From ed0cddd610067c63eae65a6301f8d78c01533211 Mon Sep 17 00:00:00 2001 From: Ruud Senden <8635138+rsenden@users.noreply.github.com> Date: Tue, 31 Oct 2023 12:55:23 +0100 Subject: [PATCH] chore: Update docs, add internal action --- README.md | 230 ++++++++++-------- doc-resources/env-fod-connection.md | 8 +- doc-resources/env-fod-login.md | 4 +- doc-resources/env-fod-release.md | 4 +- doc-resources/env-fod-sast-scan.md | 9 +- doc-resources/env-package.md | 4 +- doc-resources/env-sc-sast-login.md | 6 +- doc-resources/env-sc-sast-scan.md | 10 +- doc-resources/env-ssc-appversion.md | 4 +- doc-resources/env-ssc-connection.md | 8 +- doc-resources/env-ssc-login.md | 4 +- doc-resources/env-wait-export.md | 5 + .../nocomments.env-fod-login-sample.md | 2 +- .../nocomments.env-fod-package-sample.md | 2 +- .../nocomments.env-fod-release-sample.md | 2 +- .../nocomments.env-fod-sast-scan-sample.md | 4 +- .../nocomments.env-package-sample.md | 2 +- .../nocomments.env-sc-sast-login-sample.md | 2 +- .../nocomments.env-sc-sast-scan-sample.md | 4 +- .../nocomments.env-ssc-appversion-sample.md | 2 +- fod-export/README.md | 14 +- fod-sast-scan/README.md | 48 ++-- internal/set-ssc-var-defaults/action.yml | 20 ++ package/README.md | 6 +- sc-sast-scan/README.md | 50 ++-- ssc-export/README.md | 14 +- 26 files changed, 261 insertions(+), 207 deletions(-) create mode 100644 doc-resources/env-wait-export.md create mode 100644 internal/set-ssc-var-defaults/action.yml diff --git a/README.md b/README.md index 8888e12..18a63bf 100644 --- a/README.md +++ b/README.md 
@@ -62,20 +62,20 @@ If not specified or when set to false, no SAST scan will be performed. When set -**`FOD_URL`** -Required: Fortify on Demand URL, for example https://ams.fortify.com +**`FOD_URL`** - REQUIRED +(REQUIRED) Fortify on Demand URL, for example https://ams.fortify.com -**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** +**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** - REQUIRED* Required when authenticating with an API key: FoD Client ID (API key) and Secret (API secret) -**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** +**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** - REQUIRED* Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. -**`EXTRA_FOD_LOGIN_OPTS`** -Optional: Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-session-login.html) +**`EXTRA_FOD_LOGIN_OPTS`** - OPTIONAL +Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-session-login.html) @@ -83,8 +83,8 @@ Optional: Extra FoD login options, for example for disabling SSL checks or chang -**`FOD_RELEASE`** -Required: Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `:` (for non-microservices applications) or `::` (for microservices applications). +**`FOD_RELEASE`** - OPTIONAL +Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `:` (for non-microservices applications) or `::` (for microservices applications). Default value is [`${{ github.action_repository }}:${{ github.action_ref }}`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. 
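Review bot: In the `@@ -62,20` hunk the `FOD_URL` entry now says REQUIRED twice: the heading gains `- REQUIRED` while the description keeps `(REQUIRED) Fortify on Demand URL`; every other entry in this hunk dropped its inline `Required:`/`Optional:` prefix once the heading suffix was added, so drop `(REQUIRED)` here too (the same duplicated text appears at `@@ -358` and `@@ -443` and in `doc-resources/env-fod-connection.md`, which looks like the source the README is generated from, so fix it there). The `REQUIRED*` suffix on the API-key and user-credential entries also has no matching footnote anywhere in the patch; add a one-line legend under the list, for example `* exactly one of the marked credential sets must be provided`, otherwise the asterisk tells the reader nothing.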
@@ -92,20 +92,26 @@ Required: Fortify on Demand release to use with this action. This can be specifi -**`EXTRA_PACKAGE_OPTS`** -Optional: By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-bt none` to disable automatic build tool detection, or `-oss` to collect additional files for an open-source scan (FoD only). +**`EXTRA_PACKAGE_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-oss` to collect additional files for an open-source scan (FoD only). -**`EXTRA_FOD_SAST_SCAN_OPTS`** -Optional: Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-sast-scan-start.html) +**`EXTRA_FOD_SAST_SCAN_OPTS`** - OPTIONAL +Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-sast-scan-start.html) -**`DO_WAIT`** -Optional: By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. -**`DO_EXPORT`** -Optional: If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. + + +**`DO_WAIT`** - OPTIONAL +By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. + +**`DO_EXPORT`** - OPTIONAL +If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. 
Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. + + + @@ -122,23 +128,23 @@ Optional: If set to `true`, this action will export scan results to the GitHub S -**`SSC_URL`** -(Required) Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/ +**`SSC_URL`** - REQUIRED +Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/ -**`SSC_TOKEN`** +**`SSC_TOKEN`** - REQUIRED* Required when authenticating with an SSC token (recommended). Most actions should work fine with a `CIToken`. -**`SSC_USER` & `SSC_PASSWORD`** +**`SSC_USER` & `SSC_PASSWORD`** - REQUIRED* Required when authenticating with user credentials. -**`SC_SAST_CLIENT_AUTH_TOKEN`** +**`SC_SAST_CLIENT_AUTH_TOKEN`** - REQUIRED Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller. -**`EXTRA_SC_SAST_LOGIN_OPTS`** -Optional: Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli sc-sast session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-sc-sast-session-login.html). +**`EXTRA_SC_SAST_LOGIN_OPTS`** - OPTIONAL +Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli sc-sast session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-sc-sast-session-login.html). 
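Review bot: The `@@ -92,20` hunk leaves three consecutive empty `+` lines between the `EXTRA_FOD_SAST_SCAN_OPTS` entry and the new `DO_WAIT` entry, and another run of three empty `+` lines after the `DO_EXPORT` paragraph, so the rendered README gets four-line gaps where every other entry is separated by one blank line. The source side of this patch replaces the two entries with `{{include:env-wait-export.md}}`, so the extra lines most likely come from the include template's surrounding blank lines; trim them in the template rather than in the generated README (the same gaps show up at `@@ -155`, `@@ -388` and `@@ -543`).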
@@ -146,8 +152,8 @@ Optional: Extra ScanCentral SAST login options, for example for disabling SSL ch -**`SSC_APPVERSION`** -Required: Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `:`. +**`SSC_APPVERSION`** - OPTIONAL +Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `:`. Default value is [`${{ github.action_repository }}:${{ github.action_ref }}`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. 
@@ -155,20 +161,26 @@ Required: Fortify SSC application version to use with this action. This can be s -**`EXTRA_PACKAGE_OPTS`** -Optional: By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-bt none` to disable automatic build tool detection, or `-oss` to collect additional files for an open-source scan (FoD only). +**`EXTRA_PACKAGE_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-oss` to collect additional files for an open-source scan (FoD only). -**`EXTRA_SC_SAST_SCAN_OPTS`** -Optional: Extra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-sc-sast-scan-start.html) +**`EXTRA_SC_SAST_SCAN_OPTS`** - OPTIONAL +xtra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-sc-sast-scan-start.html) + + + + +**`DO_WAIT`** - OPTIONAL +By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. + +**`DO_EXPORT`** - OPTIONAL +If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. -**`DO_WAIT`** -Optional: By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. 
Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. + -**`DO_EXPORT`** -Optional: If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. @@ -192,11 +204,11 @@ The sample workflows below demonstrate how to configure the action for running a FOD_TENANT: ${{secrets.FOD_TENANT}} FOD_USER: ${{secrets.FOD_USER}} FOD_PASSWORD: ${{secrets.FOD_PAT}} - EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s - FOD_RELEASE: MyApp:MyRelease - EXTRA_PACKAGE_OPTS: -oss -bt gradle - # DO_WAIT: true # Ignored due to DO_EXPORT below - DO_EXPORT: true + # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s + # FOD_RELEASE: MyApp:MyRelease + # EXTRA_PACKAGE_OPTS: -oss + # DO_WAIT: true + # DO_EXPORT: true ``` #### ScanCentral SAST @@ -213,11 +225,11 @@ The sample workflows below demonstrate how to configure the action for running a SSC_URL: ${{secrets.SSC_URL}} SSC_TOKEN: ${{secrets.SSC_TOKEN}} SC_SAST_CLIENT_AUTH_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}} - EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s - SSC_APPVERSION: MyApp:MyVersion - EXTRA_PACKAGE_OPTS: -bt mvn - # DO_WAIT: true # Ignored due to DO_EXPORT below - DO_EXPORT: true + # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s + # SSC_APPVERSION: MyApp:MyVersion + # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml + # DO_WAIT: true + # DO_EXPORT: true ``` ## setup action 
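Review bot: The `@@ -155,20` hunk introduces a typo, `+xtra ScanCentral SAST scan options`, while the `doc-resources/env-sc-sast-scan.md` hunk later in this same patch reads `Extra ScanCentral SAST scan options`, so the committed README was not regenerated from the current doc-resources; the same `xtra` appears again at `@@ -543`. Regenerate README.md from doc-resources before merging rather than hand-patching the typo, or the two will drift again.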
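Review bot: In the `@@ -192,11` sample (and identically at `@@ -213,11`, `@@ -421` and `@@ -575`) commenting out `DO_EXPORT: true` changes what the sample demonstrates: a reader who copies it now gets a fire-and-forget scan start with no wait and no upload to Code Scanning, which is the opposite of what the surrounding text promotes, and the old `# Ignored due to DO_EXPORT below` comment that explained the `DO_WAIT`/`DO_EXPORT` interaction is gone with it. Either keep `DO_EXPORT: true` active in the sample, or add a one-line comment next to the commented entries saying that all of them are optional and showing the default behaviour.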
@@ -308,8 +320,8 @@ This action packages application source code using [ScanCentral Client](https:// -**`EXTRA_PACKAGE_OPTS`** -Optional: By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-bt none` to disable automatic build tool detection, or `-oss` to collect additional files for an open-source scan (FoD only). +**`EXTRA_PACKAGE_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-oss` to collect additional files for an open-source scan (FoD only). @@ -325,7 +337,7 @@ The sample workflow below demonstrates how to configure the action for running a - name: Package source code uses: fortify/github-action/package@v1 env: - EXTRA_PACKAGE_OPTS: -bt mvn + # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml ``` 
@@ -358,20 +370,20 @@ Before running this action, please ensure that the appropriate release has been -**`FOD_URL`** -Required: Fortify on Demand URL, for example https://ams.fortify.com +**`FOD_URL`** - REQUIRED +(REQUIRED) Fortify on Demand URL, for example https://ams.fortify.com -**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** +**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** - REQUIRED* Required when authenticating with an API key: FoD Client ID (API key) and Secret (API secret) -**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** +**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** - REQUIRED* Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. -**`EXTRA_FOD_LOGIN_OPTS`** -Optional: Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-session-login.html) +**`EXTRA_FOD_LOGIN_OPTS`** - OPTIONAL +Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-session-login.html) @@ -379,8 +391,8 @@ Optional: Extra FoD login options, for example for disabling SSL checks or chang -**`FOD_RELEASE`** -Required: Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `:` (for non-microservices applications) or `::` (for microservices applications). +**`FOD_RELEASE`** - OPTIONAL +Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `:` (for non-microservices applications) or `::` (for microservices applications). Default value is [`${{ github.action_repository }}:${{ github.action_ref }}`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. 
@@ -388,20 +400,26 @@ Required: Fortify on Demand release to use with this action. This can be specifi -**`EXTRA_PACKAGE_OPTS`** -Optional: By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-bt none` to disable automatic build tool detection, or `-oss` to collect additional files for an open-source scan (FoD only). +**`EXTRA_PACKAGE_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-oss` to collect additional files for an open-source scan (FoD only). -**`EXTRA_FOD_SAST_SCAN_OPTS`** -Optional: Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-sast-scan-start.html) +**`EXTRA_FOD_SAST_SCAN_OPTS`** - OPTIONAL +Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-sast-scan-start.html) -**`DO_WAIT`** -Optional: By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. -**`DO_EXPORT`** -Optional: If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. + + +**`DO_WAIT`** - OPTIONAL +By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. + +**`DO_EXPORT`** - OPTIONAL +If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. 
Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. + + + @@ -421,11 +439,11 @@ The sample workflow below demonstrates how to configure the action for running a FOD_TENANT: ${{secrets.FOD_TENANT}} FOD_USER: ${{secrets.FOD_USER}} FOD_PASSWORD: ${{secrets.FOD_PAT}} - EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s - FOD_RELEASE: MyApp:MyRelease - EXTRA_PACKAGE_OPTS: -oss -bt gradle - # DO_WAIT: true # Ignored due to DO_EXPORT below - DO_EXPORT: true + # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s + # FOD_RELEASE: MyApp:MyRelease + # EXTRA_PACKAGE_OPTS: -oss + # DO_WAIT: true + # DO_EXPORT: true ``` @@ -443,13 +461,13 @@ This action exports the latest vulnerability data from an FoD release to the Git -**`FOD_URL`** -Required: Fortify on Demand URL, for example https://ams.fortify.com +**`FOD_URL`** - REQUIRED +(REQUIRED) Fortify on Demand URL, for example https://ams.fortify.com -**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** +**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** - REQUIRED* Required when authenticating with an API key: FoD Client ID (API key) and Secret (API secret) -**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** +**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** - REQUIRED* Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. 
@@ -458,8 +476,8 @@ Required when authenticating with user credentials: FoD tenant, user and passwor -**`FOD_RELEASE`** -Required: Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `:` (for non-microservices applications) or `::` (for microservices applications). +**`FOD_RELEASE`** - OPTIONAL +Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `:` (for non-microservices applications) or `::` (for microservices applications). Default value is [`${{ github.action_repository }}:${{ github.action_ref }}`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. @@ -477,7 +495,7 @@ The sample workflow below demonstrates how to configure the action for exporting FOD_TENANT: ${{secrets.FOD_TENANT}} FOD_USER: ${{secrets.FOD_USER}} FOD_PASSWORD: ${{secrets.FOD_PAT}} - FOD_RELEASE: MyApp:MyRelease + # FOD_RELEASE: MyApp:MyRelease ``` 
@@ -510,23 +528,23 @@ Before running this action, please ensure that the appropriate application versi -**`SSC_URL`** -(Required) Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/ +**`SSC_URL`** - REQUIRED +Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/ -**`SSC_TOKEN`** +**`SSC_TOKEN`** - REQUIRED* Required when authenticating with an SSC token (recommended). Most actions should work fine with a `CIToken`. -**`SSC_USER` & `SSC_PASSWORD`** +**`SSC_USER` & `SSC_PASSWORD`** - REQUIRED* Required when authenticating with user credentials. -**`SC_SAST_CLIENT_AUTH_TOKEN`** +**`SC_SAST_CLIENT_AUTH_TOKEN`** - REQUIRED Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller. -**`EXTRA_SC_SAST_LOGIN_OPTS`** -Optional: Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli sc-sast session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-sc-sast-session-login.html). +**`EXTRA_SC_SAST_LOGIN_OPTS`** - OPTIONAL +Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli sc-sast session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-sc-sast-session-login.html). 
@@ -534,8 +552,8 @@ Optional: Extra ScanCentral SAST login options, for example for disabling SSL ch -**`SSC_APPVERSION`** -Required: Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `:`. +**`SSC_APPVERSION`** - OPTIONAL +Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `:`. Default value is [`${{ github.action_repository }}:${{ github.action_ref }}`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. 
@@ -543,20 +561,26 @@ Required: Fortify SSC application version to use with this action. This can be s -**`EXTRA_PACKAGE_OPTS`** -Optional: By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-bt none` to disable automatic build tool detection, or `-oss` to collect additional files for an open-source scan (FoD only). +**`EXTRA_PACKAGE_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-oss` to collect additional files for an open-source scan (FoD only). -**`EXTRA_SC_SAST_SCAN_OPTS`** -Optional: Extra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-sc-sast-scan-start.html) +**`EXTRA_SC_SAST_SCAN_OPTS`** - OPTIONAL +xtra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-sc-sast-scan-start.html) + + + + +**`DO_WAIT`** - OPTIONAL +By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. + +**`DO_EXPORT`** - OPTIONAL +If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. -**`DO_WAIT`** -Optional: By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. 
Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. + -**`DO_EXPORT`** -Optional: If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. @@ -575,11 +599,11 @@ The sample workflow below demonstrates how to configure the action for running a SSC_URL: ${{secrets.SSC_URL}} SSC_TOKEN: ${{secrets.SSC_TOKEN}} SC_SAST_CLIENT_AUTH_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}} - EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s - SSC_APPVERSION: MyApp:MyVersion - EXTRA_PACKAGE_OPTS: -bt mvn - # DO_WAIT: true # Ignored due to DO_EXPORT below - DO_EXPORT: true + # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s + # SSC_APPVERSION: MyApp:MyVersion + # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml + # DO_WAIT: true + # DO_EXPORT: true ``` @@ -597,13 +621,13 @@ This action exports the latest vulnerability data from an SSC application versio -**`SSC_URL`** -(Required) Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/ +**`SSC_URL`** - REQUIRED +Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/ -**`SSC_TOKEN`** +**`SSC_TOKEN`** - REQUIRED* Required when authenticating with an SSC token (recommended). Most actions should work fine with a `CIToken`. -**`SSC_USER` & `SSC_PASSWORD`** +**`SSC_USER` & `SSC_PASSWORD`** - REQUIRED* Required when authenticating with user credentials. 
@@ -612,8 +636,8 @@ Required when authenticating with user credentials. -**`SSC_APPVERSION`** -Required: Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `:`. +**`SSC_APPVERSION`** - OPTIONAL +Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `:`. Default value is [`${{ github.action_repository }}:${{ github.action_ref }}`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. @@ -629,7 +653,7 @@ The sample workflow below demonstrates how to configure the action for exporting env: SSC_URL: ${{secrets.SSC_URL}} SSC_TOKEN: ${{secrets.SSC_TOKEN}} - SSC_APPVERSION: MyApp:MyVersion + # SSC_APPVERSION: MyApp:MyVersion ``` diff --git a/doc-resources/env-fod-connection.md b/doc-resources/env-fod-connection.md index fce5c8f..d2bf956 100644 --- a/doc-resources/env-fod-connection.md +++ b/doc-resources/env-fod-connection.md @@ -1,8 +1,8 @@ -**`FOD_URL`** -Required: Fortify on Demand URL, for example https://ams.fortify.com +**`FOD_URL`** - REQUIRED +(REQUIRED) Fortify on Demand URL, for example https://ams.fortify.com -**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** +**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** - REQUIRED* Required when authenticating with an API key: FoD Client ID (API key) and Secret (API secret) -**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** +**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** - REQUIRED* Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. \ No newline at end of file diff --git a/doc-resources/env-fod-login.md b/doc-resources/env-fod-login.md index aa50ffa..08aa1c1 100644 --- a/doc-resources/env-fod-login.md 
+++ b/doc-resources/env-fod-login.md @@ -1,4 +1,4 @@ {{include:env-fod-connection.md}} -**`EXTRA_FOD_LOGIN_OPTS`** -Optional: Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-fod-session-login.html) \ No newline at end of file +**`EXTRA_FOD_LOGIN_OPTS`** - OPTIONAL +Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-fod-session-login.html) \ No newline at end of file diff --git a/doc-resources/env-fod-release.md b/doc-resources/env-fod-release.md index 4998ad7..08ef2c9 100644 --- a/doc-resources/env-fod-release.md +++ b/doc-resources/env-fod-release.md @@ -1,2 +1,2 @@ -**`FOD_RELEASE`** -Required: Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `:` (for non-microservices applications) or `::` (for microservices applications). \ No newline at end of file +**`FOD_RELEASE`** - OPTIONAL +Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `:` (for non-microservices applications) or `::` (for microservices applications). Default value is [`${{ github.action_repository }}:${{ github.action_ref }}`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. \ No newline at end of file diff --git a/doc-resources/env-fod-sast-scan.md b/doc-resources/env-fod-sast-scan.md index c999394..be5d390 100644 --- a/doc-resources/env-fod-sast-scan.md +++ b/doc-resources/env-fod-sast-scan.md 
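Review bot: In the `doc-resources/env-fod-release.md` hunk the documented default `${{ github.action_repository }}:${{ github.action_ref }}` contradicts its own example `myOrg/myRepo:myBranch`: `github.action_repository` and `github.action_ref` identify the action being executed (the `fortify/github-action` repository and the ref it was pinned at, for example `v1`), not the repository and branch of the workflow that calls it. If the intent is the calling repository and branch, the contexts are `github.repository` and `github.ref_name`; confirm what `internal/set-ssc-var-defaults/action.yml` actually uses and make the text match. Worth a caveat either way: on `pull_request` triggers `github.ref_name` is not a branch name, so users will need to override the default there. The same text appears in `doc-resources/env-ssc-appversion.md` and in every README copy.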
@@ -5,11 +5,8 @@ {{include:env-package.md}} -**`EXTRA_FOD_SAST_SCAN_OPTS`** -Optional: Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-fod-sast-scan-start.html) +**`EXTRA_FOD_SAST_SCAN_OPTS`** - OPTIONAL +Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-fod-sast-scan-start.html) -**`DO_WAIT`** -Optional: By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. +{{include:env-wait-export.md}} -**`DO_EXPORT`** -Optional: If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. diff --git a/doc-resources/env-package.md b/doc-resources/env-package.md index 9cee466..951edac 100644 --- a/doc-resources/env-package.md +++ b/doc-resources/env-package.md @@ -1,2 +1,2 @@ -**`EXTRA_PACKAGE_OPTS`** -Optional: By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-bt none` to disable automatic build tool detection, or `-oss` to collect additional files for an open-source scan (FoD only). \ No newline at end of file +**`EXTRA_PACKAGE_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-oss` to collect additional files for an open-source scan (FoD only). \ No newline at end of file diff --git a/doc-resources/env-sc-sast-login.md b/doc-resources/env-sc-sast-login.md index d7b65e5..48696e1 100644 --- a/doc-resources/env-sc-sast-login.md +++ b/doc-resources/env-sc-sast-login.md 
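Review bot: The `doc-resources/env-package.md` hunk silently drops the `-bt none` example from the `EXTRA_PACKAGE_OPTS` description, and the sample hunks in this patch likewise replace `-oss -bt gradle` with `-oss` and `-bt mvn` with `-bf custom-pom.xml`, without saying why. If the action now selects the build tool itself, state that here (and whether `-bt` is still honoured when a user passes it); if it does not, removing the only build-tool example leaves users with no hint that `-bt` exists when auto-detection picks the wrong tool.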
@@ -1,7 +1,7 @@ {{include:env-ssc-connection.md}} -**`SC_SAST_CLIENT_AUTH_TOKEN`** +**`SC_SAST_CLIENT_AUTH_TOKEN`** - REQUIRED Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller. -**`EXTRA_SC_SAST_LOGIN_OPTS`** -Optional: Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli sc-sast session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-sc-sast-session-login.html). \ No newline at end of file +**`EXTRA_SC_SAST_LOGIN_OPTS`** - OPTIONAL +Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli sc-sast session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-sc-sast-session-login.html). \ No newline at end of file diff --git a/doc-resources/env-sc-sast-scan.md b/doc-resources/env-sc-sast-scan.md index 57918ed..5ec2b54 100644 --- a/doc-resources/env-sc-sast-scan.md +++ b/doc-resources/env-sc-sast-scan.md @@ -5,11 +5,7 @@ {{include:env-package.md}} -**`EXTRA_SC_SAST_SCAN_OPTS`** -Optional: Extra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-sc-sast-scan-start.html) +**`EXTRA_SC_SAST_SCAN_OPTS`** - OPTIONAL +Extra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-sc-sast-scan-start.html) -**`DO_WAIT`** -Optional: By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. - -**`DO_EXPORT`** -Optional: If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. +{{include:env-wait-export.md}} 
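Review bot: In the `doc-resources/env-sc-sast-login.md` hunk the `SC_SAST_CLIENT_AUTH_TOKEN` entry gets the `- REQUIRED` heading suffix but keeps the inline `Required:` prefix in its description, while the neighbouring `EXTRA_SC_SAST_LOGIN_OPTS` entry in the same hunk drops its `Optional:` prefix; remove `Required:` here for consistency with the rest of the patch (the README copies at `@@ -122` and `@@ -510` carry the same leftover).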
diff --git a/doc-resources/env-ssc-appversion.md b/doc-resources/env-ssc-appversion.md index 872f703..c47dcbf 100644 --- a/doc-resources/env-ssc-appversion.md +++ b/doc-resources/env-ssc-appversion.md @@ -1,2 +1,2 @@ -**`SSC_APPVERSION`** -Required: Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `:`. \ No newline at end of file +**`SSC_APPVERSION`** - OPTIONAL +Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `:`. Default value is [`${{ github.action_repository }}:${{ github.action_ref }}`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. \ No newline at end of file diff --git a/doc-resources/env-ssc-connection.md b/doc-resources/env-ssc-connection.md index 761a805..1ebfce3 100644 --- a/doc-resources/env-ssc-connection.md +++ b/doc-resources/env-ssc-connection.md @@ -1,8 +1,8 @@ -**`SSC_URL`** -(Required) Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/ +**`SSC_URL`** - REQUIRED +Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/ -**`SSC_TOKEN`** +**`SSC_TOKEN`** - REQUIRED* Required when authenticating with an SSC token (recommended). Most actions should work fine with a `CIToken`. -**`SSC_USER` & `SSC_PASSWORD`** +**`SSC_USER` & `SSC_PASSWORD`** - REQUIRED* Required when authenticating with user credentials. \ No newline at end of file diff --git a/doc-resources/env-ssc-login.md b/doc-resources/env-ssc-login.md index 0244f78..f93dba5 100644 --- a/doc-resources/env-ssc-login.md +++ b/doc-resources/env-ssc-login.md 
@@ -1,4 +1,4 @@ {{include:env-ssc-connection.md}} -**`EXTRA_SSC_LOGIN_OPTS`** -Optional: Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-ssc-session-login.html). \ No newline at end of file +**`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL +Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-ssc-session-login.html). \ No newline at end of file diff --git a/doc-resources/env-wait-export.md b/doc-resources/env-wait-export.md new file mode 100644 index 0000000..0fd02a5 --- /dev/null +++ b/doc-resources/env-wait-export.md @@ -0,0 +1,5 @@ +**`DO_WAIT`** - OPTIONAL +By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. + +**`DO_EXPORT`** - OPTIONAL +If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. diff --git a/doc-resources/nocomments.env-fod-login-sample.md b/doc-resources/nocomments.env-fod-login-sample.md index 403b273..25727ef 100644 --- a/doc-resources/nocomments.env-fod-login-sample.md +++ b/doc-resources/nocomments.env-fod-login-sample.md @@ -1,2 +1,2 @@ {{include:nocomments.env-fod-connection-sample.md}} - EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s \ No newline at end of file + # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s \ No newline at end of file 
diff --git a/doc-resources/nocomments.env-fod-package-sample.md b/doc-resources/nocomments.env-fod-package-sample.md index 99b91de..d51c0f9 100644 --- a/doc-resources/nocomments.env-fod-package-sample.md +++ b/doc-resources/nocomments.env-fod-package-sample.md @@ -1 +1 @@ - EXTRA_PACKAGE_OPTS: -oss -bt gradle \ No newline at end of file + # EXTRA_PACKAGE_OPTS: -oss \ No newline at end of file diff --git a/doc-resources/nocomments.env-fod-release-sample.md b/doc-resources/nocomments.env-fod-release-sample.md index 8a21bba..a82a186 100644 --- a/doc-resources/nocomments.env-fod-release-sample.md +++ b/doc-resources/nocomments.env-fod-release-sample.md @@ -1 +1 @@ - FOD_RELEASE: MyApp:MyRelease \ No newline at end of file + # FOD_RELEASE: MyApp:MyRelease \ No newline at end of file diff --git a/doc-resources/nocomments.env-fod-sast-scan-sample.md b/doc-resources/nocomments.env-fod-sast-scan-sample.md index 798e6e2..eff0ec4 100644 --- a/doc-resources/nocomments.env-fod-sast-scan-sample.md +++ b/doc-resources/nocomments.env-fod-sast-scan-sample.md @@ -1,5 +1,5 @@ {{include:nocomments.env-fod-login-sample.md}} {{include:nocomments.env-fod-release-sample.md}} {{include:nocomments.env-fod-package-sample.md}} - # DO_WAIT: true # Ignored due to DO_EXPORT below - DO_EXPORT: true \ No newline at end of file + # DO_WAIT: true + # DO_EXPORT: true \ No newline at end of file diff --git a/doc-resources/nocomments.env-package-sample.md b/doc-resources/nocomments.env-package-sample.md index ac7a852..4b0ee7c 100644 --- a/doc-resources/nocomments.env-package-sample.md +++ b/doc-resources/nocomments.env-package-sample.md @@ -1 +1 @@ - EXTRA_PACKAGE_OPTS: -bt mvn \ No newline at end of file + # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml \ No newline at end of file diff --git a/doc-resources/nocomments.env-sc-sast-login-sample.md b/doc-resources/nocomments.env-sc-sast-login-sample.md index c0c2c05..664c2f8 100644 --- a/doc-resources/nocomments.env-sc-sast-login-sample.md 
+++ b/doc-resources/nocomments.env-sc-sast-login-sample.md @@ -1,3 +1,3 @@ {{include:nocomments.env-ssc-connection-sample.md}} SC_SAST_CLIENT_AUTH_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}} - EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s \ No newline at end of file + # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s \ No newline at end of file diff --git a/doc-resources/nocomments.env-sc-sast-scan-sample.md b/doc-resources/nocomments.env-sc-sast-scan-sample.md index e3d525f..765f60a 100644 --- a/doc-resources/nocomments.env-sc-sast-scan-sample.md +++ b/doc-resources/nocomments.env-sc-sast-scan-sample.md @@ -1,5 +1,5 @@ {{include:nocomments.env-sc-sast-login-sample.md}} {{include:nocomments.env-ssc-appversion-sample.md}} {{include:nocomments.env-package-sample.md}} - # DO_WAIT: true # Ignored due to DO_EXPORT below - DO_EXPORT: true \ No newline at end of file + # DO_WAIT: true + # DO_EXPORT: true \ No newline at end of file diff --git a/doc-resources/nocomments.env-ssc-appversion-sample.md b/doc-resources/nocomments.env-ssc-appversion-sample.md index e76f0cc..903c00e 100644 --- a/doc-resources/nocomments.env-ssc-appversion-sample.md +++ b/doc-resources/nocomments.env-ssc-appversion-sample.md @@ -1 +1 @@ - SSC_APPVERSION: MyApp:MyVersion \ No newline at end of file + # SSC_APPVERSION: MyApp:MyVersion \ No newline at end of file diff --git a/fod-export/README.md b/fod-export/README.md index a09db92..a0b3cb3 100644 --- a/fod-export/README.md +++ b/fod-export/README.md 
@@ -18,13 +18,13 @@ This action exports the latest vulnerability data from an FoD release to the Git -**`FOD_URL`** -Required: Fortify on Demand URL, for example https://ams.fortify.com +**`FOD_URL`** - REQUIRED +(REQUIRED) Fortify on Demand URL, for example https://ams.fortify.com -**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** +**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** - REQUIRED* Required when authenticating with an API key: FoD Client ID (API key) and Secret (API secret) -**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** +**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** - REQUIRED* Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. @@ -33,8 +33,8 @@ Required when authenticating with user credentials: FoD tenant, user and passwor -**`FOD_RELEASE`** -Required: Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `:` (for non-microservices applications) or `::` (for microservices applications). +**`FOD_RELEASE`** - OPTIONAL +Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `:` (for non-microservices applications) or `::` (for microservices applications). Default value is [`${{ github.action_repository }}:${{ github.action_ref }}`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. @@ -52,7 +52,7 @@ The sample workflow below demonstrates how to configure the action for exporting FOD_TENANT: ${{secrets.FOD_TENANT}} FOD_USER: ${{secrets.FOD_USER}} FOD_PASSWORD: ${{secrets.FOD_PAT}} - FOD_RELEASE: MyApp:MyRelease + # FOD_RELEASE: MyApp:MyRelease ``` diff --git a/fod-sast-scan/README.md b/fod-sast-scan/README.md index d362009..a34abc9 100644 --- a/fod-sast-scan/README.md +++ b/fod-sast-scan/README.md 
@@ -33,20 +33,20 @@ Before running this action, please ensure that the appropriate release has been -**`FOD_URL`** -Required: Fortify on Demand URL, for example https://ams.fortify.com +**`FOD_URL`** - REQUIRED +(REQUIRED) Fortify on Demand URL, for example https://ams.fortify.com -**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** +**`FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`** - REQUIRED* Required when authenticating with an API key: FoD Client ID (API key) and Secret (API secret) -**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** +**`FOD_TENANT`, `FOD_USER` & `FOD_PASSWORD`** - REQUIRED* Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. -**`EXTRA_FOD_LOGIN_OPTS`** -Optional: Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-session-login.html) +**`EXTRA_FOD_LOGIN_OPTS`** - OPTIONAL +Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-session-login.html) @@ -54,8 +54,8 @@ Optional: Extra FoD login options, for example for disabling SSL checks or chang -**`FOD_RELEASE`** -Required: Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `:` (for non-microservices applications) or `::` (for microservices applications). +**`FOD_RELEASE`** - OPTIONAL +Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `:` (for non-microservices applications) or `::` (for microservices applications). Default value is [`${{ github.action_repository }}:${{ github.action_ref }}`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. 
@@ -63,20 +63,26 @@ Required: Fortify on Demand release to use with this action. This can be specifi -**`EXTRA_PACKAGE_OPTS`** -Optional: By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-bt none` to disable automatic build tool detection, or `-oss` to collect additional files for an open-source scan (FoD only). +**`EXTRA_PACKAGE_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-oss` to collect additional files for an open-source scan (FoD only). -**`EXTRA_FOD_SAST_SCAN_OPTS`** -Optional: Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-sast-scan-start.html) +**`EXTRA_FOD_SAST_SCAN_OPTS`** - OPTIONAL +Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-fod-sast-scan-start.html) -**`DO_WAIT`** -Optional: By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. -**`DO_EXPORT`** -Optional: If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. + + +**`DO_WAIT`** - OPTIONAL +By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. + +**`DO_EXPORT`** - OPTIONAL +If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. 
Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. + + + @@ -96,11 +102,11 @@ The sample workflow below demonstrates how to configure the action for running a FOD_TENANT: ${{secrets.FOD_TENANT}} FOD_USER: ${{secrets.FOD_USER}} FOD_PASSWORD: ${{secrets.FOD_PAT}} - EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s - FOD_RELEASE: MyApp:MyRelease - EXTRA_PACKAGE_OPTS: -oss -bt gradle - # DO_WAIT: true # Ignored due to DO_EXPORT below - DO_EXPORT: true + # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s + # FOD_RELEASE: MyApp:MyRelease + # EXTRA_PACKAGE_OPTS: -oss + # DO_WAIT: true + # DO_EXPORT: true ``` diff --git a/internal/set-ssc-var-defaults/action.yml b/internal/set-ssc-var-defaults/action.yml new file mode 100644 index 0000000..b067710 --- /dev/null +++ b/internal/set-ssc-var-defaults/action.yml @@ -0,0 +1,20 @@ +name: 'Set default values' +description: 'Set default values for SSC environment variables like SSC_APPVERSION' +author: 'Fortify' +runs: + using: composite + steps: + - if: ${{ !env.SSC_APPVERSION }} + run: | + export SSC_APPVERSION="${APP}:${V}" + echo SSC_APPVERSION=$SSC_APPVERSION >> $GITHUB_ENV + echo "Configured default value for SSC_APPVERSION: ${SSC_APPVERSION}" + shell: bash + env: + APP: ${{ github.action_repository }} + V: ${{ github.action_ref }} + +branding: + icon: 'shield' + color: 'blue' + diff --git a/package/README.md b/package/README.md index dd77853..9e9ea23 100644 --- a/package/README.md +++ b/package/README.md 
@@ -18,8 +18,8 @@ This action packages application source code using [ScanCentral Client](https:// -**`EXTRA_PACKAGE_OPTS`** -Optional: By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-bt none` to disable automatic build tool detection, or `-oss` to collect additional files for an open-source scan (FoD only). +**`EXTRA_PACKAGE_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-oss` to collect additional files for an open-source scan (FoD only). @@ -35,7 +35,7 @@ The sample workflow below demonstrates how to configure the action for running a - name: Package source code uses: fortify/github-action/package@v1 env: - EXTRA_PACKAGE_OPTS: -bt mvn + # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml ``` diff --git a/sc-sast-scan/README.md b/sc-sast-scan/README.md index caccd57..4ec9681 100644 --- a/sc-sast-scan/README.md +++ b/sc-sast-scan/README.md 
@@ -33,23 +33,23 @@ Before running this action, please ensure that the appropriate application versi -**`SSC_URL`** -(Required) Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/ +**`SSC_URL`** - REQUIRED +Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/ -**`SSC_TOKEN`** +**`SSC_TOKEN`** - REQUIRED* Required when authenticating with an SSC token (recommended). Most actions should work fine with a `CIToken`. -**`SSC_USER` & `SSC_PASSWORD`** +**`SSC_USER` & `SSC_PASSWORD`** - REQUIRED* Required when authenticating with user credentials. -**`SC_SAST_CLIENT_AUTH_TOKEN`** +**`SC_SAST_CLIENT_AUTH_TOKEN`** - REQUIRED Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller. -**`EXTRA_SC_SAST_LOGIN_OPTS`** -Optional: Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli sc-sast session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-sc-sast-session-login.html). +**`EXTRA_SC_SAST_LOGIN_OPTS`** - OPTIONAL +Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli sc-sast session login` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-sc-sast-session-login.html). 
@@ -57,8 +57,8 @@ Optional: Extra ScanCentral SAST login options, for example for disabling SSL ch -**`SSC_APPVERSION`** -Required: Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `:`. +**`SSC_APPVERSION`** - OPTIONAL +Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `:`. Default value is [`${{ github.action_repository }}:${{ github.action_ref }}`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. 
@@ -66,20 +66,26 @@ Required: Fortify SSC application version to use with this action. This can be s -**`EXTRA_PACKAGE_OPTS`** -Optional: By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-bt none` to disable automatic build tool detection, or `-oss` to collect additional files for an open-source scan (FoD only). +**`EXTRA_PACKAGE_OPTS`** - OPTIONAL +By default, this action runs `scancentral package -o package.zip`. The `EXTRA_PACKAGE_OPTS` environment variable can be used to specify additional packaging options like `-oss` to collect additional files for an open-source scan (FoD only). -**`EXTRA_SC_SAST_SCAN_OPTS`** -Optional: Extra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-sc-sast-scan-start.html) +**`EXTRA_SC_SAST_SCAN_OPTS`** - OPTIONAL +xtra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.0.0//manpage/fcli-sc-sast-scan-start.html) -**`DO_WAIT`** -Optional: By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. -**`DO_EXPORT`** -Optional: If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. + + +**`DO_WAIT`** - OPTIONAL +By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below. + +**`DO_EXPORT`** - OPTIONAL +If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. 
Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. + + + @@ -98,11 +104,11 @@ The sample workflow below demonstrates how to configure the action for running a SSC_URL: ${{secrets.SSC_URL}} SSC_TOKEN: ${{secrets.SSC_TOKEN}} SC_SAST_CLIENT_AUTH_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}} - EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s - SSC_APPVERSION: MyApp:MyVersion - EXTRA_PACKAGE_OPTS: -bt mvn - # DO_WAIT: true # Ignored due to DO_EXPORT below - DO_EXPORT: true + # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s + # SSC_APPVERSION: MyApp:MyVersion + # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml + # DO_WAIT: true + # DO_EXPORT: true ``` diff --git a/ssc-export/README.md b/ssc-export/README.md index 8427c53..6498546 100644 --- a/ssc-export/README.md +++ b/ssc-export/README.md @@ -18,13 +18,13 @@ This action exports the latest vulnerability data from an SSC application versio -**`SSC_URL`** -(Required) Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/ +**`SSC_URL`** - REQUIRED +Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/ -**`SSC_TOKEN`** +**`SSC_TOKEN`** - REQUIRED* Required when authenticating with an SSC token (recommended). Most actions should work fine with a `CIToken`. -**`SSC_USER` & `SSC_PASSWORD`** +**`SSC_USER` & `SSC_PASSWORD`** - REQUIRED* Required when authenticating with user credentials. 
@@ -33,8 +33,8 @@ Required when authenticating with user credentials. -**`SSC_APPVERSION`** -Required: Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `:`. +**`SSC_APPVERSION`** - OPTIONAL +Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format `:`. Default value is [`${{ github.action_repository }}:${{ github.action_ref }}`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. @@ -50,7 +50,7 @@ The sample workflow below demonstrates how to configure the action for exporting env: SSC_URL: ${{secrets.SSC_URL}} SSC_TOKEN: ${{secrets.SSC_TOKEN}} - SSC_APPVERSION: MyApp:MyVersion + # SSC_APPVERSION: MyApp:MyVersion ```
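Review bot: In the `doc-resources/env-sc-sast-login.md` hunk and again in `sc-sast-scan/README.md`, the `SC_SAST_CLIENT_AUTH_TOKEN` body still opens with "Required: ScanCentral SAST Client Authentication Token ..." even though the header line now carries "- REQUIRED", so the requirement is stated twice; the other entries in the same hunks drop the "Required:"/"Optional:" prefix when the label is added, and this one should too. The same inconsistency appears for `FOD_URL` in `fod-export/README.md` and `fod-sast-scan/README.md`, where the new body reads "(REQUIRED) Fortify on Demand URL, ..." while the parallel `SSC_URL` hunks correctly drop the old "(Required)".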
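Review bot: The `REQUIRED*` marker introduced on `FOD_CLIENT_ID` & `FOD_CLIENT_SECRET`, `FOD_TENANT`/`FOD_USER`/`FOD_PASSWORD`, `SSC_TOKEN` and `SSC_USER` & `SSC_PASSWORD` is not explained anywhere in these hunks; the reader has to infer from the body text that exactly one of the two credential alternatives must be provided. Add a one-line footnote after each such block (for example "* Exactly one of these authentication options must be configured") so the asterisk is self-explanatory in the rendered README and in the included `doc-resources` fragments.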
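Review bot: In the `doc-resources/env-ssc-login.md` hunk (and the matching `EXTRA_FOD_LOGIN_OPTS` and `EXTRA_SC_SAST_LOGIN_OPTS` entries), the relabelled body still leads with "for example for disabling SSL checks" as the first use of the extra login options; since these options are passed on the same command that submits `SSC_TOKEN`, `SSC_PASSWORD` or the FoD client secret, disabling certificate verification removes server authentication for the credential exchange. Since this text is being touched anyway, it would be worth qualifying the example as something to use only against non-production or self-signed test instances, and listing the time-out option first.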
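Review bot: The new `internal/set-ssc-var-defaults/action.yml` derives the `SSC_APPVERSION` default from `APP: ${{ github.action_repository }}` and `V: ${{ github.action_ref }}`, and the documentation hunks promise this resolves to the caller's repository and branch (`myOrg/myRepo:myBranch`). Per GitHub's documentation of the `github` context, `action_repository` and `action_ref` describe the action being executed rather than the workflow that invoked it, so please verify in a composite step that these do not resolve to this action's own repository and tag; if they do, `github.repository` and `github.ref_name` are the unambiguous choice for the intended default. Two smaller points in the same `run:` block: `export SSC_APPVERSION="${APP}:${V}"` is unnecessary (the value is only used within the step), and the append to `$GITHUB_ENV` should quote both sides, e.g. `echo "SSC_APPVERSION=${APP}:${V}" >> "$GITHUB_ENV"`, so a value or runner path containing whitespace is written intact. The `branding:` block on an internal action is harmless but has no effect for actions that are not published to the Marketplace.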
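Review bot: Typo in the `sc-sast-scan/README.md` hunk for `EXTRA_SC_SAST_SCAN_OPTS`: the new body reads "+xtra ScanCentral SAST scan options; see ..." and is missing the leading "E". The corresponding `doc-resources/env-sc-sast-scan.md` hunk has the correct "Extra ScanCentral SAST scan options", which suggests the README was edited by hand rather than regenerated from the `{{include:...}}` fragments; regenerating the READMEs from `doc-resources` would fix this and keep the two in sync.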
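Review bot: In the `fod-sast-scan/README.md` and `sc-sast-scan/README.md` hunks that replace the `DO_WAIT`/`DO_EXPORT` entries, three empty `+` lines are added after the `DO_EXPORT` paragraph, leaving stray trailing blank lines before the next section. The same text now lives once in the new `doc-resources/env-wait-export.md` (which `env-sc-sast-scan.md` already includes via `{{include:env-wait-export.md}}`), so the rendered READMEs should pick it up from that include and the blank lines should be dropped.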
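Review bot: After commenting out the sample values in the workflow hunks, the `package/README.md` example is left with an `env:` key whose only content is the comment `# EXTRA_PACKAGE_OPTS: -bf custom-pom.xml`, i.e. an empty mapping. Please verify that a step with an empty `env:` still passes workflow validation; if it does not, either comment out `env:` together with its entry or keep one live key in the example. The other samples are unaffected because they still set the `SSC_URL`/`SSC_TOKEN`/`SC_SAST_CLIENT_AUTH_TOKEN` or `FOD_*` secrets, which is also a good outcome of this change: the remaining uncommented entries are now exactly the required credential variables, and the commented ones (`FOD_RELEASE`, `SSC_APPVERSION`, `EXTRA_PACKAGE_OPTS`, `DO_WAIT`, `DO_EXPORT`) match the entries the documentation hunks newly mark `OPTIONAL`.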