-
Notifications
You must be signed in to change notification settings - Fork 29
182 lines (165 loc) · 6.59 KB
/
fortify.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
# Create GitHub Action Repository Variables for your version of the application:
# FORTIFY_BASE_URL should be the Fortify Base URL (e.g. https://ssc.uat.fortifyhosted.net)
# FORTIFY_PARENT_APPVER_NAME is the Fortify SSC Application Version Name corresponding to the parent branch of any newly created branch, this is typically "main" or "dev"
# Create GitHub Action Secrets for your version of the application:
# FORTIFY_SSC_TOKEN should be an SSC Authorization token (CIToken) obtained from your Fortify tenant.
# FORTIFY_SCSAST_CLIENT_AUTH_TOKEN should be the ScanCentral SAST Client Authentication token for your Fortify tenant.
name: DevSecOps with Fortify (Hosted)
on:
# Triggers the workflow on push or pull request events but only for the main or dev branches
push:
paths-ignore:
- '.github/**/**'
- 'bin/**'
- 'data/**'
- 'etc/**'
- 'media/**'
- 'Jenkinsfile'
- '.gitlab-ci.yml'
- 'README.md'
- 'LICENSE'
branches:
- '**' # matches every branch
pull_request:
branches: [ main, dev ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
inputs:
runFortifySASTScan:
description: 'Carry out SAST scan using Fortify'
required: false
default: 'true'
runSonatypeScan:
description: 'Carry out SCA scan using Sonatype Nexus IQ'
required: false
default: 'false'
runFortifyDASTScan:
description: 'Carry out DAST scan using Fortify'
required: false
default: 'false'
# Global environment variables
env:
DEFAULT_APP_NAME: "IWA-Java"
jobs:
Build-And-Test:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# If this run was triggered by a pull request event, then checkout the head of the pull request instead of the merge commit.
- run: git checkout HEAD^2
if: ${{ github.event_name == 'pull_request' }}
# Setup JDK 11 on host
- uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '11'
- name: Setup Gradle
uses: gradle/gradle-build-action@v2
with:
gradle-version: 7.3
# Build / Test with Gradle
- name: Build with Gradle
run: ./gradlew clean build
Sonatype-SCA:
runs-on: ubuntu-latest
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runSonatypeScan == 'true') }}
steps:
- uses: actions/[email protected]
- uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '11'
- run: ./gradlew dependencies > .debricked-gradle-dependencies.txt
# TODO: Sonatype Nexus IQ scan
Quality-Gate:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Build-And-Test ]
steps:
- uses: actions/[email protected]
# TBD
Fortify-SAST-Scan:
runs-on: ubuntu-latest
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runFortifySASTScan == 'true') }}
steps:
- name: Checkout
uses: actions/[email protected]
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# If this run was triggered by a pull request event, then checkout the head of the pull request instead of the merge commit.
- run: git checkout HEAD^2
if: ${{ github.event_name == 'pull_request' }}
- name: Fortify App and Release Name
id: fortify-app-and-rel-name
uses: ./.github/actions/fortify-app-and-release-name
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: ${{ github.ref_name }}
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
#- name: Print App and Release Name
# shell: bash
# run: |
# echo "SSC App Name: ${SSC_APP_NAME}"
# echo "SSC App Version Name: ${SSC_APPVER_NAME}"
# env:
# SSC_APP_NAME: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
# SSC_APPVER_NAME: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
- name: Gradle Fortify SAST scan
id: gradle-fortify-sast-scan
uses: ./.github/actions/gradle-fortify-sast-scan
with:
working_directory: ${{ env.BASE_DIR }}
ssc_url: ${{ vars.FORTIFY_BASE_URL }}
ssc_token: ${{ secrets.FORTIFY_SSC_TOKEN }}
scsast_client_auth_token: ${{ secrets.FORTIFY_SCSAST_CLIENT_AUTH_TOKEN }}
ssc_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
ssc_appver_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
Fortify-DAST-Scan:
runs-on: ubuntu-latest
if: ${{ (github.event.inputs.runFortifyDASTScan == 'true') }}
steps:
- name: Checkout
uses: actions/[email protected]
- name: Fortify App and Release Name
id: fortify-app-and-release-name
uses: ./.github/actions/fortify-app-and-release-name
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: 'main'
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
# TBD
Security-Gate:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Fortify-SAST-Scan,Fortify-DAST-Scan ]
steps:
- name: Checkout
uses: actions/[email protected]
- name: Fortify App and Release Name
id: fortify-app-and-release-name
uses: ./.github/actions/fortify-app-and-release-name
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: 'main'
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
#- name: Verify Fortify Security Policy
# uses: ./.github/actions/verify-fod-security-policy
# with:
# fod_api_uri: ${{ vars.FORTIFY_API_URI }}
# fod_client_id: ${{ secrets.FORTIFY_CLIENT_ID }}
# fod_client_secret: ${{ secrets.FORTIFY_CLIENT_SECRET }}
# fod_app_name: ${{ steps.fod-app-and-rel-name.outputs.app_name }}
# fod_release_name: ${{ steps.fod-app-and-rel-name.outputs.release_name }}
Release-Gate:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Quality-Gate, Security-Gate ]
steps:
- name: Check Out Source Code
uses: actions/[email protected]
# TBD