chore: Restructuring, initial documentation

.github/workflows/update-repo-docs.yml

@@ -0,0 +1,13 @@
+name: update-repo-docs
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '5 4 * * *'
+  push:
+    branches:
+      - main
+
+jobs:
+  update-repo-docs:
+    uses: fortify/shared-doc-resources/.github/workflows/update-repo-docs.yml@main

.husky/pre-commit

@@ -1,4 +1,4 @@
 #!/bin/sh
 . "$(dirname "$0")/_/husky.sh"
-(cd run && NODE_OPTIONS=--openssl-legacy-provider npm run build && git add dist/)
+(cd internal/run && NODE_OPTIONS=--openssl-legacy-provider npm run build && git add dist/)
 (cd setup && NODE_OPTIONS=--openssl-legacy-provider npm run build && git add dist/)

CODE_OF_CONDUCT.md

@@ -0,0 +1,39 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+We as contributors and maintainers pledge to make participation in our project and community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity
+and orientation. We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
+
+## Our Standards
+Examples of behavior that contributes to a positive environment for our community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others’ private information, such as a physical or email address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Enforcement Responsibilities
+Project maintainers are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful. Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
+
+## Enforcement
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the project maintainers. All complaints will be reviewed and investigated promptly and fairly. The project maintainers are obligated to respect the privacy and security of the reporter of any incident.
+
+## Attribution
+This Code of Conduct is adapted from the Contributor Covenant, version 2.0, available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. Community Impact Guidelines were inspired by Mozilla’s code of conduct enforcement ladder. For answers to common questions about this code of conduct, see the FAQ at https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.
+
+---
+
+*[This document was auto-generated from CODE_OF_CONDUCT.template.md; do not edit by hand](https://github.com/fortify/shared-doc-resources/blob/main/USAGE.md)*

CONTRIBUTING.md

@@ -0,0 +1,20 @@
+# Contributing to Fortify GitHub Actions
+
+## Contribution Agreement
+
+Contributions like bug fixes and enhancements may be submitted through Pull Requests on this repository. Before we can accept 3<sup>rd</sup>-party pull requests, you will first need to sign and submit the [Contribution Agreement](https://github.com/fortify/repo-resources/raw/main/static/Open%20Source%20Contribution%20Agreement%20Jan2020v1.pdf). Please make sure to mention your GitHub username when submitting the form, to allow us to verify that the author of a pull request has accepted this agreement. 
+
+
+<!-- START-INCLUDE:repo-devinfo.md -->
+
+## Information for Developers
+
+### Repository initialization
+After cloning this repository, please run ./configure.sh to install npm modules and configure git hooks. When adding a new NodeJS-based action, you'll need to update `<repo-root>/configure.sh` to add the action directory to the for-loop.
+
+<!-- END-INCLUDE:repo-devinfo.md -->
+
+
+---
+
+*[This document was auto-generated from CONTRIBUTING.template.md; do not edit by hand](https://github.com/fortify/shared-doc-resources/blob/main/USAGE.md)*

LICENSE.txt

@@ -0,0 +1,26 @@
+MIT License
+
+Copyright 2023 Open Text or one of its affiliates
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished
+to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+---
+
+This document was auto-generated from LICENSE.MIT.template.txt; do not edit by hand.
+See https://github.com/fortify/shared-doc-resources/blob/main/USAGE.md for details.

