Merge pull request #1 from kusaridev/pxp928-add-ci-template

add ci template for gitlab and github

Author: pxp928

.github/workflows/kusari-scan-v1.yml

@@ -0,0 +1,134 @@
+# Kusari GitHub Actions Reusable Workflow
+#
+# This workflow provides automated security scanning for pull requests using Kusari Inspector.
+# It automatically posts scan results as comments on pull requests when issues are found.
+#
+# USAGE:
+#   Create a workflow file in your repository (e.g., .github/workflows/kusari-scan.yml):
+#
+#   name: Kusari Security Scan
+#   on:
+#     pull_request:
+#       branches: [main, master]
+#
+#   jobs:
+#     kusari-scan:
+#       uses: kusaridev/kusari-ci-templates/.github/workflows/kusari-scan-v1.yml@v1
+#       permissions:
+#         contents: read
+#         pull-requests: write
+#       secrets:
+#         KUSARI_CLIENT_ID: ${{ secrets.KUSARI_CLIENT_ID }}
+#         KUSARI_CLIENT_SECRET: ${{ secrets.KUSARI_CLIENT_SECRET }}
+#       with:
+#         fail_on_issues: false
+#         post_comment: true
+#
+# REQUIRED SECRETS (set in GitHub repository/organization settings):
+#   - KUSARI_CLIENT_ID: Your Kusari client ID
+#   - KUSARI_CLIENT_SECRET: Your Kusari client secret
+#
+# REQUIRED PERMISSIONS:
+#   The calling workflow MUST specify these permissions:
+#     permissions:
+#       contents: read        # Required to checkout code
+#       pull-requests: write  # Required to post PR comments
+#
+# OPTIONAL INPUTS:
+#   - kusari_cli_image: Override the default Kusari CLI image
+#   - fail_on_issues: Set to true to fail workflow on security issues (default: false)
+#   - post_comment: Set to true to post results as PR comment (default: true)
+
+name: Kusari Security Scan
+
+on:
+  workflow_call:
+    inputs:
+      kusari_cli_image:
+        description: 'Kusari CLI container image'
+        required: false
+        type: string
+        default: 'ghcr.io/kusaridev/kusari-cli@sha256:955262cae4d161f68cb623b273cb9a3d589004a2e7f661b15ff0d1697e494903'
+      fail_on_issues:
+        description: 'Fail workflow if security issues are found'
+        required: false
+        type: boolean
+        default: false
+      post_comment:
+        description: 'Post scan results as PR comment'
+        required: false
+        type: boolean
+        default: true
+    secrets:
+      KUSARI_CLIENT_ID:
+        description: 'Kusari client ID'
+        required: true
+      KUSARI_CLIENT_SECRET:
+        description: 'Kusari client secret'
+        required: true
+
+jobs:
+  kusari-scan:
+    name: Kusari Security Scan
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ inputs.kusari_cli_image }}
+
+    steps:
+      - name: Install dependencies
+        run: apk add --no-cache git jq gnutar bzip2
+
+      - name: Checkout code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Fetch base branch
+        env:
+          BASE_REF: ${{ github.base_ref }}
+        run: git fetch origin "$BASE_REF"
+
+      - name: Authenticate with Kusari
+        run: kusari auth login --client-id="${{ secrets.KUSARI_CLIENT_ID }}" --client-secret="${{ secrets.KUSARI_CLIENT_SECRET }}"
+
+      - name: Run Kusari scan
+        id: scan
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          POST_COMMENT: ${{ inputs.post_comment }}
+          BASE_REF: ${{ github.base_ref }}
+        run: |
+          GITHUB_COMMENT_FLAG=""
+          if [ "$POST_COMMENT" = "true" ]; then
+            GITHUB_COMMENT_FLAG="--comment github"
+          fi
+          kusari repo scan -w --output-format sarif $GITHUB_COMMENT_FLAG . "origin/$BASE_REF" > kusari_results.sarif
+
+      - name: Display scan results
+        run: |
+          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+          echo "KUSARI SECURITY SCAN RESULTS"
+          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+          echo ""
+          COMMENT_BODY=$(jq -r '.runs[0].results[0].message.markdown // "No results found"' kusari_results.sarif)
+          echo "$COMMENT_BODY"
+          echo ""
+          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+      - name: Check for security issues
+        if: inputs.fail_on_issues
+        run: |
+          SHOULD_PROCEED=$(jq -r '.runs[0].results[0].properties.should_proceed // "true"' kusari_results.sarif)
+          if [ "$SHOULD_PROCEED" = "false" ]; then
+            echo "Security issues found - failing workflow"
+            exit 1
+          fi
+
+      - name: Upload SARIF results
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
+        if: always()
+        with:
+          name: kusari-sarif-results
+          path: kusari_results.sarif
+          retention-days: 30

