From 157a5156d853fdfdef304b631876bf6b92526ed8 Mon Sep 17 00:00:00 2001 From: omerzi Date: Tue, 26 Jul 2022 10:54:41 +0300 Subject: [PATCH] Adding JFrog Frogbot to GitHub starter workflows --- code-scanning/frogbot-fix.yml | 56 +++++++++ code-scanning/frogbot-scan-pr.yml | 112 ++++++++++++++++++ .../properties/frogbot-fix.properties.json | 15 +++ .../frogbot-scan-pr.properties.json | 15 +++ icons/frogbot.svg | 80 +++++++++++++ 5 files changed, 278 insertions(+) create mode 100644 code-scanning/frogbot-fix.yml create mode 100644 code-scanning/frogbot-scan-pr.yml create mode 100644 code-scanning/properties/frogbot-fix.properties.json create mode 100644 code-scanning/properties/frogbot-scan-pr.properties.json create mode 100644 icons/frogbot.svg diff --git a/code-scanning/frogbot-fix.yml b/code-scanning/frogbot-fix.yml new file mode 100644 index 0000000..278e8fa --- /dev/null +++ b/code-scanning/frogbot-fix.yml @@ -0,0 +1,56 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot + +name: "Frogbot Fix" +on: + push: + branches: + # The scanning and creation of pull requests with fixes are triggered by pushing code to one of the these branches. + # You can edit the list of branches you wish to open fix pull requests on. + - "main" + - "master" +permissions: + contents: write + pull-requests: write +jobs: + create-fix-pull-requests: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + # Install prerequisites - uncomment the relevant one + + # - uses: actions/setup-go@v3 + # with: + # go-version: 1.17.x + + # - uses: actions/setup-java@v3 + # with: + # java-version: "11" + # distribution: "temurin" + + # - uses: actions/setup-node@v3 + # with: + # node-version: "16.x" + + + - uses: jfrog/frogbot@v2 + env: + # [Mandatory] + # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) + JF_URL: ${{ secrets.FROGBOT_URL }} + + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }} + + # [Mandatory] + # The GitHub token automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Mandatory if using npm] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "npm i" \ No newline at end of file diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml new file mode 100644 index 0000000..54304d3 --- /dev/null +++ b/code-scanning/frogbot-scan-pr.yml @@ -0,0 +1,112 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: "Frogbot Scan" +on: + pull_request_target: + types: [ opened, synchronize ] +permissions: + pull-requests: write +jobs: + scan-pull-request: + runs-on: ubuntu-latest + # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the + # "frogbot" GitHub environment can approve the pull request to be scanned. + environment: frogbot + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Install prerequisites - uncomment the relevant ones + + # - uses: actions/setup-go@v3 + # with: + # go-version: 1.17.x + + # - uses: actions/setup-java@v3 + # with: + # java-version: "11" + # distribution: "temurin" + + # - uses: actions/setup-node@v3 + # with: + # node-version: "16.x" + + # - uses: gradle/gradle-build-action@v2 + + # - uses: actions/setup-dotnet@v2 + # with: + # dotnet-version: "3.1.x" + + # - uses: nuget/setup-nuget@v1 + # with: + # nuget-version: "5.x" + + # - uses: actions/setup-python@v3 + # with: + # python-version: "3.x" + + # - run: pipx install pipenv + + - uses: jfrog/frogbot@v2 + env: + # [Mandatory] + # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) + JF_URL: ${{ secrets.JF_URL }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + JF_USER: ${{ secrets.JF_USER }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. Must be provided with JF_USER + JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + + # [Mandatory] + # The GitHub token automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # Uncomment the below options if you'd like to use them. + + # [Mandatory when using npm] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "npm i" + + # [Mandatory when using .NET] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "dotnet restore" + + # [Optional when using Nuget] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "nuget restore" + + # [Optional when using Pip] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "pip install" + + # [Optional when using Pipenv] + # The command that installs the dependencies + # JF_INSTALL_DEPS_CMD: "pipenv install" + + # [Optional, default: https://api.github.com] + # API endpoint to GitHub + # JF_GIT_API_ENDPOINT: https://github.example.com + + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + + # [Optional, default: "."] + # Relative path to the project in the git repository + # JF_WORKING_DIR: path/to/working/dir + + # [Optional] + # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches + # JF_WATCHES: ,... + + # [Optional] + # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects + # JF_PROJECT: \ No newline at end of file diff --git a/code-scanning/properties/frogbot-fix.properties.json b/code-scanning/properties/frogbot-fix.properties.json new file mode 100644 index 0000000..5d04487 --- /dev/null +++ b/code-scanning/properties/frogbot-fix.properties.json @@ -0,0 +1,15 @@ +{ + "name": "Frogbot Scan and Fix", + "description": "Automatically creates pull requests with fixes for vulnerable project dependencies. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.", + "iconName": "frogbot", + "categories": [ + "Code Scanning", + "Go Module", + "Maven POM", + "NPM Config", + "Gradle", + "C#", + "Python" + ], + "organization": "JFrog" +} \ No newline at end of file diff --git a/code-scanning/properties/frogbot-scan-pr.properties.json b/code-scanning/properties/frogbot-scan-pr.properties.json new file mode 100644 index 0000000..e0a93c8 --- /dev/null +++ b/code-scanning/properties/frogbot-scan-pr.properties.json @@ -0,0 +1,15 @@ +{ + "name": "Frogbot Scan Pull Requests", + "description": "Automatically scans new pull requests for security vulnerabilities. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.", + "iconName": "frogbot", + "categories": [ + "Code Scanning", + "Go Module", + "Maven POM", + "NPM Config", + "Gradle", + "C#", + "Python" + ], + "owner": "JFrog" +} \ No newline at end of file diff --git a/icons/frogbot.svg b/icons/frogbot.svg new file mode 100644 index 0000000..21100d9 --- /dev/null +++ b/icons/frogbot.svg @@ -0,0 +1,80 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +