feat: add security

opsta · Nov 2, 2024 · df921ed · df921ed
1 parent f792e26
commit df921ed
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 51 deletions.
diff --git a/.github/workflows/nonprd.yaml b/.github/workflows/nonprd.yaml
@@ -65,22 +65,22 @@ jobs:
       argocd_app_name: ${{ vars.PREFIX_K8S_NAMESPACE }}-${{ env.DEPLOY_ENV }}/${{ vars.PREFIX_IAC_FILENAME }}-${{ env.DEPLOY_ENV }}
 
   # SECURITY PIPELINE
-  # sec-predeploy:
-  #   uses: opsta/.github/.github/workflows/security-predeploy.yaml@main
-  #   needs:
-  #     - setup
-  #   with:
-  #     github_repo_name: ${{ github.event.repository.name }}
-  #     image_tag: ${{ needs.setup.outputs.image_tag }}
-  #     deploy_env: ${{ needs.setup.outputs.deploy_env }}
-  #     sonarqube_args: ${{ needs.setup.outputs.sonarqube_args }}
-  #     helm_values_file: ${{ needs.setup.outputs.helm_values_file }}
-  #     helm_chart_name: ${{ needs.setup.outputs.helm_chart_name }}
-  #     helm_chart_version: ${{ needs.setup.outputs.helm_chart_version }}
-  #   secrets:
-  #     sonarqube_org: ${{ secrets.SONARQUBE_ORG }}
-  #     sonarqube_host: ${{ secrets.SONARQUBE_HOST }}
-  #     sonarqube_token: ${{ secrets.SONARQUBE_TOKEN }}
+  sec-predeploy:
+    uses: opsta/.github/.github/workflows/security-predeploy.yaml@main
+    needs:
+      - setup
+    with:
+      github_repo_name: ${{ github.event.repository.name }}
+      image_tag: ${{ needs.setup.outputs.image_tag }}
+      deploy_env: ${{ needs.setup.outputs.deploy_env }}
+      sonarqube_args: ${{ needs.setup.outputs.sonarqube_args }}
+      helm_values_file: ${{ needs.setup.outputs.helm_values_file }}
+      helm_chart_name: ${{ needs.setup.outputs.helm_chart_name }}
+      helm_chart_version: ${{ needs.setup.outputs.helm_chart_version }}
+    secrets:
+      sonarqube_org: ${{ secrets.SONARQUBE_ORG }}
+      sonarqube_host: ${{ secrets.SONARQUBE_HOST }}
+      sonarqube_token: ${{ secrets.SONARQUBE_TOKEN }}
 
   build-push:
     runs-on: ubuntu-latest
@@ -114,16 +114,16 @@ jobs:
           DOCKER_BUILD_RECORD_UPLOAD: false
 
   # SECURITY PIPELINE
-  # sec-postbuild:
-  #   uses: opsta/.github/.github/workflows/security-postbuild.yaml@main
-  #   needs:
-  #     - setup
-  #     - build-push
-  #   with:
-  #     image_name: "${{ vars.IMAGE_NAME }}:${{ needs.setup.outputs.image_tag }}"
-  #   secrets:
-  #     registry_username: ${{ github.actor }}
-  #     registry_password: ${{ secrets.GITHUB_TOKEN }}
+  sec-postbuild:
+    uses: opsta/.github/.github/workflows/security-postbuild.yaml@main
+    needs:
+      - setup
+      - build-push
+    with:
+      image_name: "${{ vars.IMAGE_NAME }}:${{ needs.setup.outputs.image_tag }}"
+    secrets:
+      registry_username: ${{ github.actor }}
+      registry_password: ${{ secrets.GITHUB_TOKEN }}
 
   gitops-argocd:
     uses: opsta/.github/.github/workflows/gitops-argocd.yaml@main
@@ -143,17 +143,17 @@ jobs:
       argocd_auth_token: ${{ secrets.ARGOCD_AUTH_TOKEN }}
 
   # SECURITY PIPELINE
-  # sec-postdeploy:
-  #   uses: opsta/.github/.github/workflows/security-postdeploy.yaml@main
-  #   needs:
-  #     - setup
-  #     - gitops-argocd
-  #   with:
-  #     github_repo_name: ${{ github.event.repository.name }}
-  #     zap_target: ${{ needs.setup.outputs.deploy_url }}
-  #     deploy_env: ${{ needs.setup.outputs.deploy_env }}
-  #     defectdojo_product_name: ${{ github.event.repository.name }}
-  #   secrets:
-  #     defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }}
-  #     defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }}
-  #     defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }}
+  sec-postdeploy:
+    uses: opsta/.github/.github/workflows/security-postdeploy.yaml@main
+    needs:
+      - setup
+      - gitops-argocd
+    with:
+      github_repo_name: ${{ github.event.repository.name }}
+      zap_target: ${{ needs.setup.outputs.deploy_url }}
+      deploy_env: ${{ needs.setup.outputs.deploy_env }}
+      defectdojo_product_name: ${{ github.event.repository.name }}
+    secrets:
+      defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }}
+      defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }}
+      defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }}
diff --git a/.github/workflows/tagging.yaml b/.github/workflows/tagging.yaml
@@ -20,22 +20,22 @@ on:
 
 jobs:
   # SECURITY PIPELINE
-  # defectdojo:
-  #   uses: opsta/.github/.github/workflows/defectdojo-security-gate.yaml@main
-  #   if: ${{ !inputs.skip-security-gate }}
-  #   with:
-  #     defectdojo_product_name: ${{ github.event.repository.name }}
-  #   secrets:
-  #     defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }}
-  #     defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }}
-  #     defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }}
+  defectdojo:
+    uses: opsta/.github/.github/workflows/defectdojo-security-gate.yaml@main
+    if: ${{ !inputs.skip-security-gate }}
+    with:
+      defectdojo_product_name: ${{ github.event.repository.name }}
+    secrets:
+      defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }}
+      defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }}
+      defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }}
 
   tag:
     uses: opsta/.github/.github/workflows/tag-and-release.yaml@main
     if: ${{ !cancelled() && !failure() }}
     # SECURITY PIPELINE
-    # needs:
-    #   - defectdojo
+    needs:
+      - defectdojo
     with:
       bump: ${{ inputs.bump }}
       image_name: ${{ vars.IMAGE_NAME }}