mirror of
https://github.com/sourcegraph/sourcegraph.git
synced 2026-02-06 12:51:55 +00:00
feat(ci): Trigger security scanner from release pipeline (#63280)
Resolves [REL-100](https://linear.app/sourcegraph/issue/REL-100/automate-posting-the-security-check-step) by calling the security scanner as part of the release pipeline, during the internal image creation time.

@WillDollman kindly dropped me some notes on how to use this; notably, in this PR I've removed `dryRun=true` given how this will only be run from the release process. I'm also using a `tag` with no `images` listed.

I've added the token Will sent me to 1Password under `image-scanner-webhook` and added a check to ensure it exists when being called.

### Will's Notes:

```
curl --location 'https://incoming.sgdev.org/new-image-scan?images=sourcegraph%2Fgitserver%2Csourcegraph%2Ffrontend&tag=5.3.0&scanType=release&dev=true&dryRun=true' \
--header 'X-Special-Header: <key-shared-in-1password>'
```

> it’s not quite set up for releases yet, but you can play around - results are sent to elastic which you don’t have access to, and there’s no api to get the results

> to scan everything at a specific tag, remove the images parameter and set tag to the image tag

> dryRun=true will ensure it doesn’t actually run a scan, but will still return a json response - best to leave that enabled while you’re working on it otherwise you’ll trigger lots of scans 😛

## Test plan

Ran `sg release create --version=auto --pretend` to ensure the script still works

## Changelog

- Added security scanner to the release pipeline
This commit is contained in:
parent
1a038db04d
commit
c82fd5c44e
@ -73,6 +73,9 @@ internal:
echo "Release created, see:"
echo $body
fi
- name: 'Trigger Security scan'
cmd: |
curl --location 'https://incoming.sgdev.org/new-image-scan?tag={{tag}}&scanType=release&dev=true' --header 'X-Special-Header: ${SCANNER_TOKEN}'
- name: 'notifications'
cmd: |
set -eu
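Review bot: the new 'Trigger Security scan' step expands `${SCANNER_TOKEN}` into the `X-Special-Header` value with no guard visible in this hunk that the variable is set, and the `set -eu` that would catch an unset variable only appears in the following 'notifications' step; if the check mentioned in the description lives elsewhere that is fine, but otherwise start this step's `cmd:` with `set -eu` (or `: "${SCANNER_TOKEN:?SCANNER_TOKEN is not set}"`) so a missing token fails the release rather than sending an empty header. The `curl` call also lacks `--fail`, so a non-2xx response from the scanner (bad token, rejected tag) exits 0 and the pipeline proceeds as if the scan were queued; adding `--fail --silent --show-error` makes the step's exit status reflect the scanner's answer. Finally, `dev=true` is carried over from Will's sample command into a step that only runs for real releases; confirm that is the intended value rather than a leftover from development.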