OSS SCA with Debricked #15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Create GitHub Action Secrets for your version of the application: | |
# DEBRICKEN_TOKEN should be an API Access Token from your Debricked tenant. | |
# | |
# If importing results into FoD: | |
# Create GitHub Action Repository Variables for your version of the application: | |
# FOD_BASE_URL should be FoD BASE URL for your tenant (e.g. https://ams.fortify.com) | |
# FOD_API_URL should be FoD API URL for your tenant (e.g. https://api.ams,fortify.com) | |
# FOD_PARENT_RELEASE_NAME is the FoD release name corresponding to the parent branch of any newly created branch, this is typically "main" or "develop" | |
# Create GitHub Action Secrets for your version of the application: | |
# FOD_CLIENT_ID should be an API Key obtained from your FoD tenant. | |
# FOD_CLIENT_SECRET should be the secret for the API Key obtained for your FoD tenant. | |
# If importing results into SSC: | |
name: OSS SCA with Debricked | |
on: | |
# Triggers the workflow on push or pull request events but only for the main and develop branches | |
push: | |
paths: | |
- '.github\**\*' | |
- 'pom.xml' | |
#- 'build.gradle' | |
#- 'frontend/build.gradle' | |
- 'frontend/package.json' | |
- 'libs/**' | |
branches: | |
- '**' # matches every branch | |
pull_request: | |
branches: [ main, develop ] | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
inputs: | |
runDebrickedScan: | |
description: 'Carry out SCA scan using Debricked' | |
required: true | |
default: 'true' | |
uploadToFoD: | |
description: 'Upload Debricked results to FoD' | |
required: false | |
default: 'false' | |
uploadToSSC: | |
description: 'Upload Debricked results to SSC' | |
required: false | |
default: 'false' | |
# Global environment variables | |
env: | |
DEFAULT_APP_NAME: "DebrickedDemoApp" | |
DEFAULT_CHUNK_SIZE: "1073741824" | |
jobs: | |
Debricked-SCA: | |
runs-on: ubuntu-latest | |
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runDebrickedScan == 'true') }} | |
steps: | |
- name: Setup Maven Action | |
uses: s4u/[email protected] | |
with: | |
java-version: '17' | |
java-distribution: 'temurin' | |
- name: Setup Fortify tools | |
uses: fortify/github-action/setup@v1 | |
with: | |
export-path: true | |
fcli: latest | |
debricked-cli: latest | |
# Note: we are excluding Gradle and using Maven so that we can use callgraph | |
- name: Run debricked scan | |
shell: bash | |
run: | | |
debricked scan --callgraph --prefer-npm -r "${DEFAULT_APP_NAME}" --access-token="${DEBRICKED_TOKEN}" -e "**/build.gradle" -e "**/node_modules/**" -e "*/**.lock" -e "**/build/classes/test/**" -e "**/target/classes/test-classes/**" . | |
env: | |
APP_NAME: ${{ env.DEFAULT_APP_NAME }} | |
DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }} | |
Debricked-FoD-Import: | |
runs-on: ubuntu-latest | |
needs: [ Debricked-SCA ] | |
if: ${{ (always() && ((github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.uploadToFoD == 'true'))) }} | |
steps: | |
- name: Setup Maven Action | |
uses: s4u/[email protected] | |
with: | |
java-version: '17' | |
java-distribution: 'temurin' | |
- name: Setup Fortify tools | |
uses: fortify/github-action/setup@v1 | |
with: | |
export-path: true | |
fcli: latest | |
- name: Import Debricked | |
shell: bash | |
run: | | |
fcli fod session login --url $FOD_API_URI --client-id $FOD_CLIENT_ID --client-secret $FOD_CLIENT_SECRET --session github-actions | |
fcli fod oss-scan import-debricked --release "${FOD_RELEASE_ID}" -r "${APP_NAME}" -t "${DEBRICKED_TOKEN}" -b "${BRANCH_NAME}" --chunk-size ${CHUNK_SIZE} --file sbom.json --session github-actions | |
fcli fod session logout --session github-actions | |
env: | |
APP_NAME: ${{ env.DEFAULT_APP_NAME }} | |
BRANCH_NAME: ${{ github.ref_name }} | |
DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }} | |
CHUNK_SIZE: ${{ env.DEFAULT_CHUNK_SIZE }} | |
FOD_API_URI: ${{ vars.FOD_API_URL }} | |
FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }} | |
FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }} | |
FOD_RELEASE_ID: ${{ vars.FOD_RELEASE_ID }} |