Test security workflows
mattops committed Oct 15, 2024
1 parent 3347066 commit 970172c
Showing 5 changed files with 87 additions and 82 deletions.
118 changes: 36 additions & 82 deletions .circleci/config.yml
@@ -1,16 +1,13 @@
version: 2.1

orbs:
hmpps: ministryofjustice/hmpps@10

parameters:
alerts-slack-channel:
type: string
default: PIPELINE_SECURITY_SLACK_CHANNEL
releases-slack-channel:
type: string
default: SLACK_RELEASES_CHANNEL

jobs:
validate:
executor:
Expand All @@ -32,7 +29,6 @@ jobs:
path: build/test-results
- store_artifacts:
path: build/reports/tests

workflows:
version: 2
build-test-and-deploy:
Expand Down Expand Up @@ -65,81 +61,39 @@ workflows:
- build_docker
- helm_lint
helm_timeout: 5m
# - request-preprod-approval:
# type: approval
# requires:
# - deploy_dev
# - hmpps/deploy_env:
# name: deploy_preprod
# env: "preprod"
# jira_update: true
# jira_env_type: staging
# pipeline_id: <<pipeline.id>>
# pipeline_number: <<pipeline.number>>
# context:
# - hmpps-common-vars
# - hmpps-template-kotlin-preprod
# requires:
# - request-preprod-approval
# helm_timeout: 5m
# - request-prod-approval:
# type: approval
# requires:
# - deploy_preprod
# - hmpps/deploy_env:
# name: deploy_prod
# env: "prod"
# jira_update: true
# jira_env_type: production
# pipeline_id: <<pipeline.id>>
# pipeline_number: <<pipeline.number>>
# slack_notification: true
# slack_channel_name: << pipeline.parameters.releases-slack-channel >>
# context:
# - hmpps-common-vars
# - hmpps-template-kotlin-prod
# requires:
# - request-prod-approval
# helm_timeout: 5m

security:
triggers:
- schedule:
cron: "15 7 * * 1-5"
filters:
branches:
only:
- main
jobs:
- hmpps/gradle_owasp_dependency_check:
cache_key: "v2_0"
jdk_tag: "21.0"
slack_channel: << pipeline.parameters.alerts-slack-channel >>
context:
- hmpps-common-vars
- hmpps/trivy_latest_scan:
slack_channel: << pipeline.parameters.alerts-slack-channel >>
context:
- hmpps-common-vars
- hmpps/veracode_pipeline_scan:
jdk_tag: "21.0"
slack_channel: << pipeline.parameters.alerts-slack-channel >>
context:
- veracode-credentials
- hmpps-common-vars
security-weekly:
triggers:
- schedule:
cron: "0 5 * * 1"
filters:
branches:
only:
- main
jobs:
- hmpps/veracode_policy_scan:
slack_channel: << pipeline.parameters.alerts-slack-channel >>
context:
- veracode-credentials
- hmpps-common-vars


# - request-preprod-approval:
# type: approval
# requires:
# - deploy_dev
# - hmpps/deploy_env:
# name: deploy_preprod
# env: "preprod"
# jira_update: true
# jira_env_type: staging
# pipeline_id: <<pipeline.id>>
# pipeline_number: <<pipeline.number>>
# context:
# - hmpps-common-vars
# - hmpps-template-kotlin-preprod
# requires:
# - request-preprod-approval
# helm_timeout: 5m
# - request-prod-approval:
# type: approval
# requires:
# - deploy_preprod
# - hmpps/deploy_env:
# name: deploy_prod
# env: "prod"
# jira_update: true
# jira_env_type: production
# pipeline_id: <<pipeline.id>>
# pipeline_number: <<pipeline.number>>
# slack_notification: true
# slack_channel_name: << pipeline.parameters.releases-slack-channel >>
# context:
# - hmpps-common-vars
# - hmpps-template-kotlin-prod
# requires:
# - request-prod-approval
# helm_timeout: 5m
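Review bot: The block ending here re-adds roughly 36 lines of commented-out preprod/prod deploy config at the tail of `workflows:` rather than deleting it, so the file keeps dead YAML that nothing parses and that will drift from the `hmpps/deploy_env` interface over time; git history already preserves it, and a one-line marker such as `# preprod/prod deploy stages intentionally not enabled yet — see commit 970172c` would carry the same information. The hunk at `@@ -1,16 +1,13 @@` shows three deletions and no additions, which looks like the `alerts-slack-channel` parameter being dropped; if so, confirm that no `<< pipeline.parameters.alerts-slack-channel >>` reference survives elsewhere in the file, since CircleCI rejects a config that references an undeclared pipeline parameter, and `releases-slack-channel` is now referenced only from commented-out lines. The `workflows:` mapping this hunk edits starts before the hunk, so the surrounding `build-test-and-deploy` jobs are not visible here.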
12 changes: 12 additions & 0 deletions .github/workflows/security_owasp.yml
@@ -0,0 +1,12 @@
name: Security OWASP dependency check
on:
workflow_dispatch:
schedule:
- cron: "19 6 * * MON-FRI" # Every weekday at 06:19 UTC
jobs:
security-kotlin-owasp-check:
name: Kotlin security OWASP dependency check
uses: ministryofjustice/hmpps-github-actions/.github/workflows/[email protected] # WORKFLOW_VERSION
with:
channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
secrets: inherit
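Review bot: `secrets: inherit` on the last line forwards every repository and organisation secret available to this workflow into the called reusable workflow, so the `uses:` reference carries the whole trust decision; the reference is rendered obfuscated on this page so its ref cannot be checked here, and if it is a moving tag rather than a full commit SHA it is worth confirming that the `# WORKFLOW_VERSION` bump tooling can track a SHA, or that the caller-side secrets could instead be passed explicitly with a `secrets:` mapping. The same `secrets: inherit` line appears in security_trivy.yml, security_veracode_pipeline_scan.yml and security_veracode_policy_scan.yml. Separately, this is the only one of the four new workflows with no `push:` trigger; if that is deliberate, a comment above `on:` such as `# schedule/manual only: the dependency check is too slow to run on every push` would record the reason.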
13 changes: 13 additions & 0 deletions .github/workflows/security_trivy.yml
@@ -0,0 +1,13 @@
name: Security trivy dependency check
on:
push:
workflow_dispatch:
schedule:
- cron: "19 6 * * MON-FRI" # Every weekday at 06:19 UTC
jobs:
security-kotlin-trivy-check:
name: Project security trivy dependency check
uses: ministryofjustice/hmpps-github-actions/.github/workflows/[email protected] # WORKFLOW_VERSION
with:
channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
secrets: inherit
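Review bot: `push:` on the third line has no branch filter, so the Trivy scan and its Slack alert path run on every push to every branch, whereas the CircleCI `security` workflow this replaces was limited to `main` via `filters: branches: only: - main`; feature-branch pushes will now fan out alerts to the shared channel for findings that may never reach `main`. If mirroring the old scope is the intent, `push:` followed by `branches: [main]` restores it, and the same applies to the `push:` triggers in security_veracode_pipeline_scan.yml and security_veracode_policy_scan.yml, where per-push Veracode scans may also consume scan quota. The `name:` value calls this a "dependency check", but Trivy scans images and filesystems more broadly; `Security trivy scan` would describe it more accurately.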
13 changes: 13 additions & 0 deletions .github/workflows/security_veracode_pipeline_scan.yml
@@ -0,0 +1,13 @@
name: Security veracode pipeline scan
on:
push:
workflow_dispatch:
schedule:
- cron: "19 6 * * MON-FRI" # Every weekday at 06:19 UTC
jobs:
security-veracode-pipeline-scan:
name: Project security veracode pipeline scan
uses: ministryofjustice/hmpps-github-actions/.github/workflows/[email protected] # WORKFLOW_VERSION
with:
channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
secrets: inherit
13 changes: 13 additions & 0 deletions .github/workflows/security_veracode_policy_scan.yml
@@ -0,0 +1,13 @@
name: Security veracode policy scan
on:
push:
workflow_dispatch:
schedule:
- cron: "34 6 * * 1" # Every Monday at 06:34 UTC
jobs:
security-veracode-policy-check:
name: Project security veracode policy scan
uses: ministryofjustice/hmpps-github-actions/.github/workflows/[email protected] # WORKFLOW_VERSION
with:
channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
secrets: inherit
