Skip to content
DevSecOps with Fortify ScanCentral

DevSecOps with Fortify ScanCentral #22

Sign in to view logs

DevSecOps with Fortify ScanCentral

DevSecOps with Fortify ScanCentral #22

Workflow file for this run

.github/workflows/scancentral.yml at 2769894
# Create GitHub Action Repository Variables for your version of the application:
# FORTIFY_BASE_URL should be the Fortify Base URL (e.g. https://ssc.uat.fortifyhosted.net)
# FORTIFY_PARENT_APPVER_NAME is the Fortify SSC Application Version Name corresponding to the parent branch of any newly created branch, this is typically "main" or "develop"
# FORTIFY_SCANCENTRAL_VERSION is the version of ScanCentral SAST Sensors being used
# Create GitHub Action Secrets for your version of the application:
# FORTIFY_SSC_TOKEN should be an SSC Authorization token (CIToken) obtained from your Fortify tenant.
# FORTIFY_CLIENT_AUTH_TOKEN should be the ScanCentral SAST Client Authentication token for your Fortify tenant.
name: DevSecOps with Fortify ScanCentral
on:
# Triggers the workflow on push or pull request events but only for the main or dev branches
# Commented out as we only want FoD workflow to trigger automatically
#push:
# paths-ignore:
# - '.github/**/**'
# - 'bin/**'
# - 'data/**'
# - 'etc/**'
# - 'tests/**'
# - 'README.md'
# - 'LICENSE'
# branches:
# - '**' # matches every branch
#pull_request:
# branches: [ main, develop ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
inputs:
runScanCentralSASTScan:
description: 'Carry out SAST scan using Fortify ScanCentral'
required: false
default: 'false'
runScanCentralDASTScan:
description: 'Carry out DAST scan using Fortify ScanCentral'
required: false
default: 'false'
deployApp:
description: 'Deploy App'
required: false
default: 'true'
# Global environment variables
env:
DEFAULT_APP_NAME: "IWA"
GRADLE_VERSION: "7.3"
jobs:
Build-And-Unit-Test:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# Setup JDK 11 on host
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '11'
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
with:
gradle-version: ${{ env.GRADLE_VERSION }}
# Build / Test with Gradle
- name: Build with Gradle
run: ./gradlew clean build test
# Publish test results
- name: Publish Test Results
uses: EnricoMi/publish-unit-test-result-action@v2
if: always()
with:
files: |
build/test-results/**/*.xml
build/test-results/**/*.trx
build/test-results/**/*.json
Quality-Gate:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Build-And-Unit-Test ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# TBD
ScanCentral-SAST-Scan:
runs-on: ubuntu-latest
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runScanCentralSASTScan == 'true') }}
needs: [ Quality-Gate ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
- name: Fortify App and Release Name
id: fortify-app-and-rel-name
uses: fortify-presales/github-actions/fortify-app-and-release-name@main
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: ${{ github.ref_name }}
app_name_postfix: ""
# Uncomment below to debug SSC App/App Version names
#- name: Print App and Release Name
# shell: bash
# run: |
# echo "SSC App Name: ${SSC_APP_NAME}"
# echo "SSC App Version Name: ${SSC_APPVER_NAME}"
# env:
# SSC_APP_NAME: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
# SSC_APPVER_NAME: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
# TODO: make sure release exists
#
- name: Run ScanCentral SAST Scan
uses: fortify/github-action@v1
with:
sast-scan: true
env:
SSC_URL: ${{ vars.FORTIFY_SSC_URL }}
SSC_TOKEN: ${{ secrets.FORTIFY_SSC_TOKEN }}
SC_SAST_TOKEN: ${{ secrets.FORTIFY_CLIENT_AUTH_TOKEN }}
# EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s
SSC_APPVERSION: ${{ format('{0}:{1}', steps.fortify-app-and-rel-name.outputs.app_name, steps.fortify-app-and-rel-name.outputs.release_name) }}
# EXTRA_PACKAGE_OPTS: -bf custom-pom.xml
SC_SAST_SENSOR_VERSION: ${{ vars.SCANCENTRAL_VERSION }}
DO_WAIT: true
#DO_EXPORT: true
# TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip
Deploy-App:
runs-on: ubuntu-latest
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.deployApp == 'true') }}
needs: [ Quality-Gate ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
- name: Deploy App
shell: bash
run: |
echo "Simulating deployment"
env:
SSC_APP_NAME: ${{ env.DEFAULT_APP_NAME }}
# TBD
Functional-Test:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Deploy-App ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# TBD
ScanCentral-DAST-Scan:
runs-on: ubuntu-latest
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runScanCentralDASTScan == 'true') }}
needs: [ Deploy-App ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
- name: Fortify App and Release Name
id: fortify-app-and-rel-name
uses: fortify-presales/github-actions/fortify-app-and-release-name@main
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: ${{ github.ref_name }}
app_name_postfix: ""
- name: Run ScanCentral DAST Scan
id: scancentral-dast-scan
uses: fortify-presales/github-actions/sc-dast-scan@main
with:
ssc_url: ${{ vars.FORTIFY_SSC_URL }}
ssc_token: ${{ secrets.FORTIFY_SSC_TOKEN }}
scan_settings_id: ${{ vars.FORTIFY_SCDAST_CICD_TOKEN }}
do_wait: true
Security-Gate:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ ScanCentral-SAST-Scan, ScanCentral-DAST-Scan ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
- name: Fortify App and Release Name
id: fortify-app-and-rel-name
uses: fortify-presales/github-actions/fortify-app-and-release-name@main
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: ${{ github.ref_name }}
- name: Verify SSC Security Policy
uses: fortify-presales/github-actions/verify-ssc-security-policy@main
with:
ssc_url: ${{ vars.FORTIFY_SSC_URL }}
ssc_token: ${{ secrets.FORTIFY_SSC_TOKEN }}
ssc_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
ssc_appversion_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
Release-To-Prod:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Quality-Gate, Security-Gate ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# TBD