bat9go
/
Ycsecurity
镜像来自 https://github.com/yandex-cloud/yc-solution-library-for-security


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
							stages:
    - checkov-test-files
    - tfplan
    - checkov-test-tfplan
    - tf-apply

#Checkov test terrafrom files
checkov-test-files:
  stage: checkov-test-files
  allow_failure: false  # True for AutoDevOps compatibility
  image:
    name: bridgecrew/checkov:latest
    entrypoint:
      - '/usr/bin/env'
      - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.yml'
        - '**/*.yaml'
        - '**/*.json'
        - '**/*.template'
        - '**/*.tf'      
        - '**/serverless.yml'
        - '**/serverless.yaml'
  script:
    # Use `script` to emulate `tty` for colored output.
    - script -q -c 'checkov -d . ; echo $? > CKVEXIT'
    - exit $(cat CKVEXIT)


#Terraform generate plan
tfplan:
  stage: tfplan
  allow_failure: false  # True for AutoDevOps compatibility
  image:
    name: hashicorp/terraform:light
    entrypoint:
      - '/usr/bin/env'
      - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
  script:
    # Use `script` to emulate `tty` for colored output.
    - terraform --version
    - cp ./.terraformrc ~/.terraformrc
    - terraform init
    - terraform plan -out tf.plan
    - terraform show -json tf.plan  > tf_plan.json 
  artifacts:
      paths:
        - tf_plan.json 
      name: tf_plan.json


#Checkov test terrafrom plan file
checkov-test-tfplan:
  stage: checkov-test-tfplan
  allow_failure: false  # True for AutoDevOps compatibility
  image:
    name: bridgecrew/checkov:latest
    entrypoint:
      - '/usr/bin/env'
      - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.yml'
        - '**/*.yaml'
        - '**/*.json'
        - '**/*.template'
        - '**/*.tf'      
        - '**/serverless.yml'
        - '**/serverless.yaml'
  script:
    # Use `script` to emulate `tty` for colored output.
    - script -q -c 'checkov -f ./tf_plan.json; echo $? > CKVEXIT'
    - exit $(cat CKVEXIT)


#Terraform apply
tf-apply:
  stage: tf-apply
  allow_failure: false  # True for AutoDevOps compatibility
  image:
    name: hashicorp/terraform:light
    entrypoint:
      - '/usr/bin/env'
      - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
  script:
    # Use `script` to emulate `tty` for colored output.
    - terraform --version
    - cp ./.terraformrc ~/.terraformrc
    - terraform init
    - terraform plan # change to apply in prod