.github/workflows/release.yml

@@ -0,0 +1,49 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        with:
+          persist-credentials: false
+
+      - name: Update major version tag
+        run: |
+          # Get the tag that triggered this workflow
+          TAG=${GITHUB_REF#refs/tags/}
+
+          # Extract major version (v1 from v1.0.1)
+          MAJOR_VERSION=$(echo "$TAG" | grep -oE '^v[0-9]+')
+
+          if [ -z "$MAJOR_VERSION" ]; then
+            echo "Could not extract major version from tag: $TAG"
+            exit 1
+          fi
+
+          echo "Full tag: $TAG"
+          echo "Major version tag: $MAJOR_VERSION"
+
+          # Configure git
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          # Delete the major version tag locally if it exists
+          git tag -d "$MAJOR_VERSION" 2>/dev/null || true
+
+          # Create the major version tag pointing to current commit
+          git tag "$MAJOR_VERSION"
+
+          # Force push the major version tag
+          git push origin "$MAJOR_VERSION" --force
+
+          echo "Successfully updated $MAJOR_VERSION to point to $TAG"

README.md

@@ -1 +1,112 @@
-# kusari-ci-templates
+# Kusari CI/CD Templates
+
+Reusable CI/CD templates for integrating [Kusari Inspector](https://www.kusari.dev/inspector) security scanning into your GitLab and GitHub workflows. These templates automatically scan pull requests and merge requests for security vulnerabilities and post results as comments.
+
+## Features
+
+- **Automated Security Scanning**: Runs on every pull/merge request
+- **Auto-commenting**: Posts scan results directly to PRs/MRs when issues are found
+- **SARIF Output**: Generates industry-standard SARIF reports
+- **Configurable**: Control failure behavior and comment posting
+- **Zero Setup**: Just add secrets and include the template
+
+## Available Templates
+
+### GitLab CI/CD Template
+
+Location: [`gitlab/kusari-scan-v1.yml`](gitlab/kusari-scan-v1.yml)
+
+**Usage:**
+
+```yaml
+# .gitlab-ci.yml
+include:
+  - remote: 'https://raw.githubusercontent.com/kusaridev/kusari-ci-templates/v1/gitlab/kusari-scan-v1.yml'
+```
+
+**Required Setup:**
+1. Add CI/CD variables in GitLab (Settings > CI/CD > Variables):
+   - `KUSARI_CLIENT_ID`: Your Kusari client ID
+   - `KUSARI_CLIENT_SECRET`: Your Kusari client secret (mark as masked)
+
+2. For MR comments, choose one option:
+   - **Option A (Recommended)**: Create a Project Access Token with `api` scope and add as `GITLAB_TOKEN` variable
+   - **Option B**: Enable CI job token API access in Settings > CI/CD > Token Access
+
+See [`gitlab/kusari-scan-v1.yml`](gitlab/kusari-scan-v1.yml) for detailed configuration options.
+
+---
+
