chore: Add ssc/sc-sast actions

fortify · Sep 26, 2023 · 69e098f · 69e098f
1 parent 2281e53
commit 69e098f
Show file tree

Hide file tree

Showing 7 changed files with 174 additions and 1 deletion.
diff --git a/fod-sast-scan/action.yml b/fod-sast-scan/action.yml
@@ -12,7 +12,7 @@ runs:
     - uses: fortify-ps/github-action/fod-login@main
     - uses: fortify-ps/github-action/run@main
       with:
-        cmd: '"${FCLI_CMD}" fod scan start-sast "${FOD_RELEASE}" -f package.zip --store fod_scan ${EXTRA_FOD_SAST_OPTS}'
+        cmd: '"${FCLI_CMD}" fod scan start-sast "${FOD_RELEASE}" -f package.zip --store fod_scan ${EXTRA_FOD_SAST_SCAN_OPTS}'
     - uses: fortify-ps/github-action/run@main
       if: env.DO_WAIT == 'true' || env.DO_EXPORT == 'true'
       with:

diff --git a/sc-sast-login/action.yml b/sc-sast-login/action.yml
@@ -0,0 +1,32 @@
+name: 'Run "fcli fod session login" command'
+description: 'Run "fcli fod session login" command based on environment variables'
+author: 'Fortify'
+runs:
+  using: composite
+  steps:
+    - uses: fortify-ps/github-action/setup@main
+      with:
+        export-path: false
+        fcli: action-default
+    - run: |
+        # TODO If we wait for scan completion, potentially we could generate a CIToken if 
+        #      SSC_USER and SSC_PASSWORD have been set, and then revoke the token once the
+        #      scan has been successfully processed on SSC.
+        if [ -z "$SSC_URL" ]; then
+          echo "ERROR: SSC_URL environment variable must be set"; exit 1;
+        fi
+        if [ -z "$SC_SAST_TOKEN" ]; then
+          echo "ERROR: SC_SAST_TOKEN environment variable must be set"; exit 1;
+        fi
+        if [ -z "SSC_TOKEN" ]; then
+          echo "ERROR: SSC_TOKEN environment variable must be set"; exit 1;
+        fi
+        echo '_SC_SAST_LOGIN_OPTS=--ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" ${EXTRA_SC_SAST_LOGIN_OPTS}' >> $GITHUB_ENV
+      shell: bash
+    - uses: fortify-ps/github-action/run@main
+      with:
+        cmd: '"${FCLI_CMD}" sc-sast session login ${_SC_SAST_LOGIN_OPTS}'         
+branding:
+  icon: 'shield'
+  color: 'blue'
+
diff --git a/sc-sast-logout/action.yml b/sc-sast-logout/action.yml
@@ -0,0 +1,19 @@
+name: 'Run "fcli fod session login" command'
+description: 'Run "fcli fod session login" command based on environment variables'
+author: 'Fortify'
+runs:
+  using: composite
+  steps:
+    - uses: fortify-ps/github-action/setup@main
+      with:
+        export-path: false
+        fcli: action-default
+    - uses: fortify-ps/github-action/run@main
+      with:
+        # TODO If we add functionality for generating a CIToken in the sc-sast-login
+        #      action, we should clean it up here. 
+        cmd: '"${FCLI_CMD}" sc-sast session logout --no-revoke-token'        
+branding:
+  icon: 'shield'
+  color: 'blue'
+
diff --git a/sc-sast-scan/action.yml b/sc-sast-scan/action.yml
@@ -0,0 +1,27 @@
+name: 'Perform SAST scan'
+description: 'Perform a SAST scan on ScanCentral SAST'
+author: 'Fortify'
+runs:
+  using: composite
+  steps:
+    - uses: fortify-ps/github-action/setup@main
+      with:
+        export-path: false
+        fcli: action-default
+    - uses: fortify-ps/github-action/package@main
+    - uses: fortify-ps/github-action/sc-sast-login@main
+    - uses: fortify-ps/github-action/run@main
+      with:
+        cmd: '"${FCLI_CMD}" sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS}'
+    - uses: fortify-ps/github-action/run@main
+      if: env.DO_WAIT == 'true' || env.DO_EXPORT == 'true'
+      with:
+        cmd: '"${FCLI_CMD}" sc-sast scan wait-for ::sc_sast_scan::'
+    - uses: fortify-ps/github-action/sc-sast-logout@main       
