From: Fatih Degirmenci Date: Tue, 13 Dec 2016 11:26:05 +0000 (+0100) Subject: security scan: Add example job for scanning python files X-Git-Tag: danube.1.0~556^2 X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F49%2F25849%2F3;p=releng.git security scan: Add example job for scanning python files This is an example job configuration to run security scan against the functest python code. It will not vote on the patches at this phase. The job opnfv-security-scan-verify-{stream} gets triggered whenever a patch containing python code change is sent to Functest. Change-Id: Id05950af70afedb2afbd61062c3f8d41ef1aaacd Signed-off-by: Fatih Degirmenci --- diff --git a/jjb/securityscanning/opnfv-security-scan.yml b/jjb/securityscanning/opnfv-security-scan.yml new file mode 100644 index 000000000..6b7cd4747 --- /dev/null +++ b/jjb/securityscanning/opnfv-security-scan.yml @@ -0,0 +1,109 @@ +######################## +# Job configuration for opnfv-lint +######################## +- project: + + name: security-scan + + project: anteaterfw + + jobs: + - 'opnfv-security-scan-verify-{stream}' + + stream: + - master: + branch: '{stream}' + gs-pathname: '' + disabled: false + +######################## +# job templates +######################## +- job-template: + name: 'opnfv-security-scan-verify-{stream}' + + disabled: '{obj:disabled}' + + parameters: + - project-parameter: + project: $GERRIT_PROJECT + - gerrit-parameter: + branch: '{branch}' + + scm: + - gerrit-trigger-scm: + credentials-id: '{ssh-credentials}' + refspec: '$GERRIT_REFSPEC' + choosing-strategy: 'gerrit' + + triggers: + - gerrit: + server-name: 'gerrit.opnfv.org' + trigger-on: + - patchset-created-event: + exclude-drafts: 'false' + exclude-trivial-rebase: 'false' + exclude-no-code-change: 'false' + - draft-published-event + - comment-added-contains-event: + comment-contains-value: 'recheck' + - comment-added-contains-event: + comment-contains-value: 'reverify' + projects: + - project-compare-type: 'REG_EXP' + project-pattern: 'functest' + branches: + - branch-compare-type: 'ANT' + branch-pattern: '**/{branch}' + file-paths: + - compare-type: ANT + pattern: '**/*.py' + skip-vote: + successful: true + failed: true + unstable: true + notbuilt: true + + builders: + - security-scan-python-code + - report-security-scan-result-to-gerrit +######################## +# builder macros +######################## +- builder: + name: security-scan-python-code + builders: + - shell: | + #!/bin/bash + set -o errexit + set -o pipefail + set -o xtrace + export PATH=$PATH:/usr/local/bin/ + + # this is where the security/license scan script will be executed + echo "Hello World!" +- builder: + name: report-security-scan-result-to-gerrit + builders: + - shell: | + #!/bin/bash + set -o errexit + set -o pipefail + set -o xtrace + export PATH=$PATH:/usr/local/bin/ + + # If no violations were found, no lint log will exist. + if [[ -e securityscan.log ]] ; then + echo -e "\nposting security scan report to gerrit...\n" + + cat securityscan.log + echo + + ssh -p 29418 gerrit.opnfv.org \ + "gerrit review -p $GERRIT_PROJECT \ + -m \"$(cat securityscan.log)\" \ + $GERRIT_PATCHSET_REVISION \ + --notify NONE" + + exit 1 + fi