This repository has been archived by the owner on Feb 15, 2023. It is now read-only.

Enable srcclr scanning (#3)
ryan-d-campbell authored Sep 24, 2020
1 parent b520e26 commit 963db1a
Showing 6 changed files with 53 additions and 15 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/main.yml
Expand Up @@ -36,3 +36,5 @@ jobs:
vkey: '${{ secrets.VERACODE_KEY }}'
appname: '${{ secrets.VERACODE_APPNAME }}'
sandboxname: 'DH-Veracode-Scan-And-Upload'
srcclr: true
srcclrtoken: '${{ secrets.SRCCLR_API_TOKEN }}'
5 changes: 2 additions & 3 deletions Dockerfile
@@ -1,7 +1,6 @@
# Container image that runs your code
FROM openjdk:8-jre-alpine

RUN apk --no-cache add curl
## srcclr agent doesn't support alpine
FROM openjdk:8

# Copies your code file from your action repository to the filesystem path `/` of the container
COPY entrypoint.sh /entrypoint.sh
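Review bot: the move to `FROM openjdk:8` is what lets the entrypoint hardcode `/usr/local/openjdk-8/bin/java`, so the image layout and the script are now coupled, and `openjdk:8` is a floating tag: a rebuild can pull a different Debian base and change the runtime (and the curl the entrypoint relies on, now that `RUN apk --no-cache add curl` is gone) without any change in this repo. Pin the tag, ideally with a digest, and keep invoking `java` from PATH so the script does not break on the next base image; the `## srcclr agent doesn't support alpine` comment should also use the file's single `#` style and say explicitly that curl comes from the Debian base.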
11 changes: 10 additions & 1 deletion README.md
Expand Up @@ -29,7 +29,14 @@ This action runs the Veracode Java Wrapper's 'upload and scan' action.
**Required:** Veracode API key.

### `sandboxname`
**Required:** The name of the sandbox that you would like to send the scan.
**Optional:** If you would rather send your scan to a sandbox.

### `srcclr`
**Optional:** Enable scanning this project with the srcclr agent. Currently only validated support for python
**Default:** false

### `srcclrtoken`
**Optional:** Token for access to srcclr. Only used when `srcclr = true`.

## Example usage

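Review bot: `sandboxname` is documented here as **Optional**, but `action.yml` in this same commit still declares it `required: true` (visible as unchanged context in the inputs hunk), so the README and the action metadata disagree; either change the input to `required: false` or keep the README wording as required. The `srcclr` entry should also end with a period and spell out what "only validated support for python" means in practice, since the entrypoint runs the agent on whatever is in the workspace regardless of language, and `srcclrtoken` should state that it is a secret and belongs in `secrets`, as the example below shows.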
Expand All @@ -49,5 +56,7 @@ The veracode credentials are read from github secrets. NEVER STORE YOUR SECRETS
filepath: 'folder_to_upload/'
vid: '${{ secrets.VERACODE_ID }}'
vkey: '${{ secrets.VERACODE_KEY }}'
srcclrtoken: '${{ secrets.SRCCLR_API_TOKEN }}'
sandboxname: sandbox_to_send_scan
srcclr: true
```
10 changes: 10 additions & 0 deletions action.yml
Expand Up @@ -25,6 +25,14 @@ inputs:
sandboxname: # id of input
description: 'sandboxname'
required: true
srcclr: # id of input
description: 'enable srcclr scans'
required: false
default: false
srcclrtoken: # id of input
description: 'srcclr verification token'
required: false
default: very_secure_token
# outputs:
# time: # id of output
# description: 'The time we greeted you'
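Review bot: `default: very_secure_token` for `srcclrtoken` is the wrong shape for a credential input: every caller that omits the input ships a fake token that looks real, the entrypoint exports it as `SRCCLR_API_TOKEN`, and the agent fails with an authentication error instead of a clear "no token configured" message. Use `default: ''` and have the entrypoint fail fast when `srcclr` is true and the token is empty; the description `'srcclr verification token'` should also say what it is, the SourceClear API token used for authentication.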
Expand All @@ -39,3 +47,5 @@ runs:
- ${{ inputs.vid }}
- ${{ inputs.vkey }}
- ${{ inputs.sandboxname }}
- ${{ inputs.srcclr }}
- ${{ inputs.srcclrtoken }}
40 changes: 29 additions & 11 deletions entrypoint.sh
@@ -1,4 +1,4 @@
#!/bin/sh -l
#!/bin/bash -l

appname=$1
createprofile=$2
Expand All @@ -7,8 +7,12 @@ version=$4
vid=$5
vkey=$6
sandboxname=$7
srcclr=$8

export SRCCLR_API_TOKEN=$9

echo "appname: $appname"
echo "sandboxname: $sandboxname"
echo "createprofile: $createprofile"
echo "filepath: $filepath"
echo "version: $version"
Expand All @@ -20,14 +24,28 @@ javawrapperversion=$(curl https://repo1.maven.org/maven2/com/veracode/vosp/api/w

echo "javawrapperversion: $javawrapperversion"

# Building jar execution command
veracodejavaapicmd='/usr/local/openjdk-8/bin/java -jar VeracodeJavaAPI.jar -action UploadAndScan -autoscan true'

# if $var is set: add flag & value
[ ! -z "$appname" ] && veracodejavaapicmd+=' -appname "$appname"'
[ ! -z "$createprofile" ] && veracodejavaapicmd+=' -createprofile "$createprofile"'
[ ! -z "$filepath" ] && veracodejavaapicmd+=' -filepath "$filepath"'
[ ! -z "$version" ] && veracodejavaapicmd+=' -version "$version"'
[ ! -z "$vid" ] && veracodejavaapicmd+=' -vid "$vid"'
[ ! -z "$vkey" ] && veracodejavaapicmd+=' -vkey "$vkey"'
[ ! -z "$sandboxname" ] && veracodejavaapicmd+=' -sandboxname "$sandboxname"'

curl -sS -o VeracodeJavaAPI.jar "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/$javawrapperversion/vosp-api-wrappers-java-$javawrapperversion.jar"
java -jar VeracodeJavaAPI.jar \
-action UploadAndScan \
-appname "$appname" \
-createprofile "$createprofile" \
-filepath "$filepath" \
-version "$version" \
-vid "$vid" \
-vkey "$vkey" \
-sandboxname "$sandboxname" \
-autoscan true

# Execute the command
eval $veracodejavaapicmd

if $srcclr
then
apt-get update -y
apt-get install -y python3 python3-pip
update-alternatives --install /usr/bin/pip pip /usr/bin/pip3 1
pip install --upgrade pip
curl -sSL https://download.sourceclear.com/ci.sh | sh -s scan
fi
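Review bot: two hardening points in the new command-building and scan block. `eval $veracodejavaapicmd` is unquoted, so the assembled string is word-split and glob-expanded before `eval` reparses it; now that the script is bash, an array removes the need for `eval` altogether, e.g. `cmd=(java -jar VeracodeJavaAPI.jar -action UploadAndScan -autoscan true)`, `[ -n "$appname" ] && cmd+=(-appname "$appname")`, then run `"${cmd[@]}"`. `curl -sSL https://download.sourceclear.com/ci.sh | sh -s scan` executes a remote script with no version pin or checksum, and because the script has no `set -e`, a failed Veracode upload is masked by whatever exit status the later `apt-get` and scan steps return. Also, `if $srcclr` executes the input's value as a command (an empty value takes the branch, an unexpected value prints "command not found"); `if [ "$srcclr" = "true" ]` is the intended test, and the `apt-get`/`pip` installs belong in the Dockerfile rather than in every run.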
Empty file added requirements.txt
