scan_sources Trait

Attributes

name

required?

default

type

explanation

notify

no

email_recipients

Notify

whom to notify about found issues

email_recipients

no

()

List[str]

optional list of email recipients to be notified about critical scan results

filters

no

{}

FilterCfg

config to include and exclude sources, resources or whole components

checkmarx

no

()

CheckmarxCfg

if present, perform checkmarx scanning

issue_policies

no

max_processing_time_days:
  blocker: 0
  high: 30
  low: 120
  medium: 90
  very_high_or_greater: 30

IssuePolicies

defines issues policies (e.g. SLAs for maximum processing times

overwrite_github_issues_tgt_repository_url

no

None

str

if set, and notify is set to github_issues, overwrite target github repository

github_issue_templates

no

None

List[GithubIssueTemplateCfg]

use to configure custom github-issue-templates (sub-attr: body) use python3’s format-str syntax available variables: - summary # contains name, version, etc in a table - component_name - component_version - resource_name - resource_version - resource_type - greatest_cve - report_url - delivery_dashboard_url

github_issue_labels_to_preserve

no

None

List[str]

optional list of regexes for labels that will never be removed upon ticket-update

notify Enumeration Values

  • email_recipients

  • nobody

  • component_owners

  • github_issues

filters (FilterCfg) Attributes

name

required?

default

type

explanation

type

yes

None

str

defines type to apply filter on, (component|source|resource)

match

yes

None

One of:

  • dict

  • bool

matches artifacts (list of regex|true|false)

action

yes

None

str

defines action to matched artifacts (include|exclude)

checkmarx (CheckmarxCfg) Attributes

name

required?

default

type

explanation

team_id

yes

None

int

checkmarx team id

severity_threshold

no

medium

str

threshold for creating issues (high, medium, low, info)

cfg_name

yes

None

str

config name for checkmarx

include_path_regexes

no

()

List[str]

paths which should be included in the scan

exclude_path_regexes

no

()

List[str]

paths which should be excluded in the scan

scan_timeout

no

3600

int

consider scan as failed if scan time exceeds timeout (in seconds)

issue_policies (IssuePolicies) Attributes

name

required?

default

type

explanation

max_processing_time_days

no

blocker: 0
high: 30
low: 120
medium: 90
very_high_or_greater: 30

MaxProcessingTimesDays

issue_policies.max_processing_time_days (MaxProcessingTimesDays) Attributes

name

required?

default

type

explanation

blocker

no

0

int

very_high_or_greater

no

30

int

high

no

30

int

medium

no

90

int

low

no

120

int

github_issue_templates[] (GithubIssueTemplateCfg) Attributes

name

required?

default

type

explanation

body

yes

None

str

type

yes

None

str

Dependencies

This trait requires the following traits to be declared:

This trait enables different compliance scans for sources and resources of your component descriptor.

Path filtering semantics

  • no paths specified: no filtering, all files will be scanned

  • only exclude paths: scan everything except excplicitly excluded

  • only include paths: scan only excplicitly included

  • include and exclude paths specified: only included then filter out excluded

Supported labels

checkmarx

The checkmarx scan will be triggered when the source_analysis label is absent or the source defines the label with the policy set to ‘scan’.

If the checkmarx scan should be skipped define the label with the policy attribute set to skip.

name

type

description

policy

enum

whether to scan source or not. Must either be ‘scan’ or ‘skip’

exclude_paths

list[str]

(optional) regex paths of your source to exclude from the scan

include_paths

list[str]

(optional) regex paths of your source to include from the scan

Example label:

- name: 'cloud.gardener.cnudie/dso/scanning-hints/source_analysis/v1'
  value:
    policy: 'scan' # | 'skip'
    path_config:
      include_paths:
      - 'src/.*'
      - 'pgk/.*'
      exclude_paths:
      - 'src/test.*'
      - 'pkg/hack.*'

protecode

TBD