feat: add Phase 9 — Security Scanning
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
S
68
phase9_post_check.sh
Executable file
68
phase9_post_check.sh
Executable file
@@ -0,0 +1,68 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
# =============================================================================
|
||||
# phase9_post_check.sh — Verify Phase 9 (Security Scanning) succeeded
|
||||
# Checks for each repo:
|
||||
# 1. security-scan.yml exists in .gitea/workflows/
|
||||
# 2. If SECURITY_FAIL_ON_ERROR=true, branch protection includes security checks
|
||||
# Exits 0 only if ALL checks pass.
|
||||
# =============================================================================
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
source "${SCRIPT_DIR}/lib/common.sh"
|
||||
|
||||
load_env
|
||||
require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \
|
||||
REPO_1_NAME REPO_2_NAME REPO_3_NAME \
|
||||
SECURITY_FAIL_ON_ERROR PROTECTED_BRANCH
|
||||
|
||||
log_info "=== Phase 9 Post-Check ==="
|
||||
|
||||
REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
|
||||
PASS=0
|
||||
FAIL=0
|
||||
|
||||
run_check() {
|
||||
local description="$1"; shift
|
||||
if "$@" 2>/dev/null; then
|
||||
log_success "$description"
|
||||
PASS=$((PASS + 1))
|
||||
else
|
||||
log_error "FAIL: $description"
|
||||
FAIL=$((FAIL + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
for repo in "${REPOS[@]}"; do
|
||||
log_info "--- Checking repo: ${repo} ---"
|
||||
|
||||
# Check 1: security-scan.yml exists
|
||||
run_check "security-scan.yml exists in ${repo}" \
|
||||
gitea_api GET "/repos/${GITEA_ORG_NAME}/${repo}/contents/.gitea/workflows/security-scan.yml" -o /dev/null
|
||||
|
||||
# Check 2: Branch protection includes security checks (if required)
|
||||
if [[ "$SECURITY_FAIL_ON_ERROR" == "true" ]]; then
|
||||
check_status_checks() {
|
||||
local protection
|
||||
protection=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/branch_protections/${PROTECTED_BRANCH}")
|
||||
local contexts
|
||||
contexts=$(printf '%s' "$protection" | jq -r '.status_check_contexts // [] | join(",")')
|
||||
# Verify all three security checks are present
|
||||
[[ "$contexts" == *"semgrep"* ]] && [[ "$contexts" == *"trivy"* ]] && [[ "$contexts" == *"gitleaks"* ]]
|
||||
}
|
||||
run_check "Branch protection includes security checks for ${repo}" check_status_checks "$repo"
|
||||
fi
|
||||
done
|
||||
|
||||
# Summary
|
||||
printf '\n'
|
||||
log_info "Results: ${PASS} passed, ${FAIL} failed"
|
||||
|
||||
if [[ $FAIL -gt 0 ]]; then
|
||||
log_error "Phase 9 post-check FAILED"
|
||||
exit 1
|
||||
else
|
||||
log_success "Phase 9 post-check PASSED — security scanning active"
|
||||
exit 0
|
||||
fi
|
||||
Reference in New Issue
Block a user