add defectdojo support

Author: alekseikulik

.circleci/config.yml

@@ -1,4 +1,13 @@
 version: 2.1
+infra_container: &infra_container
+  eu.gcr.io/cirro-io/swissknife@sha256:1dceb221bfc058c4ba22fe4dcbf4f30dfdc10951bc2293d5c53aebc4f87037f3
+
+# Configure authentication in private registry
+infra_container_registry_auth:
+  &infra_container_registry_auth
+    auth:
+      username: _json_key # default username when using a JSON key file to authenticate
+      password: $GOOGLE_JSON_KEY
 
 jobs:
   build:
@@ -25,6 +34,7 @@ jobs:
       - run:
           name: Check code style
           command: bundle exec rubocop
+
   deploy:
     docker:
       - image: circleci/ruby:2.7.1-node
@@ -56,6 +66,63 @@ jobs:
             gem push cirro-ruby-client-$version.gem
             shred -u ~/.gem/credentials
 
+  defectdojo:
+    docker:
+      - image: *infra_container
+        <<: *infra_container_registry_auth
+    environment:
+      - DEFECTDOJO_URL: defectdojo.testcloud.io
+      - DEFECTDOJO_PRODUCT: Cirro Ruby Client
+      - DEFECTDOJO_ENG_NAME: CircleCI Scan
+    steps:
+      - checkout
+      - run: 
+          name: Setup access to GCP
+          command: |
+            echo $GOOGLE_JSON_KEY > ${HOME}/gcloud-service-key.json && \
+            gcloud auth activate-service-account --key-file=${HOME}/gcloud-service-key.json
+            gcloud auth configure-docker
+      - run:
+          name: Scans
+          command: |
+            unset GITHUB_TOKEN && trivy fs --exit-code 0 --no-progress --ignorefile .trivyignore-fake --format json --output filesystem-scan.json .
+            gitleaks detect --no-git --exit-code 0 --report-format json --report-path gitleaks.json
+      - run:
+          name: Send data to DefectDojo
+          command: |
+            export DEFECTDOJO_TOKEN=$(gcloud secrets versions access latest \
+            --secret="defectdojo_token" \
+            --project=cirro-io \
+            --quiet)
+
+            # Send Trivy filesystem scan
+            curl --fail --request POST https://$DEFECTDOJO_URL/api/v2/reimport-scan/ \
+            --header "Authorization: Token $DEFECTDOJO_TOKEN" \
+            --form "active=true" \
+            --form "auto_create_context=true" \
+            --form "branch_tag=${CIRCLE_BRANCH}" \
+            --form "commit_hash=${CIRCLE_SHA1}" \
+            --form "close_old_findings=true" \
+            --form "scan_type=Trivy Scan" \
+            --form "test_title=Trivy application scan" \
+            --form "engagement_name=${DEFECTDOJO_ENG_NAME}" \
+            --form "product_name=${DEFECTDOJO_PRODUCT}" \
+            --form "[email protected]"
+
+            # Send Gitleaks scan
+            curl --fail --request POST https://$DEFECTDOJO_URL/api/v2/reimport-scan/ \
+            --header "Authorization: Token $DEFECTDOJO_TOKEN" \
+            --form "active=true" \
+            --form "auto_create_context=true" \
+            --form "branch_tag=${CIRCLE_BRANCH}" \
+            --form "commit_hash=${CIRCLE_SHA1}" \
+            --form "close_old_findings=true" \
+            --form "scan_type=Gitleaks Scan" \
+            --form "test_title=Gitleaks Scan" \
+            --form "engagement_name=${DEFECTDOJO_ENG_NAME}" \
+            --form "product_name=${DEFECTDOJO_PRODUCT}" \
+            --form "[email protected]"
+
 workflows:
   version: 2
   deploy_the_gem:
@@ -68,3 +135,8 @@ workflows:
             branches:
               only:
                 - master
+      - defectdojo:
+          filters:
+            branches:
+              only:
+                - master