feat: Add ssc-scan action, supporting both SC-SAST & Debricked
Showing
13 changed files
with
104 additions
and
32 deletions.
@@ -1,24 +1,14 @@ | ||
const { spawn } = require("child_process"); | ||
const { appendFileSync } = require("fs"); | ||
const { EOL } = require("os"); | ||
|
||
function run(script) { | ||
if ( script ) { | ||
const dir = process.env.INPUT_DIR; | ||
const utilDir = process.env.INPUT_UTIL; | ||
const subprocess = spawn(`bash -c -o pipefail -v 'export UTIL_DIR=${utilDir}; ${dir}/${script}'`, | ||
const subprocess = spawn(`bash -c -o pipefail -v 'export UTIL_DIR=${utilDir}; ${script}'`, | ||
{ stdio: "inherit", shell: true }); | ||
subprocess.on("exit", (exitCode) => { | ||
process.exitCode = exitCode; | ||
}); | ||
} | ||
} | ||
|
||
const key = process.env.INPUT_KEY.toUpperCase(); | ||
|
||
if ( process.env[`STATE_${key}`] !== undefined ) { // Are we in the 'post' step? | ||
run(process.env.INPUT_POST); | ||
} else { // Otherwise, this is the main step | ||
appendFileSync(process.env.GITHUB_STATE, `${key}=true${EOL}`); | ||
run(process.env.INPUT_SCRIPT); | ||
} | ||
run(process.env.INPUT_SCRIPT); |
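Review bot: The rewritten `spawn` line still builds one shell string from `INPUT_UTIL` and `INPUT_SCRIPT` inside single quotes and runs it with `shell: true`, so a quote, space or `;` in either value changes what bash executes instead of failing cleanly. Because `script` now appears to arrive as an absolute path built from `$(pwd)`, characters in the runner's checkout path are affected as well as the input itself. Passing the values outside the command text removes the extra quoting layer: `spawn("bash", ["-o", "pipefail", "-v", "-c", script], { stdio: "inherit", env: { ...process.env, UTIL_DIR: utilDir } });`. With that form `script` is still parsed by bash as a command line, but `utilDir` is no longer parsed at all. The same line is added in the new file that runs `INPUT_POST` in the next section.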
@@ -0,0 +1,14 @@ | ||
const { spawn } = require("child_process"); | ||
|
||
function run(script) { | ||
if ( script ) { | ||
const utilDir = process.env.INPUT_UTIL; | ||
const subprocess = spawn(`bash -c -o pipefail -v 'export UTIL_DIR=${utilDir}; ${script}'`, | ||
{ stdio: "inherit", shell: true }); | ||
subprocess.on("exit", (exitCode) => { | ||
process.exitCode = exitCode; | ||
}); | ||
} | ||
} | ||
|
||
run(process.env.INPUT_POST); |
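Review bot: The `exit` handler assigns the child's code straight to `process.exitCode`, but Node passes `null` as the code when the child is ended by a signal, and a `null` exit code leaves this process reporting success. For a step that gates a security scan, a killed or timed-out script should fail the step: `subprocess.on("exit", (code) => { process.exitCode = code ?? 1; });`. The identical handler in the main script's section above has the same gap.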
|
@@ -16,9 +16,12 @@ runs: | |
using: composite | ||
steps: | ||
# github.action_path uses platform-specific path format, like D:\... for Windows. | ||
# The run-script-js action requires the path to be in bash format, so we convert | ||
# The run-script-js action requires the paths to be in bash format, so we convert | ||
# the paths to bash format before invoking the run-script-js action. | ||
- run: echo "BASH_SCRIPT_DIR=$(pwd)" >> $GITHUB_ENV | ||
- run: echo "RUN_SCRIPT=$(pwd)/${{ inputs.script }}" >> $GITHUB_ENV | ||
shell: bash | ||
working-directory: ${{ inputs.dir }} | ||
- run: echo "RUN_POST=$(pwd)/${{ inputs.post }}" >> $GITHUB_ENV | ||
shell: bash | ||
working-directory: ${{ inputs.dir }} | ||
- run: echo "BASH_UTIL_DIR=$(pwd)/util" >> $GITHUB_ENV | ||
|
@@ -27,9 +30,12 @@ runs: | |
- uses: fortify/github-action/internal/[email protected] | ||
with: | ||
util: ${{ env.BASH_UTIL_DIR }} | ||
dir: ${{ env.BASH_SCRIPT_DIR }} | ||
script: ${{ inputs.script }} | ||
post: ${{ inputs.post }} | ||
script: ${{ env.RUN_SCRIPT }} | ||
post: ${{ env.RUN_POST }}/${{ inputs.post }} | ||
- run: | | ||
echo "RUN_SCRIPT=" >> $GITHUB_ENV | ||
echo "RUN_POST=" >> $GITHUB_ENV | ||
shell: bash | ||
branding: | ||
icon: 'shield' | ||
|
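Review bot: `post: ${{ env.RUN_POST }}/${{ inputs.post }}` appends `inputs.post` a second time, because `RUN_POST` was already written as `$(pwd)/${{ inputs.post }}` in the step above; the value should be `post: ${{ env.RUN_POST }}`, matching how `script` uses `RUN_SCRIPT`. Separately, when `inputs.post` is empty both forms still yield a non-empty directory path, so the `if ( script )` guard in the JS wrapper (as it appears in the sections above) would no longer skip the post step; writing `RUN_POST` only when the input is set would keep that behaviour. The two `echo` steps also expand `${{ inputs.script }}` and `${{ inputs.post }}` directly into the shell command; passing them through `env:` and referencing a quoted shell variable keeps the input out of the command text.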
@@ -0,0 +1,25 @@ | ||
name: 'Perform SAST scan' | ||
description: 'Perform a SAST scan on ScanCentral SAST' | ||
author: 'Fortify' | ||
runs: | ||
using: composite | ||
steps: | ||
- uses: fortify/github-action/[email protected] | ||
with: | ||
export-path: false | ||
fcli: action-default | ||
debricked-cli: ${{ env.DO_DEBRICKED_SCAN=='true' && 'action-default' || 'skip' }} | ||
- uses: fortify/github-action/internal/[email protected] | ||
- uses: fortify/github-action/internal/[email protected] | ||
- uses: fortify/github-action/[email protected] | ||
- uses: fortify/github-action/internal/[email protected] | ||
with: | ||
dir: ${{ github.action_path }} | ||
script: ./ssc-scan.sh | ||
- if: env.DO_EXPORT == 'true' | ||
uses: fortify/github-action/[email protected] | ||
|
||
branding: | ||
icon: 'shield' | ||
color: 'blue' | ||
|
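Review bot: `name` and `description` describe only a ScanCentral SAST scan, while the first step also selects the Debricked CLI from `DO_DEBRICKED_SCAN` and the commit title says the action supports both. Suggest `description: 'Perform a ScanCentral SAST and/or Debricked scan'`. The action declares no `inputs:` and is driven by environment variables (`DO_DEBRICKED_SCAN`, `DO_EXPORT`), so a header comment listing the variables it reads would help callers.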
@@ -0,0 +1,33 @@ | ||
#!/bin/bash | ||
. ${UTIL_DIR}/common.sh | ||
|
||
# This script assumes that fcli and Debricked CLI have already been installed, | ||
# and that any necessary fcli sessions have been created. | ||
# TODO Check prerequisites like SSC_APPVERSION, DEBRICKED_TOKEN, ... | ||
|
||
if [ "${DO_SC_SAST_SCAN}" == "true" ]; then | ||
run ${FCLI_CMD} sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS} \ | ||
|| exit 1 | ||
fi | ||
if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then | ||
# Debricked may return non-zero exit code on automation rule failures, in which case | ||
# we still want to run subsequent steps, hence we temporarily ignore the exit code, | ||
run ${DEBRICKED_CLI_CMD} scan -t "${DEBRICKED_TOKEN}" -i "Fortify GitHub Action" \ | ||
|| FAIL_ON_EXIT=true | ||
run ${FCLI_CMD} ssc artifact import-debricked --av "${SSC_APPVERSION}" --repository "${GITHUB_REPOSITORY}" --branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" -t "${DEBRICKED_TOKEN}" --store debricked_scan \ | ||
|| exit 1 | ||
fi | ||
if [ "${DO_WAIT}" == "true" ] || [ "${DO_EXPORT}" == "true" ]; then | ||
if [ "${DO_SC_SAST_SCAN}" == "true" ]; then | ||
run ${FCLI_CMD} sc-sast scan wait-for ::sc_sast_scan:: \ | ||
|| exit 1 | ||
fi | ||
if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then | ||
run ${FCLI_CMD} ssc artifact wait-for ::debricked_scan:: \ | ||
|| exit 1 | ||
fi | ||
fi | ||
if [ "${FAIL_ON_EXIT}" == "true" ]; then | ||
echo "Earlier failures detected" | ||
exit 1 | ||
fi |
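Review bot: `DEBRICKED_TOKEN` is passed as a `-t` argument to both the Debricked CLI and `fcli ssc artifact import-debricked`, which places the secret in the process argument list and in anything that echoes the command. The `run` helper comes from `common.sh`, which is not shown, so whether it logs its arguments needs checking. Where the tools accept the token from the environment, prefer that over `-t`. Also, `FAIL_ON_EXIT` is never initialised, so a value inherited from the workflow environment would fail the run; add `FAIL_ON_EXIT=false` near the top, and quote the source line as `. "${UTIL_DIR}/common.sh"`.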