diff --git a/.github/workflows/fod-sast-scan-import.yaml b/.github/workflows/fod-sast-scan-import.yaml
deleted file mode 100644
index adbffd9..0000000
--- a/.github/workflows/fod-sast-scan-import.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-name: Start FoD scan with Import
-
-on: [workflow_dispatch]
-
-jobs:
- build:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-java@v1
- with:
- java-version: 1.8
- - uses: fortify/gha-setup-scancentral-client@v1
- - uses: fortify/gha-setup-fod-uploader@v1
- - run: scancentral package -bt mvn -o package.zip
- - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl https://api.ams.fortify.com/ -purl https://ams.fortify.com/ -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" -ep 2 -pp 0 -I 1
- env:
- FOD_TENANT: ${{ secrets.FOD_TENANT }}
- FOD_USER: ${{ secrets.FOD_USER }}
- FOD_PAT: ${{ secrets.FOD_PAT }}
- FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
- - uses: fortify/gha-fod-generate-sarif@master
- with:
- base-url: https://ams.fortify.com
- tenant: ${{ secrets.FOD_TENANT }}
- user: ${{ secrets.FOD_USER }}
- password: ${{ secrets.FOD_PAT }}
- release-id: ${{ secrets.FOD_RELEASE_ID }}
- output: ./sarif/output.sarif
- - uses: github/codeql-action/upload-sarif@v1
- with:
- sarif_file: ./sarif/output.sarif
- - uses: actions/upload-artifact@v2
- if: always()
- with:
- name: sarif-files
- path: ./sarif
- - uses: actions/upload-artifact@v2
- if: always()
- with:
- name: scancentral-logs
- path: ~/.fortify/scancentral/log
- - uses: actions/upload-artifact@v2
- if: always()
- with:
- name: package.zip
- path: package.zip
diff --git a/.github/workflows/fod-sast-scan-import.yml b/.github/workflows/fod-sast-scan-import.yml
new file mode 100644
index 0000000..55a5600
--- /dev/null
+++ b/.github/workflows/fod-sast-scan-import.yml
@@ -0,0 +1,87 @@
+name: Start FoD scan with Import
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [master]
+ pull_request:
+ branches: [master]
+
+
+jobs:
+ FoD-SAST-Scan:
+ # Use the appropriate runner for building your source code.
+ # Use Windows runner for projects that use msbuild. Additional changes to RUN commands will be required.
+ runs-on: ubuntu-latest
+
+ steps:
+ # Check out source code
+ - name: Check Out Source Code
+ uses: actions/checkout@v2
+ # Required by ScanCentral Client and FoD Uploader
+ - name: Setup Java 8
+ uses: actions/setup-java@v1
+ with:
+ java-version: 1.8
+
+ # Prepare source+dependencies for upload.
+ # Update PACKAGE_OPTS based on the ScanCentral Client documentation and your project's included tech stack(s).
+ # ScanCentral Client will download dependencies for maven, gradle and msbuild projects.
+ # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
+ - name: Download Fortify ScanCentral Client
+ uses: fortify/gha-setup-scancentral-client@v1
+ - name: Package Code + Dependencies
+ run: scancentral package $PACKAGE_OPTS -o package.zip
+ env:
+ PACKAGE_OPTS: "-bt mvn"
+
+ # Start Fortify on Demand SAST scan and wait until results complete. Be sure to set secrets/variables for your FoD tenant.
+ - name: Download Fortify on Demand Universal CI Tool
+ uses: fortify/gha-setup-fod-uploader@v1
+ - name: Perform SAST Scan
+ run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS
+ env:
+ FOD_TENANT: ${{ secrets.FOD_TENANT }}
+ FOD_USER: ${{ secrets.FOD_USER }}
+ FOD_PAT: ${{ secrets.FOD_PAT }}
+ FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
+ FOD_URL: "https://ams.fortify.com/"
+ FOD_API_URL: "https://api.ams.fortify.com/"
+ FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
+
+ # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
+ - name: Download Results
+ uses: fortify/gha-fod-generate-sarif@master
+ with:
+ base-url: https://ams.fortify.com/
+ tenant: ${{ secrets.FOD_TENANT }}
+ user: ${{ secrets.FOD_USER }}
+ password: ${{ secrets.FOD_PAT }}
+ release-id: ${{ secrets.FOD_RELEASE_ID }}
+ output: ./sarif/output.sarif
+
+ # Import Fortify on Demand results to GitHub Security Code Scanning
+ - name: Import Results
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ./sarif/output.sarif
+
+ # Save artifacts for troubleshooting (if necessary). These steps can be removed after successful configuration is confirmed.
+ - name: Save SARIF Results
+ uses: actions/upload-artifact@v2
+ if: always()
+ with:
+ name: sarif-files
+ path: ./sarif
+ - name: Save ScanCentral Logs
+ uses: actions/upload-artifact@v2
+ if: always()
+ with:
+ name: scancentral-logs
+ path: ~/.fortify/scancentral/log
+ - name: Save Packaged Code
+ uses: actions/upload-artifact@v2
+ if: always()
+ with:
+ name: package.zip
+ path: package.zip
diff --git a/.github/workflows/start-fod-scan.yml b/.github/workflows/start-fod-scan.yml
index cbf7bd7..7f8c6ef 100644
--- a/.github/workflows/start-fod-scan.yml
+++ b/.github/workflows/start-fod-scan.yml
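Review bot: The new `pull_request` trigger on `branches: [master]` makes the Perform SAST Scan step run for pull requests from forks too, where `secrets.FOD_TENANT`, `secrets.FOD_USER`, `secrets.FOD_PAT` and `secrets.FOD_RELEASE_ID` resolve to empty strings, so the uploader is invoked with blank credentials and the job fails; on same-repo PRs it additionally spends a full scan on every push to the branch. Consider guarding the scan, Download Results and Import Results steps with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or dropping the `pull_request` trigger until the scan is meant to gate PRs. The workflow also declares no `permissions:` block even though github/codeql-action/upload-sarif needs `security-events: write`; adding `permissions:` with `contents: read` and `security-events: write` on the FoD-SAST-Scan job pins the token to least privilege instead of relying on the repository's default token settings. Finally, `fortify/gha-fod-generate-sarif@master` is a floating branch ref on a third-party action that receives the FoD tenant credentials; pinning it to a release tag or commit SHA like the other actions keeps the supply chain reproducible.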
@@ -13,8 +13,6 @@ jobs: java-version: 1.8 - uses: fortify/gha-setup-scancentral-client@v1 - uses: fortify/gha-setup-fod-uploader@v1 - with: - version: v5.0.1 - run: scancentral package -bt mvn -o package.zip - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl https://api.ams.fortify.com/ -purl https://ams.fortify.com/ -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" -ep 2 -pp 1 env:
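Review bot: Removing the `with: version: v5.0.1` input from the `fortify/gha-setup-fod-uploader@v1` step leaves the uploader version unpinned, so each run takes whatever that action's default resolves to (presumably its latest release) and the job is no longer reproducible from the workflow file alone. If tracking the latest uploader is intended, say so on the step, e.g. `# No version input: the action's default (latest) FoD uploader is used on every run`; otherwise keep an explicit version. The enclosing `steps:` sequence starts and ends outside the hunk.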