GitHub Actions and Scripts

fortify-presales · Nov 28, 2023 · 65aa85d · 65aa85d
1 parent c46bc17
commit 65aa85d
Show file tree

Hide file tree

Showing 15 changed files with 100 additions and 437 deletions.
diff --git a/.github/actions/gradle-fod-oss-scan/action.yml b/.github/actions/gradle-fod-oss-scan/action.yml
@@ -28,7 +28,7 @@ inputs:
   fod_parent_release_name:
     required: false
     description: "FoD Parent Release Name"
-    default: "main"
+    default: "dev"
   gradle_version:
     required: false
     description: "Version of Gradle to use"

diff --git a/.github/actions/gradle-fod-sast-scan/action.yml b/.github/actions/gradle-fod-sast-scan/action.yml
@@ -28,7 +28,7 @@ inputs:
   fod_parent_release_name:
     required: false
     description: "FoD Parent Release Name"
-    default: "main"
+    default: "dev"
   gradle_version:
     required: false
     description: "Version of Gradle to use"

diff --git a/.github/actions/gradle-fortify-sast-scan/action.yml b/.github/actions/gradle-fortify-sast-scan/action.yml
@@ -24,7 +24,7 @@ inputs:
   ssc_parent_appver_name:
     required: false
     description: "SSC Parent Application Version Name"
-    default: "main"
+    default: "develop"
   ssc_sensor_ver:
     required: false
     description: "SSC Sensor Version"

diff --git a/.github/workflows/debricked.yml b/.github/workflows/debricked.yml
@@ -5,14 +5,14 @@
 name: OSS SCA with Debricked
 
 on:
-  # Triggers the workflow on push or pull request events but only for the main branch
+  # Triggers the workflow on push or pull request events but only for the main and develop branches
   push:
     paths:
       - 'build.gradle'
     branches:
       - '**'        # matches every branch
   pull_request:
-    branches: [ main ]
+    branches: [ main, develop ]
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:

diff --git a/.github/workflows/fod.yml b/.github/workflows/fod.yml
@@ -1,8 +1,8 @@
 
 # Create GitHub Action Repository Variables for your version of the application:
-#   FOD_BASE_URL should be FoD BASE URL for your tenant (e.g. https://emea.fortify.com)
-#   FOD_API_URL should be FoD API URL for your tenant (e.g. https://api.emea,fortify.com)
-#   FOD_PARENT_RELEASE_NAME is the FoD release name corresponding to the parent branch of any newly created branch, this is typically "main"
+#   FOD_BASE_URL should be FoD BASE URL for your tenant (e.g. https://ams.fortify.com)
+#   FOD_API_URL should be FoD API URL for your tenant (e.g. https://api.ams,fortify.com)
+#   FOD_PARENT_RELEASE_NAME is the FoD release name corresponding to the parent branch of any newly created branch, this is typically "main" or "develop"
 # Create GitHub Action Secrets for your version of the application:
 #   FOD_CLIENT_ID should be an API Key obtained from your FoD tenant.
 #   FOD_CLIENT_SECRET should be the secret for the API Key obtained for your FoD tenant.
@@ -14,7 +14,7 @@
 name: DevSecOps with Fortify on Demand
 
 on:
-  # Triggers the workflow on push or pull request events but only for the main branch
+  # Triggers the workflow on push or pull request events but only for the main or develop branches
   push:
     paths-ignore:
       - '.github/**/**'
@@ -29,7 +29,7 @@ on:
     branches:
       - '**'        # matches every branch
   pull_request:
-    branches: [ main ]
+    branches: [ main, develop ]
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
@@ -112,6 +112,7 @@ jobs:
           fod_client_secret: ${{ secrets.FOD_CLIENT_SECRET }}
           fod_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
           fod_release_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
+          fod_parent_release_name: ${{ vars.FOD_PARENT_RELEASE_NAME }}
 
   Quality-Gate:
     runs-on: ubuntu-latest
@@ -152,6 +153,7 @@ jobs:
           fod_client_secret: ${{ secrets.FOD_CLIENT_SECRET }}
           fod_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
           fod_release_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
+          fod_parent_release_name: ${{ vars.FOD_PARENT_RELEASE_NAME }}
 
   FoD-DAST-Scan:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml
@@ -1,15 +1,15 @@
 
 # Create GitHub Action Repository Variables for your version of the application:
 #   FORTIFY_BASE_URL should be the Fortify Base URL (e.g. https://ssc.uat.fortifyhosted.net)
-#   FORTIFY_PARENT_APPVER_NAME is the Fortify SSC Application Version Name corresponding to the parent branch of any newly created branch, this is typically "main"
+#   FORTIFY_PARENT_APPVER_NAME is the Fortify SSC Application Version Name corresponding to the parent branch of any newly created branch, this is typically "main" or "develop"
 # Create GitHub Action Secrets for your version of the application:
 #   FORTIFY_SSC_TOKEN should be an SSC Authorization token (CIToken) obtained from your Fortify tenant.
 #   FORTIFY_SCSAST_CLIENT_AUTH_TOKEN should be the ScanCentral SAST Client Authentication token for your Fortify tenant.
 
