diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 6c4fcf5f..e6e48274 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -78,3 +78,20 @@ jobs: git remote add bitbucket https://${{ secrets.BITBUCKET_USERNAME }}:${{ secrets.BITBUCKET_SYNC_TOKEN }}@bitbucket.org/squid-protocol/gitgalaxy.git git push -f bitbucket HEAD:main git push -f --tags bitbucket + + azure-sync: + name: Sync to Azure DevOps + needs: pypi-publish + runs-on: ubuntu-latest + steps: + - name: Checkout GitHub Repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Sync Code and Tags to Azure + run: | + # Note: Azure Organization, Project, and Repository are all named gitgalaxy + git remote add azure https://${{ secrets.AZURE_DEVOPS_TOKEN }}@https://dev.azure.com/gitgalaxy/gitgalaxy/_git/gitgalaxy + git push -f azure HEAD:main + git push -f --tags azure diff --git a/.gitignore b/.gitignore index a5d8a29d..8d3ca2fc 100644 --- a/.gitignore +++ b/.gitignore @@ -101,4 +101,4 @@ telemetry_out/ tests/telemetry_out/ # Force tracking of the Golden Master despite global *.json ignore -!tests/golden_master_audit.json \ No newline at end of file +!tests/golden_master_audit.json*.vsix diff --git a/azure-pipelines.yml b/azure-pipelines.yml new file mode 100644 index 00000000..927176df --- /dev/null +++ b/azure-pipelines.yml @@ -0,0 +1,63 @@ +# GitGalaxy Enterprise Security Scanner +# Integration: Azure DevOps Pipelines + +trigger: + branches: + include: + - main + tags: + include: + - v* + +variables: + GG_TOOL: 'galaxyscope' + GG_TARGET: '.' + GG_ARGS: '--max-systemic-threat 150.0 --fail-on-secrets --fail-on-malware --sarif-only --output $(Build.ArtifactStagingDirectory)/gitgalaxy-results.json' + PIP_CACHE_DIR: '$(Pipeline.Workspace)/.pip-cache' + GITGALAXY_LICENSE_KEY: 'COMMUNITY_FREE_TIER' + +stages: +- stage: SecurityScan + displayName: 'GitGalaxy Zero-Trust Audit' + jobs: + - job: RunGalaxyScope + displayName: 'GalaxyScope Static Analysis' + pool: + vmImage: 'ubuntu-latest' + steps: + - task: UsePythonVersion@0 + inputs: + versionSpec: '3.12' + displayName: 'Initialize Python Environment' + + - task: Cache@2 + inputs: + key: 'pip | "$(Agent.OS)"' + path: $(PIP_CACHE_DIR) + cacheHitVar: PIP_CACHE_RESTORED + displayName: 'Configure Dependency Caching' + + # 1. Install the tool globally FIRST (Immune to Poisoned PRs) + - script: | + python -m pip install --upgrade pip + pip install gitgalaxy networkx tiktoken xgboost pandas numpy + displayName: 'Install GitGalaxy & Heavy Physics Engines' + + # 2. NOW pull the potentially untrusted code onto the runner + - checkout: self + fetchDepth: 0 + displayName: 'Checkout Repository (Full Depth)' + + # 3. Execute the scan (No package managers allowed down here) + - script: | + echo "Running: $(GG_TOOL) $(GG_TARGET)$(GG_ARGS)" + $(GG_TOOL) $(GG_TARGET)$(GG_ARGS) + displayName: 'Execute Zero-Trust Spectral Audit' + + - task: PublishPipelineArtifact@1 + inputs: + targetPath: '$(Build.ArtifactStagingDirectory)/gitgalaxy-results.json' + artifact: 'GitGalaxySecurityLogs' + publishLocation: 'pipeline' + displayName: 'Upload SARIF Security Metrics' + condition: always() \ No newline at end of file diff --git a/templates/azure/azure-pipelines.yml b/templates/azure/azure-pipelines.yml index d131e854..927176df 100644 --- a/templates/azure/azure-pipelines.yml +++ b/templates/azure/azure-pipelines.yml @@ -2,11 +2,19 @@ # Integration: Azure DevOps Pipelines trigger: - - main + branches: + include: + - main + tags: + include: + - v* variables: - GITGALAXY_MAX_RISK: '80' + GG_TOOL: 'galaxyscope' + GG_TARGET: '.' + GG_ARGS: '--max-systemic-threat 150.0 --fail-on-secrets --fail-on-malware --sarif-only --output $(Build.ArtifactStagingDirectory)/gitgalaxy-results.json' PIP_CACHE_DIR: '$(Pipeline.Workspace)/.pip-cache' + GITGALAXY_LICENSE_KEY: 'COMMUNITY_FREE_TIER' stages: - stage: SecurityScan @@ -22,7 +30,6 @@ stages: versionSpec: '3.12' displayName: 'Initialize Python Environment' - # Cache pip packages to optimize enterprise build speeds - task: Cache@2 inputs: key: 'pip | "$(Agent.OS)"' @@ -30,20 +37,27 @@ stages: cacheHitVar: PIP_CACHE_RESTORED displayName: 'Configure Dependency Caching' + # 1. Install the tool globally FIRST (Immune to Poisoned PRs) - script: | python -m pip install --upgrade pip - pip install gitgalaxy>=2.4.0 - displayName: 'Install GitGalaxy CLI Engine' + pip install gitgalaxy networkx tiktoken xgboost pandas numpy + displayName: 'Install GitGalaxy & Heavy Physics Engines' + # 2. NOW pull the potentially untrusted code onto the runner + - checkout: self + fetchDepth: 0 + displayName: 'Checkout Repository (Full Depth)' + + # 3. Execute the scan (No package managers allowed down here) - script: | - galaxyscope . --max-risk-exposure $(GITGALAXY_MAX_RISK) --fail-on-secrets --fail-on-malware --sarif-only --output $(Build.ArtifactStagingDirectory)/gitgalaxy-results_sarif.json + echo "Running: $(GG_TOOL) $(GG_TARGET)$(GG_ARGS)" + $(GG_TOOL) $(GG_TARGET)$(GG_ARGS) displayName: 'Execute Zero-Trust Spectral Audit' - # Publish SARIF telemetry back to the Azure Pipeline runs - task: PublishPipelineArtifact@1 inputs: - targetPath: '$(Build.ArtifactStagingDirectory)/gitgalaxy-results_sarif.json' + targetPath: '$(Build.ArtifactStagingDirectory)/gitgalaxy-results.json' artifact: 'GitGalaxySecurityLogs' publishLocation: 'pipeline' displayName: 'Upload SARIF Security Metrics' - condition: always() + condition: always() \ No newline at end of file