Add security.md (#256)

* added security scan to ci and release pipelines

* added SECURITY.md file

* moved from mockery to gomock library

.golangci.yaml

@@ -3,6 +3,10 @@
 
 # options for analysis running
 run:
+  # https://github.com/golangci/golangci-lint/issues/2649
+  # enable go 1.17 linting, will not allow generics
+  go: "1.17"
+
   # default concurrency is a available CPU number
   concurrency: 4
 
@@ -30,4 +34,4 @@ linters-settings:
 
   gocyclo:
     # minimal code complexity to report, 30 by default (but we recommend 10-20)
-    min-complexity: 18
+    min-complexity: 18

Makefile

@@ -102,6 +102,7 @@ $(OUT_DIR)/$(CLI_NAME).image: $(CLI_SRCS)
 
 .PHONY: lint
 lint: $(GOBIN)/golangci-lint tidy
+	@golangci-lint version
 	@echo linting go code...
 	@golangci-lint run --fix --timeout 6m
 
@@ -110,7 +111,7 @@ test:
 	./hack/test.sh
 
 .PHONY: codegen
-codegen: $(GOBIN)/mockery
+codegen: $(GOBIN)/mockgen
 	rm -f docs/commands/*
 	go generate ./...
 
@@ -149,25 +150,11 @@ tidy:
 check-worktree:
 	@./hack/check_worktree.sh
 
-$(GOBIN)/mockery:
-	@mkdir dist || true
-	@echo installing: mockery
-	@curl -L -o dist/mockery.tar.gz -- https://github.com/vektra/mockery/releases/download/v2.8.0/mockery_2.8.0_$(shell uname -s)_$(shell uname -m).tar.gz
-	@tar zxvf dist/mockery.tar.gz mockery
-	@rm dist/mockery.tar.gz
-	@chmod +x mockery
-	@mkdir -p $(GOBIN)
-	@mv mockery $(GOBIN)/mockery
-	@mockery --version
+$(GOBIN)/mockgen:
+	@go install github.com/golang/mock/[email protected]
+	@mockgen -version
 
 $(GOBIN)/golangci-lint:
 	@mkdir dist || true
 	@echo installing: golangci-lint
-	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOBIN) v1.36.0
-
-$(GOBIN)/interfacer: cwd=$(shell pwd)
-$(GOBIN)/interfacer:
-	@cd /tmp
-	@echo installing: interfacer
-	@GO111MODULE=on go get -v github.com/rjeczalik/interfaces/cmd/[email protected]
-	@cd ${cwd}
+	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOBIN) v1.45.2

SECURITY.md

@@ -0,0 +1,48 @@
+# Security Policy for Argo-CD Autopilot
+
+## Preface
+
+Argo-CD Autopilot is a tool that helps users to get an opinionated gitops
+repository and bootstrapped Argo-CD installation. To achieve its goals
+Argo-CD Autopilot requires access to the Kubernetes cluster you want to
+install Argo-CD on and optionally to other Kubernetes clusters you want
+to connect to the Argo-CD instance as target clusters for deployments.
+
+Because Argo-CD Autopilot is a gitops tool it also requires access to
+your git repositories. Currently it requires pull and push access to
+your gitops repo (permission to create repositories is also required
+if you want to also create the repository as part of the bootstrapping
+process). Though, there are [plans](https://github.com/argoproj-labs/argocd-autopilot/issues/51) 
+to have an optional <i>local</i> mode of operation where the user can
+tell Argo-CD Autopilot to make changes to a local copy of the repo, 
+making the git repository access completely optional.
+
+## Security Scans
+
+We use the following static code analysis tools:
+
+* golangci-lint and tslint for compile time linting
+* snyk.io - for image scanning
+
+These are run on each pull request and before each release.
+
+Additionally, Dependabot is configured to scan and report new security 
+vulnerabilities in our dependancy tree on a daily basis.
+
+## Reporting a Vulnerability
+
+If you find a security related bug in Argo-CD Autopilot, we kindly ask you 
+for responsible disclosure and for giving us appropriate time to react, 
+analyze and develop a fix to mitigate the found security vulnerability.
+
+Please report vulnerabilities by e-mail to the following address: 
+
+* [email protected]
+
+All vulnerabilities and associated information will be treated with full confidentiality. 
+
+## Public Disclosure
+
+Security vulnerabilities will be disclosed via release notes and using the
+[GitHub Security Advisories](https://github.com/argoproj-labs/argocd-autopilot/security/advisories)
+feature to keep our community well informed, and will credit you for your findings (unless you prefer to stay anonymous, of course).

build/ci.yml

@@ -109,6 +109,25 @@ steps:
         on:
         - success
 
+  scan-image:
+    stage: Build
+    title: scan docker image
+    image: quay.io/codefresh/snyk-cli:latest
+    shell: bash
+    environment:
+    - SNYK_TOKEN=${{SNYK_TOKEN}}
+    - LOCAL_IMAGE_REF=${{IMAGE_NAME}}:${{CF_BRANCH_TAG_NORMALIZED_LOWER_CASE}}
+    commands:
+    - |
+      snyk test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} || fail=1
+      snyk container test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} --file=Dockerfile ${LOCAL_IMAGE_REF}
+      if [ "$fail" == "1" ]; then exit 1; fi
+    when:
+      steps:
+      - name: build
+        on:
+        - success
+
   push_dev:
     stage: Push Dev
     title: push with dev tags

build/release.yml

@@ -97,7 +97,7 @@ steps:
       - name: test
         on:
         - success
-  
+
   build:
     stage: Build
     title: build docker image
@@ -112,6 +112,25 @@ steps:
         on:
         - success
 
+  scan-image:
+    stage: Build
+    title: scan docker image
+    image: quay.io/codefresh/snyk-cli:latest
+    shell: bash
+    environment:
+    - SNYK_TOKEN=${{SNYK_TOKEN}}
+    - LOCAL_IMAGE_REF=${{IMAGE_NAME}}:${{CF_BRANCH_TAG_NORMALIZED_LOWER_CASE}}
+    commands:
+    - |
+      snyk test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} || fail=1
+      snyk container test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} --file=Dockerfile ${LOCAL_IMAGE_REF}
+      if [ "$fail" == "1" ]; then exit 1; fi
+    when:
+      steps:
+      - name: build
+        on:
+        - success
+
   build_binaries:
     <<: *deps
     stage: Build
@@ -153,7 +172,7 @@ steps:
       - name: lint
         on:
         - success
-  
+
   create_release:
     <<: *deps
     stage: Release