fix(Gitlab): Correcting support for JSON 2020 Draft with Regex

hypery2k · hypery2k · commit 06977932f68d · 2025-04-28T11:51:46.000Z
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -52,27 +52,13 @@ jobs:
           npm run clean
           npm run build
 
-      - name: Write version vars
+      - name: Test Container Image
+        id: test-image
         run: |
-          BUILD_DATE=`date -u +"%Y-%m-%dT%H:%M:%SZ"`
-          BRANCH=${GITHUB_REF_NAME#v}
-          APP_VERSION=$(cat package.json | grep version| head -1 | awk -F: '{ print $2 }' | sed 's/[",]//g')
-          echo Version: $APP_VERSION
-          echo "VERSION=$APP_VERSION" >> $GITHUB_ENV
-          echo "APP_VERSION=$APP_VERSION" >> $GITHUB_ENV
-          echo "BUILD_DATE=$BUILD_DATE" >> $GITHUB_ENV
-
-      - name: Build Container Image
-        id: build-image
-        uses: redhat-actions/buildah-build@v2
-        with:
-          image: continuoussecuritytooling/ajv-cli
-          tags: "latest next ${{env.APP_VERSION}} ${{env.APP_VERSION}}_rc"
-          containerfiles: |
-            ./Dockerfile
-          build-args: |
-            BUILD_DATE=${{env.BUILD_DATE}}
-            APP_VERSION=${{env.APP_VERSION}}
+          docker build -t continuoussecuritytooling/ajv-cli:${{github.run_number}} .
+          wget https://gitlab.com/gitlab-org/gitlab/-/raw/master/ee/app/validators/json_schemas/security_orchestration_policy.json
+          docker run -u 0 -v $(pwd):/build continuoussecuritytooling/ajv-cli:${{github.run_number}} migrate --spec=draft2020 -s /build/security_orchestration_policy.json
+          docker run -u 0 -v $(pwd):/build continuoussecuritytooling/ajv-cli:${{github.run_number}} validate --spec=draft2020 --strict=false --validate-formats=true  -c ajv-formats --unicodeRegExp=false -s /build/security_orchestration_policy.json -d /build/test/gitlab/policy.yml
 
   build-results:
     name: Build results
diff --git a/test/gitlab/policy.yml b/test/gitlab/policy.yml
@@ -0,0 +1,59 @@
+---
+approval_policy:
+  - name: security-secret-scan
+    description: "Secrets Scan"
+    enabled: true
+    rules:
+      - type: scan_finding
+        scanners:
+          - secret_detection
+        vulnerabilities_allowed: 0
+        severity_levels:
+          - critical
+          - high
+        vulnerability_states: []
+        branch_type: default
+    actions:
+      - type: send_bot_message
+        enabled: true
+    approval_settings:
+      block_branch_modification: true
+      block_group_branch_modification: true
+      prevent_pushing_and_force_pushing: true
+      prevent_approval_by_author: true
+      prevent_approval_by_commit_author: true
+      remove_approvals_with_new_commit: true
+      require_password_to_approve: false
+    fallback_behavior:
+      fail: closed
+  - name: security-sast-scan
+    description: "SAST Scan"
+    enabled: true
+    policy_scope:
+      projects:
+        excluding:
+          - id: 1
+          - id: 2
+    rules:
+      - type: scan_finding
+        scanners:
+          - sast
+        vulnerabilities_allowed: 0
+        severity_levels:
+          - critical
+          - high
+        vulnerability_states: []
+        branch_type: default
+    actions:
+      - type: send_bot_message
+        enabled: true
+    approval_settings:
+      block_branch_modification: true
+      block_group_branch_modification: true
+      prevent_pushing_and_force_pushing: true
+      prevent_approval_by_author: true
+      prevent_approval_by_commit_author: true
+      remove_approvals_with_new_commit: true
+      require_password_to_approve: false
+    fallback_behavior:
+      fail: closed
