Skip to content

DevSecOps with Fortify (Hosted) #10

DevSecOps with Fortify (Hosted)

DevSecOps with Fortify (Hosted) #10

Workflow file for this run

# Create GitHub Action Repository Variables for your version of the application:
# FORTIFY_BASE_URL should be the Fortify Base URL (e.g. https://ssc.uat.fortifyhosted.net)
# FORTIFY_PARENT_APPVER_NAME is the Fortify SSC Application Version Name corresponding to the parent branch of any newly created branch, this is typically "main"
# Create GitHub Action Secrets for your version of the application:
# FORTIFY_SSC_TOKEN should be an SSC Authorization token (CIToken) obtained from your Fortify tenant.
# FORTIFY_SCSAST_CLIENT_AUTH_TOKEN should be the ScanCentral SAST Client Authentication token for your Fortify tenant.
name: DevSecOps with Fortify (Hosted)
on:
# Triggers the workflow on push or pull request events but only for the main branch
push:
paths-ignore:
- '.github/**/**'
- 'bin/**'
- 'data/**'
- 'etc/**'
- 'media/**'
- 'Jenkinsfile'
- '.gitlab-ci.yml'
- 'README.md'
- 'LICENSE'
branches:
- '**' # matches every branch
pull_request:
branches: [ main ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
inputs:
runFortifySASTScan:
description: 'Carry out SAST scan using Fortify'
required: false
default: 'true'
# runDebrickedScan:
# description: 'Carry out SCA scan using Debricked'
# required: false
# default: 'false'
runFortifyDASTScan:
description: 'Carry out DAST scan using Fortify'
required: false
default: 'false'
# Global environment variables
env:
DEFAULT_APP_NAME: "IWA-Java"
jobs:
Build-And-Test:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# If this run was triggered by a pull request event, then checkout the head of the pull request instead of the merge commit.
- run: git checkout HEAD^2
if: ${{ github.event_name == 'pull_request' }}
# Setup JDK 11 on host
- uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '11'
- name: Setup Gradle
uses: gradle/gradle-build-action@v2
with:
gradle-version: 7.3
# Build / Test with Gradle
- name: Build with Gradle
run: ./gradlew clean build
# TODO: changed to FoD OSS Scan
# Debricked-SCA:
# runs-on: ubuntu-latest
# if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runDebrickedScan == 'true') }}
# steps:
# - uses: actions/[email protected]
# - uses: actions/setup-java@v3
# with:
# distribution: 'temurin'
# java-version: '11'
# - run: ./gradlew dependencies > .debricked-gradle-dependencies.txt
# - uses: debricked/vulnerable-functionality/java/gradle@v0
# - uses: debricked/actions/scan@v1
# env:
# DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
Quality-Gate:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Build-And-Test ]
steps:
- uses: actions/[email protected]
# TBD
Fortify-SAST-Scan:
runs-on: ubuntu-latest
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runFortifySASTScan == 'true') }}
steps:
- name: Checkout
uses: actions/[email protected]
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# If this run was triggered by a pull request event, then checkout the head of the pull request instead of the merge commit.
- run: git checkout HEAD^2
if: ${{ github.event_name == 'pull_request' }}
- name: Fortify App and Release Name
id: fortify-app-and-rel-name
uses: ./.github/actions/fortify-app-and-release-name
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: ${{ github.ref_name }}
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
#- name: Print App and Release Name
# shell: bash
# run: |
# echo "SSC App Name: ${SSC_APP_NAME}"
# echo "SSC App Version Name: ${SSC_APPVER_NAME}"
# env:
# SSC_APP_NAME: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
# SSC_APPVER_NAME: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
- name: Gradle Fortify SAST scan
id: gradle-fortify-sast-scan
uses: ./.github/actions/gradle-fortify-sast-scan
with:
working_directory: ${{ env.BASE_DIR }}
ssc_url: ${{ vars.FORTIFY_BASE_URL }}
ssc_token: ${{ secrets.FORTIFY_SSC_TOKEN }}
scsast_client_auth_token: ${{ secrets.FORTIFY_SCSAST_CLIENT_AUTH_TOKEN }}
ssc_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
ssc_appver_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
Fortify-DAST-Scan:
runs-on: ubuntu-latest
if: ${{ (github.event.inputs.runFortifyDASTScan == 'true') }}
steps:
- name: Checkout
uses: actions/[email protected]
- name: Fortify App and Release Name
id: fortify-app-and-release-name
uses: ./.github/actions/fortify-app-and-release-name
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: 'main'
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
# TBD
Security-Gate:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Fortify-SAST-Scan,Fortify-DAST-Scan ]
steps:
- name: Checkout
uses: actions/[email protected]
- name: Fortify App and Release Name
id: fortify-app-and-release-name
uses: ./.github/actions/fortify-app-and-release-name
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: 'main'
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
#- name: Verify Fortify Security Policy
# uses: ./.github/actions/verify-fod-security-policy
# with:
# fod_api_uri: ${{ vars.FORTIFY_API_URI }}
# fod_client_id: ${{ secrets.FORTIFY_CLIENT_ID }}
# fod_client_secret: ${{ secrets.FORTIFY_CLIENT_SECRET }}
# fod_app_name: ${{ steps.fod-app-and-rel-name.outputs.app_name }}
# fod_release_name: ${{ steps.fod-app-and-rel-name.outputs.release_name }}
Release-Gate:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Quality-Gate, Security-Gate ]
steps:
- name: Check Out Source Code
uses: actions/[email protected]
# TBD