|
1 | 1 | version: 2.1
|
| 2 | +infra_container: &infra_container |
| 3 | + eu.gcr.io/cirro-io/swissknife@sha256:1dceb221bfc058c4ba22fe4dcbf4f30dfdc10951bc2293d5c53aebc4f87037f3 |
| 4 | + |
| 5 | +# Configure authentication in private registry |
| 6 | +infra_container_registry_auth: |
| 7 | + &infra_container_registry_auth |
| 8 | + auth: |
| 9 | + username: _json_key # default username when using a JSON key file to authenticate |
| 10 | + password: $GOOGLE_JSON_KEY |
2 | 11 |
|
3 | 12 | jobs:
|
4 |
| - build: |
| 13 | + test: |
5 | 14 | docker:
|
6 | 15 | - image: circleci/ruby:2.7.1-node
|
7 | 16 | environment:
|
|
25 | 34 | - run:
|
26 | 35 | name: Check code style
|
27 | 36 | command: bundle exec rubocop
|
| 37 | + |
28 | 38 | deploy:
|
29 | 39 | docker:
|
30 | 40 | - image: circleci/ruby:2.7.1-node
|
@@ -56,14 +66,76 @@ jobs:
|
56 | 66 | gem push cirro-ruby-client-$version.gem
|
57 | 67 | shred -u ~/.gem/credentials
|
58 | 68 |
|
| 69 | + defectdojo: |
| 70 | + docker: |
| 71 | + - image: *infra_container |
| 72 | + <<: *infra_container_registry_auth |
| 73 | + environment: |
| 74 | + - DEFECTDOJO_URL: defectdojo.testcloud.io |
| 75 | + - DEFECTDOJO_PRODUCT: Cirro Ruby Client |
| 76 | + - DEFECTDOJO_ENG_NAME: CircleCI Scan |
| 77 | + steps: |
| 78 | + - checkout |
| 79 | + - run: |
| 80 | + name: Setup access to GCP |
| 81 | + command: | |
| 82 | + echo $GOOGLE_JSON_KEY > ${HOME}/gcloud-service-key.json && \ |
| 83 | + gcloud auth activate-service-account --key-file=${HOME}/gcloud-service-key.json |
| 84 | + gcloud auth configure-docker |
| 85 | + - run: |
| 86 | + name: Scans |
| 87 | + command: | |
| 88 | + unset GITHUB_TOKEN && trivy fs --exit-code 0 --no-progress --ignorefile .trivyignore-fake --format json --output filesystem-scan.json . |
| 89 | + gitleaks detect --no-git --exit-code 0 --report-format json --report-path gitleaks.json |
| 90 | + - run: |
| 91 | + name: Send data to DefectDojo |
| 92 | + command: | |
| 93 | + export DEFECTDOJO_TOKEN=$(gcloud secrets versions access latest \ |
| 94 | + --secret="defectdojo_token" \ |
| 95 | + --project=cirro-io \ |
| 96 | + --quiet) |
| 97 | +
|
| 98 | + # Send Trivy filesystem scan |
| 99 | + curl --fail --request POST https://$DEFECTDOJO_URL/api/v2/reimport-scan/ \ |
| 100 | + --header "Authorization: Token $DEFECTDOJO_TOKEN" \ |
| 101 | + --form "active=true" \ |
| 102 | + --form "auto_create_context=true" \ |
| 103 | + --form "branch_tag=${CIRCLE_BRANCH}" \ |
| 104 | + --form "commit_hash=${CIRCLE_SHA1}" \ |
| 105 | + --form "close_old_findings=true" \ |
| 106 | + --form "scan_type=Trivy Scan" \ |
| 107 | + --form "test_title=Trivy application scan" \ |
| 108 | + --form "engagement_name=${DEFECTDOJO_ENG_NAME}" \ |
| 109 | + --form "product_name=${DEFECTDOJO_PRODUCT}" \ |
| 110 | + |
| 111 | +
|
| 112 | + # Send Gitleaks scan |
| 113 | + curl --fail --request POST https://$DEFECTDOJO_URL/api/v2/reimport-scan/ \ |
| 114 | + --header "Authorization: Token $DEFECTDOJO_TOKEN" \ |
| 115 | + --form "active=true" \ |
| 116 | + --form "auto_create_context=true" \ |
| 117 | + --form "branch_tag=${CIRCLE_BRANCH}" \ |
| 118 | + --form "commit_hash=${CIRCLE_SHA1}" \ |
| 119 | + --form "close_old_findings=true" \ |
| 120 | + --form "scan_type=Gitleaks Scan" \ |
| 121 | + --form "test_title=Gitleaks Scan" \ |
| 122 | + --form "engagement_name=${DEFECTDOJO_ENG_NAME}" \ |
| 123 | + --form "product_name=${DEFECTDOJO_PRODUCT}" \ |
| 124 | + |
| 125 | +
|
59 | 126 | workflows:
|
60 | 127 | version: 2
|
61 | 128 | deploy_the_gem:
|
62 | 129 | jobs:
|
63 |
| - - build |
| 130 | + - test |
64 | 131 | - deploy:
|
65 | 132 | requires:
|
66 |
| - - build |
| 133 | + - test |
| 134 | + filters: |
| 135 | + branches: |
| 136 | + only: |
| 137 | + - master |
| 138 | + - defectdojo: |
67 | 139 | filters:
|
68 | 140 | branches:
|
69 | 141 | only:
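Review bot: The defectdojo job writes the service-account key to `${HOME}/gcloud-service-key.json` (new lines 82–83) and never removes it, whereas the deploy job in the previous hunk shreds its credentials file once it is done (`shred -u ~/.gem/credentials`, new line 67), so the key stays on the container filesystem for the rest of the job. Adding `shred -u "${HOME}/gcloud-service-key.json"` directly after the `gcloud auth activate-service-account` line keeps the two jobs consistent, and quoting the expansion as `echo "$GOOGLE_JSON_KEY" > "${HOME}/gcloud-service-key.json"` avoids the shell word-splitting and glob-expanding the JSON before it is written. Both scanners run with `--exit-code 0` (new lines 88–89), so findings never fail the job and the only gate is whatever DefectDojo reports; if that is intended, a one-line comment above the Scans step such as `# Scans never fail the build; triage happens in DefectDojo` would stop a later reader from assuming the job blocks on results. The `.trivyignore-fake` filename reads like a placeholder — if no ignore file is meant to apply, dropping the flag or commenting why it is there would be clearer.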
|
|