From 7e9ab60c5f227c12ce1b4197e7bc9ef4447d2e18 Mon Sep 17 00:00:00 2001 From: Fabian Aguilar Gomez Date: Fri, 19 Apr 2024 16:26:10 -0500 Subject: [PATCH 01/24] remove pages for now --- script/sync-ghes/settings.json | 1 - 1 file changed, 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 41d6bcd..c848615 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -3,7 +3,6 @@ "../../ci", "../../automation", "../../code-scanning", - "../../pages" ], "enabledActions": [ "actions/cache", From 29b0a3e3a9e362bf782a2d3d4bd200a92b577704 Mon Sep 17 00:00:00 2001 From: Fabian Aguilar Gomez Date: Fri, 19 Apr 2024 16:30:57 -0500 Subject: [PATCH 02/24] Update settings.json --- script/sync-ghes/settings.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index c848615..0fd7319 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -10,7 +10,6 @@ "actions/configure-pages", "actions/create-release", "actions/delete-package-versions", - "actions/deploy-pages", "actions/download-artifact", "actions/jekyll-build-pages", "actions/setup-dotnet", @@ -21,7 +20,6 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", - "actions/upload-pages-artifact", "actions/upload-release-asset", "github/codeql-action" ], From 5902ad751bbf5a50ae17fe754e01046512540412 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 11:56:18 -0700 Subject: [PATCH 03/24] Update script/sync-ghes/settings.json --- script/sync-ghes/settings.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 0fd7319..0dbea1e 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,7 @@ "folders": [ "../../ci", "../../automation", - "../../code-scanning", + "../../code-scanning" ], "enabledActions": [ "actions/cache", From d526113a1b61be86f4ba9aac4f765073a26cdd65 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 11:56:46 -0700 Subject: [PATCH 04/24] Update script/sync-ghes/settings.json --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 0dbea1e..fec0264 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -10,6 +10,7 @@ "actions/configure-pages", "actions/create-release", "actions/delete-package-versions", + "actions/deploy-pages", "actions/download-artifact", "actions/jekyll-build-pages", "actions/setup-dotnet", From 7d07997513aa76f3d0f2523a58b194c1c1b90b6d Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 11:57:05 -0700 Subject: [PATCH 05/24] Update script/sync-ghes/settings.json --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index fec0264..cb0197a 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -21,6 +21,7 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", + "actions/upload-pages-artifact", "actions/upload-release-asset", "github/codeql-action" ], From 264962401da5f1837581d623fbc211c84118ae07 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:03:21 -0700 Subject: [PATCH 06/24] ici --- script/sync-ghes/index.ts | 6 ++++++ script/sync-ghes/settings.json | 6 +++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index f53d220..2559b40 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -163,6 +163,9 @@ async function checkWorkflow( await exec("rm", ["-fr", ...settings.folders]); await exec("rm", ["-fr", "../../icons"]); + // Ignore read-only folders from compatible workflows list + result.compatibleWorkflows = result.compatibleWorkflows.filter(x => !settings.readOnlyFolders.includes(x.folder)); + console.log("Sync changes from main for compatible workflows"); await exec("git", [ "checkout", @@ -184,6 +187,9 @@ async function checkWorkflow( }) ), ]); + + // Add back Pages icons + } catch (e) { console.error("Unhandled error while syncing workflows", e); process.exitCode = 1; diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index cb0197a..ce18eb6 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,11 @@ "folders": [ "../../ci", "../../automation", - "../../code-scanning" + "../../code-scanning", + "../../pages" + ], + "readOnlyFolders": [ + "../../pages" ], "enabledActions": [ "actions/cache", From c7480532d0129274e25ccd09e2357377a228f56a Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:16:50 -0700 Subject: [PATCH 07/24] again --- script/sync-ghes/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 2559b40..7c07a36 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -153,7 +153,7 @@ async function checkWorkflow( console.groupEnd(); console.log("Switch to GHES branch"); - await exec("git", ["checkout", "ghes"]); + // await exec("git", ["checkout", "ghes"]); // In order to sync from main, we might need to remove some workflows, add some // and modify others. The lazy approach is to delete all workflows first, and then @@ -163,7 +163,7 @@ async function checkWorkflow( await exec("rm", ["-fr", ...settings.folders]); await exec("rm", ["-fr", "../../icons"]); - // Ignore read-only folders from compatible workflows list + // Ignore compatible workflows in a read-only folder result.compatibleWorkflows = result.compatibleWorkflows.filter(x => !settings.readOnlyFolders.includes(x.folder)); console.log("Sync