Updated FAST scripts #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Create GitHub Action Repository Variables for your version of the application: | |
# FORTIFY_BASE_URL should be the Fortify Base URL (e.g. https://ssc.uat.fortifyhosted.net) | |
# FORTIFY_PARENT_APPVER_NAME is the Fortify SSC Application Version Name corresponding to the parent branch of any newly created branch, this is typically "main" or "develop" | |
# FORTIFY_SCANCENTRAL_VERSION is the version of ScanCentral SAST Sensors being used | |
# Create GitHub Action Secrets for your version of the application: | |
# FORTIFY_SSC_TOKEN should be an SSC Authorization token (CIToken) obtained from your Fortify tenant. | |
# FORTIFY_SCSAST_CLIENT_AUTH_TOKEN should be the ScanCentral SAST Client Authentication token for your Fortify tenant. | |
name: DevSecOps with Fortify ScanCentral | |
on: | |
# Triggers the workflow on push or pull request events but only for the main or dev branches | |
push: | |
paths-ignore: | |
- '.github/**/**' | |
- 'bin/**' | |
- 'data/**' | |
- 'etc/**' | |
- 'README.md' | |
- 'LICENSE' | |
branches: | |
- '**' # matches every branch | |
pull_request: | |
branches: [ main, develop ] | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
inputs: | |
runFortifySASTScan: | |
description: 'Carry out SAST scan using Fortify' | |
required: false | |
default: 'false' | |
runSonatypeScan: | |
description: 'Carry out SCA scan using Sonatype Nexus IQ' | |
required: false | |
default: 'false' | |
runFortifyDASTScan: | |
description: 'Carry out DAST scan using Fortify' | |
required: false | |
default: 'false' | |
deployApp: | |
description: 'Deploy App' | |
required: false | |
default: 'true' | |
# Global environment variables | |
env: | |
DEFAULT_APP_NAME: "IWA" | |
GRADLE_VERSION: "7.3" | |
jobs: | |
Build-And-Unit-Test: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head. | |
fetch-depth: 2 | |
# Setup JDK 11 on host | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: '11' | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@v3 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION }} | |
# Build / Test with Gradle | |
- name: Build with Gradle | |
run: ./gradlew clean build test | |
# Publish test results | |
- name: Publish Test Results | |
uses: EnricoMi/publish-unit-test-result-action@v2 | |
if: always() | |
with: | |
files: | | |
build/test-results/**/*.xml | |
build/test-results/**/*.trx | |
build/test-results/**/*.json | |
Sonatype-SCA: | |
runs-on: ubuntu-latest | |
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runSonatypeScan == 'true') }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head. | |
fetch-depth: 2 | |
# Setup JDK 11 on host | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: '11' | |
# TBD | |
Quality-Gate: | |
runs-on: ubuntu-latest | |
if: ${{ always() }} | |
needs: [ Build-And-Unit-Test, Sonatype-SCA ] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head. | |
fetch-depth: 2 | |
# Setup JDK 11 on host | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: '11' | |
# TBD | |
Fortify-SAST-Scan: | |
runs-on: ubuntu-latest | |
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runFortifySASTScan == 'true') }} | |
needs: [ Quality-Gate ] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head. | |
fetch-depth: 2 | |
# Setup JDK 11 on host | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: '11' | |
- name: Fortify App and Release Name | |
id: fortify-app-and-rel-name | |
uses: fortify-presales/github-actions/fortify-app-and-release-name@main | |
with: | |
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }} | |
default_fortify_release_name: ${{ github.ref_name }} | |
app_name_postfix: "" | |
# Uncomment below to debug SSC App/App Version names | |
#- name: Print App and Release Name | |
# shell: bash | |
# run: | | |
# echo "SSC App Name: ${SSC_APP_NAME}" | |
# echo "SSC App Version Name: ${SSC_APPVER_NAME}" | |
# env: | |
# SSC_APP_NAME: ${{ steps.fortify-app-and-rel-name.outputs.app_name }} | |
# SSC_APPVER_NAME: ${{ steps.fortify-app-and-rel-name.outputs.release_name }} | |
# TODO: make sure release exists | |
# | |
- name: Run ScanCentral SAST Scan | |
uses: fortify/github-action@v1 | |
with: | |
sast-scan: true | |
env: | |
SSC_URL: ${{ vars.SSC_URL }} | |
SSC_TOKEN: ${{ secrets.SSC_TOKEN }} | |
SC_SAST_TOKEN: ${{ secrets.CLIENT_AUTH_TOKEN }} | |
# EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s | |
SSC_APPVERSION: ${{ format('{0}:{1}', steps.fortify-app-and-rel-name.outputs.app_name, steps.fortify-app-and-rel-name.outputs.release_name) }} | |
# EXTRA_PACKAGE_OPTS: -bf custom-pom.xml | |
SC_SAST_SENSOR_VERSION: ${{ vars.SCANCENTRAL_VERSION }} | |
DO_WAIT: true | |
#DO_EXPORT: true | |
# TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip | |
Deploy-App: | |
runs-on: ubuntu-latest | |
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.deployApp == 'true') }} | |
needs: [ Quality-Gate ] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head. | |
fetch-depth: 2 | |
- name: Deploy App | |
shell: bash | |
run: | | |
echo "Simulating deployment" | |
env: | |
FOD_APP_NAME: ${{ env.DEFAULT_APP_NAME }} | |
# TBD | |
Fortify-DAST-Scan: | |
runs-on: ubuntu-latest | |
if: ${{ (github.event.inputs.runFortifyDASTScan == 'true') }} | |
needs: [ Deploy-App ] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head. | |
fetch-depth: 2 | |
# Setup JDK 11 on host | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: '11' | |
# TBD | |
Security-Gate: | |
runs-on: ubuntu-latest | |
if: ${{ always() }} | |
needs: [ Fortify-SAST-Scan, Fortify-DAST-Scan ] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head. | |
fetch-depth: 2 | |
# Setup JDK 11 on host | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: '11' | |
# TBD | |
Release-To-Prod: | |
runs-on: ubuntu-latest | |
if: ${{ always() }} | |
needs: [ Quality-Gate, Security-Gate ] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head. | |
fetch-depth: 2 | |
# TBD |