

4 Commits

ada 1e849976aa adding examples to make it easier to understand the project 2026-04-20 21:17:31 -06:00
ada 35ad38dda7 other changes 2026-04-20 21:10:38 -06:00
ada 78f30b9608 refactor to simplify main pipeline 2026-04-20 21:10:27 -06:00
ada 749afaebf7 putting s3 secrets in one object 2026-04-20 21:09:45 -06:00
10 changed files with 116 additions and 119 deletions
+11 -2
@@ -29,7 +29,16 @@ Install these separately in your cluster before using this chart:
- DefectDojo, if you want report ingestion enabled
- MinIO or another S3-compatible store, if you want raw report uploads enabled
You will also need the corresponding credentials for Socket.dev, Pulumi, AWS or MinIO, and DefectDojo.
You will also need the corresponding credentials for Socket.dev, Pulumi, S3-compatible object storage, and DefectDojo.
## Reading the chart
If the Helm templates start to feel too abstract, use these two files together:
- [`helm/values.schema.json`](helm/values.schema.json) documents the expected shape and meaning of the values file.
- [`docs/rendered/default-clusterworkflowtemplate.yaml`](docs/rendered/default-clusterworkflowtemplate.yaml) shows the default rendered `ClusterWorkflowTemplate` without Helm directives in the way.
The rendered reference reflects the default values in `helm/values.yaml`, so optional storage, DefectDojo, and Infisical resources are intentionally omitted there.
## Validation workflow
@@ -84,7 +93,7 @@ defectdojo:
Keep `storage.enabled` and `defectdojo.enabled` disabled until those services are actually installed and reachable. Keep `infisical.enabled` disabled until the operator is installed and your project identifiers are ready.
If you do not use Infisical, create the `amp-security-pipeline-secrets` secret yourself before running the workflow.
If you do not use Infisical, create the `amp-security-pipeline-secrets` secret yourself before running the workflow. For storage uploads, the secret should contain `S3_ACCESS_KEY_ID` and `S3_SECRET_ACCESS_KEY`.
### 3. Deploy the chart
+1 -1
@@ -4,7 +4,7 @@
parameters:
- name: fail-on-cvss
container:
image: "{{ .Values.pipeline.toolsImage.repository }}:{{ .Values.pipeline.toolsImage.tag }}"
image: {{ include "template.tools-image" . | quote }}
imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }}
command:
- node
+3
@@ -0,0 +1,3 @@
{{- define "template.tools-image" -}}
{{- printf "%s:%s" .Values.pipeline.toolsImage.repository .Values.pipeline.toolsImage.tag -}}
{{- end }}
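Review bot: The new `template.tools-image` helper concatenates repository and tag with printf but does not check that either is set, so an override that blanks `pipeline.toolsImage.tag` renders an invalid reference like `agentguard-tools:` and fails only when the pod is scheduled. Fail at render time instead: `{{- printf "%s:%s" (required "pipeline.toolsImage.repository is required" .Values.pipeline.toolsImage.repository) (required "pipeline.toolsImage.tag is required" .Values.pipeline.toolsImage.tag) -}}`. Since every scanner and the policy gate now build their image from this one helper, it would also be the natural place to support a digest (`repository@sha256:…`) so the tools image can be pinned rather than tracked by the floating `latest` tag that values.yaml ships with.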
+2 -12
@@ -4,23 +4,13 @@
parameters:
- name: working-dir
container:
image: {{ .Values.images.pulumiCrossguard | quote }}
image: {{ .Values.images.pulumiCrossguard }}
env:
- name: PULUMI_ACCESS_TOKEN
valueFrom:
secretKeyRef:
name: amp-security-pipeline-secrets
key: PULUMI_ACCESS_TOKEN
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: amp-security-pipeline-secrets
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: amp-security-pipeline-secrets
key: AWS_SECRET_ACCESS_KEY
command:
- sh
- -c
@@ -29,7 +19,7 @@
set -eu
mkdir -p /workspace/reports
cd "/workspace/{{ `{{inputs.parameters.working-dir}}` }}"
pulumi preview --policy-pack "{{ .Values.pulumi.policyPackPath }}" > /workspace/reports/pulumi-crossguard.json 2>&1 || true
pulumi preview --policy-pack {{ .Values.pulumi.policyPackPath | quote }} > /workspace/reports/pulumi-crossguard.json 2>&1 || true
volumeMounts:
- name: workspace
mountPath: /workspace
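Review bot: Dropping `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from this container is the right least-privilege move, but the `pulumi preview … || true` line keeps swallowing every non-zero exit, so if the preview previously relied on those credentials (for an AWS-backed stack, say) the step will now silently produce an error transcript instead of a crossguard report and the DAG still goes green. If the preview genuinely needs provider credentials, give it a scoped read-only set via `secretKeyRef`; if not, at least make the failure visible, e.g. `… > /workspace/reports/pulumi-crossguard.json 2>&1 || echo "pulumi preview exited non-zero; see pulumi-crossguard.json" >&2`. Note also that `{{ .Values.pulumi.policyPackPath | quote }}` emits a Go-escaped double-quoted string into a shell command, which only matches shell quoting for paths without `\` or `"`. The enclosing template starts before this hunk.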
+4 -11
@@ -1,19 +1,12 @@
{{- define "template.upload-defectdojo" -}}
- name: upload-defectdojo
container:
image: "{{ .Values.pipeline.toolsImage.repository }}:{{ .Values.pipeline.toolsImage.tag }}"
image: {{ include "template.tools-image" . | quote }}
imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }}
envFrom:
- secretRef:
name: amp-security-pipeline-secrets
env:
- name: DEFECTDOJO_URL
valueFrom:
secretKeyRef:
name: amp-security-pipeline-secrets
key: DEFECTDOJO_URL
- name: DEFECTDOJO_API_TOKEN
valueFrom:
secretKeyRef:
name: amp-security-pipeline-secrets
key: DEFECTDOJO_API_TOKEN
- name: DEFECTDOJO_PRODUCT_TYPE_NAME
value: {{ .Values.defectdojo.productTypeName | quote }}
- name: DEFECTDOJO_PRODUCT_NAME
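Review bot: Replacing the two `secretKeyRef` entries with `envFrom: secretRef: amp-security-pipeline-secrets` hands this container every key in that Secret — the Pulumi access token, the S3 credentials and the Socket.dev token — when it only needs `DEFECTDOJO_URL` and `DEFECTDOJO_API_TOKEN`; a compromise of the upload step, or a verbose error dump of its environment, now exposes all of them. Keep the per-key `secretKeyRef` entries the hunk removes (ten lines, visible on the old side) and drop `envFrom`; the per-key form also fails pod creation with a clear message when a key is missing, whereas `envFrom` leaves the variable unset. The `template.upload-defectdojo` define continues past the end of this hunk.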
+6 -21
@@ -1,28 +1,11 @@
{{- define "template.upload-storage" -}}
- name: upload-storage
container:
image: {{ .Values.images.awsCli | quote }}
image: {{ .Values.images.awsCli }}
envFrom:
- secretRef:
name: amp-security-pipeline-secrets
env:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: amp-security-pipeline-secrets
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: amp-security-pipeline-secrets
key: AWS_SECRET_ACCESS_KEY
- name: MINIO_ROOT_USER
valueFrom:
secretKeyRef:
name: amp-security-pipeline-secrets
key: MINIO_ROOT_USER
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: amp-security-pipeline-secrets
key: MINIO_ROOT_PASSWORD
- name: REPORTS_BUCKET
value: {{ .Values.storage.reportsBucket | quote }}
- name: REPO_NAME
@@ -35,6 +18,8 @@
args:
- |
set -eu
export AWS_ACCESS_KEY_ID="${S3_ACCESS_KEY_ID:-}"
export AWS_SECRET_ACCESS_KEY="${S3_SECRET_ACCESS_KEY:-}"
commit_sha="${GIT_COMMIT_SHA:-unknown}"
report_date="$(date -u +%F)"
sync_target="s3://${REPORTS_BUCKET}/${REPO_NAME}/${report_date}/${commit_sha}/"
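Review bot: The `envFrom: secretRef` block exposes the whole `amp-security-pipeline-secrets` Secret (Pulumi, DefectDojo and Socket.dev tokens included) to the aws-cli container, and the two new `export AWS_…="${S3_…:-}"` lines default missing credentials to empty strings, so a Secret without `S3_ACCESS_KEY_ID` lets the aws CLI fall through to whatever credential chain the node offers instead of failing fast. Map only the two S3 keys into the `AWS_*` names with `secretKeyRef` and delete the export lines; the script then needs no change beyond that. Consolidating to one `S3_*` pair instead of MinIO root credentials is a good move — worth documenting that the S3 user should be scoped to write on `REPORTS_BUCKET` only. The `template.upload-storage` define continues past this hunk.
```yaml
    env:
      - name: AWS_ACCESS_KEY_ID
        valueFrom:
          secretKeyRef:
            name: amp-security-pipeline-secrets
            key: S3_ACCESS_KEY_ID
      - name: AWS_SECRET_ACCESS_KEY
        valueFrom:
          secretKeyRef:
            name: amp-security-pipeline-secrets
            key: S3_SECRET_ACCESS_KEY
      # … unchanged: REPORTS_BUCKET, REPO_NAME and the remaining env entries …
    # … unchanged: command/args header …
      set -eu
      # (the two export lines are removed; AWS_* now come straight from the Secret)
      commit_sha="${GIT_COMMIT_SHA:-unknown}"
```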
+64
@@ -0,0 +1,64 @@
{{- define "template.workflow.security-pipeline.tasks" -}}
- name: clone
template: clone-repo
arguments:
parameters:
- name: repo-url
value: {{ `{{workflow.parameters.repo-url}}` | quote }}
- name: git-revision
value: {{ `{{workflow.parameters.git-revision}}` | quote }}
- name: scanners
dependencies:
- clone
template: parallel-scanners
arguments:
parameters:
- name: working-dir
value: {{ `{{workflow.parameters.working-dir}}` | quote }}
- name: enforce-policy
dependencies:
- scanners
template: enforce-policy
arguments:
parameters:
- name: fail-on-cvss
value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }}
{{- if .Values.storage.enabled }}
- name: upload-storage
dependencies:
- scanners
template: upload-storage
{{- end }}
{{- if .Values.defectdojo.enabled }}
- name: upload-defectdojo
dependencies:
- scanners
template: upload-defectdojo
{{- end }}
{{- end }}
{{- define "template.workflow.parallel-scanners.tasks" -}}
{{- /* Scanner fan-out is data-driven from pipeline.scanners in values.yaml. */ -}}
{{- range $scanner := .Values.pipeline.scanners }}
- name: {{ $scanner }}
template: scan-{{ $scanner }}
arguments:
parameters:
- name: working-dir
value: {{ `{{inputs.parameters.working-dir}}` | quote }}
{{- end }}
{{- end }}
{{- define "template.workflow.named-templates" -}}
{{- /* Keep the main workflow file focused on orchestration; implementations are included here. */ -}}
{{- range $scanner := .Values.pipeline.scanners }}
{{ include (printf "template.scan-%s" $scanner) $ }}
{{- end }}
{{- if .Values.storage.enabled }}
{{ include "template.upload-storage" . }}
{{- end }}
{{- if .Values.defectdojo.enabled }}
{{ include "template.upload-defectdojo" . }}
{{- end }}
{{ include "template.enforce-policy" . }}
{{- end }}
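Review bot: `template.workflow.parallel-scanners.tasks` and `template.workflow.named-templates` both range over `.Values.pipeline.scanners` with no check that the list is non-empty, so an override of `pipeline.scanners: []` renders a `parallel-scanners` DAG with nothing under `tasks:` and the pipeline proceeds to `enforce-policy` and the uploads having scanned nothing. Add a guard at the top of the first define: `{{- if not .Values.pipeline.scanners }}{{- fail "pipeline.scanners must list at least one scanner" }}{{- end }}`. A misspelled entry already fails at render time because `include (printf "template.scan-%s" $scanner)` has no matching define, which is worth a comment next to the range so the error is not a surprise.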
+13 -62
@@ -2,9 +2,9 @@
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
name: {{ .Values.pipeline.name | quote }}
name: {{ .Values.pipeline.name }}
spec:
serviceAccountName: {{ .Values.pipeline.serviceAccountName | quote }}
serviceAccountName: {{ .Values.pipeline.serviceAccountName }}
entrypoint: security-pipeline
onExit: pipeline-exit-hook
volumeClaimTemplates:
@@ -15,7 +15,7 @@ spec:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.pipeline.workspace.storage | quote }}
storage: {{ .Values.pipeline.workspace.storage }}
arguments:
parameters:
- name: working-dir
@@ -26,52 +26,20 @@ spec:
- name: git-revision
value: {{ .Values.pipeline.gitRevision | quote }}
templates:
# Top-level DAG wiring lives here so the workflow flow stays readable.
- name: security-pipeline
dag:
tasks:
- name: clone
template: clone-repo
arguments:
parameters:
- name: repo-url
value: {{ `{{workflow.parameters.repo-url}}` | quote }}
- name: git-revision
value: {{ `{{workflow.parameters.git-revision}}` | quote }}
- name: scanners
dependencies:
- clone
template: parallel-scanners
arguments:
parameters:
- name: working-dir
value: {{ `{{workflow.parameters.working-dir}}` | quote }}
- name: enforce-policy
dependencies:
- scanners
template: enforce-policy
arguments:
parameters:
- name: fail-on-cvss
value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }}
{{- if .Values.storage.enabled }}
- name: upload-storage
dependencies:
- scanners
template: upload-storage
{{- end }}
{{- if .Values.defectdojo.enabled }}
- name: upload-defectdojo
dependencies:
- scanners
template: upload-defectdojo
{{- end }}
{{ include "template.workflow.security-pipeline.tasks" . | nindent 10 }}
# Concrete task implementations stay below.
- name: clone-repo
inputs:
parameters:
- name: repo-url
- name: git-revision
container:
image: {{ .Values.images.git | quote }}
image: {{ .Values.images.git }}
command:
- sh
- -c
@@ -80,23 +48,18 @@ spec:
volumeMounts:
- name: workspace
mountPath: /workspace
- name: parallel-scanners
inputs:
parameters:
- name: working-dir
dag:
tasks:
{{- range $scanner := list "trufflehog" "semgrep" "kics" "socketdev" "syft-grype" "pulumi-crossguard" }}
- name: {{ $scanner }}
template: scan-{{ $scanner }}
arguments:
parameters:
- name: working-dir
value: {{ `{{inputs.parameters.working-dir}}` | quote }}
{{- end }}
{{ include "template.workflow.parallel-scanners.tasks" . | nindent 10 }}
- name: pipeline-exit-hook
container:
image: {{ .Values.images.curl | quote }}
image: {{ .Values.images.curl }}
command:
- sh
- -c
@@ -104,17 +67,5 @@ spec:
- |
set -eu
echo "Pipeline completed with status: {{ `{{workflow.status}}` }}"
{{ include "template.scan-trufflehog" . | nindent 4 }}
{{ include "template.scan-semgrep" . | nindent 4 }}
{{ include "template.scan-kics" . | nindent 4 }}
{{ include "template.scan-socketdev" . | nindent 4 }}
{{ include "template.scan-syft-grype" . | nindent 4 }}
{{ include "template.scan-pulumi-crossguard" . | nindent 4 }}
{{- if .Values.storage.enabled }}
{{ include "template.upload-storage" . | nindent 4 }}
{{- end }}
{{- if .Values.defectdojo.enabled }}
{{ include "template.upload-defectdojo" . | nindent 4 }}
{{- end }}
{{ include "template.enforce-policy" . | nindent 4 }}
{{ include "template.workflow.named-templates" . | nindent 4 }}
{{- end }}
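Review bot: Removing `| quote` from `metadata.name`, `serviceAccountName` and `workspace.storage` means an unset value renders as a bare key, which YAML reads as null; for `serviceAccountName` that is a silent privilege change, since Argo would then run every pod under the namespace's default service account rather than the one the chart intended (hedged — depends on the controller's defaulting). Make the two identity-bearing values mandatory rather than merely unquoted: `name: {{ required "pipeline.name is required" .Values.pipeline.name | quote }}` and `serviceAccountName: {{ required "pipeline.serviceAccountName is required" .Values.pipeline.serviceAccountName | quote }}`. The image lines that also lost their quotes (`images.git`, `images.curl`) should keep `| quote` for the same reason.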
+4 -10
@@ -16,18 +16,12 @@ spec:
- secretKey: PULUMI_ACCESS_TOKEN
remoteRef:
key: PULUMI_ACCESS_TOKEN
- secretKey: AWS_ACCESS_KEY_ID
- secretKey: S3_ACCESS_KEY_ID
remoteRef:
key: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
key: S3_ACCESS_KEY_ID
- secretKey: S3_SECRET_ACCESS_KEY
remoteRef:
key: AWS_SECRET_ACCESS_KEY
- secretKey: MINIO_ROOT_USER
remoteRef:
key: MINIO_ROOT_USER
- secretKey: MINIO_ROOT_PASSWORD
remoteRef:
key: MINIO_ROOT_PASSWORD
key: S3_SECRET_ACCESS_KEY
- secretKey: DEFECTDOJO_URL
remoteRef:
key: DEFECTDOJO_URL
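Review bot: Both the synced `secretKey` and the Infisical `remoteRef.key` are renamed from `AWS_*` to `S3_*`, so existing Infisical projects that still hold `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` stop syncing after this upgrade and the storage step loses its credentials with no rendered error. Either keep `remoteRef.key: AWS_ACCESS_KEY_ID` (renaming only the local `secretKey`) for one release, or add a short upgrade note to the README stating that the Infisical entries must be renamed and that the `MINIO_ROOT_*` entries can be deleted. Dropping the MinIO root credentials from the synced Secret is a welcome reduction in blast radius. The `InfisicalSecret` spec starts before this hunk.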
+8
@@ -8,6 +8,14 @@ pipeline:
workspace:
storage: 1Gi
repoName: agentguard-ci
# Order here matches the scanner fan-out in the workflow DAG.
scanners:
- trufflehog
- semgrep
- kics
- socketdev
- syft-grype
- pulumi-crossguard
toolsImage:
repository: agentguard-tools
tag: latest
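Review bot: The comment `# Order here matches the scanner fan-out in the workflow DAG.` understates what this list now does: it drives the fan-out, so removing an entry silently removes that scanner from every run. Reword it to say so and state the coupling, e.g. `# Drives the parallel-scanners DAG; each entry needs a matching template.scan-<name> define.` Since `helm/values.schema.json` is the documented source of truth for values, add an `enum` of the six known names there so a typo is caught by `helm lint` rather than by a template-not-found error at render time.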