version: 2.1 infra_container: &infra_container us.gcr.io/oi-tset/swissknife@sha256:e8b74aab06de688b29c600785782a614efdaf2c20df7ef9b53b2b0276815fb0c # Configure authentication in private registry infra_container_registry_auth: &infra_container_registry_auth auth: username: _json_key # default username when using a JSON key file to authenticate password: $GOOGLE_JSON_KEY_OI_TSET jobs: test: docker: - image: cimg/ruby:3.2.2-node environment: - RAILS_ENV=test - RACK_ENV=test steps: - checkout - restore_cache: keys: - bundle-{{ .Branch }}-{{ checksum "Gemfile.lock" }} - run: name: Install gems command: bundle install --path ~/.cache/bundle - save_cache: key: bundle-{{.Branch}}-{{ checksum "Gemfile.lock" }} paths: - ~/.cache/bundle - run: name: Run tests command: bundle exec rspec - run: name: Check code style command: bundle exec rubocop deploy: docker: - image: cimg/ruby:3.2.2-node steps: - checkout - run: name: Tag the version command: | git fetch --tags version=$(cat lib/cirro_io/client/version.rb | grep VERSION | awk -F' = ' '{print $2}' | xargs) if git rev-parse v"$version" >/dev/null 2>&1; then echo "This version already exists. Please update the version"; exit 1 else git tag v"$version" git push origin v"$version" fi - run: name: build gem command: gem build cirro-ruby-client.gemspec - run: name: push to rubygems command: | version=$(cat lib/cirro_io/client/version.rb | grep VERSION | awk -F' = ' '{print $2}' | xargs) echo "gem `gem --version`" mkdir ~/.gem cat .circleci/gem_credentials | sed -e "s/__RUBYGEMS_API_KEY__/${RUBYGEMS_API_KEY}/" > ~/.gem/credentials chmod 0600 ~/.gem/credentials gem push cirro-ruby-client-$version.gem shred -u ~/.gem/credentials defectdojo: docker: - image: *infra_container <<: *infra_container_registry_auth environment: - DEFECTDOJO_URL: defectdojo.testcloud.io - DEFECTDOJO_PRODUCT: Cirro Ruby Client - DEFECTDOJO_ENG_NAME: CircleCI Scan steps: - checkout - run: name: Setup access to GCP command: | echo $GOOGLE_JSON_KEY_OI_TSET > ${HOME}/gcloud-service-key.json && \ gcloud auth activate-service-account --key-file=${HOME}/gcloud-service-key.json gcloud auth configure-docker - run: name: Scans command: | unset GITHUB_TOKEN && trivy fs --exit-code 0 --no-progress --ignorefile .trivyignore-fake --format json --output filesystem-scan.json . gitleaks detect --no-git --exit-code 0 --report-format json --report-path gitleaks.json - run: name: Send data to DefectDojo command: | export DEFECTDOJO_TOKEN=$(gcloud secrets versions access latest \ --secret="defectdojo_token" \ --project=oi-tset \ --quiet) # Send Trivy filesystem scan curl --fail --request POST https://$DEFECTDOJO_URL/api/v2/reimport-scan/ \ --header "Authorization: Token $DEFECTDOJO_TOKEN" \ --form "active=true" \ --form "auto_create_context=true" \ --form "branch_tag=${CIRCLE_BRANCH}" \ --form "commit_hash=${CIRCLE_SHA1}" \ --form "close_old_findings=true" \ --form "scan_type=Trivy Scan" \ --form "test_title=Trivy application scan" \ --form "engagement_name=${DEFECTDOJO_ENG_NAME}" \ --form "product_name=${DEFECTDOJO_PRODUCT}" \ --form "file=@filesystem-scan.json" # Send Gitleaks scan curl --fail --request POST https://$DEFECTDOJO_URL/api/v2/reimport-scan/ \ --header "Authorization: Token $DEFECTDOJO_TOKEN" \ --form "active=true" \ --form "auto_create_context=true" \ --form "branch_tag=${CIRCLE_BRANCH}" \ --form "commit_hash=${CIRCLE_SHA1}" \ --form "close_old_findings=true" \ --form "scan_type=Gitleaks Scan" \ --form "test_title=Gitleaks Scan" \ --form "engagement_name=${DEFECTDOJO_ENG_NAME}" \ --form "product_name=${DEFECTDOJO_PRODUCT}" \ --form "file=@gitleaks.json" workflows: version: 2 deploy_the_gem: jobs: - test - deploy: requires: - test filters: branches: only: - master - defectdojo: filters: branches: only: - master