WIP: run security checks on working branch

ministryofjustice · Oct 3, 2024 · 80e6a12 · 80e6a12
1 parent db1e2aa
commit 80e6a12
Show file tree

Hide file tree

Showing 5 changed files with 162 additions and 34 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,11 +1,14 @@
 version: 2.1
+
 orbs:
  hmpps: ministryofjustice/hmpps@7.1.0
  slack: circleci/slack@4.12.1
+
 parameters:
  alerts-slack-channel:
  type: string
  default: pecs-dev
+
 aliases:
  - &notify_slack_on_failure
  slack/notify:
@@ -44,15 +47,111 @@ aliases:
  - &notify_slack_on_release_start
  slack/notify:
  channel: $BUILD_NOTIFICATIONS_CHANNEL_ID
- custom: '{ "blocks": [ { "type": "section", "fields": [ { "type": "mrkdwn", "text": "*API is being prepared for release :building_construction:*" } ] }, { "type": "section", "text": { "type": "mrkdwn", "text": "A new release was created by ${CIRCLE_USERNAME}" }, "fields": [ { "type": "mrkdwn", "text": "@here" } ] }, { "type": "actions", "elements": [ { "type": "button", "text": { "type": "plain_text", "text": "Changelog" }, "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/blob/main/CHANGELOG.md" } ] } ] }'
+ custom: '{
+ "blocks": [
+ {
+ "type": "section",
+ "fields": [
+ {
+ "type": "mrkdwn",
+ "text": "*API is being prepared for release :building_construction:*"
+ }
+ ]
+ },
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": "A new release was created by ${CIRCLE_USERNAME}"
+ },
+ "fields": [
+ {
+ "type": "mrkdwn",
+ "text": "@here"
+ }
+ ]
+ },
+ {
+ "type": "actions",
+ "elements": [
+ {
+ "type": "button",
+ "text": {
+ "type": "plain_text",
+ "text": "Changelog"
+ },
+ "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/blob/main/CHANGELOG.md"
+ }
+ ]
+ }
+ ]
+ }'
  - &notify_slack_of_approval
  slack/notify:
  channel: $BUILD_NOTIFICATIONS_CHANNEL_ID
- custom: '{ "blocks": [ { "type": "section", "text": { "type": "mrkdwn", "text": "API release *requires your approval* before it can be deployed :eyes:" }, "fields": [ { "type": "mrkdwn", "text": "${BUILD_NOTIFICATIONS_MENTION_ID}" } ] }, { "type": "actions", "elements": [ { "type": "button", "text": { "type": "plain_text", "text": "View Workflow" }, "url": "https://circleci.com/workflow-run/${CIRCLE_WORKFLOW_ID}" } ] } ] }'
+ custom: '{
+ "blocks": [
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": "API release *requires your approval* before it can be deployed :eyes:"
+ },
+ "fields": [
+ {
+ "type": "mrkdwn",
+ "text": "${BUILD_NOTIFICATIONS_MENTION_ID}"
+ }
+ ]
+ },
+ {
+ "type": "actions",
+ "elements": [
+ {
+ "type": "button",
+ "text": {
+ "type": "plain_text",
+ "text": "View Workflow"
+ },
+ "url": "https://circleci.com/workflow-run/${CIRCLE_WORKFLOW_ID}"
+ }
+ ]
+ }
+ ]
+ }'
  - &notify_slack_on_release_end
  slack/notify:
  channel: $BUILD_NOTIFICATIONS_CHANNEL_ID
- custom: '{ "blocks": [ { "type": "section", "text": { "type": "mrkdwn", "text": "*API has been deployed* :rocket:" }, "fields": [ { "type": "mrkdwn", "text": "@here This release was successfully deployed to production" } ] }, { "type": "actions", "elements": [ { "type": "button", "text": { "type": "plain_text", "text": "Release" }, "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/releases" } ] } ] }'
+ custom: '{
+ "blocks": [
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": "*API has been deployed* :rocket:"
+ },
+ "fields": [
+ {
+ "type": "mrkdwn",
+ "text": "@here This release was successfully deployed to production"
+ }
+ ]
+ },
+ {
+ "type": "actions",
+ "elements": [
+ {
+ "type": "button",
+ "text": {
+ "type": "plain_text",
+ "text": "Release"
+ },
