Merge in new workflow updates (#2)

* Update start-fod-scan.yml * Rename fod-sast-scan-import.yaml to fod-sast-scan-import.yml * Update fod-sast-scan-import.yml * Update fod-sast-scan-import.yml another attempt to override exit code of foduploader * Update fod-sast-scan-import.yml Removed exit code override to test with new version of FoDUploader * Update fod-sast-scan-import.yml set allowpolicyfail option * Update fod-sast-scan-import.yml Parameterize and document workflow * Update fod-sast-scan-import.yml * Update fod-sast-scan-import.yml * Update fod-sast-scan-import.yml * Update fod-sast-scan-import.yml * Update fod-sast-scan-import.yml
fortify · Sep 4, 2020 · 84edba1 · 84edba1
1 parent e25deb7
commit 84edba1
Show file tree

Hide file tree

Showing 2 changed files with 87 additions and 2 deletions.
diff --git a/.github/workflows/fod-sast-scan-import.yml b/.github/workflows/fod-sast-scan-import.yml
@@ -0,0 +1,87 @@
+name: Start FoD scan with Import
+
+on: 
+  workflow_dispatch:
+  push:
+      branches: [master]
+  pull_request:
+      branches: [master]
+
+
+jobs:
+  FoD-SAST-Scan:
+    # Use the appropriate runner for building your source code. 
+    # Use Windows runner for projects that use msbuild. Additional changes to RUN commands will be required.
+    runs-on: ubuntu-latest
+
+    steps:
+      # Check out source code
+      - name: Check Out Source Code
+        uses: actions/checkout@v2
+      # Required by ScanCentral Client and FoD Uploader
+      - name: Setup Java 8
+        uses: actions/setup-java@v1
+        with:
+          java-version: 1.8
+
+      # Prepare source+dependencies for upload. 
+      # Update PACKAGE_OPTS based on the ScanCentral Client documentation and your project's included tech stack(s).
+      #   ScanCentral Client will download dependencies for maven, gradle and msbuild projects.
+      #   For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
+      - name: Download Fortify ScanCentral Client
+        uses: fortify/gha-setup-scancentral-client@v1
+      - name: Package Code + Dependencies
+        run: scancentral package $PACKAGE_OPTS -o package.zip
+        env:
+          PACKAGE_OPTS: "-bt mvn"
+
+      # Start Fortify on Demand SAST scan and wait until results complete. Be sure to set secrets/variables for your FoD tenant.
+      - name: Download Fortify on Demand Universal CI Tool
+        uses: fortify/gha-setup-fod-uploader@v1
+      - name: Perform SAST Scan
+        run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS
+        env: 
+          FOD_TENANT: ${{ secrets.FOD_TENANT }}  
+          FOD_USER: ${{ secrets.FOD_USER }}
+          FOD_PAT: ${{ secrets.FOD_PAT }}
+          FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
+          FOD_URL: "https://ams.fortify.com/"
+          FOD_API_URL: "https://api.ams.fortify.com/"
+          FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
+
+      # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
+      - name: Download Results
+        uses: fortify/gha-fod-generate-sarif@master
+        with:
+          base-url: https://ams.fortify.com/
+          tenant: ${{ secrets.FOD_TENANT }}
+          user: ${{ secrets.FOD_USER }}
+          password: ${{ secrets.FOD_PAT }}
+          release-id: ${{ secrets.FOD_RELEASE_ID }}
+          output: ./sarif/output.sarif
+
+      # Import Fortify on Demand results to GitHub Security Code Scanning
+      - name: Import Results
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: ./sarif/output.sarif
+
+      # Save artifacts for troubleshooting (if necessary). These steps can be removed after successful configuration is confirmed.
+      - name: Save SARIF Results
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: sarif-files
+          path: ./sarif
+      - name: Save ScanCentral Logs
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: scancentral-logs
+          path: ~/.fortify/scancentral/log
+      - name: Save Packaged Code
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: package.zip
+          path: package.zip
diff --git a/.github/workflows/start-fod-scan.yml b/.github/workflows/start-fod-scan.yml
@@ -13,8 +13,6 @@ jobs:
           java-version: 1.8
       - uses: fortify/gha-setup-scancentral-client@v1
       - uses: fortify/gha-setup-fod-uploader@v1
-        with:
-          version: v5.0.1
       - run: scancentral package -bt mvn -o package.zip
       - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl https://api.ams.fortify.com/ -purl https://ams.fortify.com/ -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" -ep 2 -pp 1
         env: