security scan: Add example job for scanning python files 49/25849/3
authorFatih Degirmenci <fatih.degirmenci@ericsson.com>
Tue, 13 Dec 2016 11:26:05 +0000 (12:26 +0100)
committerFatih Degirmenci <fatih.degirmenci@ericsson.com>
Wed, 14 Dec 2016 07:21:25 +0000 (08:21 +0100)
This is an example job configuration to run security scan
against the functest python code. It will not vote on the patches
at this phase.

The job opnfv-security-scan-verify-{stream} gets triggered
whenever a patch that changes python code is sent to Functest.

Change-Id: Id05950af70afedb2afbd61062c3f8d41ef1aaacd
Signed-off-by: Fatih Degirmenci <fatih.degirmenci@ericsson.com>
jjb/securityscanning/opnfv-security-scan.yml [new file with mode: 0644]

diff --git a/jjb/securityscanning/opnfv-security-scan.yml b/jjb/securityscanning/opnfv-security-scan.yml
new file mode 100644 (file)
index 0000000..6b7cd47
--- /dev/null
@@ -0,0 +1,109 @@
+########################
+# Job configuration for opnfv-lint
+########################
+- project:
+
+    name: security-scan
+
+    project: anteaterfw
+
+    jobs:
+        - 'opnfv-security-scan-verify-{stream}'
+
+    stream:
+        - master:
+            branch: '{stream}'
+            gs-pathname: ''
+            disabled: false
+
+########################
+# job templates
+########################
+- job-template:
+    name: 'opnfv-security-scan-verify-{stream}'
+
+    disabled: '{obj:disabled}'
+
+    parameters:
+        - project-parameter:
+            project: $GERRIT_PROJECT
+        - gerrit-parameter:
+            branch: '{branch}'
+
+    scm:
+        - gerrit-trigger-scm:
+            credentials-id: '{ssh-credentials}'
+            refspec: '$GERRIT_REFSPEC'
+            choosing-strategy: 'gerrit'
+
+    triggers:
+        - gerrit:
+            server-name: 'gerrit.opnfv.org'
+            trigger-on:
+                - patchset-created-event:
+                    exclude-drafts: 'false'
+                    exclude-trivial-rebase: 'false'
+                    exclude-no-code-change: 'false'
+                - draft-published-event
+                - comment-added-contains-event:
+                    comment-contains-value: 'recheck'
+                - comment-added-contains-event:
+                    comment-contains-value: 'reverify'
+            projects:
+              - project-compare-type: 'REG_EXP'
+                project-pattern: 'functest'
+                branches:
+                  - branch-compare-type: 'ANT'
+                    branch-pattern: '**/{branch}'
+                file-paths:
+                  - compare-type: ANT
+                    pattern: '**/*.py'
+          skip-vote:
+            successful: true
+            failed: true
+            unstable: true
+            notbuilt: true
+
+    builders:
+        - security-scan-python-code
+        - report-security-scan-result-to-gerrit
+########################
+# builder macros
+########################
+- builder:
+    name: security-scan-python-code
+    builders:
+        - shell: |
+            #!/bin/bash
+            set -o errexit
+            set -o pipefail
+            set -o xtrace
+            export PATH=$PATH:/usr/local/bin/
+
+            # this is where the security/license scan script will be executed
+            echo "Hello World!"
+- builder:
+    name: report-security-scan-result-to-gerrit
+    builders:
+        - shell: |
+            #!/bin/bash
+            set -o errexit
+            set -o pipefail
+            set -o xtrace
+            export PATH=$PATH:/usr/local/bin/
+
+            # If no violations were found, no lint log will exist.
+            if [[ -e securityscan.log ]] ; then
+                echo -e "\nposting security scan report to gerrit...\n"
+
+                cat securityscan.log
+                echo
+
+                ssh -p 29418 gerrit.opnfv.org \
+                    "gerrit review -p $GERRIT_PROJECT \
+                     -m \"$(cat securityscan.log)\" \
+                     $GERRIT_PATCHSET_REVISION \
+                     --notify NONE"
+
+                exit 1
+            fi
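Review bot: The report builder at the end of the hunk splices the scan output straight into the remote command, `-m \"$(cat securityscan.log)\"`, so a double quote in the log would close the message argument and let the remainder be parsed by Gerrit as additional options; since the log is produced from the patch under test (and the `-e securityscan.log` check looks in the checked-out workspace, so the patch could even ship that file itself), a contributor could in principle append flags such as a vote. Sanitize the message before it is quoted, e.g. `msg=$(tr -d '"' < securityscan.log)` on its own line followed by `-m \"$msg\"`, and start the `security-scan-python-code` builder with `rm -f securityscan.log` so a file committed in the patch is not mistaken for scan output. Separately, `skip-vote:` in the triggers block is indented to the same column as `gerrit:`, which makes it a sibling key of the trigger rather than one of its settings, so JJB is unlikely to apply it and the job could vote despite the commit message; it belongs two spaces further in, under `gerrit:`. The header comment `# Job configuration for opnfv-lint` is a copy-paste leftover and should read `# Job configuration for opnfv-security-scan`.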