From 270b565f2552a9175287ea4fe68d8149aa755f63 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Thu, 12 Jun 2025 04:50:23 +0100 Subject: [PATCH 01/30] added sonar for SAST --- cloudbuild.yaml | 39 ++++++++++++++++----------------------- 1 file changed, 16 insertions(+), 23 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index b145e86..d158c0b 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -1,26 +1,19 @@ steps: - # Step 1: Compile the Go Application - - name: 'gcr.io/cloud-builders/go' - id: 'Compile application' - env: ['GOPATH=/gopath'] - args: ['build', '-o', 'main', 'main.go'] + - name: 'golang:1.19.1' + entrypoint: 'sh' + args: ['-c', 'go mod tidy && go build -o opsgo'] - # Step 2: Build the Docker image for the Go application - - name: 'gcr.io/cloud-builders/docker' - id: 'Build Docker image' - args: ['build', '-t', '-docker.pkg.dev/$PROJECT_ID/my-repository/hello-cloudbuild:', '.'] - - # Step 3: Push the Docker image to Artifact Registry - - name: 'gcr.io/cloud-builders/docker' - id: 'Push Docker image' - args: ['push', '-docker.pkg.dev/$PROJECT_ID/my-repository/hello-cloudbuild:'] - - # Step 4: Apply the production deployment YAML file to the production namespace - - name: 'gcr.io/cloud-builders/kubectl' - id: 'Deploy' - args: ['-n', 'prod', 'apply', '-f', 'prod/deployment.yaml'] + - name: 'docker.io/sonarsource/sonar-scanner-cli' + entrypoint: 'sonar-scanner' + args: + - '-Dsonar.projectKey=opsgo' + - '-Dsonar.sources=.' + - '-Dsonar.host.url=http://34.10.176.217:9000' + - '-Dsonar.login=$SONAR_TOKEN' env: - - 'CLOUDSDK_COMPUTE_REGION=' - - 'CLOUDSDK_CONTAINER_CLUSTER=hello-cluster' -options: - logging: CLOUD_LOGGING_ONLY \ No newline at end of file + - 'SONAR_TOKEN' + +availableSecrets: + secretManager: + - versionName: projects/391675659319/secrets/SONAR_TOKEN/versions/latest + env: 'SONAR_TOKEN' From ca8aa81f62d26350cf8cd56335fccf5fd88aa415 Mon Sep 17 00:00:00 2001 
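Review bot: The new scanner step pulls `docker.io/sonarsource/sonar-scanner-cli` with no tag or digest, so each build runs whatever upstream currently publishes as latest, and the build step's `golang:1.19.1` is a mutable tag as well; pin both by digest (`name: 'docker.io/sonarsource/sonar-scanner-cli@sha256:<digest>'`) so a retagged image cannot silently change what executes against the source tree and the token. The same step sends the token to `http://34.10.176.217:9000` over plain HTTP, so `sonar.login` crosses the network in clear text; serve the SonarQube endpoint over TLS (`https://`) or reach it over a private network, and note that every later patch keeps this URL. The step also references `$SONAR_TOKEN` inside `args`, which Cloud Build reads as a substitution rather than a shell variable, and lists the secret under `env:` where `secretEnv:` is needed; both are corrected in later patches of the series.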
From: pbashizi Date: Thu, 12 Jun 2025 05:20:22 +0100 Subject: [PATCH 02/30] added sonar for SAST --- cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index d158c0b..254cd55 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -14,6 +14,6 @@ steps: - 'SONAR_TOKEN' availableSecrets: - secretManager: + secretManager:git reset HEAD~1 - versionName: projects/391675659319/secrets/SONAR_TOKEN/versions/latest env: 'SONAR_TOKEN' From eb6e815ea65c85ba2d497bf42f13d7e6edc34f46 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Thu, 12 Jun 2025 05:24:31 +0100 Subject: [PATCH 03/30] added sonar for SAST, fixed typo --- cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 254cd55..d158c0b 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -14,6 +14,6 @@ steps: - 'SONAR_TOKEN' availableSecrets: - secretManager:git reset HEAD~1 + secretManager: - versionName: projects/391675659319/secrets/SONAR_TOKEN/versions/latest env: 'SONAR_TOKEN' From eb534e5fd8f562ba2b92211eeefc9600688a9d36 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Thu, 12 Jun 2025 05:29:55 +0100 Subject: [PATCH 04/30] added the option CLOUD_LOGGING_ONLY --- cloudbuild.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index d158c0b..046dd5e 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -1,3 +1,6 @@ +options: + logging: CLOUD_LOGGING_ONLY + steps: - name: 'golang:1.19.1' entrypoint: 'sh' From 4dad629940d240d0cd9bfa1242d24e0386f809bb Mon Sep 17 00:00:00 2001 From: pbashizi Date: Thu, 12 Jun 2025 05:34:11 +0100 Subject: [PATCH 05/30] fix var refs --- cloudbuild.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 046dd5e..0146389 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml 
@@ -14,9 +14,9 @@ steps: - '-Dsonar.host.url=http://34.10.176.217:9000' - '-Dsonar.login=$SONAR_TOKEN' env: - - 'SONAR_TOKEN' + - '$SONAR_TOKEN' availableSecrets: secretManager: - versionName: projects/391675659319/secrets/SONAR_TOKEN/versions/latest - env: 'SONAR_TOKEN' + env: '$SONAR_TOKEN' From b3448ac48621dd65d32ad7bb8932fab9dcd5785b Mon Sep 17 00:00:00 2001 From: pbashizi Date: Thu, 12 Jun 2025 05:35:02 +0100 Subject: [PATCH 06/30] fix var refs --- cloudbuild.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 0146389..046dd5e 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -14,9 +14,9 @@ steps: - '-Dsonar.host.url=http://34.10.176.217:9000' - '-Dsonar.login=$SONAR_TOKEN' env: - - '$SONAR_TOKEN' + - 'SONAR_TOKEN' availableSecrets: secretManager: - versionName: projects/391675659319/secrets/SONAR_TOKEN/versions/latest - env: '$SONAR_TOKEN' + env: 'SONAR_TOKEN' From c3bd2c2c2351de7723648af22ecfeca46a509e47 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Thu, 12 Jun 2025 05:44:18 +0100 Subject: [PATCH 07/30] refactor the config and add docs --- cloudbuild.yaml | 37 +++++++++++++++++++++++++++++++------ 1 file changed, 31 insertions(+), 6 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 046dd5e..900329c 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml 
@@ -1,22 +1,47 @@ +# Cloud Build configuration to build a Go application and run a SonarQube scan. + options: + # Configure logging for the build. + # CLOUD_LOGGING_ONLY sends logs exclusively to Cloud Logging, + # useful for centralized log management. logging: CLOUD_LOGGING_ONLY steps: + # Step 1: Build the Go application + # Uses the official Golang Docker image to manage dependencies and compile the binary. - name: 'golang:1.19.1' entrypoint: 'sh' - args: ['-c', 'go mod tidy && go build -o opsgo'] + args: + # 'go mod tidy' ensures module dependencies are consistent. + # 'go build -o opsgo' compiles the Go application into an executable named 'opsgo'. + - '-c' + - 'go mod tidy && go build -o opsgo' + id: 'build-go-app' # A unique identifier for this step, helpful for dependencies. + # Step 2: Run SonarQube analysis + # Uses the SonarScanner CLI Docker image to perform code analysis. - name: 'docker.io/sonarsource/sonar-scanner-cli' entrypoint: 'sonar-scanner' args: + # Define the SonarQube project key. - '-Dsonar.projectKey=opsgo' + # Specify the source directory for analysis (current directory). - '-Dsonar.sources=.' + # Provide the URL of your SonarQube server. - '-Dsonar.host.url=http://34.10.176.217:9000' + # Pass the SonarQube authentication token. + # '$SONAR_TOKEN' is automatically populated from the availableSecret. - '-Dsonar.login=$SONAR_TOKEN' - env: - - 'SONAR_TOKEN' + id: 'run-sonar-scan' # A unique identifier for this step. availableSecrets: - secretManager: - - versionName: projects/391675659319/secrets/SONAR_TOKEN/versions/latest - env: 'SONAR_TOKEN' + # Define secrets to be made available during the build process. + # These secrets are securely fetched from Google Secret Manager. + - secretManager: + # Specifies the full resource path to the secret version in Secret Manager. + # Cloud Build will fetch the 'latest' version of the 'SONAR_TOKEN' secret + # from the specified project. 
+ version: projects/391675659319/secrets/SONAR_TOKEN/versions/latest + # Exposes the secret's value as an environment variable named 'SONAR_TOKEN' + # to all subsequent build steps. This allows the sonar-scanner step to use it directly. + env: 'SONAR_TOKEN' \ No newline at end of file From 02ae0679574354ac3f8eb3658801ac0422023cf0 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Thu, 12 Jun 2025 05:56:54 +0100 Subject: [PATCH 08/30] refactor the config and add docs --- cloudbuild.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 900329c..dca2f3d 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -16,6 +16,7 @@ steps: # 'go build -o opsgo' compiles the Go application into an executable named 'opsgo'. - '-c' - 'go mod tidy && go build -o opsgo' + secretEnv: ['SONAR_TOKEN'] id: 'build-go-app' # A unique identifier for this step, helpful for dependencies. # Step 2: Run SonarQube analysis @@ -37,11 +38,11 @@ steps: availableSecrets: # Define secrets to be made available during the build process. # These secrets are securely fetched from Google Secret Manager. - - secretManager: + secretManager: # Specifies the full resource path to the secret version in Secret Manager. # Cloud Build will fetch the 'latest' version of the 'SONAR_TOKEN' secret # from the specified project. - version: projects/391675659319/secrets/SONAR_TOKEN/versions/latest + - versionName: projects/$PROJECT_ID/secrets/SONAR_TOKEN/versions/latest # Exposes the secret's value as an environment variable named 'SONAR_TOKEN' # to all subsequent build steps. This allows the sonar-scanner step to use it directly. - env: 'SONAR_TOKEN' \ No newline at end of file + - env: 'SONAR_TOKEN' \ No newline at end of file From 496f4d7dd966ad966184566e58e01e95c10f9392 Mon Sep 17 00:00:00 2001 
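Review bot: The comment added above `env: 'SONAR_TOKEN'` says the value is exposed "to all subsequent build steps", but Cloud Build only injects an `availableSecrets` entry into steps that list it under `secretEnv`, and this patch removes the step-level reference without adding one, so the scanner step has no token here at all. Reword it to `# Exposes the secret as $$SONAR_TOKEN only in steps that list it under secretEnv.`; the misleading text is still unchanged in patch 28's hunk. The `- secretManager:` list form and the `version:` key also do not match the Cloud Build schema, which expects a `secretManager:` mapping holding `versionName:`/`env:` entries, as the removed lines had; patch 08 corrects those.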
From: pbashizi Date: Thu, 12 Jun 2025 06:01:34 +0100 Subject: [PATCH 09/30] refactor the config and add docs 2 --- cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index dca2f3d..b7edade 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -16,7 +16,6 @@ steps: # 'go build -o opsgo' compiles the Go application into an executable named 'opsgo'. - '-c' - 'go mod tidy && go build -o opsgo' - secretEnv: ['SONAR_TOKEN'] id: 'build-go-app' # A unique identifier for this step, helpful for dependencies. # Step 2: Run SonarQube analysis @@ -33,6 +32,7 @@ steps: # Pass the SonarQube authentication token. # '$SONAR_TOKEN' is automatically populated from the availableSecret. - '-Dsonar.login=$SONAR_TOKEN' + secretEnv: ['SONAR_TOKEN'] id: 'run-sonar-scan' # A unique identifier for this step. availableSecrets: From df51c3c9c41c69ef8c5021db46e53271a6a091ba Mon Sep 17 00:00:00 2001 From: pbashizi Date: Thu, 12 Jun 2025 06:07:24 +0100 Subject: [PATCH 10/30] refactor the config and add docs 3 --- cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index b7edade..92fded8 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -42,7 +42,7 @@ availableSecrets: # Specifies the full resource path to the secret version in Secret Manager. # Cloud Build will fetch the 'latest' version of the 'SONAR_TOKEN' secret # from the specified project. - - versionName: projects/$PROJECT_ID/secrets/SONAR_TOKEN/versions/latest + - versionName: projects/391675659319/secrets/SONAR_TOKEN/versions/latest # Exposes the secret's value as an environment variable named 'SONAR_TOKEN' # to all subsequent build steps. This allows the sonar-scanner step to use it directly. - env: 'SONAR_TOKEN' \ No newline at end of file From 1519f37364ce9abc78dfc087e984844be6f9976a Mon Sep 17 00:00:00 2001 
From: pbashizi Date: Sat, 14 Jun 2025 18:52:07 +0100 Subject: [PATCH 11/30] updated cloudbuild docs and created a Secret Manager Accessor IAM permission for the service account --- cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 92fded8..8ae0d26 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -8,7 +8,7 @@ options: steps: # Step 1: Build the Go application - # Uses the official Golang Docker image to manage dependencies and compile the binary. + # Uses the official ( but old version by purpose ) Golang Docker image to manage dependencies and compile the binary. - name: 'golang:1.19.1' entrypoint: 'sh' args: From 3fa1bedca40a72bf66cc8878de0c925a6f53d482 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sat, 14 Jun 2025 19:35:52 +0100 Subject: [PATCH 12/30] fix synthax error --- cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 8ae0d26..c2c43c0 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -45,4 +45,4 @@ availableSecrets: - versionName: projects/391675659319/secrets/SONAR_TOKEN/versions/latest # Exposes the secret's value as an environment variable named 'SONAR_TOKEN' # to all subsequent build steps. This allows the sonar-scanner step to use it directly. - - env: 'SONAR_TOKEN' \ No newline at end of file + env: 'SONAR_TOKEN' \ No newline at end of file From 98d0ae3091defa4e09af9d640b8c4bba654b311d Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sat, 14 Jun 2025 21:06:42 +0100 Subject: [PATCH 13/30] fix synthax error --- cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index c2c43c0..dac38db 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml 
@@ -31,7 +31,7 @@ steps: - '-Dsonar.host.url=http://34.10.176.217:9000' # Pass the SonarQube authentication token. # '$SONAR_TOKEN' is automatically populated from the availableSecret. - - '-Dsonar.login=$SONAR_TOKEN' + - '-Dsonar.login=$$SONAR_TOKEN' secretEnv: ['SONAR_TOKEN'] id: 'run-sonar-scan' # A unique identifier for this step. From 1c8f93d1d5e803b33d4d6e9b44b4f3e6ddc41177 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sat, 14 Jun 2025 21:14:34 +0100 Subject: [PATCH 14/30] fix golang version format --- cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index dac38db..fa0b5d3 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -9,7 +9,7 @@ options: steps: # Step 1: Build the Go application # Uses the official ( but old version by purpose ) Golang Docker image to manage dependencies and compile the binary. - - name: 'golang:1.19.1' + - name: 'golang:1.19' entrypoint: 'sh' args: # 'go mod tidy' ensures module dependencies are consistent. From a55cf1a520d192b4ed500ac4e3f61b7f168d5fc1 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sat, 14 Jun 2025 21:34:34 +0100 Subject: [PATCH 15/30] fix golang version in gomod --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index e6a7c03..dc80299 100644 --- a/go.mod +++ b/go.mod @@ -1,3 +1,3 @@ module opsgo -go 1.24.2 +go 1.19 From a8ae57da1118d42e551a9d15449db14896a2e361 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sat, 14 Jun 2025 22:05:22 +0100 Subject: [PATCH 16/30] fix snarqube project id --- cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index fa0b5d3..3fe7c88 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml 
@@ -24,7 +24,7 @@ steps: entrypoint: 'sonar-scanner' args: # Define the SonarQube project key. - - '-Dsonar.projectKey=opsgo' + - '-Dsonar.projectKey=opsgo-sonar' # Specify the source directory for analysis (current directory). - '-Dsonar.sources=.' # Provide the URL of your SonarQube server. From 3dcd8af37b86578bf1e4f936d96a150cdeb86812 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sat, 14 Jun 2025 22:29:24 +0100 Subject: [PATCH 17/30] debugging sonar token --- cloudbuild.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 3fe7c88..320fde4 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -18,6 +18,17 @@ steps: - 'go mod tidy && go build -o opsgo' id: 'build-go-app' # A unique identifier for this step, helpful for dependencies. + - name: 'alpine' + entrypoint: 'sh' + args: + - '-c' + - | + echo "🔍 SONAR_TOKEN is set." + echo "Starts with: $${SONAR_TOKEN:0:4}" + secretEnv: ['SONAR_TOKEN'] + id: 'debug-secret' + + # Step 2: Run SonarQube analysis # Uses the SonarScanner CLI Docker image to perform code analysis. - name: 'docker.io/sonarsource/sonar-scanner-cli' From 01c589847f1e45e2323c1c26571a5582dc71a07d Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sat, 14 Jun 2025 22:57:04 +0100 Subject: [PATCH 18/30] debugging sonar token --- cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 320fde4..b327b48 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -41,7 +41,7 @@ steps: # Provide the URL of your SonarQube server. - '-Dsonar.host.url=http://34.10.176.217:9000' # Pass the SonarQube authentication token. - # '$SONAR_TOKEN' is automatically populated from the availableSecret. + # '$SONAR_TOKEN' is the sonar user token automatically populated from the availableSecret. - '-Dsonar.login=$$SONAR_TOKEN' secretEnv: ['SONAR_TOKEN'] id: 'run-sonar-scan' # A unique identifier for this step. 
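Review bot: The `debug-secret` step writes the first characters of the secret to the build log with `echo "Starts with: $${SONAR_TOKEN:0:4}"`, and Cloud Build logs persist in Cloud Logging where anyone with log-viewer access can read them; partial credential material is still credential material, and Cloud Build does not redact values a step prints. Check presence without printing any of the value, e.g. `[ -n "$$SONAR_TOKEN" ] && echo "SONAR_TOKEN is set" || { echo "SONAR_TOKEN is empty"; exit 1; }`. Patch 21 widens the same echo to six characters, and although patch 24 deletes the step, whatever was logged in between stays for the log retention window, so the token should be rotated.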
From dade0f862ce05597dc43f4fc9964b1bfe34a68ed Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sat, 14 Jun 2025 23:48:45 +0100 Subject: [PATCH 19/30] debugging sonar token --- cloudbuild.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index b327b48..105ae27 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -40,8 +40,8 @@ steps: - '-Dsonar.sources=.' # Provide the URL of your SonarQube server. - '-Dsonar.host.url=http://34.10.176.217:9000' - # Pass the SonarQube authentication token. - # '$SONAR_TOKEN' is the sonar user token automatically populated from the availableSecret. + # Pass the SonarQube authentication token.sqp_72f20ad3a3c4cf0b07cbdcd4bb44ec50b4f63677 + # '$SONAR_TOKEN' is automatically populated from the availableSecret. - '-Dsonar.login=$$SONAR_TOKEN' secretEnv: ['SONAR_TOKEN'] id: 'run-sonar-scan' # A unique identifier for this step. From 24e647b6adff2b3d53782800e913305d15172edd Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sat, 14 Jun 2025 23:55:42 +0100 Subject: [PATCH 20/30] debugging sonar token --- cloudbuild.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 105ae27..81e57ae 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -43,6 +43,7 @@ steps: # Pass the SonarQube authentication token.sqp_72f20ad3a3c4cf0b07cbdcd4bb44ec50b4f63677 # '$SONAR_TOKEN' is automatically populated from the availableSecret. - '-Dsonar.login=$$SONAR_TOKEN' + - '-Dsonar.password=' secretEnv: ['SONAR_TOKEN'] id: 'run-sonar-scan' # A unique identifier for this step. From 02c5cd77efc62a33e85d9e60cae9e6dc80b4531e Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sat, 14 Jun 2025 23:59:23 +0100 Subject: [PATCH 21/30] debugging sonar token --- cloudbuild.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 81e57ae..7abf640 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml 
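Review bot: The changed comment line appends what looks like a SonarQube project token (the `sqp_…` value) to `# Pass the SonarQube authentication token.`, so a credential is now committed to the repository; patch 28 removes the line again, but the value stays in git history and in every clone and mirror, so it must be revoked in SonarQube and replaced in Secret Manager regardless of the later cleanup. Keep secrets out of commented text entirely — the token is already supplied through `availableSecrets` and `$$SONAR_TOKEN` — and consider a pre-commit secret scanner on this repository so a paste like this is caught before it is pushed.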
@@ -24,7 +24,7 @@ steps: - '-c' - | echo "🔍 SONAR_TOKEN is set." - echo "Starts with: $${SONAR_TOKEN:0:4}" + echo "Starts with: $${SONAR_TOKEN:0:6}" secretEnv: ['SONAR_TOKEN'] id: 'debug-secret' @@ -42,8 +42,7 @@ steps: - '-Dsonar.host.url=http://34.10.176.217:9000' # Pass the SonarQube authentication token.sqp_72f20ad3a3c4cf0b07cbdcd4bb44ec50b4f63677 # '$SONAR_TOKEN' is automatically populated from the availableSecret. - - '-Dsonar.login=$$SONAR_TOKEN' - - '-Dsonar.password=' + - '-Dsonar.token=$$SONAR_TOKEN' secretEnv: ['SONAR_TOKEN'] id: 'run-sonar-scan' # A unique identifier for this step. From 71da9146050c623c9e69376d241424bd4cc23c0f Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sun, 15 Jun 2025 01:14:49 +0100 Subject: [PATCH 22/30] set sonar working directory --- cloudbuild.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 7abf640..bc137ab 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -38,6 +38,8 @@ steps: - '-Dsonar.projectKey=opsgo-sonar' # Specify the source directory for analysis (current directory). - '-Dsonar.sources=.' + # Set the working directory for SonarQube + - '-Dsonar.working.directory=.sonar' # Provide the URL of your SonarQube server. - '-Dsonar.host.url=http://34.10.176.217:9000' # Pass the SonarQube authentication token.sqp_72f20ad3a3c4cf0b07cbdcd4bb44ec50b4f63677 From 7c48f1a7e05a23aae6f4b2ebd050e610dc67b884 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sun, 15 Jun 2025 01:28:16 +0100 Subject: [PATCH 23/30] set sonar working directory --- cloudbuild.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index bc137ab..37b1119 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml 
@@ -28,6 +28,13 @@ steps: secretEnv: ['SONAR_TOKEN'] id: 'debug-secret' + # Create the sonar dir before the SonarQube scan + - name: 'alpine' + entrypoint: 'sh' + args: + - '-c' + - 'mkdir -p .sonar && chmod 777 .sonar' + id: 'prepare-sonar-dir' # Step 2: Run SonarQube analysis # Uses the SonarScanner CLI Docker image to perform code analysis. From a16ab96d88d48242421d5afbd933eabbb92ce7b0 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sun, 15 Jun 2025 01:55:28 +0100 Subject: [PATCH 24/30] prepare a sonarqube working dir with permission before running the scam --- cloudbuild-debug.yaml | 0 cloudbuild.yaml | 18 ------------------ 2 files changed, 18 deletions(-) create mode 100644 cloudbuild-debug.yaml diff --git a/cloudbuild-debug.yaml b/cloudbuild-debug.yaml new file mode 100644 index 0000000..e69de29 diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 37b1119..ca500d2 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -18,24 +18,6 @@ steps: - 'go mod tidy && go build -o opsgo' id: 'build-go-app' # A unique identifier for this step, helpful for dependencies. - - name: 'alpine' - entrypoint: 'sh' - args: - - '-c' - - | - echo "🔍 SONAR_TOKEN is set." - echo "Starts with: $${SONAR_TOKEN:0:6}" - secretEnv: ['SONAR_TOKEN'] - id: 'debug-secret' - - # Create the sonar dir before the SonarQube scan - - name: 'alpine' - entrypoint: 'sh' - args: - - '-c' - - 'mkdir -p .sonar && chmod 777 .sonar' - id: 'prepare-sonar-dir' - # Step 2: Run SonarQube analysis # Uses the SonarScanner CLI Docker image to perform code analysis. - name: 'docker.io/sonarsource/sonar-scanner-cli' From 0bfc88a6c9bcf21b319d102853cc07c23050e86a Mon Sep 17 00:00:00 2001 From: pbashizi Date: Sun, 15 Jun 2025 02:45:25 +0100 Subject: [PATCH 25/30] factorize the project_id --- cloudbuild.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index ca500d2..975dc8f 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml 
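Review bot: The new `prepare-sonar-dir` step runs `mkdir -p .sonar && chmod 777 .sonar`, which leaves the scanner's working directory world-writable for the rest of the build; the workspace is ephemeral so the exposure is small, but 777 is a blunt answer to what is presumably a uid mismatch between the scanner image's user and the workspace owner. If that mismatch is confirmed, prefer a narrower fix such as `chown` to the uid the scanner image runs as, and record the reason in the step comment. This step is dropped in patch 24 and re-added unchanged in patch 25, where the same point applies, and `alpine` is another unpinned image tag in this file.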
@@ -18,7 +18,16 @@ steps: - 'go mod tidy && go build -o opsgo' id: 'build-go-app' # A unique identifier for this step, helpful for dependencies. - # Step 2: Run SonarQube analysis + # Step 2.1: Run SonarQube analysis + # Create the sonar dir before the SonarQube scan + - name: 'alpine' + entrypoint: 'sh' + args: + - '-c' + - 'mkdir -p .sonar && chmod 777 .sonar' + id: 'prepare-sonar-dir' + + # Step 2.2: Run SonarQube analysis # Uses the SonarScanner CLI Docker image to perform code analysis. - name: 'docker.io/sonarsource/sonar-scanner-cli' entrypoint: 'sonar-scanner' @@ -44,7 +53,7 @@ availableSecrets: # Specifies the full resource path to the secret version in Secret Manager. # Cloud Build will fetch the 'latest' version of the 'SONAR_TOKEN' secret # from the specified project. - - versionName: projects/391675659319/secrets/SONAR_TOKEN/versions/latest + - versionName: projects/$PROJECT_ID/secrets/SONAR_TOKEN/versions/latest # Exposes the secret's value as an environment variable named 'SONAR_TOKEN' # to all subsequent build steps. This allows the sonar-scanner step to use it directly. env: 'SONAR_TOKEN' \ No newline at end of file From 7fadac04dcb6c7bf0504d8a13678b21f3866b385 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Wed, 18 Jun 2025 15:47:59 +0100 Subject: [PATCH 26/30] added a code smell on purpose --- main.go | 1 + 1 file changed, 1 insertion(+) diff --git a/main.go b/main.go index 3bc6b17..3983425 100644 --- a/main.go +++ b/main.go @@ -28,6 +28,7 @@ import ( const port string = ":8080" func main() { + var unused int // This will trigger a code smell warning http.HandleFunc("/blue", blueHandler) fmt.Println("Listening on port " + port) http.ListenAndServe(port, nil) From d8019072a68678a4d054dc874547b163d8382197 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Wed, 18 Jun 2025 16:57:31 +0100 Subject: [PATCH 27/30] added hardcoded creds by purpose --- main.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
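Review bot: `var unused int` is not a code smell in Go but a compile error — the compiler rejects any local variable that is declared and never used — so `go build -o opsgo` in the `build-go-app` step fails and the scanner never runs. If the intent is a finding that still compiles, use a construct the compiler accepts but analyzers flag, such as an unused function parameter or an empty branch like `if port == "" { }`; patch 27 replaces this line anyway. `main` continues outside the hunk, and the existing `http.ListenAndServe(port, nil)` already discards its error, which is itself a finding the scanner is likely to report.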
diff --git a/main.go b/main.go index 3983425..22fc848 100644 --- a/main.go +++ b/main.go @@ -28,7 +28,9 @@ import ( const port string = ":8080" func main() { - var unused int // This will trigger a code smell warning + password := "SuperSecret123!" // 🔥 Insecure: hardcoded credentials + fmt.Println("Authenticating with password:", password) + http.HandleFunc("/blue", blueHandler) fmt.Println("Listening on port " + port) http.ListenAndServe(port, nil) From 3931d84fda1daae6ffd7f444f16fb21040b04052 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Wed, 18 Jun 2025 18:10:34 +0100 Subject: [PATCH 28/30] make cloud build fail if sonar scan fais --- cloudbuild.yaml | 39 ++++++++++++++++++++++++++++++--------- 1 file changed, 30 insertions(+), 9 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 975dc8f..36da612 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -8,7 +8,7 @@ options: steps: # Step 1: Build the Go application - # Uses the official ( but old version by purpose ) Golang Docker image to manage dependencies and compile the binary. + # Uses the official (but old version by purpose) Golang Docker image to manage dependencies and compile the binary. - name: 'golang:1.19' entrypoint: 'sh' args: @@ -18,8 +18,8 @@ steps: - 'go mod tidy && go build -o opsgo' id: 'build-go-app' # A unique identifier for this step, helpful for dependencies. - # Step 2.1: Run SonarQube analysis - # Create the sonar dir before the SonarQube scan + # Step 2.1: Prepare SonarQube working directory + # Creates the .sonar directory with proper permissions before running the scan. - name: 'alpine' entrypoint: 'sh' args: 
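Review bot: The fixture prints the credential itself — `fmt.Println("Authenticating with password:", password)` — so if this binary is ever run, the value goes to stdout and from there into container logs, a second finding on top of the hard-coded literal the commit intends to plant. Since the commit says this is deliberate, label it as a fixture in the comment (for example `// SAST fixture, intentionally insecure: do not deploy`) so it is not mistaken for production code, and keep it off any branch the pipeline deploys. `main` continues outside the hunk.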
@@ -36,23 +36,44 @@ steps: - '-Dsonar.projectKey=opsgo-sonar' # Specify the source directory for analysis (current directory). - '-Dsonar.sources=.' - # Set the working directory for SonarQube + # Set the working directory for SonarQube (where temp files are stored). - '-Dsonar.working.directory=.sonar' # Provide the URL of your SonarQube server. - '-Dsonar.host.url=http://34.10.176.217:9000' - # Pass the SonarQube authentication token.sqp_72f20ad3a3c4cf0b07cbdcd4bb44ec50b4f63677 - # '$SONAR_TOKEN' is automatically populated from the availableSecret. + # Pass the SonarQube authentication token. + # '$$SONAR_TOKEN' is automatically populated from the availableSecret. - '-Dsonar.token=$$SONAR_TOKEN' secretEnv: ['SONAR_TOKEN'] id: 'run-sonar-scan' # A unique identifier for this step. + # Step 2.3: Verify SonarQube Quality Gate Status + # Checks if the SonarQube quality gate passed (fails build if not). + - name: 'curlimages/curl' + entrypoint: 'sh' + args: + - '-c' + - | + # Wait a few seconds for SonarQube to process the analysis. + sleep 10 + # Fetch the quality gate status using the SonarQube API. + RESULT=$(curl -s -u "$$SONAR_TOKEN:" "http://34.10.176.217:9000/api/qualitygates/project_status?projectKey=opsgo-sonar" | jq -r '.projectStatus.status') + # Fail the build if the quality gate status is not "OK". + if [ "$RESULT" != "OK" ]; then + echo "❌ SonarQube Quality Gate Failed: $RESULT" + exit 1 + else + echo "✅ SonarQube Quality Gate Passed" + fi + secretEnv: ['SONAR_TOKEN'] + id: 'check-quality-gate' + availableSecrets: # Define secrets to be made available during the build process. # These secrets are securely fetched from Google Secret Manager. secretManager: - # Specifies the full resource path to the secret version in Secret Manager. - # Cloud Build will fetch the 'latest' version of the 'SONAR_TOKEN' secret - # from the specified project. + # Specifies the full resource path to the secret version in Secret Manager. 
+ # Cloud Build will fetch the 'latest' version of the 'SONAR_TOKEN' secret + # from the specified project. - versionName: projects/$PROJECT_ID/secrets/SONAR_TOKEN/versions/latest # Exposes the secret's value as an environment variable named 'SONAR_TOKEN' # to all subsequent build steps. This allows the sonar-scanner step to use it directly. From 8ba61671369d673304c50943f059f285f4ccc5c0 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Wed, 18 Jun 2025 18:18:49 +0100 Subject: [PATCH 29/30] fix var naming --- cloudbuild.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 36da612..0783e5a 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -58,11 +58,11 @@ steps: # Fetch the quality gate status using the SonarQube API. RESULT=$(curl -s -u "$$SONAR_TOKEN:" "http://34.10.176.217:9000/api/qualitygates/project_status?projectKey=opsgo-sonar" | jq -r '.projectStatus.status') # Fail the build if the quality gate status is not "OK". - if [ "$RESULT" != "OK" ]; then - echo "❌ SonarQube Quality Gate Failed: $RESULT" + if [ "$R$ESULT" != "OK" ]; then + echo "❌ SonarQube Quality Gate Failed: $$RESULT !!" exit 1 else - echo "✅ SonarQube Quality Gate Passed" + echo "✅ SonarQube Quality Gate Passed !" fi secretEnv: ['SONAR_TOKEN'] id: 'check-quality-gate' From 23bf26df7d94f804663e89f30bf74febb48abc90 Mon Sep 17 00:00:00 2001 From: pbashizi Date: Wed, 18 Jun 2025 19:56:59 +0100 Subject: [PATCH 30/30] fix typo --- cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 0783e5a..75f3b92 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml 
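Review bot: The new `check-quality-gate` step cannot give a reliable answer: it assigns `RESULT` and then reads `"$RESULT"`, which Cloud Build parses as an undefined substitution rather than a shell variable (patches 29 and 30 arrive at `$$RESULT`), and the `sleep 10` races SonarQube's background processing, so the status read may be pending or belong to the previous analysis. `curl -s` also lacks `--fail`, and the output is piped to `jq` without that tool being known to exist in the `curlimages/curl` image; if either assumption is wrong the comparison fails on an empty string with a misleading message. The scanner already supports this check itself: add `- '-Dsonar.qualitygate.wait=true'` to the `run-sonar-scan` args, which makes the scan exit non-zero when the gate fails, and drop the curl step; that also removes a second place where the token is sent as basic auth over plain `http://`.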
@@ -58,7 +58,7 @@ steps: # Fetch the quality gate status using the SonarQube API. RESULT=$(curl -s -u "$$SONAR_TOKEN:" "http://34.10.176.217:9000/api/qualitygates/project_status?projectKey=opsgo-sonar" | jq -r '.projectStatus.status') # Fail the build if the quality gate status is not "OK". - if [ "$R$ESULT" != "OK" ]; then + if [ "$$RESULT" != "OK" ]; then echo "❌ SonarQube Quality Gate Failed: $$RESULT !!" exit 1 else