ci-pipeline.yaml
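---
# GitHub Actions workflow: Terraform validation/tests plus static analysis
# (fmt, tflint, Checkov, GitLeaks, Trivy) on pushes to main and on pull requests.
name: CI Pipeline

# Token scopes for the whole workflow. Only `contents: read` is exercised by the
# steps in this file (checkout). NOTE(review): `pull-requests: write`,
# `checks: write` and `actions: read` are unused here — drop them unless
# something outside this file depends on them.
permissions:
  contents: read
  pull-requests: write
  checks: write
  actions: read

on:
  push:
    branches:
      - main
  # NOTE(review): for pull requests opened from forks GitHub withholds repository
  # secrets, so the Azure-backed end-to-end step below would run with empty
  # credentials on those events.
  pull_request:

jobs:
  build-verification:
    name: Build Verification
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions are pinned to floating major tags; for
      # supply-chain integrity pin each `uses:` to a full commit SHA and keep the
      # tag in a trailing comment.
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: "1.9.3"
          terraform_wrapper: false
      - name: Install Go
        uses: actions/setup-go@v1
        with:
          # Quoted so a future "1.20"-style value is not parsed as the float 1.2.
          go-version: "1.21"
      - name: Terraform Validate
        run: |
          terraform init -backend=false
          terraform validate
        working-directory: infrastructure
      - name: Run Integration Tests
        run: |
          terraform init -backend=false
          terraform test
        working-directory: tests/integration-tests
      - name: Run End to End Tests
        run: |
          go mod tidy
          go test -v -timeout 30m
        working-directory: tests/end-to-end-tests
        env:
          # Env values are strings on the runner; quoted to make that explicit.
          GOMAXPROCS: "8"
          # Long-lived service-principal credentials. NOTE(review): OIDC
          # federation (`id-token: write` plus a login action) would avoid
          # storing a static client secret in the repository.
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          TF_STATE_RESOURCE_GROUP: ${{ secrets.TF_STATE_RESOURCE_GROUP }}
          TF_STATE_STORAGE_ACCOUNT: ${{ secrets.TF_STATE_STORAGE_ACCOUNT }}
          TF_STATE_STORAGE_CONTAINER: ${{ secrets.TF_STATE_STORAGE_CONTAINER }}

  static-code-analysis:
    name: Static Code Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          # Full history is required for the GitLeaks step: `gitleaks detect`
          # on the default shallow clone only inspects the tip commit, so secrets
          # committed earlier would go unnoticed.
          fetch-depth: 0
      - name: Install Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: "1.9.3"
      - name: Run Terraform Format
        run: terraform fmt -check
        working-directory: infrastructure
      - name: Install TFLint
        uses: terraform-linters/setup-tflint@v1
        with:
          # NOTE(review): `latest` is unpinned; pin a version for reproducible runs.
          tflint_version: latest
      - name: Run Terraform Lint
        # NOTE(review): runs at the repository root while the sibling Terraform
        # steps target infrastructure/ — confirm this is intended.
        run: tflint
      - name: Install Checkov
        # NOTE(review): `pip3 install checkov` is unpinned; pin a version so scan
        # results are reproducible between runs.
        run: sudo apt-get update && sudo apt-get install -y python3-pip && pip3 install checkov
      - name: Run Checkov Scan
        # `--list` only prints the check catalogue and exits without scanning,
        # so it was removed; the scan now runs against infrastructure/.
        run: checkov --directory infrastructure --skip-path example
      - name: Install GitLeaks
        # `-f` makes curl fail on HTTP errors instead of piping an error page
        # into tar. NOTE(review): the tarball is not checksum-verified; compare
        # it against the checksums file published with the gitleaks release.
        run: |
          curl -fsSL https://github.com/zricethezav/gitleaks/releases/download/v8.2.4/gitleaks_8.2.4_linux_x64.tar.gz | tar -xz
          sudo mv gitleaks /usr/local/bin/
      - name: Run GitLeaks Scan
        # NOTE(review): consider `--redact` so matched secret values are not
        # echoed into the job log.
        run: gitleaks detect --source . --config .gitleaks.toml
      - name: Install Trivy
        run: |
          sudo apt-get update
          sudo apt-get install -y wget apt-transport-https gnupg lsb-release
          # A dedicated keyring with signed-by replaces the deprecated apt-key,
          # which trusted the key for every configured repository.
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
          sudo apt-get update
          sudo apt-get install -y trivy
      - name: Run Trivy Scan
        # `--scanners vuln,misconfig` is the current spelling of the deprecated
        # `--security-checks vuln,config`; the apt repo installs the latest Trivy.
        run: trivy filesystem --scanners vuln,misconfig --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed .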