Merge branch 'main' into bump-actions-setup-node
This commit is contained in:
@@ -41,9 +41,9 @@ jobs:
|
||||
# https://github.com/sigstore/cosign-installer
|
||||
- name: Install cosign
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
|
||||
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
|
||||
with:
|
||||
cosign-release: 'v2.1.1'
|
||||
cosign-release: 'v2.2.4'
|
||||
|
||||
# Set up BuildKit Docker container builder to be able to build
|
||||
# multi-platform images and export cache
|
||||
|
||||
+1
-1
@@ -28,7 +28,7 @@ jobs:
|
||||
java-version: '17'
|
||||
distribution: 'temurin'
|
||||
|
||||
# Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies.
|
||||
# Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies.
|
||||
# See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md
|
||||
- name: Setup Gradle
|
||||
uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
|
||||
|
||||
@@ -76,6 +76,7 @@ jobs:
|
||||
# ℹ️ Command-line programs to run using the OS shell.
|
||||
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
|
||||
- if: matrix.build-mode == 'manual'
|
||||
shell: bash
|
||||
run: |
|
||||
echo 'If you are using a "manual" build mode for one or more of the' \
|
||||
'languages you are analyzing, replace this with the commands to build' \
|
||||
|
||||
+51
-65
@@ -4,32 +4,31 @@
|
||||
# documentation.
|
||||
|
||||
################################################################################################################################################
|
||||
# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
|
||||
# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
|
||||
# or contact our sales team, visit microfocus.com/appsecurity. #
|
||||
# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your #
|
||||
# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. #
|
||||
# #
|
||||
# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.#
|
||||
# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into #
|
||||
# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against #
|
||||
# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the #
|
||||
# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional #
|
||||
# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. #
|
||||
# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template #
|
||||
# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security #
|
||||
# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product #
|
||||
# documentation. If you need additional assistance, please contact Fortify support. #
|
||||
################################################################################################################################################
|
||||
|
||||
name: Fortify on Demand Scan
|
||||
name: Fortify AST Scan
|
||||
|
||||
# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
|
||||
# Customize trigger events based on your DevSecOps process and/or policy
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
FoD-SAST-Scan:
|
||||
# Use the appropriate runner for building your source code.
|
||||
# TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
|
||||
Fortify-AST-Scan:
|
||||
# Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc).
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
@@ -41,58 +40,45 @@ jobs:
|
||||
- name: Check Out Source Code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Java is required to run the various Fortify utilities.
|
||||
# When scanning a Java application, please use the appropriate Java version for building your application.
|
||||
# Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner.
|
||||
- name: Setup Java
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: 8
|
||||
java-version: 17
|
||||
distribution: 'temurin'
|
||||
|
||||
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
|
||||
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
|
||||
# ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
|
||||
# ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
|
||||
# ScanCentral has additional options that should be set for PHP and Python projects
|
||||
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
|
||||
# ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
|
||||
- name: Download Fortify ScanCentral Client
|
||||
uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3
|
||||
- name: Package Code + Dependencies
|
||||
run: scancentral package $PACKAGE_OPTS -o package.zip
|
||||
env:
|
||||
PACKAGE_OPTS: "-bt mvn"
|
||||
|
||||
# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
|
||||
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
|
||||
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
|
||||
# Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
|
||||
- name: Download Fortify on Demand Universal CI Tool
|
||||
uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433
|
||||
- name: Perform SAST Scan
|
||||
run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
|
||||
env:
|
||||
FOD_URL: "https://ams.fortify.com/"
|
||||
FOD_API_URL: "https://api.ams.fortify.com/"