+### GitHub Actions Reusable Workflow
+
+Location: [`.github/workflows/kusari-scan-v1.yml`](.github/workflows/kusari-scan-v1.yml)
+
+**Usage:**
+
+Create `.github/workflows/kusari-scan.yml` in your repository:
+
+```yaml
+name: Kusari Security Scan
+
+on:
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  kusari-scan:
+    uses: kusaridev/kusari-ci-templates/.github/workflows/kusari-scan-v1.yml@v1
+    permissions:
+      contents: read
+      pull-requests: write  # Required for PR comments
+    secrets:
+      KUSARI_CLIENT_ID: ${{ secrets.KUSARI_CLIENT_ID }}
+      KUSARI_CLIENT_SECRET: ${{ secrets.KUSARI_CLIENT_SECRET }}
+    with:
+      fail_on_issues: false  # Optional: fail workflow on security issues
+      post_comment: true     # Optional: post results as PR comment
+```
+
+**Required Setup:**
+1. Add repository secrets (Settings > Secrets and variables > Actions):
+   - `KUSARI_CLIENT_ID`: Your Kusari client ID
+   - `KUSARI_CLIENT_SECRET`: Your Kusari client secret
+
+2. Ensure the workflow has `pull-requests: write` permission for commenting
+
+See [`.github/workflows/kusari-scan-v1.yml`](.github/workflows/kusari-scan-v1.yml) for detailed configuration options.
+
+## Configuration Options
+
+| Option | GitLab | GitHub | Description | Default |
+|--------|--------|--------|-------------|---------|
+| Fail on issues | `KUSARI_FAIL_ON_ISSUES` | `fail_on_issues` | Fail pipeline/workflow when security issues found | `false` |
+| Post comment | `KUSARI_POST_COMMENT` | `post_comment` | Post scan results as MR/PR comment | `true` |
+| CLI image | `KUSARI_CLI_IMAGE` | `kusari_cli_image` | Override default Kusari CLI container image | Latest stable |
+
+## Getting Kusari Credentials
+
+To use these templates, you need Kusari Inspector credentials:
+
+1. Sign up at [https://us.kusari.cloud/signup](https://us.kusari.cloud/signup)
+2. Get your `KUSARI_CLIENT_ID` and `KUSARI_CLIENT_SECRET`
+3. Add them to your CI/CD platform's secrets/variables
+
+## Enterprise / Self-Hosted Setup
+
+For air-gapped or self-hosted environments:
+
+1. Mirror `ghcr.io/kusaridev/kusari-cli` to your internal container registry
+2. Copy the template files to your internal Git repository
+3. Update the `KUSARI_CLI_IMAGE` / `kusari_cli_image` to point to your internal registry
+4. Include/reference from your internal location
+
+## Support
+
+- Documentation: [https://docs.us.kusari.cloud/Inspector/](https://docs.us.kusari.cloud/Inspector/)
+- Website: [https://www.kusari.dev/inspector](https://www.kusari.dev/inspector)
+
+## Version Tagging
+
+This repository uses major version tags for easy updates:
+- Use `@v1` to always get the latest v1.x.x release
+- Use `@v1.0.1` to pin to a specific version

