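# Rendered reference for the default chart values in helm/values.yaml.
# This is intended for reading and review, so you can inspect the final Argo object
# without also mentally evaluating Helm templates.
#
# Notes:
# - Optional storage, DefectDojo, and Infisical resources are omitted because they are
#   disabled by default.
# - Argo placeholders such as {{workflow.parameters.repo-url}} are expected and remain
#   in the rendered object because Argo resolves them at workflow runtime.
# - Lines marked NOTE(review) are reviewer observations to confirm against the chart
#   templates (not shown here); any change made to this rendered object must be
#   mirrored there or it will be lost on the next render.
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
  name: amp-security-pipeline-v1.0.0
spec:
  # NOTE(review): every step runs as the submitting namespace's `default`
  # ServiceAccount. A dedicated, minimally scoped ServiceAccount is the usual
  # choice for a cluster-wide template that executes third-party repository code
  # and carries API tokens.
  serviceAccountName: default
  entrypoint: security-pipeline
  onExit: pipeline-exit-hook
  volumeClaimTemplates:
    - metadata:
        name: workspace
      spec:
        accessModes:
          # NOTE(review): the six scanner pods mount this claim concurrently.
          # With ReadWriteOnce that only works when they land on the same node;
          # confirm scheduling/affinity with the storage class in use.
          - ReadWriteOnce
        resources:
          requests:
            # Shared clone + reports volume. Because every scanner command ends in
            # `|| true`, running out of space shows up only as a missing report.
            storage: 1Gi
  arguments:
    parameters:
      # Path of the project inside the clone, relative to /workspace. It is
      # interpolated into file paths by every scanner; nothing here rejects
      # values containing `..`, so validation is expected upstream — confirm.
      - name: working-dir
        value: "."
      # CVSS score at or above which enforce-policy fails the run.
      - name: fail-on-cvss
        value: "7.0"
      # Required at submission time; no default.
      - name: repo-url
      - name: git-revision
        value: "main"
  templates:
    # Top-level DAG: clone -> all scanners in parallel -> policy gate.
    - name: security-pipeline
      dag:
        tasks:
          - name: clone
            template: clone-repo
            arguments:
              parameters:
                - name: repo-url
                  value: "{{workflow.parameters.repo-url}}"
                - name: git-revision
                  value: "{{workflow.parameters.git-revision}}"
          - name: scanners
            dependencies:
              - clone
            template: parallel-scanners
            arguments:
              parameters:
                - name: working-dir
                  value: "{{workflow.parameters.working-dir}}"
          - name: enforce-policy
            dependencies:
              - scanners
            template: enforce-policy
            arguments:
              parameters:
                - name: fail-on-cvss
                  value: "{{workflow.parameters.fail-on-cvss}}"

    # Shallow single-branch clone of the target repository into the shared volume.
    - name: clone-repo
      inputs:
        parameters:
          - name: repo-url
          - name: git-revision
      container:
        image: alpine/git:2.45.2
        # git is invoked directly instead of through `sh -c`: Argo expands the
        # parameters before the container starts, so with a shell in between a
        # repo-url or git-revision containing quote characters would be parsed
        # as part of the command line rather than as one argument. The `--`
        # additionally stops a repo-url beginning with `-` from being read as an
        # option.
        command:
          - git
        args:
          - clone
          - --branch
          - "{{inputs.parameters.git-revision}}"
          - --single-branch
          - --
          - "{{inputs.parameters.repo-url}}"
          - /workspace
        volumeMounts:
          # NOTE(review): cloning straight into the mount point requires
          # /workspace to be empty; a filesystem that pre-creates lost+found
          # makes `git clone` refuse the destination. Confirm with the storage
          # class, or clone into a subdirectory.
          - name: workspace
            mountPath: /workspace

    # Fan-out DAG: each scanner receives the same working-dir.
    - name: parallel-scanners
      inputs:
        parameters:
          - name: working-dir
      dag:
        tasks:
          - name: trufflehog
            template: scan-trufflehog
            arguments:
              parameters:
                - name: working-dir
                  value: "{{inputs.parameters.working-dir}}"
          - name: semgrep
            template: scan-semgrep
            arguments:
              parameters:
                - name: working-dir
                  value: "{{inputs.parameters.working-dir}}"
          - name: kics
            template: scan-kics
            arguments:
              parameters:
                - name: working-dir
                  value: "{{inputs.parameters.working-dir}}"
          - name: socketdev
            template: scan-socketdev
            arguments:
              parameters:
                - name: working-dir
                  value: "{{inputs.parameters.working-dir}}"
          - name: syft-grype
            template: scan-syft-grype
            arguments:
              parameters:
                - name: working-dir
                  value: "{{inputs.parameters.working-dir}}"
          - name: pulumi-crossguard
            template: scan-pulumi-crossguard
            arguments:
              parameters:
                - name: working-dir
                  value: "{{inputs.parameters.working-dir}}"

    # onExit hook. With the default values it only logs the final status; the
    # curl image is presumably for the optional result-upload steps that are
    # disabled in this render.
    - name: pipeline-exit-hook
      container:
        image: curlimages/curl:8.8.0
        command:
          - sh
          - -c
        args:
          - |
            set -eu
            echo "Pipeline completed with status: {{workflow.status}}"

    # Secret scanning. Report: /workspace/reports/trufflehog.json (NDJSON).
    # In this and the following scanner templates, working-dir is handed to the
    # script as the WORKING_DIR environment variable rather than being spliced
    # into the `sh -c` text, so the value is always treated as data by the shell.
    - name: scan-trufflehog
      inputs:
        parameters:
          - name: working-dir
      container:
        # NOTE(review): unpinned tag in a security gate; pin to a version or
        # digest as the other images are.
        image: trufflesecurity/trufflehog:latest
        env:
          - name: WORKING_DIR
            value: "{{inputs.parameters.working-dir}}"
        command:
          - sh
          - -c
        args:
          - |
            set -eu
            mkdir -p /workspace/reports
            # `|| true` keeps a scanner crash from failing the DAG, but it also
            # means a crash leaves no report; enforce-policy must treat a missing
            # report as a failure rather than as zero findings — confirm.
            trufflehog filesystem "/workspace/$WORKING_DIR" --json > /workspace/reports/trufflehog.json || true
        volumeMounts:
          - name: workspace
            mountPath: /workspace

    # SAST. Report: /workspace/reports/semgrep.sarif.
    - name: scan-semgrep
      inputs:
        parameters:
          - name: working-dir
      container:
        # NOTE(review): `returntocorp/` is the legacy image location; confirm
        # it is still maintained there.
        image: returntocorp/semgrep:1.85.0
        env:
          - name: WORKING_DIR
            value: "{{inputs.parameters.working-dir}}"
        command:
          - sh
          - -c
        args:
          - |
            set -eu
            mkdir -p /workspace/reports
            # `--config auto` pulls rules from the Semgrep registry at run time:
            # a network dependency and an unpinned rule set. Check the metrics
            # behaviour for this mode if sending project metadata is a concern.
            semgrep scan --config auto --sarif --output /workspace/reports/semgrep.sarif "/workspace/$WORKING_DIR" || true
        volumeMounts:
          - name: workspace
            mountPath: /workspace

    # IaC scanning. Report: /workspace/reports/kics.sarif.
    - name: scan-kics
      inputs:
        parameters:
          - name: working-dir
      container:
        image: checkmarx/kics:1.7.14
        env:
          - name: WORKING_DIR
            value: "{{inputs.parameters.working-dir}}"
        command:
          - sh
          - -c
        args:
          - |
            set -eu
            mkdir -p /workspace/reports
            kics scan -p "/workspace/$WORKING_DIR" -o /workspace/reports --report-formats sarif,json --output-name kics || true
            if [ -f /workspace/reports/kics.sarif ]; then
              exit 0
            fi
            # NOTE(review): this fallback places KICS's native JSON under a
            # .sarif name; a SARIF consumer will not parse it. Confirm
            # enforce-policy handles that case or drop the fallback.
            if [ -f /workspace/reports/kics.json ]; then
              cp /workspace/reports/kics.json /workspace/reports/kics.sarif
            fi
        volumeMounts:
          - name: workspace
            mountPath: /workspace

    # Dependency/supply-chain scanning via Socket. Report: /workspace/reports/socketdev.json.
    - name: scan-socketdev
      inputs:
        parameters:
          - name: working-dir
      container:
        # NOTE(review): unpinned tag; pin to a version or digest.
        image: socketdev/socketcli:latest
        env:
          - name: WORKING_DIR
            value: "{{inputs.parameters.working-dir}}"
          - name: SOCKET_DEV_API_KEY
            valueFrom:
              secretKeyRef:
                name: amp-security-pipeline-secrets
                key: SOCKET_DEV_API_KEY
        command:
          - sh
          - -c
        args:
          - |
            set -eu
            mkdir -p /workspace/reports
            # NOTE(review): confirm the CLI entrypoint name and flags against
            # the image actually pulled; a wrong invocation is hidden by `|| true`.
            socketdev scan "/workspace/$WORKING_DIR" --format json --output /workspace/reports/socketdev.json || true
        volumeMounts:
          - name: workspace
            mountPath: /workspace

    # SBOM generation (syft) followed by vulnerability matching (grype).
    # Reports: /workspace/reports/sbom.json, /workspace/reports/grype.sarif.
    - name: scan-syft-grype
      inputs:
        parameters:
          - name: working-dir
      container:
        # NOTE(review): the anchore/syft image is not expected to ship a `grype`
        # binary. If it does not, the grype line fails, `|| true` hides it, and
        # grype.sarif is never written — leaving the CVSS gate without
        # vulnerability data. Confirm the image contents, or run grype as its
        # own step with its own (pinned) image. The tag is also unpinned.
        image: anchore/syft:latest
        env:
          - name: WORKING_DIR
            value: "{{inputs.parameters.working-dir}}"
        command:
          - sh
          - -c
        args:
          - |
            set -eu
            mkdir -p /workspace/reports
            # The dir: source is quoted like every other scanner path so a
            # working-dir containing spaces stays one argument.
            syft scan "dir:/workspace/$WORKING_DIR" -o cyclonedx-json=/workspace/reports/sbom.json || true
            grype sbom:/workspace/reports/sbom.json -o sarif=/workspace/reports/grype.sarif || true
        volumeMounts:
          - name: workspace
            mountPath: /workspace

    # Pulumi CrossGuard policy preview. Report: /workspace/reports/pulumi-crossguard.json.
    - name: scan-pulumi-crossguard
      inputs:
        parameters:
          - name: working-dir
      container:
        image: pulumi/pulumi:3.154.0
        env:
          - name: WORKING_DIR
            value: "{{inputs.parameters.working-dir}}"
          # `pulumi preview` executes the repository's own program, so the
          # freshly cloned code runs with this token in its environment. Scope
          # the token to the minimum the preview needs.
          - name: PULUMI_ACCESS_TOKEN
            valueFrom:
              secretKeyRef:
                name: amp-security-pipeline-secrets
                key: PULUMI_ACCESS_TOKEN
        command:
          - sh
          - -c
        args:
          - |
            set -eu
            mkdir -p /workspace/reports
            # Unlike the other scanners, a missing working-dir fails this step
            # (the `cd` is not covered by `|| true`).
            cd "/workspace/$WORKING_DIR"
            # NOTE(review): without `--json` the captured output is the
            # human-readable preview, and `2>&1` mixes login/plugin messages
            # into the same file; `preview` also needs a selected stack.
            # Confirm what enforce-policy expects to read from this file.
            pulumi preview --policy-pack "policy-pack" > /workspace/reports/pulumi-crossguard.json 2>&1 || true
        volumeMounts:
          - name: workspace
            mountPath: /workspace

    # Policy gate: reads the reports under /workspace/reports and fails the
    # workflow when a finding meets FAIL_ON_CVSS (implementation not shown).
    - name: enforce-policy
      inputs:
        parameters:
          - name: fail-on-cvss
      container:
        # NOTE(review): an unqualified `latest` tag combined with IfNotPresent
        # means whatever copy is cached on the node is used and never refreshed.
        # This is the step that decides pass/fail, so pin it to a digest.
        image: agentguard-tools:latest
        imagePullPolicy: IfNotPresent
        command:
          - node
          - /app/dist/enforce-policy.js
        env:
          - name: FAIL_ON_CVSS
            value: "{{inputs.parameters.fail-on-cvss}}"
        volumeMounts:
          - name: workspace
            mountPath: /workspace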