|
||||
FOD_TENANT: ${{ secrets.FOD_TENANT }}
|
||||
FOD_USER: ${{ secrets.FOD_USER }}
|
||||
FOD_PAT: ${{ secrets.FOD_PAT }}
|
||||
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
|
||||
FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
|
||||
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
|
||||
|
||||
# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
|
||||
- name: Export results to GitHub-optimized SARIF
|
||||
uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b
|
||||
# Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then
|
||||
# optionally export SAST results to the GitHub code scanning dashboard. In case further customization is
|
||||
# required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
|
||||
# and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for
|
||||
# details.
|
||||
- name: Run FoD SAST Scan
|
||||
uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418
|
||||
with:
|
||||
fod_base_url: "https://ams.fortify.com/"
|
||||
fod_tenant: ${{ secrets.FOD_TENANT }}
|
||||
fod_user: ${{ secrets.FOD_USER }}
|
||||
fod_password: ${{ secrets.FOD_PAT }}
|
||||
fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
|
||||
|
||||
# Import Fortify on Demand results to GitHub Security Code Scanning
|
||||
- name: Import Results
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: ./gh-fortify-sast.sarif
|
||||
sast-scan: true
|
||||
env:
|
||||
### Required configuration when integrating with Fortify on Demand
|
||||
FOD_URL: https://ams.fortify.com
|
||||
FOD_TENANT: ${{secrets.FOD_TENANT}}
|
||||
FOD_USER: ${{secrets.FOD_USER}}
|
||||
FOD_PASSWORD: ${{secrets.FOD_PAT}}
|
||||
### Optional configuration when integrating with Fortify on Demand
|
||||
# EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if
|
||||
# Debricked SCA scan is enabled on Fortify on Demand
|
||||
# EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
|
||||
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>; may
|
||||
# replace app+release name with numeric release ID
|
||||
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
|
||||
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
|
||||
### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
|
||||
# SSC_URL: ${{secrets.SSC_URL}} # SSC URL
|
||||
# SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken
|
||||
# SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token
|
||||
# SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan;
|
||||
# usually defined as organization or repo variable
|
||||
### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
|
||||
# EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
|
||||
# SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: <org>/<repo>:<branch>
|
||||
# EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options
|
||||
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
|
||||
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
|
||||
|
||||
@@ -20,7 +20,8 @@ env:
|
||||
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
|
||||
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
|
||||
TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template.
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
jobs:
|
||||
@@ -45,7 +46,7 @@ jobs:
|
||||
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer ValidatePolicy check
|
||||
id: run-aws-validate-policy
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "VALIDATE_POLICY"
|
||||
template-path: ${{ env.TEMPLATE_PATH}}
|
||||
@@ -57,11 +58,12 @@ jobs:
|
||||
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
|
||||
id: run-aws-check-access-not-granted
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
|
||||
template-path: ${{ env.TEMPLATE_PATH}}
|
||||
actions: ${{ env.ACTIONS }}
|
||||
resources: ${{ env.RESOURCES }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_ACCESS_NOT_GRANTED check
|
||||
- name: Print the result for CheckAccessNotGranted check
|
||||
@@ -71,14 +73,26 @@ jobs:
|
||||
# reference-policy is stored in GitHub secrets
|
||||
- name: Run AWS AccessAnalyzer CheckNoNewAccess check
|
||||
id: run-aws-check-no-new-access
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_NEW_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH}}
|
||||
reference-policy: ${{ env.REFERENCE }}
|
||||
reference-policy: ${{ env.REFERENCE_POLICY }}
|
||||
reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
|
||||
region: ${{env.REGION }}
|
||||
# Print result from CHECK_NO_NEW_ACCESS check
|
||||
- name: Print the result for CheckNoNewAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
|
||||
# Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckNoPublicAccess check
|
||||
id: run-aws-check-no-public-access
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_NO_PUBLIC_ACCESS check
|
||||
- name: Print the result for CheckNoPublicAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
|
||||
|
||||
@@ -21,7 +21,8 @@ env:
|
||||
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
|
||||
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
|
||||
TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
|
||||
@@ -48,7 +49,7 @@ jobs:
|
||||
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer ValidatePolicy check
|
||||
id: run-aws-validate-policy
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "VALIDATE_POLICY"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
@@ -60,11 +61,12 @@ jobs:
|
||||
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
|
||||
id: run-aws-check-access-not-granted
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
actions: ${{ env.ACTIONS }}
|
||||
resources: ${{ env.RESOURCES }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_ACCESS_NOT_GRANTED check
|
||||
- name: Print the result for CheckAccessNotGranted check
|
||||
@@ -74,7 +76,7 @@ jobs:
|
||||
# reference-policy is stored in GitHub secrets
|
||||
- name: Run AWS AccessAnalyzer CheckNoNewAccess check
|
||||
id: run-aws-check-no-new-access
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_NEW_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
@@ -85,3 +87,15 @@ jobs:
|
||||
- name: Print the result CheckNoNewAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
|
||||
# Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckNoPublicAccess check
|
||||
id: run-aws-check-no-public-access
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_NO_PUBLIC_ACCESS check
|
||||
- name: Print the result for CheckNoPublicAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "Fortify on Demand Scan",
|
||||
"creator": "Micro Focus",
|
||||
"description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.",
|
||||
"name": "Fortify Scan",
|
||||
"creator": "OpenText",
|
||||
"description": "Integrate Fortify's comprehensive static code analysis (SAST) for 33+ languages into your DevSecOps workflows.",
|
||||
"iconName": "fortify",
|
||||
"categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"]
|
||||
"categories": ["Code Scanning", "ABAP", "ActionScript", "Bicep", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Dart", "Go", "HCL", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Solidity", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML", "YAML"]
|
||||
}
|
||||
|
||||
@@ -46,13 +46,12 @@ jobs:
