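# Use the latest 2.1 version of CircleCI pipeline processing engine, see https://circleci.com/docs/2.0/configuration-reference/
# Orb that runs the Salus security-scanner coordinator against the checked-out
# repository and stores the resulting report as a build artifact.
version: 2.1
description: "Salus security scanner coordinator (SAST)"

executors:
  salus:
    docker:
      # Pinned to a release tag. Tags are mutable, so for a reproducible supply
      # chain consider pinning by digest as well, e.g.
      # coinbase/salus:2.4.2@sha256:<digest-from-registry>.
      - image: coinbase/salus:2.4.2

jobs:
  scan:
    executor: << parameters.salus_executor >>
    # The repository is checked out here; the generated configuration and the
    # report live one level up in /home, outside the scanned tree.
    working_directory: /home/repo
    parameters:
      salus_executor:
        description: Executor for Salus
        type: executor
        default: salus
      # active_scanners and enforced_scanners are spliced verbatim into the
      # generated salus-configuration.yaml (see "Create configuration" below), so
      # a value may be a scalar ("all", "none") or a YAML list fragment; the
      # specify_scanners example passes "\n - Brakeman" for that reason.
      active_scanners:
        description: Scanners to run
        type: string
        default: "all"
      enforced_scanners:
        description: Lists all scanners that should cause Salus to exit with a non-zero status if they find a security vulnerability.
        type: string
        default: "all"
      report_uri:
        description: Defines where to send Salus reports
        type: string
        # Relative to the repository path (/home/repo), i.e. /home/salus-report.json;
        # the store_artifacts step below assumes this default.
        default: "file://../salus-report.json"
      report_format:
        description: Defines the format of the report (json, yaml, txt)
        type: string
        default: "json"
      report_verbosity:
        description: Defines whether the report should be verbose
        type: boolean
        default: true
      configuration_file:
        description: Location of the Salus configuration file, relative to the repository root; empty means use the generated one
        type: string
        default: ""
    steps:
      - checkout
      - run:
          name: Create configuration
          # Parameters are expanded by CircleCI before the shell runs, so the
          # echo body is the literal YAML that Salus will read.
          command: |
            echo "
            config_version: 1
            active_scanners: << parameters.active_scanners >>
            enforced_scanners: << parameters.enforced_scanners >>
            reports:
              - uri: << parameters.report_uri >>
                format: << parameters.report_format >>
                verbose: << parameters.report_verbosity >>" | tee salus-configuration.yaml
          working_directory: /home
      - run:
          name: Run scan
          # Pick the configuration URI once, then run Salus a single time;
          # a user-supplied file must exist under the checked-out repository.
          command: |
            configuration_file="<< parameters.configuration_file >>"
            if [[ -n "${configuration_file}" ]]; then
              if [[ ! -f "repo/${configuration_file}" ]]; then
                echo "repo/${configuration_file} does not exist, aborting."
                exit 1
              fi
              config_uri="file://${configuration_file}"
            else
              config_uri="file://../salus-configuration.yaml"
            fi
            # Quoted so a working directory containing spaces cannot split the argument.
            bundle exec /home/bin/salus scan --repo_path "${CIRCLE_WORKING_DIRECTORY}" --config "${config_uri}"
          environment:
            BUNDLE_GEMFILE: /home/Gemfile
          working_directory: /home
      - store_artifacts:
          # Matches the default report_uri; change the two together.
          path: /home/salus-report.json

examples:
  blocking_scan:
    description: A Salus scan that blocks on any potential vulnerabilities
    usage:
      version: 2.1
      orbs:
        salus: federacy/salus@1.0.2
      workflows:
        salus_scan:
          jobs:
            - salus/scan
  non_blocking_scan:
    description: A Salus scan that does not block on potential vulnerabilities
    usage:
      version: 2.1
      orbs:
        salus: federacy/salus@1.0.2
      workflows:
        salus_scan:
          jobs:
            - salus/scan:
                enforced_scanners: "none"
  specify_scanners:
    description: A Salus scan using specific scanners
    usage:
      version: 2.1
      orbs:
        salus: federacy/salus@1.0.2
      workflows:
        salus_scan:
          jobs:
            - salus/scan:
                # The leading newline makes the value a YAML list in the generated configuration.
                active_scanners: "\n - Brakeman"
  specify_executor_scan:
    description: A Salus scan run on a user-supplied executor (here the latest Salus image)
    usage:
      version: 2.1
      orbs:
        salus: federacy/salus@1.0.2
      executors:
        salus_latest:
          docker:
            # Floating tag: not reproducible; pin a release tag or digest in real pipelines.
            - image: coinbase/salus:latest
      workflows:
        salus_scan:
          jobs:
            - salus/scan:
                salus_executor:
                  name: salus_latest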