diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 13c155ac1af..ec932f79bf3 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -876,3 +876,7 @@ embed.go @grafana/grafana-as-code
 /conf/provisioning/datasources/ @grafana/plugins-platform-backend
 /conf/provisioning/plugins/ @grafana/plugins-platform-backend
 /conf/provisioning/sample/ @grafana/grafana-git-ui-sync-team
+
+# Security
+/relyance.yaml @grafana/security-team
+/.github/workflows/relyance-scan.yml @grafana/security-team
diff --git a/.github/workflows/relyance-scan.yml b/.github/workflows/relyance-scan.yml
new file mode 100644
index 00000000000..29d68e00416
--- /dev/null
+++ b/.github/workflows/relyance-scan.yml
@@ -0,0 +1,33 @@
+name: Relyance Compliance Inspection
+on:
+ schedule:
+ - cron: '0 0 * * *' # Run daily at 00:00 UTC
+ workflow_dispatch: # Allow for manual trigger
+
+jobs:
+ relyance-compliance-inspector:
+ permissions:
+ contents: read
+ id-token: write # Needed for Vault access
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Get API key
+ id: vault-secrets
+ uses: grafana/shared-workflows/actions/get-vault-secrets@5d7e361bc7e0a183cde8afe9899fb7b596d2659b # get-vault-secrets-v1.2.0
+ with:
+ repo_secrets: |
+ API_KEY=relyance:API_KEY
+
+ - name: Run Relyance scan
+ env:
+ API_KEY: "${{ fromJSON(steps.vault-secrets.outputs.secrets).API_KEY }}"
+ run: |
+ docker pull gcr.io/relyance-ext/compliance_inspector:release && \
+ docker run --rm -v ${{ github.workspace }}:/repo --env "API_KEY=${{ env.API_KEY }}" gcr.io/relyance-ext/compliance_inspector:release
diff --git a/relyance.yaml b/relyance.yaml
new file mode 100644
index 00000000000..41a798d27f2
--- /dev/null
+++ b/relyance.yaml
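Review bot: The scanner image is pulled by the mutable tag `gcr.io/relyance-ext/compliance_inspector:release` in the `Run Relyance scan` step, so whatever is published under that tag at 00:00 UTC runs with the full checkout mounted and the Vault-sourced API key in its environment; pin it by digest (`gcr.io/relyance-ext/compliance_inspector@sha256:<digest-placeholder>`) and bump it deliberately, and for the same reason pin `actions/checkout@v4` to a commit SHA the way the shared-workflows action already is. The key is also interpolated into the shell script via `${{ env.API_KEY }}` although the step already exports it as `API_KEY`; `--env API_KEY` lets docker read it from the step environment without embedding the value in the command text. The mount can be `-v "${GITHUB_WORKSPACE}:/repo:ro"`, since an inspector only needs to read the tree and a read-only mount keeps the image from altering the checkout. A `timeout-minutes` on the job would additionally bound a hung scan on the daily schedule.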
@@ -0,0 +1,99 @@
+# Relyance Compliance Inspector Configuration
+
+repository: grafana/grafana
+
+# Services and Code Relationship
+# Purpose: Configuration used to visualize the code base and relationships between microservices and code.
+# Note: Directory paths are relative to the repository's root directory.
+# Note: Need a separate entry for each microservice. See example below.
+services:
+
+
+
+# Example: Services and Code Relationship
+# Note: Do not use below. It is an example.
+# Note: Directory paths are relative to the repository's root directory
+#- service: paymentservice
+# source:
+# - src/payments
+# - src/checkout_service
+#- service: catalogservice
+# source:
+# - src/catalog
+
+
+# Source Directories to Exclude
+# Purpose: Configuration is used to exclude directories from analysis such as test directories etc.
+# Note: Directory paths are relative to the repository's root directory
+exclude:
+ # Test and development environments
+ - e2e
+ - devenv
+ - hack
+ - scripts
+ - tools
+ - pkg/tests
+
+ # Documentation and examples
+ - docs
+ - contribute
+ - grafana-mixin
+
+ # Build artifacts and dependencies
+ - packaging
+ - data
+ - bin
+ - plugins-bundled
+ - vendor
+ - node_modules
+
+ # Static UI assets
+ - public/fonts
+ - public/img
+ - public/locales
+ - public/vendor
+ - public/lib
+
+ # Configuration templates
+ - conf
+ - emails
+ - cue.mod
+ - kinds
+ - kindsv2
+
+ # Temporary and cache directories
+ - tmp
+ - cache
+ - .cache
+ - venv
+
+
+# Excluding files and directories using patterns (enable lines as needed)
+exclude_patterns:
+ # Test and mock files
+ - "**/*_test.go"
+ - "**/*.test.ts"
+ - "**/*.spec.ts"
+ - "**/testdata/**"
+ - "**/*_mock.go"
+ - "**/mocks/**"
+
+ # Generated code
+ - "**/*_gen.go"
+ - "**/wire_gen.go"
+
+ # Documentation and examples
+ - "**/*.md"
+ - "**/README.*"
+ - "**/LICENSE*"
+ - "**/*.example.*"
+
+ # System files and dependencies
+ - "**/.DS_Store"
+ - "**/*.log"
+ - "**/go.sum"
+ - "**/yarn.lock"
+
+ # Generated specs
+ - "**/swagger.json"
+ - "**/openapi*.json"
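Review bot: `services:` is declared with no entries, which YAML parses as a null value rather than an empty list, and nothing here shows whether the inspector accepts that or reports a configuration error; add a comment on that line stating the key is deliberately unpopulated, e.g. `services: # intentionally empty: no per-service mapping yet; add entries per the example below`, or leave the key out until it is used. The `exclude` list also drops `conf`, `emails` and `data` from analysis under the "Configuration templates" and "Build artifacts" headings; if any of those hold real runtime defaults rather than templates in this repository, the exclusion would hide them from the compliance scan, so a one-line comment justifying each non-obvious entry would help future reviewers judge the scope.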