feat: Add ssc-scan action, supporting both SC-SAST & Debricked

internal/fod-login/action.yml

@@ -11,8 +11,8 @@ runs:
       if: ${{ !env._FOD_LOGGED_IN }}
       with:
         dir: ${{ github.action_path }}
-        script: ./fod-login.sh
-        post: ./fod-logout.sh
+        script: fod-login.sh
+        post: fod-logout.sh
 
 branding:
   icon: 'shield'

internal/run-script-js/action.yml

@@ -10,17 +10,10 @@ inputs:
     description: 'Script to run on job completion'
     required: false
   dir:
-    description: 'Directory where scripts are located, should usually be set to github.action_path'
+    description: 'Directory where scripts are located, set automatically by internal/run-script action'
     required: true
-  util:
-    description: 'Directory where utility scripts are located, set automatically by internal/run-script action'
-    required: true
-  key:
-    description: 'Name of the state variable used to detect the post step.'
-    required: false
-    default: POST
 
 runs:
   using: 'node20'
   main: 'main.js'
-  post: 'main.js'
+  post: 'post.js'

internal/run-script-js/main.js

@@ -1,24 +1,14 @@
 const { spawn } = require("child_process");
-const { appendFileSync } = require("fs");
-const { EOL } = require("os");
 
 function run(script) {
   if ( script ) {
-      const dir = process.env.INPUT_DIR;
-      const utilDir = process.env.INPUT_UTIL;
-      const subprocess = spawn(`bash -c -o pipefail -v 'export UTIL_DIR=${utilDir}; ${dir}/${script}'`, 
+      const scriptDir = process.env.INPUT_DIR;
+      const subprocess = spawn(`bash -c -o pipefail -v 'export UTIL_DIR=${dir}; ${dir}/${script}'`, 
         { stdio: "inherit", shell: true });
       subprocess.on("exit", (exitCode) => {
         process.exitCode = exitCode;
       });
   }
 }
 
-const key = process.env.INPUT_KEY.toUpperCase();
-
-if ( process.env[`STATE_${key}`] !== undefined ) { // Are we in the 'post' step?
-  run(process.env.INPUT_POST);
-} else { // Otherwise, this is the main step
-  appendFileSync(process.env.GITHUB_STATE, `${key}=true${EOL}`);
-  run(process.env.INPUT_SCRIPT);
-}
+run(process.env.INPUT_SCRIPT);

internal/run-script-js/post.js

@@ -0,0 +1,14 @@
+const { spawn } = require("child_process");
+
+function run(script) {
+  if ( script ) {
+      const utilDir = process.env.INPUT_UTIL;
+      const subprocess = spawn(`bash -c -o pipefail -v 'export UTIL_DIR=${utilDir}; ${script}'`, 
+        { stdio: "inherit", shell: true });
+      subprocess.on("exit", (exitCode) => {
+        process.exitCode = exitCode;
+      });
+  }
+}
+
+run(process.env.INPUT_POST);

internal/run-script/action.yml

@@ -15,21 +15,14 @@ inputs:
 runs:
   using: composite
   steps:
-    # github.action_path uses platform-specific path format, like D:\... for Windows.
-    # The run-script-js action requires the path to be in bash format, so we convert
-    # the paths to bash format before invoking the run-script-js action.
-    - run: echo "BASH_SCRIPT_DIR=$(pwd)" >> $GITHUB_ENV
-      shell: bash
-      working-directory: ${{ inputs.dir }}
-    - run: echo "BASH_UTIL_DIR=$(pwd)/util" >> $GITHUB_ENV
+    - run: echo "_RUN_SCRIPTS_DIR=$(pwd)/scripts" >> $GITHUB_ENV
       shell: bash
       working-directory: ${{ github.action_path }}
-    - uses: fortify/github-action/internal/[email protected]
+    - uses: fortify/github-action/internal/run-script-js-wrapper@feat-1.3.0
       with: 
-        util: ${{ env.BASH_UTIL_DIR }}
-        dir: ${{ env.BASH_SCRIPT_DIR }}
-        script: ${{ inputs.script }}
-        post: ${{ inputs.post }}
+        dir:    ${{ env._RUN_SCRIPTS_DIR }}
+        script: ${{ env.RUN_SCRIPT }}
+        post:   ${{ env.RUN_POST }}
 
