fcli * action: Add support for pipeline-style actions #549

Open
rsenden opened this issue May 22, 2024 · 0 comments
Labels: effort:high (Lot of effort needed to implement/fix), fcli-actions, feature (A feature that's on the roadmap or in development), prio:high (High priority; important new feature or bug fix)

Comments

rsenden (Contributor) commented May 22, 2024

The current action framework is focused on retrieving, processing and outputting data. Ideally, we should also support pipeline-style actions, for example allowing an action to run the following steps:

  1. Set up fcli SC-SAST & SSC sessions
  2. Run 'scancentral package' command to package source code
  3. Run fcli sc-sast scan start command to submit scan request
  4. Optionally run fcli sc-sast scan wait-for command to wait for scan completion
  5. Optionally run fcli ssc action run *-sast-report to export scan results
  6. Optionally run fcli ssc action check-policy to evaluate security policy outcome
  7. Terminate SC-SAST & SSC sessions

We would have a similar sast-scan action in the FoD module, or maybe even a non-product-specific action that automatically selects either FoD or SSC/SC-SAST scan based on input parameters/environment variables, similar to the sast-scan.sh script in the fortify-ci-tools image.

This would be very beneficial for our CI/CD integrations like GitHub Action and GitLab templates, since we wouldn't need to implement the same steps in every individual integration, but could rather just have those integrations invoke these sast-scan actions. Also, we could provide an easy option to have users point to a custom sast-scan action that performs extra customer-specific activities, sets some customer-specific defaults (like SSC URL), or uses a custom check-policy action.

In order to implement this, we'd need to solve various limitations in the current actions framework:

  1. Improve session management for actions (fcli * action: Session management & non-product-specific actions #547)
  2. Ability to invoke scancentral package and potentially other commands (fcli * action: Add support for running ScanCentral and possibly other commands #548)
  3. Current framework only allows for collecting data from fcli commands, and doesn't allow for running non-data commands like invoking other actions (required for running the *-sast-report and check-policy actions). We'd need to add support for running arbitrary fcli commands without collecting their output, but rather output command output to console (see next point).
  4. Ability to provide immediate command output for every command being run, without interfering with progress messages (fcli * action: Allow actions to disable progress writer #538)

Once implemented, this will fix #1
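As an added illustration of the seven-step pipeline described in this issue (not code from the fcli project, and not the sast-scan.sh script the issue refers to), the POSIX shell script below strings the steps together the way a CI integration would today, before such an action exists. The fcli and scancentral command names follow the issue text; every flag (`--url`, `--ssc-url`, `-bt`, `-o`, `-f`, `--publish-to`, `--store`, `--av`), the `::sast::` store reference and the `github-sast-report` action name are assumptions to be checked against the tools' own `--help` output. The points it is meant to show are the ones the issue calls out as hard in the current framework: each command's output is shown immediately as it runs, optional steps are switchable, and both sessions are terminated even when a scan step fails, so no authenticated session lingers on the runner.

```shell
#!/bin/sh
# Added example, not fcli project code: a plain-shell sketch of the pipeline-style
# sast-scan action proposed in this issue. Command names follow the issue text;
# every fcli/scancentral flag below is an ASSUMPTION to check against `<tool> <cmd> --help`.
# Credentials are expected to reach fcli through the environment variables its
# documentation prescribes (not shown), so no token appears on a command line or in CI logs.

# run_cmd: echo each command before running it, so the CI log shows per-step output,
# and skip execution when DRY_RUN=1 (lets the plan be inspected without fcli installed).
run_cmd() {
  printf '+ %s\n' "$*"
  if [ "${DRY_RUN:-0}" != "1" ]; then
    "$@"
  fi
}

# scan_steps SSC_URL APPVERSION PACKAGE: the steps that need an SC-SAST session.
# Optional steps are switched on with RUN_WAIT (default on), RUN_REPORT and
# RUN_POLICY (default off). Each step uses an explicit `|| return $?` because a
# caller that invokes this function inside `... || status=$?` suppresses `set -e`.
scan_steps() {
  ssc_url="$1"; appversion="$2"; package="$3"
  run_cmd fcli sc-sast session login --ssc-url "$ssc_url" || return $?          # assumed flag
  run_cmd scancentral package -bt none -o "$package" || return $?               # assumed flags
  run_cmd fcli sc-sast scan start -f "$package" --publish-to "$appversion" --store sast || return $?
  if [ "${RUN_WAIT:-1}" = "1" ]; then
    run_cmd fcli sc-sast scan wait-for ::sast:: || return $?                    # assumed store syntax
  fi
  if [ "${RUN_REPORT:-0}" = "1" ]; then
    run_cmd fcli ssc action run "${REPORT_ACTION:-github-sast-report}" --av "$appversion" || return $?
  fi
  if [ "${RUN_POLICY:-0}" = "1" ]; then
    run_cmd fcli ssc action run check-policy --av "$appversion" || return $?
  fi
}

# run_pipeline SSC_URL APPVERSION [PACKAGE]: the seven steps from the issue.
# Both sessions are terminated even when a scan step fails; the failing step's
# exit status is preserved so the CI job still goes red.
run_pipeline() {
  ssc_url="$1"; appversion="$2"; package="${3:-package.zip}"
  run_cmd fcli ssc session login --url "$ssc_url" || return $?                 # assumed flag
  status=0
  scan_steps "$ssc_url" "$appversion" "$package" || status=$?
  run_cmd fcli sc-sast session logout || true   # cleanup must not mask the scan result
  run_cmd fcli ssc session logout || true
  return "$status"
}

# plan_steps: the commands run_pipeline would execute, one per line, without
# running anything (pure function, convenient for review and for tests).
plan_steps() {
  ( DRY_RUN=1; run_pipeline "$@" ) | sed 's/^+ //'
}

# Execute only when explicitly requested, e.g. from a CI job:
#   FCLI_PIPELINE_EXECUTE=1 ./sast-scan.sh https://ssc.example.com MyApp:main
if [ "${FCLI_PIPELINE_EXECUTE:-0}" = "1" ]; then
  run_pipeline "$@"
fi
```

With the defaults, `plan_steps https://ssc.example.com MyApp:1.0` lists seven commands (two logins, package, scan start, wait-for, two logouts); setting `RUN_REPORT=1 RUN_POLICY=1` adds the report and check-policy actions between wait-for and the logouts. The explicit `|| return $?` inside `scan_steps` is the part most easily lost in a quick script: without it, a failed `scan start` would be followed by `wait-for` and the report steps running against nothing.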

@rsenden rsenden added feature A feature that's on the roadmap or in development fcli-actions labels May 22, 2024
@rsenden rsenden added prio:1 prio:high High priority; important new feature or bug fix effort:high Lot of effort needed to implement/fix and removed prio:1 labels May 29, 2024