diff --git a/.husky/pre-commit b/.husky/pre-commit index 394875a..1ea24b6 100755 --- a/.husky/pre-commit +++ b/.husky/pre-commit @@ -2,4 +2,4 @@ . "$(dirname "$0")/_/husky.sh" (cd internal/run && NODE_OPTIONS=--openssl-legacy-provider npm run build && git add dist/) (cd setup && NODE_OPTIONS=--openssl-legacy-provider npm run build && git add dist/) -doc-resources/update-doc-resources.sh +doc-resources/update-repo-docs.sh diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0737b90..b877a7a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -19,6 +19,7 @@ Action documentation is generated from the `doc-resources` directory, using func * `templates//README.template.md`: Template for the README.md file for each action * `action-.md`: Documentation for each action, included by both the corresponding action readme template, and the top-level readme (through `repo-readme.md`) * `env-*.md`: Documentation for the environment variables supported by the various actions. Most of these are named after the action that they correspond to, for example `env-fod-login.md` (corresponding to the `internal/fod-login` action), listing action-specific environment variables. Others describe generic environment variables that are shared by multiple actions, for example `env-fod-release.md`. +* `nocomments.env-*-sample.md`: Most of the `env-*.md` files mentioned above have a corresponding sample file that shows how to configure the variables in a GitHub workflow. * `repo-devinfo.md`: Information for developers * `repo-readme.md`: Top-level readme contents * `repo-usage.md`: Used to generated top-level USAGE.md, just refers to README.md diff --git a/README.md b/README.md index 6b3138f..d1eba93 100644 --- a/README.md +++ b/README.md 
@@ -138,7 +138,7 @@ The sample workflow below demonstrates how to configure the action for installin -This action packages application source code to be scanned using [ScanCentral Client](https://www.microfocus.com/documentation/fortify-software-security-center/2310/SC_SAST_Help_23.1.0/index.htm#A_Clients.htm). +This action packages application source code using [ScanCentral Client](https://www.microfocus.com/documentation/fortify-software-security-center/2310/SC_SAST_Help_23.1.0/index.htm#A_Clients.htm). The output package is saved as `package.zip`. ### Action environment variable inputs @@ -151,6 +151,20 @@ Optional: By default, this action runs `scancentral package -o package.zip`. The +### Sample usage + +The sample workflow below demonstrates how to configure the action for running a SAST scan on FoD. + +```yaml + steps: + - name: Check out source code + uses: actions/checkout@v4 + - name: Package source code + uses: fortify/github-action/package@v1 + env: + EXTRA_PACKAGE_OPTS: -bt mvn +``` + @@ -178,6 +192,9 @@ Before running this action, please ensure that the appropriate release has been + + + **`FOD_URL`** Required: Fortify on Demand URL, for example https://ams.fortify.com @@ -187,6 +204,9 @@ Required when authenticating with an API key: FoD Client ID (API key) and Secret **`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. + + + **`EXTRA_FOD_LOGIN_OPTS`** Optional: Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-session-login.html) 
@@ -223,6 +243,28 @@ Optional: If set to `true`, this action will export scan results to the GitHub S +### Sample usage + +The sample workflow below demonstrates how to configure the action for running a SAST scan on FoD. + +```yaml + steps: + - name: Check out source code + uses: actions/checkout@v4 + - name: Run FoD SAST Scan + uses: fortify/github-action/fod-sast-scan@v1 + env: + FOD_URL: https://ams.fortify.com + FOD_TENANT: ${{secrets.FOD_TENANT}} + FOD_USER: ${{secrets.FOD_USER}} + FOD_PASSWORD: ${{secrets.FOD_PAT}} + EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s + FOD_RELEASE: MyApp:MyRelease + EXTRA_PACKAGE_OPTS: -oss -bt gradle + # DO_WAIT: true # Ignored due to DO_EXPORT below + DO_EXPORT: true +``` + @@ -236,7 +278,7 @@ This action exports the latest vulnerability data from an FoD release to the Git ### Action environment variable inputs - + **`FOD_URL`** Required: Fortify on Demand URL, for example https://ams.fortify.com @@ -247,10 +289,7 @@ Required when authenticating with an API key: FoD Client ID (API key) and Secret **`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. -**`EXTRA_FOD_LOGIN_OPTS`** -Optional: Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-session-login.html) - - + 
@@ -262,6 +301,22 @@ Required: Fortify on Demand release to use with this action. This can be specifi +### Sample usage + +The sample workflow below demonstrates how to configure the action for exporting FoD vulnerability data to the GitHub Security Code Scanning dashboard. + +```yaml + steps: + - name: Export FoD vulnerability data to GitHub + uses: fortify/github-action/fod-export@v1 + env: + FOD_URL: https://ams.fortify.com + FOD_TENANT: ${{secrets.FOD_TENANT}} + FOD_USER: ${{secrets.FOD_USER}} + FOD_PASSWORD: ${{secrets.FOD_PAT}} + FOD_RELEASE: MyApp:MyRelease +``` + @@ -343,6 +398,27 @@ Optional: If set to `true`, this action will export scan results to the GitHub S +### Sample usage + +The sample workflow below demonstrates how to configure the action for running a SAST scan on ScanCentral SAST. + +```yaml + steps: + - name: Check out source code + uses: actions/checkout@v4 + - name: Run ScanCentral SAST Scan + uses: fortify/github-action/sc-sast-scan@v1 + env: + SSC_URL: ${{secrets.SSC_URL}} + SSC_TOKEN: ${{secrets.SSC_TOKEN}} + SC_SAST_CLIENT_AUTH_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}} + EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s + SSC_APPVERSION: MyApp:MyVersion + EXTRA_PACKAGE_OPTS: -bt mvn + # DO_WAIT: true # Ignored due to DO_EXPORT below + DO_EXPORT: true +``` + @@ -356,9 +432,6 @@ This action exports the latest vulnerability data from an SSC application versio ### Action environment variable inputs - - - **`SSC_URL`** @@ -373,12 +446,6 @@ Required when authenticating with user credentials. -**`EXTRA_SSC_LOGIN_OPTS`** -Optional: Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-ssc-session-login.html). - - - - 
@@ -388,6 +455,20 @@ Required: Fortify SSC application version to use with this action. This can be s +### Sample usage + +The sample workflow below demonstrates how to configure the action for exporting FoD vulnerability data to the GitHub Security Code Scanning dashboard. + +```yaml + steps: + - name: Export SSC vulnerability data to GitHub + uses: fortify/github-action/ssc-export@v1 + env: + SSC_URL: ${{secrets.SSC_URL}} + SSC_TOKEN: ${{secrets.SSC_TOKEN}} + SSC_APPVERSION: MyApp:MyVersion +``` + diff --git a/doc-resources/action-fod-export.md b/doc-resources/action-fod-export.md index ebe7041..1ca4e18 100644 --- a/doc-resources/action-fod-export.md +++ b/doc-resources/action-fod-export.md @@ -2,6 +2,19 @@ This action exports the latest vulnerability data from an FoD release to the Git ### Action environment variable inputs -{{include:env-fod-login.md}} +{{include:env-fod-connection.md}} {{include:env-fod-release.md}} + +### Sample usage + +The sample workflow below demonstrates how to configure the action for exporting FoD vulnerability data to the GitHub Security Code Scanning dashboard. + +```yaml + steps: + - name: Export FoD vulnerability data to GitHub + uses: fortify/github-action/fod-export@{{var:action-major-version}} + env: +{{include:nocomments.env-fod-connection-sample.md}} +{{include:nocomments.env-fod-release-sample.md}} +``` \ No newline at end of file diff --git a/doc-resources/action-fod-sast-scan.md b/doc-resources/action-fod-sast-scan.md index 095d291..35a3c5e 100644 --- a/doc-resources/action-fod-sast-scan.md +++ b/doc-resources/action-fod-sast-scan.md 
@@ -11,3 +11,17 @@ Before running this action, please ensure that the appropriate release has been ### Action environment variable inputs {{include:env-fod-sast-scan.md}} + +### Sample usage + +The sample workflow below demonstrates how to configure the action for running a SAST scan on FoD. + +```yaml + steps: + - name: Check out source code + uses: actions/checkout@v4 + - name: Run FoD SAST Scan + uses: fortify/github-action/fod-sast-scan@{{var:action-major-version}} + env: +{{include:nocomments.env-fod-sast-scan-sample.md}} +``` diff --git a/doc-resources/action-package.md b/doc-resources/action-package.md index 40209c9..f4b39db 100644 --- a/doc-resources/action-package.md +++ b/doc-resources/action-package.md @@ -1,5 +1,19 @@ -This action packages application source code to be scanned using [ScanCentral Client]({{var:sc-client-doc-base-url}}#A_Clients.htm). +This action packages application source code using [ScanCentral Client]({{var:sc-client-doc-base-url}}#A_Clients.htm). The output package is saved as `package.zip`. ### Action environment variable inputs -{{include:env-package.md}} \ No newline at end of file +{{include:env-package.md}} + +### Sample usage + +The sample workflow below demonstrates how to configure the action for running a SAST scan on FoD. + +```yaml + steps: + - name: Check out source code + uses: actions/checkout@v4 + - name: Package source code + uses: fortify/github-action/package@{{var:action-major-version}} + env: +{{include:nocomments.env-package-sample.md}} +``` \ No newline at end of file diff --git a/doc-resources/action-sc-sast-scan.md b/doc-resources/action-sc-sast-scan.md index bdb7dd6..996055b 100644 --- a/doc-resources/action-sc-sast-scan.md +++ b/doc-resources/action-sc-sast-scan.md 
@@ -10,4 +10,18 @@ Before running this action, please ensure that the appropriate application versi ### Action environment variable inputs -{{include:env-sc-sast-scan.md}} \ No newline at end of file +{{include:env-sc-sast-scan.md}} + +### Sample usage + +The sample workflow below demonstrates how to configure the action for running a SAST scan on ScanCentral SAST. + +```yaml + steps: + - name: Check out source code + uses: actions/checkout@v4 + - name: Run ScanCentral SAST Scan + uses: fortify/github-action/sc-sast-scan@{{var:action-major-version}} + env: +{{include:nocomments.env-sc-sast-scan-sample.md}} +``` \ No newline at end of file diff --git a/doc-resources/action-ssc-export.md b/doc-resources/action-ssc-export.md index 1decec5..8e7a0ab 100644 --- a/doc-resources/action-ssc-export.md +++ b/doc-resources/action-ssc-export.md @@ -2,6 +2,19 @@ This action exports the latest vulnerability data from an SSC application versio ### Action environment variable inputs -{{include:env-ssc-login.md}} +{{include:env-ssc-connection.md}} {{include:env-ssc-appversion.md}} + +### Sample usage + +The sample workflow below demonstrates how to configure the action for exporting FoD vulnerability data to the GitHub Security Code Scanning dashboard. + +```yaml + steps: + - name: Export SSC vulnerability data to GitHub + uses: fortify/github-action/ssc-export@{{var:action-major-version}} + env: +{{include:nocomments.env-ssc-connection-sample.md}} +{{include:nocomments.env-ssc-appversion-sample.md}} +``` \ No newline at end of file diff --git a/doc-resources/env-fod-connection.md b/doc-resources/env-fod-connection.md new file mode 100644 index 0000000..fce5c8f --- /dev/null +++ b/doc-resources/env-fod-connection.md 
@@ -0,0 +1,8 @@ +**`FOD_URL`** +Required: Fortify on Demand URL, for example https://ams.fortify.com + +**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** +Required when authenticating with an API key: FoD Client ID (API key) and Secret (API secret) + +**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** +Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. \ No newline at end of file diff --git a/doc-resources/env-fod-login.md b/doc-resources/env-fod-login.md index 2de770e..aa50ffa 100644 --- a/doc-resources/env-fod-login.md +++ b/doc-resources/env-fod-login.md @@ -1,11 +1,4 @@ -**`FOD_URL`** -Required: Fortify on Demand URL, for example https://ams.fortify.com - -**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** -Required when authenticating with an API key: FoD Client ID (API key) and Secret (API secret) - -**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** -Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. +{{include:env-fod-connection.md}} **`EXTRA_FOD_LOGIN_OPTS`** Optional: Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-fod-session-login.html) \ No newline at end of file diff --git a/doc-resources/nocomments.env-fod-connection-sample.md b/doc-resources/nocomments.env-fod-connection-sample.md new file mode 100644 index 0000000..1efb5ab --- /dev/null +++ b/doc-resources/nocomments.env-fod-connection-sample.md @@ -0,0 +1,4 @@ + FOD_URL: https://ams.fortify.com + FOD_TENANT: ${{secrets.FOD_TENANT}} + FOD_USER: ${{secrets.FOD_USER}} + FOD_PASSWORD: ${{secrets.FOD_PAT}} \ No newline at end of file 
diff --git a/doc-resources/nocomments.env-fod-login-sample.md b/doc-resources/nocomments.env-fod-login-sample.md new file mode 100644 index 0000000..403b273 --- /dev/null +++ b/doc-resources/nocomments.env-fod-login-sample.md @@ -0,0 +1,2 @@ +{{include:nocomments.env-fod-connection-sample.md}} + EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s \ No newline at end of file diff --git a/doc-resources/nocomments.env-fod-package-sample.md b/doc-resources/nocomments.env-fod-package-sample.md new file mode 100644 index 0000000..99b91de --- /dev/null +++ b/doc-resources/nocomments.env-fod-package-sample.md @@ -0,0 +1 @@ + EXTRA_PACKAGE_OPTS: -oss -bt gradle \ No newline at end of file diff --git a/doc-resources/nocomments.env-fod-release-sample.md b/doc-resources/nocomments.env-fod-release-sample.md new file mode 100644 index 0000000..8a21bba --- /dev/null +++ b/doc-resources/nocomments.env-fod-release-sample.md @@ -0,0 +1 @@ + FOD_RELEASE: MyApp:MyRelease \ No newline at end of file diff --git a/doc-resources/nocomments.env-fod-sast-scan-sample.md b/doc-resources/nocomments.env-fod-sast-scan-sample.md new file mode 100644 index 0000000..798e6e2 --- /dev/null +++ b/doc-resources/nocomments.env-fod-sast-scan-sample.md @@ -0,0 +1,5 @@ +{{include:nocomments.env-fod-login-sample.md}} +{{include:nocomments.env-fod-release-sample.md}} +{{include:nocomments.env-fod-package-sample.md}} + # DO_WAIT: true # Ignored due to DO_EXPORT below + DO_EXPORT: true \ No newline at end of file diff --git a/doc-resources/nocomments.env-package-sample.md b/doc-resources/nocomments.env-package-sample.md new file mode 100644 index 0000000..ac7a852 --- /dev/null +++ b/doc-resources/nocomments.env-package-sample.md @@ -0,0 +1 @@ + EXTRA_PACKAGE_OPTS: -bt mvn \ No newline at end of file diff --git a/doc-resources/nocomments.env-sc-sast-login-sample.md b/doc-resources/nocomments.env-sc-sast-login-sample.md new file mode 100644 index 0000000..c0c2c05 --- /dev/null 
+++ b/doc-resources/nocomments.env-sc-sast-login-sample.md @@ -0,0 +1,3 @@ +{{include:nocomments.env-ssc-connection-sample.md}} + SC_SAST_CLIENT_AUTH_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}} + EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s \ No newline at end of file diff --git a/doc-resources/nocomments.env-sc-sast-scan-sample.md b/doc-resources/nocomments.env-sc-sast-scan-sample.md new file mode 100644 index 0000000..e3d525f --- /dev/null +++ b/doc-resources/nocomments.env-sc-sast-scan-sample.md @@ -0,0 +1,5 @@ +{{include:nocomments.env-sc-sast-login-sample.md}} +{{include:nocomments.env-ssc-appversion-sample.md}} +{{include:nocomments.env-package-sample.md}} + # DO_WAIT: true # Ignored due to DO_EXPORT below + DO_EXPORT: true \ No newline at end of file diff --git a/doc-resources/nocomments.env-ssc-appversion-sample.md b/doc-resources/nocomments.env-ssc-appversion-sample.md new file mode 100644 index 0000000..e76f0cc --- /dev/null +++ b/doc-resources/nocomments.env-ssc-appversion-sample.md @@ -0,0 +1 @@ + SSC_APPVERSION: MyApp:MyVersion \ No newline at end of file diff --git a/doc-resources/nocomments.env-ssc-connection-sample.md b/doc-resources/nocomments.env-ssc-connection-sample.md new file mode 100644 index 0000000..50c1901 --- /dev/null +++ b/doc-resources/nocomments.env-ssc-connection-sample.md @@ -0,0 +1,2 @@ + SSC_URL: ${{secrets.SSC_URL}} + SSC_TOKEN: ${{secrets.SSC_TOKEN}} \ No newline at end of file diff --git a/doc-resources/repo-devinfo.md b/doc-resources/repo-devinfo.md index f72be37..9f8d015 100644 --- a/doc-resources/repo-devinfo.md +++ b/doc-resources/repo-devinfo.md 
@@ -10,6 +10,7 @@ Action documentation is generated from the `doc-resources` directory, using func * `templates//README.template.md`: Template for the README.md file for each action * `action-.md`: Documentation for each action, included by both the corresponding action readme template, and the top-level readme (through `repo-readme.md`) * `env-*.md`: Documentation for the environment variables supported by the various actions. Most of these are named after the action that they correspond to, for example `env-fod-login.md` (corresponding to the `internal/fod-login` action), listing action-specific environment variables. Others describe generic environment variables that are shared by multiple actions, for example `env-fod-release.md`. +* `nocomments.env-*-sample.md`: Most of the `env-*.md` files mentioned above have a corresponding sample file that shows how to configure the variables in a GitHub workflow. * `repo-devinfo.md`: Information for developers * `repo-readme.md`: Top-level readme contents * `repo-usage.md`: Used to generated top-level USAGE.md, just refers to README.md diff --git a/fod-export/README.md b/fod-export/README.md index 11176dd..a09db92 100644 --- a/fod-export/README.md +++ b/fod-export/README.md @@ -16,7 +16,7 @@ This action exports the latest vulnerability data from an FoD release to the Git ### Action environment variable inputs - + **`FOD_URL`** Required: Fortify on Demand URL, for example https://ams.fortify.com 
@@ -27,10 +27,7 @@ Required when authenticating with an API key: FoD Client ID (API key) and Secret **`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. -**`EXTRA_FOD_LOGIN_OPTS`** -Optional: Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-session-login.html) - - + @@ -42,6 +39,22 @@ Required: Fortify on Demand release to use with this action. This can be specifi +### Sample usage + +The sample workflow below demonstrates how to configure the action for exporting FoD vulnerability data to the GitHub Security Code Scanning dashboard. + +```yaml + steps: + - name: Export FoD vulnerability data to GitHub + uses: fortify/github-action/fod-export@v1 + env: + FOD_URL: https://ams.fortify.com + FOD_TENANT: ${{secrets.FOD_TENANT}} + FOD_USER: ${{secrets.FOD_USER}} + FOD_PASSWORD: ${{secrets.FOD_PAT}} + FOD_RELEASE: MyApp:MyRelease +``` + diff --git a/fod-sast-scan/README.md b/fod-sast-scan/README.md index 4e9c9fa..d362009 100644 --- a/fod-sast-scan/README.md +++ b/fod-sast-scan/README.md @@ -30,6 +30,9 @@ Before running this action, please ensure that the appropriate release has been + + + **`FOD_URL`** Required: Fortify on Demand URL, for example https://ams.fortify.com 
@@ -39,6 +42,9 @@ Required when authenticating with an API key: FoD Client ID (API key) and Secret **`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. + + + **`EXTRA_FOD_LOGIN_OPTS`** Optional: Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-session-login.html) @@ -75,6 +81,28 @@ Optional: If set to `true`, this action will export scan results to the GitHub S +### Sample usage + +The sample workflow below demonstrates how to configure the action for running a SAST scan on FoD. + +```yaml + steps: + - name: Check out source code + uses: actions/checkout@v4 + - name: Run FoD SAST Scan + uses: fortify/github-action/fod-sast-scan@v1 + env: + FOD_URL: https://ams.fortify.com + FOD_TENANT: ${{secrets.FOD_TENANT}} + FOD_USER: ${{secrets.FOD_USER}} + FOD_PASSWORD: ${{secrets.FOD_PAT}} + EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s + FOD_RELEASE: MyApp:MyRelease + EXTRA_PACKAGE_OPTS: -oss -bt gradle + # DO_WAIT: true # Ignored due to DO_EXPORT below + DO_EXPORT: true +``` + diff --git a/package/README.md b/package/README.md index b0a3c2b..dd77853 100644 --- a/package/README.md +++ b/package/README.md @@ -11,7 +11,7 @@ -This action packages application source code to be scanned using [ScanCentral Client](https://www.microfocus.com/documentation/fortify-software-security-center/2310/SC_SAST_Help_23.1.0/index.htm#A_Clients.htm). +This action packages application source code using [ScanCentral Client](https://www.microfocus.com/documentation/fortify-software-security-center/2310/SC_SAST_Help_23.1.0/index.htm#A_Clients.htm). The output package is saved as `package.zip`. ### Action environment variable inputs 
@@ -24,6 +24,20 @@ Optional: By default, this action runs `scancentral package -o package.zip`. The +### Sample usage + +The sample workflow below demonstrates how to configure the action for running a SAST scan on FoD. + +```yaml + steps: + - name: Check out source code + uses: actions/checkout@v4 + - name: Package source code + uses: fortify/github-action/package@v1 + env: + EXTRA_PACKAGE_OPTS: -bt mvn +``` + diff --git a/sc-sast-scan/README.md b/sc-sast-scan/README.md index b6ddeb0..caccd57 100644 --- a/sc-sast-scan/README.md +++ b/sc-sast-scan/README.md @@ -84,6 +84,27 @@ Optional: If set to `true`, this action will export scan results to the GitHub S +### Sample usage + +The sample workflow below demonstrates how to configure the action for running a SAST scan on ScanCentral SAST. + +```yaml + steps: + - name: Check out source code + uses: actions/checkout@v4 + - name: Run ScanCentral SAST Scan + uses: fortify/github-action/sc-sast-scan@v1 + env: + SSC_URL: ${{secrets.SSC_URL}} + SSC_TOKEN: ${{secrets.SSC_TOKEN}} + SC_SAST_CLIENT_AUTH_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}} + EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s + SSC_APPVERSION: MyApp:MyVersion + EXTRA_PACKAGE_OPTS: -bt mvn + # DO_WAIT: true # Ignored due to DO_EXPORT below + DO_EXPORT: true +``` + diff --git a/ssc-export/README.md b/ssc-export/README.md index 62088a8..8427c53 100644 --- a/ssc-export/README.md +++ b/ssc-export/README.md @@ -16,9 +16,6 @@ This action exports the latest vulnerability data from an SSC application versio ### Action environment variable inputs - - - **`SSC_URL`** @@ -33,12 +30,6 @@ Required when authenticating with user credentials. -**`EXTRA_SSC_LOGIN_OPTS`** -Optional: Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-ssc-session-login.html). - - - - 
@@ -48,6 +39,20 @@ Required: Fortify SSC application version to use with this action. This can be s +### Sample usage + +The sample workflow below demonstrates how to configure the action for exporting FoD vulnerability data to the GitHub Security Code Scanning dashboard. + +```yaml + steps: + - name: Export SSC vulnerability data to GitHub + uses: fortify/github-action/ssc-export@v1 + env: + SSC_URL: ${{secrets.SSC_URL}} + SSC_TOKEN: ${{secrets.SSC_TOKEN}} + SSC_APPVERSION: MyApp:MyVersion +``` +
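Review bot: The `.husky/pre-commit` hunk points the hook at `doc-resources/update-repo-docs.sh`, but nothing in this patch renames `update-doc-resources.sh` or adds `update-repo-docs.sh`; if the script rename is not in the same commit, every subsequent commit will fail in the hook. Please include the rename (or confirm it already landed) and check that the new script keeps the executable bit.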
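Review bot: Copy-paste error in the `doc-resources/action-package.md` hunk: the lead-in says the sample "demonstrates how to configure the action for running a SAST scan on FoD", but the package action only produces `package.zip` and runs no scan. Suggest "demonstrates how to configure the action for packaging source code with ScanCentral Client". The same sentence is reproduced in the generated `README.md` and `package/README.md` hunks, so fix the template and regenerate rather than editing the outputs.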
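Review bot: Wrong product name in the `doc-resources/action-ssc-export.md` hunk: the sample is described as "exporting FoD vulnerability data" for an SSC action; it should read "exporting SSC vulnerability data to the GitHub Security Code Scanning dashboard". This carries through to the generated `README.md` and `ssc-export/README.md` sections, so again correct the source file and regenerate.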
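Review bot: Asymmetric with the FoD side: the `action-ssc-export.md` hunk switches to `{{include:env-ssc-connection.md}}`, and `nocomments.env-sc-sast-login-sample.md` includes `nocomments.env-ssc-connection-sample.md`, but this patch adds no `env-ssc-connection.md` and does not change `env-ssc-login.md` to include it, whereas `env-fod-connection.md` is created and `env-fod-login.md` is updated. Confirm the SSC connection file exists in the tree (the regenerated `ssc-export/README.md` hunk suggests it does) or add it here so the split is complete.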
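Review bot: Possible documentation regression in the `action-fod-export.md` hunk: replacing `env-fod-login.md` with `env-fod-connection.md` drops `EXTRA_FOD_LOGIN_OPTS` from the export action's documented inputs (and the SSC hunk does the same for `EXTRA_SSC_LOGIN_OPTS`). That is only correct if the export actions do not run an fcli session login that honors those options; if they do, the variables still work and the documentation should keep them. Please state the intent in the commit message either way.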
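Review bot: The `nocomments.env-fod-connection-sample.md` hunk shows only user-credential authentication (`FOD_TENANT`/`FOD_USER`/`FOD_PASSWORD`), while `env-fod-connection.md` documents `FOD_CLIENT_ID`/`FOD_CLIENT_SECRET` as the alternative; consider adding those two as commented-out lines so readers see both options. Keeping `FOD_PASSWORD: ${{secrets.FOD_PAT}}` as the default is right, since it matches the documented recommendation to use a Personal Access Token instead of a user password. Note also that every new `nocomments.*` file ends with "No newline at end of file"; since they are spliced into YAML blocks, verify the include tool adds the line break, as the regenerated READMEs suggest it does.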
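Review bot: Nit on the `doc-resources/repo-devinfo.md` hunk: the new `nocomments.env-*-sample.md` bullet is fine, but the neighbouring unchanged line "Used to generated top-level USAGE.md" should read "Used to generate"; worth fixing while the list is being touched. `CONTRIBUTING.md` appears to be a generated copy of this file, so the source edit plus regeneration is sufficient.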