init

.github/workflows/ci.yaml

@@ -0,0 +1,143 @@
+name: CI
+
+on:
+  # pull_request:
+  push:
+    branches:
+      - 'init'
+    tags-ignore:
+      - '*'
+    paths-ignore:
+      - 'demo/**'
+      - 'docs/**'
+      - 'LICENSE'
+      - 'README.md'
+  workflow_dispatch:
+
+env:
+  DAGGER_VERSION: "0.13.7"
+  DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
+  DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
+  DOCKER_REGISTRY_USERNAME: ${{ vars.DOCKER_REGISTRY_USERNAME }}
+  DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+  GH_DOCKER_REPOSITORY: ${{ vars.GH_DOCKER_REPOSITORY }}
+  GH_HELM_REPOSITORY: ${{ vars.GH_HELM_REPOSITORY }}
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        target: ["debug", "prod"]
+
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set short SHA
+        id: sha
+        run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_ENV
+
+      - name: Set image tag
+        id: tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/init" ]; then
+            if [[ "${{ matrix.target }}" == "debug" ]]; then
+              echo "tag=unstable-debug" >> $GITHUB_ENV
+            else
+              echo "tag=unstable" >> $GITHUB_ENV
+            fi
+          else
+            if [[ "${{ matrix.target }}" == "debug" ]]; then
+              echo "tag=build-${{ env.short_sha }}-debug" >> $GITHUB_ENV
+            else
+              echo "tag=build-${{ env.short_sha }}" >> $GITHUB_ENV
+            fi
+          fi
+
+      - name: Publish Docker image
+        uses: dagger/dagger-for-github@v6
+        env:
+          GH_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          version: ${{ env.DAGGER_VERSION }}
+          engine-stop: false
+          module: github.com/opopops/daggerverse/docker@v1.0.0
+          verb: call
+          args: |
+            --registry=ghcr.io \
+            --username=${{ github.actor }} \
+            --password=env:GH_REGISTRY_PASSWORD \
+            build \
+              --context=. \
+              --target=${{ matrix.target }} \
+              --platform=linux/amd64,linux/arm64 \
+            publish \
+              --image=ghcr.io/${GH_DOCKER_REPOSITORY}:${{ env.tag }} \
+
+
+      - name: Scan Docker image
+        uses: dagger/dagger-for-github@v6
+        env:
+          GH_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          version: ${{ env.DAGGER_VERSION }}
+          module: github.com/opopops/daggerverse/grype@v1.0.0
+          verb: call
+          args: |
+            with-registry-auth \
+              --address=ghcr.io \
+              --username=${{ github.actor }} \
+              --secret=env:GH_REGISTRY_PASSWORD \
+            scan \
+              --source=ghcr.io/${GH_DOCKER_REPOSITORY}:${{ env.tag }} \
+
+  helm:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Lint
+        uses: dagger/dagger-for-github@v6
+        with:
+          version: ${{ env.DAGGER_VERSION }}
+          engine-stop: false
+          module: github.com/purpleclay/daggerverse/helm-oci@v0.4.0
+          verb: call
+          args: |
+            lint \
+              --dir chart \
+              --strict \
+
+      - name: Publish Helm chart
+        uses: dagger/dagger-for-github@v6
+        env:
+          GH_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          version: ${{ env.DAGGER_VERSION }}
+          engine-stop: false
+          module: github.com/purpleclay/daggerverse/helm-oci@v0.4.0
+          verb: call
+          args: |
+            package-push \
+              --dir chart \
+              --version="0.0.0" \
+              --appVersion="1.0.0" \
+              --registry=ghcr.io/${GH_HELM_REPOSITORY} \
+              --username=${{ github.actor }} \
+              --password=env:GH_REGISTRY_PASSWORD \

.github/workflows/release.yaml

@@ -0,0 +1,75 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+env:
+  DAGGER_VERSION: "0.13.7"
+  DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
+  DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
+  DOCKER_REGISTRY_USERNAME: ${{ vars.DOCKER_REGISTRY_USERNAME }}
+  DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+
+jobs:
+  docker:
+    if: startsWith(github.event.ref, 'refs/tags/v')
+
+    name: Release Docker image
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        target: ["debug", "prod"]
+
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Publish Docker image
+        uses: dagger/dagger-for-github@v6
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        with:
+          version: ${{ env.DAGGER_VERSION }}
+          cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
+          engine-stop: false
+          module: github.com/opopops/daggerverse/docker@v1.0.0
+          verb: call
+          args: |
+            --registry=${DOCKER_REGISTRY} \
+            --username=${DOCKER_REGISTRY_USERNAME} \
+            --password=env:DOCKER_REGISTRY_PASSWORD \
+            build \
+              --context=. \
+              --target=${{ matrix.target }} \
+              --platform=linux/amd64,linux/arm64 \
+            publish \
+              --image=${DOCKER_REGISTRY}/${DOCKER_REPOSITORY}:${{ github.ref_name }} \
+            sign \
+              --password=env:COSIGN_PASSWORD \
+              --private-key=env:COSIGN_PRIVATE_KEY \
+
+      - name: Scan Docker image
+        uses: dagger/dagger-for-github@v6
+        with:
+          version: ${{ env.DAGGER_VERSION }}
+          cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
+          module: github.com/opopops/daggerverse/grype@v1.0.0
+          verb: call
+          args: |
+            with-registry-auth \
+              --address=${DOCKER_REGISTRY} \
+              --username=${DOCKER_REGISTRY_USERNAME} \
+              --secret=env:DOCKER_REGISTRY_PASSWORD \
+            scan \
+              --source=${DOCKER_REGISTRY}/${DOCKER_REPOSITORY}:${{ github.ref_name }} \
+              --fail-on=high \

