chore: add additional security scanning for backstage image and plugins

syntasso · Mar 25, 2024 · 82cded8 · 82cded8
1 parent c964c11
commit 82cded8
Showing 1 changed file with 56 additions and 0 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -8,6 +8,7 @@ orbs:
   queue: eddiewebb/queue@2.2.1
   snyk: snyk/snyk@2.0.2
   slack: circleci/slack@3.4.2
+  node: circleci/node@5.2.0
 
 executors:
   machine-medium:
@@ -114,6 +115,14 @@ commands:
           command: |
             go mod download
 
+  install_node:
+    steps:
+      - node/install:
+          install-yarn: true
+          node-version: "20.5.1"
+      - attach_workspace:
+          at: .
+
   configure_git:
     steps:
       - run:
@@ -142,6 +151,13 @@ commands:
             - "4b:78:81:17:99:0c:1d:63:42:dc:bb:1f:bd:d6:54:a8" # deploy key for helm-charts
       - configure_git
 
+  setup_git_backstage:
+    steps:
+      - add_ssh_keys:
+          fingerprints:
+            - "SHA256:uuVDD9uT5dujNQ1PJ3wYFknIO3JrkF2xBxsv4k/Jq0Y" # deploy key for pulling backstage repo
+      - configure_git
+
 jobs:
   clone-helm-charts:
     executor: machine-medium
@@ -164,6 +180,24 @@ jobs:
           paths:
             - .
 
+  clone-backstage:
+    executor: machine-medium
+    steps:
+      - setup_git_backstage
+      - run:
+          name: Clone Backstage repo
+          command: |
+            git clone --depth 1 git@github.com:syntasso/backstage.git ~/repo/backstage-plugins
+      - run:
+          name: Install Dependencies
+          command: |
+            cd ~/repo/backstage-plugins/plugins/ske-backend && yarn install
+            cd ~/repo/backstage-plugins/plugins/ske-frontend && yarn install
+      - persist_to_workspace:
+          root: .
+          paths:
+            - backstage-plugins/
+
   kratix-security-scan:
     executor: machine-medium
     environment:
@@ -190,6 +224,25 @@ jobs:
           severity-threshold: high
       - notify-slack:
           only_for_branches: "main"
+
+  ske-security-scan:
+    executor: machine-medium
+    steps:
+      - checkout
+      - install_node
+      - snyk/scan:
+          severity-threshold: high
+          docker-image-name: $BACKSTAGE_GENERATOR_IMAGE_NAME:latest
+          additional-arguments: "--username=$GITHUB_USER --password=$GITHUB_PACKAGE_TOKEN"
+      - snyk/scan:
+          severity-threshold: high
+          additional-arguments: "--file=$BACKSTAGE_BACKEND_PLUGIN_PACKAGE_JSON_PATH"
+      - snyk/scan:
+          severity-threshold: high
+          additional-arguments: "--file=$BACKSTAGE_FRONTEND_PLUGIN_PACKAGE_JSON_PATH"
+      - notify-slack:
+          only_for_branches: "main"
+
   test:
     executor: machine-xlarge
     steps:
@@ -479,5 +532,8 @@ workflows:
               only: [main]
     jobs:
       - clone-kratix
+      - clone-backstage
       - kratix-security-scan:
           requires: [clone-kratix]
+      - ske-security-scan:
+          requires: [clone-backstage]