summaryrefslogtreecommitdiffstats
path: root/jjb/securityscanning
diff options
context:
space:
mode:
authorFatih Degirmenci <fatih.degirmenci@ericsson.com>2016-12-13 12:26:05 +0100
committerFatih Degirmenci <fatih.degirmenci@ericsson.com>2016-12-14 08:21:25 +0100
commit74c30518156eae570098b9a147f0dc66677559c9 (patch)
tree07a1a4aa56cc3214e552930d35c61d939e38bec5 /jjb/securityscanning
parentd298029ded18eb39ceec4d198ba8ca83d2f21709 (diff)
security scan: Add example job for scanning python files
This is an example job configuration to run security scan against the functest python code. It will not vote on the patches at this phase. The job opnfv-security-scan-verify-{stream} gets triggered whenever a patch containing python code change is sent to Functest. Change-Id: Id05950af70afedb2afbd61062c3f8d41ef1aaacd Signed-off-by: Fatih Degirmenci <fatih.degirmenci@ericsson.com>
Diffstat (limited to 'jjb/securityscanning')
-rw-r--r--jjb/securityscanning/opnfv-security-scan.yml109
1 files changed, 109 insertions, 0 deletions
diff --git a/jjb/securityscanning/opnfv-security-scan.yml b/jjb/securityscanning/opnfv-security-scan.yml
new file mode 100644
index 000000000..6b7cd4747
--- /dev/null
+++ b/jjb/securityscanning/opnfv-security-scan.yml
@@ -0,0 +1,109 @@
+########################
+# Job configuration for opnfv-lint
+########################
+- project:
+
+ name: security-scan
+
+ project: anteaterfw
+
+ jobs:
+ - 'opnfv-security-scan-verify-{stream}'
+
+ stream:
+ - master:
+ branch: '{stream}'
+ gs-pathname: ''
+ disabled: false
+
+########################
+# job templates
+########################
+- job-template:
+ name: 'opnfv-security-scan-verify-{stream}'
+
+ disabled: '{obj:disabled}'
+
+ parameters:
+ - project-parameter:
+ project: $GERRIT_PROJECT
+ - gerrit-parameter:
+ branch: '{branch}'
+
+ scm:
+ - gerrit-trigger-scm:
+ credentials-id: '{ssh-credentials}'
+ refspec: '$GERRIT_REFSPEC'
+ choosing-strategy: 'gerrit'
+
+ triggers:
+ - gerrit:
+ server-name: 'gerrit.opnfv.org'
+ trigger-on:
+ - patchset-created-event:
+ exclude-drafts: 'false'
+ exclude-trivial-rebase: 'false'
+ exclude-no-code-change: 'false'
+ - draft-published-event
+ - comment-added-contains-event:
+ comment-contains-value: 'recheck'
+ - comment-added-contains-event:
+ comment-contains-value: 'reverify'
+ projects:
+ - project-compare-type: 'REG_EXP'
+ project-pattern: 'functest'
+ branches:
+ - branch-compare-type: 'ANT'
+ branch-pattern: '**/{branch}'
+ file-paths:
+ - compare-type: ANT
+ pattern: '**/*.py'
+ skip-vote:
+ successful: true
+ failed: true
+ unstable: true
+ notbuilt: true
+
+ builders:
+ - security-scan-python-code
+ - report-security-scan-result-to-gerrit
+########################
+# builder macros
+########################
+- builder:
+ name: security-scan-python-code
+ builders:
+ - shell: |
+ #!/bin/bash
+ set -o errexit
+ set -o pipefail
+ set -o xtrace
+ export PATH=$PATH:/usr/local/bin/
+
+ # this is where the security/license scan script will be executed
+ echo "Hello World!"
+- builder:
+ name: report-security-scan-result-to-gerrit
+ builders:
+ - shell: |
+ #!/bin/bash
+ set -o errexit
+ set -o pipefail
+ set -o xtrace
+ export PATH=$PATH:/usr/local/bin/
+
+ # If no violations were found, no lint log will exist.
+ if [[ -e securityscan.log ]] ; then
+ echo -e "\nposting security scan report to gerrit...\n"
+
+ cat securityscan.log
+ echo
+
+ ssh -p 29418 gerrit.opnfv.org \
+ "gerrit review -p $GERRIT_PROJECT \
+ -m \"$(cat securityscan.log)\" \
+ $GERRIT_PATCHSET_REVISION \
+ --notify NONE"
+
+ exit 1
+ fi