Merge branch 'master' of github.com:pluralsh/kas

pluralsh · Oct 20, 2023 · 0ae6b3a · 0ae6b3a
2 parents b9d06bc + 88acf66
commit 0ae6b3a
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 51 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,44 @@
+name: CI
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+env:
+  GOPATH: /home/runner/go/
+  GOPROXY: "https://proxy.golang.org"
+jobs:
+  build-kas:
+    name: Build kas
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - run: TARGET_DIRECTORY=. make kas
+  build-agentk:
+    name: Build agentk
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - run: TARGET_DIRECTORY=. make agentk
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: golangci/golangci-lint-action@v3
+        with:
+          version: latest
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,36 @@
+name: Trivy
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "0 0 * * *"
+jobs:
+  trivy-scan:
+    name: Trivy IaC scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Run Trivy vulnerability scanner in IaC mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          hide-progress: false
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          scanners: 'vuln,secret,config'
+          ignore-unfixed: true
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.gitlab/.gitlab-ci.yml b/.gitlab/.gitlab-ci.yml
@@ -26,7 +26,6 @@ variables:
 
 stages:
   - test
-  - scan
   - push_image
   - create_release
 
@@ -112,22 +111,6 @@ verify:
   script:
     - make verify-ci
 
-lint:
-  image: golangci/golangci-lint:v1.54.0-alpine
-  stage: test
-  tags:
-    - saas-linux-large-amd64
-  script:
-    # Write the code coverage report to gl-code-quality-report.json
-    # and print linting issues to stdout in the format: path/to/file:line description
-    - apk --no-cache add jq
-    - golangci-lint run --out-format code-climate | tee gl-code-quality-report.json | jq -r '.[] | "\(.location.path):\(.location.lines.begin) \(.description)"'
-  artifacts:
-    reports:
-      codequality: gl-code-quality-report.json
-    paths:
-      - gl-code-quality-report.json
-
 # You can override the included template(s) by including variable overrides
 # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
 # Note that environment variables can be set in several places
@@ -243,40 +226,6 @@ create_release:
     ref: "$CI_COMMIT_TAG"
     description: "Release for tag $CI_COMMIT_TAG"
 
-# Broken, disable for now https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/jobs/2308411911
-## see https://docs.gitlab.com/ee/user/project/code_intelligence.html#configuration
-#code_navigation:
-#  image: sourcegraph/lsif-go:v1
-#  allow_failure: true # recommended
-#  script:
-#    - lsif-go
-#  artifacts:
-#    reports:
-#      lsif: dump.lsif
-
-container_scanning:
-  stage: scan
-  variables:
-    CI_APPLICATION_REPOSITORY: "$CI_REGISTRY_IMAGE/agentk"
-    CI_APPLICATION_TAG: latest
-
-# enable container scanning with https://gitlab.com/gitlab-com/gl-security/appsec/container-scanners
-appsec_container_scanning:
-  stage: scan
-  image: registry.gitlab.com/gitlab-com/gl-security/appsec/container-scanners:latest
-  environment:
-    name: appsec_container_scanning
-    action: prepare
-  script:
-    - /run/appsec-container-scan "$CI_REGISTRY_IMAGE/agentk:latest,$CI_REGISTRY_IMAGE/agentk:latest-race,$CI_REGISTRY_IMAGE/agentk-fips:stable" > gl-container-scanning-report.json
-  artifacts:
-    reports:
-      container_scanning: gl-container-scanning-report.json
-  rules:
-    # Skip on forks, because external contributors can't run this pipeline
-    - if: $CONTAINER_SCAN_PIPELINE_TRIGGER_TOKEN
-      allow_failure: true
-
 build-package-and-qa:
   stage: test
   trigger: