# Grafana provisioning: datasources
# /etc/grafana/provisioning/datasources/prometheus.yml
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
name: semgrep
on: [pull_request]
jobs:
scan:
apiVersion: v1
kind: ServiceAccount
metadata:
name: metrics-reader
namespace: production
---
module Middleware
class DatabasePinning
PIN_WINDOW = 5.seconds
def initialize(app)
@app = app
# Headless Service for stable DNS
apiVersion: v1
kind: Service
metadata:
name: postgres
namespace: production
CREATE TABLE users (
id BIGSERIAL PRIMARY KEY,
username VARCHAR(100) NOT NULL UNIQUE,
email VARCHAR(255) NOT NULL UNIQUE,
password VARCHAR(255) NOT NULL,
created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
severities:
sev1: customer-impacting active compromise or confirmed data exposure
sev2: high risk suspicious activity with potential customer impact
sev3: contained issue with low current impact
first_hour:
web: bin/rails server
css: bin/rails tailwindcss:watch
:concurrency: 10
:queues:
- [critical, 4]
- [default, 2]
- [low, 1]
- name: Build image
run: docker build -t app:${{ github.sha }} .
- name: Scan image
uses: aquasecurity/trivy-action@0.24.0
with:
# Install cert-manager (Helm)
# helm install cert-manager jetstack/cert-manager # --namespace cert-manager # --create-namespace # --set installCRDs=true
---
# ClusterIssuer for Let's Encrypt (staging)
apiVersion: cert-manager.io/v1
# === One-off Job: Database migration ===
apiVersion: batch/v1
kind: Job
metadata:
name: db-migrate
namespace: production