
Commit dc41381

author
Your Name
committed
Refactor biogears-complete-pipeline.yml to streamline security processes and remove JFrog Artifactory integration. Enhance SBOM generation and vulnerability scanning, while consolidating demo materials for supply chain security. Update reporting mechanisms for comprehensive progress tracking.
1 parent 7eaed1c commit dc41381

31 files changed

+1783
-938
lines changed

.github/workflows/biogears-complete-pipeline.yml

Lines changed: 1232 additions & 938 deletions

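--- a/docker/arm64/Dockerfile.builder
+++ b/docker/arm64/Dockerfile.builder
@@ -0,0 +1,9 @@
+FROM biogears-arm64-external:latest
+WORKDIR /opt/biogears
+COPY . .
+RUN mkdir -p build/artifacts/lib build/artifacts/bin
+WORKDIR /opt/biogears/build
+RUN cmake -DCMAKE_INSTALL_PREFIX=/opt/biogears/build/install -DARA_Biogears_BUILD_JAVATOOLS=OFF -DARA_Biogears_BUILD_HOWTOS=ON -DCMAKE_BUILD_TYPE=Release .. && make -j4
+RUN make install
+RUN mkdir -p /artifacts/lib /artifacts/bin
+RUN cp -r install/lib/* /artifacts/lib/ && cp -r install/bin/* /artifacts/bin/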
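Review bot: The base image on line 1 is pulled by the mutable tag `biogears-arm64-external:latest`, so two builds of this file can start from different images and the build attestation introduced elsewhere in this commit cannot tie the produced artifacts to a fixed base; pin it as `FROM biogears-arm64-external@sha256:<DIGEST_PLACEHOLDER>` (or at least an immutable version tag) and record that digest in the provenance. `COPY . .` on line 3 also ships the entire build context, including `.git` and any local credential files, into the image layer unless a `.dockerignore` not shown here excludes them; copying only the directories the build needs, as docker/modified/Dockerfile.direct already does, would be the safer pattern. The same `:latest` base appears in docker/modified/Dockerfile.builder and docker/modified/Dockerfile.local.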

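--- a/docker/arm64/Dockerfile.external
+++ b/docker/arm64/Dockerfile.external
@@ -0,0 +1,2 @@
+FROM ubuntu:20.04
+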
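Review bot: `FROM ubuntu:20.04` is the only instruction, yet docker/arm64/Dockerfile.builder in this same commit runs cmake and make on top of `biogears-arm64-external`, which this file never installs a toolchain for; presumably the package installation is still to come or was lost, and a comment stating what this image is meant to provide would help. Ubuntu 20.04 is at the end of its standard-support window, so a base pulled from it will carry unpatched findings that the `max_critical = 0` container-scan policy in this commit is likely to reject; a currently supported LTS pinned by digest, e.g. `FROM ubuntu:22.04@sha256:<DIGEST_PLACEHOLDER>`, avoids both the mutable tag and the support gap.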

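--- a/docker/modified/Dockerfile.builder
+++ b/docker/modified/Dockerfile.builder
@@ -0,0 +1,6 @@
+FROM localhost/biogears-amd64-external:latest
+RUN git clone https://github.com/BioGearsEngine/core.git && mkdir core/build
+WORKDIR core/build
+RUN cmake -DCMAKE_INSTALL_PREFIX=/opt/biogears/usr -DARA_Biogears_BUILD_JAVATOOLS=OFF -DARA_Biogears_BUILD_HOWTOS=ON -DCMAKE_BUILD_TYPE=Release .. && make -j4
+WORKDIR runtime
+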
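Review bot: Line 2 clones `https://github.com/BioGearsEngine/core.git` at whatever the default branch points to when the image is built, so the compiled source is not pinned and the `commit_hash` field that the build-attestation policy in this commit requires cannot be derived from this Dockerfile. Pin the checkout, e.g. `RUN git clone https://github.com/BioGearsEngine/core.git && git -C core checkout <COMMIT_PLACEHOLDER> && mkdir core/build`, or take the revision as a build `ARG` that the pipeline records alongside the attestation. `WORKDIR runtime` on line 5 resolves relative to `core/build`; if that is intended, a one-line comment saying so would save the next reader a guess.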

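--- a/docker/modified/Dockerfile.direct
+++ b/docker/modified/Dockerfile.direct
@@ -0,0 +1,17 @@
+FROM 4d8e34c48c57
+RUN mkdir -p /artifacts/lib /artifacts/bin /opt/biogears/core
+WORKDIR /opt/biogears/core
+# Copy only what we need to build BioGears
+COPY ./CMakeLists.txt ./
+COPY ./cmake ./cmake/
+COPY ./projects ./projects/
+COPY ./share ./share/
+# Build BioGears
+RUN mkdir -p build
+WORKDIR /opt/biogears/core/build
+RUN cmake -DCMAKE_INSTALL_PREFIX=/opt/biogears/build/install -DARA_Biogears_BUILD_JAVATOOLS=OFF -DARA_Biogears_BUILD_HOWTOS=ON -DCMAKE_BUILD_TYPE=Release .. && make -j4
+RUN make install
+# Copy artifacts to standard location
+RUN mkdir -p /artifacts/lib /artifacts/bin
+RUN cp -r install/lib/* /artifacts/lib/ || true
+RUN cp -r install/bin/* /artifacts/bin/ || true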
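Review bot: The `|| true` on lines 16 and 17 turns a missing or partial install tree into a silently empty `/artifacts`, so a broken `make install` still produces a "successful" image that the SBOM and signing steps downstream would then attest; drop the `|| true` (the `mkdir -p` on line 15 already makes the destination safe) so the build fails where the problem is. `FROM 4d8e34c48c57` on line 1 references a local image ID that exists only on the machine that produced it, so this file cannot be built on a clean runner; a registry-qualified `image@sha256:<DIGEST_PLACEHOLDER>` gives the same immutability portably. docker/modified/Dockerfile.local repeats the `|| true` on its lines 16 and 17.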

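--- a/docker/modified/Dockerfile.local
+++ b/docker/modified/Dockerfile.local
@@ -0,0 +1,17 @@
+FROM biogears-amd64-external:latest as builder
+RUN mkdir -p /artifacts/lib /artifacts/bin /opt/biogears/core
+WORKDIR /opt/biogears/core
+# Copy only what we need to build BioGears
+COPY ./CMakeLists.txt ./
+COPY ./cmake ./cmake/
+COPY ./projects ./projects/
+COPY ./share ./share/
+# Build BioGears
+RUN mkdir -p build
+WORKDIR /opt/biogears/core/build
+RUN cmake -DCMAKE_INSTALL_PREFIX=/opt/biogears/build/install -DARA_Biogears_BUILD_JAVATOOLS=OFF -DARA_Biogears_BUILD_HOWTOS=ON -DCMAKE_BUILD_TYPE=Release .. && make -j4
+RUN make install
+# Copy artifacts to standard location
+RUN mkdir -p /artifacts/lib /artifacts/bin
+RUN cp -r install/lib/* /artifacts/lib/ || true
+RUN cp -r install/bin/* /artifacts/bin/ || true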
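Review bot: The stage is named `as builder` on line 1 but the file ends without a second stage, so the name is never used and the final image carries the full source tree, build directory and toolchain alongside `/artifacts`, which inflates both the image and the surface that the container scan has to evaluate. Either add a minimal runtime stage that does `COPY --from=builder /artifacts /artifacts`, or drop `as builder` so readers do not look for a stage that is not there.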
Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,71 @@
1+
package build_attestation
2+
3+
# Required build metadata fields
4+
required_fields = {
5+
"builder_id",
6+
"build_type",
7+
"source_repo",
8+
"commit_hash",
9+
"build_timestamp",
10+
"build_platform"
11+
}
12+
13+
# Check if all required fields are present
14+
has_required_fields {
15+
field := required_fields[_]
16+
input[field]
17+
}
18+
19+
missing_fields[field] {
20+
field := required_fields[_]
21+
not input[field]
22+
}
23+
24+
# Verify the build type is allowed
25+
allowed_build_types = {"Release", "Debug"}
26+
27+
has_valid_build_type {
28+
input.build_type == allowed_build_types[_]
29+
}
30+
31+
# Verify the build platform is allowed
32+
allowed_platforms = {"linux", "macos", "windows"}
33+
34+
has_valid_platform {
35+
input.build_platform == allowed_platforms[_]
36+
}
37+
38+
# Deny reasons
39+
deny[msg] {
40+
count(missing_fields) > 0
41+
msg := sprintf("Missing required build metadata fields: %v", [missing_fields])
42+
}
43+
44+
deny[msg] {
45+
not has_valid_build_type
46+
msg := sprintf("Invalid build type: %s. Allowed types: %v", [input.build_type, allowed_build_types])
47+
}
48+
49+
deny[msg] {
50+
not has_valid_platform
51+
msg := sprintf("Invalid build platform: %s. Allowed platforms: %v", [input.build_platform, allowed_platforms])
52+
}
53+
54+
# Build attestation is valid if there are no violations
55+
valid {
56+
count(deny) == 0
57+
}
58+
59+
# Generate an attestation statement
60+
attestation[result] {
61+
result := {
62+
"valid": valid,
63+
"builder_id": input.builder_id,
64+
"build_type": input.build_type,
65+
"source_repo": input.source_repo,
66+
"commit_hash": input.commit_hash,
67+
"build_timestamp": input.build_timestamp,
68+
"build_platform": input.build_platform,
69+
"timestamp": time.now_ns()
70+
}
71+
}
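Review bot: `has_required_fields` on lines 14-17 is an existential check — it is true as soon as any one of `required_fields` appears in `input` — which contradicts its comment and would accept an input carrying a single field; since `missing_fields` already computes the complement, define it as `has_required_fields { count(missing_fields) == 0 }`. The policy also only requires that `builder_id` and `source_repo` exist, not that they match the expected builder and repository, so any input supplying the six keys with a permitted `build_type` and `build_platform` is `valid`; an allow-list for those two fields (the expected values are not on this page) is what turns this from a schema check into provenance verification. The `attestation` rule on lines 60-71 is undefined whenever any referenced input field is absent, so a failing input yields no attestation object at all rather than one with `"valid": false`, which is presumably not intended. This section is rendered without a file path, so I cannot confirm where the policy lives.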
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
MEYCIQD+q235MkwR+vh1/ts80nEDiENqAGDHOLlR1YjXVIyO9wIhAOOb0sP9PG935KCkDv4KDaauc9uczjfDK+H035ilovKi
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
package container_scan
2+
3+
# Maximum allowed counts for different vulnerability severities
4+
max_critical = 0
5+
max_high = 5
6+
max_medium = 20
7+
8+
# Count vulnerabilities by severity
9+
critical_count = count {
10+
count = count([v | v = input.Results[_].Vulnerabilities[_]; v.Severity == "CRITICAL"])
11+
}
12+
13+
high_count = count {
14+
count = count([v | v = input.Results[_].Vulnerabilities[_]; v.Severity == "HIGH"])
15+
}
16+
17+
medium_count = count {
18+
count = count([v | v = input.Results[_].Vulnerabilities[_]; v.Severity == "MEDIUM"])
19+
}
20+
21+
# Vulnerability policy violations
22+
violations[msg] {
23+
critical_count > max_critical
24+
msg := sprintf("Critical vulnerabilities found: %d (maximum allowed: %d)", [critical_count, max_critical])
25+
}
26+
27+
violations[msg] {
28+
high_count > max_high
29+
msg := sprintf("High vulnerabilities found: %d (maximum allowed: %d)", [high_count, max_high])
30+
}
31+
32+
violations[msg] {
33+
medium_count > max_medium
34+
msg := sprintf("Medium vulnerabilities found: %d (maximum allowed: %d)", [medium_count, max_medium])
35+
}
36+
37+
# Image scan is compliant if there are no violations
38+
compliant {
39+
count(violations) == 0
40+
}
41+
42+
# Generate an attestation statement
43+
attestation[result] {
44+
result := {
45+
"compliant": compliant,
46+
"critical_vulnerabilities": critical_count,
47+
"high_vulnerabilities": high_count,
48+
"medium_vulnerabilities": medium_count,
49+
"timestamp": time.now_ns()
50+
}
51+
}
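Review bot: Lines 9-11, 13-15 and 17-19 assign to a body variable named `count` and call the `count` builtin in the same expression (`count = count([...])`), then use that variable as the rule head value; even if the OPA version in use tolerates the shadowing, it is easy to misread and easy to break. Replace each with one complete rule, e.g. `critical_count := count([v | v := input.Results[_].Vulnerabilities[_]; v.Severity == "CRITICAL"])`, and likewise for `high_count` and `medium_count`. Findings with severities other than CRITICAL, HIGH and MEDIUM are not counted anywhere, which is consistent with the thresholds but worth a comment near line 3 so readers do not expect LOW or UNKNOWN results to surface in the attestation. This section is rendered without a file path.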
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
MEUCIQCupLJeYyQzabDOtQEWjWCSFKt/5OXNySVZAVcAHzoYjgIgYVqOrXejeXLSgeretdFQVHpyRpG/nd5XD7mFiaq+fqY=
