tyler.durden/centreon-plugins
1
0
Fork 0
mirror of https://github.com/centreon/centreon-plugins.git synced 2025-09-24 02:08:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

ci(secu): backport new pipeline and gitleaks changes (#5754)

Browse Source
This commit is contained in:
Stéphane Chapron 2025-09-16 22:26:56 +02:00 committed by GitHub
parent c052b85a7d
commit cc2184e480
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 31 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
.githooks/pre-commit Executable file
View File

@ -0,0 +1,12 @@
#!/usr/bin/env sh
set -eu
# ensure gitleaks is available
if ! command -v gitleaks >/dev/null 2>&1; then
echo "Error: gitleaks is not installed or not in PATH." >&2
echo "Install: https://github.com/gitleaks/gitleaks#install" >&2
exit 1
fi
# scan for secrets before commit
gitleaks detect --no-git --verbose

2
.github/CODEOWNERS vendored
View File

@ -24,4 +24,4 @@ selinux/** @centreon/owners-pipelines
.gitleaks.toml @centreon/owners-security .gitleaks.toml @centreon/owners-security
.gitleaksignore @centreon/owners-security .gitleaksignore @centreon/owners-security
**/checkmarx-analysis.yml @centreon/owners-security **/security-checks.yml @centreon/owners-security

13
.github/workflows/actionlint.yml vendored
View File

@ -19,18 +19,18 @@ jobs:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- name: Checkout sources - name: Checkout sources
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Download actionlint - name: Download actionlint
id: get_actionlint id: get_actionlint
run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/v1.7.7/scripts/download-actionlint.bash)
shell: bash shell: bash
- name: Check workflow files - name: Check workflow files
run: | run: |
${{ steps.get_actionlint.outputs.executable }} \ ${{ steps.get_actionlint.outputs.executable }} \
-ignore 'label "centreon-common" is unknown' \ -ignore 'label "centreon-(common|collect-arm64)" is unknown' \
-ignore 'label "centreon-collect-arm64" is unknown' \ -ignore 'label "ubuntu-(24.04|24.04-arm)" is unknown' \
-ignore '"github.head_ref" is potentially untrusted' \ -ignore '"github.head_ref" is potentially untrusted' \
-shellcheck= \ -shellcheck= \
-pyflakes= \ -pyflakes= \
@ -39,12 +39,15 @@ jobs:
- name: Ensure SHA pinned actions - name: Ensure SHA pinned actions
uses: centreon/github-actions-ensure-sha-pinned-actions@47d553c67ceb08ad660deaeb3b994e47a3dd8fc3 # v3.0.23.3 uses: centreon/github-actions-ensure-sha-pinned-actions@47d553c67ceb08ad660deaeb3b994e47a3dd8fc3 # v3.0.23.3
with:
allowlist: |
centreon/security-tools
yaml-lint: yaml-lint:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- name: Checkout sources - name: Checkout sources
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Install Yaml - name: Install Yaml
run: | run: |

68
.github/workflows/checkmarx-analysis.yml vendored
View File

@ -1,68 +0,0 @@
name: Checkmarx scans
on:
workflow_call:
inputs:
module_name:
required: true
type: string
module_directory:
required: false
type: string
secrets:
base_uri:
required: true
cx_tenant:
required: true
cx_client_id:
required: true
cx_client_secret:
required: true
jobs:
pipeline-scan:
name: Run a pipeline scan
runs-on: ubuntu-24.04
steps:
- name: routing
run: |
# Quality gate settings
ENABLE_QG="true"
if [[ "${{ vars.CHECKMARX_QUALITY_GATE }}" != "yes" ]]; then
# disabling all QG in case of incident with the service
ENABLE_QG="false"
echo "Skipping analysis. Caused by QG override"
elif [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.user.id }}" == "49699333" ]]; then
# disabling the QG in case of pull request opened by dependabot bot
# As dependabot will not be able to access GH secrets
ENABLE_QG="false"
echo "Skipping analysis. Caused by dependabot PR"
fi
# Check forced full scan
SCAN_MODE="--sast-incremental"
if [[ "${{ github.event_name }}" == "schedule" || "${{ vars.CHECKMARX_FORCE_FULL_SCAN }}" == "yes" ]]; then
SCAN_MODE="--sast-incremental=false"
fi
echo "scan_mode=$SCAN_MODE" >> $GITHUB_ENV
echo "enable_analysis=$ENABLE_QG" >> $GITHUB_ENV
cat $GITHUB_ENV
- name: Checkout
if: env.enable_analysis == 'true'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Checkmarx One CLI Action
if: env.enable_analysis == 'true'
uses: checkmarx/ast-github-action@44adb082541fa1f47bcfca6de1517ff28990d813 # v2.3.22
with:
project_name: ${{ inputs.module_name }}
base_uri: ${{ secrets.base_uri }}
cx_tenant: ${{ secrets.cx_tenant }}
cx_client_id: ${{ secrets.cx_client_id }}
cx_client_secret: ${{ secrets.cx_client_secret }}
source_dir: "./"
additional_params: --scan-types "sast,sca,api-security" ${{ env.scan_mode }}

26
.github/workflows/gitleaks.yml vendored
View File

@ -1,26 +0,0 @@
name: gitleaks
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
on:
pull_request:
workflow_dispatch:
jobs:
scan:
name: gitleaks
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: Centreon
GITLEAKS_ENABLE_COMMENTS: false
GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
GITLEAKS_ENABLE_SUMMARY: false

27
.github/workflows/plugins-analysis.yml → .github/workflows/security-checks.yml vendored
View File

@ -1,13 +1,10 @@
name: plugins-analysis name: security-checks
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true
on: on:
workflow_dispatch:
schedule:
- cron: '30 0 * * 1-5'
pull_request: pull_request:
branches: branches:
- develop - develop
@ -16,26 +13,22 @@ on:
branches: branches:
- develop - develop
- master - master
workflow_dispatch:
schedule:
- cron: 0 1 * * 1-5
jobs: jobs:
get-environment: secrets_scan:
uses: ./.github/workflows/get-environment.yml uses: centreon/security-tools/.github/workflows/gitleaks-analysis.yml@main
checkmarx-analysis: code_scan:
needs: [get-environment] uses: centreon/security-tools/.github/workflows/checkmarx-analysis.yml@main
if: |
needs.get-environment.outputs.skip_workflow == 'false' &&
github.event.pull_request.draft != 'true'
uses: ./.github/workflows/checkmarx-analysis.yml
with: with:
module_directory:
module_name: centreon-plugins module_name: centreon-plugins
exclude_list:
secrets: secrets:
base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }} base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }} cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }} cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }} cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
set-skip-label:
needs: [get-environment, checkmarx-analysis]
if: needs.get-environment.outputs.skip_workflow == 'false'
uses: ./.github/workflows/set-pull-request-skip-label.yml

0
.gitleaksignore Normal file
View File