From 4d0bbb546b2ea2864c2230d6fc6c964e25138c6f Mon Sep 17 00:00:00 2001 From: Scott Hussey Date: Thu, 31 May 2018 15:51:01 -0500 Subject: [PATCH] (zuul) Add a bandit scanning gate - Add a gate for bandit code scanning Change-Id: I27bf7e6fb5ddc5bf854796c4d15ef0e40eebfbff --- .zuul.yaml | 25 ++++++++++++++++++----- Makefile | 4 ++++ tools/gate/playbooks/security-bandit.yaml | 20 ++++++++++++++++++ 3 files changed, 44 insertions(+), 5 deletions(-) create mode 100644 tools/gate/playbooks/security-bandit.yaml diff --git a/.zuul.yaml b/.zuul.yaml index 71d9884e..af74b34b 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -18,6 +18,7 @@ voting: false - airship-shipyard-tox-py35 - airship-shipyard-pep8 + - airship-shipyard-security-bandit - airship-shipyard-image gate: jobs: @@ -30,14 +31,21 @@ # - ^releasenotes/.*$ - airship-shipyard-tox-py35 - airship-shipyard-pep8 + - airship-shipyard-security-bandit - airship-shipyard-image +- nodeset: + name: airship-shipyard-single-node + nodes: + - name: primary + label: ubuntu-xenial + - job: name: airship-shipyard-linter description: | Lints all files by checking them for whitespace. run: tools/gate/playbooks/zuul-linter.yaml - nodeset: openstack-helm-single-node + nodeset: airship-shipyard-single-node - job: name: airship-shipyard-base @@ -63,7 +71,7 @@ - job: name: airship-shipyard-ubuntu parent: airship-shipyard-base - nodeset: openstack-helm-single-node + nodeset: airship-shipyard-single-node - job: name: airship-shipyard-tox-base @@ -90,7 +98,7 @@ Run tox-based tests for the Airship Shipyard project under cPython version 3.5. parent: airship-shipyard-tox-base - nodeset: openstack-helm-single-node + nodeset: airship-shipyard-single-node vars: tox_envlist: py35 
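Review bot: airship-shipyard-security-bandit is added as a voting job to the check pipeline in this hunk and to the gate pipeline in the next one (@@ -30,14 +31,21 @@) in the same change, so any bandit finding already present in the tree blocks every merge the moment this lands. The `voting: false` visible at the top of this hunk appears to belong to the preceding check entry; a new scanner usually takes the same path, `- airship-shipyard-security-bandit:` with `voting: false` under it in check, and is promoted to gate once a clean run has been observed. Whether the current tree is bandit-clean is not visible here, so this is worth confirming before the gate entry goes in.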
@@ -100,10 +108,17 @@ Run pep8 tests for the Airship Shipyard project under cPython version 3.5. parent: airship-shipyard-tox-base - nodeset: openstack-helm-single-node + nodeset: airship-shipyard-single-node vars: tox_envlist: pep8 +- job: + name: airship-shipyard-security-bandit + description: | + Run bandit code scans for the Airship Shipyard project + run: tools/gate/playbooks/security-bandit.yaml + nodeset: airship-shipyard-single-node + - job: name: airship-shipyard-image-base description: | @@ -127,4 +142,4 @@ description: | Run shipyard-image build. parent: airship-shipyard-image-base - nodeset: openstack-helm-single-node + nodeset: airship-shipyard-single-node diff --git a/Makefile b/Makefile index 50103758..21016bb2 100644 --- a/Makefile +++ b/Makefile @@ -57,6 +57,10 @@ dry-run: clean .PHONY: docs docs: clean build_docs +.PHONY: security +security: + cd $(BUILD_CTX)/shipyard_airflow; tox -e bandit + cd $(BUILD_CTX)/shipyard_client; tox -e bandit .PHONY: tests tests: diff --git a/tools/gate/playbooks/security-bandit.yaml b/tools/gate/playbooks/security-bandit.yaml new file mode 100644 index 00000000..927ea05f --- /dev/null +++ b/tools/gate/playbooks/security-bandit.yaml @@ -0,0 +1,20 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- hosts: primary + tasks: + - name: Execute the make target for security scanning + make: + chdir: "{{ zuul.project.src_dir }}" + target: security + register: result + failed_when: result.failed
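Review bot: The new airship-shipyard-security-bandit job declares no `parent`, while the neighbouring pep8 and py35 jobs inherit `airship-shipyard-tox-base`; its playbook runs `make security`, which is `tox -e bandit` in two directories, so unless the tenant base job provisions tox the job starts on a bare ubuntu-xenial node with nothing that installs it. If the tox-base pre-run is what provides tox (not visible in this patch), add `parent: airship-shipyard-tox-base` directly under `name:` so the bandit job gets the same environment as the other tox jobs. The `vars: tox_envlist:` convention the sibling jobs use would then also be available, which would let the playbook drop its dependence on the Makefile if wanted.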
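Review bot: Both recipe lines in the new `security` target chain `cd` and `tox` with `;`, so if `$(BUILD_CTX)/shipyard_airflow` (or `shipyard_client`) does not exist the `cd` error is ignored and `tox -e bandit` runs in the current directory, scanning the wrong tree or failing on a missing tox.ini with a misleading message. Use `cd $(BUILD_CTX)/shipyard_airflow && tox -e bandit` and `cd $(BUILD_CTX)/shipyard_client && tox -e bandit` so a bad path fails the target outright. Note also that make stops at the first failing line, so findings in shipyard_client are only reported once shipyard_airflow is clean; acceptable for a gate, but worth a one-line comment above the target. This assumes a `bandit` environment already exists in both packages' tox.ini, which this patch does not add.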
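Review bot: `failed_when: result.failed` on the make task restates the module's default failure condition, so the `register`/`failed_when` pair changes nothing and reads as if a custom condition was intended; either drop both lines or state the real condition if the scan was meant to be non-fatal. Bandit's report is only visible in the job log when the task fails (the failure output includes stdout), so a follow-up task such as `- debug: var=result.stdout` after the make task would keep the scan output reviewable on green runs as well. The new playbook also has no `---` document-start marker.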