From 3c80d746b78e66f5d3e0a70fb12441a322a9f32d Mon Sep 17 00:00:00 2001 From: Dylan Date: Wed, 2 Sep 2020 13:59:33 -0400 Subject: [PATCH 01/12] Update start-fod-scan.yml --- .github/workflows/start-fod-scan.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/start-fod-scan.yml b/.github/workflows/start-fod-scan.yml index cbf7bd7..7f8c6ef 100644 --- a/.github/workflows/start-fod-scan.yml +++ b/.github/workflows/start-fod-scan.yml @@ -13,8 +13,6 @@ jobs: java-version: 1.8 - uses: fortify/gha-setup-scancentral-client@v1 - uses: fortify/gha-setup-fod-uploader@v1 - with: - version: v5.0.1 - run: scancentral package -bt mvn -o package.zip - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl https://api.ams.fortify.com/ -purl https://ams.fortify.com/ -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" -ep 2 -pp 1 env: From 9e7576e1449e36cbd5975bdd79bf5cf3670be921 Mon Sep 17 00:00:00 2001 From: Dylan Date: Thu, 3 Sep 2020 12:01:39 -0400 Subject: [PATCH 02/12] Rename fod-sast-scan-import.yaml to fod-sast-scan-import.yml --- .../{fod-sast-scan-import.yaml => fod-sast-scan-import.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{fod-sast-scan-import.yaml => fod-sast-scan-import.yml} (100%) diff --git a/.github/workflows/fod-sast-scan-import.yaml b/.github/workflows/fod-sast-scan-import.yml similarity index 100% rename from .github/workflows/fod-sast-scan-import.yaml rename to .github/workflows/fod-sast-scan-import.yml From e5c6ae0b4daed7273c25c146f505ed4b9a1e8243 Mon Sep 17 00:00:00 2001 From: Dylan Date: Thu, 3 Sep 2020 12:40:24 -0400 Subject: [PATCH 03/12] Update fod-sast-scan-import.yml --- .github/workflows/fod-sast-scan-import.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/fod-sast-scan-import.yml b/.github/workflows/fod-sast-scan-import.yml index adbffd9..e5a19f5 100644 --- a/.github/workflows/fod-sast-scan-import.yml 
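Review bot: Removing `with: version: v5.0.1` leaves the uploader that `java -jar $FOD_UPLOAD_JAR` runs two lines later unpinned, so the step now executes whatever version `fortify/gha-setup-fod-uploader@v1` resolves at run time, and the commit message gives no reason. A tool that is handed the FoD credentials on its command line (`-uc "$FOD_USER" "$FOD_PAT"`) is worth pinning, both for reproducible scans and for knowing exactly which binary handled the credential. If tracking the action's default is intended, say so above the step: `# Uploader version intentionally unpinned; uses the default shipped with gha-setup-fod-uploader@v1`.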
+++ b/.github/workflows/fod-sast-scan-import.yml @@ -14,7 +14,7 @@ jobs: - uses: fortify/gha-setup-scancentral-client@v1 - uses: fortify/gha-setup-fod-uploader@v1 - run: scancentral package -bt mvn -o package.zip - - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl https://api.ams.fortify.com/ -purl https://ams.fortify.com/ -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" -ep 2 -pp 0 -I 1 + - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl https://api.ams.fortify.com/ -purl https://ams.fortify.com/ -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" -ep 2 -pp 0 -I 1 && exit 0 env: FOD_TENANT: ${{ secrets.FOD_TENANT }} FOD_USER: ${{ secrets.FOD_USER }} From bcb990037a480ae11a2e7c3bd3afef6388c3db00 Mon Sep 17 00:00:00 2001 From: Dylan Date: Thu, 3 Sep 2020 12:54:17 -0400 Subject: [PATCH 04/12] Update fod-sast-scan-import.yml another attempt to override exit code of foduploader --- .github/workflows/fod-sast-scan-import.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/fod-sast-scan-import.yml b/.github/workflows/fod-sast-scan-import.yml index e5a19f5..a595a87 100644 --- a/.github/workflows/fod-sast-scan-import.yml +++ b/.github/workflows/fod-sast-scan-import.yml @@ -14,7 +14,7 @@ jobs: - uses: fortify/gha-setup-scancentral-client@v1 - uses: fortify/gha-setup-fod-uploader@v1 - run: scancentral package -bt mvn -o package.zip - - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl https://api.ams.fortify.com/ -purl https://ams.fortify.com/ -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" -ep 2 -pp 0 -I 1 && exit 0 + - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl https://api.ams.fortify.com/ -purl https://ams.fortify.com/ -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" -ep 2 -pp 0 -I 1 || true env: FOD_TENANT: ${{ secrets.FOD_TENANT }} FOD_USER: ${{ secrets.FOD_USER }} From a952d993ddd23c4d993260b22e4075585a0715f4 Mon Sep 17 00:00:00 2001 
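Review bot: `&& exit 0` on the new `run:` line changes nothing: it only executes after the uploader has already returned 0, and on any non-zero exit the step still fails with the uploader's code. Patch 04 then replaces it with `|| true`, which does the opposite and hides every failure of the upload whatever the cause, so the later SARIF download and import steps would run as if a scan had completed. Patch 05 reverts this and patch 06 adds `-apf` instead, which is the narrower fix; if a shell-level override is ever reintroduced it should be explained inline, e.g. `# do not mask uploader errors here; policy failures are handled by -apf`.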
From: Dylan Date: Fri, 4 Sep 2020 13:27:06 -0400 Subject: [PATCH 05/12] Update fod-sast-scan-import.yml Removed exit code override to test with new version of FoDUploader --- .github/workflows/fod-sast-scan-import.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/fod-sast-scan-import.yml b/.github/workflows/fod-sast-scan-import.yml index a595a87..adbffd9 100644 --- a/.github/workflows/fod-sast-scan-import.yml +++ b/.github/workflows/fod-sast-scan-import.yml @@ -14,7 +14,7 @@ jobs: - uses: fortify/gha-setup-scancentral-client@v1 - uses: fortify/gha-setup-fod-uploader@v1 - run: scancentral package -bt mvn -o package.zip - - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl https://api.ams.fortify.com/ -purl https://ams.fortify.com/ -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" -ep 2 -pp 0 -I 1 || true + - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl https://api.ams.fortify.com/ -purl https://ams.fortify.com/ -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" -ep 2 -pp 0 -I 1 env: FOD_TENANT: ${{ secrets.FOD_TENANT }} FOD_USER: ${{ secrets.FOD_USER }} From 3c85c859c109facb60ccd60eb909b5b703dfeda3 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 4 Sep 2020 13:31:56 -0400 Subject: [PATCH 06/12] Update fod-sast-scan-import.yml set allowpolicyfail option --- .github/workflows/fod-sast-scan-import.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/fod-sast-scan-import.yml b/.github/workflows/fod-sast-scan-import.yml index adbffd9..b58eb28 100644 --- a/.github/workflows/fod-sast-scan-import.yml +++ b/.github/workflows/fod-sast-scan-import.yml 
@@ -14,7 +14,7 @@ jobs: - uses: fortify/gha-setup-scancentral-client@v1 - uses: fortify/gha-setup-fod-uploader@v1 - run: scancentral package -bt mvn -o package.zip - - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl https://api.ams.fortify.com/ -purl https://ams.fortify.com/ -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" -ep 2 -pp 0 -I 1 + - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl https://api.ams.fortify.com/ -purl https://ams.fortify.com/ -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" -ep 2 -pp 0 -I 1 -apf env: FOD_TENANT: ${{ secrets.FOD_TENANT }} FOD_USER: ${{ secrets.FOD_USER }} From ecb8cd4368cbc10620f5397ac1bfef546202eaae Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 4 Sep 2020 14:32:18 -0400 Subject: [PATCH 07/12] Update fod-sast-scan-import.yml Parameterize and document workflow --- .github/workflows/fod-sast-scan-import.yml | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/.github/workflows/fod-sast-scan-import.yml b/.github/workflows/fod-sast-scan-import.yml index b58eb28..c386f6a 100644 --- a/.github/workflows/fod-sast-scan-import.yml +++ b/.github/workflows/fod-sast-scan-import.yml 
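Review bot: `-apf` is appended to the `run:` line without any explanation in the file; the commit message is the only place that says it is the allow-policy-fail option. Because it changes what a failed security policy does to this job, a reader of the workflow should not have to dig through history: add above the step `# -apf: allow policy fail — a failed FoD security policy no longer fails this step; results are still imported below, so gate on Code Scanning alerts rather than on this job's status`. The enclosing `steps:` list continues outside the hunk.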
@@ -4,33 +4,46 @@ on: [workflow_dispatch] jobs: build: + # Use the appropriate runner for building your source code runs-on: ubuntu-latest steps: + # Check out source cdoe - uses: actions/checkout@v2 + # Set up Java 1.8; required by ScanCentral Client and FoD Uploader - uses: actions/setup-java@v1 with: java-version: 1.8 + # Prepare source+dependencies for upload. Update PACKAGE_OPTS based on the ScanCentral Client documentation and your project's included tech stack(s). - uses: fortify/gha-setup-scancentral-client@v1 + - run: scancentral package $PACKAGE_OPTS -o package.zip + env: + PACKAGE_OPTS: "-bt mvn" + # Start Fortify on Demand SAST scan and wait until results complete. Be sure to set secrets/variables for your FoD tenant. - uses: fortify/gha-setup-fod-uploader@v1 - - run: scancentral package -bt mvn -o package.zip - - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl https://api.ams.fortify.com/ -purl https://ams.fortify.com/ -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" -ep 2 -pp 0 -I 1 -apf + - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS env: FOD_TENANT: ${{ secrets.FOD_TENANT }} FOD_USER: ${{ secrets.FOD_USER }} FOD_PAT: ${{ secrets.FOD_PAT }} - FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} + FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" + FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" + # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. 
- uses: fortify/gha-fod-generate-sarif@master with: - base-url: https://ams.fortify.com + base-url: $FOD_URL tenant: ${{ secrets.FOD_TENANT }} user: ${{ secrets.FOD_USER }} password: ${{ secrets.FOD_PAT }} release-id: ${{ secrets.FOD_RELEASE_ID }} output: ./sarif/output.sarif + # Import Fortify on Demand results to GitHub Security Code Scanning - uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ./sarif/output.sarif + # Save artifacts for troubleshooting (if necessary). These steps can be removed after successful configuration is confirmed. - uses: actions/upload-artifact@v2 if: always() with: From d1251d374cb014ae76482f31303d4c4b5dff6199 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 4 Sep 2020 14:40:16 -0400 Subject: [PATCH 08/12] Update fod-sast-scan-import.yml --- .github/workflows/fod-sast-scan-import.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/fod-sast-scan-import.yml b/.github/workflows/fod-sast-scan-import.yml index c386f6a..0b3390c 100644 --- a/.github/workflows/fod-sast-scan-import.yml +++ b/.github/workflows/fod-sast-scan-import.yml @@ -33,7 +33,7 @@ jobs: # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - uses: fortify/gha-fod-generate-sarif@master with: - base-url: $FOD_URL + base-url: https://ams.fortify.com/ tenant: ${{ secrets.FOD_TENANT }} user: ${{ secrets.FOD_USER }} password: ${{ secrets.FOD_PAT }} From 1bc52e9ea3c36f7f5610dbc4371421539a8d2672 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 4 Sep 2020 14:52:12 -0400 Subject: [PATCH 09/12] Update fod-sast-scan-import.yml --- .github/workflows/fod-sast-scan-import.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/fod-sast-scan-import.yml b/.github/workflows/fod-sast-scan-import.yml index 0b3390c..18ed951 100644 --- a/.github/workflows/fod-sast-scan-import.yml +++ b/.github/workflows/fod-sast-scan-import.yml 
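Review bot: `base-url: $FOD_URL` in the `with:` block of `fortify/gha-fod-generate-sarif@master` will not be expanded: `with:` inputs are not passed through a shell, and `FOD_URL` is in any case a step-scoped `env:` of the preceding `run` step, so the action receives the literal string `$FOD_URL` (patch 08 reverts this to the literal URL). The new `FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"` line moves the option codes into a variable but still does not say what they mean; a short comment per flag, or a pointer to the uploader's option documentation, belongs next to it. Minor: the added comment reads `# Check out source cdoe` (fixed in patch 10).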
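Review bot: The literal `base-url: https://ams.fortify.com/` now duplicates `FOD_URL: "https://ams.fortify.com/"` set on the scan step's `env:`, so the two can drift (a tenant on a different FoD region would have to change both). `with:` inputs can read the `env` context, so defining `FOD_URL` and `FOD_API_URL` once at job level and writing `base-url: ${{ env.FOD_URL }}` here keeps a single source of truth. The `with:` block continues outside the hunk.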
@@ -1,10 +1,10 @@ -name: Start FoD scan with Import +name: Fortify on Demand SAST with Import on: [workflow_dispatch] jobs: - build: - # Use the appropriate runner for building your source code + Fortify : + # Use the appropriate runner for building your source code. Use Windows for projects that use msbuild. runs-on: ubuntu-latest steps: @@ -16,12 +16,14 @@ jobs: java-version: 1.8 # Prepare source+dependencies for upload. Update PACKAGE_OPTS based on the ScanCentral Client documentation and your project's included tech stack(s). - uses: fortify/gha-setup-scancentral-client@v1 - - run: scancentral package $PACKAGE_OPTS -o package.zip + - name: Package code + run: scancentral package $PACKAGE_OPTS -o package.zip env: PACKAGE_OPTS: "-bt mvn" # Start Fortify on Demand SAST scan and wait until results complete. Be sure to set secrets/variables for your FoD tenant. - uses: fortify/gha-setup-fod-uploader@v1 - - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS + - name: Perform SAST Scan + run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS env: FOD_TENANT: ${{ secrets.FOD_TENANT }} FOD_USER: ${{ secrets.FOD_USER }} @@ -31,7 +33,8 @@ jobs: FOD_API_URL: "https://api.ams.fortify.com/" FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - - uses: fortify/gha-fod-generate-sarif@master + - name: Download Results + uses: fortify/gha-fod-generate-sarif@master with: base-url: https://ams.fortify.com/ tenant: ${{ secrets.FOD_TENANT }} 
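Review bot: The renamed `Download Results` step still references `fortify/gha-fod-generate-sarif@master`, a moving branch rather than a tag or commit SHA, and it is the step that receives the tenant name on the `tenant:` line here and, further down the `with:` block outside this hunk, the user and PAT. Any change pushed to that branch runs inside this job with the FoD credentials, so pin it to a release tag or, preferably, a full commit SHA with the version noted in a trailing comment, e.g. `uses: fortify/gha-fod-generate-sarif@<commit-sha>  # <release tag>`; the other actions in the file are at least on major-version tags. The same line reappears unchanged in patch 10's second hunk.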
@@ -40,7 +43,8 @@ jobs: release-id: ${{ secrets.FOD_RELEASE_ID }} output: ./sarif/output.sarif # Import Fortify on Demand results to GitHub Security Code Scanning - - uses: github/codeql-action/upload-sarif@v1 + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ./sarif/output.sarif # Save artifacts for troubleshooting (if necessary). These steps can be removed after successful configuration is confirmed. From 32224adfe3fe138c88bc3d1a700c2f700f4a7758 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 4 Sep 2020 15:04:00 -0400 Subject: [PATCH 10/12] Update fod-sast-scan-import.yml --- .github/workflows/fod-sast-scan-import.yml | 25 ++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/.github/workflows/fod-sast-scan-import.yml b/.github/workflows/fod-sast-scan-import.yml index 18ed951..c8410d9 100644 --- a/.github/workflows/fod-sast-scan-import.yml +++ b/.github/workflows/fod-sast-scan-import.yml 
@@ -1,27 +1,37 @@ -name: Fortify on Demand SAST with Import +name: Start FoD scan with Import -on: [workflow_dispatch] +on: + workflow_dispatch: + push: + branches: [master] + pull_request: + branches: [master] + jobs: - Fortify : + FoD SAST Scan: # Use the appropriate runner for building your source code. Use Windows for projects that use msbuild. runs-on: ubuntu-latest steps: - # Check out source cdoe + # Check out source code - uses: actions/checkout@v2 # Set up Java 1.8; required by ScanCentral Client and FoD Uploader - uses: actions/setup-java@v1 with: java-version: 1.8 + # Prepare source+dependencies for upload. Update PACKAGE_OPTS based on the ScanCentral Client documentation and your project's included tech stack(s). - - uses: fortify/gha-setup-scancentral-client@v1 + - name: Download ScanCentral Client + uses: fortify/gha-setup-scancentral-client@v1 - name: Package code run: scancentral package $PACKAGE_OPTS -o package.zip env: PACKAGE_OPTS: "-bt mvn" + # Start Fortify on Demand SAST scan and wait until results complete. Be sure to set secrets/variables for your FoD tenant. - - uses: fortify/gha-setup-fod-uploader@v1 + - name: Download FoD Universal CI Tool + uses: fortify/gha-setup-fod-uploader@v1 - name: Perform SAST Scan run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS env: @@ -32,6 +42,7 @@ jobs: FOD_URL: "https://ams.fortify.com/" FOD_API_URL: "https://api.ams.fortify.com/" FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" + # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - name: Download Results uses: fortify/gha-fod-generate-sarif@master 
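Review bot: The new `pull_request:` trigger on `branches: [master]` makes this job run for pull requests from forks, where GitHub does not expose repository secrets, so `FOD_TENANT`, `FOD_USER` and `FOD_PAT` arrive empty and the `Perform SAST Scan` step fails after `scancentral package -bt mvn` has presumably already executed the contributor's Maven build on the runner. Either restrict the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or document above `on:` that fork pull requests are expected to stop at the scan step. Separately, the job key `FoD SAST Scan:` contains spaces, which GitHub does not accept as a job id (patch 11 changes it).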
@@ -42,11 +53,13 @@ jobs: password: ${{ secrets.FOD_PAT }} release-id: ${{ secrets.FOD_RELEASE_ID }} output: ./sarif/output.sarif + # Import Fortify on Demand results to GitHub Security Code Scanning - name: Import Results uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ./sarif/output.sarif + # Save artifacts for troubleshooting (if necessary). These steps can be removed after successful configuration is confirmed. - uses: actions/upload-artifact@v2 if: always() From f268fb9b4981f703e786d310266c0f9121cf1cf4 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 4 Sep 2020 15:05:08 -0400 Subject: [PATCH 11/12] Update fod-sast-scan-import.yml --- .github/workflows/fod-sast-scan-import.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/fod-sast-scan-import.yml b/.github/workflows/fod-sast-scan-import.yml index c8410d9..aeac13d 100644 --- a/.github/workflows/fod-sast-scan-import.yml +++ b/.github/workflows/fod-sast-scan-import.yml @@ -9,7 +9,7 @@ on: jobs: - FoD SAST Scan: + FoD_SAST_Scan: # Use the appropriate runner for building your source code. Use Windows for projects that use msbuild. runs-on: ubuntu-latest From f0278153a89017c2d429abf8869ef035ec28d6a6 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 4 Sep 2020 15:28:06 -0400 Subject: [PATCH 12/12] Update fod-sast-scan-import.yml --- .github/workflows/fod-sast-scan-import.yml | 33 ++++++++++++++-------- 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/.github/workflows/fod-sast-scan-import.yml b/.github/workflows/fod-sast-scan-import.yml index aeac13d..55a5600 100644 --- a/.github/workflows/fod-sast-scan-import.yml +++ b/.github/workflows/fod-sast-scan-import.yml 
@@ -9,28 +9,34 @@ on: jobs: - FoD_SAST_Scan: - # Use the appropriate runner for building your source code. Use Windows for projects that use msbuild. + FoD-SAST-Scan: + # Use the appropriate runner for building your source code. + # Use Windows runner for projects that use msbuild. Additional changes to RUN commands will be required. runs-on: ubuntu-latest steps: # Check out source code - - uses: actions/checkout@v2 - # Set up Java 1.8; required by ScanCentral Client and FoD Uploader - - uses: actions/setup-java@v1 + - name: Check Out Source Code + uses: actions/checkout@v2 + # Required by ScanCentral Client and FoD Uploader + - name: Setup Java 8 + uses: actions/setup-java@v1 with: java-version: 1.8 - # Prepare source+dependencies for upload. Update PACKAGE_OPTS based on the ScanCentral Client documentation and your project's included tech stack(s). - - name: Download ScanCentral Client + # Prepare source+dependencies for upload. + # Update PACKAGE_OPTS based on the ScanCentral Client documentation and your project's included tech stack(s). + # ScanCentral Client will download dependencies for maven, gradle and msbuild projects. + # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. + - name: Download Fortify ScanCentral Client uses: fortify/gha-setup-scancentral-client@v1 - - name: Package code + - name: Package Code + Dependencies run: scancentral package $PACKAGE_OPTS -o package.zip env: PACKAGE_OPTS: "-bt mvn" # Start Fortify on Demand SAST scan and wait until results complete. Be sure to set secrets/variables for your FoD tenant. - - name: Download FoD Universal CI Tool + - name: Download Fortify on Demand Universal CI Tool uses: fortify/gha-setup-fod-uploader@v1 - name: Perform SAST Scan run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS 
@@ -61,17 +67,20 @@ jobs: sarif_file: ./sarif/output.sarif # Save artifacts for troubleshooting (if necessary). These steps can be removed after successful configuration is confirmed. - - uses: actions/upload-artifact@v2 + - name: Save SARIF Results + uses: actions/upload-artifact@v2 if: always() with: name: sarif-files path: ./sarif - - uses: actions/upload-artifact@v2 + - name: Save ScanCentral Logs + uses: actions/upload-artifact@v2 if: always() with: name: scancentral-logs path: ~/.fortify/scancentral/log - - uses: actions/upload-artifact@v2 + - name: Save Packaged Code + uses: actions/upload-artifact@v2 if: always() with: name: package.zip