README.md

@@ -0,0 +1,139 @@
+# Fortify GitHub Actions 
+
+
+<!-- START-INCLUDE:p.marketing-intro.md -->
+
+[Fortify Application Security](https://www.microfocus.com/en-us/solutions/application-security) provides your team with solutions to empower [DevSecOps](https://www.microfocus.com/en-us/cyberres/use-cases/devsecops) practices, enable [cloud transformation](https://www.microfocus.com/en-us/cyberres/use-cases/cloud-transformation), and secure your [software supply chain](https://www.microfocus.com/en-us/cyberres/use-cases/securing-the-software-supply-chain). As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code [demands great security](https://www.microfocus.com/cyberres/application-security/developer-security), and with Fortify, go beyond 'check the box' security to achieve that.
+
+<!-- END-INCLUDE:p.marketing-intro.md -->
+
+
+
+<!-- START-INCLUDE:repo-intro.md -->
+
+The [Fortify github-action repository]({{repo-url}}) hosts various Fortify-related GitHub Actions as listed in the sections below.
+
+**Fortify on Demand**
+
+* [`https://github.com/fortify-ps/github-action@<version>`](#top-level-action)  
+  For now, this action provides the same functionality as the `fod-sast-scan` action listed below. Future versions may add support for running other types of scans or performing other FoD actions.
+* [`https://github.com/fortify-ps/github-action/fod-sast-scan@<version>`](#fod-sast-scan-action)  
+  Package source code, submit SAST scan request to Fortify on Demand, optionally wait for completion and export results back to the GitHub Security dashboard.
+* [`https://github.com/fortify-ps/github-action/package@<version>`](#package-action)  
+  Package source code for running a SAST scan, using the latest version of ScanCentral Client.
+* [`https://github.com/fortify-ps/github-action/fod-export@<version>`](#fod-export-action)  
+  Export vulnerability data from Fortify on Demand to the GitHub Security dashboard.
+* [`https://github.com/fortify-ps/github-action/setup@<version>`](#setup-action)  
+  Install various Fortify tools like [fcli](https://github.com/fortify/fcli), [ScanCentral Client](https://www.microfocus.com/documentation/fortify-software-security-center/2310/SC_SAST_Help_23.1.0/index.htm#A_Clients.htm), [FortifyVulnerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter) and [FortifyBugTrackerUtility](https://github.com/fortify-ps/FortifyBugTrackerUtility) for use in your pipeline
+
+**SSC / ScanCentral SAST/ ScanCentral DAST**
+
+* [`https://github.com/fortify-ps/github-action@<version>`](#top-level-action)  
+  For now, this action provides the same functionality as the `ssc-sast-scan` action listed below. Future versions may add support for running other types of scans or performing other SSC / ScanCentral actions.
+* [`https://github.com/fortify-ps/github-action/sc-sast-scan@<version>`](#sc-sast-scan-action)  
+  Package source code, submit SAST scan request to ScanCentral SAST, optionally wait for completion and export results back to the GitHub Security dashboard.
+* [`https://github.com/fortify-ps/github-action/package@<version>`](#package-action)  
+  Package source code for running a SAST scan, using the latest version of ScanCentral Client.
+* [`https://github.com/fortify-ps/github-action/ssc-export@<version>`](#ssc-export-action)  
+  Export vulnerability data from Fortify Software Security Center (SSC) to the GitHub Security dashboard.
+* [`https://github.com/fortify-ps/github-action/setup@<version>`](#setup-action)  
+  Install various Fortify tools like [fcli](https://github.com/fortify/fcli), [ScanCentral Client](https://www.microfocus.com/documentation/fortify-software-security-center/2310/SC_SAST_Help_23.1.0/index.htm#A_Clients.htm), [FortifyVulnerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter) and [FortifyBugTrackerUtility](https://github.com/fortify-ps/FortifyBugTrackerUtility) for use in your pipeline
+
+
+<!-- START-INCLUDE:repo-usage.md -->
+
+## Top-level action
+
+TODO
+
+<!-- END-INCLUDE:repo-usage.md -->
+
+
+
+<!-- START-INCLUDE:../setup/README.md -->
+
+## setup action
+
+TODO
+
+<!-- END-INCLUDE:../setup/README.md -->
+
+
+
+<!-- START-INCLUDE:../package/README.md -->
+
+## package action
+
+TODO
+
+<!-- END-INCLUDE:../package/README.md -->
+
+
+
+<!-- START-INCLUDE:../fod-sast-scan/README.md -->
+
+## fod-sast-scan action
+
+TODO
+
+<!-- END-INCLUDE:../fod-sast-scan/README.md -->
+
+
+
+<!-- START-INCLUDE:../fod-export/README.md -->
+
+## fod-export action
+
+TODO
+
+<!-- END-INCLUDE:../fod-export/README.md -->
+
+
+
+<!-- START-INCLUDE:../sc-sast-scan/README.md -->
+
+## sc-sast-scan action
+
+TODO
+
+<!-- END-INCLUDE:../sc-sast-scan/README.md -->
+
+
+
+<!-- START-INCLUDE:../ssc-export/README.md -->
+
+## ssc-export action
+
+TODO
+
+<!-- END-INCLUDE:../ssc-export/README.md -->
+
+
+<!-- END-INCLUDE:repo-intro.md -->
+
+
+## Resources
+
+
+<!-- START-INCLUDE:repo-resources.md -->
+
+* **Contributing Guidelines**: [CONTRIBUTING.md](CONTRIBUTING.md)
+* **Code of Conduct**: [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)
+* **License**: [LICENSE.txt](LICENSE.txt)
+
+<!-- END-INCLUDE:repo-resources.md -->
+
+
+## Support
+
+The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
+
+The software is provided "as is" and is not supported through the regular OpenText Support channels. Support requests may be submitted through the [GitHub Issues](https://github.com/fortify-ps/github-action/issues) page for this repository. A (free) GitHub account is required to submit new issues or to comment on existing issues. 
+
+Support requests created through the GitHub Issues page may include bug reports, enhancement requests and general usage questions. Please avoid creating duplicate issues by checking whether there is any existing issue, either open or closed, that already addresses your question, bug or enhancement request. If an issue already exists, please add a comment to provide additional details if applicable.
+
+Support requests on the GitHub Issues page are handled on a best-effort basis; there is no guaranteed response time, no guarantee that reported bugs will be fixed, and no guarantee that enhancement requests will be implemented. If you require dedicated support for this and other Fortify software, please consider purchasing OpenText Fortify Professional Services. OpenText Fortify Professional Services can assist with general usage questions, integration of the software into your processes, and implementing customizations, bug fixes, and feature requests (subject to feasibility analysis). Please contact your OpenText Sales representative or fill in the [Professional Services Contact Form](https://www.microfocus.com/en-us/cyberres/contact/professional-services) to obtain more information on pricing and the services that OpenText Fortify Professional Services can provide.
+
+---
+
+*[This document was auto-generated from README.template.md; do not edit by hand](https://github.com/fortify/shared-doc-resources/blob/main/USAGE.md)*

