-
Notifications
You must be signed in to change notification settings - Fork 0
/
.gitlab-ci.yml
113 lines (106 loc) · 2.5 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# SPDX-FileCopyrightText: © 2024 Gilles Bellot <gilles.bellot@bell0bytes.eu>
# SPDX-License-Identifier: AGPL-3.0-or-later
workflow:
name: 'Security & Code Quality'
stages:
- security
- test
- quality
# PyTest
pytest:
stage: test
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_PIPELINE_SOURCE == "schedule"
when: always
- when: never
image:
name: python:3.11
entrypoint: [""]
variables:
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
cache:
paths:
- .cache/pip
- env/
artifacts:
paths:
- coverage.xml
expire_in: 1 week
before_script:
- cp ${ERTIE_TEST_CONFIGURATION} .env
- python3 -V
- python3 -m venv env
- source env/bin/activate
- pip install -r requirements.txt
script:
- python3 -m pytest
# SonarQube Scan
sonarqube:
stage: quality
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_PIPELINE_SOURCE == "schedule"
when: always
- when: never
variables:
SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
GIT_DEPTH: "0"
image:
name: sonarsource/sonar-scanner-cli:latest
entrypoint: [""]
cache:
key: "${CI_JOB_NAME}"
paths:
- .sonar/cache
script:
- sonar-scanner -Dsonar.qualitygate.wait=true -Dsonar.python.coverage.reportPaths=coverage.xml
# GitGuardian Secret Scanning
gitguardian:
stage: security
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
when: always
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
when: never
- if: $CI_PIPELINE_SOURCE == "schedule"
when: always
- when: never
image: gitguardian/ggshield:latest
variables:
GITGUARDIAN_API_KEY: $GITGUARDIAN_API_KEY
script:
- ggshield secret scan ci
# Snyk Dependency Scanning
snyk:
stage: security
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
changes:
- requirements.txt
when: always
- if: $CI_PIPELINE_SOURCE == "schedule"
when: always
- when: never
image:
name: python:3.11
entrypoint: [""]
variables:
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
cache:
paths:
- .cache/pip
- env/
before_script:
- python3 -V
- python3 -m venv env
- source env/bin/activate
- pip install -r requirements.txt
script:
- apt-get update -y
- apt-get install nodejs npm -y
- npm install -g snyk
- snyk auth $SNYK_TOKEN
- snyk config set org=bell0bytes
- snyk monitor --project-name=$CI_PROJECT_NAME
- snyk test