Merge pull request #1 from loadsmart/features/send_metrics
Configuring sast-check.sh script to send metrics to DataDog
Showing
2 changed files
with
106 additions
and
3 deletions.
@@ -1,5 +1,6 @@ | ||
FROM python:3.8-alpine | ||
|
||
RUN apk add jq | ||
RUN pip install bandit | ||
|
||
ADD sast-check.sh /bin/sast-check | ||
|
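Review bot: `RUN apk add jq` installs an unpinned package and leaves the apk index inside the layer; `RUN apk add --no-cache jq=<pinned-version>` (placeholder for the version you validate) keeps the scanner image reproducible and smaller, and the rendering does not show which of the six lines is the addition, but this one is the only new tool the script needs. The same applies to `RUN pip install bandit`, which pins neither the bandit release the scan results depend on nor suppresses the pip cache — `RUN pip install --no-cache-dir bandit==<pinned-version>`. `ADD sast-check.sh /bin/sast-check` copies a plain local file, so `COPY sast-check.sh /bin/sast-check` is the appropriate instruction, and `python:3.8-alpine` is a floating tag; pinning a digest makes the image that produces the security metrics auditable. There is no `USER` instruction, so the scan runs as root inside the container.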
@@ -1,13 +1,115 @@ | ||
#!/bin/sh | ||
|
||
export NOW="$(date +%s)" | ||
TMP_REPORT="$(mktemp)" | ||
|
||
# Run Bandit and save report on temporary folder | ||
set -euo pipefail | ||
bandit --version | ||
bandit -r -a vuln -ii -ll -x .git,.svn,.mvn,.idea,dist,bin,obj,backup,docs,tests,test,tmp,reports,venv "$@" | ||
# EXITCODE=$? | ||
bandit -r -a vuln -ii -ll -x .git,.svn,.mvn,.idea,dist,bin,obj,backup,docs,tests,test,tmp,reports,venv "$@" -f json -o "${TMP_REPORT}" | ||
|
||
# EXITCODE=$? | ||
# RESULT="${RESULT//'%'/'%25'}" | ||
# RESULT="${RESULT//$'\n'/'%0A'}" | ||
# RESULT="${RESULT//$'\r'/'%0D'}" | ||
# echo "::set-output name=result::${RESULT}" | ||
|
||
# exit ${EXITCODE} | ||
|
||
# Print Report on screen to developers | ||
cat "${TMP_REPORT}" | ||
|
||
if [ -z "$DD_CLIENT_API_KEY"] || [ -z "$GITHUB_REPOSITORY" ] | ||
then | ||
echo "\$DD_CLIENT_API_KEY or \$SGITHUB_REPOSITORY are empty. I can't send metrics to DataDog without this information!" | ||
else | ||
# Reading metrics and save to variables | ||
read confidence_high confidence_medium severity_high severity_medium loc \ | ||
< <(echo $(cat ${TMP_REPORT} | jq -r '.metrics._totals."CONFIDENCE.HIGH", .metrics._totals."CONFIDENCE.MEDIUM", \ | ||
.metrics._totals."SEVERITY.HIGH", .metrics._totals."SEVERITY.MEDIUM", .metrics._totals.loc')) | ||
|
||
# Sending metrics to DataDog | ||
curl -X POST "https://api.datadoghq.com/api/v1/series?api_key=${DD_CLIENT_API_KEY}" \ | ||
-H "Content-Type: application/json" \ | ||
-d @- << EOF | ||
{ | ||
"series": [ | ||
{ | ||
"metric": "security.sast.execution", | ||
"points": [ | ||
[ | ||
"${NOW}", | ||
1 | ||
] | ||
], | ||
"tags":[ | ||
"repo:${GITHUB_REPOSITORY}" | ||
] | ||
}, | ||
{ | ||
"metric": "security.sast.results.confidence_high", | ||
"points": [ | ||
[ | ||
"${NOW}", | ||
${confidence_high} | ||
], | ||
], | ||
"tags":[ | ||
"repo:${GITHUB_REPOSITORY}" | ||
] | ||
}, | ||
{ | ||
"metric": "security.sast.results.confidence_medium", | ||
"points": [ | ||
[ | ||
"${NOW}", | ||
${confidence_medium} | ||
] | ||
], | ||
"tags":[ | ||
"repo:${GITHUB_REPOSITORY}" | ||
] | ||
}, | ||
{ | ||
"metric": "security.sast.results.severity_high", | ||
"points": [ | ||
[ | ||
"${NOW}", | ||
${severity_high} | ||
] | ||
], | ||
"tags":[ | ||
"repo:${GITHUB_REPOSITORY}" | ||
] | ||
}, | ||
{ | ||
"metric": "security.sast.results.severity_medium", | ||
"points": [ | ||
[ | ||
"${NOW}", | ||
${severity_medium} | ||
] | ||
], | ||
"tags":[ | ||
"repo:${GITHUB_REPOSITORY}" | ||
] | ||
}, | ||
{ | ||
"metric": "security.sast.results.loc", | ||
"points": [ | ||
[ | ||
"${NOW}", | ||
${loc} | ||
] | ||
], | ||
"tags":[ | ||
"repo:${GITHUB_REPOSITORY}" | ||
] | ||
} | ||
] | ||
} | ||
EOF | ||
fi | ||
# Removing temporary files | ||
rm -rf "${TMP_REPORT}" |
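Review bot: The guard `if [ -z "$DD_CLIENT_API_KEY"] || [ -z "$GITHUB_REPOSITORY" ]` is missing the space before the first `]`, so `[` reports a missing bracket and, with `set -e` active, the script aborts instead of printing its message; because `set -u` is also active, an unset `DD_CLIENT_API_KEY` already fails at expansion before the test runs, so the check needs `${DD_CLIENT_API_KEY:-}` (the message below it also misspells `$GITHUB_REPOSITORY` as `$SGITHUB_REPOSITORY`). The `read … < <(…)` process substitution is a bash construct, but the shebang is `#!/bin/sh` and the image is alpine-based, so the metric extraction will fail at runtime; the fence below reads each total with its own `jq` call. Separately, the first `bandit` invocation exits non-zero whenever it has findings, which under `set -e` stops the script before the JSON report, the metrics push and the `rm` of the temp file — capture its status explicitly (the commented-out `EXITCODE=$?` suggests that was the intent) or move the cleanup into a `trap`. The `confidence_high` series has a stray comma after its closing `]` of `points`, which makes the whole payload invalid JSON. Finally, the API key is sent as a URL query parameter, where it shows up in process listings and proxy/access logs; Datadog accepts it as a request header, `-H "DD-API-KEY: ${DD_CLIENT_API_KEY}"`, which keeps it out of the URL.
```shell
# … unchanged: bandit runs and report printing …
if [ -z "${DD_CLIENT_API_KEY:-}" ] || [ -z "${GITHUB_REPOSITORY:-}" ]
then
  echo "\$DD_CLIENT_API_KEY or \$GITHUB_REPOSITORY are empty. I can't send metrics to DataDog without this information!"
else
  # Reading metrics and save to variables (one jq call each; portable to /bin/sh)
  confidence_high="$(jq -r '.metrics._totals."CONFIDENCE.HIGH"' "${TMP_REPORT}")"
  confidence_medium="$(jq -r '.metrics._totals."CONFIDENCE.MEDIUM"' "${TMP_REPORT}")"
  severity_high="$(jq -r '.metrics._totals."SEVERITY.HIGH"' "${TMP_REPORT}")"
  severity_medium="$(jq -r '.metrics._totals."SEVERITY.MEDIUM"' "${TMP_REPORT}")"
  loc="$(jq -r '.metrics._totals.loc' "${TMP_REPORT}")"

  # Sending metrics to DataDog (API key in a header, not in the URL)
  curl -X POST "https://api.datadoghq.com/api/v1/series" \
    -H "Content-Type: application/json" \
    -H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \
    -d @- << EOF
# … unchanged: JSON series payload, minus the stray comma after the confidence_high points array …
```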