From 16a1b76572ff62d6c4f295b55a88dd27c68eb178 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran Date: Tue, 9 Mar 2021 15:57:48 -0500 Subject: [PATCH] add_listing_to_github_ui --- .../properties/synopsysio.properties.json | 7 ++ code-scanning/synopsys-io-actions.yml | 77 +++++++++++++++++++ icons/synopsys.svg | 1 + 3 files changed, 85 insertions(+) create mode 100644 code-scanning/properties/synopsysio.properties.json create mode 100644 code-scanning/synopsys-io-actions.yml create mode 100644 icons/synopsys.svg diff --git a/code-scanning/properties/synopsysio.properties.json b/code-scanning/properties/synopsysio.properties.json new file mode 100644 index 0000000..257357e --- /dev/null +++ b/code-scanning/properties/synopsysio.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Synopsys Intelligent Security Scan Action", + "creator": "Synopsys", + "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", + "iconName": "synopsys", + "categories": ["Code Scanning"] +} diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml new file mode 100644 index 0000000..b5aa503 --- /dev/null +++ b/code-scanning/synopsys-io-actions.yml @@ -0,0 +1,77 @@ +name: "Synopsys Intelligent Security Scan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + with: + # We must fetch at least the immediate parents so that if this is + # a pull request then we can checkout the head. + fetch-depth: 2 + + # If this run was triggered by a pull request event, then checkout + # the head of the pull request instead of the merge commit. + - run: git checkout HEAD^2 + if: ${{ github.event_name == 'pull_request' }} + + - name: Synopsys Intelligent Security Scan + id: prescription + uses: synopsys-sig/intelligent-security-scan@v1 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + stage: "IO" + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN + # is defined in settings + - name: Static Analysis with Polaris + if: ${{steps.prescription.outputs.sastScan == 'true' }} + run: | + export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} + export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} + wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip + unzip -j polaris_cli-linux64.zip -d /tmp + /tmp/polaris analyze -w + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work + - name: Software Composition Analysis with Black Duck + if: ${{steps.prescription.outputs.scaScan == 'true' }} + uses: blackducksoftware/github-action@v2 + with: + args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' + + - name: Synopsys Intelligent Security Scan + if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} + uses: synopsys-sig/intelligent-security-scan@v1 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} + --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} + stage: "WORKFLOW" + + - name: Upload SARIF file + if: ${{steps.prescription.outputs.sastScan == 'true' }} + uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: workflowengine-results.sarif.json diff --git a/icons/synopsys.svg b/icons/synopsys.svg new file mode 100644 index 0000000..764a3be --- /dev/null +++ b/icons/synopsys.svg @@ -0,0 +1 @@ + \ No newline at end of file