|
||||
- name: Analyze with SonarCloud
|
||||
|
||||
# You can pin the exact commit or the version.
|
||||
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
|
||||
uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
|
||||
# uses: SonarSource/sonarcloud-github-action@v2.2.0
|
||||
uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
|
||||
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
|
||||
with:
|
||||
# Additional arguments for the sonarcloud scanner
|
||||
# Additional arguments for the SonarScanner CLI
|
||||
args:
|
||||
# Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
|
||||
# mandatory
|
||||
@@ -60,9 +59,9 @@ jobs:
|
||||
-Dsonar.organization=
|
||||
# Comma-separated paths to directories containing main source files.
|
||||
#-Dsonar.sources= # optional, default is project base directory
|
||||
# When you need the analysis to take place in a directory other than the one from which it was launched
|
||||
#-Dsonar.projectBaseDir= # optional, default is .
|
||||
# Comma-separated paths to directories containing test source files.
|
||||
#-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
|
||||
# Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
|
||||
#-Dsonar.verbose= # optional, default is false
|
||||
# When you need the analysis to take place in a directory other than the one from which it was launched, default is .
|
||||
projectBaseDir: .
|
||||
|
||||
+29
-1
@@ -1 +1,29 @@
|
||||
<svg width="95" height="63" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" overflow="hidden"><defs><clipPath id="clip0"><rect x="979" y="281" width="95" height="63"/></clipPath></defs><g clip-path="url(#clip0)" transform="translate(-979 -281)"><path d="M0.495362 32.6809 16.4466 32.6809 16.4466 36.8041 5.29445 36.8041 5.29445 41.7043 16.2098 41.7043 16.2098 45.8261 5.29445 45.8261 5.29445 55.2206 0.495362 55.2206Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M17.6294 47.0435C17.6294 42.4134 20.8731 38.4938 26.247 38.4938 31.6541 38.4938 34.8978 42.4134 34.8978 47.0435 34.8978 51.7069 31.6541 55.6264 26.247 55.6264 20.8731 55.6264 17.6294 51.7025 17.6294 47.0435ZM30.4366 47.0435C30.4366 44.5089 28.9173 42.3123 26.2484 42.3123 23.5795 42.3123 22.0963 44.5089 22.0963 47.0435 22.0963 49.6113 23.5824 51.8094 26.2528 51.8094 28.9231 51.8094 30.4366 49.6113 30.4366 47.0435Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M37.0612 38.8997 41.3534 38.8997 41.3534 41.1295C42.5087 39.6766 44.5306 38.5299 46.5525 38.5299L46.5525 42.7181C46.1644 42.6295 45.7677 42.584 45.3697 42.5824 43.95 42.5824 42.0581 43.394 41.349 44.4411L41.349 55.2206 37.0612 55.2206Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M50.4027 51.1667 50.4027 42.6459 47.7064 42.6459 47.7064 38.891 50.4027 38.891 50.4027 34.4385 54.7354 34.4385 54.7354 38.8997 58.0469 38.8997 58.0469 42.6546 54.7354 42.6546 54.7354 50.02C54.7354 51.031 55.2755 51.8108 56.2214 51.8108 56.8641 51.8108 57.4721 51.574 57.709 51.3386L58.6203 54.5823C57.979 55.16 56.8295 55.6293 55.0386 55.6293 