ada/agentguard-ci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add working dir as input to step

Browse Source
This commit is contained in:
ada
2026-04-20 18:06:58 -06:00
parent 7f366204a9
commit 5bdf3fe114
9 changed files with 271 additions and 194 deletions
Download Patch File Download Diff File Expand all files Collapse all files
helm/templates/_enforce-policy.yaml
+4 -3
View File
@@ -1,16 +1,17 @@
{{- define "template.enforce-policy" }}
{{- define "template.enforce-policy" -}}
- name: enforce-policy
inputs:
parameters:
- name: fail-on-cvss
container:
image: agentguard-tools:latest
image: "{{ .Values.pipeline.toolsImage.repository }}:{{ .Values.pipeline.toolsImage.tag }}"
imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }}
command:
- node
- /app/dist/enforce-policy.js
env:
- name: FAIL_ON_CVSS
value: "{{inputs.parameters.fail-on-cvss}}"
value: {{ `{{inputs.parameters.fail-on-cvss}}` | quote }}
volumeMounts:
- name: workspace
mountPath: /workspace
helm/templates/_scan-kics.yaml
+6 -3
View File
@@ -1,7 +1,10 @@
{{- define "template.scan-kics" }}
{{- define "template.scan-kics" -}}
- name: scan-kics
inputs:
parameters:
- name: working-dir
container:
image: checkmarx/kics:1.7.14
image: {{ .Values.images.kics | quote }}
command:
- sh
- -c
@@ -9,7 +12,7 @@
- |
set -eu
mkdir -p /workspace/reports
kics scan -p /workspace -o /workspace/reports --report-formats sarif,json --output-name kics || true
kics scan -p "/workspace/{{ `{{inputs.parameters.working-dir}}` }}" -o /workspace/reports --report-formats sarif,json --output-name kics || true
if [ -f /workspace/reports/kics.sarif ]; then
exit 0
fi
helm/templates/_scan-semgrep.yaml
+6 -3
View File
@@ -1,7 +1,10 @@
{{- define "template.scan-semgrep" }}
{{- define "template.scan-semgrep" -}}
- name: scan-semgrep
inputs:
parameters:
- name: working-dir
container:
image: returntocorp/semgrep:1.85.0
image: {{ .Values.images.semgrep | quote }}
command:
- sh
- -c
@@ -9,7 +12,7 @@
- |
set -eu
mkdir -p /workspace/reports
semgrep scan --config auto --sarif --output /workspace/reports/semgrep.sarif /workspace || true
semgrep scan --config auto --sarif --output /workspace/reports/semgrep.sarif "/workspace/{{ `{{inputs.parameters.working-dir}}` }}" || true
volumeMounts:
- name: workspace
mountPath: /workspace
helm/templates/_scan-socketdev.yaml
+6 -3
View File
@@ -1,7 +1,10 @@
{{- define "template.scan-socketdev" }}
{{- define "template.scan-socketdev" -}}
- name: scan-socketdev
inputs:
parameters:
- name: working-dir
container:
image: socketdev/socketcli:latest
image: {{ .Values.images.socketdev | quote }}
env:
- name: SOCKET_DEV_API_KEY
valueFrom:
@@ -15,7 +18,7 @@
- |
set -eu
mkdir -p /workspace/reports
socketdev scan /workspace --format json --output /workspace/reports/socketdev.json || true
socketdev scan "/workspace/{{ `{{inputs.parameters.working-dir}}` }}" --format json --output /workspace/reports/socketdev.json || true
volumeMounts:
- name: workspace
mountPath: /workspace
helm/templates/_scan-syft-grype.yaml
+6 -3
View File
@@ -1,7 +1,10 @@
{{- define "template.scan-syft-grype" }}
{{- define "template.scan-syft-grype" -}}
- name: scan-syft-grype
inputs:
parameters:
- name: working-dir
container:
image: anchore/syft:latest
image: {{ .Values.images.syftGrype | quote }}
command:
- sh
- -c
@@ -9,7 +12,7 @@
- |
set -eu
mkdir -p /workspace/reports
syft scan dir:/workspace -o cyclonedx-json=/workspace/reports/sbom.json || true
syft scan dir:/workspace/{{ `{{inputs.parameters.working-dir}}` }} -o cyclonedx-json=/workspace/reports/sbom.json || true
grype sbom:/workspace/reports/sbom.json -o sarif=/workspace/reports/grype.sarif || true
volumeMounts:
- name: workspace
helm/templates/_scan-trufflehog.yaml
+6 -3
View File
@@ -1,7 +1,10 @@
