From c82fd5c44e0727a6cfd6a1fe2b586b507ddb923a Mon Sep 17 00:00:00 2001
From: Anish Lakhwara <anish+github@lakhwara.com>
Date: Wed, 19 Jun 2024 12:16:36 -0700
Subject: [PATCH] feat(ci): Trigger security scanner from release pipeline
 (#63280)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!-- 💡 To write a useful PR description, make sure that your description
covers:
- WHAT this PR is changing:
    - How was it PREVIOUSLY.
    - How it will be from NOW on.
- WHY this PR is needed.
- CONTEXT, i.e. to which initiative, project or RFC it belongs.

The structure of the description doesn't matter as much as covering
these points, so use
your best judgement based on your context.
Learn how to write good pull request description:
https://www.notion.so/sourcegraph/Write-a-good-pull-request-description-610a7fd3e613496eb76f450db5a49b6e?pvs=4
-->

Resolves
[REL-100](https://linear.app/sourcegraph/issue/REL-100/automate-posting-the-security-check-step)
by calling the security scanner as part of the release pipeline, during
the internal image creation time.

@WillDollman kindly dropped me some notes on how to use this, notably in
this PR I've removed `dryRun=true` given how this will only be run from
the release process. I'm also using a `tag` with no `images` listed.

I've added the token will sent me to 1Password under
`image-scanner-webhook` and added a check to ensure it exists when being
called.

### Will's Notes:

```
curl --location 'https://incoming.sgdev.org/new-image-scan?images=sourcegraph%2Fgitserver%2Csourcegraph%2Ffrontend&tag=5.3.0&scanType=release&dev=true&dryRun=true' \
--header 'X-Special-Header: <key-shared-in-1password>'
```

> it’s not quite set up for releases yet, but you can play around -
results are sent to elastic which you don’t have access to, and there’s
no api to get the results

> to scan everything at a specific tag, remove the images parameter and
set tag to the image tag

> dryRun=true will ensure it doesn’t actually run a scan, but will still
return a json response - best to leave that enabled while you’re working
on it otherwise you’ll trigger lots of scans :stuck_out_tongue:
## Test plan

<!-- All pull requests REQUIRE a test plan:
https://docs-legacy.sourcegraph.com/dev/background-information/testing_principles
-->
Ran `sg release create --version=auto --pretend` to ensure the script
still works

## Changelog

<!--
1. Ensure your pull request title is formatted as: $type($domain): $what
2. Add bullet list items for each additional detail you want to cover
(see example below)
3. You can edit this after the pull request was merged, as long as
release shipping it hasn't been promoted to the public.
4. For more information, please see this how-to
https://www.notion.so/sourcegraph/Writing-a-changelog-entry-dd997f411d524caabf0d8d38a24a878c?

Audience: TS/CSE > Customers > Teammates (in that order).

Cheat sheet: $type = chore|fix|feat $domain:
source|search|ci|release|plg|cody|local|...
-->

<!--
Example:

Title: fix(search): parse quotes with the appropriate context
Changelog section:

## Changelog

- When a quote is used with regexp pattern type, then ...
- Refactored underlying code.
-->
- Added security scanner to the release pipeline
---
 release.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/release.yaml b/release.yaml
index 83d0cb8f299..83c3f29af66 100644
--- a/release.yaml
+++ b/release.yaml
@@ -73,6 +73,9 @@ internal:
             echo "Release created, see:"
             echo $body
           fi
+      - name: 'Trigger Security scan'
+        cmd: |
+          curl --location 'https://incoming.sgdev.org/new-image-scan?tag={{tag}}&scanType=release&dev=true' --header 'X-Special-Header: ${SCANNER_TOKEN}'
       - name: 'notifications'
         cmd: |
           set -eu