Integration with D2iQ dispatch¶
Create a Dispatchfile in starlark, CUE, Json or Yaml format. The below example uses starlark format.
#!mesosphere/dispatch-starlark:v0.5 # vi:syntax=python #Load library to define a git resource and process a pull request load("github.com/mesosphere/dispatch-catalog/starlark/stable/[email protected]", "git_resource", "pull_request") #Load library to execute Scan load("github.com/shiftleftsecurity/sast-scan/starlark/[email protected]", "sast_scan") #Resources Define the git repo as a resource git = git_resource("helloworld-git") #Tasks that performs a Security Scan against the Resource sast_scan("sastscan-check", git) #Actions that trigger against any pull request or the chatops command /build action(tasks=["sastscan-check"], on=pull_request()) action(tasks=["sastscan-check"], on=pull_request(chatops=["build"]))
While being brief, the pipeline, which is also stored in the application's repo, will perform a scan against the repository where the Dispatchfile resides. The libraries with the three functions "git_resource", "pull_request", and "sast_scan" are loaded at runtime. The pipeline can be triggered either by a pull request against the repository or by executing the ChatOps command "/build" against a pull request.
Next, open up a PR against the application repo and a webhook will be subsequently generated. This will trigger the pipeline to kick off on your running instance of Dispatch.
There are multiple ways to view the results of the pipeline via your Git provider or the Dispatch UI.
In the Dispatch UI, you can see the pipeline run status. In the below example, dispatch failed the pipeline run due to Scan determining that there were security flaws in the application.
Selecting the pipeline run takes you to the results of the Scan where you can see the results directly in the console.
Using environment variables¶
GITHUB_TOKEN to enable package lookups for dependency scan, pass
env array as third argument while invoking
sast_scan as shown:
load("github.com/mesosphere/dispatch-catalog/starlark/stable/[email protected]", "secret_var") sast_scan("sastscan-check", git, env=[ k8s.corev1.EnvVar(name = "WORKSPACE", value = "$(context.git.url)"), k8s.corev1.EnvVar(name = "COMMIT_SHA", value = "$(context.git.commit)"), k8s.corev1.EnvVar(name = "BRANCH", value = "$(context.git.branch)"), k8s.corev1.EnvVar(name = "GITHUB_TOKEN", valueFrom = secret_var("scmtoken", "password")) ])
In the above snippet,
scmtoken is the name of the Kubernetes secret and
password is the key.
secret_var function would then load the secret dynamically as an environment variable during execution.
$ dispatch login github --secret scmsecret --user hello --token world --namespace custom INFO Creating 'Secret:default/scmsecret' apiVersion: v1 data: password: d29ybGQ= scm.provider.name: Z2l0aHVi scm.provider.skiptlsverify: ZmFsc2U= scm.provider.url: aHR0cHM6Ly9hcGkuZ2l0aHViLmNvbQ== username: aGVsbG8= kind: Secret metadata: annotations: tekton.dev/git-0: https://github.com creationTimestamp: null name: scmsecret namespace: custom type: kubernetes.io/basic-auth ---
You can create the secret manually using kubectl as well, it is a standard k8 secret and there is nothing special Dispatch CLI does except adding in the yaml template to make things easier. You can read more about credentials here.