{{- define "template.scan-trufflehog" }}
{{- define "template.scan-trufflehog" -}}
- name: scan-trufflehog
inputs:
parameters:
- name: working-dir
container:
image: trufflesecurity/trufflehog:latest
image: {{ .Values.images.trufflehog | quote }}
command:
- sh
- -c
@@ -9,7 +12,7 @@
- |
set -eu
mkdir -p /workspace/reports
trufflehog filesystem /workspace --json > /workspace/reports/trufflehog.json || true
trufflehog filesystem "/workspace/{{ `{{inputs.parameters.working-dir}}` }}" --json > /workspace/reports/trufflehog.json || true
volumeMounts:
- name: workspace
mountPath: /workspace
helm/templates/_upload-defectdojo.yaml
+19 -2
View File
@@ -1,7 +1,8 @@
{{- define "template.upload-defectdojo" }}
{{- define "template.upload-defectdojo" -}}
- name: upload-defectdojo
container:
image: agentguard-tools:latest
image: "{{ .Values.pipeline.toolsImage.repository }}:{{ .Values.pipeline.toolsImage.tag }}"
imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }}
env:
- name: DEFECTDOJO_URL
valueFrom:
@@ -13,6 +14,22 @@
secretKeyRef:
name: amp-security-pipeline-secrets
key: DEFECTDOJO_API_TOKEN
- name: DEFECTDOJO_PRODUCT_TYPE_NAME
value: {{ .Values.defectdojo.productTypeName | quote }}
- name: DEFECTDOJO_PRODUCT_NAME
value: {{ .Values.defectdojo.productName | quote }}
- name: DEFECTDOJO_ENGAGEMENT_NAME
value: {{ .Values.defectdojo.engagementName | quote }}
- name: DEFECTDOJO_MINIMUM_SEVERITY
value: {{ .Values.defectdojo.minimumSeverity | quote }}
- name: DEFECTDOJO_ACTIVE
value: {{ .Values.defectdojo.active | quote }}
- name: DEFECTDOJO_VERIFIED
value: {{ .Values.defectdojo.verified | quote }}
- name: DEFECTDOJO_CLOSE_OLD_FINDINGS
value: {{ .Values.defectdojo.closeOldFindings | quote }}
- name: DEFECTDOJO_AUTO_CREATE_CONTEXT
value: {{ .Values.defectdojo.autoCreateContext | quote }}
command:
- node
- /app/dist/upload-defectdojo.js
helm/templates/_upload-storage.yaml
+14 -4
View File
@@ -1,7 +1,7 @@
{{- define "template.upload-storage" }}
{{- define "template.upload-storage" -}}
- name: upload-storage
container:
image: amazon/aws-cli:2.15.40
image: {{ .Values.images.awsCli | quote }}
env:
- name: AWS_ACCESS_KEY_ID
valueFrom:
@@ -23,16 +23,26 @@
secretKeyRef:
name: amp-security-pipeline-secrets
key: MINIO_ROOT_PASSWORD
- name: REPORTS_BUCKET
value: {{ .Values.storage.reportsBucket | quote }}
- name: REPO_NAME
value: {{ .Values.pipeline.repoName | quote }}
- name: STORAGE_ENDPOINT
value: {{ .Values.storage.endpoint | quote }}
command:
- sh
- -c
args:
- |
set -eu
repo_name="${REPO_NAME:-repo}"
commit_sha="${GIT_COMMIT_SHA:-unknown}"
report_date="$(date -u +%F)"
aws s3 sync /workspace/reports "s3://${REPORTS_BUCKET:-security-reports}/${repo_name}/${report_date}/${commit_sha}/"
sync_target="s3://${REPORTS_BUCKET}/${REPO_NAME}/${report_date}/${commit_sha}/"
if [ -n "${STORAGE_ENDPOINT}" ]; then
aws --endpoint-url "${STORAGE_ENDPOINT}" s3 sync /workspace/reports "${sync_target}"
else
aws s3 sync /workspace/reports "${sync_target}"
fi
volumeMounts:
- name: workspace
mountPath: /workspace
tools/src/upload-defectdojo.ts
+69 -35
View File
@@ -1,68 +1,102 @@
import * as fs from 'node:fs';
import { promises as fs } from 'node:fs';
import * as path from 'node:path';
import { fileURLToPath } from 'node:url';
export async function uploadReports() {
const baseUrl = (process.env.DEFECTDOJO_URL || "").replace(/\/$/, "");
function resolveScanType(fileName: string): string | undefined {
if (fileName.endsWith('.sarif')) {
return 'SARIF';
}
if (fileName === 'generic-findings.json') {
return 'Generic Findings Import';
}
return undefined;
}
export async function uploadReports(): Promise<void> {
const baseUrl = (process.env.DEFECTDOJO_URL || '').replace(/\/$/, '');
const apiToken = process.env.DEFECTDOJO_API_TOKEN;
