Skip to content

DevSecOps with Fortify on Demand #124

DevSecOps with Fortify on Demand

DevSecOps with Fortify on Demand #124

Workflow file for this run

# Create GitHub Action Repository Variables for your version of the application:
# FOD_BASE_URL should be FoD BASE URL for your tenant (e.g. https://ams.fortify.com)
# FOD_API_URL should be FoD API URL for your tenant (e.g. https://api.ams,fortify.com)
# FOD_PARENT_RELEASE_NAME is the FoD release name corresponding to the parent branch of any newly created branch, this is typically "main" or "develop"
# Create GitHub Action Secrets for your version of the application:
# FOD_CLIENT_ID should be an API Key obtained from your FoD tenant.
# FOD_CLIENT_SECRET should be the secret for the API Key obtained for your FoD tenant.
# Helpful hints:
# API Key credentials can be obtained from your FoD tenant, under Administration -> Settings -> API
# It is recommended to create credentials with 'Security Lead' Role selected.
# "Automated Audit preference" should be configured for the release's Static Scan Settings.
name: DevSecOps with Fortify on Demand
on:
# Triggers the workflow on push or pull request events but only for the main or develop branches
push:
paths-ignore:
- '.github/**/**'
- 'Jenkinsfile'
- 'bin/**'
- 'data/**'
- 'etc/**'
- 'tests/**'
- '*.md'
- 'LICENSE'
branches:
- '**' # matches every branch
pull_request:
branches: [ main, develop ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
inputs:
runFoDSASTScan:
description: 'Carry out SAST scan using Fortify on Demand'
required: false
default: 'true'
runFoDDASTScan:
description: 'Carry out DAST scan using Fortify on Demand'
required: false
default: 'false'
deployApp:
description: 'Deploy App'
required: false
default: 'true'
# Global environment variables
env:
DEFAULT_APP_NAME: "IWA"
jobs:
Build-And-Unit-Test:
# The type of runner that the job will run on
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# Setup JDK 11 on host
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '11'
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
with:
gradle-version: 7.3
# Build / Test with Gradle
- name: Build with Gradle
run: ./gradlew clean build test
# Publish test results
- name: Publish Test Results
uses: EnricoMi/publish-unit-test-result-action@v2
if: always()
with:
files: |
build/test-results/**/*.xml
build/test-results/**/*.trx
build/test-results/**/*.json
Quality-Gate:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Build-And-Unit-Test ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# TBD
FoD-SAST-Scan:
runs-on: ubuntu-latest
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runFoDSASTScan == 'true') }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
- name: Fortify App and Release Name
id: fortify-app-and-rel-name
uses: fortify-presales/github-actions/fortify-app-and-release-name@main
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: ${{ github.ref_name }}
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
# Uncomment below to debug FoD App/Release names
#- name: Print App and Release Name
# shell: bash
# run: |
# echo "FoD App Name: ${FOD_APP_NAME}"
# echo "FoD Release Name: ${FOD_RELEASE_NAME}"
# env:
# FOD_APP_NAME: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
# FOD_RELEASE_NAME: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
- name: Gradle FoD SAST scan
id: gradle-fod-sast-scan
uses: fortify-presales/github-actions/gradle-fod-sast-scan@main
with:
working_directory: ${{ env.BASE_DIR }}
fod_url: ${{ vars.FOD_URL }}
fod_api_url: ${{ vars.FOD_API_URL }}
fod_client_id: ${{ secrets.FOD_CLIENT_ID }}
fod_client_secret: ${{ secrets.FOD_CLIENT_SECRET }}
fod_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
fod_release_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
fod_parent_release_name: ${{ steps.fortify-app-and-rel-name.outputs.parent_release_name }}
Deploy-App:
runs-on: ubuntu-latest
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.deployApp == 'true') }}
needs: [ Build-And-Unit-Test, FoD-SAST-Scan ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
- name: Deploy App
shell: bash
run: |
echo "Simulating deployment"
env:
FOD_APP_NAME: ${{ env.DEFAULT_APP_NAME }}
# TBD
Functional-Test:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Deploy-App ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# TBD
FoD-DAST-Scan:
runs-on: ubuntu-latest
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runFoDDASTScan == 'true') }}
needs: [ Deploy-App ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
- name: Fortify App and Release Name
id: fortify-app-and-rel-name
uses: fortify-presales/github-actions/fortify-app-and-release-name@main
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: ${{ github.ref_name }}
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
- name: FoD DAST scan
id: fod-dast-scan
uses: fortify-presales/github-actions/fod-dast-scan@main
with:
working_directory: ${{ env.BASE_DIR }}
fod_url: ${{ vars.FOD_URL }}
fod_api_url: ${{ vars.FOD_API_URL }}
fod_client_id: ${{ secrets.FOD_CLIENT_ID }}
fod_client_secret: ${{ secrets.FOD_CLIENT_SECRET }}
fod_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
fod_release_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
#fod_release_name: ${{ format('{0}#{1}', steps.fortify-app-and-rel-name.outputs.release_name, github.run_number) }}
fod_parent_release_name: ${{ steps.fortify-app-and-rel-name.outputs.parent_release_name }}
Security-Gate:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Functional-Test, FoD-DAST-Scan ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
- name: Fortify App and Release Name
id: fortify-app-and-rel-name
uses: fortify-presales/github-actions/fortify-app-and-release-name@main
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: ${{ github.ref_name }}
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
- name: Verify FoD Security Policy
uses: fortify-presales/github-actions/verify-fod-security-policy@main
with:
fod_api_url: ${{ vars.FOD_API_URL }}
fod_client_id: ${{ secrets.FOD_CLIENT_ID }}
fod_client_secret: ${{ secrets.FOD_CLIENT_SECRET }}
fod_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
fod_release_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
Release-To-Prod:
runs-on: ubuntu-latest
needs: [ Quality-Gate, Security-Gate ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# TBD