52.0318 55.6264 50.4027 54.0725 50.4027 51.1667Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M59.533 33.9388C59.5282 32.5199 60.6746 31.3657 62.0936 31.3609 63.5125 31.3561 64.6667 32.5025 64.6715 33.9215 64.6762 35.3404 63.5298 36.4946 62.1109 36.4994 62.1076 36.4994 62.1041 36.4994 62.1008 36.4994 60.69 36.4884 59.5479 35.3495 59.533 33.9388ZM59.9663 38.9069 64.2671 38.9069 64.2671 55.2264 59.9735 55.2264Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M68.4553 42.6502 65.7517 42.6502 65.7517 38.8953 68.4553 38.8953 68.4553 38.0158C68.4553 34.4674 70.753 32.3386 73.9635 32.3386 75.1795 32.3386 76.2944 32.6087 77.0729 33.0145L76.1934 36.056C75.7716 35.8179 75.2923 35.701 74.8083 35.7181 73.5909 35.7181 72.7865 36.5297 72.7865 38.0837L72.7865 38.8953 76.098 38.8953 76.098 42.6502 72.7879 42.6502 72.7879 55.2148 68.4553 55.2148Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M80.3166 58.0267C81.4315 58.0267 82.1752 57.722 82.5811 56.8439L83.1862 55.4575 76.5659 38.8997 81.1643 38.8997 85.4189 50.2583 89.6851 38.8997 94.3066 38.8997 86.6364 57.8909C85.4189 60.9657 83.257 61.7773 80.4523 61.8452 79.737 61.8309 79.0244 61.7516 78.3235 61.6083L78.9648 57.7552C79.3944 57.9294 79.853 58.0214 80.3166 58.0267Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M22.5166 12.2757C22.519 17.9292 17.9379 22.5141 12.2844 22.5166 12.2815 22.5166 12.2786 22.5166 12.2757 22.5166L0 22.5166 0 12.2757ZM12.2757 10.2351 12.2757 10.2351C17.9284 10.2383 22.5134 5.65845 22.5166 0.00577884 22.5166 0.00385269 22.5166 0.00192654 22.5166 3.96827e-07L0 0 0 10.2351Z" fill="#F42147" transform="matrix(1 0 0 1.01243 979.012 281)"/></g></svg>
|
||||
<svg width="238" height="93" viewBox="0 0 238 93" fill="none" xmlns="http://www.w3.org/2000/svg">
|
||||
<g clip-path="url(#clip0_27_36971)">
|
||||
<path d="M57.3999 65.4001H59.7399V72.9101H59.9399C60.4599 72.1201 61.3699 70.2901 64.3499 70.2901C68.1999 70.2901 70.8699 73.3501 70.8699 78.1601C70.8699 82.9701 68.2099 86.0701 64.3899 86.0701C61.4499 86.0701 60.4599 84.2401 59.9399 83.4101H59.6599V85.7501H57.3999V65.4101V65.4001ZM64.0699 83.9601C67.0099 83.9601 68.5199 81.3801 68.5199 78.1201C68.5199 74.8601 67.0499 72.4001 64.0699 72.4001C61.0899 72.4001 59.6999 74.7001 59.6999 78.1201C59.6999 81.5401 61.2499 83.9601 64.0699 83.9601Z" fill="black"/>
|
||||
<path d="M72.9497 91.1902L73.5497 89.1202C75.2597 89.5602 76.3097 89.3402 77.1697 87.0102L77.6097 85.8202L71.9697 70.4802H74.5097L78.7197 82.6402H78.8797L83.0897 70.4802H85.6297L79.1497 87.9602C78.2697 90.3302 76.7797 91.4602 74.6597 91.4602C73.8697 91.4602 73.1897 91.3002 72.9497 91.1802V91.1902Z" fill="black"/>
|
||||
<path d="M113.43 77.7301C113.43 82.1801 110.87 86.9901 104 86.9901C99.0498 86.9901 94.5298 84.2301 94.5298 77.7301C94.5298 72.3401 97.9298 68.2001 104.67 68.5701C111.85 68.9701 113.43 74.5301 113.43 77.7301ZM100.63 74.3501C99.9898 75.3401 99.7498 76.5201 99.7498 77.7001C99.7498 80.4301 101.1 82.9001 103.99 82.9001C106.88 82.9001 108.17 80.6301 108.17 77.9301C108.17 76.0201 107.7 74.5401 106.72 73.6201C105.64 72.6301 104.43 72.6001 103.69 72.6701C102.21 72.7701 101.33 73.2601 100.62 74.3501H100.63Z" fill="black"/>
