Add Relyance github action (#107012)

* add relyance workflow * add relyance config * exclude folders and patterns from scanning * add security as codeowner of relyance
1 week ago · dcea36dffc
parent b1c50d6354
commit dcea36dffc
3 changed files with 136 additions and 0 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -876,3 +876,7 @@ embed.go @grafana/grafana-as-code
 /conf/provisioning/datasources/ @grafana/plugins-platform-backend
 /conf/provisioning/plugins/ @grafana/plugins-platform-backend
 /conf/provisioning/sample/ @grafana/grafana-git-ui-sync-team
+
+# Security
+/relyance.yaml @grafana/security-team
+/.github/workflows/relyance-scan.yml @grafana/security-team
--- a/.github/workflows/relyance-scan.yml
+++ b/.github/workflows/relyance-scan.yml
@ -0,0 +1,33 @@
+name: Relyance Compliance Inspection
+on:
+  schedule:
+    - cron: '0 0 * * *' # Run daily at 00:00 UTC
+  workflow_dispatch: # Allow for manual trigger
+
+jobs:
+  relyance-compliance-inspector:
+    permissions:
+      contents: read
+      id-token: write # Needed for Vault access
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Get API key
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@5d7e361bc7e0a183cde8afe9899fb7b596d2659b # get-vault-secrets-v1.2.0
+        with:
+          repo_secrets: |
+            API_KEY=relyance:API_KEY
+
+      - name: Run Relyance scan
+        env:
+          API_KEY: "${{ fromJSON(steps.vault-secrets.outputs.secrets).API_KEY }}"
+        run: |
+          docker pull gcr.io/relyance-ext/compliance_inspector:release && \
+          docker run --rm -v ${{ github.workspace }}:/repo --env "API_KEY=${{ env.API_KEY }}" gcr.io/relyance-ext/compliance_inspector:release
--- a/relyance.yaml
+++ b/relyance.yaml
@ -0,0 +1,99 @@
+# Relyance Compliance Inspector Configuration
+
+repository: grafana/grafana
+
+# Services and Code Relationship
+# Purpose: Configuration used to visualize the code base and relationships between microservices and code.
+# Note: Directory paths are relative to the repository's root directory. 
+# Note: Need a separate entry for each microservice. See example below.
+services:
+
+
+
+# Example: Services and Code Relationship 
+# Note: Do not use below. It is an example.
+# Note: Directory paths are relative to the repository's root directory
+#- service: paymentservice
+#  source:
+#     - src/payments 
+#     - src/checkout_service
+#- service: catalogservice
+#  source:
+#     - src/catalog 
+
+
+# Source Directories to Exclude
+# Purpose: Configuration is used to exclude directories from analysis such as test directories etc.
+# Note: Directory paths are relative to the repository's root directory
+exclude:
+  # Test and development environments
+  - e2e
+  - devenv
+  - hack
+  - scripts
+  - tools
+  - pkg/tests
+
+  # Documentation and examples
+  - docs
+  - contribute
+  - grafana-mixin
+
+  # Build artifacts and dependencies
+  - packaging
+  - data
+  - bin
+  - plugins-bundled
+  - vendor
+  - node_modules
+
+  # Static UI assets
+  - public/fonts
+  - public/img
+  - public/locales
+  - public/vendor
+  - public/lib
+
+  # Configuration templates
+  - conf
+  - emails
+  - cue.mod
+  - kinds
+  - kindsv2
+
+  # Temporary and cache directories
+  - tmp
+  - cache
+  - .cache
+  - venv
+
+
+# Excluding files and directories using patterns (enable lines as needed)
+exclude_patterns:
+  # Test and mock files
+  - "**/*_test.go"
+  - "**/*.test.ts"
+  - "**/*.spec.ts"
+  - "**/testdata/**"
+  - "**/*_mock.go"
+  - "**/mocks/**"
+
+  # Generated code
+  - "**/*_gen.go"
+  - "**/wire_gen.go"
+
+  # Documentation and examples
+  - "**/*.md"
+  - "**/README.*"
+  - "**/LICENSE*"
+  - "**/*.example.*"
+
+  # System files and dependencies
+  - "**/.DS_Store"
+  - "**/*.log"
+  - "**/go.sum"
+  - "**/yarn.lock"
+
+  # Generated specs
+  - "**/swagger.json"
+  - "**/openapi*.json"