OSS SCA with Debricked #38
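# Create GitHub Action Secrets for your version of the application:
# DEBRICKED_TOKEN should be an API Access Token from your Debricked tenant.
# The FoD import job additionally reads the FOD_CLIENT_ID / FOD_CLIENT_SECRET secrets
# and the FOD_API_URL / FORTIFY_APP_NAME_POSTFIX repository variables referenced below.
name: OSS SCA with Debricked

on:
  # Triggers on pushes that change build.gradle (on any branch), on pull requests
  # targeting main/develop, and on manual dispatch from the Actions tab.
  push:
    paths:
      - 'build.gradle'
    branches:
      - '**'  # matches every branch
  pull_request:
    branches: [main, develop]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
    inputs:
      runDebrickedScan:
        description: 'Carry out SCA scan using Debricked'
        required: true
        default: 'true'
      uploadToFoD:
        description: 'Upload Debricked results to FoD'
        required: false
        default: 'true'

# Least-privilege GITHUB_TOKEN: nothing in this workflow writes back to the
# repository, so read-only is enough. A job can re-declare `permissions` if it
# ever needs more.
permissions:
  contents: read

# Global environment variables
env:
  DEFAULT_APP_NAME: "IWA"
  GRADLE_VERSION: "7.3"

jobs:
  Debricked-SCA:
    runs-on: ubuntu-latest
    if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runDebrickedScan == 'true') }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
          fetch-depth: 2
      # Java is required to run the various Fortify utilities.
      # Setup JDK 17 on host
      - uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '17'
      # Install appropriate version of Gradle
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3
        with:
          gradle-version: ${{ env.GRADLE_VERSION }}
      # Install Fortify (if required)
      - name: Setup Fortify tools
        # NOTE(review): the action ref on this line was garbled in the source
        # ("[email protected]"); "@v1" matches the sibling job below — confirm
        # the intended pin (ideally a full commit SHA) before relying on it.
        uses: fortify/github-action/setup@v1
        with:
          export-path: true
          fcli: latest
      # Run debricked scan
      - name: Run debricked scan
        # Normally you would comment the following out - this is for demo
        continue-on-error: true
        shell: bash
        run: |
          # -f makes curl fail on an HTTP error instead of piping an error page into tar;
          # -sS keeps the download quiet but still reports failures.
          # "latest" is a floating ref and nothing verifies the archive: pin a release tag
          # and check its published checksum before trusting the binary with DEBRICKED_TOKEN.
          curl -fsSL https://github.com/debricked/cli/releases/latest/download/cli_linux_x86_64.tar.gz | tar -xz debricked
          chmod +x debricked
          ./debricked scan --callgraph --prefer-npm -r "${APP_NAME}" --access-token="${DEBRICKED_TOKEN}" -e "*/**.lock" -e "**/build/classes/test/**" -e "**/target/classes/test-classes/**" .
        env:
          APP_NAME: ${{ env.DEFAULT_APP_NAME }}
          # Secrets are passed through env rather than interpolated into the script text.
          DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}

  Debricked-FoD-Import:
    runs-on: ubuntu-latest
    needs: [Debricked-SCA]
    # Because the scan step above runs with continue-on-error, Debricked-SCA reports
    # 'success' even when the scan itself failed; this gate only becomes meaningful
    # once that flag is removed.
    if: ${{ needs.Debricked-SCA.result == 'success' && ((github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.uploadToFoD == 'true')) }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
          fetch-depth: 2
      # Java is required to run the various Fortify utilities.
      # Setup JDK 17 on host
      - uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '17'
      # Install appropriate version of Gradle
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3
        with:
          gradle-version: ${{ env.GRADLE_VERSION }}
      # Install Fortify (if required)
      - name: Setup Fortify tools
        uses: fortify/github-action/setup@v1
        with:
          export-path: true
          fcli: latest
          debricked-cli: true
      - name: Fortify App and Release Name
        id: fortify-app-and-rel-name
        # "@main" is a mutable ref: the code this step runs can change without any
        # change to this workflow. Prefer a release tag or full commit SHA.
        uses: fortify-presales/github-actions/fortify-app-and-release-name@main
        with:
          default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
          # On pull_request events github.ref_name is "<pr-number>/merge", not the
          # source branch; github.head_ref carries the branch and is empty on push.
          default_fortify_release_name: ${{ github.head_ref || github.ref_name }}
          app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
      - name: Import Debricked
        shell: bash
        run: |
          fcli fod session login --url "${FOD_API_URI}" --client-id "${FOD_CLIENT_ID}" --client-secret "${FOD_CLIENT_SECRET}" --session github-actions
          # Log out even if the import fails, so the session does not outlive the step.
          trap 'fcli fod session logout --session github-actions' EXIT
          fcli fod oss-scan import-debricked --release "${FOD_APP_NAME}:${FOD_RELEASE_NAME}" -r "${APP_NAME}" -t "${DEBRICKED_TOKEN}" -b "${BRANCH_NAME}" --chunk-size "${CHUNK_SIZE}" --file sbom.json --session github-actions
        env:
          APP_NAME: ${{ env.DEFAULT_APP_NAME }}
          # Same pull_request caveat as the release name above.
          BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
          DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
          CHUNK_SIZE: "1073741824"
          FOD_API_URI: ${{ vars.FOD_API_URL }}
          FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }}
          FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }}
          FOD_APP_NAME: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
          FOD_RELEASE_NAME: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}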