diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3aa6389b..976fa73c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,69 +1,56 @@ stages: - - deploy + - scan -deploy-dev: - stage: deploy - image: alpine:3.20 - variables: - DEPLOY_APP: "LTI-MBUGROUP" - - before_script: - - echo "🧰 Installing dependencies..." - - apk update && apk add --no-cache openssh git curl - - mkdir -p ~/.ssh - - echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_rsa - - chmod 600 ~/.ssh/id_rsa - - eval $(ssh-agent -s) - - ssh-add ~/.ssh/id_rsa - - ssh-keyscan -H "$SERVER_IP" >> ~/.ssh/known_hosts +cache: + paths: + - .sonar/cache + - .cache +# ============================================================ +# 🧠 Step 1: Security Scan dengan gosec +# ============================================================ +gosec_scan: + stage: scan + image: golang:1.23 script: - - echo "🚀 Deploying latest code to $SERVER_USER@$SERVER_IP" - - > - if ssh -o StrictHostKeyChecking=no "$SERVER_USER@$SERVER_IP" " - cd /home/devops/docker/deployment/development/lti-api && - git fetch origin development && - git reset --hard origin/development && - docker compose restart dev-api-lti || docker compose up -d dev-api-lti - "; then - STATUS='success'; - else - STATUS='failed'; - fi; - - RUN_URL="${CI_PROJECT_URL}/-/pipelines/${CI_PIPELINE_ID}"; - - if [ "$STATUS" = "success" ]; then - COLOR=3066993; - TITLE="✅ Deployment API Succeeded"; - DESC="Deployment job on branch \`${CI_COMMIT_REF_NAME}\` completed successfully."; - else - COLOR=15158332; - TITLE="❌ Deployment API Failed Gaes"; - DESC="Deployment job on branch \`${CI_COMMIT_REF_NAME}\` failed."; - fi; - - echo "{ - \"username\": \"CI Bot\", - \"embeds\": [{ - \"title\": \"$TITLE\", - \"description\": \"$DESC\", - \"color\": $COLOR, - \"fields\": [ - {\"name\": \"Repository\", \"value\": \"${CI_PROJECT_PATH}\", \"inline\": true}, - {\"name\": \"Actor\", \"value\": \"${GITLAB_USER_LOGIN}\", \"inline\": true}, - {\"name\": \"Commit\", \"value\": \"${CI_COMMIT_SHA}\", \"inline\": false}, - {\"name\": \"Pipeline\", \"value\": \"[Open run](${RUN_URL})\", \"inline\": false} - ] - }] - }" > 
payload.json; - - echo "📡 Sending notification to Discord..."; - curl -sS -H "Content-Type: application/json" \ - -d @payload.json "$DISCORD_WEBHOOK_URL"; - + - go install github.com/securego/gosec/v2/cmd/gosec@latest + - echo "🔍 Menjalankan scan keamanan Go..." + - gosec -fmt=json -out=gosec-report.json ./... + - cat gosec-report.json | jq '.Issues | length' + artifacts: + when: always + paths: + - gosec-report.json + expire_in: 1 week + allow_failure: false only: - - development + - merge_requests + - branches - environment: - name: development \ No newline at end of file +# ============================================================ +# 🧱 Step 2: Analisis SonarQube +# ============================================================ +sonarqube_analysis: + stage: scan + image: sonarsource/sonar-scanner-cli:latest + script: + - echo "🚀 Menjalankan analisis SonarQube..." + - sonar-scanner \ + -Dsonar.projectKey="mbu-lti-backend" \ + -Dsonar.projectName="MBU LTI Backend" \ + -Dsonar.sources="." \ + -Dsonar.host.url="https://status.mbugroup.id/sonar" \ + -Dsonar.login="sqp_97b3cb2f80ce932fb07b5641aeecc8704b76d1a7" \ + -Dsonar.sourceEncoding="UTF-8" \ + -Dsonar.verbose=true + only: + - merge_requests + - branches + allow_failure: false + dependencies: + - gosec_scan + artifacts: + when: always + paths: + - .scannerwork + expire_in: 1 week \ No newline at end of file
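Review bot: The `sonarqube_analysis` script hard-codes a live SonarQube token, `-Dsonar.login="sqp_97b3…d1a7"`, so the credential is now committed to the repository (and, since GitLab echoes each script line, most likely printed in every job log); it stays in git history after removal, so it should be revoked in SonarQube and reissued rather than just edited out. Replace the literal with a masked, protected CI/CD variable — `-Dsonar.token="$SONAR_TOKEN"` — or set `SONAR_TOKEN`/`SONAR_HOST_URL` as job variables, which the `sonar-scanner-cli` image reads from the environment and which keeps the secret off the command line entirely; note that `sonar.login` is deprecated in favour of `sonar.token` in current scanner versions. The same step appears to continue `sonar-scanner \` across several plain-scalar list lines; YAML folds those into a single line with literal backslashes, so the invocation probably needs a `- |` or `- >` block scalar to pass its `-D` arguments as intended. Lower priority but related: `go install …gosec@latest` and `sonar-scanner-cli:latest` are unpinned, so scan results are not reproducible and a bad upstream release would run with the project's token — pin both to a version.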