+    - if: env.DO_EXPORT == 'true'
+      uses: fortify-ps/github-action/ssc-export@main
+
+branding:
+  icon: 'shield'
+  color: 'blue'
+
diff --git a/ssc-export/action.yml b/ssc-export/action.yml
@@ -0,0 +1,37 @@
+name: 'xport FoD vulnerability data to GitHub'
+description: 'xport FoD vulnerability data to GitHub'
+author: 'Fortify'
+runs:
+  using: composite
+  steps:
+    - uses: fortify-ps/github-action/setup@main
+      with:
+        export-path: false
+        vuln-exporter: action-default
+    - run: |
+        if [[ ${SSC_APPVERSION} == ?(-)+([0-9]) ]]; then
+          _APPVERSION_OPT="--ssc.version.id=${SSC_APPVERSION}"
+        else
+          _APPVERSION_OPT="--ssc.version.name=${SSC_APPVERSION}"
+        fi
+        "${VULN_EXPORTER_CMD}" SSCToGitHub "--ssc.baseUrl=${SSC_URL}" \
+          "--ssc.user=${SSC_USER}" "--ssc.password=${SSC_PASSWORD}" \
+          "--ssc.authToken=${SSC_TOKEN}" \
+          "${_APPVERSION_OPT}"
+      shell: bash
+    # Uploaded the generated file containing Fortify vulnerabilities to GitHub.
+    - uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: ./gh-fortify-sast.sarif
+
+    # Optionally store the generated file for troubleshooting purposes.
+    - uses: actions/upload-artifact@v2
+      if: always()
+      with:
+        name: sarif-files
+        path: ./gh-fortify-sast.sarif  
+
+branding:
+  icon: 'shield'
+  color: 'blue'
+
diff --git a/ssc-login/action.yml b/ssc-login/action.yml
@@ -0,0 +1,29 @@
+name: 'Run "fcli fod session login" command'
+description: 'Run "fcli fod session login" command based on environment variables'
+author: 'Fortify'
+runs:
+  using: composite
+  steps:
+    - uses: fortify-ps/github-action/setup@main
+      with:
+        export-path: false
+        fcli: action-default
+    - run: |
+        if [ -z "$SSC_URL" ]; then
+          echo "ERROR: SSC_URL environment variable must be set"; exit 1;
+        fi
+        if [ -n "${SSC_TOKEN}" ]; then
+          echo '_SSC_LOGIN_OPTS=--url "${SSC_URL}" --token "${SSC_TOKEN}" ${EXTRA_SSC_LOGIN_OPTS}' >> $GITHUB_ENV
+        elif [ -n "${SSC_USER}" -a -n "${SSC_PASSWORD}" ]; then
+          echo '_SSC_LOGIN_OPTS=--url "${SSC_URL}" -u "${SSC_USER}" -p "${SSC_PASSWORD}" ${EXTRA_SSC_LOGIN_OPTS}' >> $GITHUB_ENV
+        else
+          echo "ERROR: Either SSC_TOKEN, or SSC_USER and SSC_PASSWORD environment variables must be set"; exit 1;
+        fi
+      shell: bash
+    - uses: fortify-ps/github-action/run@main
+      with:
+        cmd: '"${FCLI_CMD}" ssc session login ${_SSC_LOGIN_OPTS}'         
+branding:
+  icon: 'shield'
+  color: 'blue'
+
diff --git a/ssc-logout/action.yml b/ssc-logout/action.yml
@@ -0,0 +1,29 @@
+name: 'Run "fcli fod session login" command'
+description: 'Run "fcli fod session login" command based on environment variables'
+author: 'Fortify'
+runs:
+  using: composite
+  steps:
+    - uses: fortify-ps/github-action/setup@main
+      with:
+        export-path: false
+        fcli: action-default
+    - run: |
+        if [ -z "$SSC_URL" ]; then
+          echo "ERROR: SSC_URL environment variable must be set"; exit 1;
+        fi
+        if [ -n "${SSC_TOKEN}" ]; then
+          echo '_SSC_LOGOUT_OPTS=--no-revoke-token' >> $GITHUB_ENV
+        elif [ -n "${SSC_USER}" -a -n "${SSC_PASSWORD}" ]; then
+          echo '_SSC_LOGOUT_OPTS=--u "${SSC_USER}" -p "${SSC_PASSWORD}"' >> $GITHUB_ENV
+        else
+          echo "ERROR: Either SSC_TOKEN, or SSC_USER and SSC_PASSWORD environment variables must be set"; exit 1;
+        fi
+      shell: bash
+    - uses: fortify-ps/github-action/run@main
+      with:
+        cmd: '"${FCLI_CMD}" ssc session logout ${_SSC_LOGOUT_OPTS}'      
+branding:
+  icon: 'shield'
+  color: 'blue'
+