From 16a1b76572ff62d6c4f295b55a88dd27c68eb178 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran Date: Tue, 9 Mar 2021 15:57:48 -0500 Subject: [PATCH 1/6] add_listing_to_github_ui --- .../properties/synopsysio.properties.json | 7 ++ code-scanning/synopsys-io-actions.yml | 77 +++++++++++++++++++ icons/synopsys.svg | 1 + 3 files changed, 85 insertions(+) create mode 100644 code-scanning/properties/synopsysio.properties.json create mode 100644 code-scanning/synopsys-io-actions.yml create mode 100644 icons/synopsys.svg diff --git a/code-scanning/properties/synopsysio.properties.json b/code-scanning/properties/synopsysio.properties.json new file mode 100644 index 0000000..257357e --- /dev/null +++ b/code-scanning/properties/synopsysio.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Synopsys Intelligent Security Scan Action", + "creator": "Synopsys", + "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", + "iconName": "synopsys", + "categories": ["Code Scanning"] +} diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml new file mode 100644 index 0000000..b5aa503 --- /dev/null +++ b/code-scanning/synopsys-io-actions.yml @@ -0,0 +1,77 @@ +name: "Synopsys Intelligent Security Scan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + with: + # We must fetch at least the immediate parents so that if this is + # a pull request then we can checkout the head. + fetch-depth: 2 + + # If this run was triggered by a pull request event, then checkout + # the head of the pull request instead of the merge commit. + - run: git checkout HEAD^2 + if: ${{ github.event_name == 'pull_request' }} + + - name: Synopsys Intelligent Security Scan + id: prescription + uses: synopsys-sig/intelligent-security-scan@v1 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + stage: "IO" + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN + # is defined in settings + - name: Static Analysis with Polaris + if: ${{steps.prescription.outputs.sastScan == 'true' }} + run: | + export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} + export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} + wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip + unzip -j polaris_cli-linux64.zip -d /tmp + /tmp/polaris analyze -w + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work + - name: Software Composition Analysis with Black Duck + if: ${{steps.prescription.outputs.scaScan == 'true' }} + uses: blackducksoftware/github-action@v2 + with: + args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' + + - name: Synopsys Intelligent Security Scan + if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} + uses: synopsys-sig/intelligent-security-scan@v1 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} + --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} + stage: "WORKFLOW" + + - name: Upload SARIF file + if: ${{steps.prescription.outputs.sastScan == 'true' }} + uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: workflowengine-results.sarif.json diff --git a/icons/synopsys.svg b/icons/synopsys.svg new file mode 100644 index 0000000..764a3be --- /dev/null +++ b/icons/synopsys.svg @@ -0,0 +1 @@ + \ No newline at end of file From 93599e25052bb0825cd15e7fbec78289ce008d49 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran <71350204+rahulguna10@users.noreply.github.com> Date: Wed, 10 Mar 2021 08:22:45 -0500 Subject: [PATCH 2/6] Updated suggested changes in code-scanning/synopsys-io-actions.yml Co-authored-by: Nick Fyson --- code-scanning/synopsys-io-actions.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml index b5aa503..39ed12a 100644 --- a/code-scanning/synopsys-io-actions.yml +++ b/code-scanning/synopsys-io-actions.yml @@ -17,15 +17,6 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v2 - with: - # We must fetch at least the immediate parents so that if this is - # a pull request then we can checkout the head. - fetch-depth: 2 - - # If this run was triggered by a pull request event, then checkout - # the head of the pull request instead of the merge commit. - - run: git checkout HEAD^2 - if: ${{ github.event_name == 'pull_request' }} - name: Synopsys Intelligent Security Scan id: prescription From a74640c1ec12ff8eced90ca1e13436b09ff3975f Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran Date: Wed, 10 Mar 2021 08:53:33 -0500 Subject: [PATCH 3/6] updated suggested filename changes --- .../{synopsysio.properties.json => synopsys-io.properties.json} | 2 +- icons/{synopsys.svg => synopsys-io.svg} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename code-scanning/properties/{synopsysio.properties.json => synopsys-io.properties.json} (92%) rename icons/{synopsys.svg => synopsys-io.svg} (100%) diff --git a/code-scanning/properties/synopsysio.properties.json b/code-scanning/properties/synopsys-io.properties.json similarity index 92% rename from code-scanning/properties/synopsysio.properties.json rename to code-scanning/properties/synopsys-io.properties.json index 257357e..67aeb09 100644 --- a/code-scanning/properties/synopsysio.properties.json +++ b/code-scanning/properties/synopsys-io.properties.json @@ -2,6 +2,6 @@ "name": "Synopsys Intelligent Security Scan Action", "creator": "Synopsys", "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", - "iconName": "synopsys", + "iconName": "synopsys-io", "categories": ["Code Scanning"] } diff --git a/icons/synopsys.svg b/icons/synopsys-io.svg similarity index 100% rename from icons/synopsys.svg rename to icons/synopsys-io.svg From fe22e77a67382caac9adf68816cc67bc94e82be1 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran Date: Thu, 11 Mar 2021 13:18:53 -0500 Subject: [PATCH 4/6] changes for checklist items --- code-scanning/properties/synopsys-io.properties.json | 4 ++-- code-scanning/synopsys-io-actions.yml | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/synopsys-io.properties.json b/code-scanning/properties/synopsys-io.properties.json index 67aeb09..ea7fae7 100644 --- a/code-scanning/properties/synopsys-io.properties.json +++ b/code-scanning/properties/synopsys-io.properties.json @@ -1,7 +1,7 @@ { "name": "Synopsys Intelligent Security Scan Action", "creator": "Synopsys", - "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", + "description": "The Synopsys Intelligent Security Scan Action helps selectively perform SAST and SCA scans, triggered during a variety of GitHub Platform events", "iconName": "synopsys-io", - "categories": ["Code Scanning"] + "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "Ruby", "PHP", "Swift", "Kotlin" , "Python", "VB.NET", "Objective C"] } diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml index 39ed12a..edc3cbc 100644 --- a/code-scanning/synopsys-io-actions.yml +++ b/code-scanning/synopsys-io-actions.yml @@ -1,4 +1,9 @@ -name: "Synopsys Intelligent Security Scan" +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Synopsys Intelligent Security Scan on: push: From ba6a2f292c765fc881d0ffd3472e7101d74ec1e4 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran <71350204+rahulguna10@users.noreply.github.com> Date: Thu, 11 Mar 2021 21:33:39 -0500 Subject: [PATCH 5/6] Updated version to commit SHA --- code-scanning/synopsys-io-actions.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml index edc3cbc..7501726 100644 --- a/code-scanning/synopsys-io-actions.yml +++ b/code-scanning/synopsys-io-actions.yml @@ -25,7 +25,7 @@ jobs: - name: Synopsys Intelligent Security Scan id: prescription - uses: synopsys-sig/intelligent-security-scan@v1 + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 with: ioServerUrl: ${{secrets.IO_SERVER_URL}} ioServerToken: ${{secrets.IO_SERVER_TOKEN}} @@ -55,7 +55,7 @@ jobs: - name: Synopsys Intelligent Security Scan if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} - uses: synopsys-sig/intelligent-security-scan@v1 + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 with: ioServerUrl: ${{secrets.IO_SERVER_URL}} ioServerToken: ${{secrets.IO_SERVER_TOKEN}} From 5eb695baece07fb726877d04c0e98d3eeb0a63a5 Mon Sep 17 00:00:00 2001 From: Rahul Gunasekaran <71350204+rahulguna10@users.noreply.github.com> Date: Fri, 12 Mar 2021 12:23:28 -0500 Subject: [PATCH 6/6] Updated commit SHA Co-authored-by: Nick Fyson --- code-scanning/synopsys-io-actions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/synopsys-io-actions.yml b/code-scanning/synopsys-io-actions.yml index 7501726..9b5a080 100644 --- a/code-scanning/synopsys-io-actions.yml +++ b/code-scanning/synopsys-io-actions.yml @@ -49,7 +49,7 @@ jobs: # in order for this logic to work - name: Software Composition Analysis with Black Duck if: ${{steps.prescription.outputs.scaScan == 'true' }} - uses: blackducksoftware/github-action@v2 + uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38 with: args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"'