Skip to content

sast push to SaaS

sast push to SaaS #164

Workflow file for this run

name: Accuknox-Job Workflow
on:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
- "v[0-9]+.[0-9]+.[0-9]+-*"
pull_request_target:
branches:
- "*"
env:
AK_URL: "https://cspm.accuknox.com"
AK_SAST_LABEL: "SAST"
jobs:
tag-validate:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
steps:
- uses: rubenesp87/[email protected]
with:
version: ${{ github.ref_name }}
sonarqube-code-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: accuknox/common-gh-actions/actions/sonarqube@main
with:
token: ${{ secrets.SQ_TOKEN }}
qualityGateCheck: 'false'
args: >
-Dsonar.projectKey=accuknox-jobs
-Dsonar.sources=.
projectKey: accuknox-jobs
pushToSaas: startsWith(github.ref, 'refs/tags/v')
ak_url: ${{ env.AK_URL }}
ak_tok: ${{ secrets.AK_PROD_ACCUKNOXTECH_TOKEN }}
tenant_id: ${{ secrets.AK_PROD_ACCUKNOXTECH_TENANT_ID }}
label: ${{ env.AK_SAST_LABEL }}
helm_chart_validation:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Install Helm
run: |
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
- name: Validate cis-k8s-job
run: |
helm lint cis-k8s-job
helm template cis-k8s-job --dry-run > /dev/null
- name: Validate k8s-risk-assessment-job
run: |
helm lint k8s-risk-assessment-job
helm template k8s-risk-assessment-job --dry-run > /dev/null
- name: Validate k8tls-job
run: |
helm lint k8tls-job
helm template k8tls-job --dry-run > /dev/null
- name: Validate kiem-job
run: |
helm lint kiem-job
helm template kiem-job --dry-run > /dev/null
helm_push_to_ecr:
runs-on: ubuntu-latest
needs: [helm_chart_validation,tag-validate]
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Set up AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Install Helm
run: |
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
- name: Login to AWS ECR
run: |
aws ecr-public get-login-password --region us-east-1 | helm registry login --username AWS --password-stdin ${{ secrets.REPO }}
- name: Chart versioning
if: ( github.event_name != 'pull_request' && github.event_name != 'pull_request_target' )
shell: bash
id: chart-version
run: |
for CHART_DIR in cis-k8s-job k8s-risk-assessment-job k8tls-job kiem-job; do
sed -i "s/^version:.*$/version: ${{ github.ref_name }}/" $CHART_DIR/Chart.yaml
sed -i "s/^appVersion:.*$/appVersion: ${{ github.ref_name }}/" $CHART_DIR/Chart.yaml
done
- name: Package and Push Helm Charts
run: |
for CHART_DIR in cis-k8s-job k8s-risk-assessment-job k8tls-job kiem-job; do
helm package $CHART_DIR
HELM_PACKAGE=$(ls $CHART_DIR-*.tgz)
helm push $HELM_PACKAGE oci://${{ secrets.REPO }}
done