ada/agentguard-ci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor to simplify main pipeline

Browse Source
This commit is contained in:
ada
2026-04-20 21:10:27 -06:00
parent 749afaebf7
commit 78f30b9608
4 changed files with 86 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files
helm/templates/_enforce-policy.yaml
+1 -1
View File
@@ -4,7 +4,7 @@
parameters: parameters:
- name: fail-on-cvss - name: fail-on-cvss
container: container:
image: "{{ .Values.pipeline.toolsImage.repository }}:{{ .Values.pipeline.toolsImage.tag }}" image: {{ include "template.tools-image" . | quote }}
imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }} imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }}
command: command:
- node - node
helm/templates/_workflow-templates.yaml
+64
View File
@@ -0,0 +1,64 @@
{{- define "template.workflow.security-pipeline.tasks" -}}
- name: clone
template: clone-repo
arguments:
parameters:
- name: repo-url
value: {{ `{{workflow.parameters.repo-url}}` | quote }}
- name: git-revision
value: {{ `{{workflow.parameters.git-revision}}` | quote }}
- name: scanners
dependencies:
- clone
template: parallel-scanners
arguments:
parameters:
- name: working-dir
value: {{ `{{workflow.parameters.working-dir}}` | quote }}
- name: enforce-policy
dependencies:
- scanners
template: enforce-policy
arguments:
parameters:
- name: fail-on-cvss
value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }}
{{- if .Values.storage.enabled }}
- name: upload-storage
dependencies:
- scanners
template: upload-storage
{{- end }}
{{- if .Values.defectdojo.enabled }}
- name: upload-defectdojo
dependencies:
- scanners
template: upload-defectdojo
{{- end }}
{{- end }}
{{- define "template.workflow.parallel-scanners.tasks" -}}
{{- /* Scanner fan-out is data-driven from pipeline.scanners in values.yaml. */ -}}
{{- range $scanner := .Values.pipeline.scanners }}
- name: {{ $scanner }}
template: scan-{{ $scanner }}
arguments:
parameters:
- name: working-dir
value: {{ `{{inputs.parameters.working-dir}}` | quote }}
{{- end }}
{{- end }}
{{- define "template.workflow.named-templates" -}}
{{- /* Keep the main workflow file focused on orchestration; implementations are included here. */ -}}
{{- range $scanner := .Values.pipeline.scanners }}
{{ include (printf "template.scan-%s" $scanner) $ }}
{{- end }}
{{- if .Values.storage.enabled }}
{{ include "template.upload-storage" . }}
{{- end }}
{{- if .Values.defectdojo.enabled }}
{{ include "template.upload-defectdojo" . }}
{{- end }}
{{ include "template.enforce-policy" . }}
{{- end }}
helm/templates/clusterworkflowtemplate.yaml
+13 -62
View File
@@ -2,9 +2,9 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate kind: ClusterWorkflowTemplate
metadata: metadata:
name: {{ .Values.pipeline.name | quote }} name: {{ .Values.pipeline.name }}
spec: spec:
serviceAccountName: {{ .Values.pipeline.serviceAccountName | quote }} serviceAccountName: {{ .Values.pipeline.serviceAccountName }}
entrypoint: security-pipeline entrypoint: security-pipeline
onExit: pipeline-exit-hook onExit: pipeline-exit-hook
volumeClaimTemplates: volumeClaimTemplates:
@@ -15,7 +15,7 @@ spec:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: {{ .Values.pipeline.workspace.storage | quote }} storage: {{ .Values.pipeline.workspace.storage }}
arguments: arguments:
parameters: parameters:
- name: working-dir - name: working-dir
@@ -26,52 +26,20 @@ spec:
- name: git-revision - name: git-revision
value: {{ .Values.pipeline.gitRevision | quote }} value: {{ .Values.pipeline.gitRevision | quote }}
templates: templates:
# Top-level DAG wiring lives here so the workflow flow stays readable.
- name: security-pipeline - name: security-pipeline
dag: dag:
tasks: tasks:
- name: clone {{ include "template.workflow.security-pipeline.tasks" . | nindent 10 }}
template: clone-repo
arguments: # Concrete task implementations stay below.
