.gitlab-ci.yml
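default:
  # Base image for every job that does not set its own `image` (Run_Zap does).
  # `python:3.9.1` is a mutable tag that is rebuilt upstream; pin by digest
  # (`python:3.9.1@sha256:<digest>`) if the build must be reproducible.
  image: python:3.9.1
  # `before_script` lives under `default:` rather than at the top level (the
  # top-level form is the deprecated alias of this one). It runs in EVERY job,
  # including Run_Zap inside the owasp/zap2docker-stable image, so the app's
  # requirements.txt is installed into the scanner image as well.
  before_script:
    - python -m pip install --upgrade pip
    # bandit is not installed explicitly anywhere in this file, so it is
    # presumably provided by requirements.txt — TODO confirm.
    - pip install -r requirements.txt
    # Unpinned: the newest faraday-cli release is fetched on every run. Pin a
    # version (and ideally use --require-hashes) so a breaking or tampered
    # release cannot silently change the reporting step.
    - pip install faraday-cli

stages:
  - pre_deploy_testing
  - deploy
  - post_deploy_testing
  #- reporting_post_deploy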
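Run_Bandit:
  stage: pre_deploy_testing
  tags:
    - digitalocean-dev
  # Job-level `allow_failure` replaces the unconditional `rules:` entry that
  # carried only `allow_failure: true`; the effect is the same. Together with
  # the `|| true` below this means Bandit findings are reported to Faraday but
  # never block the deploy stage.
  allow_failure: true
  script:
    # bandit exits non-zero when it finds issues; keep going so the report is
    # uploaded. This also hides bandit's own errors — the `cat` below then
    # fails on the missing report file, which is what surfaces them.
    - bandit -r . -f xml -o flaskapp_faraday_bandit.xml || true
    - cat flaskapp_faraday_bandit.xml
    # Upload only when the XML holds at least one testcase (i.e. a finding).
    # The Faraday password is passed as a command-line argument, so it is
    # visible in the runner host's process list while the call runs; keep
    # FARADAY_PASSWORD a masked (and protected) CI variable.
    - |-
      if [[ $(grep -c testcase flaskapp_faraday_bandit.xml) -gt 0 ]]; then
        faraday-cli auth -f "$FARADAY_URL" -u "$FARADAY_USER" -p "$FARADAY_PASSWORD" \
          && faraday-cli tool report flaskapp_faraday_bandit.xml -w "$DEVSECOPS_WORKSPACE" \
               --vuln-tag "$CI_PROJECT_NAME" --vuln-tag "$CI_COMMIT_REF_NAME"
      else
        echo 'Bandit - no vulns dettected'
      fi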
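Push_to_Heroku:
  stage: deploy
  tags:
    - digitalocean-dev
  # Restrict the deploy to the default branch. Without this rule every branch
  # and tag pipeline force-pushed its HEAD over the single Heroku app's master
  # branch. Widen the condition if other refs are genuinely meant to deploy.
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    # The remote does not exist on a fresh checkout; removing it must not
    # fail the job.
    - git remote remove heroku || true
    # NOTE(review): the credential/host part of this URL was mangled by the
    # page renderer ("[email protected]"); confirm the real value in the
    # repository. Embedding the API key in the remote URL stores it in
    # .git/config of the runner's working tree and can surface it in git's
    # verbose or error output; prefer a credential helper fed from a masked
    # CI variable so the secret never lands on disk.
    - git remote add heroku https://heroku:[email protected]/$HEROKU_APP_NAME.git
    # Force-push: Heroku's master is overwritten with whatever HEAD is here.
    # If the runner uses GitLab's default shallow clone, Heroku rejects the
    # push; set `GIT_DEPTH: 0` in this job's variables in that case.
    - git push heroku HEAD:master -f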
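Run_Zap:
  stage: post_deploy_testing
  tags:
    - digitalocean-dev
  # Overrides the default python image; the global before_script (pip
  # installs) still runs inside this image first.
  image: owasp/zap2docker-stable
  script:
    # -p: do not fail if the ZAP work directory already exists in the image.
    - mkdir -p /zap/wrk/
    # Copies the checkout into ZAP's work dir; nothing below reads it from
    # there except the report ZAP writes, so this is presumably only for
    # consistency with the output path — TODO confirm it is still needed.
    - cp -r * /zap/wrk/
    # zap-baseline.py exits non-zero when it raises WARN/FAIL alerts; the
    # `|| echo 0` keeps the job going so the report can be uploaded, but it
    # equally hides an unreachable target or a ZAP crash — the `cp` below
    # then fails on the missing report, which is what surfaces those.
    - zap-baseline.py -t "$ZAP_SCAN_URL" -x zap-report.xml || echo 0
    - cp /zap/wrk/zap-report.xml .
    - cat /zap/wrk/zap-report.xml
    # Uploaded unconditionally (unlike Run_Bandit, which checks for findings
    # first). The password is a command-line argument and thus visible in the
    # runner host's process list for the duration of the call; keep
    # FARADAY_PASSWORD a masked (and protected) CI variable.
    - |-
      faraday-cli auth -f "$FARADAY_URL" -u "$FARADAY_USER" -p "$FARADAY_PASSWORD" \
        && faraday-cli tool report zap-report.xml -w "$DEVSECOPS_WORKSPACE" \
             --vuln-tag "$CI_PROJECT_NAME" --vuln-tag "$CI_COMMIT_REF_NAME"
  artifacts:
    # Keep the report even when the Faraday upload (and so the job) fails.
    when: always
    paths:
      - zap-report.xml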
# Zap_Reporting:
# stage: reporting_post_deploy
# tags:
# - digitalocean-dev
# script:
# - if [[ $(grep -c testcase zap-report.xml) -gt 0 ]]; then (faraday-cli auth -f $FARADAY_URL -u $FARADAY_USER -p $FARADAY_PASSWORD && faraday-cli tool report zap-report.xml -w $DEVSECOPS_WORKSPACE --vuln-tag "$CI_PROJECT_NAME" --vuln-tag "$CI_COMMIT_REF_NAME"); else (echo 'Zap - no vulns dettected' && exit 0); fi
# needs:
# - job: Run_Zap
# artifacts: true
# rules:
# - when: on_success