23 changes: 23 additions & 0 deletions .github/workflows/code-scan.yml
@@ -0,0 +1,23 @@
name: Scan gatecheck
run-name: "Scan the gatecheck codebase"
permissions:
contents: read
checks: write
packages: write
on:
workflow_dispatch:
push:
branches: [ '*' ]
tags: [ '*' ]
jobs:
code_scan:
runs-on: ubuntu-latest
name: Portage Code Scan
steps:
- uses: actions/checkout@v4

- name: Run Portage CD Scans
uses: easy-up/portage-cd-actions/image-build-scan-publish/docker@debug-deploy-job
with:
image_build_enabled: 'false'
image_scan_enabled: 'false'
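Review bot: The `uses:` line pins `easy-up/portage-cd-actions/image-build-scan-publish/docker` to the mutable branch ref `debug-deploy-job`, so anything later pushed to that branch runs in this workflow with its `checks: write` and `packages: write` token on every push; pin it to a full commit SHA and keep the branch as a trailing comment, e.g. `uses: easy-up/portage-cd-actions/image-build-scan-publish/docker@<full-commit-sha> # debug-deploy-job`. With `image_build_enabled` and `image_scan_enabled` both set to `'false'` there is no image to publish, so `packages: write` can be dropped from `permissions` until publishing is actually turned on. Separately, `branches: [ '*' ]` and `tags: [ '*' ]` do not match refs containing a `/` (such as `feature/x`); use `'**'` if the intent is to scan every branch and tag. The `with:` values are passed as the strings `'false'` rather than YAML booleans, which may well be what the action expects — worth confirming against its input definitions.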
48 changes: 25 additions & 23 deletions .portage.yml
@@ -1,39 +1,42 @@
# Base Configuration
version: "1"
imageTag: "ghcr.io/easy-up/gatecheck:latest" # The full image tag for the target container image (e.g. my-org/my-app:latest)
# gatecheck doesn't have an official Dockerfile
# imageTag: "ghcr.io/easy-up/gatecheck:latest" # The full image tag for the target container image (e.g. my-org/my-app:latest)
artifactDir: "artifacts" # Directory for generated artifacts (e.g. ./artifacts)
gatecheckBundleFilename: "gatecheck-bundle.tar.gz" # Filename for the gatecheck bundle (e.g. gatecheck-bundle.tar.gz)

# Image Build Configuration
# Image Build Configuration (gatecheck doesn't have an official Dockerfile)
imageBuild:
enabled: false # Enable/Disable the image build pipeline (true/false)
buildDir: "." # Build directory for image (e.g. ./cmd/portage)
buildDir: "." # Build directory for image (e.g. ./cmd/portage)
dockerfile: "Dockerfile" # Dockerfile to use (e.g. ./cmd/portage/Dockerfile)
platform: "" # Target platform (e.g. linux/amd64, linux/arm64)
target: "" # Target stage for multi-stage builds (e.g. build, test, publish)
cacheTo: "" # Cache export location (e.g. type=local,dest=path)
cacheFrom: "" # Cache import location (e.g. type=local,src=path)
squashLayers: false # Whether to squash layers (true/false)
args: {} # Build arguments (e.g. BUILD_ARGS=--build-arg=key=value)
platform: "" # Target platform (e.g. linux/amd64, linux/arm64)
target: "" # Target stage for multi-stage builds (e.g. build, test, publish)
cacheTo: "" # Cache export location (e.g. type=local,dest=path)
cacheFrom: "" # Cache import location (e.g. type=local,src=path)
squashLayers: false # Whether to squash layers (true/false)
args: {} # Build arguments (e.g. BUILD_ARGS=--build-arg=key=value)

# Image Scan Configuration
# Image Scan Configuration (gatecheck doesn't have an official Dockerfile)
imageScan:
enabled: false # Enable/Disable the image scan pipeline (true/false)
syftFilename: "syft-sbom-report.json" # Filename for the syft sbom report (e.g. syft-sbom-report.json)
grypeConfigFilename: "" # Filename for the grype config (e.g. grype-config.json)
enabled: false # Enable/Disable the image scan pipeline (true/false)
syftFilename: "syft-sbom-report.json" # Filename for the syft sbom report (e.g. syft-sbom-report.json)
grypeConfigFilename: "" # Filename for the grype config (e.g. grype-config.json)
grypeFilename: "grype-vulnerability-report-full.json" # Filename for the grype vulnerability report (e.g. grype-vulnerability-report-full.json)
clamavFilename: "clamav-virus-report.txt" # Filename for the clamav virus report (e.g. clamav-virus-report.txt)
clamavFilename: "clamav-virus-report.txt" # Filename for the clamav virus report (e.g. clamav-virus-report.txt)

# Code Scan Configuration
codeScan:
enabled: true # Enable/Disable the code scan pipeline (true/false)
enabled: true # Enable/Disable the code scan pipeline (true/false)
gitleaksFilename: "gitleaks-secrets-report.json"
gitleaksSrcDir: "."
semgrepFilename: "semgrep-sast-report.json" # Filename for the semgrep sast report (e.g. semgrep-sast-report.json)
semgrepRules: "p/default" # Semgrep rules to use (e.g. p/default)
semgrepExperimental: false # Whether to use experimental semgrep rules (true/false)
coverageFile: "" #"coverage/cobertura-coverage.xml" # Externally generated code coverage file
semgrepSrcDir: "." # Target directory for semgrep scan (e.g. ./cmd/portage)
semgrepRules: "p/default" # Semgrep rules to use (e.g. p/default)
# This is overridden in the portage Dockerfile, but is set to false for runs on local systems
# where the standard Python semgrep is installed
semgrepExperimental: false # Whether to use the experimental semgrep CLI (true/false)
coverageFile: "" # "coverage/cobertura-coverage.xml" # Externally generated code coverage file
semgrepSrcDir: "." # Target directory for semgrep scan (e.g. ./cmd/portage)

# Image Publish Configuration
imagePublish:
Expand All @@ -42,9 +45,8 @@ imagePublish:

# Deploy Configuration
deploy:
enabled: true # Enable/Disable the deploy pipeline (true/false). When true, the .gatecheck.yml file is used, otherwise the default gatecheck config is used.
gatecheckConfigFilename: ".custom-gatecheck.yml" # Filename for gatecheck config (e.g. gatecheck-config.json)
submit: false # Whether to submit the artifacts to the configured API endpoint (true/false)
enabled: false # Enable/Disable the deploy pipeline (true/false). When true, the .gatecheck.yml file is used, otherwise the default gatecheck config is used.
gatecheckConfigFilename: ".custom-gatecheck.yml" # Filename for gatecheck config (e.g. gatecheck-config.json)
successWebhooks:
- url: "http://localhost:5168/Build/SubmitArtifacts" # Using the same endpoint from .custom-gatecheck.yml for consistency
- url: "https://belay-api.dev.holomuatech.online/Build/SubmitArtifacts" # Using the same endpoint from .custom-gatecheck.yml for consistency
authorizationVar: "DEPLOY_WEBHOOK_AUTH_TOKEN" # Environment variable containing the auth token
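Review bot: The comment on the new `successWebhooks` entry still reads `Using the same endpoint from .custom-gatecheck.yml for consistency`, which was written for the `localhost:5168` URL it replaces; unless `.custom-gatecheck.yml` was updated to the `belay-api.dev.holomuatech.online` endpoint in the same commit (not visible here), the comment is now misleading and should be dropped or reworded to say where the endpoint is defined. The `enabled` comment on `deploy` likewise still names `.gatecheck.yml` while `gatecheckConfigFilename` is `.custom-gatecheck.yml`; suggest `enabled: false # Enable/Disable the deploy pipeline (true/false). When true, the file named by gatecheckConfigFilename is used, otherwise the default gatecheck config is used.`. Since the artifacts this webhook presumably submits include the gitleaks secrets report configured under `codeScan`, it is worth confirming that the webhook is not fired while `deploy.enabled` is `false`, and that `DEPLOY_WEBHOOK_AUTH_TOKEN` is injected from CI secrets rather than any committed file. The `deploy` mapping may continue past the last line of this hunk.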