scan_sources Trait
Attributes
name |
required? |
default |
type |
explanation |
|---|---|---|---|---|
notify |
no |
|
Notify |
whom to notify about found issues |
email_recipients |
no |
() |
List[str] |
optional list of email recipients to be notified about critical scan results |
filters |
no |
{}
|
FilterCfg |
config to include and exclude sources, resources or whole components |
checkmarx |
no |
() |
CheckmarxCfg |
if present, perform checkmarx scanning |
issue_policies |
no |
max_processing_time_days:
blocker: 0
high: 30
low: 120
medium: 90
very_high_or_greater: 30
|
IssuePolicies |
defines issues policies (e.g. SLAs for maximum processing times |
overwrite_github_issues_tgt_repository_url |
no |
None |
str |
if set, and notify is set to github_issues, overwrite target github repository |
github_issue_templates |
no |
None |
list |
use to configure custom github-issue-templates (sub-attr: |
github_issue_labels_to_preserve |
no |
None |
list |
optional list of regexes for labels that will never be removed upon ticket-update |
notify Enumeration Values
email_recipientsnobodycomponent_ownersgithub_issues
filters (FilterCfg) Attributes
name |
required? |
default |
type |
explanation |
|---|---|---|---|---|
type |
yes |
None |
str |
defines type to apply filter on, (component|source|resource) |
match |
yes |
None |
One of:
|
matches artifacts (list of regex|true|false) |
action |
yes |
None |
str |
defines action to matched artifacts (include|exclude) |
checkmarx (CheckmarxCfg) Attributes
name |
required? |
default |
type |
explanation |
|---|---|---|---|---|
team_id |
yes |
None |
int |
checkmarx team id |
severity_threshold |
no |
medium |
str |
threshold for creating issues (high, medium, low, info) |
cfg_name |
yes |
None |
str |
config name for checkmarx |
include_path_regexes |
no |
() |
List[str] |
paths which should be included in the scan |
exclude_path_regexes |
no |
() |
List[str] |
paths which should be excluded in the scan |
scan_timeout |
no |
3600 |
int |
consider scan as failed if scan time exceeds timeout (in seconds) |
Dependencies
This trait requires the following traits to be declared:
This trait enables different compliance scans for sources and resources of your component descriptor.
Path filtering semantics
no paths specified: no filtering, all files will be scanned
only exclude paths: scan everything except excplicitly excluded
only include paths: scan only excplicitly included
include and exclude paths specified: only included then filter out excluded
Supported labels
checkmarx
The checkmarx scan will be triggered when the source_analysis label is absent or the source defines the label with the policy set to ‘scan’.
If the checkmarx scan should be skipped define the label with the policy attribute set to skip.
name |
type |
description |
|---|---|---|
policy |
enum |
whether to scan source or not. Must either be ‘scan’ or ‘skip’ |
exclude_paths |
list[str] |
(optional) regex paths of your source to exclude from the scan |
include_paths |
list[str] |
(optional) regex paths of your source to include from the scan |
Example label:
- name: 'cloud.gardener.cnudie/dso/scanning-hints/source_analysis/v1'
value:
policy: 'scan' # | 'skip'
path_config:
include_paths:
- 'src/.*'
- 'pgk/.*'
exclude_paths:
- 'src/test.*'
- 'pkg/hack.*'
protecode
TBD