.gitignore

@@ -0,0 +1 @@
+.local/

Dockerfile

@@ -0,0 +1,94 @@
+# syntax=docker/dockerfile:1
+
+ARG REGISTRY="cgr.dev"
+
+### Base
+FROM --platform=$BUILDPLATFORM ${REGISTRY}/chainguard/wolfi-base:latest AS base
+
+LABEL org.opencontainers.image.authors="GitGuardian SRE Team <support@gitguardian.com>"
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+
+RUN apk add --no-cache \
+  curl
+
+### WSTunnel
+FROM base AS wstunnel
+
+ARG WSTUNNEL_VERSION="10.1.5"
+ENV WSTUNNEL_VERSION=$WSTUNNEL_VERSION
+RUN curl -fsSL https://github.com/erebe/wstunnel/releases/download/v${WSTUNNEL_VERSION}/wstunnel_${WSTUNNEL_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz | \
+  tar xvzf - -C /usr/bin wstunnel && \
+  chmod 755 /usr/bin/wstunnel
+USER 65532
+
+FROM base AS builder
+
+RUN apk add --no-cache \
+  bash \
+  git \
+  go
+
+
+### Build
+FROM builder AS build
+
+WORKDIR /build
+COPY go.mod .
+COPY main.go .
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+  go build -o ggbridge -ldflags "-w" .
+
+
+### Dev
+FROM builder AS dev
+
+RUN apk add --no-cache \
+  nano \
+  openssl \
+  vim
+
+COPY --link --from=wstunnel --chmod=755 /usr/bin/wstunnel /usr/bin/wstunnel
+
+
+### Debug
+FROM base AS debug
+
+LABEL org.opencontainers.image.description="ggbridge - connect your on-prem VCS with the GitGuardian Platform"
+
+RUN apk add --no-cache \
+  bash \
+  curl \
+  nginx-mainline \
+  openssl
+
+RUN install -d -m 755 -o 65532 -g 65532 \
+  /var/lib/nginx \
+  /var/lib/nginx/html \
+  /var/lib/nginx/logs && \
+  install -d -m 777 -o 65532 -g 65532 \
+  /var/lib/nginx/tmp \
+  /var/run
+
+COPY --link --from=wstunnel --chmod=755 /usr/bin/wstunnel /usr/bin/wstunnel
+COPY --link --from=build --chmod=755 /build/ggbridge /usr/bin/ggbridge
+
+USER 65532
+
+ENTRYPOINT []
+CMD ["/bin/sh", "-l"]
+
+
+### Prod
+FROM ${REGISTRY}/chainguard/glibc-dynamic:latest AS prod
+
+LABEL org.opencontainers.image.authors="GitGuardian SRE Team <support@gitguardian.com>"
+LABEL org.opencontainers.image.description="ggbridge - connect your on-prem VCS with the GitGuardian Platform"
+
+COPY --link --from=wstunnel --chmod=755 /usr/bin/wstunnel /usr/bin/wstunnel
+COPY --link --from=build --chmod=755 /build/ggbridge /usr/bin/ggbridge
+
+ENTRYPOINT ["/usr/bin/ggbridge"]
+CMD ["client"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Germain
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1 +1,18 @@
-# ggbridge
+# ggbridge: connect your on-prem VCS with the GitGuardian Platform
+
+**ggbridge** is a tool designed to facilitate secure connections between the GitGuardian SaaS platform and your on-premise Version Control Systems (VCS) that are not exposed to the public internet. By acting as a secure bridge, GGBridge enables GitGuardian to access repositories located in isolated environments, ensuring that your sensitive code data remains protected while taking advantage of GitGuardian’s powerful scanning capabilities.
+
+With ggbirdge, organizations can maintain their internal infrastructure and security protocols without sacrificing the ability to integrate with GitGuardian’s monitoring and alerting features.
+
+## How it Works
+
+![ggbridge](./docs/assets/ggbridge.drawio.png)
+
+**ggbridge** is composed of two main parts:
+
+- **Server**: Installed on the GitGuardian's network.
+- **Client**: Installed on the customer’s private network.
+
+The client component connects to the server using the WebSocket protocol to establish a secure, mutually authenticated (mTLS) tunnel between the customer’s network and the GitGuardian SaaS platform. This ensures both ends are securely authenticated.
+
+Once the tunnel is established, a proxy server is deployed on the GitGuardian side, which allows secure access to the client’s on-prem VCS through the tunnel. This proxy connection enables GitGuardian to scan and monitor your repositories without requiring your VCS to be publicly accessible.

chart/.gitignore

@@ -0,0 +1,2 @@
+values-local*.yaml
+values-local*.yml

chart/.helmignore

@@ -0,0 +1,26 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+values-local.yaml
+values-local.yml

chart/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: ggbridge
+description: A Helm chart for installing ggbridge
+type: application
+version: 0.0.0
+appVersion: "1.0.0"