Merge branch 'actions:main' into main
This commit is contained in:
@@ -31,7 +31,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Bandit Scan
|
||||
uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
|
||||
uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd
|
||||
with: # optional arguments
|
||||
# exit with 0, even with results found
|
||||
exit_zero: true # optional, default is DEFAULT
|
||||
|
||||
@@ -0,0 +1,54 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines.
|
||||
# For more information about configuring your workflow,
|
||||
# read our documentation at https://github.com/blackduck-inc/black-duck-security-scan
|
||||
|
||||
name: CI Black Duck security scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: write
|
||||
security-events: write
|
||||
actions: read
|
||||
|
||||
steps:
|
||||
- name: Checkout source
|
||||
uses: actions/checkout@v4
|
||||
- name: Black Duck SCA scan
|
||||
uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
|
||||
with:
|
||||
### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ----------
|
||||
blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }}
|
||||
blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }}
|
||||
|
||||
### ---------- COVERITY SCANNING: REQUIRED FIELDS ----------
|
||||
coverity_url: ${{ vars.COVERITY_URL }}
|
||||
coverity_user: ${{ secrets.COVERITY_USER }}
|
||||
coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
|
||||
|
||||
### ---------- POLARIS SCANNING: REQUIRED FIELDS ----------
|
||||
polaris_server_url: ${{ vars.POLARIS_SERVER_URL }}
|
||||
polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
|
||||
polaris_assessment_types: "SCA,SAST"
|
||||
|
||||
### ---------- SRM SCANNING: REQUIRED FIELDS ----------
|
||||
srm_url: ${{ vars.SRM_URL }}
|
||||
srm_apikey: ${{ secrets.SRM_API_KEY }}
|
||||
srm_assessment_types: "SCA,SAST"
|
||||
|
||||
@@ -55,9 +55,15 @@ jobs:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Add any setup steps before running the `github/codeql-action/init` action.
|
||||
# This includes steps like installing compilers or runtimes (`actions/setup-node`
|
||||
# or others). This is typically only required for manual builds.
|
||||
# - name: Setup runtime (example)
|
||||
# uses: actions/setup-example@v1
|
||||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v3
|
||||
uses: github/codeql-action/init@v4
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
build-mode: ${{ matrix.build-mode }}
|
||||
@@ -74,7 +80,8 @@ jobs:
|
||||
# to build your code.
|
||||
# ℹ️ Command-line programs to run using the OS shell.
|
||||
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
|
||||
- if: matrix.build-mode == 'manual'
|
||||
- name: Run manual build steps
|
||||
if: matrix.build-mode == 'manual'
|
||||
shell: bash
|
||||
run: |
|
||||
echo 'If you are using a "manual" build mode for one or more of the' \
|
||||
@@ -85,6 +92,6 @@ jobs:
|
||||
exit 1
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v3
|
||||
uses: github/codeql-action/analyze@v4
|
||||
with:
|
||||
category: "/language:${{matrix.language}}"
|
||||
|
||||
+83
-38
@@ -34,51 +34,96 @@ jobs:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
# pull-requests: write # Required if DO_PR_COMMENT is set to true
|
||||
|
||||
steps:
|
||||
# Check out source code
|
||||
- name: Check Out Source Code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner.
|
||||
- name: Setup Java
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: 17
|
||||
distribution: 'temurin'
|
||||
|
||||
# Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then
|
||||
# optionally export SAST results to the GitHub code scanning dashboard. In case further customization is
|
||||
# Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
|
||||
# configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
|
||||
# job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
|
||||
# The Fortify GitHub Action provides many customization capabilities, but in case further customization is
|
||||
# required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
|
||||
# and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for
|
||||
# details.
|
||||
- name: Run FoD SAST Scan
|
||||
uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418
|
||||
# and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
|
||||
# documentation at https://github.com/fortify/github-action#readme for more information on the various
|
||||
# configuration options and available sub-actions.
|
||||
- name: Run Fortify Scan
|
||||
# Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
|
||||
# uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases
|
||||
# are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
|
||||
# required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
|
||||
# of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
|
||||
uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297
|
||||
with:
