Full DevGuard Scan
This reusable workflow performs a comprehensive security scan of your codebase using DevGuard.
It includes:
- Container Scanning
- Static Application Security Testing (SAST)
- Software Composition Analysis (SCA)
- Secret Scanning
- Infrastructure as Code (IaC) scanning
- Image building
- Image signing
- Image deployment
The full-scan workflow accepts the following inputs:
| Name | Description | Required | Default Value |
|---|---|---|---|
| api_url | The DevGuard API URL | No | https://api.main.devguard.org |
| asset_name | Name of the asset to scan | Yes | |
| token | API token for authenticating with DevGuard | Yes | |
| runner_tags | The runner tags used to select appropriate CI runners | No | "" |
| scan_stage | The stage where the scan is run | No | test |
| build_stage | The stage where the image is built and tagged | No | build |
| build_args | The build arguments to pass to the Kaniko build command | No | --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile |
| deploy_stage | The stage where the image is deployed | No | deploy |
| small_artifact_registry | Pushes the image directly to the registry if the artifact is too large for GitLab | No | false |
| license_scanning_decision_file | The path to the dependency decisions file | No | ./docs/dependency_decisions.yml |
| license_scanning_environment | The environment to scan [go, npm] | No | go |
| iac_config_file | The path to the IaC scanner config file (e.g. checkov.yaml) | No | "" |
Usage Example: Here's an example of how to call this component:

```yaml
include:
  - remote: "https://gitlab.com/l3montree/devguard/-/raw/main/templates/full.yml@main"
    inputs:
      asset_name: "myOrganization/projects/myProject/assets/myAsset"
      token: "$DEVGUARD_TOKEN"
```
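A fuller `.gitlab-ci.yml` that overrides most of the optional inputs from the table above, added here as an example and not taken from the DevGuard project. The stage names, runner tag, Dockerfile path, checkov config path, self-hosted API host and the `DEVGUARD_TOKEN` variable name are assumptions; only the input names and the include URL come from the page.

```yaml
# .gitlab-ci.yml (added example; paths, hostnames and tag names are assumptions)
stages:
  - test
  - build
  - deploy

include:
  - remote: "https://gitlab.com/l3montree/devguard/-/raw/main/templates/full.yml@main"
    inputs:
      asset_name: "myOrganization/projects/myProject/assets/myAsset"
      # Reference a masked and protected CI/CD variable; never paste the raw token here.
      token: "$DEVGUARD_TOKEN"
      # Self-hosted DevGuard instance instead of the public API (assumed hostname).
      api_url: "https://devguard.internal.example.com"
      # Pin the jobs to runners that can build images (assumed tag).
      runner_tags: "docker"
      # The component's stage names must match the stages block above.
      scan_stage: test
      build_stage: build
      deploy_stage: deploy
      # Dockerfile lives in a subdirectory instead of the repository root (assumed path).
      build_args: "--context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/docker/Dockerfile"
      # Push straight to the registry when the image exceeds GitLab's artifact size limit.
      small_artifact_registry: true
      # Node project: use the npm license scanner and the checked-in decisions file.
      license_scanning_environment: npm
      license_scanning_decision_file: "./docs/dependency_decisions.yml"
      # Checkov configuration for the IaC scan (assumed path).
      iac_config_file: ".checkov.yaml"
```

Store `DEVGUARD_TOKEN` as a masked and protected CI/CD variable in the GitLab project or group settings so it is redacted from job logs and only exposed to pipelines on protected branches and tags; a token committed in the pipeline file is visible to anyone with read access to the repository and its history.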