
Commit c679b22

committed
[CI] issue: HPCINFRA-2780 Add secret scan step
Make the Secrets Scanner run as a step in CI. Signed-off-by: Noam Tsemah <[email protected]>
1 parent a698fb7 commit c679b22


2 files changed

+27
-10
lines changed


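--- a/.ci/matrix_job.yaml
+++ b/.ci/matrix_job.yaml
@@ -3,7 +3,7 @@ job: LIBXLIO
 
 step_allow_single_selector: false
 
-registry_host: harbor.mellanox.com
+registry_host: nbu-harbor.gtm.nvidia.com
 registry_auth: swx-infra_harbor_credentials
 registry_path: /swx-infra/media
 
@@ -17,10 +17,10 @@ kubernetes:
 arch_table:
 x86_64:
 nodeSelector: 'kubernetes.io/arch=amd64'
-jnlpImage: 'harbor.mellanox.com/toolbox/c3po-jnlp:latest'
+jnlpImage: '${registry_host}/toolbox/c3po-jnlp:latest'
 aarch64:
 nodeSelector: 'kubernetes.io/arch=arm64'
-jnlpImage: 'harbor.mellanox.com/toolbox/c3po-jnlp:latest'
+jnlpImage: '${registry_host}/toolbox/c3po-jnlp:latest'
 
 credentials:
 - {credentialsId: 'media_coverity_credentials', usernameVariable: 'XLIO_COV_USER', passwordVariable: 'XLIO_COV_PASSWORD'}
@@ -86,8 +86,8 @@ runs_on_dockers:
 build_args: '--no-cache --target style',
 category: 'tool'
 }
-- {name: 'toolbox', url: 'harbor.mellanox.com/hpcx/x86_64/rhel8.6/builder:inbox', category: 'tool', arch: 'x86_64'}
-- {name: 'header-check', url: 'harbor.mellanox.com/toolbox/header_check:0.0.58', category: 'tool', arch: 'x86_64', tag: '0.0.58'}
+- {name: 'toolbox', url: '${registry_host}/hpcx/x86_64/rhel8.6/builder:inbox', category: 'tool', arch: 'x86_64'}
+- {name: 'header-check', url: '${registry_host}/toolbox/header_check:0.0.58', category: 'tool', arch: 'x86_64', tag: '0.0.58'}
 # static tests
 - {
 file: '.ci/dockerfiles/Dockerfile.rhel8.6',
@@ -106,7 +106,7 @@ runs_on_dockers:
 build_args: '--no-cache --target static',
 category: 'tool'
 }
-- {name: 'xlio_static.csbuild', url: 'harbor.mellanox.com/swx-infra/media/x86_64/xlio_static.csbuild-clang18:20250515', category: 'tool', arch: 'x86_64' }
+- {name: 'xlio_static.csbuild', url: '${registry_host}/swx-infra/media/x86_64/xlio_static.csbuild-clang18:20250515', category: 'tool', arch: 'x86_64' }
 # tests
 - {
 file: '.ci/dockerfiles/Dockerfile.ubuntu22.04',
@@ -126,7 +126,7 @@ runs_on_dockers:
 - {
 arch: 'x86_64',
 name: 'vg-worker-threads',
-url: 'harbor.mellanox.com/swx-infra/media/xlio/x86_64/ubuntu22.04/vg:20250219',
+url: '${registry_host}/swx-infra/media/xlio/x86_64/ubuntu22.04/vg:20250219',
 category: 'tool',
 annotations: [{ key: 'k8s.v1.cni.cncf.io/networks', value: 'sriov-cx6dx-p2' }],
 limits: '{memory: 10Gi, cpu: 10000m, hugepages-2Mi: 10Gi, nvidia.com/sriov-cx6dx-p2: 1}',
@@ -153,7 +153,7 @@ runs_on_dockers:
 - {
 arch: 'x86_64',
 name: 'sockperf-worker-threads',
-url: 'harbor.mellanox.com/swx-infra/media/xlio/x86_64/ubuntu22.04/sockperf:20251015',
+url: '${registry_host}/swx-infra/media/xlio/x86_64/ubuntu22.04/sockperf:20251015',
 category: 'tests',
 annotations: [{ key: 'k8s.v1.cni.cncf.io/networks', value: 'sriov-cx6dx-p1' }],
 limits: '{memory: 10Gi, cpu: 10000m, hugepages-2Mi: 10Gi, nvidia.com/sriov-cx6dx-p1: 1}',
@@ -180,6 +180,7 @@ runs_on_dockers:
 category: 'tool',
 build_args: '--no-cache --target build',
 }
+- {name: 'secret-scan', url: '${registry_host}/toolbox/secret_scan:0.0.27', arch: 'x86_64', tag: '0.0.27', category: 'tool'}
 
 runs_on_agents:
 - {nodeLabel: 'beni09', category: 'base'}
@@ -212,6 +213,18 @@ steps:
 echo
 parallel: false
 
+- name: Secret Scan
+credentialsId: 'mellanox_github_credentials'
+enable: ${do_secretscan}
+containerSelector:
+- "{name: 'secret-scan', category: 'tool'}"
+agentSelector:
+- "{nodeLabel: 'skip-agent'}"
+run: |
+env GITHUB_TOKEN=$MELLANOX_GH_TOKEN /opt/nvidia/secret_scan.py --path $WORKSPACE --git-repo $WORKSPACE --report-file secret_scan.html
+archiveArtifacts: '*.html'
+parallel: false
+
 - name: Install Doca-host
 containerSelector:
 - "{category: 'base'}"
@@ -222,12 +235,12 @@ steps:
 - "{nodeLabel: 'skip-agent'}"
 run: |
 echo "Installing DOCA: ${DOCA_VERSION} ..."
-.ci/scripts/doca_install.sh
+.ci/scripts/doca_install.sh
 
 - name: Install Doca-host on Tools
 run: |
 echo "Installing DOCA: ${DOCA_VERSION} ..."
-.ci/scripts/doca_install.sh
+.ci/scripts/doca_install.sh
 containerSelector:
 - "{name: 'style', category: 'tool', variant: 1}"
 agentSelector: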
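Review bot: In the new Secret Scan step's `run` block (hunk `@@ -212,6 +213,18 @@`) the token is handed to `env` as an argument, so `GITHUB_TOKEN=<value>` sits in that process's argv and is readable from process listings on the agent until `env` execs the scanner; a shell prefix assignment keeps it in the environment only, and the bare `$WORKSPACE` expansions should be quoted as well: `GITHUB_TOKEN="$MELLANOX_GH_TOKEN" /opt/nvidia/secret_scan.py --path "$WORKSPACE" --git-repo "$WORKSPACE" --report-file secret_scan.html`. The step then publishes the report through `archiveArtifacts: '*.html'`; if `secret_scan.html` reproduces the matched strings, anyone with read access to the build can retrieve exactly the secrets the scan flagged, so either confirm the scanner redacts matches or keep the report out of the build artifacts. The step also binds `credentialsId: 'mellanox_github_credentials'` without the `usernameVariable`/`passwordVariable` mapping that the coverity entry in the `credentials:` hunk uses, so it is worth confirming that this binding really exports `MELLANOX_GH_TOKEN`, otherwise the scan runs with an empty token and no clear error. The enclosing `steps:` list continues outside the hunk.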

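--- a/.ci/opensource_jjb.yaml
+++ b/.ci/opensource_jjb.yaml
@@ -117,6 +117,10 @@
 name: "do_copyrights"
 default: true
 description: "Check copyrights in source headers"
+- bool:
+name: "do_secretscan"
+default: true
+description: "Check for secrets in source code"
 triggers:
 - github-pull-request:
 cron: 'H/5 * * * *'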