 branding:
   icon: 'shield'

internal/run-script/util/common.sh → internal/run-script/scripts/common.sh

@@ -5,4 +5,9 @@ fi
 if [ -z "$FCLI_CMD" ]; then
   echo "ERROR: fortify/github-action/setup must be run to set up fcli before running this action"
   exit 1;
-fi
+fi
+
+function run {
+  echo RUN: "$@"
+  "$@" 
+}

internal/fod-login/fod-login.sh → internal/run-script/scripts/fod-login.sh

@@ -12,5 +12,6 @@ else
   echo "ERROR: Either FOD_CLIENT_ID and FOD_CLIENT_SECRET, or FOD_TENANT, FOD_USER and FOD_PASSWORD environment variables must be set"
   exit 1;
 fi
-${FCLI_CMD} fod session login --url "${FOD_URL}" "${_FOD_AUTH_OPTS[@]}" ${EXTRA_FOD_LOGIN_OPTS} || exit 1
+run ${FCLI_CMD} fod session login --url "${FOD_URL}" "${_FOD_AUTH_OPTS[@]}" ${EXTRA_FOD_LOGIN_OPTS} \
+  || exit 1
 echo '_FOD_LOGGED_IN=true' >> $GITHUB_ENV 

internal/fod-login/fod-logout.sh → internal/run-script/scripts/fod-logout.sh

@@ -3,5 +3,6 @@
 
 if [[ "${_FOD_LOGGED_IN}" == "true" ]]; then
   echo '_FOD_LOGGED_IN=false' >> $GITHUB_ENV
-  ${FCLI_CMD} fod session logout || exit 1
+  run ${FCLI_CMD} fod session logout \
+    || exit 1
 fi

internal/sc-sast-login/sc-sast-login.sh → internal/run-script/scripts/sc-sast-login.sh

@@ -10,5 +10,6 @@ fi
 if [ -z "SSC_TOKEN" ]; then
   echo "ERROR: SSC_TOKEN environment variable must be set"; exit 1;
 fi
-${FCLI_CMD} sc-sast session login --ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" ${EXTRA_SC_SAST_LOGIN_OPTS}
+run ${FCLI_CMD} sc-sast session login --ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" ${EXTRA_SC_SAST_LOGIN_OPTS} \
+  || exit 1
 echo '_SC_SAST_LOGGED_IN=true' >> $GITHUB_ENV 

internal/sc-sast-login/sc-sast-logout.sh → internal/run-script/scripts/sc-sast-logout.sh

@@ -3,5 +3,6 @@
 
 if [[ "${_SC_SAST_LOGGED_IN}" == "true" ]]; then
   echo '_SC_SAST_LOGGED_IN=false' >> $GITHUB_ENV
-  ${FCLI_CMD} sc-sast session logout --no-revoke-token || exit 1
+  run ${FCLI_CMD} sc-sast session logout --no-revoke-token \
+    || exit 1
 fi

internal/ssc-login/ssc-login.sh → internal/run-script/scripts/ssc-login.sh

@@ -11,5 +11,6 @@ elif [ -n "${SSC_USER}" -a -n "${SSC_PASSWORD}" ]; then
 else
   echo "ERROR: Either SSC_TOKEN, or SSC_USER and SSC_PASSWORD environment variables must be set"; exit 1;
 fi
-${FCLI_CMD} ssc session login --url "${SSC_URL}" "${_SSC_AUTH_OPTS[@]}" ${EXTRA_SSC_LOGIN_OPTS}
+run ${FCLI_CMD} ssc session login --url "${SSC_URL}" "${_SSC_AUTH_OPTS[@]}" ${EXTRA_SSC_LOGIN_OPTS} \
+  || exit 1
 echo '_SSC_LOGGED_IN=true' >> $GITHUB_ENV 

