs.existsSync(reportsDir)) {
+        fileNames = (await fs.readdir(reportsDir)).sort();
-        console.log("No reports directory found.");
+    } catch {
        console.log('No reports directory found.');
        return;
    }
-    const files = fs.readdirSync(reportsDir).sort();
+    for (const fileName of fileNames) {
        const fullPath = path.join(reportsDir, fileName);
        const stats = await fs.stat(fullPath);
        if (!stats.isFile()) {
            continue;
        }
-    for (const file of files) {
+        const scanType = resolveScanType(fileName);
-        const fullPath = path.join(reportsDir, file);
+        if (!scanType) {
-        if (!fs.statSync(fullPath).isFile()) continue;
+            console.log(`Skipping ${fileName}: no DefectDojo importer is configured for this file yet.`);
            continue;
        }
-        const ext = path.extname(file);
+        const reportContents = await fs.readFile(fullPath);
-        const scanType = scanMap[ext];
+        const form = new FormData();
-        if (!scanType) continue;
+        form.append('scan_type', scanType);
        form.append('product_type_name', productTypeName);
        form.append('product_name', productName);
        form.append('engagement_name', engagementName);
        form.append('test_title', fileName);
        form.append('minimum_severity', minimumSeverity);
        form.append('active', active);
        form.append('verified', verified);
        form.append('close_old_findings', closeOldFindings);
        form.append('auto_create_context', autoCreateContext);
        form.append('file', new Blob([reportContents]), fileName);
-        console.log(`Uploading ${file} as ${scanType}...`);
+        console.log(`Uploading ${fileName} to DefectDojo as ${scanType}...`);
        try {
-            const response = await fetch(`${baseUrl}/api/v2/import-scan/`, {
+            const response = await fetch(`${baseUrl}/api/v2/reimport-scan/`, {
-                method: "POST",
+                method: 'POST',
                headers: {
-                    "Authorization": `Token ${apiToken}`,
+                    Authorization: `Token ${apiToken}`,
                    "Content-Type": "application/json",
                },
-                body: JSON.stringify({
+                body: form,
                    scan_type: scanType,
                    product_name: productName,
                    file_name: file,
                })
            });
            if (!response.ok) {
                const text = await response.text();
-                console.error(`Failed to upload ${file}: ${response.status} ${response.statusText} - ${text}`);
+                console.error(`Failed to upload ${fileName}: ${response.status} ${response.statusText} - ${text}`);
                process.exitCode = 1;
-            } else {
+                continue;
                console.log(`Successfully uploaded ${file}`);
            }
-        } catch (e) {
+
-            console.error(`Network error uploading ${file}:`, e);
+            console.log(`Successfully uploaded ${fileName}`);
        } catch (error) {
            console.error(`Network error uploading ${fileName}:`, error);
            process.exitCode = 1;
        }
    }
 }
 if (process.argv[1] && fileURLToPath(import.meta.url) === process.argv[1]) {
-    uploadReports();
+    uploadReports().catch((error: unknown) => {
        console.error('Unexpected upload failure:', error);
        process.exit(1);
    });
 }