diff --git a/ssc-debricked-scan/README.md b/ssc-debricked-scan/README.md new file mode 100644 index 0000000..a30d8b6 --- /dev/null +++ b/ssc-debricked-scan/README.md 
@@ -0,0 +1,168 @@ +# fortify/github-action/sc-sast-scan@v1 + + + + +[Fortify Application Security](https://www.microfocus.com/en-us/solutions/application-security) provides your team with solutions to empower [DevSecOps](https://www.microfocus.com/en-us/cyberres/use-cases/devsecops) practices, enable [cloud transformation](https://www.microfocus.com/en-us/cyberres/use-cases/cloud-transformation), and secure your [software supply chain](https://www.microfocus.com/en-us/cyberres/use-cases/securing-the-software-supply-chain). As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code [demands great security](https://www.microfocus.com/cyberres/application-security/developer-security), and with Fortify, go beyond 'check the box' security to achieve that. + + + + + + + +This action performs a SAST scan on ScanCentral SAST, consisting of the following steps: + +* Login to ScanCentral SAST Controller +* Package application source code using ScanCentral Client +* Submit the source code package to be scanned to ScanCentral SAST Controller +* Optionally wait for the scan to complete +* Optionally export scan results to the GitHub Code Scanning dashboard + +Before running this action, please ensure that the appropriate application version has been created on SSC. Future versions of this action may add support for automating application version creation. + + + + +### Prerequisites + +This action assumes the standard software packages as provided by GitHub-hosted runners to be available. If you are using self-hosted runners, you may need to install some of these software packages in order to successfully use this action. 
In particular, not having the following software installed is known to cause issues when running `fortify/github-action` or one of its sub-actions: + +* Node.js +* Visual C++ Redistributable (Windows-based runners only) +* Bash shell + If using Windows runners, this must be a Windows-based `bash` variant, for example as provided by MSYS2. You must make sure that this Windows-based `bash` variant is used for `run` steps that specify `shell: bash`. Actions will fail if the GitHub runner executes `bash` commands on the WSL-provided `bash.exe` + + + + +### Action environment variable inputs + + + + + + + + + + + +**`SSC_URL`** - REQUIRED +Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/ + +**`SSC_TOKEN`** - REQUIRED* +Required when authenticating with an SSC token (recommended). Most actions should work fine with a `CIToken`. + +**`SSC_USER` & `SSC_PASSWORD`** - REQUIRED* +Required when authenticating with SSC user credentials. + + + + +**`SC_SAST_TOKEN`** - REQUIRED +Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller. + +**`EXTRA_SC_SAST_LOGIN_OPTS`** - OPTIONAL +Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli sc-sast session login` documentation](https://fortify.github.io/fcli/v2.3.0//manpage/fcli-sc-sast-session-login.html). + + + + + + + +**`SSC_APPVERSION`** - OPTIONAL +Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `:`. Default value is [`:`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. + + + + + + + +**`EXTRA_PACKAGE_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip` to package application source code. 
Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options. + +As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command]({{var:sc-client-doc-base-url#CLI.htm#Package}}) for more information on available options. + + + + +**`SC_SAST_SENSOR_VERSION`** - REQUIRED +Version of the ScanCentral SAST sensor on which the scan should be performed. See [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.3.0//manpage/fcli-sc-sast-scan-start.html#_options_for_scanning_a_package_file) for details. + +**`EXTRA_SC_SAST_SCAN_OPTS`** - OPTIONAL +Extra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.3.0//manpage/fcli-sc-sast-scan-start.html) + + + + +**`DO_WAIT`** - OPTIONAL +By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. + +**`DO_EXPORT`** - OPTIONAL +If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. 
+ + + + + + + + + + +**`TOOL_DEFINITIONS`** - OPTIONAL +Fortify tool definitions are used by this GitHub Action to determine available versions, download location and other details of various Fortify-related tools, as required for action execution. By default, the Fortify-provided tool definitions hosted at https://github.com/fortify/tool-definitions/releases/tag/v1 will be used. + +This environment variable allows for overriding the default tool definitions, pointing to either a URL or local (workspace) file. For example, if GitHub workflows are not allowed to download tools from their public internet locations, customers may host the tool installation bundles on an internal server, together with a customized tool definitions bundle that lists the alternative download URLs. + + + + +### Sample usage + +The sample workflow below demonstrates how to configure the action for running a SAST scan on ScanCentral SAST. + +```yaml + steps: + - name: Check out source code + uses: actions/checkout@v4 + - name: Run ScanCentral SAST Scan + uses: fortify/github-action/sc-sast-scan@v1 + env: + SSC_URL: ${{secrets.SSC_URL}} + SSC_TOKEN: ${{secrets.SSC_TOKEN}} + SC_SAST_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}} + # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s + # SSC_APPVERSION: MyApp:MyVersion + # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml + SC_SAST_SENSOR_VERSION: 23.2 + # DO_WAIT: true + # DO_EXPORT: true + # TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip +``` + + + + + + + +## Support + +The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. 
+ +The software is provided "as is" and is not supported through the regular OpenText Support channels. Support requests may be submitted through the [GitHub Issues](https://github.com/fortify/github-action/issues) page for this repository. A (free) GitHub account is required to submit new issues or to comment on existing issues. + +Support requests created through the GitHub Issues page may include bug reports, enhancement requests and general usage questions. Please avoid creating duplicate issues by checking whether there is any existing issue, either open or closed, that already addresses your question, bug or enhancement request. If an issue already exists, please add a comment to provide additional details if applicable. + +Support requests on the GitHub Issues page are handled on a best-effort basis; there is no guaranteed response time, no guarantee that reported bugs will be fixed, and no guarantee that enhancement requests will be implemented. If you require dedicated support for this and other Fortify software, please consider purchasing OpenText Fortify Professional Services. OpenText Fortify Professional Services can assist with general usage questions, integration of the software into your processes, and implementing customizations, bug fixes, and feature requests (subject to feasibility analysis). Please contact your OpenText Sales representative or fill in the [Professional Services Contact Form](https://www.microfocus.com/en-us/cyberres/contact/professional-services) to obtain more information on pricing and the services that OpenText Fortify Professional Services can provide. + + + + +--- + +*[This document was auto-generated; do not edit by hand](https://github.com/fortify/shared-doc-resources/blob/main/USAGE.md)* diff --git a/ssc-debricked-scan/action.yml b/ssc-debricked-scan/action.yml new file mode 100644 index 0000000..6b0be3e --- /dev/null +++ b/ssc-debricked-scan/action.yml 
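Review bot: This README does not document the action it ships with: it is the `sc-sast-scan` README copied verbatim, with the title `fortify/github-action/sc-sast-scan@v1`, a step list describing ScanCentral Client packaging and a ScanCentral SAST Controller scan, and inputs `SC_SAST_TOKEN`, `SC_SAST_SENSOR_VERSION`, `EXTRA_SC_SAST_LOGIN_OPTS`, `EXTRA_SC_SAST_SCAN_OPTS` and `EXTRA_PACKAGE_OPTS` (plus `SC_SAST_SENSOR_VERSION: 23.2` in the sample workflow), none of which `ssc-debricked-scan/action.yml` reads, while `DEBRICKED_TOKEN`, which that action does require, is never mentioned. Since the footer says the file is auto-generated, regenerate it from a Debricked-specific template rather than patching by hand: title `fortify/github-action/ssc-debricked-scan@v1`, steps "run a Debricked scan with the Debricked CLI" and "import the results into the SSC application version", inputs `SSC_URL`, `SSC_TOKEN` or `SSC_USER`/`SSC_PASSWORD`, `SSC_APPVERSION`, `DEBRICKED_TOKEN`, `DO_WAIT`, and `TOOL_DEFINITIONS`. Two smaller points: the link `[Command-line options for the package command]({{var:sc-client-doc-base-url#CLI.htm#Package}})` is an unexpanded template variable and will render as a broken link; and `DO_EXPORT` is documented as exporting results to the GitHub Code Scanning dashboard, which the accompanying action does not implement (it only waits), so either implement the export or drop that input from the docs.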
@@ -0,0 +1,25 @@ +name: 'Perform SAST scan' +description: 'Perform a SAST scan on ScanCentral SAST' +author: 'Fortify' +runs: + using: composite + steps: + - uses: fortify/github-action/setup@feat-1.3.0 + with: + export-path: false + fcli: action-default + debricked-cli: action-default + - uses: fortify/github-action/internal/ssc-login@feat-1.3.0 + - run: | + ${DEBRICKED_CLI_CMD} scan + ${FCLI_CMD} ssc artifact import-debricked --av "${SSC_APPVERSION}"" --repository "${{ github.repository }}"" --branch "${{ github.head_ref || github.ref_name }}" -t ${{ env.DEBRICKED_TOKEN }} --store debricked_scan + shell: bash + - if: env.DO_WAIT == 'true' || env.DO_EXPORT == 'true' + run: | + ${FCLI_CMD} ssc artifact wait-for ::debricked_scan:: + shell: bash + +branding: + icon: 'shield' + color: 'blue' +
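Review bot: The fcli command in the first `run` step is mis-quoted: `--av "${SSC_APPVERSION}""` and `--repository "${{ github.repository }}""` each carry a stray double quote that re-opens a quoted string, so `--av` receives `<version> --repository ` as its value and `--repository` is no longer passed as its own argument; drop the extra quotes. More importantly, `${{ github.head_ref || github.ref_name }}` and `${{ env.DEBRICKED_TOKEN }}` are expanded into the script text before bash sees it: `github.head_ref` is attacker-controlled on `pull_request` events from forks, so a branch name containing shell metacharacters becomes script injection, and the token ends up unquoted on the command line, visible to any process on the runner. Pass both through the environment instead, e.g. add `env: { BRANCH_NAME: "${{ github.head_ref || github.ref_name }}" }` to the step and reference `--branch "${BRANCH_NAME}"` and `-t "${DEBRICKED_TOKEN}"` in the script (the same applies to `${{ github.repository }}`, which is already available as `${GITHUB_REPOSITORY}`). Also: `name: 'Perform SAST scan'` and `description: 'Perform a SAST scan on ScanCentral SAST'` are copied from `sc-sast-scan` although this action runs `debricked scan` and `ssc artifact import-debricked`; the second step's condition `env.DO_EXPORT == 'true'` triggers only a `wait-for`, so either implement the export or remove `DO_EXPORT` from the condition; `${SSC_APPVERSION}` is used without a default, so confirm that `internal/ssc-login` sets it (otherwise `--av ""` is passed); and the `@feat-1.3.0` references for `setup` and `internal/ssc-login` are mutable branch refs that should be pinned to a release tag or SHA before this is published.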