First commit - veracode discovery (#1)

.github/actions/cloud-platform-auth/action.yml

@@ -0,0 +1,31 @@
+name: Cloud Platform Auth
+description: Authenticate with MOJ Cloud Platform
+
+inputs:
+  api:
+    description: The KUBE_ENV_API
+    required: true
+  cert:
+    description: The KUBE_CERT
+    required: true
+  cluster:
+    description: The KUBE_CLUSTER
+    required: true
+  namespace:
+    description: The KUBE_NAMESPACE
+    required: true
+  token:
+    description: The KUBE_TOKEN
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Authenticate
+      shell: bash
+      run: |
+        echo "${{ inputs.cert }}" > ca.crt
+        kubectl config set-cluster ${{ inputs.cluster }} --certificate-authority=./ca.crt --server=${{ inputs.api }}
+        kubectl config set-credentials cd-serviceaccount --token=${{ inputs.token }}
+        kubectl config set-context ${{ inputs.cluster }} --cluster=${{ inputs.cluster }} --user=cd-serviceaccount --namespace=${{ inputs.namespace }}
+        kubectl config use-context ${{ inputs.cluster }}

.github/actions/cloud-platform-deploy/action.yml

@@ -0,0 +1,59 @@
+name: Cloud Platform Deploy
+description: Deploy to Cloud Platform using Helm
+
+inputs:
+  environment:
+    description: The environment to deploy to (dev/preprod/prod)
+    required: true
+  version:
+    description: The version of the service to deploy
+    required: true
+  api:
+    description: The KUBE_ENV_API
+    required: true
+  cert:
+    description: The KUBE_CERT
+    required: true
+  cluster:
+    description: The KUBE_CLUSTER
+    required: true
+  namespace:
+    description: The KUBE_NAMESPACE
+    required: true
+  token:
+    description: The KUBE_TOKEN
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/checkout@v3
+
+    - name: Authenticate
+      uses: ./.github/actions/cloud-platform-auth
+      with:
+        api: ${{ inputs.api }}
+        cert: ${{ inputs.cert }}
+        cluster: ${{ inputs.cluster }}
+        namespace: ${{ inputs.namespace }}
+        token: ${{ inputs.token }}
+
+    - name: Deploy
+      shell: bash
+      run: |
+        eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+        brew install helm
+        cd helm_deploy/${{ github.event.repository.name }}
+        yq -i ".appVersion = \"${{ inputs.version }}\"" "Chart.yaml"
+        helm dependency update .
+        exec helm upgrade '${{ github.event.repository.name }}' . \
+          --atomic \
+          --history-max 10 \
+          --force \
+          --install \
+          --reset-values \
+          --set 'generic-service.image.tag=${{ inputs.version }}' \
+          --set 'version=${{ inputs.version }}' \
+          --timeout 10m \
+          --values '${{ steps.env.outputs.values-file }}' \
+          --wait

.github/actions/docker-build/action.yml

@@ -0,0 +1,34 @@
+name: Build Docker image
+description: Build, and optionally push, a Docker image
+
+inputs:
+  project:
+    description: Project name
+  push:
+    description: Whether to push images to the registry
+    default: 'false'
+  version:
+    description: Version
+
+runs:
+  using: "composite"
+  steps:
+    - uses: docker/setup-qemu-action@v2
+    - uses: docker/setup-buildx-action@v2
+    - uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
+
+    - name: Build Docker images
+      uses: docker/build-push-action@v4
+      with:
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        context: .
+        push: ${{ inputs.push }}
+        provenance: false
+        tags: |
+          ghcr.io/ministryofjustice/${{ inputs.project }}:latest
+          ghcr.io/ministryofjustice/${{ inputs.project }}:${{ inputs.version }}

.github/workflows/build.yml

@@ -0,0 +1,54 @@
+name: Build
+
+permissions:
+  packages: write
+  contents: read
+
+on:
+  workflow_call:
+    inputs:
+      push:
+        type: boolean
+        default: false
+      force-deploy:
+        type: boolean
+        default: false
+    outputs:
+      version:
+        value: ${{ jobs.build-docker.outputs.version }}
+  workflow_dispatch:
+    inputs:
+      push:
+        description: Push images
+        type: boolean
+        default: false
+
+env:
+  push: ${{ inputs.push }}
+
+jobs:
+  build-docker:
+    name: Docker build
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        project:
+          - hmpps-veracode-discovery
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set version
+        id: version
+        run: |
+          version=$(date '+%Y-%m-%d').${{ github.run_number }}.$(echo ${{ github.sha }} | cut -c1-7)
+          echo "version=$version" | tee -a "$GITHUB_OUTPUT"
+
+      - name: Build Docker images
+        uses: ./.github/actions/docker-build
+        id: build
+        with:
+          project: ${{ matrix.project }}
+          push: ${{ env.push }}
+          version: ${{ steps.version.outputs.version }}

