Add original Fortify on Demand workflow
@@ -0,0 +1,92 @@
|
||||
################################################################################################################################################
|
||||
# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
|
||||
# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
|
||||
# or contact our sales team, visit microfocus.com/appsecurity. #
|
||||
# #
|
||||
# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.#
|
||||
# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into #
|
||||
# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against #
|
||||
# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the #
|
||||
# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional #
|
||||
# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. #
|
||||
################################################################################################################################################
|
||||
|
||||
name: Fortify on Demand Scan
|
||||
|
||||
# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches: [ master ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ master ]
|
||||
schedule:
|
||||
- cron: '24 18 * * 5'
|
||||
|
||||
jobs:
|
||||
FoD-SAST-Scan:
|
||||
# Use the appropriate runner for building your source code.
|
||||
# TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
# Check out source code
|
||||
- name: Check Out Source Code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool)
|
||||
- name: Setup Java
|
||||
uses: actions/setup-java@v1
|
||||
with:
|
||||
java-version: 1.8
|
||||
|
||||
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
|
||||
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
|
||||
# ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
|
||||
# ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
|
||||
# ScanCentral has additional options that should be set for PHP and Python projects
|
||||
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
|
||||
# ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
|
||||
- name: Download Fortify ScanCentral Client
|
||||
uses: fortify/gha-setup-scancentral-client@v1
|
||||
- name: Package Code + Dependencies
|
||||
run: scancentral package $PACKAGE_OPTS -o package.zip
|
||||
env:
|
||||
PACKAGE_OPTS: "-bt mvn"
|
||||
|
||||
# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
|
||||
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
|
||||
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
|
||||
# Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
|
||||
- name: Download Fortify on Demand Universal CI Tool
|
||||
uses: fortify/gha-setup-fod-uploader@v1
|
||||
- name: Perform SAST Scan
|
||||
run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
|
||||
env:
|
||||
FOD_TENANT: ${{ secrets.FOD_TENANT }}
|
||||
FOD_USER: ${{ secrets.FOD_USER }}
|
||||
FOD_PAT: ${{ secrets.FOD_PAT }}
|
||||
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
|
||||
FOD_URL: "https://ams.fortify.com/"
|
||||
FOD_API_URL: "https://api.ams.fortify.com/"
|
||||
FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
|
||||
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
|
||||
|
||||
# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
|
||||
# TODO: Review Action inputs. For most users, these will be the same as used in the Perform SAST Scan step.
|
||||
- name: Download Results
|
||||
uses: fortify/gha-fod-generate-sarif@1.1.0
|
||||
with:
|
||||
base-url: https://ams.fortify.com
|
||||
tenant: ${{ secrets.FOD_TENANT }}
|
||||
user: ${{ secrets.FOD_USER }}
|
||||
password: ${{ secrets.FOD_PAT }}
|
||||
release-id: ${{ secrets.FOD_RELEASE_ID }}
|
||||
output: ./sarif/output.sarif
|
||||
|
||||
# Import Fortify on Demand results to GitHub Security Code Scanning
|
||||
- name: Import Results
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: ./sarif/output.sarif
|
||||
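Review bot: The FoD-SAST-Scan job declares no `permissions:` block, so its GITHUB_TOKEN carries the repository's default scope even though the only write the job needs is for the final `github/codeql-action/upload-sarif@v1` step; adding `permissions:` / `  contents: read` / `  security-events: write` under the job (next to `runs-on: ubuntu-latest`) restricts the token to that. Every action in the hunk is referenced by a mutable tag (`actions/checkout@v2`, `actions/setup-java@v1`, `fortify/gha-setup-scancentral-client@v1`, `fortify/gha-setup-fod-uploader@v1`, `fortify/gha-fod-generate-sarif@1.1.0`, `github/codeql-action/upload-sarif@v1`), which a workflow that handles tenant credentials would normally pin to a full commit SHA with the tag kept as a trailing comment. The `pull_request` trigger on `master` presumably fails for pull requests opened from forks, since `secrets.FOD_TENANT`/`FOD_USER`/`FOD_PAT` are not exposed to such runs and the `-tc`/`-uc` arguments on the Perform SAST Scan line would then be empty; the trigger comment could say so, e.g. `# pull_request runs from forks have no access to the FoD secrets and will fail at the scan step`. Minor: `java-version: 1.8` is an unquoted float and would be safer as `java-version: "1.8"`, consistent with the quoted values used for the env block later in the job.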
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Fortify on Demand Scan",
|
||||
"creator": "Micro Focus",
|
||||
"description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.",
|
||||
"iconName": "fortify",
|
||||
"categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Go", "HTML", "Java", "JavaScript", "JSP", "Kotlin", "MXML", "Objective C", "PHP", "PL/SQL", "Python", "Ruby", "Scala", "Swift", "T-SQL", "TypeScript", "VBScript", "VB.NET", "Visual Basic", "XML"]
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
<svg width="95" height="63" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" overflow="hidden"><defs><clipPath id="clip0"><rect x="979" y="281" width="95" height="63"/></clipPath></defs><g clip-path="url(#clip0)" transform="translate(-979 -281)"><path d="M0.495362 32.6809 16.4466 32.6809 16.4466 36.8041 5.29445 36.8041 5.29445 41.7043 16.2098 41.7043 16.2098 45.8261 5.29445 45.8261 5.29445 55.2206 0.495362 55.2206Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M17.6294 47.0435C17.6294 42.4134 20.8731 38.4938 26.247 38.4938 31.6541 38.4938 34.8978 42.4134 34.8978 47.0435 34.8978 51.7069 31.6541 55.6264 26.247 55.6264 20.8731 55.6264 17.6294 51.7025 17.6294 47.0435ZM30.4366 47.0435C30.4366 44.5089 28.9173 42.3123 26.2484 42.3123 23.5795 42.3123 22.0963 44.5089 22.0963 47.0435 22.0963 49.6113 23.5824 51.8094 26.2528 51.8094 28.9231 51.8094 30.4366 49.6113 30.4366 47.0435Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M37.0612 38.8997 41.3534 38.8997 41.3534 41.1295C42.5087 39.6766 44.5306 38.5299 46.5525 38.5299L46.5525 42.7181C46.1644 42.6295 45.7677 42.584 45.3697 42.5824 43.95 42.5824 42.0581 43.394 41.349 44.4411L41.349 55.2206 37.0612 55.2206Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M50.4027 51.1667 50.4027 42.6459 47.7064 42.6459 47.7064 38.891 50.4027 38.891 50.4027 34.4385 54.7354 34.4385 54.7354 38.8997 58.0469 38.8997 58.0469 42.6546 54.7354 42.6546 54.7354 50.02C54.7354 51.031 55.2755 51.8108 56.2214 51.8108 56.8641 51.8108 57.4721 51.574 57.709 51.3386L58.6203 54.5823C57.979 55.16 56.8295 55.6293 55.0386 55.6293 52.0318 55.6264 50.4027 54.0725 50.4027 51.1667Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M59.533 33.9388C59.5282 32.5199 60.6746 31.3657 62.0936 31.3609 63.5125 31.3561 64.6667 32.5025 64.6715 33.9215 64.6762 35.3404 63.5298 36.4946 62.1109 36.4994 62.1076 36.4994 62.1041 36.4994 62.1008 36.4994 60.69 36.4884 59.5479 35.3495 59.533 33.9388ZM59.9663 38.9069 64.2671 
38.9069 64.2671 55.2264 59.9735 55.2264Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M68.4553 42.6502 65.7517 42.6502 65.7517 38.8953 68.4553 38.8953 68.4553 38.0158C68.4553 34.4674 70.753 32.3386 73.9635 32.3386 75.1795 32.3386 76.2944 32.6087 77.0729 33.0145L76.1934 36.056C75.7716 35.8179 75.2923 35.701 74.8083 35.7181 73.5909 35.7181 72.7865 36.5297 72.7865 38.0837L72.7865 38.8953 76.098 38.8953 76.098 42.6502 72.7879 42.6502 72.7879 55.2148 68.4553 55.2148Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M80.3166 58.0267C81.4315 58.0267 82.1752 57.722 82.5811 56.8439L83.1862 55.4575 76.5659 38.8997 81.1643 38.8997 85.4189 50.2583 89.6851 38.8997 94.3066 38.8997 86.6364 57.8909C85.4189 60.9657 83.257 61.7773 80.4523 61.8452 79.737 61.8309 79.0244 61.7516 78.3235 61.6083L78.9648 57.7552C79.3944 57.9294 79.853 58.0214 80.3166 58.0267Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M22.5166 12.2757C22.519 17.9292 17.9379 22.5141 12.2844 22.5166 12.2815 22.5166 12.2786 22.5166 12.2757 22.5166L0 22.5166 0 12.2757ZM12.2757 10.2351 12.2757 10.2351C17.9284 10.2383 22.5134 5.65845 22.5166 0.00577884 22.5166 0.00385269 22.5166 0.00192654 22.5166 3.96827e-07L0 0 0 10.2351Z" fill="#F42147" transform="matrix(1 0 0 1.01243 979.012 281)"/></g></svg>
|
||||
|