|
||||
<path d="M159.42 70.5601C159.93 70.0201 160.26 69.6201 161.17 69.1801C161.98 68.8401 163.12 68.5701 164.37 68.5701C165.41 68.5701 166.59 68.7401 167.5 69.2401C169.35 70.2201 169.82 71.8001 169.82 74.5301V86.5601H164.67V76.6601C164.67 75.0801 164.64 74.5001 164.43 74.0301C164.03 73.0901 163.12 72.6801 162.11 72.6801C159.38 72.6801 159.38 74.8701 159.38 77.0601V86.5601H154.19V69.0101H159.41V70.5601H159.42Z" fill="black"/>
|
||||
<path d="M151.74 82.0101C151.26 83.0101 149.73 86.9901 142.98 86.9901C137.76 86.9901 134.09 83.8001 134.09 78.0401C134.09 73.8001 136.18 68.5701 143.12 68.5701C144.16 68.5701 147.2 68.4401 149.45 70.8701C151.74 73.3301 151.88 76.7601 151.94 78.7501H139.38C139.35 80.9401 140.59 83.1301 143.39 83.1301C146.19 83.1301 147.2 81.2801 147.84 80.0301L151.75 82.0201L151.74 82.0101ZM146.59 75.5101C146.49 74.7701 146.35 73.7901 145.61 73.0201C144.97 72.3801 143.99 72.0401 143.08 72.0401C141.83 72.0401 140.96 72.6501 140.45 73.1901C139.74 73.9601 139.57 74.7701 139.41 75.5101H146.59Z" fill="black"/>
|
||||
<path d="M223.87 72.6501H227.31V69.0101H223.91V65.3101H218.76V69.0101H217.94L215.58 72.6501H218.76V81.0001C218.76 82.6801 218.79 83.9301 219.5 84.9701C220.61 86.5901 222.57 86.6901 224.35 86.6901C225.29 86.6901 225.97 86.5901 227.08 86.4201V82.3801L225.23 82.4501C223.85 82.4501 223.85 81.5401 223.88 80.4601V72.6501H223.87Z" fill="black"/>
|
||||
<path d="M172.41 65.3101H177.56V69.0101H182.92L180.56 72.6501H177.53V80.4601C177.5 81.5401 177.5 82.4501 178.88 82.4501L180.73 82.3801V86.4201C179.62 86.5901 178.94 86.6901 178 86.6901C176.21 86.6901 174.26 86.5901 173.15 84.9701C172.44 83.9301 172.41 82.6801 172.41 81.0001V65.3101Z" fill="black"/>
|
||||
<path d="M232.08 72.65H231.44V69.54H230.27V69H233.23V69.54H232.08V72.65ZM237.07 72.65H236.44L236.46 70.4L236.49 69.65L236.31 70.26L235.56 72.64H234.99L234.25 70.26L234.06 69.66L234.1 70.4L234.12 72.65H233.51V69.01H234.38L235.29 71.89L236.18 69.01H237.05V72.65H237.07Z" fill="black"/>
|
||||
<path d="M199.16 82.0301L198.17 83.5501C197.25 84.9101 195.51 86.9901 190.53 86.9901C185.55 86.9901 181.8 83.8001 181.8 78.0401C181.8 73.8001 183.89 68.5701 190.83 68.5701C191.87 68.5701 194.91 68.4401 197.16 70.8701C199.45 73.3301 199.59 76.7601 199.65 78.7501H187.09C187.06 80.9401 188.14 83.1301 190.93 83.1301C193.72 83.1301 194.57 81.2801 195.21 80.0301L199.15 82.0301H199.16ZM194.3 75.5101C194.2 74.7701 194.06 73.7901 193.32 73.0201C192.68 72.3801 191.7 72.0401 190.79 72.0401C189.54 72.0401 188.67 72.6501 188.16 73.1901C187.45 73.9601 187.28 74.7701 187.12 75.5101H194.3Z" fill="black"/>
|
||||
<path d="M216.82 86.56L210.37 77.32L215.75 69.01H209.85L207.31 72.93L204.58 69.01H198.68L204.48 77.32L198.5 86.56H204.4L207.54 81.71L210.92 86.56H216.82Z" fill="black"/>
|
||||
