Moved template files and fixed wrong argument to veracode action

.github/actions/kosli-attest-veracode-executed/action.yml

@@ -13,8 +13,8 @@ inputs:
   #   KOSLI_TRAIL: your-trail-name (often git-commit-sha)
   #   KOSLI_API_TOKEN: "${{ secrets.KOSLI_API_TOKEN }}" 
   #   KOSLI_CLI_VERSION: 2.11.6
-  kosli-artifact-template-name:
-    description: "Name of the artifact in kosli template-file. Often something generic like 'frontend'"
+  kosli-attestation-template-name:
+    description: "Name of the attestation in kosli template-file. Often something generic like 'security-scan-executed'"
     required: true
   artifact-fingerprint:
     description: "Fingerprint of artifact"
@@ -37,6 +37,6 @@ runs:
       run: |
         kosli attest custom \
           --type=veracode-executed \
-          --name ${{ inputs.kosli-artifact-template-name }} \
+          --name ${{ inputs.kosli-attestation-template-name }} \
           --fingerprint ${{ inputs.artifact-fingerprint }} \
           --attestation-data ${{ inputs.veracode-summary-file }}

.github/workflows/build-backend.yml

@@ -13,7 +13,7 @@ env:
   KOSLI_TRAIL: ${{ github.sha }}
   KOSLI_API_TOKEN: "${{ secrets.KOSLI_PUBLIC_API_TOKEN }}"
   KOSLI_CLI_VERSION: "${{ vars.KOSLI_CLI_VERSION }}"
-  KOSLI_TEMPLATE_FILE: "apps/backend/kosli-template.yml"
+  KOSLI_TEMPLATE_FILE: "kosli-flow-templates/backend-template.yml"
   # KOSLI_DRY_RUN: true
   JIRA_BASE_URL: "${{ vars.JIRA_BASE_URL }}"
   JIRA_USERNAME: ${{ secrets.KOSLI_JIRA_USERNAME }}
@@ -90,7 +90,7 @@ jobs:
         if: ${{ github.ref == 'refs/heads/main' }}
         uses: ./.github/actions/kosli-attest-veracode-executed
         with:
-          kosli-artifact-template-name: veracode-executed
+          kosli-attestation-template-name: security-scan-executed
           artifact-fingerprint: ${{ needs.build.outputs.fingerprint }}
           veracode-summary-file: static-scan-summary-backend.json
 

.github/workflows/build-frontend.yml

@@ -13,7 +13,7 @@ env:
   KOSLI_TRAIL: ${{ github.sha }}
   KOSLI_API_TOKEN: "${{ secrets.KOSLI_PUBLIC_API_TOKEN }}"
   KOSLI_CLI_VERSION: "${{ vars.KOSLI_CLI_VERSION }}"
-  KOSLI_TEMPLATE_FILE: "apps/frontend/kosli-template.yml"
+  KOSLI_TEMPLATE_FILE: "kosli-flow-templates/frontend-template.yml"
   # KOSLI_DRY_RUN: true
   JIRA_BASE_URL: "${{ vars.JIRA_BASE_URL }}"
   JIRA_USERNAME: ${{ secrets.KOSLI_JIRA_USERNAME }}
@@ -89,7 +89,7 @@ jobs:
         if: ${{ github.ref == 'refs/heads/main' }}
         uses: ./.github/actions/kosli-attest-veracode-executed
         with:
-          kosli-artifact-template-name: veracode-executed
+          kosli-attestation-template-name: security-scan-executed
           artifact-fingerprint: ${{ needs.build.outputs.fingerprint }}
           veracode-summary-file: static-scan-summary-frontend.json
 

.github/workflows/setup-kosli.yml

@@ -39,27 +39,36 @@ jobs:
         run:
           kosli create flow veracode-example-backend
             --description "Track veracode example attestations for backend"
-            --template-file apps/backend/kosli-template.yml
+            --template-file kosli-flow-templates/backend-template.yml
 
       - name: Create veracode-example-frontend flow
         run:
           kosli create flow veracode-example-frontend
             --description "Track veracode example attestations for frontend"
-            --template-file apps/frontend/kosli-template.yml
+            --template-file kosli-flow-templates/frontend-template.yml
 
-#      - name: Create veracode-example-release flow
-#        run:
-#          kosli create flow veracode-example-release
-#            --description "Track veracode example attestations for releases"
+      - name: Create veracode-example-veracode flow
+        run:
+          kosli create flow veracode-example-veracode
+            --description "Flow to track if the veracode process is followed"
 #            --template-file kosli-release-template.yml
 
       ### Custom attestation types ###
       - name: Create veracode-executed attestation type
         run:
-          kosli create attestation-type veracode-executed
+          kosli create attestation-type veracode-scan-executed
               --description "Attest that veracode scan was executed"
-              --schema kosli-setup/veracode-scan-schema.json
+              --schema custom-attestation-types/veracode-scan-schema.json
+              --jq '.scan_status == "SUCCESS"'
+
+      - name: Create veracode-vulnerability-summary attestation type
+        run:
+          kosli create attestation-type veracode-scan-vulnerability-summary
+              --description "Attest that veracode scan has no vulnerabilities"
+              --schema custom-attestation-types/veracode-scan-schema.json
               --jq '.scan_status == "SUCCESS"'
+              --jq 'all(.severity_summary[]; . == 0)'
+              --jq 'all(.gob_summary[]; . == 0)'
 
 
       ### environments ###

apps/backend/kosli-template.yml → kosli-flow-templates/backend-template.yml

@@ -6,5 +6,5 @@ trail:
     artifacts:
         - name: backend
           attestations:
-            - name: veracode-executed
-              type: custom:veracode-executed
+            - name: security-scan-executed
+              type: custom:veracode-scan-executed

apps/frontend/kosli-template.yml → kosli-flow-templates/frontend-template.yml

@@ -6,5 +6,5 @@ trail:
     artifacts:
         - name: frontend
           attestations:
-            - name: veracode-executed
-              type: custom:veracode-executed
+            - name: security-scan-executed
+              type: custom:veracode-scan-executed