ada/agentguard-ci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

redo flow to have configurable upload and defectdojo

Browse Source
This commit is contained in:
ada
2026-04-20 18:07:32 -06:00
parent 5bdf3fe114
commit 6f0252776f
1 changed files with 42 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files
helm/templates/clusterworkflowtemplate.yaml
+42 -44
View File
@@ -2,10 +2,11 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate kind: ClusterWorkflowTemplate
metadata: metadata:
name: amp-security-pipeline-v1.0.0 name: {{ .Values.pipeline.name | quote }}
spec: spec:
serviceAccountName: default serviceAccountName: {{ .Values.pipeline.serviceAccountName | quote }}
entrypoint: security-pipeline entrypoint: security-pipeline
onExit: pipeline-exit-hook
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
name: workspace name: workspace
@@ -14,16 +15,16 @@ spec:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: 1Gi storage: {{ .Values.pipeline.workspace.storage | quote }}
arguments: arguments:
parameters: parameters:
- name: working-dir - name: working-dir
value: . value: {{ .Values.pipeline.workingDir | quote }}
- name: fail-on-cvss - name: fail-on-cvss
value: "7.0" value: {{ .Values.pipeline.failOnCvss | quote }}
- name: repo-url - name: repo-url
- name: git-revision - name: git-revision
value: main value: {{ .Values.pipeline.gitRevision | quote }}
templates: templates:
- name: security-pipeline - name: security-pipeline
dag: dag:
@@ -33,9 +34,9 @@ spec:
arguments: arguments:
parameters: parameters:
- name: repo-url - name: repo-url
value: "{{workflow.parameters.repo-url}}" value: {{ `{{workflow.parameters.repo-url}}` | quote }}
- name: git-revision - name: git-revision
value: "{{workflow.parameters.git-revision}}" value: {{ `{{workflow.parameters.git-revision}}` | quote }}
- name: scanners - name: scanners
dependencies: dependencies:
- clone - clone
@@ -43,42 +44,39 @@ spec:
arguments: arguments:
parameters: parameters:
- name: working-dir - name: working-dir
value: "{{workflow.parameters.working-dir}}" value: {{ `{{workflow.parameters.working-dir}}` | quote }}
- name: fail-on-cvss
value: "{{workflow.parameters.fail-on-cvss}}"
- name: upload-storage
dependencies:
- scanners
template: upload-storage
- name: upload-defectdojo
dependencies:
- scanners
template: upload-defectdojo
- name: enforce-policy - name: enforce-policy
dependencies: dependencies:
- upload-storage - scanners
- upload-defectdojo
template: enforce-policy template: enforce-policy
arguments: arguments:
parameters: parameters:
- name: fail-on-cvss - name: fail-on-cvss
value: "{{workflow.parameters.fail-on-cvss}}" value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }}
- name: sinks-and-enforcement {{- if .Values.storage.enabled }}
- name: upload-storage
dependencies: dependencies:
- scanners - scanners
template: sinks-and-enforcement template: upload-storage
{{- end }}
{{- if .Values.defectdojo.enabled }}
- name: upload-defectdojo
dependencies:
- scanners
template: upload-defectdojo
{{- end }}
- name: clone-repo - name: clone-repo
inputs: inputs:
parameters: parameters:
- name: repo-url - name: repo-url
- name: git-revision - name: git-revision
container: container:
image: alpine/git:2.45.2 image: {{ .Values.images.git | quote }}
command: command:
- sh - sh
- -c - -c
args: args:
- git clone --branch "{{inputs.parameters.git-revision}}" --single-branch "{{inputs.parameters.repo-url}}" /workspace - git clone --branch {{ `{{inputs.parameters.git-revision}}` | quote }} --single-branch {{ `{{inputs.parameters.repo-url}}` | quote }} /workspace
volumeMounts: volumeMounts:
- name: workspace - name: workspace
mountPath: /workspace mountPath: /workspace
@@ -86,37 +84,37 @@ spec:
inputs: inputs:
parameters: parameters:
- name: working-dir - name: working-dir
- name: fail-on-cvss
dag: dag:
tasks: tasks:
{{- range $scanner := list "trufflehog" "semgrep" "kics" "socketdev" "syft-grype" "defectdojo" }} {{- range $scanner := list "trufflehog" "semgrep" "kics" "socketdev" "syft-grype" "pulumi-crossguard" }}
- name: {{ $scanner }} - name: {{ $scanner }}
template: scan-{{ $scanner }} template: scan-{{ $scanner }}
arguments: arguments:
parameters: parameters:
- name: working-dir - name: working-dir
value: "{{inputs.parameters.working-dir}}" value: {{ `{{inputs.parameters.working-dir}}` | quote }}
{{- end }} {{- end }}
- name: sinks-and-enforcement - name: pipeline-exit-hook
container: container:
image: curlimages/curl:latest image: {{ .Values.images.curl | quote }}
command: command:
- sh - sh
- -c - -c
args: args:
- | - |
set -eu set -eu
echo "Pipeline complete. You can configure a webhook notification here." echo "Pipeline completed with status: {{ `{{workflow.status}}` }}"
if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then {{ include "template.scan-trufflehog" . | nindent 4 }}
curl -X POST -H 'Content-type: application/json' --data '{"text":"Security Pipeline Finished"}' "${SLACK_WEBHOOK_URL}" || true {{ include "template.scan-semgrep" . | nindent 4 }}
fi {{ include "template.scan-kics" . | nindent 4 }}
{{ include "template.scan-syft-grype" . | indent 4 }} {{ include "template.scan-socketdev" . | nindent 4 }}
{{ include "template.scan-socketdev" . | indent 4 }} {{ include "template.scan-syft-grype" . | nindent 4 }}
{{ include "template.scan-defectdojo" . | indent 4 }} {{ include "template.scan-pulumi-crossguard" . | nindent 4 }}
{{ include "template.scan-semgrep" . | indent 4 }} {{- if .Values.storage.enabled }}
{{ include "template.scan-trufflehog" . | indent 4 }} {{ include "template.upload-storage" . | nindent 4 }}
{{ include "template.scan-kics" . | indent 4 }} {{- end }}
{{ include "template.upload-defectdojo" . | indent 4 }} {{- if .Values.defectdojo.enabled }}
{{ include "template.upload-storage" . | indent 4 }} {{ include "template.upload-defectdojo" . | nindent 4 }}
{{ include "template.enforce-policy" . | indent 4 }} {{- end }}
{{ include "template.enforce-policy" . | nindent 4 }}
{{- end }} {{- end }}