<path d="M120.57 70.5601C121.07 69.8101 122.66 68.5701 125.18 68.5701C129.49 68.5701 132.52 71.8401 132.52 77.7001C132.52 81.3001 131.21 87.0001 124.96 87.0001C122.71 87.0001 120.97 85.7501 120.53 85.0101V92.3701H115.34V69.0101H120.56V70.5601H120.57ZM124.07 72.6201C123.13 72.6201 122.15 73.0001 121.41 73.9401C120.67 74.8501 120.33 76.2601 120.33 77.8001C120.33 79.8701 120.94 81.1201 121.58 81.8401C122.18 82.5101 123.06 82.9001 123.9 82.9001C126.43 82.9001 127.54 80.2401 127.54 77.6701C127.54 75.5101 126.9 73.2201 124.78 72.7201C124.54 72.6601 124.31 72.6301 124.07 72.6301V72.6201Z" fill="black"/>
|
||||
<path d="M56.6802 1.93994H87.1502V9.81994H65.8502V19.1799H86.7002V27.0499H65.8502V44.9899H56.6802V1.93994Z" fill="black"/>
|
||||
<path d="M89.0801 29.37C89.0801 20.53 95.2801 13.04 105.54 13.04C115.8 13.04 122.06 20.53 122.06 29.37C122.06 38.21 115.86 45.76 105.54 45.76C95.2201 45.76 89.0801 38.27 89.0801 29.37ZM113.54 29.37C113.54 24.53 110.64 20.33 105.54 20.33C100.44 20.33 97.6001 24.53 97.6001 29.37C97.6001 34.21 100.44 38.47 105.54 38.47C110.64 38.47 113.54 34.27 113.54 29.37Z" fill="black"/>
|
||||
<path d="M124.9 13.8101H133.1V18.0701C135.29 15.2901 139.17 13.1001 143.04 13.1001V21.1001C142.46 20.9701 141.68 20.8401 140.78 20.8401C138.07 20.8401 134.45 22.3901 133.1 24.3901V44.9801H124.9V13.8101Z" fill="black"/>
|
||||
<path d="M149.74 37.24V20.97H144.58V13.81H149.74V5.29004H158V13.81H164.33V20.97H158V35.04C158 36.98 159.03 38.46 160.84 38.46C162.07 38.46 163.23 38.01 163.68 37.56L165.42 43.76C164.19 44.86 162 45.76 158.58 45.76C152.84 45.76 149.74 42.79 149.74 37.24Z" fill="black"/>
|
||||
<path d="M166.26 4.91C166.26 2.2 168.52 0 171.17 0C173.82 0 176.08 2.19 176.08 4.91C176.08 7.63 173.89 9.82 171.17 9.82C168.45 9.82 166.26 7.63 166.26 4.91ZM167.1 13.82H175.3V44.99H167.1V13.81V13.82Z" fill="black"/>
|
||||
<path d="M182.98 20.98H177.82V13.82H182.98V12.14C182.98 5.36005 187.37 1.30005 193.5 1.30005C195.82 1.30005 197.95 1.82005 199.44 2.59005L197.76 8.40005C197.05 7.95005 196.08 7.75005 195.11 7.75005C192.79 7.75005 191.24 9.30005 191.24 12.27V13.82H197.57V20.98H191.24V44.9901H182.98V20.98Z" fill="black"/>
|
||||
<path d="M204.99 50.34C207.12 50.34 208.54 49.7601 209.31 48.0801L210.47 45.43L197.82 13.8H206.6L214.73 35.4901L222.86 13.8H231.7L217.05 50.07C214.73 55.94 210.6 57.49 205.24 57.62C204.27 57.62 202.21 57.43 201.17 57.17L202.4 49.8101C203.11 50.1301 204.21 50.3301 204.98 50.3301L204.99 50.34Z" fill="black"/>
|
||||
<path d="M0 3.1001C0 9.5601 0 16.0201 0 22.4801C0.32 22.4801 0.65 22.4701 0.97 22.4701C8.57 22.4701 16.17 22.4701 23.78 22.4701C24.9 22.4701 26 22.3701 27.1 22.1601C30.81 21.4601 34.03 19.8101 36.77 17.2301C40.49 13.7101 42.46 9.3701 42.88 4.2901C42.91 3.9301 42.87 3.5701 42.86 3.1601H41.81C28.22 3.1601 14.63 3.1601 1.04 3.1601C0.69 3.1601 0.35 3.1301 0 3.1101L0 3.1001Z" fill="#1A6AFF"/>
|
||||
<path d="M0 25.6001C0 32.0601 0 38.5301 0 44.9901C0.32 44.9901 0.65 44.9801 0.97 44.9801C8.57 44.9801 16.17 44.9801 23.78 44.9801C24.9 44.9801 26 44.8801 27.1 44.6701C30.81 43.9701 34.03 42.3201 36.77 39.7401C40.49 36.2201 42.46 31.8801 42.88 26.8001C42.91 26.4401 42.87 26.0801 42.86 25.6701H41.81C28.22 25.6701 14.63 25.6701 1.04 25.6701C0.69 25.6701 0.35 25.6401 0 25.6201L0 25.6001Z" fill="#1A6AFF"/>
