Skip to content

OSS SCA with Debricked #15

OSS SCA with Debricked

OSS SCA with Debricked #15

Workflow file for this run

# Create GitHub Action Secrets for your version of the application:
# DEBRICKEN_TOKEN should be an API Access Token from your Debricked tenant.
#
# If importing results into FoD:
# Create GitHub Action Repository Variables for your version of the application:
# FOD_BASE_URL should be FoD BASE URL for your tenant (e.g. https://ams.fortify.com)
# FOD_API_URL should be FoD API URL for your tenant (e.g. https://api.ams,fortify.com)
# FOD_PARENT_RELEASE_NAME is the FoD release name corresponding to the parent branch of any newly created branch, this is typically "main" or "develop"
# Create GitHub Action Secrets for your version of the application:
# FOD_CLIENT_ID should be an API Key obtained from your FoD tenant.
# FOD_CLIENT_SECRET should be the secret for the API Key obtained for your FoD tenant.
# If importing results into SSC:
name: OSS SCA with Debricked
on:
# Triggers the workflow on push or pull request events but only for the main and develop branches
push:
paths:
- '.github\**\*'
- 'pom.xml'
#- 'build.gradle'
#- 'frontend/build.gradle'
- 'frontend/package.json'
- 'libs/**'
branches:
- '**' # matches every branch
pull_request:
branches: [ main, develop ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
inputs:
runDebrickedScan:
description: 'Carry out SCA scan using Debricked'
required: true
default: 'true'
uploadToFoD:
description: 'Upload Debricked results to FoD'
required: false
default: 'false'
uploadToSSC:
description: 'Upload Debricked results to SSC'
required: false
default: 'false'
# Global environment variables
env:
DEFAULT_APP_NAME: "DebrickedDemoApp"
DEFAULT_CHUNK_SIZE: "1073741824"
jobs:
Debricked-SCA:
runs-on: ubuntu-latest
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runDebrickedScan == 'true') }}
steps:
- name: Setup Maven Action
uses: s4u/[email protected]
with:
java-version: '17'
java-distribution: 'temurin'
- name: Setup Fortify tools
uses: fortify/github-action/setup@v1
with:
export-path: true
fcli: latest
debricked-cli: latest
# Note: we are excluding Gradle and using Maven so that we can use callgraph
- name: Run debricked scan
shell: bash
run: |
debricked scan --callgraph --prefer-npm -r "${DEFAULT_APP_NAME}" --access-token="${DEBRICKED_TOKEN}" -e "**/build.gradle" -e "**/node_modules/**" -e "*/**.lock" -e "**/build/classes/test/**" -e "**/target/classes/test-classes/**" .
env:
APP_NAME: ${{ env.DEFAULT_APP_NAME }}
DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
Debricked-FoD-Import:
runs-on: ubuntu-latest
needs: [ Debricked-SCA ]
if: ${{ (always() && ((github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.uploadToFoD == 'true'))) }}
steps:
- name: Setup Maven Action
uses: s4u/[email protected]
with:
java-version: '17'
java-distribution: 'temurin'
- name: Setup Fortify tools
uses: fortify/github-action/setup@v1
with:
export-path: true
fcli: latest
- name: Import Debricked
shell: bash
run: |
fcli fod session login --url $FOD_API_URI --client-id $FOD_CLIENT_ID --client-secret $FOD_CLIENT_SECRET --session github-actions
fcli fod oss-scan import-debricked --release "${FOD_RELEASE_ID}" -r "${APP_NAME}" -t "${DEBRICKED_TOKEN}" -b "${BRANCH_NAME}" --chunk-size ${CHUNK_SIZE} --file sbom.json --session github-actions
fcli fod session logout --session github-actions
env:
APP_NAME: ${{ env.DEFAULT_APP_NAME }}
BRANCH_NAME: ${{ github.ref_name }}
DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
CHUNK_SIZE: ${{ env.DEFAULT_CHUNK_SIZE }}
FOD_API_URI: ${{ vars.FOD_API_URL }}
FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }}
FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }}
FOD_RELEASE_ID: ${{ vars.FOD_RELEASE_ID }}