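---
# Reusable workflow (workflow_call): runs a Fortify ScanCentral SAST scan on a
# self-hosted runner and uploads the results to SSC under the given
# application/version.
name: Fortify ScanCentral SAST Scan

# Least-privilege GITHUB_TOKEN: the only step that uses it is the checkout.
# A called workflow can never receive more than the caller grants, so this
# only caps, never widens, what the token can do.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  workflow_call:
    secrets:
      SSC_CI_TOKEN:
        description: 'CIToken for service account'
        required: true
      SC_CLIENT_TOKEN:
        description: 'ScanCentral Client token'
        required: true
      PAT_TOKEN:
        # Kept so existing callers that pass it keep working; no step below
        # references it.
        description: 'User PAT Token - to be removed'
        required: false
    inputs:
      APPLICATION:
        description: 'Application Name'
        type: string
        required: true
      VERSION:
        description: 'Application Version'
        type: string
        required: true
      BUILD_OPTS:
        description: 'Build Options'
        type: string
        required: false
        default: 'none'
      SC_CONTROLLER_URL:
        description: 'ScanCentral Controller URL'
        type: string
        required: false
        # Plain HTTP to an in-cluster service. The scancentral command below
        # sends its request (presumably including the -uptoken value) to this
        # URL, so callers reaching a controller outside the cluster should
        # override it with an https:// endpoint.
        default: 'http://fortify-scancentral-controller.fortify.svc.cluster.local:8080/scancentral-ctrl/'

jobs:
  # Choose the self-hosted runner label from the repository owner so the
  # scan job lands on the right runner pool.
  setup-correct-runner:
    runs-on: ubuntu-latest
    outputs:
      runner: ${{ steps.check_org_and_platform.outputs.runner }}
    steps:
      - name: Check Org and Platform
        id: check_org_and_platform
        env:
          # Passed through the environment instead of being interpolated
          # into the script, so the value is a quoted string to the shell
          # and can never be parsed as shell syntax (and an empty value no
          # longer breaks the test).
          REPO_OWNER: ${{ github.repository_owner }}
        run: |
          if [ "$REPO_OWNER" = 'SPHTech' ]; then
            echo "runner=sphtech-sec" >> "$GITHUB_OUTPUT"
          else
            echo "runner=sphtech-platform-sec" >> "$GITHUB_OUTPUT"
          fi

  Fortify-SAST:
    timeout-minutes: 120
    needs: setup-correct-runner
    runs-on:
      - self-hosted
      - ${{ needs.setup-correct-runner.outputs.runner }}
    steps:
      # NOTE(review): every action below is referenced by a mutable major tag
      # (@v4, @v1). Pinning each to a full commit SHA (with the tag in a
      # trailing comment) makes the action supply chain immutable.
      # Check out source code
      - name: Check Out Source Code
        uses: actions/checkout@v4
        with:
          # Fetch at least the immediate parents so that if this is a pull
          # request then we can checkout the head.
          fetch-depth: 2
      # If this run was triggered by a pull request event, then checkout the
      # head of the pull request instead of the merge commit.
      - run: git checkout HEAD^2
        if: ${{ github.event_name == 'pull_request' }}
      # Java is required to run ScanCentral Client, and may be required for
      # your build. Java version to use depends on the Java version required
      # to run your build (if any), and the Java version supported by the
      # ScanCentral Client version that you are running.
      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: zulu
          # Quoted so the version is always passed as a string.
          java-version: '11'
      ### Set up Fortify ScanCentral Client ###
      - name: Download Fortify ScanCentral Client
        uses: fortify/gha-setup-scancentral-client@v1
        with:
          # On-prem customers should specify a client version that matches
          # their ScanCentral environment. FoD customers usually should not
          # specify a version but rather rely on the default version.
          version: '22.1.0'
          # Optional, but required if ScanCentral Controller requires client
          # authentication.
          client-auth-token: ${{ secrets.SC_CLIENT_TOKEN }}
      ### Run Fortify ScanCentral Client ###
      # Update BUILD_OPTS based on the ScanCentral Client documentation and
      # your project's included tech stack(s). ScanCentral Client will
      # download dependencies for maven, gradle and msbuild projects. For
      # other build tools, add your build commands to the workflow to
      # download necessary dependencies and prepare according to Fortify SCA
      # documentation.
      # All values reach the command via env vars and are double-quoted, so
      # inputs and secrets are never interpolated into the shell line.
      - name: Perform SAST Scan
        run: scancentral -url "$SC_CONTROLLER_URL" start -bt "$BUILD_OPTS" -upload -application "$APPLICATION" -version "$VERSION" -uptoken "$SSC_CI_TOKEN"
        env:
          SC_CONTROLLER_URL: ${{ inputs.SC_CONTROLLER_URL }}
          SSC_CI_TOKEN: ${{ secrets.SSC_CI_TOKEN }}
          APPLICATION: ${{ inputs.APPLICATION }}
          VERSION: ${{ inputs.VERSION }}
          BUILD_OPTS: ${{ inputs.BUILD_OPTS }}
      ### Archive ScanCentral Client logs on failure ###
      # Logs are only collected when a previous step failed; they stay
      # attached to the run for 7 days.
      - name: Save ScanCentral Logs
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: scancentral-logs
          path: ~/.fortify/scancentral/log
          retention-days: 7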