From e0b8b83bd3e2a9b684a3bf4f68d99d3641b93b58 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Thu, 12 Sep 2024 14:06:42 +0200 Subject: [PATCH] chore: Improve consistency, add policy checks fix: Deprecate EXTRA_*_OPTS variables; these are replaced by *_EXTRA_OPTS variables for consistency feat: Add support for performing policy checks after scan completion --- README.md | 140 ++++++++++++------ doc-resources/action-fod-sast-scan.md | 2 +- doc-resources/env-do-policy-check.md | 2 + doc-resources/env-fod-login.md | 2 +- doc-resources/env-fod-package.md | 8 +- doc-resources/env-fod-sast-scan.md | 4 +- doc-resources/env-package.md | 6 +- doc-resources/env-sc-sast-login.md | 2 +- doc-resources/env-sc-sast-scan.md | 4 +- doc-resources/env-ssc-debricked-scan.md | 2 + doc-resources/env-ssc-login.md | 2 +- .../nocomments.env-fod-login-sample.md | 2 +- .../nocomments.env-fod-package-sample.md | 2 +- .../nocomments.env-package-sample.md | 2 +- .../nocomments.env-sc-sast-login-sample.md | 2 +- .../nocomments.env-ssc-login-sample.md | 2 +- fod-sast-scan/README.md | 27 ++-- internal/run-script/scripts/common.sh | 36 +++-- internal/run-script/scripts/export.sh | 2 +- internal/run-script/scripts/fod-login.sh | 4 +- internal/run-script/scripts/fod-scan.sh | 8 +- internal/run-script/scripts/package.sh | 2 +- .../scripts/sc-sast-and-debricked-scan.sh | 8 +- internal/run-script/scripts/sc-sast-login.sh | 2 +- internal/run-script/scripts/ssc-login.sh | 4 +- package/README.md | 8 +- sc-sast-scan/README.md | 27 ++-- ssc-debricked-scan/README.md | 13 +- 28 files changed, 218 insertions(+), 107 deletions(-) create mode 100644 doc-resources/env-do-policy-check.md diff --git a/README.md b/README.md index 5838d1b..58d67f7 100644 --- a/README.md +++ b/README.md 
@@ -110,7 +110,7 @@ Required when authenticating with user credentials: FoD tenant, user and passwor -**`EXTRA_FOD_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_FOD_LOGIN_OPTS` (deprecated), `FOD_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-fod-session-login.html) 
@@ -128,19 +128,19 @@ Fortify on Demand release to use with this action. This can be specified either -**`EXTRA_PACKAGE_OPTS`** - OPTIONAL -By default, this action runs `scancentral package -o package.zip` to package application source code. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options. +**`EXTRA_PACKAGE_OPTS` (deprecated), `PACKAGE_EXTRA_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip` to package application source code. The `PACKAGE_EXTRA_OPTS` environment variable can be used to specify additional packaging options. If FoD Software Composition Analysis has been purchased and configured on the applicable release, you'll need to pass the `-oss` option through this environment variable to generate and package the additional dependency files required. -Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient to properly package application source code. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options. +Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient to properly package application source code. Depending on your build setup, you may however need to configure the `PACKAGE_EXTRA_OPTS` environment variable to specify additional packaging options. -As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. 
+As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `PACKAGE_EXTRA_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. -**`EXTRA_FOD_SAST_SCAN_OPTS`** - OPTIONAL +**`EXTRA_FOD_SAST_SCAN_OPTS` (deprecated), `FOD_SAST_SCAN_EXTRA_OPTS`** - OPTIONAL Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-fod-sast-scan-start.html) @@ -153,6 +153,15 @@ By default, this action will not wait until scans have been completed. To have t + + +**`CHECK_POLICY_ACTION`, `CHECK_POLICY_EXTRA_OPTS`** - OPTIONAL +These inputs allow for running policy checks after scan completion. As security policies are different for every Fortify customer, we don't provide a default policy check action. `POLICY_CHECK_ACTION` may point to a local file or URL; this custom fcli action must accept at least the `--av` (for SSC) or `--rel` (for FoD) option. Any extra options for this custom fcli action can be passed through the `CHECK_POLICY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used. Please see https://fortify.github.io/fcli/v2.6.0/#_actions for more information. + + + + + **`DO_JOB_SUMMARY`, `JOB_SUMMARY_ACTION`, `JOB_SUMMARY_EXTRA_OPTS`** - OPTIONAL @@ -226,7 +235,7 @@ Required when authenticating with SSC user credentials. -**`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_SSC_LOGIN_OPTS` (deprecated), `SSC_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-ssc-session-login.html). 
@@ -238,7 +247,7 @@ Extra SSC login options, for example for disabling SSL checks or changing connec **`SC_SAST_TOKEN`** - REQUIRED Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller. -**`EXTRA_SC_SAST_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_SC_SAST_LOGIN_OPTS` (deprecated), `SC_SAST_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli sc-sast session login` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-sc-sast-session-login.html). 
@@ -262,10 +271,10 @@ Fortify SSC application version to use with this action. This can be specified e -**`EXTRA_PACKAGE_OPTS`** - OPTIONAL -By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options. +**`EXTRA_PACKAGE_OPTS` (deprecated), `PACKAGE_EXTRA_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `PACKAGE_EXTRA_OPTS` environment variable to specify additional packaging options. -As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. +As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `PACKAGE_EXTRA_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. 
@@ -273,7 +282,7 @@ As an example, if the build file that you want to use for packaging doesn't adhe **`SC_SAST_SENSOR_VERSION`** - REQUIRED Version of the ScanCentral SAST sensor on which the scan should be performed. See [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-sc-sast-scan-start.html#_options_for_scanning_a_package_file) for details. -**`EXTRA_SC_SAST_SCAN_OPTS`** - OPTIONAL +**`EXTRA_SC_SAST_SCAN_OPTS` (deprecated), `SC_SAST_SCAN_EXTRA_OPTS`** - OPTIONAL Extra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-sc-sast-scan-start.html) @@ -286,6 +295,15 @@ By default, this action will not wait until scans have been completed. To have t + + +**`CHECK_POLICY_ACTION`, `CHECK_POLICY_EXTRA_OPTS`** - OPTIONAL +These inputs allow for running policy checks after scan completion. As security policies are different for every Fortify customer, we don't provide a default policy check action. `POLICY_CHECK_ACTION` may point to a local file or URL; this custom fcli action must accept at least the `--av` (for SSC) or `--rel` (for FoD) option. Any extra options for this custom fcli action can be passed through the `CHECK_POLICY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used. Please see https://fortify.github.io/fcli/v2.6.0/#_actions for more information. + + + + + **`DO_JOB_SUMMARY`, `JOB_SUMMARY_ACTION`, `JOB_SUMMARY_EXTRA_OPTS`** - OPTIONAL @@ -359,7 +377,7 @@ Required when authenticating with SSC user credentials. -**`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_SSC_LOGIN_OPTS` (deprecated), `SSC_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-ssc-session-login.html). 
@@ -387,6 +405,15 @@ By default, this action will not wait until scans have been completed. To have t + + +**`CHECK_POLICY_ACTION`, `CHECK_POLICY_EXTRA_OPTS`** - OPTIONAL +These inputs allow for running policy checks after scan completion. As security policies are different for every Fortify customer, we don't provide a default policy check action. `POLICY_CHECK_ACTION` may point to a local file or URL; this custom fcli action must accept at least the `--av` (for SSC) or `--rel` (for FoD) option. Any extra options for this custom fcli action can be passed through the `CHECK_POLICY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used. Please see https://fortify.github.io/fcli/v2.6.0/#_actions for more information. + + + + + **`DO_JOB_SUMMARY`, `JOB_SUMMARY_ACTION`, `JOB_SUMMARY_EXTRA_OPTS`** - OPTIONAL @@ -445,9 +472,9 @@ The sample workflows below demonstrate how to configure the action for running a FOD_TENANT: ${{secrets.FOD_TENANT}} FOD_USER: ${{secrets.FOD_USER}} FOD_PASSWORD: ${{secrets.FOD_PAT}} - # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s + # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # FOD_RELEASE: MyApp:MyRelease - # EXTRA_PACKAGE_OPTS: -oss + # PACKAGE_EXTRA_OPTS: -oss # DO_WAIT: true # DO_EXPORT: true # TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip 
@@ -467,11 +494,11 @@ The sample workflows below demonstrate how to configure the action for running a env: SSC_URL: ${{vars.SSC_URL}} SSC_TOKEN: ${{secrets.SSC_TOKEN}} - # EXTRA_SSC_LOGIN_OPTS: --socket-timeout=60s + # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s SC_SAST_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}} - # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s + # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # SSC_APPVERSION: MyApp:MyVersion - # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml + # PACKAGE_EXTRA_OPTS: -bf custom-pom.xml SC_SAST_SENSOR_VERSION: 23.2 # DO_DEBRICKED_SCAN: true # Or debricked-sca-scan input on top-level action # DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} @@ -494,7 +521,7 @@ The sample workflows below demonstrate how to configure the action for running a env: SSC_URL: ${{vars.SSC_URL}} SSC_TOKEN: ${{secrets.SSC_TOKEN}} - # EXTRA_SSC_LOGIN_OPTS: --socket-timeout=60s + # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # SSC_APPVERSION: MyApp:MyVersion DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # DO_WAIT: true 
@@ -654,10 +681,10 @@ This action assumes the standard software packages as provided by GitHub-hosted -**`EXTRA_PACKAGE_OPTS`** - OPTIONAL -By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options. +**`EXTRA_PACKAGE_OPTS` (deprecated), `PACKAGE_EXTRA_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `PACKAGE_EXTRA_OPTS` environment variable to specify additional packaging options. -As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. +As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `PACKAGE_EXTRA_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. 
@@ -684,7 +711,7 @@ The sample workflow below demonstrates how to configure the action for running a - name: Package source code uses: fortify/github-action/package@v1 env: - # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml + # PACKAGE_EXTRA_OPTS: -bf custom-pom.xml # TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip ``` @@ -727,7 +754,7 @@ This action assumes the standard software packages as provided by GitHub-hosted Apart from the generic action prerequisites listed above, the following prerequisites apply to this specific action: * The appropriate application release exists on FoD and has been configured for SAST scans. Future versions of this action may add support for automating app/release creation and scan setup. -* If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `EXTRA_PACKAGE_OPTS` environment variable. +* If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `PACKAGE_EXTRA_OPTS` environment variable. ### Action environment variable inputs @@ -753,7 +780,7 @@ Required when authenticating with user credentials: FoD tenant, user and passwor -**`EXTRA_FOD_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_FOD_LOGIN_OPTS` (deprecated), `FOD_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-fod-session-login.html) 
@@ -771,19 +798,19 @@ Fortify on Demand release to use with this action. This can be specified either -**`EXTRA_PACKAGE_OPTS`** - OPTIONAL -By default, this action runs `scancentral package -o package.zip` to package application source code. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options. +**`EXTRA_PACKAGE_OPTS` (deprecated), `PACKAGE_EXTRA_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip` to package application source code. The `PACKAGE_EXTRA_OPTS` environment variable can be used to specify additional packaging options. If FoD Software Composition Analysis has been purchased and configured on the applicable release, you'll need to pass the `-oss` option through this environment variable to generate and package the additional dependency files required. -Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient to properly package application source code. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options. +Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient to properly package application source code. Depending on your build setup, you may however need to configure the `PACKAGE_EXTRA_OPTS` environment variable to specify additional packaging options. -As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. 
+As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `PACKAGE_EXTRA_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. -**`EXTRA_FOD_SAST_SCAN_OPTS`** - OPTIONAL +**`EXTRA_FOD_SAST_SCAN_OPTS` (deprecated), `FOD_SAST_SCAN_EXTRA_OPTS`** - OPTIONAL Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-fod-sast-scan-start.html) @@ -796,6 +823,15 @@ By default, this action will not wait until scans have been completed. To have t + + +**`CHECK_POLICY_ACTION`, `CHECK_POLICY_EXTRA_OPTS`** - OPTIONAL +These inputs allow for running policy checks after scan completion. As security policies are different for every Fortify customer, we don't provide a default policy check action. `POLICY_CHECK_ACTION` may point to a local file or URL; this custom fcli action must accept at least the `--av` (for SSC) or `--rel` (for FoD) option. Any extra options for this custom fcli action can be passed through the `CHECK_POLICY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used. Please see https://fortify.github.io/fcli/v2.6.0/#_actions for more information. + + + + + **`DO_JOB_SUMMARY`, `JOB_SUMMARY_ACTION`, `JOB_SUMMARY_EXTRA_OPTS`** - OPTIONAL 
@@ -861,9 +897,9 @@ The sample workflow below demonstrates how to configure the action for running a FOD_TENANT: ${{secrets.FOD_TENANT}} FOD_USER: ${{secrets.FOD_USER}} FOD_PASSWORD: ${{secrets.FOD_PAT}} - # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s + # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # FOD_RELEASE: MyApp:MyRelease - # EXTRA_PACKAGE_OPTS: -oss + # PACKAGE_EXTRA_OPTS: -oss # DO_WAIT: true # DO_EXPORT: true # TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip @@ -1025,7 +1061,7 @@ Required when authenticating with SSC user credentials. -**`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_SSC_LOGIN_OPTS` (deprecated), `SSC_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-ssc-session-login.html). @@ -1037,7 +1073,7 @@ Extra SSC login options, for example for disabling SSL checks or changing connec **`SC_SAST_TOKEN`** - REQUIRED Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller. -**`EXTRA_SC_SAST_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_SC_SAST_LOGIN_OPTS` (deprecated), `SC_SAST_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli sc-sast session login` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-sc-sast-session-login.html). 
@@ -1061,10 +1097,10 @@ Fortify SSC application version to use with this action. This can be specified e -**`EXTRA_PACKAGE_OPTS`** - OPTIONAL -By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options. +**`EXTRA_PACKAGE_OPTS` (deprecated), `PACKAGE_EXTRA_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `PACKAGE_EXTRA_OPTS` environment variable to specify additional packaging options. -As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. +As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `PACKAGE_EXTRA_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. 
@@ -1072,7 +1108,7 @@ As an example, if the build file that you want to use for packaging doesn't adhe **`SC_SAST_SENSOR_VERSION`** - REQUIRED Version of the ScanCentral SAST sensor on which the scan should be performed. See [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-sc-sast-scan-start.html#_options_for_scanning_a_package_file) for details. -**`EXTRA_SC_SAST_SCAN_OPTS`** - OPTIONAL +**`EXTRA_SC_SAST_SCAN_OPTS` (deprecated), `SC_SAST_SCAN_EXTRA_OPTS`** - OPTIONAL Extra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-sc-sast-scan-start.html) @@ -1085,6 +1121,15 @@ By default, this action will not wait until scans have been completed. To have t + + +**`CHECK_POLICY_ACTION`, `CHECK_POLICY_EXTRA_OPTS`** - OPTIONAL +These inputs allow for running policy checks after scan completion. As security policies are different for every Fortify customer, we don't provide a default policy check action. `POLICY_CHECK_ACTION` may point to a local file or URL; this custom fcli action must accept at least the `--av` (for SSC) or `--rel` (for FoD) option. Any extra options for this custom fcli action can be passed through the `CHECK_POLICY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used. Please see https://fortify.github.io/fcli/v2.6.0/#_actions for more information. + + + + + **`DO_JOB_SUMMARY`, `JOB_SUMMARY_ACTION`, `JOB_SUMMARY_EXTRA_OPTS`** - OPTIONAL 
@@ -1148,11 +1193,11 @@ The sample workflow below demonstrates how to configure the action for running a env: SSC_URL: ${{vars.SSC_URL}} SSC_TOKEN: ${{secrets.SSC_TOKEN}} - # EXTRA_SSC_LOGIN_OPTS: --socket-timeout=60s + # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s SC_SAST_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}} - # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s + # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # SSC_APPVERSION: MyApp:MyVersion - # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml + # PACKAGE_EXTRA_OPTS: -bf custom-pom.xml SC_SAST_SENSOR_VERSION: 23.2 # DO_DEBRICKED_SCAN: true # Or debricked-sca-scan input on top-level action # DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} @@ -1224,7 +1269,7 @@ Required when authenticating with SSC user credentials. -**`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_SSC_LOGIN_OPTS` (deprecated), `SSC_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-ssc-session-login.html). @@ -1252,6 +1297,15 @@ By default, this action will not wait until scans have been completed. To have t + + +**`CHECK_POLICY_ACTION`, `CHECK_POLICY_EXTRA_OPTS`** - OPTIONAL +These inputs allow for running policy checks after scan completion. As security policies are different for every Fortify customer, we don't provide a default policy check action. `POLICY_CHECK_ACTION` may point to a local file or URL; this custom fcli action must accept at least the `--av` (for SSC) or `--rel` (for FoD) option. Any extra options for this custom fcli action can be passed through the `CHECK_POLICY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used. Please see https://fortify.github.io/fcli/v2.6.0/#_actions for more information. + + + + + **`DO_JOB_SUMMARY`, `JOB_SUMMARY_ACTION`, `JOB_SUMMARY_EXTRA_OPTS`** - OPTIONAL 
@@ -1304,7 +1358,7 @@ The sample workflow below demonstrates how to configure the action for running a env: SSC_URL: ${{vars.SSC_URL}} SSC_TOKEN: ${{secrets.SSC_TOKEN}} - # EXTRA_SSC_LOGIN_OPTS: --socket-timeout=60s + # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # SSC_APPVERSION: MyApp:MyVersion DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # DO_WAIT: true diff --git a/doc-resources/action-fod-sast-scan.md b/doc-resources/action-fod-sast-scan.md index 75ec459..e244a7b 100644 --- a/doc-resources/action-fod-sast-scan.md +++ b/doc-resources/action-fod-sast-scan.md @@ -13,7 +13,7 @@ The SAST and optional open source scan performed by this action consists of the Apart from the generic action prerequisites listed above, the following prerequisites apply to this specific action: * The appropriate application release exists on FoD and has been configured for SAST scans. Future versions of this action may add support for automating app/release creation and scan setup. -* If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `EXTRA_PACKAGE_OPTS` environment variable. +* If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `PACKAGE_EXTRA_OPTS` environment variable. ### Action environment variable inputs diff --git a/doc-resources/env-do-policy-check.md b/doc-resources/env-do-policy-check.md new file mode 100644 index 0000000..fd7b288 --- /dev/null +++ b/doc-resources/env-do-policy-check.md 
@@ -0,0 +1,2 @@
+**`CHECK_POLICY_ACTION`, `CHECK_POLICY_EXTRA_OPTS`** - OPTIONAL
+These inputs allow for running policy checks after scan completion. As security policies are different for every Fortify customer, we don't provide a default policy check action. `POLICY_CHECK_ACTION` may point to a local file or URL; this custom fcli action must accept at least the `--av` (for SSC) or `--rel` (for FoD) option. Any extra options for this custom fcli action can be passed through the `CHECK_POLICY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used. Please see {{var:fcli-doc-base-url}}#_actions for more information.
\ No newline at end of file
diff --git a/doc-resources/env-fod-login.md b/doc-resources/env-fod-login.md
index 08aa1c1..74648c2 100644
--- a/doc-resources/env-fod-login.md
+++ b/doc-resources/env-fod-login.md
@@ -1,4 +1,4 @@
 {{include:env-fod-connection.md}}
-**`EXTRA_FOD_LOGIN_OPTS`** - OPTIONAL
+**`EXTRA_FOD_LOGIN_OPTS` (deprecated), `FOD_LOGIN_EXTRA_OPTS`** - OPTIONAL
 Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-fod-session-login.html)
\ No newline at end of file
diff --git a/doc-resources/env-fod-package.md b/doc-resources/env-fod-package.md
index 7ffb7fe..76243cb 100644
--- a/doc-resources/env-fod-package.md
+++ b/doc-resources/env-fod-package.md
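Review bot: The new snippet names the input `CHECK_POLICY_ACTION` in its heading but `POLICY_CHECK_ACTION` in the body, so a user following the prose will set a variable that, if the heading is the real name, is never read and the policy gate is silently skipped — for a security control that is the wrong failure mode. Change the body to `` `CHECK_POLICY_ACTION` may point to a local file or URL; `` so it agrees with the heading; because this file is pulled into every README via `{{include:env-do-policy-check.md}}`, the same mismatch is currently repeated in each generated section. Since the action may be loaded from a URL and `CHECK_POLICY_EXTRA_OPTS` is explicitly offered as the place to disable signature checks, I would also add the caveat `Pin the action to a trusted, immutable location (a file in this repository or a versioned URL) and prefer signed actions; allowing unsigned actions lets whoever controls that URL run arbitrary fcli logic against your SSC/FoD session.` The `internal/run-script/scripts/*.sh` changes listed in the diffstat are not in this chunk, so which variable name the scripts actually read cannot be confirmed here.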
@@ -1,8 +1,8 @@
-**`EXTRA_PACKAGE_OPTS`** - OPTIONAL
-By default, this action runs `scancentral package -o package.zip` to package application source code. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options.
+**`EXTRA_PACKAGE_OPTS` (deprecated), `PACKAGE_EXTRA_OPTS`** - OPTIONAL
+By default, this action runs `scancentral package -o package.zip` to package application source code. The `PACKAGE_EXTRA_OPTS` environment variable can be used to specify additional packaging options.
 If FoD Software Composition Analysis has been purchased and configured on the applicable release, you'll need to pass the `-oss` option through this environment variable to generate and package the additional dependency files required.
-Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient to properly package application source code. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options.
+Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient to properly package application source code. Depending on your build setup, you may however need to configure the `PACKAGE_EXTRA_OPTS` environment variable to specify additional packaging options.
-As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command]({{var:sc-client-doc-base-url}}#cli/package-cmd.htm) for more information on available options.
+As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `PACKAGE_EXTRA_OPTS` environment variable. 
See [Command-line options for the package command]({{var:sc-client-doc-base-url}}#cli/package-cmd.htm) for more information on available options.
diff --git a/doc-resources/env-fod-sast-scan.md b/doc-resources/env-fod-sast-scan.md
index 373961d..ab2232e 100644
--- a/doc-resources/env-fod-sast-scan.md
+++ b/doc-resources/env-fod-sast-scan.md
@@ -5,11 +5,13 @@
 {{include:env-fod-package.md}}
-**`EXTRA_FOD_SAST_SCAN_OPTS`** - OPTIONAL
+**`EXTRA_FOD_SAST_SCAN_OPTS` (deprecated), `FOD_SAST_SCAN_EXTRA_OPTS`** - OPTIONAL
 Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-fod-sast-scan-start.html)
 {{include:env-do-wait.md}}
+{{include:env-do-policy-check.md}}
+
 {{include:env-do-job-summary.md}}
 {{include:env-do-export.md}}
diff --git a/doc-resources/env-package.md b/doc-resources/env-package.md
index 2e8d0aa..7414d76 100644
--- a/doc-resources/env-package.md
+++ b/doc-resources/env-package.md
@@ -1,4 +1,4 @@ -**`EXTRA_PACKAGE_OPTS`** - OPTIONAL -By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options. +**`EXTRA_PACKAGE_OPTS` (deprecated), `PACKAGE_EXTRA_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `PACKAGE_EXTRA_OPTS` environment variable to specify additional packaging options. -As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command]({{var:sc-client-doc-base-url}}#cli/package-cmd.htm) for more information on available options. +As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `PACKAGE_EXTRA_OPTS` environment variable. See [Command-line options for the package command]({{var:sc-client-doc-base-url}}#cli/package-cmd.htm) for more information on available options. diff --git a/doc-resources/env-sc-sast-login.md b/doc-resources/env-sc-sast-login.md index 3f93b91..df90ff2 100644 --- a/doc-resources/env-sc-sast-login.md +++ b/doc-resources/env-sc-sast-login.md 
@@ -1,5 +1,5 @@ **`SC_SAST_TOKEN`** - REQUIRED Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller. -**`EXTRA_SC_SAST_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_SC_SAST_LOGIN_OPTS` (deprecated), `SC_SAST_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli sc-sast session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-sc-sast-session-login.html). \ No newline at end of file diff --git a/doc-resources/env-sc-sast-scan.md b/doc-resources/env-sc-sast-scan.md index 51fcbfb..9b3bb0b 100644 --- a/doc-resources/env-sc-sast-scan.md +++ b/doc-resources/env-sc-sast-scan.md @@ -17,11 +17,13 @@ Required when performing a Debricked Software Composition Analysis scan; see the **`SC_SAST_SENSOR_VERSION`** - REQUIRED Version of the ScanCentral SAST sensor on which the scan should be performed. See [`fcli sc-sast scan start` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-sc-sast-scan-start.html#_options_for_scanning_a_package_file) for details. -**`EXTRA_SC_SAST_SCAN_OPTS`** - OPTIONAL +**`EXTRA_SC_SAST_SCAN_OPTS` (deprecated), `SC_SAST_SCAN_EXTRA_OPTS`** - OPTIONAL Extra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-sc-sast-scan-start.html) {{include:env-do-wait.md}} +{{include:env-do-policy-check.md}} + {{include:env-do-job-summary.md}} {{include:env-do-export.md}} diff --git a/doc-resources/env-ssc-debricked-scan.md b/doc-resources/env-ssc-debricked-scan.md index cbb85e5..d3b9046 100644 --- a/doc-resources/env-ssc-debricked-scan.md +++ b/doc-resources/env-ssc-debricked-scan.md @@ -9,6 +9,8 @@ See the [Generate access token](https://docs.debricked.com/product/administratio {{include:env-do-wait.md}} +{{include:env-do-policy-check.md}} + {{include:env-do-job-summary.md}} {{include:env-do-pr-comment.md}} 
diff --git a/doc-resources/env-ssc-login.md b/doc-resources/env-ssc-login.md index 89e4eea..4ee4a8c 100644 --- a/doc-resources/env-ssc-login.md +++ b/doc-resources/env-ssc-login.md @@ -1,2 +1,2 @@ -**`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_SSC_LOGIN_OPTS` (deprecated), `SSC_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-ssc-session-login.html). \ No newline at end of file diff --git a/doc-resources/nocomments.env-fod-login-sample.md b/doc-resources/nocomments.env-fod-login-sample.md index 25727ef..3e10927 100644 --- a/doc-resources/nocomments.env-fod-login-sample.md +++ b/doc-resources/nocomments.env-fod-login-sample.md @@ -1,2 +1,2 @@ {{include:nocomments.env-fod-connection-sample.md}} - # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s \ No newline at end of file + # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s \ No newline at end of file diff --git a/doc-resources/nocomments.env-fod-package-sample.md b/doc-resources/nocomments.env-fod-package-sample.md index d51c0f9..0d7363e 100644 --- a/doc-resources/nocomments.env-fod-package-sample.md +++ b/doc-resources/nocomments.env-fod-package-sample.md @@ -1 +1 @@ - # EXTRA_PACKAGE_OPTS: -oss \ No newline at end of file + # PACKAGE_EXTRA_OPTS: -oss \ No newline at end of file diff --git a/doc-resources/nocomments.env-package-sample.md b/doc-resources/nocomments.env-package-sample.md index 4b0ee7c..08eca1a 100644 --- a/doc-resources/nocomments.env-package-sample.md +++ b/doc-resources/nocomments.env-package-sample.md @@ -1 +1 @@ - # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml \ No newline at end of file + # PACKAGE_EXTRA_OPTS: -bf custom-pom.xml \ No newline at end of file diff --git a/doc-resources/nocomments.env-sc-sast-login-sample.md b/doc-resources/nocomments.env-sc-sast-login-sample.md index 6583ba4..88fa9a8 100644 
--- a/doc-resources/nocomments.env-sc-sast-login-sample.md +++ b/doc-resources/nocomments.env-sc-sast-login-sample.md @@ -1,2 +1,2 @@ SC_SAST_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}} - # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s \ No newline at end of file + # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s \ No newline at end of file diff --git a/doc-resources/nocomments.env-ssc-login-sample.md b/doc-resources/nocomments.env-ssc-login-sample.md index 9cdcc3b..c2b41fc 100644 --- a/doc-resources/nocomments.env-ssc-login-sample.md +++ b/doc-resources/nocomments.env-ssc-login-sample.md @@ -1 +1 @@ - # EXTRA_SSC_LOGIN_OPTS: --socket-timeout=60s \ No newline at end of file + # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s \ No newline at end of file diff --git a/fod-sast-scan/README.md b/fod-sast-scan/README.md index e5b0031..ced7977 100644 --- a/fod-sast-scan/README.md +++ b/fod-sast-scan/README.md @@ -39,7 +39,7 @@ This action assumes the standard software packages as provided by GitHub-hosted Apart from the generic action prerequisites listed above, the following prerequisites apply to this specific action: * The appropriate application release exists on FoD and has been configured for SAST scans. Future versions of this action may add support for automating app/release creation and scan setup. -* If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `EXTRA_PACKAGE_OPTS` environment variable. +* If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `PACKAGE_EXTRA_OPTS` environment variable. ### Action environment variable inputs 
@@ -65,7 +65,7 @@ Required when authenticating with user credentials: FoD tenant, user and passwor -**`EXTRA_FOD_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_FOD_LOGIN_OPTS` (deprecated), `FOD_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-fod-session-login.html) 
@@ -83,19 +83,19 @@ Fortify on Demand release to use with this action. This can be specified either -**`EXTRA_PACKAGE_OPTS`** - OPTIONAL -By default, this action runs `scancentral package -o package.zip` to package application source code. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options. +**`EXTRA_PACKAGE_OPTS` (deprecated), `PACKAGE_EXTRA_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip` to package application source code. The `PACKAGE_EXTRA_OPTS` environment variable can be used to specify additional packaging options. If FoD Software Composition Analysis has been purchased and configured on the applicable release, you'll need to pass the `-oss` option through this environment variable to generate and package the additional dependency files required. -Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient to properly package application source code. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options. +Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient to properly package application source code. Depending on your build setup, you may however need to configure the `PACKAGE_EXTRA_OPTS` environment variable to specify additional packaging options. -As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. 
+As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `PACKAGE_EXTRA_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. -**`EXTRA_FOD_SAST_SCAN_OPTS`** - OPTIONAL +**`EXTRA_FOD_SAST_SCAN_OPTS` (deprecated), `FOD_SAST_SCAN_EXTRA_OPTS`** - OPTIONAL Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-fod-sast-scan-start.html) @@ -108,6 +108,15 @@ By default, this action will not wait until scans have been completed. To have t + + +**`CHECK_POLICY_ACTION`, `CHECK_POLICY_EXTRA_OPTS`** - OPTIONAL +These inputs allow for running policy checks after scan completion. As security policies are different for every Fortify customer, we don't provide a default policy check action. `POLICY_CHECK_ACTION` may point to a local file or URL; this custom fcli action must accept at least the `--av` (for SSC) or `--rel` (for FoD) option. Any extra options for this custom fcli action can be passed through the `CHECK_POLICY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used. Please see https://fortify.github.io/fcli/v2.6.0/#_actions for more information. + + + + + **`DO_JOB_SUMMARY`, `JOB_SUMMARY_ACTION`, `JOB_SUMMARY_EXTRA_OPTS`** - OPTIONAL 
@@ -173,9 +182,9 @@ The sample workflow below demonstrates how to configure the action for running a FOD_TENANT: ${{secrets.FOD_TENANT}} FOD_USER: ${{secrets.FOD_USER}} FOD_PASSWORD: ${{secrets.FOD_PAT}} - # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s + # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # FOD_RELEASE: MyApp:MyRelease - # EXTRA_PACKAGE_OPTS: -oss + # PACKAGE_EXTRA_OPTS: -oss # DO_WAIT: true # DO_EXPORT: true # TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip diff --git a/internal/run-script/scripts/common.sh b/internal/run-script/scripts/common.sh index b78eee9..99c7d7f 100644 --- a/internal/run-script/scripts/common.sh +++ b/internal/run-script/scripts/common.sh @@ -38,7 +38,7 @@ function printOutput { # arguments specify the command to run together with its arguments. # # Command arguments may contain environment variable references in the -# format __expand:, for example __expand:EXTRA_SC_SAST_SCAN_OPTS; +# format __expand:, for example __expand:SC_SAST_SCAN_EXTRA_OPTS; # these will be expanded before running the given command. The environment # variable to be expanded may contain multiple arguments, including properly # quoted arguments containing whitespace. 
@@ -250,26 +250,36 @@ function requireSCSastSession { ############################################################################# # Function to determine whether PR comments should be generated. PR comments -# are only generated if DO_PR_COMMENT is set to true, required GITHUB_* -# environment variables are available, and GITHUB_REF_NAME points to a PR. +# are only generated if any of the PR_COMMENT variables is set, required +# GITHUB_* environment variables are available, and GITHUB_REF_NAME points to +# a PR. function doPRComment { - [ "${DO_PR_COMMENT}" == "true" ] \ - && [ -n "${GITHUB_TOKEN}" ] \ - && [ -n "${GITHUB_REPOSITORY_OWNER}" ] \ - && [ -n "${GITHUB_REPOSITORY}" ] \ - && [ -n "${GITHUB_REF_NAME}" ] \ - && [ -n "${GITHUB_SHA}" ] \ - && [[ "${GITHUB_REF_NAME}" == */merge ]] + [[ ("${DO_PR_COMMENT}" == "true" || -n "${PR_COMMENT_ACTION}" || -n "${PR_COMMENT_EXTRA_OPTS}") \ + && -n "${GITHUB_TOKEN}" ] \ + && -n "${GITHUB_REPOSITORY_OWNER}" ] \ + && -n "${GITHUB_REPOSITORY}" ] \ + && -n "${GITHUB_REF_NAME}" ] \ + && -n "${GITHUB_SHA}" ] \ + && "${GITHUB_REF_NAME}" == */merge ]] } ############################################################################# -# Function to determine whether job summary should be generated. +# Function to determine whether PR comments should be generated. Job summary +# is enabled if any of the JOB_SUMMARY variables is set. function doJobSummary { - [ "${DO_JOB_SUMMARY}" == "true" ] + [[ "${DO_JOB_SUMMARY}" == "true" || -n "${JOB_SUMMARY_ACTION}" || -n "${JOB_SUMMARY_EXTRA_OPTS} ]] +} + +############################################################################# +# Function to determine whether policy check should be run. Policy checks +# are enabled if POLICY_CHECK_ACTION is defined (as we don't provide a +# default action). 
+function doPolicyCheck { + [[ -n "${POLICY_CHECK_ACTION}" ]] } ############################################################################# # Function to determine whether we should wait for scan completion. function doWait { - [ "${DO_WAIT}" == "true" ] || [ "${DO_EXPORT}" == "true" ] || doJobSummary || doPRComment + [ "${DO_WAIT}" == "true" ] || [ "${DO_EXPORT}" == "true" ] || doJobSummary || doPRComment || doPolicyCheck } diff --git a/internal/run-script/scripts/export.sh b/internal/run-script/scripts/export.sh index 6cae08b..04b67b7 100755 --- a/internal/run-script/scripts/export.sh +++ b/internal/run-script/scripts/export.sh @@ -5,6 +5,6 @@ requireFcli requireVar "PRODUCT" checkRequirements -run "EXPORT" "${FCLI_CMD}" "${PRODUCT}" action run "${EXPORT_ACTION:-github-sast-report}" __expand:DEFAULT_OPTS __expand:EXTRA_EXPORT_OPTS +run "EXPORT" "${FCLI_CMD}" "${PRODUCT}" action run "${EXPORT_ACTION:-github-sast-report}" __expand:DEFAULT_OPTS __expand:EXPORT_EXTRA_OPTS printRunSummary failOnError diff --git a/internal/run-script/scripts/fod-login.sh b/internal/run-script/scripts/fod-login.sh index f81a21c..dc7f728 100755 --- a/internal/run-script/scripts/fod-login.sh +++ b/internal/run-script/scripts/fod-login.sh 
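Review bot: The rewritten `doPRComment` and `doJobSummary` in this hunk do not parse: `doPRComment` opens a `[[` test but closes each `-n` clause with a single `]` (`&& -n "${GITHUB_TOKEN}" ] \`), and `doJobSummary` has an unterminated quote in `-n "${JOB_SUMMARY_EXTRA_OPTS} ]]`, so bash will reject common.sh when it is sourced and none of the scan scripts will run. Both should be plain `[[ … ]]` conditions with every operand closed. The comment above `doJobSummary` is also a copy of the PR-comment one; it should read `# Function to determine whether job summary should be generated. Job summary is enabled if any of the JOB_SUMMARY variables is set.`
```shell
function doPRComment {
  [[ ( "${DO_PR_COMMENT}" == "true" || -n "${PR_COMMENT_ACTION}" || -n "${PR_COMMENT_EXTRA_OPTS}" ) \
     && -n "${GITHUB_TOKEN}" \
     && -n "${GITHUB_REPOSITORY_OWNER}" \
     && -n "${GITHUB_REPOSITORY}" \
     && -n "${GITHUB_REF_NAME}" \
     && -n "${GITHUB_SHA}" \
     && "${GITHUB_REF_NAME}" == */merge ]]
}

# … unchanged: header comment …
function doJobSummary {
  [[ "${DO_JOB_SUMMARY}" == "true" || -n "${JOB_SUMMARY_ACTION}" || -n "${JOB_SUMMARY_EXTRA_OPTS}" ]]
}
```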
@@ -10,9 +10,9 @@ requireIfVar "FOD_USER" "FOD_TENANT" checkRequirements if [ -n "${FOD_CLIENT_ID}" ]; then - run "FOD_LOGIN" "${FCLI_CMD}" fod session login --url "${FOD_URL}" --client-id "${FOD_CLIENT_ID}" --client-secret "${FOD_CLIENT_SECRET}" __expand:EXTRA_FOD_LOGIN_OPTS + run "FOD_LOGIN" "${FCLI_CMD}" fod session login --url "${FOD_URL}" --client-id "${FOD_CLIENT_ID}" --client-secret "${FOD_CLIENT_SECRET}" __expand:EXTRA_FOD_LOGIN_OPTS __expand:FOD_LOGIN_EXTRA_OPTS else - run "FOD_LOGIN" "${FCLI_CMD}" fod session login --url "${FOD_URL}" -t "${FOD_TENANT}" -u "${FOD_USER}" -p "${FOD_PASSWORD}" __expand:EXTRA_FOD_LOGIN_OPTS + run "FOD_LOGIN" "${FCLI_CMD}" fod session login --url "${FOD_URL}" -t "${FOD_TENANT}" -u "${FOD_USER}" -p "${FOD_PASSWORD}" __expand:EXTRA_FOD_LOGIN_OPTS __expand:FOD_LOGIN_EXTRA_OPTS fi printRunSummary diff --git a/internal/run-script/scripts/fod-scan.sh b/internal/run-script/scripts/fod-scan.sh index 8934fa6..4cb70e4 100755 --- a/internal/run-script/scripts/fod-scan.sh +++ b/internal/run-script/scripts/fod-scan.sh @@ -10,12 +10,18 @@ checkRequirements run "SAST_SCAN" "${FCLI_CMD}" fod sast-scan start \ --rel "${FOD_RELEASE}" -f package.zip \ - --store fod_sast_scan __expand:EXTRA_FOD_SAST_SCAN_OPTS + --store fod_sast_scan __expand:EXTRA_FOD_SAST_SCAN_OPTS __expand:FOD_SAST_SCAN_EXTRA_OPTS if doWait; then ifRun "SAST_SCAN" && run "SAST_PUBLISH" \ "${FCLI_CMD}" fod sast-scan wait-for ::fod_sast_scan:: fi +if doPolicyCheck; then + run "POLICY_CHECK" "${FCLI_CMD}" ssc action run "${POLICY_CHECK_ACTION}" \ + --av "${SSC_APPVERSION}" --progress=none __expand:POLICY_CHECK_EXTRA_OPTS +fi + +# TODO Add policy check output to job summary if doJobSummary; then # Collect scan/publish statuses for inclusion in job summary. SAST_SCAN_STATUS=$(printRunStatus "SAST_SCAN") diff --git a/internal/run-script/scripts/package.sh b/internal/run-script/scripts/package.sh index 0d4dd76..f6cc73e 100755 --- a/internal/run-script/scripts/package.sh 
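Review bot: The new policy-check block in fod-scan.sh targets the wrong product: it runs `"${FCLI_CMD}" ssc action run … --av "${SSC_APPVERSION}"`, but this script only has an FoD session and `SSC_APPVERSION` is never set in the FoD flow, so the check will fail (or, if the action tolerates an empty `--av`, evaluate nothing). Per the README text in this same commit the FoD variant must accept `--rel`, so the call should be `run "POLICY_CHECK" "${FCLI_CMD}" fod action run "${POLICY_CHECK_ACTION}" --rel "${FOD_RELEASE}" --progress=none __expand:POLICY_CHECK_EXTRA_OPTS`. Note also that the README documents the inputs as `CHECK_POLICY_ACTION`/`CHECK_POLICY_EXTRA_OPTS` while the scripts read `POLICY_CHECK_ACTION`/`POLICY_CHECK_EXTRA_OPTS`, so a user following the docs silently gets no policy check at all. Finally, the block runs even when `SAST_SCAN` did not succeed; without an `ifRun "SAST_SCAN" &&` guard like the one on `wait-for`, the custom action evaluates whatever results already exist on the release and can report a pass for a scan that never ran.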
+++ b/internal/run-script/scripts/package.sh @@ -4,6 +4,6 @@ requireScanCentralClient checkRequirements -run "PACKAGE" "${SC_CLIENT_CMD}" package -o package.zip __expand:EXTRA_PACKAGE_OPTS +run "PACKAGE" "${SC_CLIENT_CMD}" package -o package.zip __expand:EXTRA_PACKAGE_OPTS __expand:PACKAGE_EXTRA_OPTS printRunSummary failOnError diff --git a/internal/run-script/scripts/sc-sast-and-debricked-scan.sh b/internal/run-script/scripts/sc-sast-and-debricked-scan.sh index 90f9462..e4a1f82 100755 --- a/internal/run-script/scripts/sc-sast-and-debricked-scan.sh +++ b/internal/run-script/scripts/sc-sast-and-debricked-scan.sh @@ -22,7 +22,7 @@ export NO_COLOR=true if [ "${DO_SC_SAST_SCAN}" == "true" ]; then run "SAST_SCAN" "${FCLI_CMD}" sc-sast scan start \ --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" \ - --store sc_sast_scan __expand:EXTRA_SC_SAST_SCAN_OPTS + --store sc_sast_scan __expand:EXTRA_SC_SAST_SCAN_OPTS __expand:SC_SAST_SCAN_EXTRA_OPTS fi if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then # Debricked may return non-zero exit code on automation rule failures, in which case @@ -43,6 +43,12 @@ fi # Collect Debricked scan output DEBRICKED_SCAN_RESULTS=$(printOutput DEBRICKED_SCAN stdout | fgrep -e '───' -e '│' -e 'vulnerabilities found' -e 'For full details') +if doPolicyCheck; then + run "POLICY_CHECK" "${FCLI_CMD}" ssc action run "${POLICY_CHECK_ACTION}" \ + --av "${SSC_APPVERSION}" --progress=none __expand:POLICY_CHECK_EXTRA_OPTS +fi + +# TODO Add policy check output to job summary if doJobSummary; then # Collect scan/publish statuses for inclusion in job summary. SAST_SCAN_STATUS=$(printRunStatus "SAST_SCAN") diff --git a/internal/run-script/scripts/sc-sast-login.sh b/internal/run-script/scripts/sc-sast-login.sh index c7c9b45..5e8c6eb 100755 --- a/internal/run-script/scripts/sc-sast-login.sh +++ b/internal/run-script/scripts/sc-sast-login.sh 
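Review bot: In the sc-sast-and-debricked-scan.sh policy-check hunk the custom action is invoked unconditionally after the scans, with no check that `SAST_SCAN` (or the Debricked upload) actually succeeded and published, so a failed or unpublished scan leaves the app version at its previous state and the policy check can pass against stale findings; consider guarding it, e.g. `ifRun "SAST_SCAN" && run "POLICY_CHECK" …`, or explicitly failing the step when the scan run status is not success. Since `POLICY_CHECK_ACTION` may be a URL and the README in this commit says `POLICY_CHECK_EXTRA_OPTS` may carry options that allow unsigned actions, this step executes whatever fcli action that URL serves in CI with a live SSC session; a short comment here recommending a repository-local or signed action, and pinning any URL, would help reviewers of workflows that use it. Whether a non-zero exit from the policy check fails the job depends on `failOnError`/summary handling outside this hunk, so that should be confirmed and documented next to the `# TODO` line.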
@@ -7,7 +7,7 @@ requireVar "SC_SAST_TOKEN" requireVar "SSC_TOKEN" checkRequirements -run "SC_SAST_LOGIN" "${FCLI_CMD}" sc-sast session login --ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" __expand:EXTRA_SC_SAST_LOGIN_OPTS +run "SC_SAST_LOGIN" "${FCLI_CMD}" sc-sast session login --ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" __expand:EXTRA_SC_SAST_LOGIN_OPTS __expand:SC_SAST_LOGIN_EXTRA_OPTS printRunSummary failOnError echo '_SC_SAST_LOGGED_IN=true' >> $GITHUB_ENV \ No newline at end of file diff --git a/internal/run-script/scripts/ssc-login.sh b/internal/run-script/scripts/ssc-login.sh index fd061d6..b4bf3fc 100755 --- a/internal/run-script/scripts/ssc-login.sh +++ b/internal/run-script/scripts/ssc-login.sh @@ -8,9 +8,9 @@ requireIfVar "SSC_USER" "SSC_PASSWORD" checkRequirements if [ -n "${SSC_TOKEN}" ]; then - run "SSC_LOGIN" "${FCLI_CMD}" ssc session login --url "${SSC_URL}" -t "${SSC_TOKEN}" __expand:EXTRA_SSC_LOGIN_OPTS + run "SSC_LOGIN" "${FCLI_CMD}" ssc session login --url "${SSC_URL}" -t "${SSC_TOKEN}" __expand:EXTRA_SSC_LOGIN_OPTS __expand:SSC_LOGIN_EXTRA_OPTS else - run "SSC_LOGIN" "${FCLI_CMD}" ssc session login --url "${SSC_URL}" -u "${SSC_USER}" -p "${SSC_PASSWORD}" __expand:EXTRA_SSC_LOGIN_OPTS + run "SSC_LOGIN" "${FCLI_CMD}" ssc session login --url "${SSC_URL}" -u "${SSC_USER}" -p "${SSC_PASSWORD}" __expand:EXTRA_SSC_LOGIN_OPTS __expand:SSC_LOGIN_EXTRA_OPTS fi printRunSummary diff --git a/package/README.md b/package/README.md index a824b81..6e852a6 100644 --- a/package/README.md +++ b/package/README.md 
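Review bot: In the ssc-login.sh hunk both `__expand:EXTRA_SSC_LOGIN_OPTS` and `__expand:SSC_LOGIN_EXTRA_OPTS` are appended to the same command line, so a workflow that sets both names during migration passes each option twice, which fcli may reject or resolve last-wins without any indication to the user, and nothing signals that the old name is deprecated. A one-line warning before the `if` would make the deprecation visible in the job log: `[ -n "${EXTRA_SSC_LOGIN_OPTS}" ] && echo "::warning::EXTRA_SSC_LOGIN_OPTS is deprecated; use SSC_LOGIN_EXTRA_OPTS"`. The same applies to the sibling login and scan scripts changed in this commit.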
@@ -33,10 +33,10 @@ This action assumes the standard software packages as provided by GitHub-hosted -**`EXTRA_PACKAGE_OPTS`** - OPTIONAL -By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options. +**`EXTRA_PACKAGE_OPTS` (deprecated), `PACKAGE_EXTRA_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `PACKAGE_EXTRA_OPTS` environment variable to specify additional packaging options. -As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. +As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `PACKAGE_EXTRA_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. 
@@ -63,7 +63,7 @@ The sample workflow below demonstrates how to configure the action for running a - name: Package source code uses: fortify/github-action/package@v1 env: - # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml + # PACKAGE_EXTRA_OPTS: -bf custom-pom.xml # TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip ``` diff --git a/sc-sast-scan/README.md b/sc-sast-scan/README.md index 978b2a1..d1ef014 100644 --- a/sc-sast-scan/README.md +++ b/sc-sast-scan/README.md @@ -63,7 +63,7 @@ Required when authenticating with SSC user credentials. -**`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_SSC_LOGIN_OPTS` (deprecated), `SSC_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-ssc-session-login.html). @@ -75,7 +75,7 @@ Extra SSC login options, for example for disabling SSL checks or changing connec **`SC_SAST_TOKEN`** - REQUIRED Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller. -**`EXTRA_SC_SAST_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_SC_SAST_LOGIN_OPTS` (deprecated), `SC_SAST_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli sc-sast session login` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-sc-sast-session-login.html). 
@@ -99,10 +99,10 @@ Fortify SSC application version to use with this action. This can be specified e -**`EXTRA_PACKAGE_OPTS`** - OPTIONAL -By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options. +**`EXTRA_PACKAGE_OPTS` (deprecated), `PACKAGE_EXTRA_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `PACKAGE_EXTRA_OPTS` environment variable to specify additional packaging options. -As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. +As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf ` option using the `PACKAGE_EXTRA_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options. 
@@ -110,7 +110,7 @@ As an example, if the build file that you want to use for packaging doesn't adhe **`SC_SAST_SENSOR_VERSION`** - REQUIRED Version of the ScanCentral SAST sensor on which the scan should be performed. See [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-sc-sast-scan-start.html#_options_for_scanning_a_package_file) for details. -**`EXTRA_SC_SAST_SCAN_OPTS`** - OPTIONAL +**`EXTRA_SC_SAST_SCAN_OPTS` (deprecated), `SC_SAST_SCAN_EXTRA_OPTS`** - OPTIONAL Extra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-sc-sast-scan-start.html) @@ -123,6 +123,15 @@ By default, this action will not wait until scans have been completed. To have t + + +**`CHECK_POLICY_ACTION`, `CHECK_POLICY_EXTRA_OPTS`** - OPTIONAL +These inputs allow for running policy checks after scan completion. As security policies are different for every Fortify customer, we don't provide a default policy check action. `POLICY_CHECK_ACTION` may point to a local file or URL; this custom fcli action must accept at least the `--av` (for SSC) or `--rel` (for FoD) option. Any extra options for this custom fcli action can be passed through the `CHECK_POLICY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used. Please see https://fortify.github.io/fcli/v2.6.0/#_actions for more information. + + + + + **`DO_JOB_SUMMARY`, `JOB_SUMMARY_ACTION`, `JOB_SUMMARY_EXTRA_OPTS`** - OPTIONAL 
@@ -186,11 +195,11 @@ The sample workflow below demonstrates how to configure the action for running a env: SSC_URL: ${{vars.SSC_URL}} SSC_TOKEN: ${{secrets.SSC_TOKEN}} - # EXTRA_SSC_LOGIN_OPTS: --socket-timeout=60s + # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s SC_SAST_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}} - # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s + # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # SSC_APPVERSION: MyApp:MyVersion - # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml + # PACKAGE_EXTRA_OPTS: -bf custom-pom.xml SC_SAST_SENSOR_VERSION: 23.2 # DO_DEBRICKED_SCAN: true # Or debricked-sca-scan input on top-level action # DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} diff --git a/ssc-debricked-scan/README.md b/ssc-debricked-scan/README.md index 2d02b0f..3a1d020 100644 --- a/ssc-debricked-scan/README.md +++ b/ssc-debricked-scan/README.md @@ -63,7 +63,7 @@ Required when authenticating with SSC user credentials. -**`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL +**`EXTRA_SSC_LOGIN_OPTS` (deprecated), `SSC_LOGIN_EXTRA_OPTS`** - OPTIONAL Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-ssc-session-login.html). 
@@ -91,6 +91,15 @@ By default, this action will not wait until scans have been completed. To have t + + +**`CHECK_POLICY_ACTION`, `CHECK_POLICY_EXTRA_OPTS`** - OPTIONAL +These inputs allow for running policy checks after scan completion. As security policies are different for every Fortify customer, we don't provide a default policy check action. `POLICY_CHECK_ACTION` may point to a local file or URL; this custom fcli action must accept at least the `--av` (for SSC) or `--rel` (for FoD) option. Any extra options for this custom fcli action can be passed through the `CHECK_POLICY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used. Please see https://fortify.github.io/fcli/v2.6.0/#_actions for more information. + + + + + **`DO_JOB_SUMMARY`, `JOB_SUMMARY_ACTION`, `JOB_SUMMARY_EXTRA_OPTS`** - OPTIONAL @@ -143,7 +152,7 @@ The sample workflow below demonstrates how to configure the action for running a env: SSC_URL: ${{vars.SSC_URL}} SSC_TOKEN: ${{secrets.SSC_TOKEN}} - # EXTRA_SSC_LOGIN_OPTS: --socket-timeout=60s + # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # SSC_APPVERSION: MyApp:MyVersion DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # DO_WAIT: true