From 47aebea38ab4421c56cde44704a8306b46e2bf3f Mon Sep 17 00:00:00 2001
From: Paul Wheeler
Date: Sat, 22 Feb 2025 11:44:41 -1000
Subject: [PATCH] wip: enabled portage code scan and debugging deployment job
---
 .github/workflows/code-scan.yml | 23 ++++++++++++++++
 .portage.yml | 48 +++++++++++++++++----------------
 2 files changed, 48 insertions(+), 23 deletions(-)
 create mode 100644 .github/workflows/code-scan.yml
diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
new file mode 100644
index 0000000..95d1e23
--- /dev/null
+++ b/.github/workflows/code-scan.yml
@@ -0,0 +1,23 @@
+name: Scan gatecheck
+run-name: "Scan the gatecheck codebase"
+permissions:
+ contents: read
+ checks: write
+ packages: write
+on:
+ workflow_dispatch:
+ push:
+ branches: [ '*' ]
+ tags: [ '*' ]
+jobs:
+ code_scan:
+ runs-on: ubuntu-latest
+ name: Portage Code Scan
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run Portage CD Scans
+ uses: easy-up/portage-cd-actions/image-build-scan-publish/docker@debug-deploy-job
+ with:
+ image_build_enabled: 'false'
+ image_scan_enabled: 'false'
diff --git a/.portage.yml b/.portage.yml
index 1eac232..c01e9d6
--- a/.portage.yml
+++ b/.portage.yml
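Review bot: The job only runs code scans (`image_build_enabled: 'false'`, `image_scan_enabled: 'false'`), yet the `permissions` block grants `packages: write` to the GITHUB_TOKEN on every push to every branch and tag; a scan-only job needs at most `contents: read` and `checks: write`, so drop `packages: write` (or reduce it to `packages: read` if the action pulls a private scanner image — that dependency is not visible here). The same job consumes `easy-up/portage-cd-actions/image-build-scan-publish/docker@debug-deploy-job`, a mutable branch ref (and a debug one at that), so anyone who can push to that branch controls what runs with these permissions; pin it to a full commit SHA and keep the ref as a trailing comment, e.g. `uses: easy-up/portage-cd-actions/image-build-scan-publish/docker@<40-char-sha>  # debug-deploy-job`. Separately, `branches: [ '*' ]` does not match branch names containing `/` (such as `feature/x`); if the intent is every branch, use `'**'`.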
@@ -1,39 +1,42 @@
 # Base Configuration
 version: "1"
-imageTag: "ghcr.io/easy-up/gatecheck:latest" # The full image tag for the target container image (e.g. my-org/my-app:latest)
+# gatecheck doesn't have an official Dockerfile
+# imageTag: "ghcr.io/easy-up/gatecheck:latest" # The full image tag for the target container image (e.g. my-org/my-app:latest)
 artifactDir: "artifacts" # Directory for generated artifacts (e.g. ./artifacts)
 gatecheckBundleFilename: "gatecheck-bundle.tar.gz" # Filename for the gatecheck bundle (e.g. gatecheck-bundle.tar.gz)
-# Image Build Configuration
+# Image Build Configuration (gatecheck doesn't have an official Dockerfile)
 imageBuild:
 enabled: false # Enable/Disable the image build pipeline (true/false)
- buildDir: "." # Build directory for image (e.g. ./cmd/portage)
+ buildDir: "." # Build directory for image (e.g. ./cmd/portage)
 dockerfile: "Dockerfile" # Dockerfile to use (e.g. ./cmd/portage/Dockerfile)
- platform: "" # Target platform (e.g. linux/amd64, linux/arm64)
- target: "" # Target stage for multi-stage builds (e.g. build, test, publish)
- cacheTo: "" # Cache export location (e.g. type=local,dest=path)
- cacheFrom: "" # Cache import location (e.g. type=local,src=path)
- squashLayers: false # Whether to squash layers (true/false)
- args: {} # Build arguments (e.g. BUILD_ARGS=--build-arg=key=value)
+ platform: "" # Target platform (e.g. linux/amd64, linux/arm64)
+ target: "" # Target stage for multi-stage builds (e.g. build, test, publish)
+ cacheTo: "" # Cache export location (e.g. type=local,dest=path)
+ cacheFrom: "" # Cache import location (e.g. type=local,src=path)
+ squashLayers: false # Whether to squash layers (true/false)
+ args: {} # Build arguments (e.g. BUILD_ARGS=--build-arg=key=value)
-# Image Scan Configuration
+# Image Scan Configuration (gatecheck doesn't have an official Dockerfile)
 imageScan:
- enabled: false # Enable/Disable the image scan pipeline (true/false)
- syftFilename: "syft-sbom-report.json" # Filename for the syft sbom report (e.g. syft-sbom-report.json)
- grypeConfigFilename: "" # Filename for the grype config (e.g. grype-config.json)
 grypeFilename: "grype-vulnerability-report-full.json" # Filename for the grype vulnerability report (e.g. grype-vulnerability-report-full.json)
- clamavFilename: "clamav-virus-report.txt" # Filename for the clamav virus report (e.g. clamav-virus-report.txt)
+ clamavFilename: "clamav-virus-report.txt" # Filename for the clamav virus report (e.g. clamav-virus-report.txt)
 # Code Scan Configuration
 codeScan:
- enabled: true # Enable/Disable the code scan pipeline (true/false)
+ enabled: true # Enable/Disable the code scan pipeline (true/false)
 gitleaksFilename: "gitleaks-secrets-report.json"
 gitleaksSrcDir: "."
 semgrepFilename: "semgrep-sast-report.json" # Filename for the semgrep sast report (e.g. semgrep-sast-report.json)
- semgrepRules: "p/default" # Semgrep rules to use (e.g. p/default)
- semgrepExperimental: false # Whether to use experimental semgrep rules (true/false)
- coverageFile: "" #"coverage/cobertura-coverage.xml" # Externally generated code coverage file
- semgrepSrcDir: "." # Target directory for semgrep scan (e.g. ./cmd/portage)
+ semgrepRules: "p/default" # Semgrep rules to use (e.g. p/default)
+ # This is overridden in the portage Dockerfile, but is set to false for runs on local systems
+ # where the standard Python semgrep is installed
+ semgrepExperimental: false # Whether to use the experimental semgrep CLI (true/false)
+ coverageFile: "" # "coverage/cobertura-coverage.xml" # Externally generated code coverage file
+ semgrepSrcDir: "." # Target directory for semgrep scan (e.g. ./cmd/portage)
 # Image Publish Configuration
 imagePublish:
@@ -42,9 +45,8 @@ imagePublish:
 # Deploy Configuration
 deploy:
- enabled: true # Enable/Disable the deploy pipeline (true/false). When true, the .gatecheck.yml file is used, otherwise the default gatecheck config is used.
- gatecheckConfigFilename: ".custom-gatecheck.yml" # Filename for gatecheck config (e.g. gatecheck-config.json)
- submit: false # Whether to submit the artifacts to the configured API endpoint (true/false)
+ enabled: false # Enable/Disable the deploy pipeline (true/false). When true, the .gatecheck.yml file is used, otherwise the default gatecheck config is used.
+ gatecheckConfigFilename: ".custom-gatecheck.yml" # Filename for gatecheck config (e.g. gatecheck-config.json)
 successWebhooks:
- - url: "http://localhost:5168/Build/SubmitArtifacts" # Using the same endpoint from .custom-gatecheck.yml for consistency
+ - url: "https://belay-api.dev.holomuatech.online/Build/SubmitArtifacts" # Using the same endpoint from .custom-gatecheck.yml for consistency
 authorizationVar: "DEPLOY_WEBHOOK_AUTH_TOKEN" # Environment variable containing the auth token
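Review bot: The success webhook now posts to a public dev host, `https://belay-api.dev.holomuatech.online/Build/SubmitArtifacts`, while the line's comment still claims it mirrors the endpoint in `.custom-gatecheck.yml`, a file this diff does not touch; either that file was changed out of band or the two endpoints now diverge, and the comment no longer tells the reader which. Since the artifacts this webhook submits presumably include the gitleaks secrets report and the semgrep SAST report named in the `codeScan` section, the receiving endpoint is a sink for sensitive output: keep it HTTPS as here, keep the token in `DEPLOY_WEBHOOK_AUTH_TOKEN` rather than inline, and consider sourcing the URL from an environment variable instead of committing an environment-specific hostname. The hunk also drops the `submit: false` key without a replacement; if the consumer still reads it, that is a behavioural change worth a line in the commit message. `deploy` stays `enabled: false`, so none of this fires yet, which makes this the right moment to fix the stale comment, e.g. `# dev Belay API endpoint; keep in sync with .custom-gatecheck.yml`.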