chore: Add appversion-summary
rsenden committed Jun 5, 2024
1 parent a26286f commit 70a4c1b
Showing 3 changed files with 117 additions and 11 deletions.
5 changes: 3 additions & 2 deletions internal/run-script/action.yml
Expand Up @@ -27,13 +27,14 @@ runs:
- run: echo "_RUN_SCRIPTS_DIR=$(pwd)/scripts" >> $GITHUB_ENV
shell: bash
working-directory: ${{ github.action_path }}
- run: echo "TEMP_DIR=$(pwd)" >> $GITHUB_ENV
shell: bash
working-directory: ${{ runner.temp }}
- uses: fortify/github-action/internal/run-script/[email protected]
with:
dir: ${{ env._RUN_SCRIPTS_DIR }}
script: ${{ inputs.script }}
post: ${{ inputs.post }}
env:
TEMP_DIR: ${{ env.RUNNER_TEMP }}

branding:
icon: 'shield'
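Review bot: The new step `echo "TEMP_DIR=$(pwd)" >> $GITHUB_ENV` exports TEMP_DIR to every later step of the calling job, whereas the removed `env:` block scoped it to the inner run-script action only; a caller that already defines TEMP_DIR for its own steps has it silently overwritten from this point on. The sibling `_RUN_SCRIPTS_DIR` appears to be namespaced with a leading underscore for exactly this reason, so consider the same treatment (e.g. `_RUN_SCRIPTS_TEMP_DIR`, with common.sh reading that name), or at minimum quote the target file: `echo "TEMP_DIR=$(pwd)" >> "$GITHUB_ENV"`. Whether any consumer relies on TEMP_DIR beyond common.sh is not visible from this diff.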
64 changes: 59 additions & 5 deletions internal/run-script/scripts/common.sh
@@ -1,30 +1,84 @@
#!/usr/bin/env bash
if [ -n "$RUNNER_DEBUG" ]; then
set -v -x
echo "Bash version: $BASH_VERSION"
fi

echo "Bash version: $BASH_VERSION"
function printOutputFileName {
local operation=$1
local type=$2
mkdir -p "${TEMP_DIR}"
printf '%s/output_%s_%s.txt' "${TEMP_DIR}" "${operation}" "${type}"
}

function printOutput {
local operation=$1
local type=$2
cat $(printOutputFileName "${operation}" "${type}")
}

declare -a runs
declare -a runsWithError
declare -A runResults
declare -A runCommands
function run {
local operation=$1; shift;
local cmd=( )
for arg in "$@"; do
# Expand environment variables that potentially contain multiple arguments.
# This is commonly used for *_EXTRA_OPTS environment variables, needed to
# properly handle quoted arguments containing whitespace.
if [[ "$arg" == "__expand:"* ]]; then
local varName=${arg#"__expand:"}
if [ ! -z "${!varName}" ]; then
readarray -d '' expandedArgs < <(xargs printf '%s\0' <<<"${!varName}")
cmd+=("${expandedArgs[@]}")
fi
else
cmd+=("$arg")
fi
done
runs+=($operation)
runCommands[$operation]="$@"
echo RUN $operation: "$@"
"$@"
local exitCode=$?
runCommands[$operation]="${cmd[@]}"
echo "::group::RUN $operation: ${cmd[@]}"
# Any better way of doing this, avoiding writing exit code to temporary file?
local exitCodeFile="$TEMP_DIR/exit_code.txt"
{ ("${cmd[@]}"; echo >"$exitCodeFile" $?) 2>&1 1>&3 3>&- \
| tee $(printOutputFileName "${operation}" "stderr"); } 3>&1 1>&2 \
| tee $(printOutputFileName "${operation}" "stdout")
local exitCode=$(cat "$exitCodeFile")
rm -f ${exitCodeFile}
runResults[$operation]=$exitCode
requireRun $operation || runsWithError+=($operation)
echo "::endgroup::"
}

function requireRun {
local operation=$1;
[[ "${runResults[$operation]}" == "0" ]]
}

function printRunStatus {
local operations="$@";
local fail=0, success=0;
for op in "$operations"; do
if [ -z "${runResults[$op]}" ]; then
skip=1
elif [[ "${runResults[$op]}" == "0" ]]; then
success=1
else
fail=1
fi
done
if [[ ${fail} == 1 ]]; then
echo "FAILED"
elif [[ ${success} == 1 ]]; then
echo "SUCCESS"
else
echo "SKIPPED"
fi
}

function printRunSummary {
echo "Summary:"
for value in "${runs[@]}"; do
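Review bot: `printRunStatus` never sees its operations individually: `local operations="$@"` joins the arguments into one string and `for op in "$operations"` then iterates exactly once over that joined string, so `printRunStatus "DEBRICKED_IMPORT" "DEBRICKED_PUBLISH"` looks up `runResults["DEBRICKED_IMPORT DEBRICKED_PUBLISH"]`, finds nothing and reports SKIPPED regardless of the recorded results. Iterate the positional parameters directly, `for op in "$@"; do`, and drop the `operations` variable. On the line above it, `local fail=0, success=0;` assigns the literal `0,` to `fail` because the comma is not a separator in bash (it only works because the later test compares against `1`); write `local fail=0 success=0`, and note that `skip=1` in the first branch leaks a global that is never read. Separately, the new `echo "::group::RUN $operation: ${cmd[@]}"` prints the fully expanded argv into the job log, so any credential a caller passes as an argument (such as the `-t "${DEBRICKED_TOKEN}"` in sc-sast-and-debricked-scan.sh) lands in the log unless the runner happens to mask that exact value; consider redacting known token arguments before echoing, and the same applies to `set -v -x` under RUNNER_DEBUG.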
59 changes: 55 additions & 4 deletions internal/run-script/scripts/sc-sast-and-debricked-scan.sh
Expand Up @@ -10,19 +10,70 @@ requireIf "DO_DEBRICKED_SCAN" "DEBRICKED_CLI_CMD"
requireIf "DO_DEBRICKED_SCAN" "DEBRICKED_TOKEN"
checkRequirements

# Disable Debricked CLI colors
export NO_COLOR=true

if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
run "SAST_SCAN" ${FCLI_CMD} sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS}
run "SAST_SCAN" ${FCLI_CMD} sc-sast scan start \
--publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" \
--store sc_sast_scan __expand:EXTRA_SC_SAST_SCAN_OPTS
fi
if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then
# Debricked may return non-zero exit code on automation rule failures, in which case
# we still want to run the import, so we don't explicitly check for Debricked scan success.
run "DEBRICKED_SCAN" ${DEBRICKED_CLI_CMD} scan -t "${DEBRICKED_TOKEN}" -i "Fortify GitHub Action"
run "DEBRICKED_IMPORT" ${FCLI_CMD} ssc artifact import-debricked --av "${SSC_APPVERSION}" --repository "${GITHUB_REPOSITORY}" --branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" -t "${DEBRICKED_TOKEN}" --store debricked_scan
run "DEBRICKED_IMPORT" ${FCLI_CMD} ssc artifact import-debricked \
--av "${SSC_APPVERSION}" --repository "${GITHUB_REPOSITORY}" \
--branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" -t "${DEBRICKED_TOKEN}" \
--store debricked_scan
fi
if [ "${DO_WAIT}" == "true" ] || [ "${DO_EXPORT}" == "true" ]; then
requireRun "SAST_SCAN" && run "SAST_PUBLISH" ${FCLI_CMD} sc-sast scan wait-for ::sc_sast_scan::
requireRun "DEBRICKED_IMPORT" && run "DEBRICKED_PUBLISH" ${FCLI_CMD} ssc artifact wait-for ::debricked_scan::
requireRun "SAST_SCAN" && run "SAST_PUBLISH" \
${FCLI_CMD} sc-sast scan wait-for ::sc_sast_scan::
requireRun "DEBRICKED_IMPORT" && run "DEBRICKED_PUBLISH" \
${FCLI_CMD} ssc artifact wait-for ::debricked_scan::
fi

SAST_SCAN_STATUS=$(printRunStatus "SAST_SCAN")
SAST_PUBLISH_STATUS=$(printRunStatus "SAST_PUBLISH")
DEBRICKED_SCAN_STATUS=$(printRunStatus "DEBRICKED_SCAN")
DEBRICKED_PUBLISH_STATUS=$(printRunStatus "DEBRICKED_IMPORT" "DEBRICKED_PUBLISH")
if [ "${DEBRICKED_SCAN_STATUS}" == "FAILED" ]; then
DEBRICKED_SCAN_DETAILS=$(cat <<EOF
## Debricked Scan Output
The Debricked scan might have failed due to automation rule failures. The output of the
Debricked scan is displayed below, allowing you to verify the cause of the Debricked scan
failure.
\`\`\`
$(printOutput DEBRICKED_SCAN stdout)
$(printOutput DEBRICKED_SCAN stderr)
\`\`\`
EOF)
fi
cat <<EOF >> $GITHUB_STEP_SUMMARY
# Scan Summary
This section provides a status overview of the scans types supported by this GitHub Action,
together with their status.
| Analysis Type | Scan Status | Publish Status |
| ------------- | ----------- | -------------- |
| SCA | ${SAST_SCAN_STATUS} | ${SAST_PUBLISH_STATUS} |
| DEBRICKED | ${DEBRICKED_SCAN_STATUS} | ${DEBRICKED_PUBLISH_STATUS} |
${DEBRICKED_SCAN_DETAILS:-""}
EOF
APPVERSION_SUMMARY_ACTION="${APPVERSION_SUMMARY_ACTION:-appversion-summary}"
run "APPVERSION_SUMMARY" ${FCLI_CMD} ssc action run "${APPVERSION_SUMMARY_ACTION}" \
--av "${SSC_APPVERSION}" --progress=none __expand:APPVERSION_SUMMARY_ACTION_EXTRA_OPTS
requireRun "APPVERSION_SUMMARY" \
&& printOutput "APPVERSION_SUMMARY" "stdout" >> $GITHUB_STEP_SUMMARY \
|| cat<<EOF >> $GITHUB_STEP_SUMMARY
# SSC Application Version Summary
There was an error generating the application version summary; please review pipeline log for details.
EOF
printRunSummary
failOnError
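Review bot: The summary step is recorded through `run "APPVERSION_SUMMARY" ...`, so a failing summary action is appended to `runsWithError` by `run` in common.sh, and the `failOnError` call at the end will presumably fail the job even though the lines just above deliberately degrade to the "There was an error generating the application version summary" message; either the summary should be fatal and the fallback text removed, or it should be excluded from the failure check (`failOnError` is defined outside this hunk, so its exact behaviour is inferred). The `requireRun ... && printOutput ... || cat <<EOF` construct also appends the error text when `printOutput` itself fails, the usual `a && b || c` pitfall; an `if requireRun "APPVERSION_SUMMARY"; then ... else ... fi` is clearer. Both here and in the Debricked block, scan stdout/stderr is pasted into `$GITHUB_STEP_SUMMARY` inside a Markdown fence; output containing a ``` line closes the fence early and the remainder is rendered as summary Markdown, so the inserted text should be treated as untrusted (a longer fence delimiter or escaping of backticks), and `$GITHUB_STEP_SUMMARY` should be quoted on the three redirections.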
