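---
# DevSecOps Workflow Definition
# This workflow is triggered on every push to the repository and can also be
# started manually (workflow_dispatch). Lint and unit tests run for every push;
# the DevGuard jobs build, scan, sign, attest and deploy the scanner image, and
# the release-only jobs (deploy, sign, attest) are gated on the main branch or
# a tag ref.
#
# NOTE(review): every reusable workflow below is referenced via the mutable
# `@main` ref of l3montree-dev/devguard-action. Pinning to a tag or commit SHA
# would make the build/scan/deploy path reproducible and resistant to upstream
# changes; the SHA to pin is not known from this file, so it is left as-is.
name: DevGuard-Workflow

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it, generic
# parsers read it as `true` (suppress yamllint `truthy` here if it complains).
on:
  workflow_dispatch:
  push:

jobs:
  # Static analysis of the Go sources.
  golangci:
    name: lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - uses: actions/setup-go@v5
        with:
          go-version: '1.24'
          # setup-go's module cache is disabled here but not in `tests`;
          # presumably golangci-lint-action manages its own cache — confirm.
          cache: false
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v8
        with:
          args: --timeout=30m
          version: v2.1.6

  # Unit tests with a coverage report uploaded as a build artifact.
  tests:
    name: tests
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24'
      - name: Run unittests
        # Packages under /mocks are excluded from the test set and the
        # coverage profile.
        run: go test $(go list ./... | grep -v "/mocks") -coverprofile=coverage.out && go tool cover -func=coverage.out
      - name: Archive code coverage results
        uses: actions/upload-artifact@v4
        with:
          name: code-coverage
          path: coverage.out

  # Full DevGuard pipeline (SCA/SAST/build) for the main application image.
  # `should-deploy` uses the same main-or-tag gate as the scanner release jobs.
  devguard:
    uses: l3montree-dev/devguard-action/.github/workflows/full.yml@main
    with:
      asset-name: 'l3montree-cybersecurity/projects/devguard/assets/devguard'
      api-url: 'https://api.main.devguard.org'
      fail-on-risk: high
      fail-on-cvss: high
      should-deploy: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
      build-args: '--context=. --dockerfile=Dockerfile --build-arg GITHUB_REF_NAME=$GITHUB_REF_NAME'

  # Builds the scanner image from Dockerfile.scanner.
  build-scanner-image:
    uses: l3montree-dev/devguard-action/.github/workflows/build-image.yml@main
    with:
      artifact-name: 'scanner'
      asset-name: 'l3montree-cybersecurity/projects/devguard/assets/devguard'
      api-url: 'https://api.main.devguard.org'
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
      build-args: '--context=. --dockerfile=Dockerfile.scanner'

  # Image scanning job to detect vulnerabilities in the built Docker image
  scanner-container-scanning:
    needs:
      - build-scanner-image
    uses: l3montree-dev/devguard-action/.github/workflows/container-scanning.yml@main
    with:
      asset-name: 'l3montree-cybersecurity/projects/devguard/assets/devguard'
      api-url: 'https://api.main.devguard.org'
      artifact-name: 'scanner'
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

  # Deploys the scanner image. The gate is identical to sign-scanner,
  # attest-scanner and devguard's `should-deploy`, so a deploy can only happen
  # from a ref on which the image is also signed and attested (previously a
  # troubleshooting branch was allowed here alone, which deployed an unsigned,
  # unattested image).
  # NOTE(review): sign-scanner/attest-scanner are not in `needs`, so deploy may
  # finish before signing/attestation completes; add them to `needs` if that
  # ordering is required — confirm with the deploy workflow's expectations.
  deploy-scanner:
    needs:
      - build-scanner-image
      - scanner-container-scanning
      - devguard
    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
    uses: l3montree-dev/devguard-action/.github/workflows/deploy.yml@main
    with:
      artifact-name: 'scanner'
      asset-name: 'l3montree-cybersecurity/projects/devguard/assets/devguard'
      api-url: 'https://api.main.devguard.org'
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

  # Signs the scanner image; release refs only.
  sign-scanner:
    needs:
      - build-scanner-image
      - scanner-container-scanning
      - devguard
    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
    uses: l3montree-dev/devguard-action/.github/workflows/sign.yml@main
    with:
      asset-name: 'l3montree-cybersecurity/projects/devguard/assets/devguard'
      api-url: 'https://api.main.devguard.org'
      artifact-name: 'scanner'
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

  # Produces an attestation for the scanner image. Unlike sign-scanner and
  # deploy-scanner it carries no `if`, so it runs (after its `needs`) on every
  # push, as in the original definition.
  attest-scanner:
    needs:
      - build-scanner-image
      - scanner-container-scanning
      - devguard
    uses: l3montree-dev/devguard-action/.github/workflows/attest.yml@main
    with:
      asset-name: 'l3montree-cybersecurity/projects/devguard/assets/devguard'
      api-url: 'https://api.main.devguard.org'
      artifact-name: 'scanner'
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}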