|
||||
</g>
|
||||
<defs>
|
||||
<clipPath id="clip0_27_36971">
|
||||
<rect width="237.07" height="92.37" fill="white"/>
|
||||
</clipPath>
|
||||
</defs>
|
||||
</svg>
|
||||
|
||||
|
Before Width: | Height: | Size: 3.2 KiB After Width: | Height: | Size: 7.3 KiB |
+2
-3
@@ -31,7 +31,7 @@ jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
HUGO_VERSION: 0.124.1
|
||||
HUGO_VERSION: 0.128.0
|
||||
steps:
|
||||
- name: Install Hugo CLI
|
||||
run: |
|
||||
@@ -50,9 +50,8 @@ jobs:
|
||||
run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
|
||||
- name: Build with Hugo
|
||||
env:
|
||||
# For maximum backward compatibility with Hugo modules
|
||||
HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache
|
||||
HUGO_ENVIRONMENT: production
|
||||
HUGO_ENV: production
|
||||
run: |
|
||||
hugo \
|
||||
--minify \
|
||||
|
||||
@@ -156,13 +156,22 @@ async function checkWorkflow(
|
||||
await exec("git", ["checkout", "ghes"]);
|
||||
|
||||
// In order to sync from main, we might need to remove some workflows, add some
|
||||
// and modify others. The lazy approach is to delete all workflows first, and then
|
||||
// and modify others. The lazy approach is to delete all workflows first (except from read-only folders), and then
|
||||
// just bring the compatible ones over from the main branch. We let git figure out
|
||||
// whether it's a deletion, add, or modify and commit the new state.
|
||||
console.log("Remove all workflows");
|
||||
await exec("rm", ["-fr", ...settings.folders]);
|
||||
await exec("rm", ["-fr", "../../icons"]);
|
||||
|
||||
// Bring back the read-only folders
|
||||
console.log("Restore read-only folders");
|
||||
for (let i = 0; i < settings.readOnlyFolders.length; i++) {
|
||||
await exec("git", [
|
||||
"checkout",
|
||||
settings.readOnlyFolders[i]
|
||||
]);
|
||||
}
|
||||
|
||||
console.log("Sync changes from main for compatible workflows");
|
||||
await exec("git", [
|
||||
"checkout",
|
||||
@@ -171,10 +180,13 @@ async function checkWorkflow(
|
||||
...Array.prototype.concat.apply(
|
||||
[],
|
||||
result.compatibleWorkflows.map((x) => {
|
||||
const r = [
|
||||
join(x.folder, `${x.id}.yml`),
|
||||
join(x.folder, "properties", `${x.id}.properties.json`),
|
||||
];
|
||||
const r = [];
|
||||
|
||||
// Don't touch read-only folders
|
||||
if (!settings.readOnlyFolders.includes(x.folder)) {
|
||||
r.push(join(x.folder, `${x.id}.yml`));
|
||||
r.push(join(x.folder, "properties", `${x.id}.properties.json`));
|
||||
};
|
||||
|
||||
if (x.iconType === "svg") {
|
||||
r.push(join("../../icons", `${x.iconName}.svg`));
|
||||
|
||||
@@ -5,6 +5,9 @@
|
||||
"../../code-scanning",
|
||||
"../../pages"
|
||||
],
|
||||
"readOnlyFolders": [
|
||||
"../../pages"
|
||||
],
|
||||
"enabledActions": [
|
||||
"actions/cache",
|
||||
"actions/checkout",
|
||||
|
||||
Reference in New Issue
Block a user