
Commit 1d6f055

ntsemahgalnoam
authored and committed
[CI] issue: HPCINFRA-2780 Add secret scan step
Make Secrets Scanner run as a step in CI

Signed-off-by: Noam Tsemah <[email protected]>
1 parent dd20160 commit 1d6f055


2 files changed

+27
-10
lines changed


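--- a/.ci/matrix_job.yaml
+++ b/.ci/matrix_job.yaml
@@ -3,7 +3,7 @@ job: LIBXLIO
 
 step_allow_single_selector: false
 
-registry_host: harbor.mellanox.com
+registry_host: nbu-harbor.gtm.nvidia.com
 registry_auth: swx-infra_harbor_credentials
 registry_path: /swx-infra/media
 
@@ -17,10 +17,10 @@ kubernetes:
 arch_table:
 x86_64:
 nodeSelector: 'kubernetes.io/arch=amd64'
-jnlpImage: 'harbor.mellanox.com/toolbox/c3po-jnlp:latest'
+jnlpImage: '${registry_host}/toolbox/c3po-jnlp:latest'
 aarch64:
 nodeSelector: 'kubernetes.io/arch=arm64'
-jnlpImage: 'harbor.mellanox.com/toolbox/c3po-jnlp:latest'
+jnlpImage: '${registry_host}/toolbox/c3po-jnlp:latest'
 
 credentials:
 - {credentialsId: 'media_coverity_credentials', usernameVariable: 'XLIO_COV_USER', passwordVariable: 'XLIO_COV_PASSWORD'}
@@ -83,8 +83,8 @@ runs_on_dockers:
 build_args: '--no-cache --target style',
 category: 'tool'
 }
-- {name: 'toolbox', url: 'harbor.mellanox.com/hpcx/x86_64/rhel8.6/builder:inbox', category: 'tool', arch: 'x86_64'}
-- {name: 'header-check', url: 'harbor.mellanox.com/toolbox/header_check:0.0.58', category: 'tool', arch: 'x86_64', tag: '0.0.58'}
+- {name: 'toolbox', url: '${registry_host}/hpcx/x86_64/rhel8.6/builder:inbox', category: 'tool', arch: 'x86_64'}
+- {name: 'header-check', url: '${registry_host}/toolbox/header_check:0.0.58', category: 'tool', arch: 'x86_64', tag: '0.0.58'}
 # static tests
 - {
 file: '.ci/dockerfiles/Dockerfile.rhel8.6',
@@ -103,7 +103,7 @@ runs_on_dockers:
 build_args: '--no-cache --target static',
 category: 'tool'
 }
-- {name: 'xlio_static.csbuild', url: 'harbor.mellanox.com/swx-infra/media/x86_64/xlio_static.csbuild-clang18:20250515', category: 'tool', arch: 'x86_64' }
+- {name: 'xlio_static.csbuild', url: '${registry_host}/swx-infra/media/x86_64/xlio_static.csbuild-clang18:20250515', category: 'tool', arch: 'x86_64' }
 # tests
 - {
 file: '.ci/dockerfiles/Dockerfile.ubuntu22.04',
@@ -123,7 +123,7 @@ runs_on_dockers:
 - {
 arch: 'x86_64',
 name: 'vg-worker-threads',
-url: 'harbor.mellanox.com/swx-infra/media/xlio/x86_64/ubuntu22.04/vg:20250219',
+url: '${registry_host}/swx-infra/media/xlio/x86_64/ubuntu22.04/vg:20250219',
 category: 'tool',
 annotations: [{ key: 'k8s.v1.cni.cncf.io/networks', value: 'sriov-cx6dx-p2' }],
 limits: '{memory: 10Gi, cpu: 10000m, hugepages-2Mi: 10Gi, nvidia.com/sriov-cx6dx-p2: 1}',
@@ -150,7 +150,7 @@ runs_on_dockers:
 - {
 arch: 'x86_64',
 name: 'sockperf-worker-threads',
-url: 'harbor.mellanox.com/swx-infra/media/xlio/x86_64/ubuntu22.04/sockperf:20251015',
+url: '${registry_host}/swx-infra/media/xlio/x86_64/ubuntu22.04/sockperf:20251015',
 category: 'tests',
 annotations: [{ key: 'k8s.v1.cni.cncf.io/networks', value: 'sriov-cx6dx-p1' }],
 limits: '{memory: 10Gi, cpu: 10000m, hugepages-2Mi: 10Gi, nvidia.com/sriov-cx6dx-p1: 1}',
@@ -177,6 +177,7 @@ runs_on_dockers:
 category: 'tool',
 build_args: '--no-cache --target build',
 }
+- {name: 'secret-scan', url: '${registry_host}/toolbox/secret_scan:0.0.27', arch: 'x86_64', tag: '0.0.27', category: 'tool'}
 
 runs_on_agents:
 - {nodeLabel: 'beni09', category: 'base'}
@@ -209,6 +210,18 @@ steps:
 echo
 parallel: false
 
+- name: Secret Scan
+credentialsId: 'mellanox_github_credentials'
+enable: ${do_secretscan}
+containerSelector:
+- "{name: 'secret-scan', category: 'tool'}"
+agentSelector:
+- "{nodeLabel: 'skip-agent'}"
+run: |
+env GITHUB_TOKEN=$MELLANOX_GH_TOKEN /opt/nvidia/secret_scan.py --path $WORKSPACE --git-repo $WORKSPACE --report-file secret_scan.html
+archiveArtifacts: '*.html'
+parallel: false
+
 - name: Install Doca-host
 containerSelector:
 - "{category: 'base'}"
@@ -219,12 +232,12 @@ steps:
 - "{nodeLabel: 'skip-agent'}"
 run: |
 echo "Installing DOCA: ${DOCA_VERSION} ..."
-.ci/scripts/doca_install.sh
+.ci/scripts/doca_install.sh
 
 - name: Install Doca-host on Tools
 run: |
 echo "Installing DOCA: ${DOCA_VERSION} ..."
-.ci/scripts/doca_install.sh
+.ci/scripts/doca_install.sh
 containerSelector:
 - "{name: 'style', category: 'tool', variant: 1}"
 agentSelector: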
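Review bot: In the new Secret Scan step's `run:` block (hunk `@@ -209,6 +210,18 @@`), the GitHub token is handed over on the command line via `env GITHUB_TOKEN=$MELLANOX_GH_TOKEN ...`, which places the secret in the argv of `/usr/bin/env` (visible in the node's process listing until it execs the scanner) and in any shell trace or console echo of that command. A plain shell assignment keeps it out of argv: `export GITHUB_TOKEN="$MELLANOX_GH_TOKEN"` on its own line, followed by `/opt/nvidia/secret_scan.py --path "$WORKSPACE" --git-repo "$WORKSPACE" --report-file secret_scan.html`; quoting `$WORKSPACE` also protects the path from word splitting. The `archiveArtifacts: '*.html'` line presumably publishes the findings report, which may contain the matched values themselves, so it is worth confirming that the report redacts them or that artifact read access on this job is restricted accordingly. Leaving `enable: ${do_secretscan}` unquoted is fine only as long as the parameter always renders as a bare true/false.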

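--- a/.ci/opensource_jjb.yaml
+++ b/.ci/opensource_jjb.yaml
@@ -113,6 +113,10 @@
 name: "do_copyrights"
 default: true
 description: "Check copyrights in source headers"
+- bool:
+name: "do_secretscan"
+default: true
+description: "Check for secrets in source code"
 triggers:
 - github-pull-request:
 cron: 'H/5 * * * *'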
