Skip to content

OSS SCA with Debricked #38

OSS SCA with Debricked

OSS SCA with Debricked #38

Workflow file for this run

# Create GitHub Action Secrets for your version of the application:
# DEBRICKEN_TOKEN should be an API Access Token from your Debricked tenant.
name: OSS SCA with Debricked
on:
# Triggers the workflow on push or pull request events but only for the main and dev branches
push:
paths:
- 'build.gradle'
branches:
- '**' # matches every branch
pull_request:
branches: [ main, develop ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
inputs:
runDebrickedScan:
description: 'Carry out SCA scan using Debricked'
required: true
default: 'true'
uploadToFoD:
description: 'Upload Debricked results to FoD'
required: false
default: 'true'
# Global environment variables
env:
DEFAULT_APP_NAME: "IWA"
GRADLE_VERSION: "7.3"
jobs:
Debricked-SCA:
runs-on: ubuntu-latest
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runDebrickedScan == 'true') }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# Java is required to run the various Fortify utilities.
# Setup JDK 11 on host
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '17'
# Install appropriate version of Gradle
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
with:
gradle-version: ${{ env.GRADLE_VERSION }}
# Install Fortify (if required)
- name: Setup Fortify tools
uses: fortify/github-action/[email protected]
with:
export-path: true
fcli: latest
# Run debricked scan
- name: Run debricked scan
# Normally you would comment the following out - this is for demo
continue-on-error: true
shell: bash
run: |
curl -L https://github.com/debricked/cli/releases/latest/download/cli_linux_x86_64.tar.gz | tar -xz debricked
chmod +x debricked
./debricked scan --callgraph --prefer-npm -r "${APP_NAME}" --access-token="${DEBRICKED_TOKEN}" -e "*/**.lock" -e "**/build/classes/test/**" -e "**/target/classes/test-classes/**" .
env:
APP_NAME: ${{ env.DEFAULT_APP_NAME }}
DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
Debricked-FoD-Import:
runs-on: ubuntu-latest
needs: [ Debricked-SCA ]
if: ${{ needs.Debricked-SCA.result == 'success' && ((github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.uploadToFoD == 'true')) }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# Java is required to run the various Fortify utilities.
# Setup JDK 11 on host
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '17'
# Install appropriate version of Gradle
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
with:
gradle-version: ${{ env.GRADLE_VERSION }}
# Install Fortify (if required)
- name: Setup Fortify tools
uses: fortify/github-action/setup@v1
with:
export-path: true
fcli: latest
debricked-cli: true
- name: Fortify App and Release Name
id: fortify-app-and-rel-name
uses: fortify-presales/github-actions/fortify-app-and-release-name@main
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: ${{ github.ref_name }}
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
- name: Import Debricked
shell: bash
run: |
fcli fod session login --url $FOD_API_URI --client-id $FOD_CLIENT_ID --client-secret $FOD_CLIENT_SECRET --session github-actions
fcli fod oss-scan import-debricked --release "${FOD_APP_NAME}:${FOD_RELEASE_NAME}" -r "${APP_NAME}" -t "${DEBRICKED_TOKEN}" -b "${BRANCH_NAME}" --chunk-size ${CHUNK_SIZE} --file sbom.json --session github-actions
fcli fod session logout --session github-actions
env:
APP_NAME: ${{ env.DEFAULT_APP_NAME }}
BRANCH_NAME: ${{ github.ref_name }}
DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
CHUNK_SIZE: "1073741824"
FOD_API_URI: ${{ vars.FOD_API_URL }}
FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }}
FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }}
FOD_APP_NAME: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
FOD_RELEASE_NAME: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}