changes from main for compatible workflows"); From 252e935e86952db9cad9b0f6c9ee1d543f91e12c Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:17:24 -0700 Subject: [PATCH 08/24] ghes --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 7c07a36..e7cb2b2 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -153,7 +153,7 @@ async function checkWorkflow( console.groupEnd(); console.log("Switch to GHES branch"); - // await exec("git", ["checkout", "ghes"]); + await exec("git", ["checkout", "ghes"]); // In order to sync from main, we might need to remove some workflows, add some // and modify others. The lazy approach is to delete all workflows first, and then From 1e15901e1c50134c3eb77f2b3c82b79d15a5f3e5 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:20:27 -0700 Subject: [PATCH 09/24] wip --- script/sync-ghes/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index e7cb2b2..03d04f0 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -156,11 +156,11 @@ async function checkWorkflow( await exec("git", ["checkout", "ghes"]); // In order to sync from main, we might need to remove some workflows, add some - // and modify others. The lazy approach is to delete all workflows first, and then + // and modify others. The lazy approach is to delete all workflows first (except from read-only folders), and then // just bring the compatible ones over from the main branch. We let git figure out // whether it's a deletion, add, or modify and commit the new state. console.log("Remove all workflows"); - await exec("rm", ["-fr", ...settings.folders]); + await exec("rm", ["-fr", ...(settings.folders.filter(x => !settings.readOnlyFolders.includes(x)))]); await exec("rm", ["-fr", "../../icons"]); // Ignore compatible workflows in a read-only folder From 138375ba29d0bac534217573f589a49ebb3d87d3 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:30:15 -0700 Subject: [PATCH 10/24] wip --- script/sync-ghes/index.ts | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 03d04f0..9105bb3 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -160,11 +160,17 @@ async function checkWorkflow( // just bring the compatible ones over from the main branch. We let git figure out // whether it's a deletion, add, or modify and commit the new state. console.log("Remove all workflows"); - await exec("rm", ["-fr", ...(settings.folders.filter(x => !settings.readOnlyFolders.includes(x)))]); + await exec("rm", ["-fr", ...settings.folders]); await exec("rm", ["-fr", "../../icons"]); - // Ignore compatible workflows in a read-only folder - result.compatibleWorkflows = result.compatibleWorkflows.filter(x => !settings.readOnlyFolders.includes(x.folder)); + // Bring back the read-only folders + console.log("Restore read-only folders"); + settings.readOnlyFolders.forEach(async (folder) => { + await exec("git", [ + "checkout", + folder + ]); + }); console.log("Sync changes from main for compatible workflows"); await exec("git", [ From 66e7ed44ca7256287ab489b0eda374250e41979c Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:31:34 -0700 Subject: [PATCH 11/24] wip --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 9105bb3..3b8aa93 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -165,7 +165,7 @@ async function checkWorkflow( // Bring back the read-only folders console.log("Restore read-only folders"); - settings.readOnlyFolders.forEach(async (folder) => { + await settings.readOnlyFolders.forEach(async (folder) => { await exec("git", [ "checkout", folder From ddca0a93277bce73784982a3a5e8ccb46f2bdac7 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:33:45 -0700 Subject: [PATCH 12/24] async --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 3b8aa93..9105bb3 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -165,7 +165,7 @@ async function checkWorkflow( // Bring back the read-only folders console.log("Restore read-only folders"); - await settings.readOnlyFolders.forEach(async (folder) => { + settings.readOnlyFolders.forEach(async (folder) => { await exec("git", [ "checkout", folder From 3fa8d369daa66974da30d33cc5df57d08ac1cc1d Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:37:57 -0700 Subject: [PATCH 13/24] async --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 9105bb3..3b8aa93 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -165,7 +165,7 @@ async function checkWorkflow( // Bring back the read-only folders console.log("Restore read-only folders"); - settings.readOnlyFolders.forEach(async (folder) => { + await settings.readOnlyFolders.forEach(async (folder) => { await exec("git", [ "checkout", folder From 9f6e4a9e7dbeddc1a36599c96b026a4e6afaf871 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:38:43 -0700 Subject: [PATCH 14/24] wip --- script/sync-ghes/index.