-
-
Notifications
You must be signed in to change notification settings - Fork 0
81 lines (73 loc) · 3.76 KB
/
FortifyOnDemandScan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
name: Fortify on Demand SAST Scan
on:
workflow_dispatch:
push:
branches: [master]
pull_request:
# The branches below must be a subset of the branches above
branches: [master]
jobs:
FoD-SAST-Scan:
# Use the appropriate runner for building your source code.
# Use Windows runner for projects that use msbuild. Additional changes to RUN commands will be required.
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v2
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# If this run was triggered by a pull request event, then checkout the head of the pull request instead of the merge commit.
- run: git checkout HEAD^2
if: ${{ github.event_name == 'pull_request' }}
# Java is required to run ScanCentral Client, and may be required for your build
# Java version to use depends on the Java version required to run your build (if any),
# and the Java version supported by the ScanCentral Client version that you are running
- name: Setup Java
uses: actions/setup-java@v1
with:
java-version: 17
distribution: 'zulu'
# Prepare source+dependencies for upload.
# Update PACKAGE_OPTS based on the ScanCentral Client documentation and your project's included tech stack(s).
# ScanCentral Client will download dependencies for maven, gradle and msbuild projects.
# For other build tools, add your build commands to the workflow to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
- name: Download Fortify ScanCentral Client
uses: fortify/[email protected]
- name: Package Code + Dependencies
run: scancentral package $PACKAGE_OPTS -o package.zip
env:
PACKAGE_OPTS: "-bt mvn"
# Start Fortify on Demand SAST scan. Be sure to set secrets/variables for your desired configuration.
- name: Download Fortify on Demand Universal CI Tool
uses: fortify/gha-setup-fod-uploader@v1
- name: Perform SAST Scan
run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
env:
FOD_TENANT: ${{ secrets.FOD_TENANT }}
FOD_USER: ${{ secrets.FOD_USER }}
FOD_PAT: ${{ secrets.FOD_PAT }}
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
FOD_URL: "https://emea.fortify.com/"
FOD_API_URL: "https://api.emea.fortify.com/"
FOD_UPLOADER_OPTS: "-ep 2 -pp 0"
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
# Pull SAST issues from Fortify on Demand and generate GitHub-optimized SARIF output
#- name: Export Results
#uses: fortify/gha-export-vulnerabilities@v1
#with:
#fod_base_url: "https://emea.fortify.com/"
#fod_tenant: ${{ secrets.FOD_TENANT }}
#fod_user: ${{ secrets.FOD_USER }}
#fod_password: ${{ secrets.FOD_PAT }}
#fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
# Import Fortify SAST results to GitHub Security Code Scanning
#- name: Import Results
#uses: github/codeql-action/upload-sarif@v2
#with:
#sarif_file: ./gh-fortify-sast.sarif