diff --git a/helm/templates/clusterworkflowtemplate.yaml b/helm/templates/clusterworkflowtemplate.yaml index 8308631..abef0e0 100644 --- a/helm/templates/clusterworkflowtemplate.yaml +++ b/helm/templates/clusterworkflowtemplate.yaml @@ -2,10 +2,11 @@ apiVersion: argoproj.io/v1alpha1 kind: ClusterWorkflowTemplate metadata: - name: amp-security-pipeline-v1.0.0 + name: {{ .Values.pipeline.name | quote }} spec: - serviceAccountName: default + serviceAccountName: {{ .Values.pipeline.serviceAccountName | quote }} entrypoint: security-pipeline + onExit: pipeline-exit-hook volumeClaimTemplates: - metadata: name: workspace @@ -14,16 +15,16 @@ spec: - ReadWriteOnce resources: requests: - storage: 1Gi + storage: {{ .Values.pipeline.workspace.storage | quote }} arguments: parameters: - name: working-dir - value: . + value: {{ .Values.pipeline.workingDir | quote }} - name: fail-on-cvss - value: "7.0" + value: {{ .Values.pipeline.failOnCvss | quote }} - name: repo-url - name: git-revision - value: main + value: {{ .Values.pipeline.gitRevision | quote }} templates: - name: security-pipeline dag: @@ -33,9 +34,9 @@ spec: arguments: parameters: - name: repo-url - value: "{{workflow.parameters.repo-url}}" + value: {{ `{{workflow.parameters.repo-url}}` | quote }} - name: git-revision - value: "{{workflow.parameters.git-revision}}" + value: {{ `{{workflow.parameters.git-revision}}` | quote }} - name: scanners dependencies: - clone @@ -43,42 +44,39 @@ spec: arguments: parameters: - name: working-dir - value: "{{workflow.parameters.working-dir}}" - - name: fail-on-cvss - value: "{{workflow.parameters.fail-on-cvss}}" - - name: upload-storage - dependencies: - - scanners - template: upload-storage - - name: upload-defectdojo - dependencies: - - scanners - template: upload-defectdojo + value: {{ `{{workflow.parameters.working-dir}}` | quote }} - name: enforce-policy dependencies: - - upload-storage - - upload-defectdojo + - scanners template: enforce-policy arguments: parameters: - name: fail-on-cvss - value: "{{workflow.parameters.fail-on-cvss}}" - - name: sinks-and-enforcement + value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }} +{{- if .Values.storage.enabled }} + - name: upload-storage dependencies: - scanners - template: sinks-and-enforcement + template: upload-storage +{{- end }} +{{- if .Values.defectdojo.enabled }} + - name: upload-defectdojo + dependencies: + - scanners + template: upload-defectdojo +{{- end }} - name: clone-repo inputs: parameters: - name: repo-url - name: git-revision container: - image: alpine/git:2.45.2 + image: {{ .Values.images.git | quote }} command: - sh - -c args: - - git clone --branch "{{inputs.parameters.git-revision}}" --single-branch "{{inputs.parameters.repo-url}}" /workspace + - git clone --branch {{ `{{inputs.parameters.git-revision}}` | quote }} --single-branch {{ `{{inputs.parameters.repo-url}}` | quote }} /workspace volumeMounts: - name: workspace mountPath: /workspace @@ -86,37 +84,37 @@ spec: inputs: parameters: - name: working-dir - - name: fail-on-cvss dag: tasks: - {{- range $scanner := list "trufflehog" "semgrep" "kics" "socketdev" "syft-grype" "defectdojo" }} + {{- range $scanner := list "trufflehog" "semgrep" "kics" "socketdev" "syft-grype" "pulumi-crossguard" }} - name: {{ $scanner }} template: scan-{{ $scanner }} arguments: parameters: - name: working-dir - value: "{{inputs.parameters.working-dir}}" + value: {{ `{{inputs.parameters.working-dir}}` | quote }} {{- end }} - - name: sinks-and-enforcement + - name: pipeline-exit-hook container: - image: curlimages/curl:latest + image: {{ .Values.images.curl | quote }} command: - sh - -c args: - | set -eu - echo "Pipeline complete. You can configure a webhook notification here." - if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then - curl -X POST -H 'Content-type: application/json' --data '{"text":"Security Pipeline Finished"}' "${SLACK_WEBHOOK_URL}" || true - fi -{{ include "template.scan-syft-grype" . | indent 4 }} -{{ include "template.scan-socketdev" . | indent 4 }} -{{ include "template.scan-defectdojo" . | indent 4 }} -{{ include "template.scan-semgrep" . | indent 4 }} -{{ include "template.scan-trufflehog" . | indent 4 }} -{{ include "template.scan-kics" . | indent 4 }} -{{ include "template.upload-defectdojo" . | indent 4 }} -{{ include "template.upload-storage" . | indent 4 }} -{{ include "template.enforce-policy" . | indent 4 }} + echo "Pipeline completed with status: {{ `{{workflow.status}}` }}" +{{ include "template.scan-trufflehog" . | nindent 4 }} +{{ include "template.scan-semgrep" . | nindent 4 }} +{{ include "template.scan-kics" . | nindent 4 }} +{{ include "template.scan-socketdev" . | nindent 4 }} +{{ include "template.scan-syft-grype" . | nindent 4 }} +{{ include "template.scan-pulumi-crossguard" . | nindent 4 }} +{{- if .Values.storage.enabled }} +{{ include "template.upload-storage" . | nindent 4 }} +{{- end }} +{{- if .Values.defectdojo.enabled }} +{{ include "template.upload-defectdojo" . | nindent 4 }} +{{- end }} +{{ include "template.enforce-policy" . | nindent 4 }} {{- end }}