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 3b8aa93..0b84733 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -172,6 +172,8 @@ async function checkWorkflow( ]); }); + throw 'x' + console.log("Sync changes from main for compatible workflows"); await exec("git", [ "checkout", From 00731369055d2c5f848a5542fbbe453fc4b5761f Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:40:32 -0700 Subject: [PATCH 15/24] wip --- script/sync-ghes/index.ts | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 0b84733..2f20fec 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -165,14 +165,12 @@ async function checkWorkflow( // Bring back the read-only folders console.log("Restore read-only folders"); - await settings.readOnlyFolders.forEach(async (folder) => { + for (let i = 0; i < settings.readOnlyFolders.length; i++) { await exec("git", [ "checkout", - folder + settings.readOnlyFolders[i] ]); - }); - - throw 'x' + } console.log("Sync changes from main for compatible workflows"); await exec("git", [ From dd92d3760d30c5eeaa21bbf35bfd83007e1e251b Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:43:22 -0700 Subject: [PATCH 16/24] wip --- script/sync-ghes/index.ts | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 2f20fec..2042946 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -180,10 +180,13 @@ async function checkWorkflow( ...Array.prototype.concat.apply( [], result.compatibleWorkflows.map((x) => { - const r = [ - join(x.folder, `${x.id}.yml`), - join(x.folder, "properties", `${x.id}.properties.json`), - ]; + const r = []; + + // Don't touch read-only folders + if (!settings.readOnlyFolders.includes(x.folder)) { + r.push(join(x.folder, `${x.id}.yml`)); + r.push(join(x.folder, "properties", `${x.id}.properties.json`)); + }; if (x.iconType === "svg") { r.push(join("../../icons", `${x.iconName}.svg`)); From 2c3a9cab039548b67470dbd9001f579b4dc39772 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Mon, 29 Apr 2024 13:46:23 -0700 Subject: [PATCH 17/24] Update script/sync-ghes/index.ts --- script/sync-ghes/index.ts | 3 --- 1 file changed, 3 deletions(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 2042946..fcdaaad 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -196,9 +196,6 @@ async function checkWorkflow( }) ), ]); - - // Add back Pages icons - } catch (e) { console.error("Unhandled error while syncing workflows", e); process.exitCode = 1; From b30fbdf5f2c90750a667f9bf56ba7777f9dee6f6 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 2 May 2024 10:59:15 -0400 Subject: [PATCH 18/24] Specify bash shell so that it doesn't fail if switching to 'windows` --- code-scanning/codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 6fdadb1..655fc59 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -76,6 +76,7 @@ jobs: # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - if: matrix.build-mode == 'manual' + shell: bash run: | echo 'If you are using a "manual" build mode for one or more of the' \ 'languages you are analyzing, replace this with the commands to build' \ From 6702f0d2e3cec8183954616cf7fd6f921b701302 Mon Sep 17 00:00:00 2001 From: Dylan Date: Mon, 6 May 2024 09:57:14 -0400 Subject: [PATCH 19/24] Fortify Starter Workflow to use new Fortify AST Action (#2245) * Update Fortify logo * Update fortify workflow Update positioning, Github action versions, Java version and add in Debricked packaging support * Update fortify.properties.json Update languages and creator * Update fortify.yml Update triggers based on latest starter workflow guidelines * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update code-scanning/properties/fortify.properties.json Co-authored-by: James M. Greene * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update code-scanning/fortify.yml Co-authored-by: James M. Greene * Update fortify.yml * Update fortify.properties.json * Update fortify.yml Update starter workflow to use new unified Fortify AST Action * Update fortify.yml * Update fortify.yml * Update fortify.yml Refine workflow comments * Update fortify.yml Bump checkout action version * Update fortify.yml * Update fortify.yml * Update fortify.yml One final clean up * Update fortify.properties.json * Update fortify.yml * Update fortify.yml * Update fortify.properties.json Update with support for Bicep and Solidity * Update fortify.properties.json Uppercase "Solidity" for consistency * Change v1 to commit hash --------- Co-authored-by: James M. Greene Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> --- code-scanning/fortify.yml | 116 ++++++++---------- .../properties/fortify.properties.json | 8 +- icons/fortify.svg | 30 ++++- 3 files changed, 84 insertions(+), 70 deletions(-) diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index c52b70e..01611e8 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -4,32 +4,31 @@ # documentation. ################################################################################################################################################ -# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# -# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # -# or