---
# Vault connection settings consumed by the .get-secrets template pulled in
# below. The role name suggests a read-only policy — NOTE(review): confirm the
# Vault policy bound to this role really is read-only for the JWT auth path.
variables:
  VAULT_SERVER_URL: 'https://tluav-lb.faradaysec.com'
  VAULT_AUTH_ROLE: 'python-sast-readonly'
  VAULT_AUTH_PATH: 'jwt'
# Local template file; presumably the place where the .get-secrets job
# template (extended by bandit below) is defined — it is not in this file.
include:
  - local: '.gitlab/ci/get-secrets.yml'
# Pipeline order. Jobs in later stages only start once the earlier ones pass
# (test_performance is allow_failure, so it cannot block publish).
stages:
  - SAST          # bandit
  - pre_testing   # flake8
  - testing       # tests
  - post_testing  # test_performance
  - publish       # publish_pypi
# Default prologue for every job. A job that declares its own before_script
# (flake8 below) replaces this, it does not extend it.
before_script:
  - apt-get update -qy
  # NOTE(review): unpinned — this upgrades pip to whatever is newest on PyPI
  # at run time, so the toolchain differs from run to run.
  - pip install pip -U
# Never create merge-request pipelines (avoids duplicate branch + MR runs);
# every other trigger — branches and tags alike — gets a pipeline, so jobs
# without their own rules (e.g. tests) also run on tag pushes.
workflow:
  rules:
    - if: '$CI_MERGE_REQUEST_ID'
      when: never
    - when: always
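# The secrets arrive as file-type variables: each environment variable holds
# the path of a temporary file whose content is the actual secret (inferred
# from the `cat` below). This re-binds every name to the secret's value.
# after_script runs in a new shell, so a job that needs the values there has
# to expand this alias again (bandit does).
# The paths are quoted so a path containing whitespace or glob characters is
# neither word-split nor expanded.
.parse-secrets: &parse-secrets
  - DEVSECOPS_WORKSPACE=$(cat "$DEVSECOPS_WORKSPACE")
  - FARADAY_PASSWORD=$(cat "$FARADAY_PASSWORD")
  - FARADAY_URL=$(cat "$FARADAY_URL")
  - FARADAY_USER=$(cat "$FARADAY_USER")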
# Build an isolated venv with pytest and a source checkout of the faraday
# server (needed for its marshmallow schemas). The faraday-plugins release the
# server pulls from PyPI is removed afterwards so that the caller's
# `pip3 install .` makes the tests run against this repository's checkout.
.install_faraday_venv: &install_faraday_venv
  - pip3 install virtualenv
  - virtualenv -p python3 faraday_venv
  - source faraday_venv/bin/activate
  # Unpinned test tooling; versions drift between runs.
  - pip3 install pytest pytest-xdist pytest-cov
  # Cloned with the job token and no pinned ref, i.e. faraday's default
  # branch at run time — a change there can break this pipeline without any
  # change here. NOTE(review): consider pinning a tag or commit.
  - git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/faradaysec/faraday.git
  - cd faraday
  # PIP_FLAGS is not set anywhere in this file; presumably injected as a CI
  # variable, or empty — verify.
  - pip3 install $PIP_FLAGS .
  # faradaysec is needed for the marshmallow schemas, but the faraday-plugins
  # it drags in from PyPI would shadow this checkout, so drop it.
  - pip uninstall faraday-plugins -y
  - cd ..
# Fetch the sample-report fixtures used by the tests. The fixture branch is
# picked by suffix: for a branch named e.g. "feat_xyz", SUFFIX is "xyz" and
# the first remote branch matching "*_reports_for_xyz" is checked out;
# otherwise master. A branch name without "_" leaves SUFFIX as the whole
# name. In tag pipelines CI_COMMIT_BRANCH is presumably unset, so SUFFIX is
# empty and the pattern is "*_reports_for_", which normally falls back to
# master.
# NOTE(review): `head -n 1` takes whichever matching branch lists first, and
# anyone able to push a suitably named branch to report-collection chooses
# the fixtures this pipeline tests against — treat that repo as part of the
# pipeline's trust boundary.
.clone_reports: &clone_reports
  - git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/faradaysec/support/report-collection.git
  - cd report-collection
  - |
    SUFFIX="${CI_COMMIT_BRANCH#*_}"
    MATCH_BRANCH=$(git branch -r --list "*_reports_for_${SUFFIX}" | sed 's|origin/||' | head -n 1 | xargs)
    if [ -n "$MATCH_BRANCH" ]; then
      echo "Using branch from report-collection: $MATCH_BRANCH"
      REPORT_REF="$MATCH_BRANCH"
    else
      echo "Can't find branch *_reports_for_${SUFFIX}, will use master"
      REPORT_REF="master"
    fi
    git checkout "$REPORT_REF"
  - cd ..
# Static analysis of the plugin package with bandit. Any findings are pushed
# to the Faraday DevSecOps workspace from after_script, which GitLab runs
# even when the scan itself exits non-zero.
bandit:
  stage: SAST
  image: python:3.11
  tags:
    - faradaytests
  # .get-secrets is not defined in this file; presumably it comes from the
  # included .gitlab/ci/get-secrets.yml and provides the FARADAY_* and
  # DEVSECOPS_WORKSPACE file variables read in after_script.
  extends:
    - .get-secrets
  script:
    - pip3 install virtualenv
    - virtualenv -p python3 faraday_venv
    - source faraday_venv/bin/activate
    # Unpinned: the rule set changes with every bandit release.
    - pip3 install bandit
    - mkdir /results
    # Skipped checks: B101 (assert), B104 (bind to all interfaces),
    # B405/B314 (xml.etree import / parse). NOTE(review): B405/B314 are the
    # XML-parsing checks, and the code under scan is a report-parsing library
    # (this very job hands an XML report to faraday-cli below) — confirm a
    # defused parser is used before keeping those two in the skip list.
    - "bandit -r ${CI_PROJECT_DIR}/faraday-plugins -o /results/output.xml -f xml --skip B101,B104,B405,B314"
    # Echo the report into the job log when it contains at least one finding.
    - if [[ $(grep -c testcase /results/output.xml) -gt 0 ]]; then (cat /results/output.xml); fi
  after_script:
    # after_script starts a new shell, so the secret files are re-read here.
    - *parse-secrets
    - apt update && apt-get install lsb-release gpg wget -y
    - apt-get install software-properties-common -y
    # HashiCorp's signing key is fetched over HTTPS and dearmored into a
    # keyring; the --fingerprint call only *prints* it — nothing compares it
    # with the fingerprint HashiCorp publishes, so trust rests entirely on the
    # TLS connection to apt.releases.hashicorp.com. TODO(review): pin the
    # expected fingerprint and fail the job on mismatch.
    - wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
    - gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
    - echo "deb [ signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg ] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list
    # NOTE(review): nothing in this after_script invokes `vault` once it is
    # installed (the Vault lookup is presumably done inside .get-secrets). If
    # this is a leftover, dropping the three lines below removes an extra apt
    # repository and key from the job.
    - apt update && apt install vault -y
    - setcap cap_ipc_lock= /usr/bin/vault
    - pip3 install faraday-cli
    # Upload only when the report has findings. The password is passed on the
    # command line (-p), so it is visible in the runner's process list for the
    # duration of the call; check whether faraday-cli can read it from the
    # environment instead.
    - if [[ $(grep -c testcase /results/output.xml) -gt 0 ]]; then (faraday-cli auth -f $FARADAY_URL -u $FARADAY_USER -p $FARADAY_PASSWORD && faraday-cli tool report /results/output.xml -w $DEVSECOPS_WORKSPACE --vuln-tag $CI_PROJECT_NAME --vuln-tag $CI_COMMIT_REF_NAME); else (echo 'no vulns detected' && exit 0); fi
  rules:
    - when: on_success
# Lint every Python file in the checkout. This job's before_script replaces
# the global one, so there is no apt-get update / pip upgrade here.
flake8:
  stage: pre_testing
  image: python:3.11
  before_script:
    - pip install flake8
    # Collect the *.py files into a de-duplicated list that is passed to
    # flake8 explicitly. Only the .py extension is matched — Python files
    # without it are not picked up.
    - find . -name '*.py' >> files.txt
    - sort -u files.txt | tee files.processed
  script:
    - python -m flake8 --statistics --count $(cat files.processed) --verbose
  after_script:
    # How many files were linted.
    - wc -l files.processed
# Shared body for the test jobs: fetch the sample reports, build the venv
# with the faraday server, install this checkout on top, then run pytest with
# coverage. PIP_FLAGS and PYTEST_FLAGS come from the environment (the latter
# is set by test_performance).
.test_base:
  stage: testing
  script:
    - *clone_reports
    - *install_faraday_venv
    - pip3 install $PIP_FLAGS .
    - pytest tests --capture=sys -v --cov=faraday_plugins --color=yes --disable-warnings $PYTEST_FLAGS
  # Pulls the total percentage out of pytest-cov's summary line.
  coverage: '/TOTAL\s+\d+\s+\d+\s+(\d+%)/'
# Regular test run; it has no rules of its own, so with the workflow above it
# runs on every branch and tag pipeline.
tests:
  image: python:3.11
  extends: .test_base
# Same body as tests, with the performance flag, only on the dev branch, and
# a failure here does not fail the pipeline.
test_performance:
  image: python:3.11
  extends: .test_base
  stage: post_testing
  allow_failure: true
  variables:
    PYTEST_FLAGS: '--performance'
  rules:
    - if: '$CI_COMMIT_BRANCH == "dev"'
      when: on_success
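# Build and upload the package on every tag push. PYPI_USER / PYPI_PASS are
# expected as CI/CD variables; keep them masked and protected, and make the
# release tags protected too, otherwise a protected variable expands to
# nothing on an unprotected tag (or, if unprotected, is exposed to anyone who
# can push a tag).
publish_pypi:
  image: python:3.11
  stage: publish
  variables:
    # twine reads its credentials from the environment. Passing them here
    # instead of as -u/-p arguments keeps them out of the process list and
    # out of any argument echoing on the runner.
    TWINE_USERNAME: $PYPI_USER
    TWINE_PASSWORD: $PYPI_PASS
  script:
    # Unpinned; the uploader version drifts between releases.
    - pip install twine
    - python setup.py sdist bdist_wheel
    # --verbose prints request/response details into the job log; drop it if
    # the log is widely readable.
    - twine upload dist/* --verbose
  rules:
    - if: '$CI_COMMIT_TAG'
      when: on_success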