.github/workflows/deploy.yml

@@ -0,0 +1,58 @@
+name: Deploy
+
+on:
+  workflow_call:
+    inputs:
+      github_environment:
+        description: The name of the github environment for deployment secrets
+        type: string
+        required: true        
+      environment:
+        description: The name of the environment to deploy to
+        type: string
+        required: true
+      version:
+        description: The image version to deploy
+        type: string
+        required: true
+
+  workflow_dispatch:
+    inputs:
+      github_environment:
+        description: The name of the github environment for deployment secrets
+        type: choice
+        required: true
+        options:
+          - development
+          - production
+      environment:
+        description: Environment
+        type: choice
+        required: true
+        options:
+          - dev
+      version:
+        description: Image version
+        type: string
+        required: true
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    environment:
+      name: ${{ inputs.github_environment }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Deploy to Cloud Platform
+        uses: ./.github/actions/cloud-platform-deploy
+        with:
+          environment: ${{ inputs.environment }}
+          version: ${{ inputs.version }}
+          api: https://${{ secrets.DEVELOPMENT_KUBE_CLUSTER }}
+          cert: ${{ secrets.DEVELOPMENT_KUBE_CERT }}
+          cluster: ${{ secrets.DEVELOPMENT_KUBE_CLUSTER }}
+          namespace: ${{ secrets.DEVELOPMENT_KUBE_NAMESPACE }}
+          token: ${{ secrets.DEVELOPMENT_KUBE_TOKEN }}

.github/workflows/pipeline.yml

@@ -0,0 +1,29 @@
+name: Pipeline
+
+permissions:
+  packages: write
+  contents: read
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch: # Can be triggered manually from a branch
+
+jobs:
+  build:
+    name: Build
+    uses: ./.github/workflows/build.yml
+    with:
+      push: true
+    secrets: inherit
+
+  deploy-to-dev:
+    name: Deploy to dev
+    uses: ./.github/workflows/deploy.yml
+    needs: build
+    with:
+      github_environment: development
+      environment: dev
+      version: ${{ needs.build.outputs.version }}
+    secrets: inherit

.gitignore

@@ -0,0 +1,10 @@
+# dotenv environment variables file
+.env*
+
+.python-version
+.idea
+.vscode
+**/Chart.lock
+__pycache__/
+**/.DS_Store
+helm_deploy/hmpps-github-discovery/charts/*

Dockerfile

@@ -0,0 +1,27 @@
+FROM python:3.10 AS builder
+COPY requirements.txt .
+
+RUN addgroup --gid 2000 --system appgroup && \
+    adduser --uid 2000 --system appuser --gid 2000 --home /home/appuser
+
+USER 2000
+
+# install dependencies to the local user directory
+RUN pip install --user -r requirements.txt
+
+FROM python:3.10-slim
+WORKDIR /app
+
+RUN addgroup --gid 2000 --system appgroup && \
+    adduser --uid 2000 --system appuser --gid 2000 --home /home/appuser
+
+# copy the dependencies from builder stage
+COPY --chown=appuser:appgroup --from=builder /home/appuser/.local /home/appuser/.local
+COPY ./veracode_discovery.py .
+
+# update PATH environment variable
+ENV PATH=/home/appuser/.local:$PATH
+
+USER 2000
+
+CMD [ "python", "-u", "veracode_discovery.py" ]

README.md

@@ -1,2 +1,12 @@
-# hmpps-veracode-discovery
-Service that queries the veracode api and collects information about hmpps projects and pushes it to the service catalogue.
+# HMPPS Veracode Discovery
+
+This app queries the Veracode api for information about the latest SAST scans results for all hmpps projects, and pushes that information into the hmpps service catalogue.
+
+The app does the following:
+- Retrieves a list of all components (microservices) from the service catalogue.
+- For each component it fetches the latest scan summary/results/score.
+- It then updates each component in the service catalogue with this data.
+
+Results are visible via the developer portal, e.g.
+
+https://developer-portal.hmpps.service.justice.gov.uk/components/veracode

helm_deploy/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm_deploy/hmpps-github-discovery/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

helm_deploy/hmpps-github-discovery/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: '1.0'
+description: A Helm chart for Kubernetes
+name: hmpps-veracode-discovery
+version: 0.2.0
+dependencies:
+  - name: generic-service
+    version: "2.8"
+    repository: https://ministryofjustice.github.io/hmpps-helm-charts
+  - name: generic-prometheus-alerts
+    version: 1.3.2
+    repository: https://ministryofjustice.github.io/hmpps-helm-charts