refactor to simplify main pipeline
This commit is contained in:
@@ -4,7 +4,7 @@
|
||||
parameters:
|
||||
- name: fail-on-cvss
|
||||
container:
|
||||
image: "{{ .Values.pipeline.toolsImage.repository }}:{{ .Values.pipeline.toolsImage.tag }}"
|
||||
image: {{ include "template.tools-image" . | quote }}
|
||||
imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }}
|
||||
command:
|
||||
- node
|
||||
|
||||
@@ -0,0 +1,64 @@
|
||||
{{- define "template.workflow.security-pipeline.tasks" -}}
|
||||
- name: clone
|
||||
template: clone-repo
|
||||
arguments:
|
||||
parameters:
|
||||
- name: repo-url
|
||||
value: {{ `{{workflow.parameters.repo-url}}` | quote }}
|
||||
- name: git-revision
|
||||
value: {{ `{{workflow.parameters.git-revision}}` | quote }}
|
||||
- name: scanners
|
||||
dependencies:
|
||||
- clone
|
||||
template: parallel-scanners
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: {{ `{{workflow.parameters.working-dir}}` | quote }}
|
||||
- name: enforce-policy
|
||||
dependencies:
|
||||
- scanners
|
||||
template: enforce-policy
|
||||
arguments:
|
||||
parameters:
|
||||
- name: fail-on-cvss
|
||||
value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }}
|
||||
{{- if .Values.storage.enabled }}
|
||||
- name: upload-storage
|
||||
dependencies:
|
||||
- scanners
|
||||
template: upload-storage
|
||||
{{- end }}
|
||||
{{- if .Values.defectdojo.enabled }}
|
||||
- name: upload-defectdojo
|
||||
dependencies:
|
||||
- scanners
|
||||
template: upload-defectdojo
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "template.workflow.parallel-scanners.tasks" -}}
|
||||
{{- /* Scanner fan-out is data-driven from pipeline.scanners in values.yaml. */ -}}
|
||||
{{- range $scanner := .Values.pipeline.scanners }}
|
||||
- name: {{ $scanner }}
|
||||
template: scan-{{ $scanner }}
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: {{ `{{inputs.parameters.working-dir}}` | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "template.workflow.named-templates" -}}
|
||||
{{- /* Keep the main workflow file focused on orchestration; implementations are included here. */ -}}
|
||||
{{- range $scanner := .Values.pipeline.scanners }}
|
||||
{{ include (printf "template.scan-%s" $scanner) $ }}
|
||||
{{- end }}
|
||||
{{- if .Values.storage.enabled }}
|
||||
{{ include "template.upload-storage" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.defectdojo.enabled }}
|
||||
{{ include "template.upload-defectdojo" . }}
|
||||
{{- end }}
|
||||
{{ include "template.enforce-policy" . }}
|
||||
{{- end }}
|
||||
@@ -2,9 +2,9 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: ClusterWorkflowTemplate
|
||||
metadata:
|
||||
name: {{ .Values.pipeline.name | quote }}
|
||||
name: {{ .Values.pipeline.name }}
|
||||
spec:
|
||||
serviceAccountName: {{ .Values.pipeline.serviceAccountName | quote }}
|
||||
serviceAccountName: {{ .Values.pipeline.serviceAccountName }}
|
||||
entrypoint: security-pipeline
|
||||
onExit: pipeline-exit-hook
|
||||
volumeClaimTemplates:
|
||||
@@ -15,7 +15,7 @@ spec:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.pipeline.workspace.storage | quote }}
|
||||
storage: {{ .Values.pipeline.workspace.storage }}
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
@@ -26,52 +26,20 @@ spec:
|
||||
- name: git-revision
|
||||
value: {{ .Values.pipeline.gitRevision | quote }}
|
||||
templates:
