Commit 2ac8990b authored by Anamika Agrawal's avatar Anamika Agrawal Committed by GitHub Enterprise

Merge pull request #51 from open-toolchain/feat/update-cra-v2

Update CRA to v2
parents dbb6188d 5b571c82
......@@ -126,108 +126,17 @@ spec:
workspaces:
- name: output
workspace: pipeline-ws
- name: cra-discovery-scan
- name: code-risk-analyzer
runAfter:
- build-source
taskRef:
name: cra-discovery
name: cra-v2-cra
workspaces:
- name: artifacts
workspace: pipeline-ws
params:
- name: repository
value: $(tasks.git-clone-application-repo.results.git-repository)
- name: revision
value: $(params.branch)
- name: commit-id
value: $(tasks.git-clone-application-repo.results.git-commit)
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: directory-name
value: ""
- name: commit-timestamp
value: $(params.commit-timestamp)
- name: code-vulnerability-scan
runAfter:
- cra-discovery-scan
taskRef:
name: cra-vulnerability-remediation
workspaces:
- name: artifacts
workspace: pipeline-ws
- name: secrets
workspace: pipeline-ws
params:
- name: repository
value: $(tasks.git-clone-application-repo.results.git-repository)
- name: source-repository
value: $(tasks.git-clone-application-repo.results.git-repository)
- name: revision
value: $(params.branch)
- name: pr-url
value: $(params.pr-url)
- name: commit-id
value: $(tasks.git-clone-application-repo.results.git-commit)
- name: scm-type
value: $(params.scm-type)
- name: project-id
value: $(params.project-id)
- name: cra-cis-check
taskRef:
name: cra-cis-check
runAfter:
- cra-discovery-scan
workspaces:
- name: secrets
workspace: pipeline-ws
- name: artifacts
workspace: pipeline-ws
params:
- name: repository
value: $(tasks.git-clone-application-repo.results.git-repository)
- name: source-repository
value: $(tasks.git-clone-application-repo.results.git-repository)
- name: revision
value: $(params.branch)
- name: pr-url
value: $(params.pr-url)
- name: commit-id
value: $(tasks.git-clone-application-repo.results.git-commit)
- name: directory-name
value: ""
- name: scm-type
value: $(params.scm-type)
- name: project-id
value: $(params.project-id)
- name: cra-bom
taskRef:
name: cra-bom
runAfter:
- cra-discovery-scan
workspaces:
- name: artifacts
workspace: pipeline-ws
- name: secrets
workspace: pipeline-ws
params:
- name: repository
value: $(tasks.git-clone-application-repo.results.git-repository)
- name: source-repository
value: $(tasks.git-clone-application-repo.results.git-repository)
- name: revision
value: $(params.branch)
- name: pr-url
value: $(params.pr-url)
- name: commit-id
value: $(tasks.git-clone-application-repo.results.git-commit)
- name: target-branch
value: $(params.branch)
- name: target-commit-id
value: $(tasks.git-clone-application-repo.results.git-commit)
- name: scm-type
value: $(params.scm-type)
- name: project-id
value: $(params.project-id)
- name: unit-tests
taskRef:
name: tester-run-tests
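Review bot: The replacement `code-risk-analyzer` task at the top of this hunk calls `cra-v2-cra` with only the `artifacts` workspace and, as far as the rendered view shows, almost none of the parameters that the `pr-pipeline` hunk later in this PR passes to the same task (`registry-region`, `docker-registry-url`, `asset-type`, `vulnerability-report`, …). If `cra-v2-cra` declares any of those params without a default this PipelineRun will fail param resolution, and if they all have defaults the two pipelines still silently diverge in what gets scanned and where reports land; either thread the same param set through here or add a comment on the task stating the intent, e.g. `# cra-v2-cra defaults are used for every scan option; only the workspace is wired here`. The `secrets` workspace that the removed `cra-vulnerability-remediation`, `cra-cis-check` and `cra-bom` tasks mounted is not mounted for the consolidated task, so confirm the v2 task obtains its credentials another way rather than finding an empty workspace at runtime. The `cra-discovery-scan` results chain is gone as well, so anything outside this view that referenced `$(tasks.cra-discovery-scan...)` or the per-scan `.results.status` values will need updating.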
---
apiVersion: tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: github-ent-pr-binding
spec:
params:
- name: branch
value: $(event.pull_request.head.ref)
- name: target-branch
value: $(event.pull_request.base.ref)
- name: commit-id
value: $(event.pull_request.head.sha)
- name: commit-timestamp
value: $(event.pull_request.head.repo.pushed_at)
- name: target-commit-id
value: $(event.pull_request.base.sha)
- name: pr-url
value: $(event.pull_request.url)
- name: pr-number
value: $(event.pull_request.number)
- name: pr-name
value: $(event.pull_request.user.login)
- name: repository
value: $(event.repository.html_url)
- name: scm-type
value: "github-ent"
---
apiVersion: tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: github-pr-binding
spec:
params:
- name: branch
value: $(event.pull_request.head.ref)
- name: target-branch
value: $(event.pull_request.base.ref)
- name: commit-id
value: $(event.pull_request.head.sha)
- name: commit-timestamp
value: $(event.pull_request.head.repo.pushed_at)
- name: target-commit-id
value: $(event.pull_request.base.sha)
- name: pr-url
value: $(event.pull_request.url)
- name: pr-number
value: $(event.pull_request.number)
- name: pr-name
value: $(event.pull_request.user.login)
value: $(event.after)
- name: pr-branch
value: $(event.pull_request.head.ref)
- name: pr-repository
value: $(event.pull_request.head.repo.html_url)
- name: repository
value: $(event.repository.html_url)
- name: scm-type
value: "github"
---
apiVersion: tekton.dev/v1beta1
kind: TriggerBinding
......@@ -60,24 +23,12 @@ metadata:
spec:
params:
- name: branch
value: $(event.object_attributes.source_branch)
- name: target-branch
value: $(event.object_attributes.target_branch)
- name: commit-id
value: $(event.object_attributes.last_commit.id)
- name: commit-timestamp
value: $(event.object_attributes.last_commit.timestamp)
- name: target-commit-id
value: $(event.merge_request.base.sha)
- name: pr-url
value: $(event.object_attributes.url)
- name: pr-number
value: $(event.object_attributes.iid)
- name: pr-name
value: $(event.user.username)
- name: project-id
value: $(event.project.id)
- name: scm-type
value: "gitlab"
- name: pr-branch
value: $(event.object_attributes.source_branch)
- name: pr-repository
value: $(event.object_attributes.source.http_url)
- name: repository
value: $(event.project.http_url)
value: $(event.project.http_url)
\ No newline at end of file
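Review bot: The gitlab binding now emits `pr-branch` and `pr-repository` from the merge-request payload but no longer emits `commit-id`, `pr-url`, `pr-number`, `scm-type` or `project-id`, while the `pr-pipeline` params hunk in this PR still appears to list `commit-id` and `scm-type` without a visible `default:`; if those survive on the new side, runs triggered by this binding will fail param resolution before any task starts. Either keep `- name: commit-id` / `value: $(event.object_attributes.last_commit.id)` in the binding or give the pipeline params a default. The fork URL carried in `pr-repository` (`$(event.object_attributes.source.http_url)`) is webhook-controlled input that the pipeline will clone and scan, so the EventListener's interceptor/token validation (outside this view) is what prevents an unauthenticated payload from pointing the pipeline at an arbitrary repository; worth confirming it is still wired now that the listeners are reorganised. The file still ends without a trailing newline (the duplicated `value: $(event.project.http_url)` line followed by `\ No newline at end of file`), so add one. The `github-ent-pr-binding` document also appears to be dropped from this file entirely, which the PR description ("update cra v2") does not mention.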
......@@ -5,8 +5,8 @@ metadata:
name: github-pr-listener
spec:
triggers:
- bindings:
- name: github-pr-binding
- bindings:
- name: github-pr-binding
template:
name: pr-template
---
......@@ -16,18 +16,7 @@ metadata:
name: gitlab-pr-listener
spec:
triggers:
- bindings:
- bindings:
- name: gitlab-pr-binding
template:
name: pr-template
---
apiVersion: tekton.dev/v1beta1
kind: EventListener
metadata:
name: github-ent-pr-listener
spec:
triggers:
- bindings:
- name: github-ent-pr-binding
template:
name: pr-template
name: pr-template
\ No newline at end of file
......@@ -5,31 +5,94 @@ metadata:
name: pr-pipeline
spec:
params:
- name: ibmcloud-api
description: The ibmcloud api
- name: ibmcloud-region
description: (Optional) ibmcloud region to use
- name: pipeline-debug
description: Toggles debug mode for the pipeline
- name: registry-region
description: (Optional) The ibmcloud container registry region
- name: resource-group
description: (Optional) Target resource group (name or id) for the ibmcloud login operation
# Event params
- name: branch
description: branch
description: The git branch
- name: commit-id
description: commit id
- name: pr-branch
description: The branch in the forked git repo from where the PR is made
- name: pr-repository
description: The forked git repo from where the PR is made
- name: repository
description: The git repo
- name: region
- name: revision
description: the git revision/commit for the git repo
default: ""
- name: pipeline-debug
description: toggles debug mode for the pipeline
- name: pr-url
description: pr url
- name: repository
description: the git repo containing source code. If empty, the repository url will be found from toolchain
default: ""
- name: commit-timestamp
- name: scm-type
- name: project-id
default: ""
- name: region
default: ""
- name: scripts-subpath
description: The subpath to the script repo from root
- name: scripts-repo
description: The variable storing git integration for the repository storing build and deploying source code
- name: scripts-repo-branch
description: The branch of the scripts-repo
description: The branch of the scripts-repo
- name: custom-script
description: (Optional) A custom script to be ran prior to CRA scanning
default: ""
- name: env-props
description: (Optional) A custom configuration of environment properties to source before execution, ex. 'export ABC=123 export DEF=456'
- name: fileignore
description: (Optional) Filepath to .fileignore
- name: ibmcloud-trace
description: (Optional) Enables IBMCLOUD_TRACE for ibmcloud cli logging
- name: output
description: (Optional) Prints command result to console
- name: path
description: Repository path to scan
- name: strict
description: (Optional) Enables strict mode for scanning
- name: toolchainid
description: (Optional) The target toolchain id to be used. Defaults to the current toolchain id
- name: verbose
description: (Optional) Enable verbose log messages
# BOM related params
- name: asset-type
description: Security checks to run (apps, image, os, all)
- name: bom-report
description: Filepath to store generated Bill of Materials. Default to `./bom.json`
- name: docker-build-flags
description: (Optional) Customize docker build command for build stage scanning
- name: docker-registry-url
description: Registry url to use for docker login
- name: docker-registry-username
description: Username to authenticate for docker-registry-url
- name: gradle-exclude-configs
description: (Optional) Exclude gradle configurations, ex. 'runtimeClasspath,testCompileClasspath'
- name: maven-exclude-scopes
description: (Optional) Exclude maven scopes, ex. 'test,compile'
- name: nodejs-create-package-lock
description: (Optional) Enable the task to build the package-lock.json for node.js projects
- name: prev-report
description: Filepath to previous BoM report to skip Dockerfile or application manifest scans
# Deploy Analytic related params
- name: deploy-report
description: Filepath to store generated Deploy Analytic report. Default to `./deploy.json`
# Vulnerability related params
- name: cveignore
description: (Optional) Filepath to cveignore
- name: exclude-dev
description: (Optional) Exclude dev dependencies during vulnerability scan
- name: vulnerability-report
description: Filepath to store Vulnerability report, not stored if empty. Default to `./vulnerability.json`
# User control params
- name: cra-scan-image
description: Image to use for `scan` task. Default to `icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.2`
workspaces:
- name: pipeline-ws
- name: pipeline-ws
tasks:
- name: git-clone-application-repo
taskRef:
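Review bot: Most of the new pipeline params in this hunk are described as "(Optional)" — `env-props`, `fileignore`, `ibmcloud-trace`, `output`, `strict`, `toolchainid`, `verbose`, `docker-build-flags`, `gradle-exclude-configs`, `maven-exclude-scopes`, `nodejs-create-package-lock`, `cveignore`, `exclude-dev` — yet unlike `custom-script` none of them carries a `default:`, and Tekton treats a pipeline param without a default as required, so every PipelineRun and TriggerTemplate must now supply all of them or fail validation. Add `default: ""` to each param that is genuinely optional, exactly as `custom-script` already does. The same applies to `bom-report`, `deploy-report`, `vulnerability-report` and `cra-scan-image`, whose descriptions promise a default ("Default to `./bom.json`") that is not expressed in this pipeline and is presumably applied inside `cra-v2-cra`; either declare it here or reword to "if empty, the task falls back to ./bom.json". `docker-registry-username` is declared as a plain param but no matching password/token param is visible, so confirm the credential is read from a secret-backed workspace or environment rather than passed as a pipeline param. The pipeline spec continues into the next hunk, which is cut off at the end of this view.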
......@@ -88,220 +151,68 @@ spec:
workspaces:
- name: artifacts
workspace: pipeline-ws
- name: cra-discovery-scan
runAfter:
- git-clone-application-repo
taskRef:
name: cra-discovery
workspaces:
- name: artifacts
workspace: pipeline-ws
params:
- name: repository
value: $(params.repository)
- name: revision
value: $(params.branch)
- name: commit-id
value: $(tasks.git-clone-application-repo.results.git-commit)
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: directory-name
value: ""
- name: commit-timestamp
value: $(params.commit-timestamp)
- name: code-vulnerability-status-pending
- name: code-risk-analyzer
runAfter:
- git-clone-application-repo
- git-clone-scripts-repo
taskRef:
name: git-set-commit-status
workspaces:
- name: artifacts
workspace: pipeline-ws
name: cra-v2-cra
params:
- name: state
value: pending
- name: description
value: "Tekton PR Pipeline Status"
- name: ibmcloud-api
value: $(params.ibmcloud-api)
- name: ibmcloud-region
value: $(params.ibmcloud-region)
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: context
value: "Vulnerability scan"
- name: repository
value: $(params.repository)
- name: code-vulnerability-scan
runAfter:
- cra-discovery-scan
taskRef:
name: cra-vulnerability-remediation
workspaces:
- name: artifacts
workspace: pipeline-ws
- name: secrets
workspace: pipeline-ws
params:
- name: repository
value: $(params.repository)
- name: source-repository
value: $(tasks.git-clone-application-repo.results.git-repository)
- name: revision
value: $(params.branch)
- name: pr-url
value: $(params.pr-url)
- name: commit-id
value: $(tasks.git-clone-application-repo.results.git-commit)
- name: scm-type
value: $(params.scm-type)
- name: project-id
value: $(params.project-id)
- name: code-vulnerability-scan-status-finished
runAfter:
- code-vulnerability-scan
taskRef:
name: git-set-commit-status
workspaces:
- name: artifacts
workspace: pipeline-ws
params:
- name: repository
value: $(params.repository)
- name: state
value: "$(tasks.code-vulnerability-scan.results.status)"
- name: context
value: "Vulnerability scan"
- name: description
value: "Tekton PR Pipeline Status"
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: code-cis-scan-status-pending
runAfter:
- git-clone-application-repo
taskRef:
name: git-set-commit-status
workspaces:
- name: artifacts
workspace: pipeline-ws
params:
- name: state
value: pending
- name: description
value: "Tekton PR Pipeline Status"
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: context
value: "CIS scan"
- name: repository
value: $(params.repository)
- name: cra-cis-check
taskRef:
name: cra-cis-check
runAfter:
- cra-discovery-scan
workspaces:
- name: secrets
workspace: pipeline-ws
- name: artifacts
workspace: pipeline-ws
params:
- name: repository
value: $(params.repository)
- name: source-repository
value: $(tasks.git-clone-application-repo.results.git-repository)
- name: revision
value: $(params.branch)
- name: pr-url
value: $(params.pr-url)
- name: commit-id
value: $(tasks.git-clone-application-repo.results.git-commit)
- name: directory-name
value: ""
- name: scm-type
value: $(params.scm-type)
- name: project-id
value: $(params.project-id)
- name: code-cis-scan-status-finished
runAfter:
- cra-cis-check
taskRef:
name: git-set-commit-status
workspaces:
- name: artifacts
workspace: pipeline-ws
params:
- name: state
value: "$(tasks.cra-cis-check.results.status)"
- name: description
value: "Tekton PR Pipeline Status"
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: context
value: "CIS scan"
- name: repository
value: $(params.repository)
- name: code-bom-check-status-pending
runAfter:
- git-clone-application-repo
taskRef:
name: git-set-commit-status
workspaces:
- name: artifacts
workspace: pipeline-ws
params:
- name: state
value: pending
- name: description
value: "Tekton PR Pipeline Status"
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: context
value: "BOM check"
- name: repository
value: $(params.repository)
- name: cra-bom
taskRef:
name: cra-bom
runAfter:
- cra-discovery-scan
workspaces:
- name: artifacts
workspace: pipeline-ws
- name: secrets
workspace: pipeline-ws
params:
- name: repository
value: $(params.repository)
- name: revision
value: $(params.branch)
- name: pr-url
value: $(params.pr-url)
- name: commit-id
value: $(tasks.git-clone-application-repo.results.git-commit)
- name: target-branch
value: $(params.branch)
- name: target-commit-id
value: $(tasks.git-clone-application-repo.results.git-commit)
- name: scm-type
value: $(params.scm-type)
- name: project-id
value: $(params.project-id)
- name: source-repository
value: $(tasks.git-clone-application-repo.results.git-repository)
- name: code-bom-check-status-finished
runAfter:
- cra-bom
taskRef:
name: git-set-commit-status
- name: registry-region
value: $(params.registry-region)
- name: resource-group
value: $(params.resource-group)
- name: custom-script
value: $(params.custom-script)
- name: env-props
value: $(params.env-props)
- name: fileignore
value: $(params.fileignore)
- name: ibmcloud-trace
value: $(params.ibmcloud-trace)
- name: output
value: $(params.output)
- name: path
value: $(params.path)
- name: strict
value: $(params.strict)
- name: toolchainid
value: $(params.toolchainid)
- name: verbose
value: $(params.verbose)
- name: asset-type
value: $(params.asset-type)
- name: bom-report
value: $(params.bom-report)
- name: docker-build-flags
value: $(params.docker-build-flags)
- name: docker-registry-url
value: $(params.docker-registry-url)
- name: docker-registry-username
value: $(params.docker-registry-username)
- name: gradle-exclude-configs
value: $(params.gradle-exclude-configs)
- name: maven-exclude-scopes
value: $(params.maven-exclude-scopes)
- name: nodejs-create-package-lock
value: $(params.nodejs-create-package-lock)
- name: prev-report
value: $(params.prev-report)
- name: deploy-report
value: $(params.deploy-report)
- name: cveignore
value: $(params.cveignore)
- name: exclude-dev
value: $(params.exclude-dev)
- name: vulnerability-report
value: $(params.vulnerability-report)
- name: cra-scan-image
value: $(params.cra-scan-image)
workspaces:
- name: artifacts
workspace: pipeline-ws
params:
- name: state
value: "$(tasks.cra-bom.results.status)"
- name: description
value: "Tekton PR Pipeline Status"
- name: pipeline-debug
value: $(params.pipeline-debug)
- name: context