internal/ssc-login/ssc-logout.sh → internal/run-script/scripts/ssc-logout.sh

@@ -10,5 +10,6 @@ if [[ "${_SSC_LOGGED_IN}" == "true" ]]; then
   else
     echo "ERROR: Either SSC_TOKEN, or SSC_USER and SSC_PASSWORD environment variables must be set"; exit 1;
   fi
-  ${FCLI_CMD} ssc session logout "${_SSC_LOGOUT_OPTS[@]}" || exit 1
+  run ${FCLI_CMD} ssc session logout "${_SSC_LOGOUT_OPTS[@]}" \
+    || exit 1
 fi

internal/run-script/scripts/ssc-scan.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+. ${UTIL_DIR}/common.sh
+
+# This script assumes that fcli and Debricked CLI have already been installed,
+# and that any necessary fcli sessions have been created.
+# TODO Check prerequisites like SSC_APPVERSION, DEBRICKED_TOKEN, ...
+
+if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
+  run ${FCLI_CMD} sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS} \
+    || exit 1
+fi
+if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then
+  # Debricked may return non-zero exit code on automation rule failures, in which case
+  # we still want to run subsequent steps, hence we temporarily ignore the exit code,
+  run ${DEBRICKED_CLI_CMD} scan -t "${DEBRICKED_TOKEN}" -i "Fortify GitHub Action" \
+    || FAIL_ON_EXIT=true
+  run ${FCLI_CMD} ssc artifact import-debricked --av "${SSC_APPVERSION}" --repository "${GITHUB_REPOSITORY}" --branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" -t "${DEBRICKED_TOKEN}" --store debricked_scan \
+    || exit 1
+fi
+if [ "${DO_WAIT}" == "true" ] || [ "${DO_EXPORT}" == "true" ]; then
+  if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
+    run ${FCLI_CMD} sc-sast scan wait-for ::sc_sast_scan:: \
+      || exit 1
+  fi
+  if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then 
+    run ${FCLI_CMD} ssc artifact wait-for ::debricked_scan:: \
+      || exit 1
+  fi
+fi
+if [ "${FAIL_ON_EXIT}" == "true" ]; then
+  echo "Earlier failures detected"
+  exit 1
+fi

internal/sc-sast-login/action.yml

@@ -15,8 +15,8 @@ runs:
       if: ${{ !env._SC_SAST_LOGGED_IN }}
       with:
         dir: ${{ github.action_path }}
-        script: ./sc-sast-login.sh
-        post: ./sc-sast-logout.sh
+        script: sc-sast-login.sh
+        post: sc-sast-logout.sh
 
 branding:
   icon: 'shield'

internal/ssc-login/action.yml

@@ -11,8 +11,8 @@ runs:
       if: ${{ !env._SSC_LOGGED_IN }}
       with:
         dir: ${{ github.action_path }}
-        script: ./ssc-login.sh
-        post: ./ssc-logout.sh
+        script: ssc-login.sh
+        post: ssc-logout.sh
 branding:
   icon: 'shield'
   color: 'blue'

ssc-scan/action.yml

@@ -0,0 +1,25 @@
+name: 'Perform SAST scan'
+description: 'Perform a SAST scan on ScanCentral SAST'
+author: 'Fortify'
+runs:
+  using: composite
+  steps:
+    - uses: fortify/github-action/[email protected]
+      with:
+        export-path: false
+        fcli: action-default
+        debricked-cli: ${{ env.DO_DEBRICKED_SCAN=='true' && 'action-default' || 'skip' }}
+    - uses: fortify/github-action/internal/[email protected]
+    - uses: fortify/github-action/internal/[email protected]
+    - uses: fortify/github-action/[email protected]
+    - uses: fortify/github-action/internal/[email protected]
+      with:
+        dir: ${{ github.action_path }}
+        script: ssc-scan.sh
+    - if: env.DO_EXPORT == 'true'
+      uses: fortify/github-action/[email protected]
+
+branding:
+  icon: 'shield'
+  color: 'blue'
+