(zuul) Add a bandit scanning gate

- Add a gate for bandit code scanning Change-Id: I27bf7e6fb5ddc5bf854796c4d15ef0e40eebfbff
2018-05-31 15:51:01 -05:00 · 2018-05-31 15:51:01 -05:00 · 4d0bbb546b
commit 4d0bbb546b
parent b87569abe8
3 changed files with 44 additions and 5 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -18,6 +18,7 @@
            voting: false
        - airship-shipyard-tox-py35
        - airship-shipyard-pep8
+        - airship-shipyard-security-bandit
        - airship-shipyard-image
    gate:
      jobs:
@ -30,14 +31,21 @@
        #       - ^releasenotes/.*$
        - airship-shipyard-tox-py35
        - airship-shipyard-pep8
+        - airship-shipyard-security-bandit
        - airship-shipyard-image

+- nodeset:
+    name: airship-shipyard-single-node
+    nodes:
+      - name: primary
+        label: ubuntu-xenial
+
 - job:
    name: airship-shipyard-linter
    description: |
      Lints all files by checking them for whitespace.
    run: tools/gate/playbooks/zuul-linter.yaml
-    nodeset: openstack-helm-single-node
+    nodeset: airship-shipyard-single-node

 - job:
    name: airship-shipyard-base
@ -63,7 +71,7 @@
 - job:
    name: airship-shipyard-ubuntu
    parent: airship-shipyard-base
-    nodeset: openstack-helm-single-node
+    nodeset: airship-shipyard-single-node

 - job:
    name: airship-shipyard-tox-base
@ -90,7 +98,7 @@
      Run tox-based tests for the Airship Shipyard project under
      cPython version 3.5.
    parent: airship-shipyard-tox-base
-    nodeset: openstack-helm-single-node
+    nodeset: airship-shipyard-single-node
    vars:
      tox_envlist: py35

@ -100,10 +108,17 @@
      Run pep8 tests for the Airship Shipyard project under
      cPython version 3.5.
    parent: airship-shipyard-tox-base
-    nodeset: openstack-helm-single-node
+    nodeset: airship-shipyard-single-node
    vars:
      tox_envlist: pep8

+- job:
+    name: airship-shipyard-security-bandit
+    description: |
+      Run bandit code scans for the Airship Shipyard project
+    run: tools/gate/playbooks/security-bandit.yaml
+    nodeset: airship-shipyard-single-node
+
 - job:
    name: airship-shipyard-image-base
    description: |
@ -127,4 +142,4 @@
    description: |
      Run shipyard-image build.
    parent: airship-shipyard-image-base
-    nodeset: openstack-helm-single-node
+    nodeset: airship-shipyard-single-node
--- a/4
+++ b/4
@ -57,6 +57,10 @@ dry-run: clean
 .PHONY: docs
 docs: clean build_docs

+.PHONY: security
+security:
+	cd $(BUILD_CTX)/shipyard_airflow; tox -e bandit
+	cd $(BUILD_CTX)/shipyard_client; tox -e bandit

 .PHONY: tests
 tests:
--- a/tools/gate/playbooks/security-bandit.yaml
+++ b/tools/gate/playbooks/security-bandit.yaml
@ -0,0 +1,20 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: primary
+  tasks:
+    - name: Execute the make target for security scanning
+      make:
+        chdir: "{{ zuul.project.src_dir }}"
+        target: security
+      register: result
+      failed_when: result.failed