 name: DevSecOps with Fortify (Hosted)
 
 on:
-  # Triggers the workflow on push or pull request events but only for the main branch
+  # Triggers the workflow on push or pull request events but only for the main or develop branches
   push:
     paths-ignore:
       - '.github/**/**'
@@ -24,7 +24,7 @@ on:
     branches:
       - '**'        # matches every branch
   pull_request:
-    branches: [ main ]
+    branches: [ main, develop ]
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
@@ -33,10 +33,10 @@ on:
         description: 'Carry out SAST scan using Fortify'
         required: false
         default: 'true'
-#      runDebrickedScan:
-#        description: 'Carry out SCA scan using Debricked'
-#        required: false
-#        default: 'false'
+      runSonatypeScan:
+        description: 'Carry out SCA scan using Sonatype Nexus IQ'
+        required: false
+        default: 'false'
       runFortifyDASTScan:
         description: 'Carry out DAST scan using Fortify'
         required: false
@@ -72,21 +72,18 @@ jobs:
       - name: Build with Gradle
         run: ./gradlew clean build
 
-# TODO: changed to FoD OSS Scan
-#  Debricked-SCA:
-#    runs-on: ubuntu-latest
-#    if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runDebrickedScan == 'true') }}
-#    steps:
-#      - uses: actions/[email protected]
-#      - uses: actions/setup-java@v3
-#        with:
-#          distribution: 'temurin'
-#          java-version: '11'
-#      - run: ./gradlew dependencies > .debricked-gradle-dependencies.txt
-#      - uses: debricked/vulnerable-functionality/java/gradle@v0
-#      - uses: debricked/actions/scan@v1
-#        env:
-#          DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
+  Sonatype-SCA:
+    runs-on: ubuntu-latest
+    if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runSonatypeScan == 'true') }}
+    steps:
+      - uses: actions/[email protected]
+      - uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '11'
+      - run: ./gradlew dependencies > .debricked-gradle-dependencies.txt
+
+    # TODO: Sonatype Nexus IQ scan
 
   Quality-Gate:
     runs-on: ubuntu-latest

diff --git a/bin/create-config-package.ps1 b/bin/create-config-package.ps1
diff --git a/bin/create-iac-zip.ps1 → bin/create-infrastructure-zip.ps1 b/bin/create-iac-zip.ps1 → bin/create-infrastructure-zip.ps1
@@ -3,6 +3,6 @@ Write-Host $RootPath
 $compress = @{
     Path = "$($RootPath)\etc\*.yml", "$($RootPath)\etc\*.json", "$($RootPath)\docker-compose.*", "$($RootPath)\Docker*.*", "$($RootPath)\.github\workflows\*.yml"
     CompressionLevel = "Fastest"
-    DestinationPath = "$($RootPath)\IACPackage.zip"
+    DestinationPath = "$($RootPath)\infrastructure.zip"
 }
-Compress-Archive @compress -Verbose
+Compress-Archive @compress -Verbose
diff --git a/bin/fcli-examples/fod-sast-scan.ps1 b/bin/fcli-examples/fod-sast-scan.ps1
@@ -0,0 +1,11 @@
+$EnvSettings = $(ConvertFrom-StringData -StringData (Get-Content ".\.env" | Where-Object {-not ($_.StartsWith('#'))} | Out-String))
+$AppName = $EnvSettings['FOD_APP_NAME']
+$RelName = $EnvSettings['FOD_REL_NAME']
+
+scancentral package -bt gradle -bc 'clean build -x test' -o package.zip
+
+fcli fod session login
+fcli fod sast-scan start --release "$($AppName):$($RelName)" --notes "Started from CLI" -f package.zip --store curScan
+fcli fod sast-scan wait-for ::curScan::
+fcli fod sast-scan get ::curScan:: -o expr="Fortify Security Rating: {starRating}"
+fcli fod session logout
diff --git a/bin/fcli-examples/ssc-security-gate.ps1 b/bin/fcli-examples/ssc-security-gate.ps1
@@ -0,0 +1,9 @@
+
+$EnvSettings = $(ConvertFrom-StringData -StringData (Get-Content ".\.env" | Where-Object {-not ($_.StartsWith('#'))} | Out-String))
+$AppName = $EnvSettings['SSC_APP_NAME']
+$AppVersion = $EnvSettings['SSC_APP_VER_NAME']
+
+fcli ssc session login
+#fcli ssc issue list-filtersets --appversion "$($AppName):$($AppVersion)"
+fcli ssc issue count --appversion "$($AppName):$($AppVersion)" --filterset "Security Gate"
+fcli ssc session logout
diff --git a/bin/fod-list-users.ps1 b/bin/fod-list-users.ps1
diff --git a/bin/fortify-fod.ps1 b/bin/fortify-fod.ps1