feat: Add ssc-scan action, supporting both SC-SAST & Debricked
rsenden committed Jun 3, 2024
1 parent 3f17de0 commit 93855e1
Showing 13 changed files with 95 additions and 30 deletions.
3 changes: 2 additions & 1 deletion internal/fod-login/fod-login.sh
Expand Up @@ -12,5 +12,6 @@ else
echo "ERROR: Either FOD_CLIENT_ID and FOD_CLIENT_SECRET, or FOD_TENANT, FOD_USER and FOD_PASSWORD environment variables must be set"
exit 1;
fi
${FCLI_CMD} fod session login --url "${FOD_URL}" "${_FOD_AUTH_OPTS[@]}" ${EXTRA_FOD_LOGIN_OPTS} || exit 1
run ${FCLI_CMD} fod session login --url "${FOD_URL}" "${_FOD_AUTH_OPTS[@]}" ${EXTRA_FOD_LOGIN_OPTS} \
|| exit 1
echo '_FOD_LOGGED_IN=true' >> $GITHUB_ENV
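Review bot: Wrapping the login in `run` (added to internal/run-script/util/common.sh in this commit, where it does `echo RUN: "$@"`) now prints the complete command line, including `${_FOD_AUTH_OPTS[@]}`, which presumably carries FOD_CLIENT_SECRET or FOD_PASSWORD, into the job log. The same applies to sc-sast-login.sh (`-t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}"`), ssc-login.sh, and the Debricked calls in ssc-scan/ssc-scan.sh (`-t "${DEBRICKED_TOKEN}"`). GitHub masks values that came from the `secrets` context, but a token that reaches these variables any other way is logged verbatim. The trace should leave argument values out, e.g. `echo "RUN: ${*:1:4} ..." >&2` in `run`, or each script should register its sensitive values with `::add-mask::` before the first `run` call. The enclosing `if`/`else` starts above the hunk.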
3 changes: 2 additions & 1 deletion internal/fod-login/fod-logout.sh
Expand Up @@ -3,5 +3,6 @@

if [[ "${_FOD_LOGGED_IN}" == "true" ]]; then
echo '_FOD_LOGGED_IN=false' >> $GITHUB_ENV
${FCLI_CMD} fod session logout || exit 1
run ${FCLI_CMD} fod session logout \
|| exit 1
fi
9 changes: 1 addition & 8 deletions internal/run-script-js/action.yml
Expand Up @@ -9,18 +9,11 @@ inputs:
post:
description: 'Script to run on job completion'
required: false
dir:
description: 'Directory where scripts are located, should usually be set to github.action_path'
required: true
util:
description: 'Directory where utility scripts are located, set automatically by internal/run-script action'
required: true
key:
description: 'Name of the state variable used to detect the post step.'
required: false
default: POST

runs:
using: 'node20'
main: 'main.js'
post: 'main.js'
post: 'post.js'
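Review bot: With the `dir` input removed, `script` and `post` are now expected to be full paths (internal/run-script/action.yml in this commit prepends `BASH_SCRIPT_DIR` to both), but the `post` description still reads `'Script to run on job completion'`, and the `script` description above the hunk is presumably unchanged too. Spell the contract out so callers do not pass a bare file name again, e.g. `description: 'Path of the script to run on job completion; the caller must resolve it, there is no dir input'`. Dropping the `key` input also means post.js now runs as the post step unconditionally, which is worth a sentence in the action description.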
14 changes: 2 additions & 12 deletions internal/run-script-js/main.js
@@ -1,24 +1,14 @@
const { spawn } = require("child_process");
const { appendFileSync } = require("fs");
const { EOL } = require("os");

function run(script) {
if ( script ) {
const dir = process.env.INPUT_DIR;
const utilDir = process.env.INPUT_UTIL;
const subprocess = spawn(`bash -c -o pipefail -v 'export UTIL_DIR=${utilDir}; ${dir}/${script}'`,
const subprocess = spawn(`bash -c -o pipefail -v 'export UTIL_DIR=${utilDir}; ${script}'`,
{ stdio: "inherit", shell: true });
subprocess.on("exit", (exitCode) => {
process.exitCode = exitCode;
});
}
}

const key = process.env.INPUT_KEY.toUpperCase();

if ( process.env[`STATE_${key}`] !== undefined ) { // Are we in the 'post' step?
run(process.env.INPUT_POST);
} else { // Otherwise, this is the main step
appendFileSync(process.env.GITHUB_STATE, `${key}=true${EOL}`);
run(process.env.INPUT_SCRIPT);
}
run(process.env.INPUT_SCRIPT);
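Review bot: The script path is still spliced into a single-quoted shell string that is then run with `shell: true`, so any quote or shell metacharacter in `INPUT_SCRIPT` (now assembled by callers from `BASH_SCRIPT_DIR` and their `script` input) alters the command; post.js carries the identical construction. If `script` is always a file path, as the callers in this commit make it, passing it as a separate argument and `UTIL_DIR` through the environment removes the string building entirely, and running the file as `bash -o pipefail -v <path>` instead of via `-c` presumably also makes `pipefail` take effect inside the script (with `-c` the file starts its own bash through its shebang, without the option). `exitCode` is `null` when the child dies from a signal, which currently leaves `process.exitCode` unset; fall back to 1. `run` is complete within the hunk.
```javascript
function run(script) {
  if (script) {
    const utilDir = process.env.INPUT_UTIL;
    // The path is its own argv entry and UTIL_DIR travels via the
    // environment, so nothing taken from the inputs is parsed by a shell.
    const subprocess = spawn("bash", ["-o", "pipefail", "-v", script], {
      stdio: "inherit",
      env: { ...process.env, UTIL_DIR: utilDir },
    });
    subprocess.on("exit", (exitCode) => {
      // exitCode is null when the child was terminated by a signal
      process.exitCode = exitCode ?? 1;
    });
  }
}
```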
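--- a/internal/run-script-js/post.js
+++ b/internal/run-script-js/post.js
@@ -0,0 +1,14 @@
+const { spawn } = require("child_process");
+
+function run(script) {
+if ( script ) {
+const utilDir = process.env.INPUT_UTIL;
+const subprocess = spawn(`bash -c -o pipefail -v 'export UTIL_DIR=${utilDir}; ${script}'`,
+{ stdio: "inherit", shell: true });
+subprocess.on("exit", (exitCode) => {
+process.exitCode = exitCode;
+});
+}
+}
+
+run(process.env.INPUT_POST);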
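Review bot: post.js duplicates the `run` helper from main.js line for line, including the shell-string construction raised on main.js, so any fix has to be applied twice and the two steps will drift. Move the helper into a shared module and have both entry points load it, e.g. `const { run } = require("./run");`, keeping `main: 'main.js'` and `post: 'post.js'` in action.yml as they are. The post step now runs whenever the action was used, so `run` being a no-op for an empty `INPUT_POST` is the only thing keeping it quiet; a one-line comment above the call saying so would help the next reader.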
5 changes: 2 additions & 3 deletions internal/run-script/action.yml
Expand Up @@ -27,9 +27,8 @@ runs:
- uses: fortify/github-action/internal/[email protected]
with:
util: ${{ env.BASH_UTIL_DIR }}
dir: ${{ env.BASH_SCRIPT_DIR }}
script: ${{ inputs.script }}
post: ${{ inputs.post }}
script: ${{ env.BASH_SCRIPT_DIR }}/${{ inputs.script }}
post: ${{ env.BASH_SCRIPT_DIR }}/${{ inputs.post }}

branding:
icon: 'shield'
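Review bot: `post: ${{ env.BASH_SCRIPT_DIR }}/${{ inputs.post }}` is no longer empty when the caller gives no `post` input (run-script-js declares it `required: false`, and this action's own `post` input is presumably optional as well): it becomes `<dir>/`, which passes the `if ( script )` check in post.js and makes the post step try to execute a directory, failing the job. ssc-scan/action.yml in this commit is such a caller. Build the path only when the input is set, e.g. `post: ${{ inputs.post != '' && format('{0}/{1}', env.BASH_SCRIPT_DIR, inputs.post) || '' }}`, and treat `script` the same way if it can ever be empty. The `steps:` list starts above the hunk.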
7 changes: 6 additions & 1 deletion internal/run-script/util/common.sh
Expand Up @@ -5,4 +5,9 @@ fi
if [ -z "$FCLI_CMD" ]; then
echo "ERROR: fortify/github-action/setup must be run to set up fcli before running this action"
exit 1;
fi
fi

function run {
echo RUN: "$@"
"$@"
}
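Review bot: `run` writes its trace to stdout with `echo RUN: "$@"`, so it is interleaved with the wrapped command's own output and would be captured by any `$(run ...)` a future script uses; diagnostics belong on stderr. `echo` also interprets a first argument such as `-n` or `-e` as an option rather than printing it, so `printf 'RUN: %s\n' "$*" >&2` is the safer form. Whatever is printed here includes every token passed on a wrapped command line, which is raised separately on fod-login.sh. A one-line comment stating that the function exits with the wrapped command's status (it does, since `"$@"` is the last command) would document the contract the `|| exit 1` callers rely on.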
3 changes: 2 additions & 1 deletion internal/sc-sast-login/sc-sast-login.sh
Expand Up @@ -10,5 +10,6 @@ fi
if [ -z "SSC_TOKEN" ]; then
echo "ERROR: SSC_TOKEN environment variable must be set"; exit 1;
fi
${FCLI_CMD} sc-sast session login --ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" ${EXTRA_SC_SAST_LOGIN_OPTS}
run ${FCLI_CMD} sc-sast session login --ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" ${EXTRA_SC_SAST_LOGIN_OPTS} \
|| exit 1
echo '_SC_SAST_LOGGED_IN=true' >> $GITHUB_ENV
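Review bot: The added `|| exit 1` makes a failed login fatal, which this script previously lacked, but the guard three lines above it, `if [ -z "SSC_TOKEN" ]`, tests a literal string and can never be true, so an unset SSC_TOKEN still reaches fcli as `-t ""` and only surfaces as the new exit path with fcli's error rather than the intended message. It should read `if [ -z "${SSC_TOKEN}" ]; then`. That line is context in this hunk, but the new failure handling now depends on it for a clear diagnosis. The preceding `if` block starts above the hunk.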
3 changes: 2 additions & 1 deletion internal/sc-sast-login/sc-sast-logout.sh
Expand Up @@ -3,5 +3,6 @@

if [[ "${_SC_SAST_LOGGED_IN}" == "true" ]]; then
echo '_SC_SAST_LOGGED_IN=false' >> $GITHUB_ENV
${FCLI_CMD} sc-sast session logout --no-revoke-token || exit 1
run ${FCLI_CMD} sc-sast session logout --no-revoke-token \
|| exit 1
fi
3 changes: 2 additions & 1 deletion internal/ssc-login/ssc-login.sh
Expand Up @@ -11,5 +11,6 @@ elif [ -n "${SSC_USER}" -a -n "${SSC_PASSWORD}" ]; then
else
echo "ERROR: Either SSC_TOKEN, or SSC_USER and SSC_PASSWORD environment variables must be set"; exit 1;
fi
${FCLI_CMD} ssc session login --url "${SSC_URL}" "${_SSC_AUTH_OPTS[@]}" ${EXTRA_SSC_LOGIN_OPTS}
run ${FCLI_CMD} ssc session login --url "${SSC_URL}" "${_SSC_AUTH_OPTS[@]}" ${EXTRA_SSC_LOGIN_OPTS} \
|| exit 1
echo '_SSC_LOGGED_IN=true' >> $GITHUB_ENV
3 changes: 2 additions & 1 deletion internal/ssc-login/ssc-logout.sh
Expand Up @@ -10,5 +10,6 @@ if [[ "${_SSC_LOGGED_IN}" == "true" ]]; then
else
echo "ERROR: Either SSC_TOKEN, or SSC_USER and SSC_PASSWORD environment variables must be set"; exit 1;
fi
${FCLI_CMD} ssc session logout "${_SSC_LOGOUT_OPTS[@]}" || exit 1
run ${FCLI_CMD} ssc session logout "${_SSC_LOGOUT_OPTS[@]}" \
|| exit 1
fi
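--- a/ssc-scan/action.yml
+++ b/ssc-scan/action.yml
@@ -0,0 +1,25 @@
+name: 'Perform SAST scan'
+description: 'Perform a SAST scan on ScanCentral SAST'
+author: 'Fortify'
+runs:
+using: composite
+steps:
+- uses: fortify/github-action/[email protected]
+with:
+export-path: false
+fcli: action-default
+debricked-cli: ${{ env.DO_DEBRICKED_SCAN=='true' && 'action-default' || 'skip' }}
+- uses: fortify/github-action/internal/[email protected]
+- uses: fortify/github-action/internal/[email protected]
+- uses: fortify/github-action/[email protected]
+- uses: fortify/github-action/internal/[email protected]
+with:
+dir: ${{ github.action_path }}
+script: ./ssc-scan.sh
+- if: env.DO_EXPORT == 'true'
+uses: fortify/github-action/[email protected]
+
+branding:
+icon: 'shield'
+color: 'blue'
+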
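Review bot: `name` and `description` only mention a SAST scan, while the setup step installs the Debricked CLI when `DO_DEBRICKED_SCAN` is `'true'` and the wrapped ssc-scan.sh also runs a Debricked scan and imports it into SSC; the metadata should say so, e.g. `description: 'Perform a ScanCentral SAST scan and/or a Debricked scan and publish the results to SSC'`. The run-script step passes `dir` and `script` but no `post`, which with the path building now done in internal/run-script/action.yml presumably leaves the post step with a bare directory path (raised on that file). Documenting which `DO_*` environment variables this action reads, next to `steps:`, would also help callers.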
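--- a/ssc-scan/ssc-scan.sh
+++ b/ssc-scan/ssc-scan.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+. ${UTIL_DIR}/common.sh
+
+# This script assumes that fcli and Debricked CLI have already been installed,
+# and that any necessary fcli sessions have been created.
+# TODO Check prerequisites like SSC_APPVERSION, DEBRICKED_TOKEN, ...
+
+if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
+run ${FCLI_CMD} sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS} \
+|| exit 1
+fi
+if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then
+# Debricked may return non-zero exit code on automation rule failures, in which case
+# we still want to run subsequent steps, hence we temporarily ignore the exit code,
+run ${DEBRICKED_CLI_CMD} scan -t "${DEBRICKED_TOKEN}" -i "Fortify GitHub Action" \
+|| FAIL_ON_EXIT=true
+run ${FCLI_CMD} ssc artifact import-debricked --av "${SSC_APPVERSION}" --repository "${GITHUB_REPOSITORY}" --branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" -t "${DEBRICKED_TOKEN}" --store debricked_scan \
+|| exit 1
+fi
+if [ "${DO_WAIT}" == "true" ] || [ "${DO_EXPORT}" == "true" ]; then
+if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
+run ${FCLI_CMD} sc-sast scan wait-for ::sc_sast_scan:: \
+|| exit 1
+fi
+if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then
+run ${FCLI_CMD} ssc artifact wait-for ::debricked_scan:: \
+|| exit 1
+fi
+fi
+if [ "${FAIL_ON_EXIT}" == "true" ]; then
+echo "Earlier failures detected"
+exit 1
+fi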
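Review bot: The TODO on line 6 of the new file is not cosmetic: with an empty `SSC_APPVERSION` the `sc-sast scan start` call runs with `--publish-to ""`, and with an empty `DEBRICKED_TOKEN` both Debricked calls pass `-t ""`, so a missing prerequisite surfaces as a CLI error deep in the log instead of a clear message. Follow the pattern of the login scripts and fail early, e.g. `[ -n "${SSC_APPVERSION}" ] || { echo "ERROR: SSC_APPVERSION environment variable must be set"; exit 1; }` before the first scan, with the equivalent check for `DEBRICKED_TOKEN` inside the `DO_DEBRICKED_SCAN` branch. The `|| FAIL_ON_EXIT=true` fallback also swallows Debricked failures that are not rule violations (an invalid token, a network error) and then still runs `import-debricked`; the comment above it should say that this is accepted, and it currently ends mid-sentence (`... ignore the exit code,`). Both token arguments are echoed by `run`, as raised on fod-login.sh.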
