diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 84edce1..7f0ae9e 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -36,3 +36,5 @@ jobs:
 vkey: '${{ secrets.VERACODE_KEY }}'
 appname: '${{ secrets.VERACODE_APPNAME }}'
 sandboxname: 'DH-Veracode-Scan-And-Upload'
+ srcclr: true
+ srcclrtoken: '${{ secrets.SRCCLR_API_TOKEN }}'
diff --git a/Dockerfile b/Dockerfile
index af34be5..92b0c29 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,6 @@
 # Container image that runs your code
-FROM openjdk:8-jre-alpine
-
-RUN apk --no-cache add curl
+## srcclr agent doesn't support alpine
+FROM openjdk:8
 # Copies your code file from your action repository to the filesystem path `/` of the container
 COPY entrypoint.sh /entrypoint.sh
diff --git a/README.md b/README.md
index 2cc8835..1e9b1fd 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,14 @@ This action runs the Veracode Java Wrapper's 'upload and scan' action.
 **Required:** Veracode API key.
 ### `sandboxname`
-**Required:** The name of the sandbox that you would like to send the scan.
+**Optional:** If you would rather send your scan to a sandbox.
+
+### `srcclr`
+**Optional:** Enable scanning this project with the srcclr agent. Currently only validated support for python
+**Default:** false
+
+### `srcclrtoken`
+**Optional:** Token for access to srcclr. Only used when `srcclr = true`.
 ## Example usage
@@ -49,5 +56,7 @@ The veracode credentials are read from github secrets. NEVER STORE YOUR SECRETS
 filepath: 'folder_to_upload/'
 vid: '${{ secrets.VERACODE_ID }}'
 vkey: '${{ secrets.VERACODE_KEY }}'
+ srcclrtoken: '${{ secrets.SRCCLR_API_TOKEN }}'
 sandboxname: sandbox_to_send_scan
+ srcclr: true
 ```
diff --git a/action.yml b/action.yml
index c9316bb..a43f1e0 100644
--- a/action.yml
+++ b/action.yml
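Review bot: The new `FROM openjdk:8` line is not pinned to a digest, and the deleted `RUN apk --no-cache add curl` gets no Debian counterpart even though entrypoint.sh still calls curl, so the build now relies on whatever the floating tag happens to ship. Pin the base image, e.g. `FROM openjdk:8@sha256:<digest-placeholder>`, and install what the entrypoint needs at build time, `RUN apt-get update && apt-get install -y --no-install-recommends curl python3 python3-pip && rm -rf /var/lib/apt/lists/*`, rather than running apt-get on every action invocation as the entrypoint change does. That keeps the package set in a reviewable, cacheable layer instead of in the job log.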
@@ -25,6 +25,14 @@ inputs:
 sandboxname: # id of input
 description: 'sandboxname'
 required: true
+ srcclr: # id of input
+ description: 'enable srcclr scans'
+ required: false
+ default: false
+ srcclrtoken: # id of input
+ description: 'srcclr verification token'
+ required: false
+ default: very_secure_token
 # outputs:
 # time: # id of output
 # description: 'The time we greeted you'
@@ -39,3 +47,5 @@ runs:
 - ${{ inputs.vid }}
 - ${{ inputs.vkey }}
 - ${{ inputs.sandboxname }}
+ - ${{ inputs.srcclr }}
+ - ${{ inputs.srcclrtoken }}
diff --git a/entrypoint.sh b/entrypoint.sh
index 528e5dd..841c154 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/sh -l
+#!/bin/bash -l
 appname=$1
 createprofile=$2
@@ -7,8 +7,12 @@ version=$4
 vid=$5
 vkey=$6
 sandboxname=$7
+srcclr=$8
+
+export SRCCLR_API_TOKEN=$9
 echo "appname: $appname"
+echo "sandboxname: $sandboxname"
 echo "createprofile: $createprofile"
 echo "filepath: $filepath"
 echo "version: $version"
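Review bot: `default: very_secure_token` gives the secret input a placeholder that looks like a real credential; when a caller enables `srcclr` without setting `srcclrtoken`, that string is exported as SRCCLR_API_TOKEN and handed to the scan agent instead of failing early. Use an empty default, `default: ''`, let the entrypoint reject an empty token when srcclr is on, and say in the description that the token is required whenever `srcclr` is true. Quoting `default: 'false'` would also match the quoting style of the other string-valued inputs in this file.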
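Review bot: `- ${{ inputs.srcclrtoken }}` passes the API token as a positional container argument, which exposes it on the container's command line (process listings, `docker inspect`) rather than only in the environment where the agent reads it. Since entrypoint.sh does nothing with it except export SRCCLR_API_TOKEN, supply it through the `runs:` block instead, `env:` with `  SRCCLR_API_TOKEN: ${{ inputs.srcclrtoken }}`, and drop the `$9` export; vid/vkey already travel as args, but the new secret need not copy that pattern. The `runs:` mapping that owns this args list starts outside the hunk.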
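Review bot: `srcclr=$8` and `export SRCCLR_API_TOKEN=$9` are the only record of how these positions map to the args list in action.yml, and `$9` is the last single-digit positional parameter, so a comment such as `# $8/$9 = action.yml inputs srcclr / srcclrtoken; a further input must use ${10}` would prevent a silent off-by-one later. It is also worth stating why the token, unlike the inputs echoed below it, is not printed, e.g. `# never echo SRCCLR_API_TOKEN; it would land in the job log`, so a future debug line does not leak it.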
@@ -20,14 +24,28 @@ javawrapperversion=$(curl https://repo1.maven.org/maven2/com/veracode/vosp/api/w
 echo "javawrapperversion: $javawrapperversion"
+# Building jar execution command
+veracodejavaapicmd='/usr/local/openjdk-8/bin/java -jar VeracodeJavaAPI.jar -action UploadAndScan -autoscan true'
+
+# if $var is set: add flag & value
+[ ! -z "$appname" ] && veracodejavaapicmd+=' -appname "$appname"'
+[ ! -z "$createprofile" ] && veracodejavaapicmd+=' -createprofile "$createprofile"'
+[ ! -z "$filepath" ] && veracodejavaapicmd+=' -filepath "$filepath"'
+[ ! -z "$version" ] && veracodejavaapicmd+=' -version "$version"'
+[ ! -z "$vid" ] && veracodejavaapicmd+=' -vid "$vid"'
+[ ! -z "$vkey" ] && veracodejavaapicmd+=' -vkey "$vkey"'
+[ ! -z "$sandboxname" ] && veracodejavaapicmd+=' -sandboxname "$sandboxname"'
+
 curl -sS -o VeracodeJavaAPI.jar "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/$javawrapperversion/vosp-api-wrappers-java-$javawrapperversion.jar"
-java -jar VeracodeJavaAPI.jar \
- -action UploadAndScan \
- -appname "$appname" \
- -createprofile "$createprofile" \
- -filepath "$filepath" \
- -version "$version" \
- -vid "$vid" \
- -vkey "$vkey" \
- -sandboxname "$sandboxname" \
- -autoscan true
+
+# Execute the command
+eval $veracodejavaapicmd
+
+if $srcclr
+then
+ apt-get update -y
+ apt-get install -y python3 python3-pip
+ update-alternatives --install /usr/bin/pip pip /usr/bin/pip3 1
+ pip install --upgrade pip
+ curl -sSL https://download.sourceclear.com/ci.sh | sh -s scan
+fi
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..e69de29
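Review bot: `if $srcclr` executes whatever the srcclr input contains as a command name, and `eval $veracodejavaapicmd` re-parses every input value at run time, so a value holding a double quote breaks out of the `"$var"` quoting and the remainder runs as shell; both go away by comparing the flag as a string and building the command as a bash array, which the new bash shebang makes available. The block should also fail fast when srcclr is on but SRCCLR_API_TOKEN is empty, instead of installing Python and running the agent with no credential. `curl -sSL https://download.sourceclear.com/ci.sh | sh -s scan` and `pip install --upgrade pip` fetch and execute unpinned code on every run; pinning an agent version or verifying the download, and moving the package install into the Dockerfile, would narrow that. Rewritten below; the javawrapperversion lookup and the jar download are unchanged.
```shell
# Build the wrapper invocation as an array so each value stays one argument (no eval)
veracodejavaapicmd=(/usr/local/openjdk-8/bin/java -jar VeracodeJavaAPI.jar -action UploadAndScan -autoscan true)

# if $var is set: add flag & value
[ -n "$appname" ] && veracodejavaapicmd+=(-appname "$appname")
[ -n "$createprofile" ] && veracodejavaapicmd+=(-createprofile "$createprofile")
[ -n "$filepath" ] && veracodejavaapicmd+=(-filepath "$filepath")
[ -n "$version" ] && veracodejavaapicmd+=(-version "$version")
[ -n "$vid" ] && veracodejavaapicmd+=(-vid "$vid")
[ -n "$vkey" ] && veracodejavaapicmd+=(-vkey "$vkey")
[ -n "$sandboxname" ] && veracodejavaapicmd+=(-sandboxname "$sandboxname")

# … unchanged: curl download of VeracodeJavaAPI.jar …

# Execute the command
"${veracodejavaapicmd[@]}"

# Only the literal string "true" enables the agent; anything else is treated as off
if [ "$srcclr" = "true" ]
then
  if [ -z "$SRCCLR_API_TOKEN" ]; then
    echo "srcclr is enabled but srcclrtoken is empty" >&2
    exit 1
  fi
  # … unchanged: apt-get / pip setup and the agent scan …
fi
```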