gitlab/kusari-scan-v1.yml

@@ -0,0 +1,93 @@
+# Kusari GitLab CI/CD Template
+#
+# This template provides automated security scanning for merge requests using Kusari Inspector.
+# It automatically posts scan results as comments on merge requests when issues are found.
+#
+# PUBLIC GITLAB.COM USAGE:
+#   include:
+#     - remote: 'https://raw.githubusercontent.com/kusaridev/kusari-cli/v0.17.9/ci-templates/gitlab/kusari-scan.yml'
+#
+# ENTERPRISE/SELF-HOSTED GITLAB USAGE:
+#   1. Mirror ghcr.io/kusaridev/kusari-cli to your internal container registry
+#   2. Copy this file to your internal GitLab instance (e.g., gitlab.corp.com/platform/ci-templates)
+#   3. Update KUSARI_CLI_IMAGE variable to point to your internal registry
+#   4. Include in your projects:
+#
+#   include:
+#     - project: 'platform/ci-templates'
+#       ref: 'main'
+#       file: '/gitlab/kusari-scan.yml'
+#
+# REQUIRED CI/CD VARIABLES (set in GitLab project/group settings):
+#   - KUSARI_CLIENT_ID: Your Kusari client ID
+#   - KUSARI_CLIENT_SECRET: Your Kusari client secret (mark as masked)
+#
+# REQUIRED FOR MR COMMENTS (choose one option):
+#   Option A - Use a GitLab Token (Recommended):
+#     1. Create a Project Access Token or Personal Access Token with 'api' scope
+#        (Settings > Access Tokens > Add new token > Select 'api' scope)
+#     2. Add the token as a CI/CD variable named GITLAB_TOKEN (mark as masked)
+#        (Settings > CI/CD > Variables > Add variable)
+#
+#   Option B - Enable CI_JOB_TOKEN API Access:
+#     1. Go to Settings > CI/CD > Token Access
+#     2. Enable "Allow CI job tokens from this project to access this project's API"
+#     Note: This option has more limited permissions and may not work in all scenarios
+#
+# OPTIONAL VARIABLES:
+#   - KUSARI_CLI_IMAGE: Override the default Kusari CLI image
+#   - KUSARI_FAIL_ON_ISSUES: Set to "true" to fail pipeline on security issues (default: "false")
+#   - KUSARI_POST_COMMENT: Set to "true" to post results as MR comment (default: "true")
+
+variables:
+  KUSARI_CLI_IMAGE: "ghcr.io/kusaridev/kusari-cli@sha256:955262cae4d161f68cb623b273cb9a3d589004a2e7f661b15ff0d1697e494903"
+  KUSARI_FAIL_ON_ISSUES: "false"
+  KUSARI_POST_COMMENT: "true"
+
+.kusari-scan:
+  image:
+    name: ${KUSARI_CLI_IMAGE}
+    entrypoint: [""]
+  stage: test
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+  before_script:
+    - apk add --no-cache git jq gnutar bzip2
+  script:
+    - git fetch origin ${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}
+    - kusari auth login --client-id="${KUSARI_CLIENT_ID}" --client-secret="${KUSARI_CLIENT_SECRET}"
+    # Run scan with GitLab comment posting (if enabled)
+    # The --comment gitlab flag will post results directly to the MR if issues are found
+    - |
+      GITLAB_COMMENT_FLAG=""
+      if [ "$KUSARI_POST_COMMENT" = "true" ]; then
+        GITLAB_COMMENT_FLAG="--comment gitlab"
+      fi
+      kusari repo scan -w --output-format sarif $GITLAB_COMMENT_FLAG . origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME} > kusari_results.sarif
+    - |
+      echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+      echo "KUSARI SECURITY SCAN RESULTS"
+      echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+      echo ""
+      COMMENT_BODY=$(jq -r '.runs[0].results[0].message.markdown // "No results found"' kusari_results.sarif)
+      SHOULD_PROCEED=$(jq -r '.runs[0].results[0].properties.should_proceed // "true"' kusari_results.sarif)
+      echo "$COMMENT_BODY"
+      echo ""
+      echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    - |
+      SHOULD_PROCEED=$(jq -r '.runs[0].results[0].properties.should_proceed // "true"' kusari_results.sarif)
+      if [ "$KUSARI_FAIL_ON_ISSUES" = "true" ] && [ "$SHOULD_PROCEED" = "false" ]; then
+        echo "Security issues found - failing pipeline"
+        exit 1
+      fi
+  artifacts:
+    reports:
+      sast: kusari_results.sarif
+    paths:
+      - kusari_results.sarif
+    expire_in: 30 days
+    when: always
+
+kusari-repo-scan:
+  extends: .kusari-scan
+  allow_failure: true