USAGE.md

@@ -0,0 +1,13 @@
+
+<!-- START-INCLUDE:repo-usage.md -->
+
+## Top-level action
+
+TODO
+
+<!-- END-INCLUDE:repo-usage.md -->
+
+
+---
+
+*[This document was auto-generated from USAGE.template.md; do not edit by hand](https://github.com/fortify/shared-doc-resources/blob/main/USAGE.md)*

configure.sh

@@ -4,8 +4,8 @@ cat << 'EOF' > .husky/pre-commit
 #!/bin/sh
 . "$(dirname "$0")/_/husky.sh"
 EOF
-for dir in run setup; do
+for dir in internal/run setup; do
   (cd $dir && npm install)
   echo "(cd "$dir" && NODE_OPTIONS=--openssl-legacy-provider npm run build && git add dist/)" >> .husky/pre-commit
 done
-git config --local core.hooksPath=.husky
+git config --local core.hooksPath=.husky

developers.md → doc-resources/repo-devinfo.md

@@ -1,4 +1,4 @@
-# Information for developers
+## Information for Developers
 
-## Repository initialization
+### Repository initialization
 After cloning this repository, please run ./configure.sh to install npm modules and configure git hooks. When adding a new NodeJS-based action, you'll need to update `<repo-root>/configure.sh` to add the action directory to the for-loop.

