From 74c30518156eae570098b9a147f0dc66677559c9 Mon Sep 17 00:00:00 2001
From: Fatih Degirmenci
Date: Tue, 13 Dec 2016 12:26:05 +0100
Subject: [PATCH] security scan: Add example job for scanning python files
This is an example job configuration to run security scan against the functest python code. It will not vote on the patches at this phase.
The job opnfv-security-scan-verify-{stream} gets triggered whenever a patch containing python code change is sent to Functest.
Change-Id: Id05950af70afedb2afbd61062c3f8d41ef1aaacd
Signed-off-by: Fatih Degirmenci
---
 jjb/securityscanning/opnfv-security-scan.yml | 109 +++++++++++++++++++++++++++
 1 file changed, 109 insertions(+)
 create mode 100644 jjb/securityscanning/opnfv-security-scan.yml
diff --git a/jjb/securityscanning/opnfv-security-scan.yml b/jjb/securityscanning/opnfv-security-scan.yml
new file mode 100644
index 000000000..6b7cd4747
--- /dev/null
+++ b/jjb/securityscanning/opnfv-security-scan.yml
@@ -0,0 +1,109 @@
+########################
+# Job configuration for opnfv-lint
+########################
+- project:
+
+ name: security-scan
+
+ project: anteaterfw
+
+ jobs:
+ - 'opnfv-security-scan-verify-{stream}'
+
+ stream:
+ - master:
+ branch: '{stream}'
+ gs-pathname: ''
+ disabled: false
+
+########################
+# job templates
+########################
+- job-template:
+ name: 'opnfv-security-scan-verify-{stream}'
+
+ disabled: '{obj:disabled}'
+
+ parameters:
+ - project-parameter:
+ project: $GERRIT_PROJECT
+ - gerrit-parameter:
+ branch: '{branch}'
+
+ scm:
+ - gerrit-trigger-scm:
+ credentials-id: '{ssh-credentials}'
+ refspec: '$GERRIT_REFSPEC'
+ choosing-strategy: 'gerrit'
+
+ triggers:
+ - gerrit:
+ server-name: 'gerrit.opnfv.org'
+ trigger-on:
+ - patchset-created-event:
+ exclude-drafts: 'false'
+ exclude-trivial-rebase: 'false'
+ exclude-no-code-change: 'false'
+ - draft-published-event
+ - comment-added-contains-event:
+ comment-contains-value: 'recheck'
+ - comment-added-contains-event:
+ comment-contains-value: 'reverify'
+ projects:
+ - project-compare-type: 'REG_EXP'
+ project-pattern: 'functest'
+ branches:
+ - branch-compare-type: 'ANT'
+ branch-pattern: '**/{branch}'
+ file-paths:
+ - compare-type: ANT
+ pattern: '**/*.py'
+ skip-vote:
+ successful: true
+ failed: true
+ unstable: true
+ notbuilt: true
+
+ builders:
+ - security-scan-python-code
+ - report-security-scan-result-to-gerrit
+########################
+# builder macros
+########################
+- builder:
+ name: security-scan-python-code
+ builders:
+ - shell: |
+ #!/bin/bash
+ set -o errexit
+ set -o pipefail
+ set -o xtrace
+ export PATH=$PATH:/usr/local/bin/
+
+ # this is where the security/license scan script will be executed
+ echo "Hello World!"
+- builder:
+ name: report-security-scan-result-to-gerrit
+ builders:
+ - shell: |
+ #!/bin/bash
+ set -o errexit
+ set -o pipefail
+ set -o xtrace
+ export PATH=$PATH:/usr/local/bin/
+
+ # If no violations were found, no lint log will exist.
+ if [[ -e securityscan.log ]] ; then
+ echo -e "\nposting security scan report to gerrit...\n"
+
+ cat securityscan.log
+ echo
+
+ ssh -p 29418 gerrit.opnfv.org \
+ "gerrit review -p $GERRIT_PROJECT \
+ -m \"$(cat securityscan.log)\" \
+ $GERRIT_PATCHSET_REVISION \
+ --notify NONE"
+
+ exit 1
+ fi
-- 
2.16.6
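Review bot: In the report-security-scan-result-to-gerrit builder the scan log is spliced verbatim into the remote command line as `-m \"$(cat securityscan.log)\"`, so any double quote or backslash in the log ends the `-m` argument early or rewrites the rest of the `gerrit review` invocation as Gerrit's SSH command parser tokenises it — and since a scanner report will presumably quote lines from the Python files in the change under review, that text is controlled by the patch submitter and should be treated as untrusted. At minimum escape those characters before interpolating (backslashes first), e.g. `msg=$(cat securityscan.log); msg=${msg//\\/\\\\}; msg=${msg//\"/\\\"}` and then pass `-m \"$msg\"`, or post the review through Gerrit's REST API with a JSON body so the message travels as data rather than as command-line text; confirm the exact quoting rules against the deployed Gerrit version. Whether the log really carries source excerpts depends on the scanner that replaces the `echo "Hello World!"` placeholder in security-scan-python-code, which this commit does not wire up yet, so a one-line comment above the ssh call noting that the log content is untrusted would help the person who does. A smaller style point: `compare-type: ANT` is the only unquoted value among the quoted trigger settings around it (`'ANT'`, `'REG_EXP'`, `'gerrit'`).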