diff --git a/ci/partials/audit-admin.yml b/ci/partials/audit-admin.yml
new file mode 100644
index 000000000..a8995848e
--- /dev/null
+++ b/ci/partials/audit-admin.yml
@@ -0,0 +1,8 @@
+platform: linux
+inputs: [name: src]
+outputs: [name: src]
+run:
+ dir: src/admin-client
+ path: bash
+ # https://classic.yarnpkg.com/lang/en/docs/cli/audit
+ args: [-c, "yarn audit; [[ $? -ge $VULN_THRESHOLD ]] && exit 1 || exit 0"]
diff --git a/ci/partials/audit.yml b/ci/partials/audit.yml
new file mode 100644
index 000000000..215ef4d94
--- /dev/null
+++ b/ci/partials/audit.yml
@@ -0,0 +1,8 @@
+platform: linux
+inputs: [name: src]
+outputs: [name: src]
+run:
+ dir: src
+ path: bash
+ # https://classic.yarnpkg.com/lang/en/docs/cli/audit
+ args: [-c, "yarn audit; [[ $? -ge $VULN_THRESHOLD ]] && exit 1 || exit 0"]
diff --git a/ci/pipeline-dev.yml b/ci/pipeline-dev.yml
index 548528343..cd7a2a423 100644
--- a/ci/pipeline-dev.yml
+++ b/ci/pipeline-dev.yml
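Review bot: The guard on the `args` line of `ci/partials/audit-admin.yml` fails open: when `yarn audit` cannot run at all (registry unreachable, no lockfile, yarn missing from the image) it exits with a generic error status (typically 1, as far as I know) rather than the severity mask, which sits below `VULN_THRESHOLD`, so the task reports success. If `VULN_THRESHOLD` is not passed in, `[[ $? -ge ]]` is a syntax error whose non-zero status is likewise swallowed by `|| exit 0`. Require the parameter, `[[ $? -ge ${VULN_THRESHOLD:?VULN_THRESHOLD is required} ]]`, and since a generic failure and an info-only finding share the low end of the status range, check that the audit actually produced its summary (or run with `--json` and parse it) before treating a low status as a pass. The same script is duplicated in `ci/partials/audit.yml` in the next hunk. The number also deserves a comment next to the docs link: `# yarn audit exit status is a severity bitmask (1 info, 2 low, 4 moderate, 8 high, 16 critical); >= VULN_THRESHOLD fails the task`.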
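Review bot: `ci/partials/audit.yml` differs from `audit-admin.yml` in the previous hunk only by `dir`, so the audit command, its threshold logic and the docs link now live in two places that will drift. As far as I know Concourse does not interpolate task `params` into `run.dir`, but the working directory can be chosen inside the script: keep one partial with `dir: src` and `args: [-c, 'cd "${AUDIT_DIR:-.}" || exit 1; yarn audit; [[ $? -ge ${VULN_THRESHOLD:?} ]] && exit 1 || exit 0']`, with the admin task passing `AUDIT_DIR: admin-client` in its `params`. `outputs: [name: src]` also looks unnecessary since the audit does not modify the tree, unless a downstream step reads it back.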
@@ -342,6 +342,50 @@ jobs: username: ((slack-username)) icon_url: ((slack-icon-url)) + - name: audit-dependencies + plan: + - get: src + resource: pr-((deploy-env)) + trigger: true + passed: [set-pipeline] + - get: node + in_parallel: + - task: audit-app + file: src/ci/partials/audit.yml + image: node + params: + VULN_THRESHOLD: 8 # errors on critical or high + - task: audit-admin + file: src/ci/partials/audit-admin.yml + image: node + params: + VULN_THRESHOLD: 8 # errors on critical or high + on_failure: + in_parallel: + - put: gh-status + inputs: [src] + params: {state: failure} + - put: slack + params: + text: | + :x: FAILED: dependency audit on pages ((deploy-env)) + <$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME?vars.deploy-env="((deploy-env))"|View build details> + channel: ((slack-channel)) + username: ((slack-username)) + icon_url: ((slack-icon-url)) + on_success: + in_parallel: + - put: gh-status + inputs: [src] + params: {state: success} + - put: slack + params: + text: | + :white_check_mark: SUCCESS: Successfully passed dependency audit on pages ((deploy-env)) + <$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME?vars.deploy-env="((deploy-env))"|View build details> + channel: ((slack-channel)) + username: ((slack-username)) + icon_url: ((slack-icon-url)) - name: set-pipeline plan: diff --git a/ci/pipeline-production.yml b/ci/pipeline-production.yml index d259e8472..aced9b138 100644 --- a/ci/pipeline-production.yml +++ b/ci/pipeline-production.yml 
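Review bot: `audit-dependencies` is triggered only by changes to `pr-((deploy-env))` (`trigger: true`, `passed: [set-pipeline]`), so a branch that is not touched again is never re-audited even though new advisories are published against versions it already pins; a periodic trigger (a `time` resource `get` in the job's `plan`) or adding this job to the `passed:` list of whatever deploy job consumes `src` downstream would close that window. The two `VULN_THRESHOLD: 8  # errors on critical or high` lines only make sense if the reader knows yarn's exit status is a severity bitmask; suggest `# yarn audit exit status is a severity bitmask: 1 info, 2 low, 4 moderate, 8 high, 16 critical; >= 8 means high or critical found` on the first occurrence, and a single anchor or pipeline var so the two tasks cannot drift apart. Note too that `on_success` posts a green `gh-status` whenever the tasks exit 0, and the partials currently exit 0 when the audit cannot run at all (raised on `audit-admin.yml`), so the status is weaker than it looks until that is fixed. The identical job is added in `ci/pipeline-production.yml` and `ci/pipeline-staging.yml` in the following hunks, where the same points apply.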
@@ -342,6 +342,51 @@ jobs: username: ((slack-username)) icon_url: ((slack-icon-url)) + - name: audit-dependencies + plan: + - get: src + resource: pr-((deploy-env)) + trigger: true + passed: [set-pipeline] + - get: node + in_parallel: + - task: audit-app + file: src/ci/partials/audit.yml + image: node + params: + VULN_THRESHOLD: 8 # errors on critical or high + - task: audit-admin + file: src/ci/partials/audit-admin.yml + image: node + params: + VULN_THRESHOLD: 8 # errors on critical or high + on_failure: + in_parallel: + - put: gh-status + inputs: [src] + params: {state: failure} + - put: slack + params: + text: | + :x: FAILED: dependency audit on pages ((deploy-env)) + <$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME?vars.deploy-env="((deploy-env))"|View build details> + channel: ((slack-channel)) + username: ((slack-username)) + icon_url: ((slack-icon-url)) + on_success: + in_parallel: + - put: gh-status + inputs: [src] + params: {state: success} + - put: slack + params: + text: | + :white_check_mark: SUCCESS: Successfully passed dependency audit on pages ((deploy-env)) + <$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME?vars.deploy-env="((deploy-env))"|View build details> + channel: ((slack-channel)) + username: ((slack-username)) + icon_url: ((slack-icon-url)) + - name: set-pipeline plan: - get: src diff --git a/ci/pipeline-staging.yml b/ci/pipeline-staging.yml index 2976dca6b..b86e7a6b7 100644 --- a/ci/pipeline-staging.yml +++ b/ci/pipeline-staging.yml 
@@ -416,6 +416,51 @@ jobs: username: ((slack-username)) icon_url: ((slack-icon-url)) + - name: audit-dependencies + plan: + - get: src + resource: pr-((deploy-env)) + trigger: true + passed: [set-pipeline] + - get: node + in_parallel: + - task: audit-app + file: src/ci/partials/audit.yml + image: node + params: + VULN_THRESHOLD: 8 # errors on critical or high + - task: audit-admin + file: src/ci/partials/audit-admin.yml + image: node + params: + VULN_THRESHOLD: 8 # errors on critical or high + on_failure: + in_parallel: + - put: gh-status + inputs: [src] + params: {state: failure} + - put: slack + params: + text: | + :x: FAILED: dependency audit on pages ((deploy-env)) + <$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME?vars.deploy-env="((deploy-env))"|View build details> + channel: ((slack-channel)) + username: ((slack-username)) + icon_url: ((slack-icon-url)) + on_success: + in_parallel: + - put: gh-status + inputs: [src] + params: {state: success} + - put: slack + params: + text: | + :white_check_mark: SUCCESS: Successfully passed dependency audit on pages ((deploy-env)) + <$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME?vars.deploy-env="((deploy-env))"|View build details> + channel: ((slack-channel)) + username: ((slack-username)) + icon_url: ((slack-icon-url)) + - name: set-pipeline plan: - get: src