ada/agentguard-ci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

redo flow to have configurable upload and defectdojo

Browse Source
This commit is contained in:
ada
2026-04-20 18:07:32 -06:00
parent 5bdf3fe114
commit 6f0252776f
1 changed files with 42 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files
helm/templates/clusterworkflowtemplate.yaml
+42 -44
View File
@@ -2,10 +2,11 @@
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
name: amp-security-pipeline-v1.0.0
name: {{ .Values.pipeline.name | quote }}
spec:
serviceAccountName: default
serviceAccountName: {{ .Values.pipeline.serviceAccountName | quote }}
entrypoint: security-pipeline
onExit: pipeline-exit-hook
volumeClaimTemplates:
- metadata:
name: workspace
@@ -14,16 +15,16 @@ spec:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storage: {{ .Values.pipeline.workspace.storage | quote }}
arguments:
parameters:
- name: working-dir
value: .
value: {{ .Values.pipeline.workingDir | quote }}
- name: fail-on-cvss
value: "7.0"
value: {{ .Values.pipeline.failOnCvss | quote }}
- name: repo-url
- name: git-revision
value: main
value: {{ .Values.pipeline.gitRevision | quote }}
templates:
- name: security-pipeline
dag:
@@ -33,9 +34,9 @@ spec:
arguments:
parameters:
- name: repo-url
value: "{{workflow.parameters.repo-url}}"
value: {{ `{{workflow.parameters.repo-url}}` | quote }}
- name: git-revision
value: "{{workflow.parameters.git-revision}}"
value: {{ `{{workflow.parameters.git-revision}}` | quote }}
- name: scanners
dependencies:
- clone
@@ -43,42 +44,39 @@ spec:
arguments:
parameters:
- name: working-dir
value: "{{workflow.parameters.working-dir}}"
- name: fail-on-cvss
value: "{{workflow.parameters.fail-on-cvss}}"
- name: upload-storage
dependencies:
- scanners
template: upload-storage
- name: upload-defectdojo
dependencies:
- scanners
template: upload-defectdojo
value: {{ `{{workflow.parameters.working-dir}}` | quote }}
- name: enforce-policy
dependencies:
- upload-storage
- upload-defectdojo
- scanners
template: enforce-policy
arguments:
parameters:
- name: fail-on-cvss
value: "{{workflow.parameters.fail-on-cvss}}"
- name: sinks-and-enforcement
value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }}
{{- if .Values.storage.enabled }}
- name: upload-storage
dependencies:
- scanners
template: sinks-and-enforcement
template: upload-storage
{{- end }}
{{- if .Values.defectdojo.enabled }}
- name: upload-defectdojo
dependencies:
- scanners
template: upload-defectdojo
{{- end }}
- name: clone-repo
inputs:
parameters:
- name: repo-url
- name: git-revision
container:
image: alpine/git:2.45.2
image: {{ .Values.images.git | quote }}
command:
- sh
- -c
args:
- git clone --branch "{{inputs.parameters.git-revision}}" --single-branch "{{inputs.parameters.repo-url}}" /workspace
- git clone --branch {{ `{{inputs.parameters.git-revision}}` | quote }} --single-branch {{ `{{inputs.parameters.repo-url}}` | quote }} /workspace
volumeMounts:
- name: workspace
mountPath: /workspace
@@ -86,37 +84,37 @@ spec:
inputs:
parameters:
- name: working-dir
- name: fail-on-cvss
dag:
tasks:
{{- range $scanner := list "trufflehog" "semgrep" "kics" "socketdev" "syft-grype" "defectdojo" }}
{{- range $scanner := list "trufflehog" "semgrep" "kics" "socketdev" "syft-grype" "pulumi-crossguard" }}
- name: {{ $scanner }}
template: scan-{{ $scanner }}
arguments:
parameters:
- name: working-dir
value: "{{inputs.parameters.working-dir}}"
value: {{ `{{inputs.parameters.working-dir}}` | quote }}
{{- end }}
- name: sinks-and-enforcement
- name: pipeline-exit-hook
container:
image: curlimages/curl:latest
image: {{ .Values.images.curl | quote }}
command:
- sh
- -c
args:
- |
set -eu
echo "Pipeline complete. You can configure a webhook notification here."
if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then
curl -X POST -H 'Content-type: application/json' --data '{"text":"Security Pipeline Finished"}' "${SLACK_WEBHOOK_URL}" || true
fi
{{ include "template.scan-syft-grype" . | indent 4 }}
{{ include "template.scan-socketdev" . | indent 4 }}
{{ include "template.scan-defectdojo" . | indent 4 }}
{{ include "template.scan-semgrep" . | indent 4 }}
{{ include "template.scan-trufflehog" . | indent 4 }}
{{ include "template.scan-kics" . | indent 4 }}
{{ include "template.upload-defectdojo" . | indent 4 }}
{{ include "template.upload-storage" . | indent 4 }}
{{ include "template.enforce-policy" . | indent 4 }}
echo "Pipeline completed with status: {{ `{{workflow.status}}` }}"
{{ include "template.scan-trufflehog" . | nindent 4 }}
{{ include "template.scan-semgrep" . | nindent 4 }}
{{ include "template.scan-kics" . | nindent 4 }}
{{ include "template.scan-socketdev" . | nindent 4 }}
{{ include "template.scan-syft-grype" . | nindent 4 }}
{{ include "template.scan-pulumi-crossguard" . | nindent 4 }}
{{- if .Values.storage.enabled }}
{{ include "template.upload-storage" . | nindent 4 }}
{{- end }}
{{- if .Values.defectdojo.enabled }}
{{ include "template.upload-defectdojo" . | nindent 4 }}
{{- end }}
{{ include "template.enforce-policy" . | nindent 4 }}
{{- end }}