doc-resources/repo-intro.md

@@ -0,0 +1,41 @@
+The [Fortify github-action repository]({{repo-url}}) hosts various Fortify-related GitHub Actions as listed in the sections below.
+
+**Fortify on Demand**
+
+* [`{{var:repo-url}}@<version>`](#top-level-action)  
+  For now, this action provides the same functionality as the `fod-sast-scan` action listed below. Future versions may add support for running other types of scans or performing other FoD actions.
+* [`{{var:repo-url}}/fod-sast-scan@<version>`](#fod-sast-scan-action)  
+  Package source code, submit SAST scan request to Fortify on Demand, optionally wait for completion and export results back to the GitHub Security dashboard.
+* [`{{var:repo-url}}/package@<version>`](#package-action)  
+  Package source code for running a SAST scan, using the latest version of ScanCentral Client.
+* [`{{var:repo-url}}/fod-export@<version>`](#fod-export-action)  
+  Export vulnerability data from Fortify on Demand to the GitHub Security dashboard.
+* [`{{var:repo-url}}/setup@<version>`](#setup-action)  
+  Install various Fortify tools like [fcli](https://github.com/fortify/fcli), [ScanCentral Client](https://www.microfocus.com/documentation/fortify-software-security-center/2310/SC_SAST_Help_23.1.0/index.htm#A_Clients.htm), [FortifyVulnerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter) and [FortifyBugTrackerUtility](https://github.com/fortify-ps/FortifyBugTrackerUtility) for use in your pipeline
+
+**SSC / ScanCentral SAST/ ScanCentral DAST**
+
+* [`{{var:repo-url}}@<version>`](#top-level-action)  
+  For now, this action provides the same functionality as the `ssc-sast-scan` action listed below. Future versions may add support for running other types of scans or performing other SSC / ScanCentral actions.
+* [`{{var:repo-url}}/sc-sast-scan@<version>`](#sc-sast-scan-action)  
+  Package source code, submit SAST scan request to ScanCentral SAST, optionally wait for completion and export results back to the GitHub Security dashboard.
+* [`{{var:repo-url}}/package@<version>`](#package-action)  
+  Package source code for running a SAST scan, using the latest version of ScanCentral Client.
+* [`{{var:repo-url}}/ssc-export@<version>`](#ssc-export-action)  
+  Export vulnerability data from Fortify Software Security Center (SSC) to the GitHub Security dashboard.
+* [`{{var:repo-url}}/setup@<version>`](#setup-action)  
+  Install various Fortify tools like [fcli](https://github.com/fortify/fcli), [ScanCentral Client](https://www.microfocus.com/documentation/fortify-software-security-center/2310/SC_SAST_Help_23.1.0/index.htm#A_Clients.htm), [FortifyVulnerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter) and [FortifyBugTrackerUtility](https://github.com/fortify-ps/FortifyBugTrackerUtility) for use in your pipeline
+
+{{include:repo-usage.md}}
+
+{{include:../setup/README.md}}
+
+{{include:../package/README.md}}
+
+{{include:../fod-sast-scan/README.md}}
+
+{{include:../fod-export/README.md}}
+
+{{include:../sc-sast-scan/README.md}}
+
+{{include:../ssc-export/README.md}}

doc-resources/repo-resources.md

@@ -0,0 +1 @@
+{{include:resources/nocomments.li.contrib-conduct-licence.md}}

doc-resources/repo-usage.md

@@ -0,0 +1,4 @@
+## Top-level action
+
+TODO
+

doc-resources/template-values.md

@@ -0,0 +1,9 @@
+# repo-title
+Fortify GitHub Actions
+
+# repo-url
+https://github.com/fortify-ps/github-action
+
+# copyright-years
+{{var:current-year}}
+

doc-resources/update-repo-docs.sh

@@ -0,0 +1,2 @@
+#! /bin/bash
+source <(curl -s https://raw.githubusercontent.com/fortify/shared-doc-resources/main/scripts/update-doc-resources.sh)

fod-export/README.md

@@ -0,0 +1,4 @@
+## fod-export action
+
+TODO
+

fod-export/action.yml

@@ -14,7 +14,7 @@ runs:
           *) echo '_RELEASE_OPT="--fod.release.id=${FOD_RELEASE}"' >> $GITHUB_ENV ;;
         esac
       shell: bash
-    - uses: fortify-ps/github-action/run@main
+    - uses: fortify-ps/github-action/internal/run@main
       with:
         cmd: '"${VULN_EXPORTER_CMD}" FoDToGitHub "--fod.baseUrl=${FOD_URL}" "--fod.tenant=${FOD_TENANT}" "--fod.user=${FOD_USER}" "--fod.password=${FOD_PASSWORD}" "--fod.clientID=${FOD_CLIENT_ID}" "--fod.clientSecret=${FOD_CLIENT_SECRET}" "${_RELEASE_OPT}"'
     # Uploaded the generated file containing Fortify vulnerabilities to GitHub.

fod-sast-scan/README.md

@@ -0,0 +1,4 @@
+## fod-sast-scan action
+
+TODO
+