Commit 170af2da authored by HUA YUEN HUI's avatar HUA YUEN HUI Committed by GitHub Enterprise

Add Cra v2 (#14)

parent e2f92792
......@@ -172,20 +172,6 @@ services:
PROD_RESOURCE_GROUP: "{{form.pipeline.parameters.prod-resource-group}}"
PROD_CLUSTER_NAME: "{{form.pipeline.parameters.prod-cluster-name}}"
PROD_CLUSTER_NAMESPACE: "{{form.pipeline.parameters.prod-cluster-namespace}}"
APP_REPO_FULL: >
if ( $env.source_provider === 'githubconsolidated' ) {
"https://github.com/{{services.repo.parameters.owner_id}}/{{services.repo.parameters.repo_name}}";
} else if ( $env.source_provider === 'hostedgit' && $env.env_id === 'ibm:yp:au-syd' ) {
"https://au-syd.git.cloud.ibm.com/{{services.repo.parameters.owner_id}}/{{services.repo.parameters.repo_name}}"
} else if ( $env.source_provider === 'gitlab' ) {
"https://gitlab.com/{{services.repo.parameters.owner_id}}/{{services.repo.parameters.repo_name}}";
} else if ( $env.source_provider === 'bitbucketgit' ) {
"https://bitbucket.org/{{services.repo.parameters.owner_id}}/{{services.repo.parameters.repo_name}}";
} else if ( $env.source_provider === 'github_integrated' ) {
"https://github.ibm.com/{{services.repo.parameters.owner_id}}/{{services.repo.parameters.repo_name}}";
} else {
"https://us-south.git.cloud.ibm.com/{{services.repo.parameters.owner_id}}/{{services.repo.parameters.repo_name}}"
}
PIPELINE_REPO: pipeline-repo
PIPELINE_REPO_BRANCH: >
$env.branch ? $env.branch :
......
......@@ -121,102 +121,17 @@ spec:
value: $(tasks.git-clone.results.git-branch)
- name: git-commit
value: $(tasks.git-clone.results.git-commit)
- name: cra-discovery-scan
- name: code-risk-analyzer
runAfter:
- git-clone
taskRef:
name: cra-discovery
workspaces:
- name: artifacts
workspace: pipeline-ws
name: cra-v2-cra
params:
- name: repository
value: $(tasks.extract-repository-url.results.extracted-value)
- name: revision
value: $(params.branch)
- name: commit-id
value: $(tasks.git-clone.results.git-commit)
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: directory-name
value: ""
- name: commit-timestamp
value: $(params.commit-timestamp)
- name: code-vulnerability-scan
runAfter:
- cra-discovery-scan
taskRef:
name: cra-vulnerability-remediation
workspaces:
- name: artifacts
workspace: pipeline-ws
- name: secrets
workspace: pipeline-ws
params:
- name: repository
value: $(tasks.extract-repository-url.results.extracted-value)
- name: revision
value: $(params.branch)
- name: pr-url
value: $(params.pr-url)
- name: commit-id
value: $(tasks.git-clone.results.git-commit)
- name: scm-type
value: $(params.scm-type)
- name: project-id
value: $(params.project-id)
- name: cra-cis-check
taskRef:
name: cra-cis-check
runAfter:
- cra-discovery-scan
workspaces:
- name: secrets
workspace: pipeline-ws
- name: artifacts
workspace: pipeline-ws
params:
- name: repository
value: $(tasks.extract-repository-url.results.extracted-value)
- name: revision
value: $(params.branch)
- name: pr-url
value: $(params.pr-url)
- name: commit-id
value: $(tasks.git-clone.results.git-commit)
- name: directory-name
value: ""
- name: scm-type
value: $(params.scm-type)
- name: project-id
value: $(params.project-id)
- name: cra-bom
taskRef:
name: cra-bom
runAfter:
- cra-discovery-scan
workspaces:
- name: artifacts
workspace: pipeline-ws
- name: secrets
workspace: pipeline-ws
params:
- name: repository
value: $(tasks.extract-repository-url.results.extracted-value)
- name: revision
value: $(params.branch)
- name: pr-url
value: $(params.pr-url)
- name: commit-id
value: $(tasks.git-clone.results.git-commit)
- name: target-branch
value: $(params.branch)
- name: target-commit-id
value: $(tasks.git-clone.results.git-commit)
- name: scm-type
value: $(params.scm-type)
- name: project-id
value: $(params.project-id)
- name: docker-lint
runAfter: [git-clone]
taskRef:
......
---
apiVersion: tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: github-ent-pr-binding
spec:
params:
- name: target-repository
value: $(event.repository.html_url)
- name: target-commit-id
value: $(event.pull_request.base.sha)
- name: target-branch
value: $(event.pull_request.base.ref)
- name: pr-repository
value: $(event.pull_request.head.repo.clone_url)
- name: pr-branch
value: $(event.pull_request.head.ref)
- name: pr-commit-id
value: $(event.pull_request.head.sha)
- name: pr-commit-timestamp
value: $(event.pull_request.head.repo.pushed_at)
- name: pr-url
value: $(event.pull_request.url)
- name: pr-number
value: $(event.pull_request.number)
- name: pr-name
value: $(event.pull_request.user.login)
- name: scm-type
value: "github-ent"
---
apiVersion: tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: github-pr-binding
spec:
params:
- name: target-repository
value: $(event.repository.html_url)
- name: target-branch
- name: branch
value: $(event.pull_request.base.ref)
- name: target-commit-id
value: $(event.pull_request.base.sha)
- name: pr-repository
value: $(event.pull_request.head.repo.clone_url)
- name: commit-id
value: $(event.after)
- name: pr-branch
value: $(event.pull_request.head.ref)
- name: pr-commit-id
value: $(event.pull_request.head.sha)
- name: pr-commit-timestamp
value: $(event.pull_request.head.repo.pushed_at)
- name: pr-url
value: $(event.pull_request.url)
- name: pr-number
value: $(event.pull_request.number)
- name: pr-name
value: $(event.pull_request.user.login)
- name: scm-type
value: "github"
- name: pr-repository
value: $(event.pull_request.head.repo.html_url)
- name: repository
value: $(event.repository.html_url)
---
apiVersion: tekton.dev/v1beta1
kind: TriggerBinding
......@@ -63,27 +22,13 @@ metadata:
name: gitlab-pr-binding
spec:
params:
- name: target-repository
value: $(event.project.http_url)
- name: target-branch
- name: branch
value: $(event.object_attributes.target_branch)
- name: target-commit-id
value: $(event.merge_request.base.sha)
- name: pr-repository
value: "$(event.object_attributes.source.git_http_url)"
- name: commit-id
value: $(event.object_attributes.last_commit.id)
- name: pr-branch
value: $(event.object_attributes.source_branch)
- name: pr-commit-id
value: $(event.object_attributes.last_commit.id)
- name: pr-commit-timestamp
value: $(event.object_attributes.last_commit.timestamp)
- name: pr-url
value: $(event.object_attributes.url)
- name: pr-number
value: $(event.object_attributes.iid)
- name: pr-name
value: $(event.user.username)
- name: project-id
value: $(event.project.id)
- name: scm-type
value: "gitlab"
- name: pr-repository
value: $(event.object_attributes.source.http_url)
- name: repository
value: $(event.project.http_url)
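Review bot: In github-pr-binding the new `commit-id` param is bound to `$(event.after)`, but as far as I recall the GitHub pull_request payload carries `after` only on the `synchronize` action, so a binding resolved for an `opened` or `reopened` event would fail on a missing field, while `pr-commit-id` two entries below already reads `$(event.pull_request.head.sha)`, which is present on every pull_request action. Since the pipeline sets commit status on `$(params.commit-id)`, I would bind it to the same source: `value: $(event.pull_request.head.sha)`. The gitlab binding takes `commit-id` from `$(event.object_attributes.last_commit.id)`, identical to its `pr-commit-id`, so only the GitHub binding is affected. Note that the first hunk of this section (the one holding github-pr-binding) starts before its header is visible on this page.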
......@@ -5,8 +5,8 @@ metadata:
name: github-pr-listener
spec:
triggers:
- bindings:
- name: github-pr-binding
- bindings:
- name: github-pr-binding
template:
name: pr-template
---
......@@ -16,18 +16,7 @@ metadata:
name: gitlab-pr-listener
spec:
triggers:
- bindings:
- bindings:
- name: gitlab-pr-binding
template:
name: pr-template
---
apiVersion: tekton.dev/v1beta1
kind: EventListener
metadata:
name: github-ent-pr-listener
spec:
triggers:
- bindings:
- name: github-ent-pr-binding
template:
name: pr-template
......@@ -2,78 +2,125 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: pr-pipeline
name: pipeline-cra
spec:
params:
- name: target-repository
description: the git repo containing source code
- name: target-branch
description: branch
- name: target-commit-id
description: commit id in the target
- name: ibmcloud-api
description: The ibmcloud api
- name: ibmcloud-region
description: (Optional) ibmcloud region to use
- name: pipeline-debug
description: Toggles debug mode for the pipeline
- name: registry-region
description: (Optional) The ibmcloud container registry region
- name: resource-group
description: (Optional) Target resource group (name or id) for the ibmcloud login operation
# Event params
- name: branch
description: The git branch
- name: commit-id
description: commit id
- name: pr-branch
description: branch
- name: pr-commit-id
description: the git revision/commit for the git repo
default: ""
description: The branch in the forked git repo from where the PR is made
- name: pr-repository
description: pr repo
- name: pr-commit-timestamp
- name: pr-url
description: pr URL
- name: scm-type
- name: project-id
default: ""
- name: pipeline-debug
description: toggles debug mode for the pipeline
description: The forked git repo from where the PR is made
- name: repository
description: The git repo
# Common command related params
- name: custom-script
description: (Optional) A custom script to be ran prior to CRA scanning
- name: env-props
description: (Optional) A custom configuration of environment properties to source before execution, ex. 'export ABC=123 export DEF=456'
- name: fileignore
description: (Optional) Filepath to .fileignore
- name: ibmcloud-trace
description: (Optional) Enables IBMCLOUD_TRACE for ibmcloud cli logging
- name: output
description: (Optional) Prints command result to console
- name: path
description: Repository path to scan
- name: strict
description: (Optional) Enables strict mode for scanning
- name: toolchainid
description: (Optional) The target toolchain id to be used. Defaults to the current toolchain id
- name: verbose
description: (Optional) Enable verbose log messages
# BOM related params
- name: asset-type
description: Security checks to run (apps, image, os, all)
- name: bom-report
description: Filepath to store generated Bill of Materials. Default to `./bom.json`
- name: docker-build-flags
description: (Optional) Customize docker build command for build stage scanning
- name: docker-registry-url
description: Registry url to use for docker login
- name: docker-registry-username
description: Username to authenticate for docker-registry-url
- name: gradle-exclude-configs
description: (Optional) Exclude gradle configurations, ex. 'runtimeClasspath,testCompileClasspath'
- name: maven-exclude-scopes
description: (Optional) Exclude maven scopes, ex. 'test,compile'
- name: nodejs-create-package-lock
description: (Optional) Enable the task to build the package-lock.json for node.js projects
- name: prev-report
description: Filepath to previous BoM report to skip Dockerfile or application manifest scans
# Deploy Analytic related params
- name: deploy-report
description: Filepath to store generated Deploy Analytic report. Default to `./deploy.json`
# Vulnerability related params
- name: cveignore
description: (Optional) Filepath to cveignore
- name: exclude-dev
description: (Optional) Exclude dev dependencies during vulnerability scan
- name: vulnerability-report
description: Filepath to store Vulnerability report, not stored if empty. Default to `./vulnerability.json`
# User control params
- name: cra-scan-image
description: Image to use for `scan` task. Default to `icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.2`
workspaces:
- name: pipeline-ws
- name: artifacts
tasks:
- name: extract-repository-url
taskRef:
name: toolchain-extract-value
params:
- name: expression
# if a params.repository is given, it takes precedence
value: '. as $toolchain | ["$(params.repository)"] | if .[0]=="" then $toolchain | .services[] | select(.toolchain_binding.name=="repo") | .dashboard_url else .[0] end'
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: git-clone
taskRef:
name: git-clone-repo
params:
- name: branch
value: $(params.branch)
- name: continuous-delivery-context-secret
value: "secure-properties"
- name: ibmcloud-api
value: $(params.ibmcloud-api)
- name: ibmcloud-apikey-secret-key
value: "apikey"
- name: repository
value: $(params.target-repository)
- name: branch
value: $(params.target-branch)
- name: revision
value: $(params.target-commit-id)
- name: pr-repository
value: $(params.pr-repository)
- name: pr-branch
value: $(params.pr-branch)
- name: pr-revision
value: $(params.pr-commit-id)
- name: pipeline-debug
value: $(params.pipeline-debug)
workspaces:
- name: output
workspace: pipeline-ws
- name: unit-tests-status-pending
taskRef:
name: git-set-commit-status
workspaces:
- name: artifacts
workspace: pipeline-ws
params:
- name: pr-branch
value: $(params.pr-branch)
- name: pr-repository
value: $(params.pr-repository)
- name: repository
value: $(params.target-repository)
value: $(tasks.extract-repository-url.results.extracted-value)
- name: revision
value: $(params.pr-commit-id)
- name: context
value: "Unit tests"
- name: description
value: "Unit tests successfull"
- name: state
value: "pending"
- name: pipeline-debug
value: $(params.pipeline-debug)
value: $(params.commit-id)
workspaces:
- name: output
workspace: artifacts
- name: unit-tests
runAfter: [git-clone]
taskRef:
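Review bot: Most of the new entries under `spec.params` are described as "(Optional)" (`ibmcloud-region`, `registry-region`, `resource-group`, `custom-script`, `env-props`, `fileignore`, `strict`, `toolchainid`, `cveignore`, `exclude-dev`, ...) yet declare no `default:`, and Tekton treats a Pipeline param without a default as required, so every PipelineRun and the pr-template must supply all of them or the run is rejected at validation; `pr-commit-id` and `project-id` in the same list already carry `default: ""`, and the same line on each optional param would make them actually optional. Separately, the `expression` for `extract-repository-url` splices `$(params.repository)` textually into a jq program inside double quotes, and that value is bound from the webhook payload (`event.repository.html_url` / `event.project.http_url`), so a repository string containing `"` or a backslash breaks the expression at run time; if `toolchain-extract-value` can take the value as a jq variable instead of interpolating it, prefer that, otherwise add `# assumes params.repository contains no double quotes or backslashes` above the `value:` line so the constraint is visible. `pr-commit-timestamp` and `scm-type` are the only params left without a `description:`; `description: Push timestamp of the PR head commit` and `description: SCM type as set by the trigger binding (github or gitlab)` would bring them in line with the rest of the list.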
......@@ -88,283 +135,69 @@ spec:
fi
workspaces:
- name: artifacts
workspace: pipeline-ws
- name: cra-discovery-scan-pending
taskRef:
name: git-set-commit-status
workspaces:
- name: artifacts
workspace: pipeline-ws
params:
- name: repository
value: $(params.target-repository)
- name: revision
value: $(params.pr-commit-id)
- name: context
value: "Discovery"
- name: description
value: "Deep discovery completed"
- name: state
value: "pending"
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: cra-discovery-scan
runAfter:
- git-clone
- cra-discovery-scan-pending
taskRef:
name: cra-discovery
workspaces:
- name: artifacts
workspace: pipeline-ws
params:
- name: repository
value: $(params.pr-repository)
- name: revision
value: $(params.pr-branch)
- name: commit-id
value: $(params.pr-commit-id)
- name: commit-timestamp
value: $(params.pr-commit-timestamp)
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: directory-name
value: ""
- name: code-vulnerability-scan-status-pending
runAfter:
- git-clone
taskRef:
name: git-set-commit-status
workspaces:
- name: artifacts
workspace: pipeline-ws
params:
- name: state
value: pending
- name: description
value: "Vulnerability scan successfull"
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: context
value: "Vulnerability scan"
- name: repository
value: $(params.target-repository)
- name: revision
value: $(params.pr-commit-id)
- name: code-vulnerability-scan
runAfter:
- cra-discovery-scan
- code-vulnerability-scan-status-pending
taskRef:
name: cra-vulnerability-remediation
workspaces:
- name: artifacts
workspace: pipeline-ws
- name: secrets
workspace: pipeline-ws
params:
- name: repository
value: $(params.target-repository)
- name: revision
value: $(params.pr-branch)
- name: pr-url
value: $(params.pr-url)
- name: commit-id
value: $(params.pr-commit-id)
- name: scm-type
value: $(params.scm-type)
- name: project-id
value: $(params.project-id)
- name: code-cis-check-status-pending
runAfter:
- git-clone
taskRef:
name: git-set-commit-status
workspaces:
- name: artifacts
workspace: pipeline-ws
params:
- name: state
value: pending
- name: description
value: "CIS scan successfull"
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: context
value: "CIS scan"
- name: repository
value: $(params.target-repository)
- name: revision
value: $(params.pr-commit-id)
- name: cra-cis-check
taskRef:
name: cra-cis-check
runAfter:
- cra-discovery-scan
- code-cis-check-status-pending
workspaces:
- name: secrets
workspace: pipeline-ws
- name: artifacts
workspace: pipeline-ws
params:
- name: repository
value: $(params.target-repository)
- name: revision
value: $(params.pr-branch)
- name: pr-url
value: $(params.pr-url)
- name: commit-id
value: $(params.pr-commit-id)
- name: directory-name
value: ""
- name: scm-type
value: $(params.scm-type)
- name: project-id
value: $(params.project-id)
- name: code-bom-check-status-pending
workspace: artifacts
- name: code-risk-analyzer
runAfter:
- git-clone
taskRef:
name: git-set-commit-status
workspaces:
- name: artifacts
workspace: pipeline-ws
name: cra-v2-cra
params:
- name: state
value: pending
- name: description
value: "BOM check successfull"
- name: ibmcloud-api
value: $(params.ibmcloud-api)
- name: ibmcloud-region
value: $(params.ibmcloud-region)
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: context
value: "BOM check"
- name: repository
value: $(params.target-repository)
- name: revision
value: $(params.pr-commit-id)
- name: cra-bom
taskRef:
name: cra-bom
runAfter:
- cra-discovery-scan
- code-bom-check-status-pending
workspaces:
- name: artifacts
workspace: pipeline-ws
- name: secrets
workspace: pipeline-ws
params:
- name: repository
value: $(params.target-repository)
- name: revision
value: $(params.pr-branch)