Migrate CI Security pipeline
tobyprivett committed Oct 2, 2024
1 parent 14783b0 commit db1e2aa
Showing 5 changed files with 69 additions and 169 deletions.
190 changes: 21 additions & 169 deletions .circleci/config.yml
@@ -1,14 +1,11 @@
version: 2.1

orbs:
hmpps: ministryofjustice/[email protected]
slack: circleci/[email protected]

parameters:
alerts-slack-channel:
type: string
default: pecs-dev

aliases:
- &notify_slack_on_failure
slack/notify:
Expand Down Expand Up @@ -47,111 +44,15 @@ aliases:
- &notify_slack_on_release_start
slack/notify:
channel: $BUILD_NOTIFICATIONS_CHANNEL_ID
custom: '{
"blocks": [
{
"type": "section",
"fields": [
{
"type": "mrkdwn",
"text": "*API is being prepared for release :building_construction:*"
}
]
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "A new release was created by ${CIRCLE_USERNAME}"
},
"fields": [
{
"type": "mrkdwn",
"text": "@here"
}
]
},
{
"type": "actions",
"elements": [
{
"type": "button",
"text": {
"type": "plain_text",
"text": "Changelog"
},
"url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/blob/main/CHANGELOG.md"
}
]
}
]
}'
custom: '{ "blocks": [ { "type": "section", "fields": [ { "type": "mrkdwn", "text": "*API is being prepared for release :building_construction:*" } ] }, { "type": "section", "text": { "type": "mrkdwn", "text": "A new release was created by ${CIRCLE_USERNAME}" }, "fields": [ { "type": "mrkdwn", "text": "@here" } ] }, { "type": "actions", "elements": [ { "type": "button", "text": { "type": "plain_text", "text": "Changelog" }, "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/blob/main/CHANGELOG.md" } ] } ] }'
- &notify_slack_of_approval
slack/notify:
channel: $BUILD_NOTIFICATIONS_CHANNEL_ID
custom: '{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "API release *requires your approval* before it can be deployed :eyes:"
},
"fields": [
{
"type": "mrkdwn",
"text": "${BUILD_NOTIFICATIONS_MENTION_ID}"
}
]
},
{
"type": "actions",
"elements": [
{
"type": "button",
"text": {
"type": "plain_text",
"text": "View Workflow"
},
"url": "https://circleci.com/workflow-run/${CIRCLE_WORKFLOW_ID}"
}
]
}
]
}'
custom: '{ "blocks": [ { "type": "section", "text": { "type": "mrkdwn", "text": "API release *requires your approval* before it can be deployed :eyes:" }, "fields": [ { "type": "mrkdwn", "text": "${BUILD_NOTIFICATIONS_MENTION_ID}" } ] }, { "type": "actions", "elements": [ { "type": "button", "text": { "type": "plain_text", "text": "View Workflow" }, "url": "https://circleci.com/workflow-run/${CIRCLE_WORKFLOW_ID}" } ] } ] }'
- &notify_slack_on_release_end
slack/notify:
channel: $BUILD_NOTIFICATIONS_CHANNEL_ID
custom: '{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*API has been deployed* :rocket:"
},
"fields": [
{
"type": "mrkdwn",
"text": "@here This release was successfully deployed to production"
}
]
},
{
"type": "actions",
"elements": [
{
"type": "button",
"text": {
"type": "plain_text",
"text": "Release"
},
"url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/releases"
}
]
}
]
}'
custom: '{ "blocks": [ { "type": "section", "text": { "type": "mrkdwn", "text": "*API has been deployed* :rocket:" }, "fields": [ { "type": "mrkdwn", "text": "@here This release was successfully deployed to production" } ] }, { "type": "actions", "elements": [ { "type": "button", "text": { "type": "plain_text", "text": "Release" }, "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/releases" } ] } ] }'
- &all_tags
filters:
tags:
Expand Down Expand Up @@ -183,7 +84,6 @@ aliases:
only: /^v.*/
branches:
ignore: /.*/

# Not so keen on using references, but keeping them for now in case they have DRYness benefits.
# Likely to flatten then into the respective commands section.
references:
Expand Down Expand Up @@ -228,11 +128,7 @@ references:
_load_wiremock_mappings: &load_wiremock_mappings
run:
name: Load mappings into wiremock
command: |
echo "Loading wiremock mappings..."
find spec/wiremock/prison-api/mappings/*.json -exec curl -vv --request POST --url http://localhost:8888/__admin/mappings --header 'content-type: application/json' --data-binary "@{}" \;
curl -vv http://localhost:8888/__admin/mappings
echo "Done"
command: "echo \"Loading wiremock mappings...\"\nfind spec/wiremock/prison-api/mappings/*.json -exec curl -vv --request POST --url http://localhost:8888/__admin/mappings --header 'content-type: application/json' --data-binary \"@{}\" \\;\ncurl -vv http://localhost:8888/__admin/mappings \necho \"Done\"\n"
_notify_sentry_release: &notify_sentry_release
run:
name: Create release and notify Sentry of deploy
Expand Down Expand Up @@ -260,19 +156,16 @@ references:
_attach-tmp-workspace: &attach-tmp-workspace
attach_workspace:
at: .

executors:
basic-executor:
docker:
- image: cimg/base:2022.11

cloud-platform-executor:
docker:
- image: ${ECR_ENDPOINT}/cloud-platform/tools:circleci
environment:
GITHUB_TEAM_NAME_SLUG: book-a-secure-move
REPO_NAME: hmpps-book-secure-move-api

test-executor:
docker:
# Check https://circleci.com/docs/2.0/language-ruby/ for more details
Expand All @@ -292,34 +185,29 @@ executors:
LANG: C.utf8
- image: wiremock/wiremock:2.32.0-alpine
command: --port 8888

commands:
build-base:
description: "Checkout app code and fetch dependencies for running tests"
steps:
- *restore-cache
- *install-dependencies
- *save-cache

seed-database:
description: "Create and seed the Database"
steps:
- *create-db
- *migrate-db

jobs:
notify_of_approval:
resource_class: small
executor: basic-executor
steps:
- *notify_slack_of_approval

notify_of_release:
resource_class: small
executor: basic-executor
steps:
- *notify_slack_on_release_start

setup_test_environment:
resource_class: small
executor: test-executor
Expand All @@ -328,7 +216,6 @@ jobs:
- setup_remote_docker
- build-base
- seed-database

api_docs:
resource_class: small
executor: test-executor
Expand All @@ -346,7 +233,6 @@ jobs:
- swagger/v1/swagger.yaml
- swagger/v2/swagger.yaml
- *notify_slack_on_failure

rspec_tests:
executor: test-executor
parallelism: 1
Expand All @@ -360,7 +246,6 @@ jobs:
- *wait-for-wiremock
- *load_wiremock_mappings
- *rspec

linters:
resource_class: medium
executor: test-executor
Expand All @@ -369,34 +254,32 @@ jobs:
- build-base
- *attach-tmp-workspace
- *rubocop

workflows:
version: 2

test-build-deploy:
jobs:
- notify_of_release:
context:
- hmpps-common-vars
<<: *only_deploy_tags
!!merge <<: *only_deploy_tags
- setup_test_environment:
<<: *all_tags
!!merge <<: *all_tags
- api_docs:
context:
- hmpps-common-vars
<<: *all_tags
!!merge <<: *all_tags
requires:
- setup_test_environment
- rspec_tests:
<<: *all_tags
!!merge <<: *all_tags
requires:
- setup_test_environment
- linters:
<<: *all_tags
!!merge <<: *all_tags
requires:
- setup_test_environment
- hmpps/build_docker:
<<: *test_only
!!merge <<: *test_only
requires:
- api_docs
- rspec_tests
Expand All @@ -405,29 +288,21 @@ workflows:
image_name: "quay.io/hmpps/hmpps-book-secure-move-api"
publish: false
additional_docker_build_args: >
--label build.git.sha=${CIRCLE_SHA1}
--label build.git.branch=${CIRCLE_BRANCH}
--label build.date=$(date -Is)
--build-arg APP_BUILD_DATE=$(date -Is)
--build-arg APP_BUILD_TAG=${CIRCLE_BRANCH}
--build-arg APP_GIT_COMMIT=${CIRCLE_SHA1}
--label build.git.sha=${CIRCLE_SHA1} --label build.git.branch=${CIRCLE_BRANCH} --label build.date=$(date -Is) --build-arg APP_BUILD_DATE=$(date -Is) --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH} --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1}
- hmpps/build_docker:
<<: *only_for_deployment
!!merge <<: *only_for_deployment
requires:
- api_docs
- rspec_tests
- linters
name: build_image
image_name: "quay.io/hmpps/hmpps-book-secure-move-api"
additional_docker_build_args: >
--label build.git.sha=${CIRCLE_SHA1}
--label build.git.branch=${CIRCLE_BRANCH}
--label build.date=$(date -Is)
--build-arg APP_BUILD_DATE=$(date -Is)
--build-arg APP_BUILD_TAG=${CIRCLE_BRANCH}
--build-arg APP_GIT_COMMIT=${CIRCLE_SHA1}
--label build.git.sha=${CIRCLE_SHA1} --label build.git.branch=${CIRCLE_BRANCH} --label build.date=$(date -Is) --build-arg APP_BUILD_DATE=$(date -Is) --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH} --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1}
- hmpps/deploy_env:
<<: *only_main
!!merge <<: *only_main
name: deploy_staging
env: "staging"
context:
Expand All @@ -436,7 +311,7 @@ workflows:
requires:
- build_image
- hmpps/deploy_env:
<<: *only_deploy_tags
!!merge <<: *only_deploy_tags
name: deploy_uat
env: "uat"
context:
Expand All @@ -445,7 +320,7 @@ workflows:
requires:
- build_image
- hmpps/deploy_env:
<<: *only_deploy_tags
!!merge <<: *only_deploy_tags
name: deploy_preprod
env: "preprod"
context:
Expand All @@ -454,45 +329,22 @@ workflows:
requires:
- build_image
- hold_production:
<<: *only_deploy_tags
!!merge <<: *only_deploy_tags
type: approval
requires:
- build_image
- notify_of_approval:
context:
- hmpps-common-vars
<<: *only_deploy_tags
!!merge <<: *only_deploy_tags
requires:
- build_image
- hmpps/deploy_env:
<<: *only_deploy_tags
!!merge <<: *only_deploy_tags
name: deploy_production
env: "production"
context:
- hmpps-common-vars
- basm-api-production
requires:
- hold_production

security:
triggers:
- schedule:
cron: "0 7 * * 1-5"
filters:
branches:
only:
- main
jobs:
- hmpps/gradle_owasp_dependency_check:
slack_channel: << pipeline.parameters.alerts-slack-channel >>
context:
- hmpps-common-vars
- hmpps/trivy_latest_scan:
slack_channel: << pipeline.parameters.alerts-slack-channel >>
context:
- hmpps-common-vars
- hmpps/veracode_policy_scan:
slack_channel: << pipeline.parameters.alerts-slack-channel >>
context:
- veracode-credentials
- hmpps-common-vars
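Review bot: The deleted `security` workflow at the bottom of this file ran `hmpps/veracode_policy_scan` (with the `veracode-credentials` context) next to the OWASP and Trivy jobs, but the two GitHub workflows added in this commit cover only OWASP and Trivy; two of the five changed files are not shown on this page, so confirm a Veracode policy scan is also recreated in GitHub Actions, otherwise the SAST gate disappears silently along with the `alerts-slack-channel` parameter. Separately, the rewrites scattered through the rest of the file — `<<:` turned into `!!merge <<:`, the Slack block JSON and `additional_docker_build_args` collapsed onto single lines, and the wiremock `command: |` block scalar replaced by a `\n`-escaped double-quoted string — look like a YAML tool round-trip rather than intended changes; they make the config much harder to review, and the explicit `!!merge` tag is a YAML 1.1 form whose acceptance depends on CircleCI's parser. I would restore the original formatting, e.g. keep `command: |` with the three shell lines beneath it and the multi-line `>` folded scalars for the build args.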
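--- a/.github/workflows/security_owasp.yml
+++ b/.github/workflows/security_owasp.yml
@@ -0,0 +1,12 @@
+name: Security OWASP dependency check
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "38 6 * * MON-FRI" # Every weekday at 06:38 UTC
+jobs:
+  security-kotlin-owasp-check:
+    name: Kotlin security OWASP dependency check
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/[email protected] # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit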
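Review bot: `secrets: inherit` hands every repository and organisation secret to the reusable workflow, and the `uses:` reference appears to be pinned by a version tag (the `# WORKFLOW_VERSION` marker reads like a bumpable label, not a commit SHA); a tag can be moved, so a compromise of the hmpps-github-actions repository would expose all of this repo's secrets, not just the ones the scan needs. Pass only the required secrets through an explicit `secrets:` map (presumably the Slack token used with `channel_id`) and pin `uses:` to a full commit SHA with the tag kept in the trailing comment. The job id and display name say `kotlin`, but the CircleCI config in this same commit runs rspec, rubocop and bundler, so either rename to e.g. `security-owasp-check` / `Security OWASP dependency check` or confirm the reusable workflow actually analyses a Gemfile.lock rather than a Gradle project.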
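--- a/.github/workflows/security_trivy.yml
+++ b/.github/workflows/security_trivy.yml
@@ -0,0 +1,12 @@
+name: Security trivy dependency check
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "38 6 * * MON-FRI" # Every weekday at 06:38 UTC
+jobs:
+  security-kotlin-trivy-check:
+    name: Project security trivy dependency check
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/[email protected] # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit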
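Review bot: `channel_id` falls back to the literal `'NO_SLACK'` when the `SECURITY_ALERTS_SLACK_CHANNEL_ID` repository variable is unset, whereas the CircleCI `security` workflow this replaces defaulted `alerts-slack-channel` to `pecs-dev`; because this scan only runs on a schedule, a missing variable means findings are produced with nobody notified and no failing check to notice. Set the variable on this repository as part of the migration, or remove the fallback so an unset variable fails visibly, and record which in a comment such as `# requires repo variable SECURITY_ALERTS_SLACK_CHANNEL_ID (was pecs-dev on CircleCI)`. The same `secrets: inherit` and tag-pinned `uses:` concerns raised on security_owasp.yml apply here, and `security-kotlin-trivy-check` does not describe a Ruby service.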
