variables:
VAULT_ROLE: 'python-sast-readonly'
VAULT_ADDR: 'https://tluav-lb.faradaysec.com'
VAULT_SECRET_PATH: 'gitlab/SAST'
include:
- local: .gitlab/ci/fetch-secrets.yml
stages:
- SAST
- pre_testing
- testing
- post_testing
- publish
before_script:
- apt-get update -qy
- pip install pip -U
workflow:
rules:
- if: $CI_MERGE_REQUEST_ID
when: never
- when: always
.install_faraday_venv: &install_faraday_venv
- pip3 install virtualenv
- virtualenv -p python3 faraday_venv
- source faraday_venv/bin/activate
- pip3 install pytest pytest-xdist pytest-cov
- git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/faradaysec/faraday.git
- cd faraday
- pip3 install $PIP_FLAGS .
- pip uninstall faraday-plugins -y # we need to install fardaysec for marshmallow schemas, we remove plugins from pypi
- cd ..
.clone_reports: &clone_reports
- git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/faradaysec/support/report-collection.git
- cd report-collection
- (git branch -a | grep $CI_COMMIT_BRANCH) && export REPORT_REF=$CI_COMMIT_BRANCH || export REPORT_REF=master
- git checkout $REPORT_REF
- cd ..
bandit:
stage: SAST
image: python:3
tags:
- faradaytests
script:
- pip3 install bandit
- mkdir /results
- "bandit -r ${CI_PROJECT_DIR} -o /results/output.xml -f xml"
after_script:
- curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add -
- apt update
- apt-get install software-properties-common -y
- apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com focal main"
- apt update
- apt install vault -y
- setcap cap_ipc_lock= /usr/bin/vault
- !reference [ .get_secrets, script ]
- pip3 install faraday-cli
- if [[ $(grep -c testcase /results/output.xml) -gt 0 ]]; then (faraday-cli auth -f $FARADAY_URL -u $FARADAY_USER -p $FARADAY_PASSWORD && faraday-cli tool report /results/output.xml -w $DEVSECOPS_WORKSPACE --tag-vuln $CI_PROJECT_NAME --tag-vuln $CI_COMMIT_REF_NAME); else (echo 'no vulns dettected' && exit 0); fi
rules:
- when: on_success
allow_failure: true
flake8:
image: python:3
stage: pre_testing
before_script:
- pip install flake8
# Help flake8 to find the Python files without .py extension.
- find . -name '*.py' >> files.txt
- sort -u files.txt | tee files.processed
script:
- python -m flake8 --statistics --count $(cat files.processed) --verbose
after_script:
- wc -l files.processed
.test_base:
stage: testing
coverage: '/TOTAL\s+\d+\s+\d+\s+(\d+%)/'
script:
- *clone_reports
- *install_faraday_venv
- pip3 install $PIP_FLAGS .
- pytest tests --capture=sys -v --cov=faraday_plugins --color=yes --disable-warnings $PYTEST_FLAGS
tests:
extends: .test_base
image: python:3
test_performance:
extends: .test_base
image: python:3
stage: post_testing
allow_failure: true
variables:
PYTEST_FLAGS: --performance
rules:
- if: '$CI_COMMIT_BRANCH == "dev"'
when: on_success
publish_pypi:
image: python:3
stage: publish
script:
- apt-get update -qy
- apt-get install twine -y
- python setup.py sdist bdist_wheel
- twine upload -u $PYPI_USER -p $PYPI_PASS dist/* --verbose
rules:
- if: '$CI_COMMIT_TAG'
when: on_success