+ "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/releases"
+ }
+ ]
+ }
+ ]
+ }'
  - &all_tags
  filters:
  tags:
@@ -84,6 +183,7 @@ aliases:
  only: /^v.*/
  branches:
  ignore: /.*/
+
 # Not so keen on using references, but keeping them for now in case they have DRYness benefits.
 # Likely to flatten then into the respective commands section.
 references:
@@ -128,7 +228,11 @@ references:
  _load_wiremock_mappings: &load_wiremock_mappings
  run:
  name: Load mappings into wiremock
- command: "echo \"Loading wiremock mappings...\"\nfind spec/wiremock/prison-api/mappings/*.json -exec curl -vv --request POST --url http://localhost:8888/__admin/mappings --header 'content-type: application/json' --data-binary \"@{}\" \\;\ncurl -vv http://localhost:8888/__admin/mappings \necho \"Done\"\n"
+ command: |
+ echo "Loading wiremock mappings..."
+ find spec/wiremock/prison-api/mappings/*.json -exec curl -vv --request POST --url http://localhost:8888/__admin/mappings --header 'content-type: application/json' --data-binary "@{}" \;
+ curl -vv http://localhost:8888/__admin/mappings 
+ echo "Done"
  _notify_sentry_release: &notify_sentry_release
  run:
  name: Create release and notify Sentry of deploy
@@ -156,16 +260,19 @@ references:
  _attach-tmp-workspace: &attach-tmp-workspace
  attach_workspace:
  at: .
+
 executors:
  basic-executor:
  docker:
  - image: cimg/base:2022.11
+
  cloud-platform-executor:
  docker:
  - image: ${ECR_ENDPOINT}/cloud-platform/tools:circleci
  environment:
  GITHUB_TEAM_NAME_SLUG: book-a-secure-move
  REPO_NAME: hmpps-book-secure-move-api
+
  test-executor:
  docker:
  # Check https://circleci.com/docs/2.0/language-ruby/ for more details
@@ -185,29 +292,34 @@ executors:
  LANG: C.utf8
  - image: wiremock/wiremock:2.32.0-alpine
  command: --port 8888
+
 commands:
  build-base:
  description: "Checkout app code and fetch dependencies for running tests"
  steps:
  - *restore-cache
  - *install-dependencies
  - *save-cache
+
  seed-database:
  description: "Create and seed the Database"
  steps:
  - *create-db
  - *migrate-db
+
 jobs:
  notify_of_approval:
  resource_class: small
  executor: basic-executor
  steps:
  - *notify_slack_of_approval
+
  notify_of_release:
  resource_class: small
  executor: basic-executor
  steps:
  - *notify_slack_on_release_start
+
  setup_test_environment:
  resource_class: small
  executor: test-executor
@@ -216,6 +328,7 @@ jobs:
  - setup_remote_docker
  - build-base
  - seed-database
+
  api_docs:
  resource_class: small
  executor: test-executor
@@ -233,6 +346,7 @@ jobs:
  - swagger/v1/swagger.yaml
  - swagger/v2/swagger.yaml
  - *notify_slack_on_failure
+
  rspec_tests:
  executor: test-executor
  parallelism: 1
@@ -246,6 +360,7 @@ jobs:
  - *wait-for-wiremock
  - *load_wiremock_mappings
  - *rspec
+
  linters:
  resource_class: medium
  executor: test-executor
@@ -254,32 +369,34 @@ jobs:
  - build-base
  - *attach-tmp-workspace
  - *rubocop
+
 workflows:
  version: 2
+
  test-build-deploy:
  jobs:
  - notify_of_release:
  context:
  - hmpps-common-vars
- !!merge <<: *only_deploy_tags
+ <<: *only_deploy_tags
  - setup_test_environment:
- !!merge <<: *all_tags
+ <<: *all_tags
  - api_docs:
  context:
  - hmpps-common-vars
- !!merge <<: *all_tags
+ <<: *all_tags
  requires:
  - setup_test_environment
  - rspec_tests:
- !!merge <<: *all_tags
+ <<: *all_tags
  requires:
  - setup_test_environment
  - linters:
- !!merge <<: *all_tags
+ <<: *all_tags
  requires:
  - setup_test_environment
  - hmpps/build_docker:
- !!merge <<: *test_only
+ <<: *test_only
  requires:
  - api_docs
  - rspec_tests
@@ -288,21 +405,29 @@ workflows:
  image_name: "quay.io/hmpps/hmpps-book-secure-move-api"
  publish: false
  additional_docker_build_args: >
- --label build.git.sha=${CIRCLE_SHA1} --label build.git.branch=${CIRCLE_BRANCH} --label build.date=$(date -Is) --build-arg APP_BUILD_DATE=$(date -Is) --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH} --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1}
-
+ --label build.git.sha=${CIRCLE_SHA1}
+ --label build.git.branch=${CIRCLE_BRANCH}
+ --label build.date=$(date -Is)
+ --build-arg APP_BUILD_DATE=$(date -Is)
+ --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH}
+ --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1}
  - hmpps/build_docker:
- !!merge <<: *only_for_deployment
+ <<: *only_for_deployment
  requires:
  - api_docs
  - rspec_tests
  - linters
  name: build_image
  image_name: "quay.io/hmpps/hmpps-book-secure-move-api"
  additional_docker_build_args: >
- --label build.git.sha=${CIRCLE_SHA1} --label build.git.branch=${CIRCLE_BRANCH} --label build.date=$(date -Is) --build-arg APP_BUILD_DATE=$(date -Is) --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH} --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1}
-
+ --label build.git.sha=${CIRCLE_SHA1}
+ --label build.git.branch=${CIRCLE_BRANCH}
+ --label build.date=$(date -Is)
+ --build-arg APP_BUILD_DATE=$(date -Is)
+ --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH}
+ --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1}
  - hmpps/deploy_env:
- !!merge <<: *only_main
+ <<: *only_main
  name: deploy_staging
  env: "staging"
  context:
@@ -311,7 +436,7 @@ workflows:
  requires:
  - build_image
  - hmpps/deploy_env:
- !!merge <<: *only_deploy_tags
+ <<: *only_deploy_tags
  name: deploy_uat
  env: "uat"
  context:
@@ -320,7 +445,7 @@ workflows:
  requires:
  - build_image
  - hmpps/deploy_env:
- !!merge <<: *only_deploy_tags
+ <<: *only_deploy_tags
  name: deploy_preprod
  env: "preprod"
  context:
@@ -329,22 +454,31 @@ workflows:
  requires:
  - build_image
  - hold_production:
- !!merge <<: *only_deploy_tags
+ <<: *only_deploy_tags
  type: approval
  requires:
  - build_image
  - notify_of_approval:
  context:
  - hmpps-common-vars
- !!merge <<: *only_deploy_tags
+ <<: *only_deploy_tags
  requires:
  - build_image
  - hmpps/deploy_env:
- !!merge <<: *only_deploy_tags
+ <<: *only_deploy_tags
  name: deploy_production
  env: "production"
  context:
  - hmpps-common-vars
  - basm-api-production
  requires:
  - hold_production
+
+ security:
+ triggers:
+ - schedule:
+ cron: "0 7 * * 1-5"
+ filters:
+ branches:
+ only:
+ - main
diff --git a/.github/workflows/security_owasp.yml b/.github/workflows/security_owasp.yml
diff --git a/.github/workflows/security_trivy.yml b/.github/workflows/security_trivy.yml
@@ -1,5 +1,7 @@
 name: Security trivy dependency check
-on:
+on: 
+ push:
+ branches: [MAP-1652-migrate-CI-security-pipeline]
  workflow_dispatch:
  schedule:
  - cron: "38 6 * * MON-FRI" # Every weekday at 06:38 UTC

diff --git a/.github/workflows/security_veracode_pipeline_scan.yml b/.github/workflows/security_veracode_pipeline_scan.yml
@@ -1,5 +1,7 @@
 name: Security veracode pipeline scan
 on:
+ push:
+ branches: [MAP-1652-migrate-CI-security-pipeline]
  workflow_dispatch:
  schedule:
  - cron: "38 6 * * MON-FRI" # Every weekday at 06:38 UTC

diff --git a/.github/workflows/security_veracode_policy_scan.yml b/.github/workflows/security_veracode_policy_scan.yml
@@ -1,5 +1,7 @@
 name: Security veracode policy scan
 on:
+ push:
+ branches: [MAP-1652-migrate-CI-security-pipeline]
  workflow_dispatch:
  schedule:
  - cron: "58 6 * * 1" # Every Monday at 06:58 UTC