Skip to content
17 changes: 17 additions & 0 deletions .github/workflows/publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -78,3 +78,20 @@ jobs:
git remote add bitbucket https://${{ secrets.BITBUCKET_USERNAME }}:${{ secrets.BITBUCKET_SYNC_TOKEN }}@bitbucket.org/squid-protocol/gitgalaxy.git
git push -f bitbucket HEAD:main
git push -f --tags bitbucket

azure-sync:
name: Sync to Azure DevOps
needs: pypi-publish
runs-on: ubuntu-latest
steps:
- name: Checkout GitHub Repository
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Sync Code and Tags to Azure
run: |
# Note: Azure Organization, Project, and Repository are all named gitgalaxy
git remote add azure https://${{ secrets.AZURE_DEVOPS_TOKEN }}@https://dev.azure.com/gitgalaxy/gitgalaxy/_git/gitgalaxy
git push -f azure HEAD:main
git push -f --tags azure
2 changes: 1 addition & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -101,4 +101,4 @@ telemetry_out/
tests/telemetry_out/

# Force tracking of the Golden Master despite global *.json ignore
!tests/golden_master_audit.json
!tests/golden_master_audit.json*.vsix
63 changes: 63 additions & 0 deletions azure-pipelines.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
# GitGalaxy Enterprise Security Scanner
# Integration: Azure DevOps Pipelines

trigger:
branches:
include:
- main
tags:
include:
- v*

variables:
GG_TOOL: 'galaxyscope'
GG_TARGET: '.'
GG_ARGS: '--max-systemic-threat 150.0 --fail-on-secrets --fail-on-malware --sarif-only --output $(Build.ArtifactStagingDirectory)/gitgalaxy-results.json'
PIP_CACHE_DIR: '$(Pipeline.Workspace)/.pip-cache'
GITGALAXY_LICENSE_KEY: 'COMMUNITY_FREE_TIER'

stages:
- stage: SecurityScan
displayName: 'GitGalaxy Zero-Trust Audit'
jobs:
- job: RunGalaxyScope
displayName: 'GalaxyScope Static Analysis'
pool:
vmImage: 'ubuntu-latest'
steps:
- task: UsePythonVersion@0
inputs:
versionSpec: '3.12'
displayName: 'Initialize Python Environment'

- task: Cache@2
inputs:
key: 'pip | "$(Agent.OS)"'
path: $(PIP_CACHE_DIR)
cacheHitVar: PIP_CACHE_RESTORED
displayName: 'Configure Dependency Caching'

# 1. Install the tool globally FIRST (Immune to Poisoned PRs)
- script: |
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
python -m pip install --upgrade pip
pip install gitgalaxy networkx tiktoken xgboost pandas numpy
displayName: 'Install GitGalaxy & Heavy Physics Engines'

# 2. NOW pull the potentially untrusted code onto the runner
- checkout: self
fetchDepth: 0
displayName: 'Checkout Repository (Full Depth)'

# 3. Execute the scan (No package managers allowed down here)
- script: |
echo "Running: $(GG_TOOL) $(GG_TARGET)$(GG_ARGS)"
$(GG_TOOL) $(GG_TARGET)$(GG_ARGS)
displayName: 'Execute Zero-Trust Spectral Audit'

- task: PublishPipelineArtifact@1
inputs:
targetPath: '$(Build.ArtifactStagingDirectory)/gitgalaxy-results.json'
artifact: 'GitGalaxySecurityLogs'
publishLocation: 'pipeline'
displayName: 'Upload SARIF Security Metrics'
condition: always()
32 changes: 23 additions & 9 deletions templates/azure/azure-pipelines.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,19 @@
# Integration: Azure DevOps Pipelines

trigger:
- main
branches:
include:
- main
tags:
include:
- v*

variables:
GITGALAXY_MAX_RISK: '80'
GG_TOOL: 'galaxyscope'
GG_TARGET: '.'
GG_ARGS: '--max-systemic-threat 150.0 --fail-on-secrets --fail-on-malware --sarif-only --output $(Build.ArtifactStagingDirectory)/gitgalaxy-results.json'
PIP_CACHE_DIR: '$(Pipeline.Workspace)/.pip-cache'
GITGALAXY_LICENSE_KEY: 'COMMUNITY_FREE_TIER'

stages:
- stage: SecurityScan
Expand All @@ -22,28 +30,34 @@ stages:
versionSpec: '3.12'
displayName: 'Initialize Python Environment'

# Cache pip packages to optimize enterprise build speeds
- task: Cache@2
inputs:
key: 'pip | "$(Agent.OS)"'
path: $(PIP_CACHE_DIR)
cacheHitVar: PIP_CACHE_RESTORED
displayName: 'Configure Dependency Caching'

# 1. Install the tool globally FIRST (Immune to Poisoned PRs)
- script: |
python -m pip install --upgrade pip
pip install gitgalaxy>=2.4.0
displayName: 'Install GitGalaxy CLI Engine'
pip install gitgalaxy networkx tiktoken xgboost pandas numpy
displayName: 'Install GitGalaxy & Heavy Physics Engines'

# 2. NOW pull the potentially untrusted code onto the runner
- checkout: self
fetchDepth: 0
displayName: 'Checkout Repository (Full Depth)'

# 3. Execute the scan (No package managers allowed down here)
- script: |
galaxyscope . --max-risk-exposure $(GITGALAXY_MAX_RISK) --fail-on-secrets --fail-on-malware --sarif-only --output $(Build.ArtifactStagingDirectory)/gitgalaxy-results_sarif.json
echo "Running: $(GG_TOOL) $(GG_TARGET)$(GG_ARGS)"
$(GG_TOOL) $(GG_TARGET)$(GG_ARGS)
displayName: 'Execute Zero-Trust Spectral Audit'

# Publish SARIF telemetry back to the Azure Pipeline runs
- task: PublishPipelineArtifact@1
inputs:
targetPath: '$(Build.ArtifactStagingDirectory)/gitgalaxy-results_sarif.json'
targetPath: '$(Build.ArtifactStagingDirectory)/gitgalaxy-results.json'
artifact: 'GitGalaxySecurityLogs'
publishLocation: 'pipeline'
displayName: 'Upload SARIF Security Metrics'
condition: always()
condition: always()
Loading