contact our sales team, visit microfocus.com/appsecurity. # +# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your # +# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. # # # -# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# -# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # -# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # -# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # -# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # -# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template # +# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security # +# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product # +# documentation. If you need additional assistance, please contact Fortify support. # ################################################################################################################################################ -name: Fortify on Demand Scan +name: Fortify AST Scan -# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +# Customize trigger events based on your DevSecOps process and/or policy on: - workflow_dispatch: push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above branches: [ $default-branch ] schedule: - cron: $cron-weekly + workflow_dispatch: jobs: - FoD-SAST-Scan: - # Use the appropriate runner for building your source code. - # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + Fortify-AST-Scan: + # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc). runs-on: ubuntu-latest permissions: actions: read @@ -41,58 +40,45 @@ jobs: - name: Check Out Source Code uses: actions/checkout@v4 - # Java is required to run the various Fortify utilities. - # When scanning a Java application, please use the appropriate Java version for building your application. + # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner. - name: Setup Java - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: - java-version: 8 + java-version: 17 distribution: 'temurin' - # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. - # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: - # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). - # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. - # ScanCentral has additional options that should be set for PHP and Python projects - # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. - # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ - - name: Download Fortify ScanCentral Client - uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 - - name: Package Code + Dependencies - run: scancentral package $PACKAGE_OPTS -o package.zip - env: - PACKAGE_OPTS: "-bt mvn" - - # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java - # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: - # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). - # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. - - name: Download Fortify on Demand Universal CI Tool - uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 - - name: Perform SAST Scan - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" - env: - FOD_URL: "https://ams.fortify.com/" - FOD_API_URL: "https://api.ams.fortify.com/" - FOD_TENANT: ${{ secrets.FOD_TENANT }} - FOD_USER: ${{ secrets.FOD_USER }} - FOD_PAT: ${{ secrets.FOD_PAT }} - FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} - FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" - FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' - - # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - - name: Export results to GitHub-optimized SARIF - uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b + # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then + # optionally export SAST results to the GitHub code scanning dashboard. In case further customization is + # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools + # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for + # details. + - name: Run FoD SAST Scan + uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418 with: - fod_base_url: "https://ams.fortify.com/" - fod_tenant: ${{ secrets.FOD_TENANT }} - fod_user: ${{ secrets.FOD_USER }} - fod_password: ${{ secrets.FOD_PAT }} - fod_release_id: ${{ secrets.FOD_RELEASE_ID }} - - # Import Fortify on Demand results to GitHub Security Code Scanning - - name: Import Results - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ./gh-fortify-sast.sarif + sast-scan: true + env: + ### Required configuration when integrating with Fortify on Demand + FOD_URL: https://ams.fortify.com + FOD_TENANT: ${{secrets.FOD_TENANT}} + FOD_USER: ${{secrets.FOD_USER}} + FOD_PASSWORD: ${{secrets.FOD_PAT}} + ### Optional configuration when integrating with Fortify on Demand + # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if + # Debricked SCA scan is enabled on Fortify on Demand + # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options + # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:; may + # replace app+release name with numeric release ID + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard + ### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # SSC_URL: ${{secrets.SSC_URL}} # SSC URL + # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken + # SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token + # SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan; + # usually defined as organization or repo variable + ### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options + # SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: /: + # EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard diff --git a/code-scanning/properties/fortify.properties.json b/code-scanning/properties/fortify.properties.json index 100b4bb..9a7511c 100644 --- a/code-scanning/properties/fortify.properties.json +++ b/code-scanning/properties/fortify.properties.json @@ -1,7 +1,7 @@ { - "name": "Fortify on Demand Scan", - "creator": "Micro Focus", - "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", + "name": "Fortify Scan", + "creator": "OpenText", + "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 33+ languages into your DevSecOps workflows.", "iconName": "fortify", - "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"] + "categories": ["Code Scanning", "ABAP", "ActionScript", "Bicep", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Dart", "Go", "HCL", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Solidity", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML", "YAML"] } diff --git a/icons/fortify.svg b/icons/fortify.svg index 45a0d77..7033960 100644 --- a/icons/fortify.svg +++ b/icons/fortify.svg @@ -1 +1,29 @@ - \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 39131434ed4bd7dcf8071fc2faaaa0ef8a23c4eb Mon Sep 17 00:00:00 2001 From: Cory Miller <13227161+cory-miller@users.noreply.github.com> Date: Wed, 22 May 2024 10:25:41 -0400 Subject: [PATCH 20/24] Fix typo in grade starter workflow --- ci/gradle.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/gradle.yml b/ci/gradle.yml index 65a332b..74dffb5 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -28,7 +28,7 @@ jobs: java-version: '17' distribution: 'temurin' - # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. + # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 From 61d42c9d0c8d4a398799a581eb6ce48ca742a2bc Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 30 May 2024 09:34:08 -0700 Subject: [PATCH 21/24] Update cosign versions --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 8a042a5..f8e709f 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 with: - cosign-release: 'v2.1.1' + cosign-release: 'v2.2.4' # Set up BuildKit Docker container builder to be able to build # multi-platform images and export cache From 9f1db534549e072c20d5d1a79e0a4ff45a674caf Mon Sep 17 00:00:00 2001 From: Antoine Vinot Date: Mon, 3 Jun 2024 20:58:42 +0200 Subject: [PATCH 22/24] Update sonarcloud.yml after latest release of the action (#2405) Co-authored-by: Alexis Abril --- code-scanning/sonarcloud.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 41075e4..0e7f274 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -46,13 +46,12 @@ jobs: - name: Analyze with SonarCloud # You can pin the exact commit or the version. - # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + # uses: SonarSource/sonarcloud-github-action@v2.2.0 + uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: - # Additional arguments for the sonarcloud scanner + # Additional arguments for the SonarScanner CLI args: # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) # mandatory @@ -60,9 +59,9 @@ jobs: -Dsonar.organization= # Comma-separated paths to directories containing main source files. #-Dsonar.sources= # optional, default is project base directory - # When you need the analysis to take place in a directory other than the one from which it was launched - #-Dsonar.projectBaseDir= # optional, default is . # Comma-separated paths to directories containing test source files. #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. #-Dsonar.verbose= # optional, default is false + # When you need the analysis to take place in a directory other than the one from which it was launched, default is . + projectBaseDir: . From 647cac4f347894582e3fd841b84b0b2c6485b23d Mon Sep 17 00:00:00 2001 From: alankuo-aws <151653677+alankuo-aws@users.noreply.github.com> Date: Mon, 17 Jun 2024 16:32:21 -0400 Subject: [PATCH 23/24] Update policy validator starter workflows (#2433) * Update policy validator starter workflows * Fix reference policy argument --- code-scanning/policy-validator-cfn.yaml | 24 +++++++++++++++++++----- code-scanning/policy-validator-tf.yaml | 22 ++++++++++++++++++---- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/code-scanning/policy-validator-cfn.yaml b/code-scanning/policy-validator-cfn.yaml index b2cd163..8d32ce1 100644 --- a/code-scanning/policy-validator-cfn.yaml +++ b/code-scanning/policy-validator-cfn.yaml @@ -20,7 +20,8 @@ env: AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template. - ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. jobs: @@ -45,7 +46,7 @@ jobs: # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator - name: Run AWS AccessAnalyzer ValidatePolicy check id: run-aws-validate-policy - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "VALIDATE_POLICY" template-path: ${{ env.TEMPLATE_PATH}} @@ -57,11 +58,12 @@ jobs: # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator - name: Run AWS AccessAnalyzer CheckAccessNotGranted check id: run-aws-check-access-not-granted - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "CHECK_ACCESS_NOT_GRANTED" template-path: ${{ env.TEMPLATE_PATH}} actions: ${{ env.ACTIONS }} + resources: ${{ env.RESOURCES }} region: ${{ env.REGION }} # Print result from CHECK_ACCESS_NOT_GRANTED check - name: Print the result for CheckAccessNotGranted check @@ -71,14 +73,26 @@ jobs: # reference-policy is stored in GitHub secrets - name: Run AWS AccessAnalyzer CheckNoNewAccess check id: run-aws-check-no-new-access - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "CHECK_NO_NEW_ACCESS" template-path: ${{ env.TEMPLATE_PATH}} - reference-policy: ${{ env.REFERENCE }} + reference-policy: ${{ env.REFERENCE_POLICY }} reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} region: ${{env.REGION }} # Print result from CHECK_NO_NEW_ACCESS check - name: Print the result for CheckNoNewAccess check if: success() || failure() run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" + # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckNoPublicAccess check + id: run-aws-check-no-public-access + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 + with: + policy-check-type: "CHECK_NO_PUBLIC_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_PUBLIC_ACCESS check + - name: Print the result for CheckNoPublicAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}" diff --git a/code-scanning/policy-validator-tf.yaml b/code-scanning/policy-validator-tf.yaml index 1ca77b5..07f884f 100644 --- a/code-scanning/policy-validator-tf.yaml +++ b/code-scanning/policy-validator-tf.yaml @@ -21,7 +21,8 @@ env: AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON - ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. @@ -48,7 +49,7 @@ jobs: # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator - name: Run AWS AccessAnalyzer ValidatePolicy check id: run-aws-validate-policy - uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 with: policy-check-type: "VALIDATE_POLICY" template-path: ${{ env.TEMPLATE_PATH }} @@ -60,11 +61,12 @@ jobs: # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator - name: Run AWS AccessAnalyzer CheckAccessNotGranted check id: run-aws-check-access-not-granted - uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 with: policy-check-type: "CHECK_ACCESS_NOT_GRANTED" template-path: ${{ env.TEMPLATE_PATH }} actions: ${{ env.ACTIONS }} + resources: ${{ env.RESOURCES }} region: ${{ env.REGION }} # Print result from CHECK_ACCESS_NOT_GRANTED check - name: Print the result for CheckAccessNotGranted check @@ -74,7 +76,7 @@ jobs: # reference-policy is stored in GitHub secrets - name: Run AWS AccessAnalyzer CheckNoNewAccess check id: run-aws-check-no-new-access - uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 with: policy-check-type: "CHECK_NO_NEW_ACCESS" template-path: ${{ env.TEMPLATE_PATH }} @@ -85,3 +87,15 @@ jobs: - name: Print the result CheckNoNewAccess check if: success() || failure() run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" + # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckNoPublicAccess check + id: run-aws-check-no-public-access + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 + with: + policy-check-type: "CHECK_NO_PUBLIC_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_PUBLIC_ACCESS check + - name: Print the result for CheckNoPublicAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}" From e6a84878775b73145774535516f255f521cfc68f Mon Sep 17 00:00:00 2001 From: Joe Mooring Date: Fri, 28 Jun 2024 13:52:35 -0700 Subject: [PATCH 24/24] pages: Update Hugo workflow - Bump version - Set cache directory - Remove outdated environment variable --- pages/hugo.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pages/hugo.yml b/pages/hugo.yml index 141ad91..b4f316a 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -31,7 +31,7 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.124.1 + HUGO_VERSION: 0.128.0 steps: - name: Install Hugo CLI run: | @@ -50,9 +50,8 @@ jobs: run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true" - name: Build with Hugo env: - # For maximum backward compatibility with Hugo modules + HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache HUGO_ENVIRONMENT: production - HUGO_ENV: production run: | hugo \ --minify \