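# Sample GitHub Actions workflow: package the source tree with Fortify
# ScanCentral Client, run a Fortify on Demand (FoD) SAST scan, export the
# findings as SARIF and upload them to GitHub Code Scanning.
# Runs on a Windows runner, so `run:` steps use PowerShell syntax.
name: FoD SAST Scan and Import - Windows sample

# NOTE: `on` looks like a YAML 1.1 boolean to generic parsers; GitHub's loader
# handles it, so it stays unquoted here.
on:
  # Manual trigger only. The pull_request branch further down never fires with
  # this trigger alone; add `pull_request:` here to scan pull requests as well.
  workflow_dispatch:

# Least-privilege token for the job: it only needs to read the repository and
# write Code Scanning results. Private repositories may additionally need
# `actions: read` for upload-sarif — confirm against the codeql-action docs.
permissions:
  contents: read
  security-events: write

jobs:
  FoD-SAST-Scan-And-Import:
    # Use the appropriate runner for building your source code.
    # For this example we use a Windows-based runner.
    runs-on: windows-latest
    steps:
      # Check out source code.
      # NOTE(review): the third-party actions below are referenced by major
      # version tag; pinning each `uses:` to a full commit SHA gives a stronger
      # supply-chain guarantee. Check each action's current major version too —
      # several of these tags are older majors.
      - name: Check Out Source Code
        uses: actions/checkout@v2
        with:
          # Fetch at least the immediate parents so that, if this is a pull
          # request, we can check out the head commit below.
          fetch-depth: 2

      # If this run was triggered by a pull request event, check out the head
      # of the pull request instead of the merge commit.
      - run: git checkout HEAD^2
        if: ${{ github.event_name == 'pull_request' }}

      # ScanCentral Client and the FoD Uploader (Universal CI Tool) need a Java
      # runtime; this sample installs Java 11. Quoted so YAML keeps it a string.
      - name: Setup Java
        uses: actions/setup-java@v1
        with:
          java-version: "11"

      # Prepare source + dependencies for upload.
      # Adjust the `scancentral package` options (e.g. `-bt mvn`) based on the
      # ScanCentral Client documentation and your project's tech stack(s).
      # ScanCentral Client downloads dependencies for Maven, Gradle and MSBuild
      # projects. For other build tools, add your own build commands to fetch
      # dependencies and prepare the package per the FoD Packaging documentation.
      - name: Download Fortify ScanCentral Client
        uses: fortify/gha-setup-scancentral-client@v2
      - name: Package Code + Dependencies
        run: scancentral package -bt mvn -o package.zip
      # Assumes `unzip` is on the runner's PATH — TODO confirm for windows-latest.
      - name: Show package contents
        run: unzip -v package.zip

      # Start the FoD SAST scan and wait until results complete.
      # Set the FOD_EIGHTBALL_* repository secrets for your FoD tenant first.
      - name: Download Fortify on Demand Universal CI Tool
        uses: fortify/gha-setup-fod-uploader@v1
      - name: Perform SAST Scan
        # FOD_UPLOAD_JAR is expected to be exported by the setup step above.
        # Credentials come from the step environment (populated from secrets)
        # rather than being written into the command line literally.
        run: java -jar ${env:FOD_UPLOAD_JAR} -z package.zip -aurl ${env:FOD_AURL} -purl ${env:FOD_PURL} -rid "${env:FOD_RELEASE_ID}" -tc "${env:FOD_TENANT}" -uc "${env:FOD_USER}" "${env:FOD_PAT}" -ep 2 -pp 0 -I 1 -apf
        env:
          FOD_AURL: ${{ secrets.FOD_EIGHTBALL_API_URL }}
          FOD_PURL: ${{ secrets.FOD_EIGHTBALL_BASE_URL }}
          FOD_TENANT: ${{ secrets.FOD_EIGHTBALL_TENANT }}
          FOD_USER: ${{ secrets.FOD_EIGHTBALL_USER }}
          FOD_PAT: ${{ secrets.FOD_EIGHTBALL_PAT }}
          FOD_RELEASE_ID: ${{ secrets.FOD_EIGHTBALL_RELEASE_ID }}

      # Once the scan completes, pull SAST issues from FoD and generate SARIF.
      - name: Export results to GitHub-optimized SARIF
        uses: fortify/gha-export-vulnerabilities@v1
        with:
          fod_base_url: ${{ secrets.FOD_EIGHTBALL_BASE_URL }}
          fod_tenant: ${{ secrets.FOD_EIGHTBALL_TENANT }}
          fod_user: ${{ secrets.FOD_EIGHTBALL_USER }}
          fod_password: ${{ secrets.FOD_EIGHTBALL_PAT }}
          fod_release_id: ${{ secrets.FOD_EIGHTBALL_RELEASE_ID }}

      # Import the FoD results into GitHub Security Code Scanning.
      # Requires the `security-events: write` permission granted above.
      - name: Import results to GitHub Security Code Scanning
        uses: github/codeql-action/upload-sarif@v1
        with:
          # Presumably the file written by the export step above — verify
          # against that action's output settings.
          sarif_file: ./gh-fortify-sast.sarif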