{
"$id": "services.schema.json",
"$schema": "https://json-schema.org/draft/2020-12/schema",
"description": "Artemis Service Configuration",
"type": "object",
"required": [
"services",
"repos",
"scan_orgs",
"external_orgs"
],
"properties": {
"services": {
"type": "object",
"description": "Configuration of a VCS service integration",
"required": [
"secret_loc",
"type",
"hostname",
"url",
"branch_url",
"diff_url",
"allow_all",
"api_key_add",
"use_deploy_key",
"batch_queries",
"nat_connect",
"app_integration",
"http_basic_auth",
"initial_page",
"secrets_management",
"application_metadata"
],
"properties": {
"secret_loc": {
"type": [
"string",
"null"
],
"description": "Name of the Secrets Manager key, within the application namespace, that holds the API key for this service. This file stores only the reference; the API key itself is never placed here."
},
"type": {
"type": "enum",
"value": [
"github",
"gitlab",
"bitbucket",
"ado"
],
"description": "VCS type for this service"
},
"hostname": {
"type": [
"string",
"null"
],
"description": "Hostname to put in the 'Host' header in HTTP requests"
},
"url": {
"type": "string",
"description": "API URL for this VCS service, such as https://api.github.com/graphql for GitHub"
},
"branch_url": {
"type": [
"string",
"null"
],
"description": "URL to API for doing branch operations. For example, the GitLab GraphQL endpoint is used for most operations but the REST API is used for branch information."
},
"diff_url": {
"type": [
"string",
"null"
],
"description": "URL to API for doing diff operations. For example, the GitLab GraphQL endpoint is used for most operations but the REST API is used for diff information."
},
"allow_all": {
"type": "boolean",
"description": "Whether every repo on this VCS service should be scannable. When false, only repos matching the top-level 'repos' globs are allowed. This should be set to false for public VCS hosts such as GitHub so that arbitrary public repos cannot be submitted for scanning."
},
"api_key_add": {
"type": [
"string",
"null"
],
"description": "Additional data that needs to be added to the API key. For example, because GitLab uses multiple APIs some of them need \"oauth2:$key\" and that is configured here."
},
"use_deploy_key": {
"type": "boolean",
"description": "Whether to use an SSH key instead of an API key to clone repos from this VCS service."
},
"batch_queries": {
"type": "boolean",
"description": "Whether this VCS service supports batched queries."
},
"nat_connect": {
"type": "boolean",
"description": "Whether this VCS service is scanned by engines in the NAT cluster. This is required when Artemis must reach the VCS from a single, fixed source IP (for example, because the VCS allowlists that IP)."
},
"app_integration": {
"type": "boolean",
"description": "Whether this VCS service is accessed through a GitHub App integration."
},
"http_basic_auth": {
"type": "boolean",
"description": "Whether this VCS service uses HTTP Basic authentication."
},
"initial_page": {
"type": "object",
"required": [
"cursor"
],
"properties": {
"cursor": {
"type": "string",
"description": "Initial cursor value for paging API results. This will normally be the literal string \"null\" (the field is typed as a string, not JSON null)."
}
}
},
"secrets_management": {
"type": "object",
"description": "Secrets management schemes and include/exclude globs for applying them",
"patternProperties": {
"[a-zA-Z0-9_]+": {
"type": "object",
"required": [
"include",
"exclude"
],
"properties": {
"include": {
"type": "array",
"description": "List of globs for repos that are included in this secrets management scheme.",
"items": {
"type": "string"
}
},
"exclude": {
"type": "array",
"description": "List of globs for repos that are excluded from this secrets management scheme.",
"items": {
"type": "string"
}
}
}
}
}
},
"application_metadata": {
"type": "object",
"description": "Application metadata schemes and include/exclude globs for applying them",
"patternProperties": {
"[a-zA-Z0-9_]+": {
"type": "object",
"required": [
"include",
"exclude"
],
"properties": {
"include": {
"type": "array",
"description": "List of globs for repos that are included in this application metadata scheme.",
"items": {
"type": "string"
}
},
"exclude": {
"type": "array",
"description": "List of globs for repos that are excluded from this application metadata scheme.",
"items": {
"type": "string"
}
}
}
}
}
}
}
},
"repos": {
"type": "array",
"description": "List of globs for repos that are allowed to be scanned when the service configuration has allow_all set to false. Example: github/testorg/*",
"items": {
"type": "string"
}
},
"scan_orgs": {
"type": "array",
"description": "Orgs that are included in the orchestrator's scanning. If an item ends in a wildcard, the service is queried for all orgs/groups it exposes, which widens the scan scope accordingly.",
"items": {
"type": "string"
}
},
"external_orgs": {
"type": "array",
"description": "Orgs that are considered external. Only private repos in these orgs are scanned; their public repos are skipped so that the scan scope stays limited.",
"items": {
"type": "string"
}
}
}
}