parameters:
- name: repo-url
value: {{ `{{workflow.parameters.repo-url}}` | quote }}
- name: git-revision
value: {{ `{{workflow.parameters.git-revision}}` | quote }}
- name: scanners
dependencies:
- clone
template: parallel-scanners
arguments:
parameters:
- name: working-dir
value: {{ `{{workflow.parameters.working-dir}}` | quote }}
- name: enforce-policy
dependencies:
- scanners
template: enforce-policy
arguments:
parameters:
- name: fail-on-cvss
value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }}
{{- if .Values.storage.enabled }}
- name: upload-storage
dependencies:
- scanners
template: upload-storage
{{- end }}
{{- if .Values.defectdojo.enabled }}
- name: upload-defectdojo
dependencies:
- scanners
template: upload-defectdojo
{{- end }}
- name: clone-repo - name: clone-repo
inputs: inputs:
parameters: parameters:
- name: repo-url - name: repo-url
- name: git-revision - name: git-revision
container: container:
image: {{ .Values.images.git | quote }} image: {{ .Values.images.git }}
command: command:
- sh - sh
- -c - -c
@@ -80,23 +48,18 @@ spec:
volumeMounts: volumeMounts:
- name: workspace - name: workspace
mountPath: /workspace mountPath: /workspace
- name: parallel-scanners - name: parallel-scanners
inputs: inputs:
parameters: parameters:
- name: working-dir - name: working-dir
dag: dag:
tasks: tasks:
{{- range $scanner := list "trufflehog" "semgrep" "kics" "socketdev" "syft-grype" "pulumi-crossguard" }} {{ include "template.workflow.parallel-scanners.tasks" . | nindent 10 }}
- name: {{ $scanner }}
template: scan-{{ $scanner }}
arguments:
parameters:
- name: working-dir
value: {{ `{{inputs.parameters.working-dir}}` | quote }}
{{- end }}
- name: pipeline-exit-hook - name: pipeline-exit-hook
container: container:
image: {{ .Values.images.curl | quote }} image: {{ .Values.images.curl }}
command: command:
- sh - sh
- -c - -c
@@ -104,17 +67,5 @@ spec:
- | - |
set -eu set -eu
echo "Pipeline completed with status: {{ `{{workflow.status}}` }}" echo "Pipeline completed with status: {{ `{{workflow.status}}` }}"
{{ include "template.scan-trufflehog" . | nindent 4 }} {{ include "template.workflow.named-templates" . | nindent 4 }}
{{ include "template.scan-semgrep" . | nindent 4 }}
{{ include "template.scan-kics" . | nindent 4 }}
{{ include "template.scan-socketdev" . | nindent 4 }}
{{ include "template.scan-syft-grype" . | nindent 4 }}
{{ include "template.scan-pulumi-crossguard" . | nindent 4 }}
{{- if .Values.storage.enabled }}
{{ include "template.upload-storage" . | nindent 4 }}
{{- end }}
{{- if .Values.defectdojo.enabled }}
{{ include "template.upload-defectdojo" . | nindent 4 }}
{{- end }}
{{ include "template.enforce-policy" . | nindent 4 }}
{{- end }} {{- end }}
helm/values.yaml
+8
View File
@@ -8,6 +8,14 @@ pipeline:
workspace: workspace:
storage: 1Gi storage: 1Gi
repoName: agentguard-ci repoName: agentguard-ci
# Order here matches the scanner fan-out in the workflow DAG.
scanners:
- trufflehog
- semgrep
- kics
- socketdev
- syft-grype
- pulumi-crossguard
toolsImage: toolsImage:
repository: agentguard-tools repository: agentguard-tools
tag: latest tag: latest