|
||||
# Top-level DAG wiring lives here so the workflow flow stays readable.
|
||||
- name: security-pipeline
|
||||
dag:
|
||||
tasks:
|
||||
- name: clone
|
||||
template: clone-repo
|
||||
arguments:
|
||||
parameters:
|
||||
- name: repo-url
|
||||
value: {{ `{{workflow.parameters.repo-url}}` | quote }}
|
||||
- name: git-revision
|
||||
value: {{ `{{workflow.parameters.git-revision}}` | quote }}
|
||||
- name: scanners
|
||||
dependencies:
|
||||
- clone
|
||||
template: parallel-scanners
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: {{ `{{workflow.parameters.working-dir}}` | quote }}
|
||||
- name: enforce-policy
|
||||
dependencies:
|
||||
- scanners
|
||||
template: enforce-policy
|
||||
arguments:
|
||||
parameters:
|
||||
- name: fail-on-cvss
|
||||
value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }}
|
||||
{{- if .Values.storage.enabled }}
|
||||
- name: upload-storage
|
||||
dependencies:
|
||||
- scanners
|
||||
template: upload-storage
|
||||
{{- end }}
|
||||
{{- if .Values.defectdojo.enabled }}
|
||||
- name: upload-defectdojo
|
||||
dependencies:
|
||||
- scanners
|
||||
template: upload-defectdojo
|
||||
{{- end }}
|
||||
{{ include "template.workflow.security-pipeline.tasks" . | nindent 10 }}
|
||||
|
||||
# Concrete task implementations stay below.
|
||||
- name: clone-repo
|
||||
inputs:
|
||||
parameters:
|
||||
- name: repo-url
|
||||
- name: git-revision
|
||||
container:
|
||||
image: {{ .Values.images.git | quote }}
|
||||
image: {{ .Values.images.git }}
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
@@ -80,23 +48,18 @@ spec:
|
||||
volumeMounts:
|
||||
- name: workspace
|
||||
mountPath: /workspace
|
||||
|
||||
- name: parallel-scanners
|
||||
inputs:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
dag:
|
||||
tasks:
|
||||
{{- range $scanner := list "trufflehog" "semgrep" "kics" "socketdev" "syft-grype" "pulumi-crossguard" }}
|
||||
- name: {{ $scanner }}
|
||||
template: scan-{{ $scanner }}
|
||||
arguments:
|
||||
parameters:
|
||||
- name: working-dir
|
||||
value: {{ `{{inputs.parameters.working-dir}}` | quote }}
|
||||
{{- end }}
|
||||
{{ include "template.workflow.parallel-scanners.tasks" . | nindent 10 }}
|
||||
|
||||
- name: pipeline-exit-hook
|
||||
container:
|
||||
image: {{ .Values.images.curl | quote }}
|
||||
image: {{ .Values.images.curl }}
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
@@ -104,17 +67,5 @@ spec:
|
||||
- |
|
||||
set -eu
|
||||
echo "Pipeline completed with status: {{ `{{workflow.status}}` }}"
|
||||
{{ include "template.scan-trufflehog" . | nindent 4 }}
|
||||
{{ include "template.scan-semgrep" . | nindent 4 }}
|
||||
{{ include "template.scan-kics" . | nindent 4 }}
|
||||
{{ include "template.scan-socketdev" . | nindent 4 }}
|
||||
{{ include "template.scan-syft-grype" . | nindent 4 }}
|
||||
{{ include "template.scan-pulumi-crossguard" . | nindent 4 }}
|
||||
{{- if .Values.storage.enabled }}
|
||||
{{ include "template.upload-storage" . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.defectdojo.enabled }}
|
||||
{{ include "template.upload-defectdojo" . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{ include "template.enforce-policy" . | nindent 4 }}
|
||||
{{ include "template.workflow.named-templates" . | nindent 4 }}
|
||||
{{- end }}
|
||||
|
||||
@@ -8,6 +8,14 @@ pipeline:
|
||||
workspace:
|
||||
storage: 1Gi
|
||||
repoName: agentguard-ci
|
||||
# Order here matches the scanner fan-out in the workflow DAG.
|
||||
scanners:
|
||||
- trufflehog
|
||||
- semgrep
|
||||
- kics
|
||||
- socketdev
|
||||
- syft-grype
|
||||
- pulumi-crossguard
|
||||
toolsImage:
|
||||
repository: agentguard-tools
|
||||
tag: latest
|
||||
|
||||
Reference in New Issue
Block a user