chore: Incomplete doc updates
rsenden committed Oct 31, 2024
1 parent 2d91e3c commit 271ea6c
Showing 89 changed files with 443 additions and 2,141 deletions.
1,582 changes: 48 additions & 1,534 deletions README.md

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions action.yml
Original file line number Diff line number Diff line change
@@ -13,15 +13,15 @@ inputs:
runs:
using: composite
steps:
- uses: fortify/github-action/fod-sast-scan@main
- uses: fortify/github-action/fod-sast-scan@doc-updates
if: inputs['sast-scan']=='true' && env.FOD_URL
env:
DO_DEBRICKED_SCAN: ${{ inputs['debricked-sca-scan'] }}
- uses: fortify/github-action/sc-sast-scan@main
- uses: fortify/github-action/sc-sast-scan@doc-updates
if: inputs['sast-scan']=='true' && env.SSC_URL
env:
DO_DEBRICKED_SCAN: ${{ inputs['debricked-sca-scan'] }}
- uses: fortify/github-action/ssc-debricked-scan@main
- uses: fortify/github-action/ssc-debricked-scan@doc-updates
if: inputs['sast-scan']=='false' && inputs['debricked-sca-scan']=='true' && env.SSC_URL

branding:
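Review bot: the three `uses:` lines in this hunk move the sub-action references from `@main` to `@doc-updates`, which ties the published composite action to a working branch; if this commit lands on `main` unchanged, `fortify/github-action` will resolve `fod-sast-scan`, `sc-sast-scan` and `ssc-debricked-scan` from a branch that is likely to be deleted once the doc work is merged, and every consumer of the action breaks. Since the commit message calls this an incomplete doc update, revert these three lines before merging, or better, reference the sub-actions by release tag or commit SHA instead of a mutable branch name so that what the action executes cannot change silently.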
82 changes: 0 additions & 82 deletions doc-resources/action-setup.md

This file was deleted.

70 changes: 70 additions & 0 deletions doc-resources/action/_root/readme.md
@@ -0,0 +1,70 @@
This GitHub Action allows for easy integration of Fortify Application Security Testing (AST) into your GitHub Action workflows. It provides out-of-the-box support for Static Application Security Testing (SAST) and Software Composition Analysis (SCA); support for Dynamic or Mobile Application Security Testing (DAST & MAST) may be added in the future. Apart from utilizing the standard scan workflows provided by this GitHub Action, you may also choose to utilize the various building blocks to implement custom workflows, which can be either customized SAST or SCA workflows, or your own DAST or MAST workflows.

The following sections describe these topics in more detail:

* [Prerequisites](#prerequisites)
* [Application Security Testing with Fortify on Demand](#application-security-testing-with-fortify-on-demand)
* [Application Security Testing with SSC/ScanCentral](#application-security-testing-with-ssc-scancentral)
* [Building blocks for custom workflows](#building-blocks-for-custom-workflows)

{{include:action/generic/prerequisites-h2.md}}

## Application Security Testing with Fortify on Demand

The standard workflow provided by this GitHub Action allows for running a Static scan and optional open-source scan (software composition analysis) on Fortify on Demand. The following sample snippet demonstrates how to invoke this GitHub Action from a GitHub Actions workflow:

```yaml
steps:
- name: Check out source code
uses: actions/checkout@v4
- name: Run FoD SAST Scan
uses: fortify/github-action@{{var:action-major-version}}
with:
sast-scan: true
debricked-sca-scan: true
env:
{x{include:nocomments.env-fod-sast-scan-sample.md}}
```

In this example, the `with` clause specifies what scans to run:

{{include:action/generic/nocomments.input-table-header.md}}
| `sast-scan` | If set to `true`, run a static scan. If not specified or set to `false`, the action will run neither static or open-source scan (independent of `debricked-sca-scan` setting), as open-source scans are currently only run in combination with a static scan. |
| `debricked-sca-scan` | Configure the static scan to also run an open-source scan. Depending on FoD configuration, this may be either a Debricked or a Sonatype scan. Effectively, this adds dependency data to the scan payload, and enables the open-source scan setting in the FoD scan configuration. Note that any existing FoD scan configuration will not be updated, so if the scan has already been configured in FoD, an open-source scan will only be performed if previously enabled in the existing scan configuration. |

The `env` clause specifies environment variables to configure those scans. The following environment variables are currently supported:

{x{include:env-fod-sast-scan.md}}

{x{include:env-setup.md}}


## Application Security Testing with SSC/ScanCentral

The standard workflow provided by this GitHub Action allows for running a static scan on ScanCentral SAST and/or running software composition analysis on Debricked. The following sample snippet demonstrates how to invoke this GitHub Action from a GitHub Actions workflow:

```yaml
steps:
- name: Check out source code
uses: actions/checkout@v4
- name: Run FoD SAST Scan
uses: fortify/github-action@{{var:action-major-version}}
with:
sast-scan: true
debricked-sca-scan: true
env:
{x{include:nocomments.env-sc-sast-scan-sample.md}}
```

{{include:action/generic/nocomments.input-section-and-table-header.md}}
| `sast-scan` | If set to `true`, run a static scan. If not specified or set to `false`, no static scan will be run. |
| `debricked-sca-scan` | If set to `true`, run Debricked Software Composition Analysis. If not specified or set to `false`, no software composition analysis will be performed. |

{{include:action/generic/nocomments.env-section-and-table-header.md}}

{x{include:env-sc-sast-scan.md}}

{x{include:env-setup.md}}

## Building blocks for custom workflows

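Review bot: the step name in the SSC/ScanCentral sample, `- name: Run FoD SAST Scan`, is a copy-paste leftover from the FoD sample above it (the env snippet it includes is `env-sc-sast-scan-sample.md`), so rename it to something like `Run ScanCentral SAST Scan`. Two smaller points in the same file: the `{x{include:...}}` forms (six occurrences) are not valid include directives and will render literally if they are still present when the doc ships, and the closing `## Building blocks for custom workflows` heading has no body. In the `sast-scan` row, `will run neither static or open-source scan` should read `will run neither a static nor an open-source scan`.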
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
| DO_EXPORT<br/>EXPORT_ACTION<br/>EXPORT_EXTRA_OPTS | If `DO_EXPORT` is set to `true` (implied if any of the other two `EXPORT_*` variables are set, and implies `DO_WAIT`), this action will will export scan results to the GitHub Security Code Scanning dashboard using the fcli-provided [FoD `github-sast-report`]({{var:fcli-doc-base-url}}fod-actions.html#_github_sast_report) action or, if specified, the custom fcli action specified through `EXPORT_ACTION`. `EXPORT_ACTION` may point to a local file or URL; this custom fcli action must support (at least) the exact same action parameters (including any environment variable based default values for those parameters) as the built-in fcli action. Any extra options for the fcli action can be passed through the `EXPORT_EXTRA_OPTS` environment variable, for example to to allow an unsigned custom action to be used.<br/><br/>Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. GitHub only supports importing SAST results; other results will not exported to GitHub. |
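Review bot: two doubled words in this cell, `this action will will export` and `for example to to allow`, and `other results will not exported to GitHub` is missing `be`. Suggest `this action will export scan results`, `for example to allow an unsigned custom action to be used` and `other results will not be exported to GitHub`.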
1 change: 1 addition & 0 deletions doc-resources/action/fod-export/nocomments.env-export.md
@@ -0,0 +1 @@
| EXPORT_ACTION<br/>EXPORT_EXTRA_OPTS | This action will will export scan results to the GitHub Security Code Scanning dashboard using the fcli-provided [FoD `github-sast-report`]({{var:fcli-doc-base-url}}fod-actions.html#_github_sast_report) action or, if specified, the custom fcli action specified through `EXPORT_ACTION`. `EXPORT_ACTION` may point to a local file or URL; this custom fcli action must support (at least) the exact same action parameters (including any environment variable based default values for those parameters) as the built-in fcli action. Any extra options for the fcli action can be passed through the `EXPORT_EXTRA_OPTS` environment variable, for example to to allow an unsigned custom action to be used. |
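Review bot: the same doubled words as in the `DO_EXPORT` variant, `will will export` and `to to allow`, are carried over here and should be fixed in both copies. Dropping the GitHub Advanced Security note from this cell is fine only because the fod-export readme in this commit states it in its opening paragraph; keep the two in sync if that paragraph changes.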
Original file line number Diff line number Diff line change
@@ -1,16 +1,6 @@
This action exports the latest vulnerability data from an FoD release to the GitHub Code Scanning dashboard. Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository.

{{include:action-prerequisites.md}}

### Action environment variable inputs

{{include:env-fod-connection.md}}

{{include:env-fod-release.md}}

{{include:env-do-export.md}}

{{include:env-setup.md}}
{{include:action/generic/prerequisites-h3.md}}

### Sample usage

@@ -21,7 +11,13 @@ The sample workflow below demonstrates how to configure the action for exporting
- name: Export FoD vulnerability data to GitHub
uses: fortify/github-action/fod-export@{{var:action-major-version}}
env:
{{include:nocomments.env-fod-connection-sample.md}}
{{include:nocomments.env-fod-release-sample.md}}
{{include:nocomments.env-setup-sample.md}}
{{include:action/generic/fod/nocomments.snippet-fod-login.md}}
{{include:action/generic/fod/nocomments.snippet-fod-release.md}}
{{include:action/setup/nocomments.snippet-tool-definitions.md}}
```

{{include:action/generic/nocomments.env-section-and-table-header.md}}
{{include:action/generic/fod/nocomments.env-fod-login.md}}
{{include:action/generic/fod/nocomments.env-fod-release.md}}
{{include:action/fod-export/nocomments.env-export.md}}
{{include:action/setup/nocomments.env-tool-definitions.md}}
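Review bot: the env table header include and the four variable-row includes that follow it are placed directly after the closing ``` fence with no blank line; most Markdown renderers want a blank line before a table, so add one. Also, this hunk drops `{{include:env-setup.md}}` and instead references `action/setup/nocomments.snippet-tool-definitions.md` and `action/setup/nocomments.env-tool-definitions.md`, neither of which appears in the part of the diff shown here; confirm both files are part of the commit so the includes resolve.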
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,7 @@ The SAST and optional open source scan performed by this action consists of the
* Optionally wait for the scan to complete
* Optionally export scan results to the GitHub Code Scanning dashboard

{{include:action-prerequisites.md}}

Apart from the generic action prerequisites listed above, the following prerequisites apply to this specific action:

* The appropriate application release exists on FoD and has been configured for SAST scans. Future versions of this action may add support for automating app/release creation and scan setup.
* If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `PACKAGE_EXTRA_OPTS` environment variable.
{{include:action/generic/prerequisites-h3.md}}

### Action environment variable inputs

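Review bot: the two action-specific prerequisites removed here (the FoD release must already exist and be configured for SAST, and `-oss` must be passed through `PACKAGE_EXTRA_OPTS` when open-source scanning is enabled in the FoD scan configuration) are replaced by the generic `prerequisites-h3.md` include and do not reappear in this hunk. The `-oss` note in particular decides whether the open-source scan actually runs, so either keep that bullet list after the include or fold it into the `PACKAGE_EXTRA_OPTS` variable description.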
4 changes: 4 additions & 0 deletions doc-resources/action/generic/fod/nocomments.env-fod-login.md
@@ -0,0 +1,4 @@
| **FOD_URL** | Fortify on Demand URL, for example https://ams.fortify.com. Note: Using GitHub Secrets to define this URL may cause links back to FoD to be rendered incorrectly, for example in GitHub Action workflow summaries. It is highly recommended to either hard-code the URL in your workflow, or to use [GitHub Variables](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables) instead of GitHub Secrets. |
| **FOD_CLIENT_ID**<br>**FOD_CLIENT_SECRET** | Required when authenticating with an API key: FoD Client ID (API key) and Secret (API secret). |
| **FOD_TENANT**<br/>**FOD_USER**<br/>**FOD_PASSWORD** | Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. |
| FOD_LOGIN_EXTRA_OPTS<br/>EXTRA_FOD_LOGIN_OPTS | Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-fod-session-login.html) . Note that `EXTRA_FOD_LOGIN_OPTS` is deprecated; please use `FOD_LOGIN_EXTRA_OPTS`.|
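Review bot: the `fcli fod session login` link is built as `{{var:fcli-doc-base-url}}/manpage/...` with a leading slash, while the export cells in this commit use `{{var:fcli-doc-base-url}}fod-actions.html` without one; pick a single convention so the variable's trailing slash (or its absence) does not yield a double or missing slash. Minor: the `FOD_CLIENT_ID` row uses `<br>` where the other rows use `<br/>`, and there is a stray space before the period in `...login.html) .`. The guidance to keep `FOD_URL` out of secrets and use a Personal Access Token rather than a password is good and worth keeping prominent.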
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
| FOD_RELEASE | Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `<app-name>:<release-name>` (for non-microservices applications) or `<app-name>:<microservice-name>:<release-name>` (for microservices applications). Default value is based on repository and branch name, for example `myOrg/myRepo:myBranch`. Note that you'll need to explicitly configure `FOD_RELEASE` for microservices applications, as the default value lacks a microservice name. |
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
FOD_URL: https://ams.fortify.com
FOD_TENANT: ${{secrets.FOD_TENANT}}
FOD_USER: ${{secrets.FOD_USER}}
FOD_PASSWORD: ${{secrets.FOD_PAT}}
FOD_PASSWORD: ${{secrets.FOD_PAT}}
# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s
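Review bot: the `-`/`+` pair for `FOD_PASSWORD: ${{secrets.FOD_PAT}}` is textually identical, so that change is whitespace or line-ending only (most likely a missing final newline before the new comment line); worth checking it is not a trailing-whitespace artefact. The sample itself matches the `FOD_URL` row's advice, with the URL hard-coded and only the tenant, user and PAT coming from secrets.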
1 change: 1 addition & 0 deletions doc-resources/action/generic/nocomments.env-do-wait.md
@@ -0,0 +1 @@
| DO_WAIT | By default, this action will not wait until scans have been completed. To have the workflow wait until all scans have been completed, set the `DO_WAIT` environment variable to `true`. Note that some other environment variables imply `DO_WAIT`, for example when exporting vulnerability data or generating job summaries. This behavior is documented in the applicable environment variable descriptions. |
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
### Action environment variable inputs

This section lists the environment variables that can be specified in the `env:` clause for this GitHub Action. Any environment variables marked in **bold** are required.

{{include:action/generic/nocomments.env-table-header.md}}
2 changes: 2 additions & 0 deletions doc-resources/action/generic/nocomments.env-table-header.md
@@ -0,0 +1,2 @@
| Environment variable | Description |
| :--- | :--- |
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
### Action inputs

This section lists the inputs that can be specified in the `with:` clause for this GitHub Action. Any inputs marked in **bold** are required.

{{include:action/generic/nocomments.input-table-header.md}}
2 changes: 2 additions & 0 deletions doc-resources/action/generic/nocomments.input-table-header.md
@@ -0,0 +1,2 @@
| Action input | Description |
| :--- | :--- |
3 changes: 3 additions & 0 deletions doc-resources/action/generic/prerequisites-h2.md
@@ -0,0 +1,3 @@
## Prerequisites

{{include:action/generic/prerequisites.md}}
3 changes: 3 additions & 0 deletions doc-resources/action/generic/prerequisites-h3.md
@@ -0,0 +1,3 @@
### Prerequisites

{{include:action/generic/prerequisites.md}}
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
### Prerequisites

This action assumes the standard software packages as provided by GitHub-hosted runners to be available. If you are using self-hosted runners, you may need to install some of these software packages in order to successfully use this action. In particular, not having the following software installed is known to cause issues when running `fortify/github-action` or one of its sub-actions:

* Node.js
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
|SSC_APPVERSION|Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `<app-name>:<version-name>`. Default value is based on repository and branch name, for example `myOrg/myRepo:myBranch`.|
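Review bot: this row omits the cell padding the other tables in this commit use (`| NAME | Description |`), writing `|SSC_APPVERSION|Fortify SSC ...|` instead; it renders, but align it with the `FOD_RELEASE` row for consistency. The wording otherwise mirrors the FoD counterpart, including the `myOrg/myRepo:myBranch` default, which is the right approach.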