|
||||
sast-scan: true
|
||||
sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
|
||||
debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
|
||||
# is disabled). For SSC, run a Debricked scan and import results into SSC.
|
||||
env:
|
||||
### Required configuration when integrating with Fortify on Demand
|
||||
FOD_URL: https://ams.fortify.com
|
||||
FOD_TENANT: ${{secrets.FOD_TENANT}}
|
||||
FOD_USER: ${{secrets.FOD_USER}}
|
||||
#############################################################
|
||||
##### Fortify on Demand configuration
|
||||
##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
|
||||
### Required configuration
|
||||
FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
|
||||
FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
|
||||
FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
|
||||
FOD_PASSWORD: ${{secrets.FOD_PAT}}
|
||||
### Optional configuration when integrating with Fortify on Demand
|
||||
# EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if
|
||||
# Debricked SCA scan is enabled on Fortify on Demand
|
||||
# EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
|
||||
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>; may
|
||||
# replace app+release name with numeric release ID
|
||||
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
|
||||
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
|
||||
### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
|
||||
# SSC_URL: ${{secrets.SSC_URL}} # SSC URL
|
||||
# SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken
|
||||
# SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token
|
||||
# SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan;
|
||||
# usually defined as organization or repo variable
|
||||
### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
|
||||
# EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
|
||||
# SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: <org>/<repo>:<branch>
|
||||
# EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options
|
||||
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
|
||||
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
|
||||
# FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
|
||||
# FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
|
||||
### Optional configuration
|
||||
# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
|
||||
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>
|
||||
# DO_SETUP: true # Setup FoD application, release & static scan configuration
|
||||
# SETUP_ACTION: <URL or file> # Customize setup action
|
||||
# Pass extra options to setup action:
|
||||
# SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
|
||||
# PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
|
||||
# FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
|
||||
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
|
||||
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
|
||||
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
|
||||
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
|
||||
# DO_JOB_SUMMARY: true # Generate workflow job summary
|
||||
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
|
||||
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
|
||||
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
|
||||
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
|
||||
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
|
||||
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
|
||||
# EXPORT_ACTION: <URL or file> # Customize export action
|
||||
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
|
||||
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
|
||||
|
||||
#############################################################
|
||||
##### Fortify Hosted / Software Security Center & ScanCentral
|
||||
##### Remove this section if you're integrating with Fortify on Demand (see above)
|
||||
### Required configuration
|
||||
SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret
|
||||
SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets
|
||||
SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
|
||||
DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
|
||||
SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
|
||||
### Optional configuration
|
||||
# SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
|
||||
# SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
|
||||
# SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch>
|
||||
# DO_SETUP: true # Set up SSC application & version
|
||||
# SETUP_ACTION: <URL or file> # Customize setup action
|
||||
# SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
|
||||
# PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options
|
||||
# EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options
|
||||
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
|
||||
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
|
||||
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
|
||||
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
|
||||
# DO_JOB_SUMMARY: true # Generate workflow job summary
|
||||
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
|
||||
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
|
||||
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
|
||||
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
|
||||
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
|
||||
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
|
||||
# EXPORT_ACTION: <URL or file> # Customize export action
|
||||
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
|
||||
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
|
||||
|
||||
@@ -60,7 +60,7 @@ jobs:
|
||||
|
||||
# Upload SARIF file as an Artifact to download and view
|
||||
# - name: Upload SARIF as an Artifact
|
||||
# uses: actions/upload-artifact@v3
|
||||
# uses: actions/upload-artifact@v4
|
||||
# with:
|
||||
# name: sarif-file
|
||||
# path: ${{ steps.run-analysis.outputs.sarif }}
|
||||
|
||||
@@ -0,0 +1,22 @@
|
||||
{
|
||||
"name": "Black Duck Security Scan Workflow",
|
||||
"creator": "Black Duck Software, Inc.",
|
||||
"description": "The Black Duck Security Scan GitHub Action allows you to configure your pipeline to run Black Duck Security Scan and take action on the security results",
|
||||
"iconName": "black-duck",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"C",
|
||||
"C++",
|
||||
"C#",
|
||||
"Go",
|
||||
"Java",
|
||||
"JavaScript",
|
||||
"Ruby",
|
||||
"PHP",
|
||||
"Swift",
|
||||
"Kotlin",
|
||||
"Python",
|
||||
"VB.NET",
|
||||
"Objective C"
|
||||
]
|
||||
}
|
||||
@@ -21,6 +21,8 @@ jobs:
|
||||
analysis:
|
||||
name: Scorecard analysis
|
||||
runs-on: ubuntu-latest
|
||||
# `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
|
||||
if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
|
||||
permissions:
|
||||
# Needed to upload the results to code-scanning dashboard.
|
||||
security-events: write
|
||||
@@ -32,12 +34,12 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: "Checkout code"
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
- name: "Run analysis"
|
||||
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
|
||||
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
@@ -56,10 +58,13 @@ jobs:
|
||||
# of the value entered here.
|
||||
publish_results: true
|
||||
|
||||
# (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
|
||||
# file_mode: git
|
||||
|
||||
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
|
||||
# format to the repository Actions tab.
|
||||
- name: "Upload artifact"
|
||||
uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
|
||||
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
|
||||
@@ -36,15 +36,25 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Run SOOS DAST Analysis
|
||||
uses: soos-io/soos-dast-github-action@65d9878d77c8993f3db9e86a92bc2ad3a6e060af
|
||||
uses: soos-io/soos-dast-github-action@a7eb40b94c1c81eb76b178ba1befdc21823f86fa
|
||||
with:
|
||||
client_id: ${{ secrets.SOOS_CLIENT_ID }}
|
||||
api_key: ${{ secrets.SOOS_API_KEY }}
|
||||
project_name: "<YOUR-PROJECT-NAME>"
|
||||
scan_mode: "baseline"
|
||||
target_url: "https://www.example.com/"
|
||||
output_format: "sarif"
|
||||
export_format: "Sarif"
|
||||
export_file_type: "Json"
|
||||
- name: Find and rename SARIF file since it is unique
|
||||
run: |
|
||||
file=$(find . -name "*.sarif.json" | head -n 1)
|
||||
if [ -n "$file" ]; then
|
||||
mv "$file" output.sarif.json
|
||||
echo "Renamed $file to output.sarif.json"
|
||||
else
|
||||
echo "No SARIF file found" && exit 1
|
||||
fi
|
||||
- name: Upload SOOS DAST SARIF Report
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
sarif_file: output.sarif.json
|
||||
|
||||
@@ -87,7 +87,7 @@ jobs:
|
||||
license: ${{ secrets.XANITIZER_LICENSE }}
|
||||
|
||||
# Archiving the findings list reports
|
||||
- uses: actions/upload-artifact@v3
|
||||
- uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: Xanitizer-Reports
|
||||
path: |
|
||||
|
||||
Reference in New Issue
Block a user