SDIT-2050: 👷 Switch to github actions for security jobs (#2273)
petergphillips authored Sep 20, 2024
1 parent b1f220c commit 856db88
Showing 5 changed files with 79 additions and 59 deletions.
66 changes: 7 additions & 59 deletions .circleci/config.yml
@@ -1,24 +1,16 @@
version: 2.1

orbs:
hmpps: ministryofjustice/hmpps@10

executor:
&executor
executor: &executor
executor:
name: hmpps/java
tag: "21.0"
environment:
# Setting max gradle workers to 1 (which means 1 running concurrently, not max 1!) - because although this doesn't stop the ktlint workers from starting it does seem to prevent the test executor from needing as much memory.
_JAVA_OPTIONS: -Xmx2048m -XX:ParallelGCThreads=2 -XX:ConcGCThreads=2
-XX:ParallelGCThreads=2
-Djava.util.concurrent.ForkJoinPool.common.parallelism=2
-Dorg.gradle.daemon=false -Dorg.gradle.jvmargs=-XX:+UseContainerSupport
-Dkotlin.compiler.execution.strategy=in-process -Dorg.gradle.workers.max=1

_JAVA_OPTIONS: -Xmx2048m -XX:ParallelGCThreads=2 -XX:ConcGCThreads=2 -XX:ParallelGCThreads=2 -Djava.util.concurrent.ForkJoinPool.common.parallelism=2 -Dorg.gradle.daemon=false -Dorg.gradle.jvmargs=-XX:+UseContainerSupport -Dkotlin.compiler.execution.strategy=in-process -Dorg.gradle.workers.max=1
jobs:
check:
<<: *executor
!!merge <<: *executor
steps:
- run:
command: |
Expand Down Expand Up @@ -51,15 +43,14 @@ jobs:
# The resource_class feature allows configuring CPU and RAM resources for each job. Different resource classes are available for different executors. https://circleci.com/docs/2.0/configuration-reference/#resourceclass
resource_class: large
test-integration:
<<: *executor
!!merge <<: *executor
steps:
- checkout
- restore_cache:
key: gradle-wrapper-{{ checksum "gradle/wrapper/gradle-wrapper.properties" }}
- restore_cache:
key: gradle-cache-{{ checksum "build.gradle.kts" }}
- run: ./gradlew -Dorg.gradle.jvmargs="--illegal-access=permit"
-Dkotlin.daemon.jvm.options="--illegal-access=permit" testIntegration
- run: ./gradlew -Dorg.gradle.jvmargs="--illegal-access=permit" -Dkotlin.daemon.jvm.options="--illegal-access=permit" testIntegration
- save_cache:
key: gradle-wrapper-{{ checksum "gradle/wrapper/gradle-wrapper.properties" }}
paths:
Expand All @@ -77,16 +68,14 @@ jobs:
# The resource_class feature allows configuring CPU and RAM resources for each job. Different resource classes are available for different executors. https://circleci.com/docs/2.0/configuration-reference/#resourceclass
resource_class: large
test-schema-nomis:
<<: *executor
!!merge <<: *executor
steps:
- checkout
- restore_cache:
key: gradle-wrapper-{{ checksum "gradle/wrapper/gradle-wrapper.properties" }}
- restore_cache:
key: gradle-cache-{{ checksum "build.gradle.kts" }}
- run: ./gradlew -Dorg.gradle.jvmargs="--illegal-access=permit"
-Dkotlin.daemon.jvm.options="--illegal-access=permit"
testWithSchemaNomis
- run: ./gradlew -Dorg.gradle.jvmargs="--illegal-access=permit" -Dkotlin.daemon.jvm.options="--illegal-access=permit" testWithSchemaNomis
- save_cache:
key: gradle-wrapper-{{ checksum "gradle/wrapper/gradle-wrapper.properties" }}
paths:
Expand All @@ -102,7 +91,6 @@ jobs:
- store_artifacts:
path: build/libs
resource_class: large

workflows:
version: 2
build-test-and-deploy:
Expand Down Expand Up @@ -146,7 +134,6 @@ workflows:
type: approval
requires:
- deploy_dev

- hmpps/deploy_env:
name: deploy_preprod
env: "preprod"
Expand All @@ -159,12 +146,10 @@ workflows:
- prison-api-preprod
requires:
- request-preprod-approval

- request-prod-approval:
type: approval
requires:
- deploy_preprod

- hmpps/deploy_env:
name: deploy_prod
env: "prod"
Expand All @@ -178,40 +163,3 @@ workflows:
- prison-api-prod
requires:
- request-prod-approval

security:
triggers:
- schedule:
cron: "46 6 * * 1-5"
filters:
branches:
only:
- main
jobs:
- hmpps/gradle_owasp_dependency_check:
cache_key: "v2_0"
jdk_tag: "21.0"
context:
- hmpps-common-vars
- hmpps/trivy_latest_scan:
context:
- hmpps-common-vars
- hmpps/veracode_pipeline_scan:
jdk_tag: "21.0"
context:
- hmpps-common-vars
- veracode-credentials
security-weekly:
triggers:
- schedule:
cron: "51 5 * * 1"
filters:
branches:
only:
- main
jobs:
- hmpps/veracode_policy_scan:
jdk_tag: "21.0"
context:
- veracode-credentials
- hmpps-common-vars
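Review bot: The three merge keys now carry an explicit tag (`!!merge <<: *executor` in the check, test-integration and test-schema-nomis jobs), which reads like formatter output rather than an intentional change; it is worth running `circleci config validate` on the result before relying on it, since not every YAML loader accepts a tag on a merge key. The deleted `security` and `security-weekly` workflows also passed `jdk_tag: "21.0"` and `cache_key: "v2_0"` to the orb jobs, while the replacement GitHub workflow calls pass only `channel_id`; whether the reusable workflows derive the JDK version from the repository instead is not visible here and should be confirmed before the CircleCI schedule is considered fully replaced. The hunks in this section are partial, with context elided between them.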
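--- /dev/null
+++ b/.github/workflows/security_owasp.yml
@@ -0,0 +1,13 @@
+name: Security OWASP dependency check
+on:
+workflow_dispatch:
+schedule:
+- cron: "23 9 * * MON-FRI" # Every weekday at 09:23 UTC
+jobs:
+security-kotlin-owasp-check:
+name: Kotlin security OWASP dependency check
+uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_owasp.yml@0.2 # WORKFLOW_VERSION
+with:
+channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+secrets:
+SLACK_BOT_TOKEN: ${{ secrets.HMPPS_SRE_SLACK_BOT_TOKEN }}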
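Review bot: The reusable workflow is referenced by a mutable tag, `uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_owasp.yml@0.2`, so whoever can move that tag in the upstream repository changes what runs with this repository's `HMPPS_SRE_SLACK_BOT_TOKEN` secret; the `# WORKFLOW_VERSION` marker suggests the reference is bumped by tooling, and the form that keeps that working while making the reference immutable is a full commit SHA with the version kept in the comment, `uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_owasp.yml@<FULL_COMMIT_SHA> # 0.2 WORKFLOW_VERSION`. The same applies to the `uses:` line in security_trivy.yml, security_veracode_pipeline_scan.yml and security_veracode_policy_scan.yml, where the Veracode API credentials are also passed through. If the organisation restricts callable workflows to this owner the exposure is smaller, but the SHA pin is still the documented way to make the reference immutable.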
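--- /dev/null
+++ b/.github/workflows/security_trivy.yml
@@ -0,0 +1,13 @@
+name: Security trivy dependency check
+on:
+workflow_dispatch:
+schedule:
+- cron: "23 9 * * MON-FRI" # Every weekday at 09:23 UTC
+jobs:
+security-kotlin-trivy-check:
+name: Project security trivy dependency check
+uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_trivy.yml@0.2 # WORKFLOW_VERSION
+with:
+channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+secrets:
+SLACK_BOT_TOKEN: ${{ secrets.HMPPS_SRE_SLACK_BOT_TOKEN }}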
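--- /dev/null
+++ b/.github/workflows/security_veracode_pipeline_scan.yml
@@ -0,0 +1,23 @@
+name: Security veracode pipeline check
+on:
+workflow_dispatch:
+schedule:
+- cron: "23 9 * * MON-FRI" # Every weekday at 09:23 UTC
+jobs:
+security-veracode-policy-check:
+name: Project security veracode policy scan
+uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_pipeline_scan.yml@0.2 # WORKFLOW_VERSION
+with:
+channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+secrets:
+SLACK_BOT_TOKEN: ${{ secrets.HMPPS_SRE_SLACK_BOT_TOKEN }}
+VERACODE_API_ID_0: ${{ secrets.HMPPS_VERACODE_API_ID_0 }}
+VERACODE_API_ID_1: ${{ secrets.HMPPS_VERACODE_API_ID_1 }}
+VERACODE_API_ID_2: ${{ secrets.HMPPS_VERACODE_API_ID_2 }}
+VERACODE_API_ID_3: ${{ secrets.HMPPS_VERACODE_API_ID_3 }}
+VERACODE_API_ID_4: ${{ secrets.HMPPS_VERACODE_API_ID_4 }}
+VERACODE_API_KEY_0: ${{ secrets.HMPPS_VERACODE_API_KEY_0 }}
+VERACODE_API_KEY_1: ${{ secrets.HMPPS_VERACODE_API_KEY_1 }}
+VERACODE_API_KEY_2: ${{ secrets.HMPPS_VERACODE_API_KEY_2 }}
+VERACODE_API_KEY_3: ${{ secrets.HMPPS_VERACODE_API_KEY_3 }}
+VERACODE_API_KEY_4: ${{ secrets.HMPPS_VERACODE_API_KEY_4 }}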
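Review bot: The job id and display name in this pipeline-scan workflow say "policy" (`security-veracode-policy-check` and `name: Project security veracode policy scan`), identical to those in security_veracode_policy_scan.yml, so the daily pipeline scan and the weekly policy scan will be indistinguishable in the Actions job list and in any alert that reports the job name. Rename them to match the workflow they live in, `security-veracode-pipeline-check` and `name: Project security veracode pipeline scan`. The workflow-level `name: Security veracode pipeline check` on the first line is presumably what was intended for the job as well.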
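--- /dev/null
+++ b/.github/workflows/security_veracode_policy_scan.yml
@@ -0,0 +1,23 @@
+name: Security veracode policy check
+on:
+workflow_dispatch:
+schedule:
+- cron: "32 9 * * 1" # Every Monday at 09:32 UTC
+jobs:
+security-veracode-policy-check:
+name: Project security veracode policy scan
+uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_policy_scan.yml@0.2 # WORKFLOW_VERSION
+with:
+channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+secrets:
+SLACK_BOT_TOKEN: ${{ secrets.HMPPS_SRE_SLACK_BOT_TOKEN }}
+VERACODE_API_ID_0: ${{ secrets.HMPPS_VERACODE_API_ID_0 }}
+VERACODE_API_ID_1: ${{ secrets.HMPPS_VERACODE_API_ID_1 }}
+VERACODE_API_ID_2: ${{ secrets.HMPPS_VERACODE_API_ID_2 }}
+VERACODE_API_ID_3: ${{ secrets.HMPPS_VERACODE_API_ID_3 }}
+VERACODE_API_ID_4: ${{ secrets.HMPPS_VERACODE_API_ID_4 }}
+VERACODE_API_KEY_0: ${{ secrets.HMPPS_VERACODE_API_KEY_0 }}
+VERACODE_API_KEY_1: ${{ secrets.HMPPS_VERACODE_API_KEY_1 }}
+VERACODE_API_KEY_2: ${{ secrets.HMPPS_VERACODE_API_KEY_2 }}
+VERACODE_API_KEY_3: ${{ secrets.HMPPS_VERACODE_API_KEY_3 }}
+VERACODE_API_KEY_4: ${{ secrets.HMPPS_VERACODE_API_KEY_4 }}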