const productName = process.env.DEFECTDOJO_PRODUCT_NAME || "agentguard-ci";
const productTypeName = process.env.DEFECTDOJO_PRODUCT_TYPE_NAME || 'Homelab Security';
const productName = process.env.DEFECTDOJO_PRODUCT_NAME || 'agentguard-ci';
const engagementName = process.env.DEFECTDOJO_ENGAGEMENT_NAME || 'Default Pipeline';
const minimumSeverity = process.env.DEFECTDOJO_MINIMUM_SEVERITY || 'Info';
const active = process.env.DEFECTDOJO_ACTIVE || 'true';
const verified = process.env.DEFECTDOJO_VERIFIED || 'true';
const closeOldFindings = process.env.DEFECTDOJO_CLOSE_OLD_FINDINGS || 'false';
const autoCreateContext = process.env.DEFECTDOJO_AUTO_CREATE_CONTEXT || 'true';
if (!baseUrl || !apiToken) {
console.error("DEFECTDOJO_URL and DEFECTDOJO_API_TOKEN must be set.");
console.error('DEFECTDOJO_URL and DEFECTDOJO_API_TOKEN must be set.');
process.exit(1);
}
const scanMap: Record<string, string> = {
".sarif": "SARIF",
".json": "Generic Findings Import",
};
const reportsDir = '/workspace/reports';
let fileNames: string[];
const reportsDir = "/workspace/reports";
if (!fs.existsSync(reportsDir)) {
console.log("No reports directory found.");
try {
fileNames = (await fs.readdir(reportsDir)).sort();
} catch {
console.log('No reports directory found.');
return;
}
const files = fs.readdirSync(reportsDir).sort();
for (const fileName of fileNames) {
const fullPath = path.join(reportsDir, fileName);
const stats = await fs.stat(fullPath);
if (!stats.isFile()) {
continue;
}
for (const file of files) {
const fullPath = path.join(reportsDir, file);
if (!fs.statSync(fullPath).isFile()) continue;
const scanType = resolveScanType(fileName);
if (!scanType) {
console.log(`Skipping ${fileName}: no DefectDojo importer is configured for this file yet.`);
continue;
}
const ext = path.extname(file);
const scanType = scanMap[ext];
if (!scanType) continue;
const reportContents = await fs.readFile(fullPath);
const form = new FormData();
form.append('scan_type', scanType);
form.append('product_type_name', productTypeName);
form.append('product_name', productName);
form.append('engagement_name', engagementName);
form.append('test_title', fileName);
form.append('minimum_severity', minimumSeverity);
form.append('active', active);
form.append('verified', verified);
form.append('close_old_findings', closeOldFindings);
form.append('auto_create_context', autoCreateContext);
form.append('file', new Blob([reportContents]), fileName);
console.log(`Uploading ${file} as ${scanType}...`);
console.log(`Uploading ${fileName} to DefectDojo as ${scanType}...`);
try {
const response = await fetch(`${baseUrl}/api/v2/import-scan/`, {
method: "POST",
const response = await fetch(`${baseUrl}/api/v2/reimport-scan/`, {
method: 'POST',
headers: {
"Authorization": `Token ${apiToken}`,
"Content-Type": "application/json",
Authorization: `Token ${apiToken}`,
},
body: JSON.stringify({
scan_type: scanType,
product_name: productName,
file_name: file,
})
body: form,
});
if (!response.ok) {
const text = await response.text();
console.error(`Failed to upload ${file}: ${response.status} ${response.statusText} - ${text}`);
console.error(`Failed to upload ${fileName}: ${response.status} ${response.statusText} - ${text}`);
process.exitCode = 1;
} else {
console.log(`Successfully uploaded ${file}`);
continue;
}
} catch (e) {
console.error(`Network error uploading ${file}:`, e);
console.log(`Successfully uploaded ${fileName}`);
} catch (error) {
console.error(`Network error uploading ${fileName}:`, error);
process.exitCode = 1;
}
}
}
if (process.argv[1] && fileURLToPath(import.meta.url) === process.argv[1]) {
uploadReports();
uploadReports().catch((error: unknown) => {
console.error('Unexpected upload failure:', error);
process.exit(1);
});
}