feat: Add ssc-scan action, supporting both SC-SAST & Debricked
rsenden committed Jun 3, 2024
1 parent 3f17de0 commit f97619e
Showing 16 changed files with 104 additions and 45 deletions.
4 changes: 2 additions & 2 deletions internal/fod-login/action.yml
Expand Up @@ -11,8 +11,8 @@ runs:
if: ${{ !env._FOD_LOGGED_IN }}
with:
dir: ${{ github.action_path }}
script: ./fod-login.sh
post: ./fod-logout.sh
script: fod-login.sh
post: fod-logout.sh

branding:
icon: 'shield'
11 changes: 2 additions & 9 deletions internal/run-script-js/action.yml
Expand Up @@ -10,17 +10,10 @@ inputs:
description: 'Script to run on job completion'
required: false
dir:
description: 'Directory where scripts are located, should usually be set to github.action_path'
description: 'Directory where scripts are located, set automatically by internal/run-script action'
required: true
util:
description: 'Directory where utility scripts are located, set automatically by internal/run-script action'
required: true
key:
description: 'Name of the state variable used to detect the post step.'
required: false
default: POST

runs:
using: 'node20'
main: 'main.js'
post: 'main.js'
post: 'post.js'
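Review bot: The new `util` input is declared `required: true`, but the internal/run-script hunk in this same commit appears to drop the `util: ${{ env.BASH_UTIL_DIR }}` line from its call to run-script-js, so nothing supplies it any more; GitHub only warns on a missing required input, and post.js (also added here) then reads an unset `INPUT_UTIL`. Either drop the input and derive the util directory from `dir` the way main.js now does, or keep it and have run-script pass it. If it stays, the description should say what it must point to, e.g. `description: 'Directory containing common.sh and other utility scripts, set automatically by internal/run-script action'`.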
16 changes: 3 additions & 13 deletions internal/run-script-js/main.js
@@ -1,24 +1,14 @@
const { spawn } = require("child_process");
const { appendFileSync } = require("fs");
const { EOL } = require("os");

function run(script) {
if ( script ) {
const dir = process.env.INPUT_DIR;
const utilDir = process.env.INPUT_UTIL;
const subprocess = spawn(`bash -c -o pipefail -v 'export UTIL_DIR=${utilDir}; ${dir}/${script}'`,
const scriptDir = process.env.INPUT_DIR;
const subprocess = spawn(`bash -c -o pipefail -v 'export UTIL_DIR=${scriptDir}; ${scriptDir}/${script}'`,
{ stdio: "inherit", shell: true });
subprocess.on("exit", (exitCode) => {
process.exitCode = exitCode;
});
}
}

const key = process.env.INPUT_KEY.toUpperCase();

if ( process.env[`STATE_${key}`] !== undefined ) { // Are we in the 'post' step?
run(process.env.INPUT_POST);
} else { // Otherwise, this is the main step
appendFileSync(process.env.GITHUB_STATE, `${key}=true${EOL}`);
run(process.env.INPUT_SCRIPT);
}
run(process.env.INPUT_SCRIPT);
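Review bot: `scriptDir` and `script` are interpolated unquoted into one command string that is parsed twice — first by the `shell: true` `/bin/sh -c` spawn, then by `bash -c` — so a directory containing a space or a single quote (github.action_path on a self-hosted Windows runner can contain spaces) breaks the `export` and the script path, and any value reaching this string is interpreted as shell syntax; post.js in this commit has the same shape. Passing the values as positional arguments and dropping `shell: true` removes both problems: `const subprocess = spawn("bash", ["-o", "pipefail", "-v", "-c", 'export UTIL_DIR="$1"; "$1/$2"', "bash", scriptDir, script], { stdio: "inherit" });`. The `exit` handler also assigns `process.exitCode = null` when the child dies from a signal (exitCode is null in that case), which Node treats as success; `process.exitCode = exitCode ?? 1;` keeps such a failure visible.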
14 changes: 14 additions & 0 deletions internal/run-script-js/post.js
@@ -0,0 +1,14 @@
const { spawn } = require("child_process");

function run(script) {
if ( script ) {
const utilDir = process.env.INPUT_UTIL;
const subprocess = spawn(`bash -c -o pipefail -v 'export UTIL_DIR=${utilDir}; ${script}'`,
{ stdio: "inherit", shell: true });
subprocess.on("exit", (exitCode) => {
process.exitCode = exitCode;
});
}
}

run(process.env.INPUT_POST);
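Review bot: The post script is executed as a bare `${script}` rather than prefixed with the script directory as main.js does (`${scriptDir}/${script}`), so with the relative values the login actions now pass (`post: fod-logout.sh`) bash resolves it through `PATH` and the logout step fails instead of cleaning up the session. Reading `INPUT_DIR` here as main.js does (inputs should be visible to the post step as `INPUT_*` too — confirm) and running `${scriptDir}/${script}` keeps the two steps consistent; `INPUT_UTIL`, which this file still reads, appears no longer to be passed by internal/run-script after this commit, so `UTIL_DIR` would be exported as the string `undefined`. The unquoted interpolation into a `shell: true` command string and the `process.exitCode = exitCode` assignment (null on a signal exit) are the same concerns as in main.js.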
13 changes: 3 additions & 10 deletions internal/run-script/action.yml
Expand Up @@ -15,21 +15,14 @@ inputs:
runs:
using: composite
steps:
# github.action_path uses platform-specific path format, like D:\... for Windows.
# The run-script-js action requires the path to be in bash format, so we convert
# the paths to bash format before invoking the run-script-js action.
- run: echo "BASH_SCRIPT_DIR=$(pwd)" >> $GITHUB_ENV
shell: bash
working-directory: ${{ inputs.dir }}
- run: echo "BASH_UTIL_DIR=$(pwd)/util" >> $GITHUB_ENV
- run: echo "_RUN_SCRIPTS_DIR=$(pwd)/scripts" >> $GITHUB_ENV
shell: bash
working-directory: ${{ github.action_path }}
- uses: fortify/github-action/internal/[email protected]
with:
util: ${{ env.BASH_UTIL_DIR }}
dir: ${{ env.BASH_SCRIPT_DIR }}
dir: ${{ env._RUN_SCRIPTS_DIR }}
script: ${{ inputs.script }}
post: ${{ inputs.post }}
post: ${{ inputs.post }}

branding:
icon: 'shield'
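Review bot: The removed three-line comment explaining that `github.action_path` is in platform-specific form (`D:\...` on Windows) and that `$(pwd)` under bash converts it should survive, since the new `_RUN_SCRIPTS_DIR=$(pwd)/scripts` line still relies on exactly that trick; without it the `working-directory` plus `pwd` pair reads as a roundabout way of writing `${{ github.action_path }}/scripts`. Suggest keeping it above the run step as `# $(pwd) under bash converts the platform-specific github.action_path (D:\... on Windows) to the bash-style path run-script-js needs`. With the `working-directory: ${{ inputs.dir }}` step gone, `inputs.dir` appears unused by this action although the login actions and ssc-scan still pass it; if the input is retained it should be documented as ignored, otherwise removed from the callers. This action's `inputs:` block starts above the hunk.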
Expand Up @@ -5,4 +5,9 @@ fi
if [ -z "$FCLI_CMD" ]; then
echo "ERROR: fortify/github-action/setup must be run to set up fcli before running this action"
exit 1;
fi
fi

function run {
echo RUN: "$@"
"$@"
}
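Review bot: `run` echoes every argument verbatim with `echo RUN: "$@"`, and all of its callers in this commit pass credentials on the command line — `-t "${SSC_TOKEN}"`, `-c "${SC_SAST_TOKEN}"`, `-t "${DEBRICKED_TOKEN}"`, and the FoD client secret or password carried in `_FOD_AUTH_OPTS` — so those values are written to the job log. GitHub masks only values that came from the `secrets` context or were registered with `::add-mask::`; a token set from a plain `env:` literal, a previous step's output or a self-hosted runner's environment would be printed in clear. Logging just the command and subcommand avoids this: `echo "RUN: $1 ${2:-} ${3:-}"` (or redact the argument following `-t`/`-c` before echoing). The same applies to the fod/ssc/sc-sast login and logout scripts and to ssc-scan.sh, which all route through this function.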
Expand Up @@ -12,5 +12,6 @@ else
echo "ERROR: Either FOD_CLIENT_ID and FOD_CLIENT_SECRET, or FOD_TENANT, FOD_USER and FOD_PASSWORD environment variables must be set"
exit 1;
fi
${FCLI_CMD} fod session login --url "${FOD_URL}" "${_FOD_AUTH_OPTS[@]}" ${EXTRA_FOD_LOGIN_OPTS} || exit 1
run ${FCLI_CMD} fod session login --url "${FOD_URL}" "${_FOD_AUTH_OPTS[@]}" ${EXTRA_FOD_LOGIN_OPTS} \
|| exit 1
echo '_FOD_LOGGED_IN=true' >> $GITHUB_ENV
Expand Up @@ -3,5 +3,6 @@

if [[ "${_FOD_LOGGED_IN}" == "true" ]]; then
echo '_FOD_LOGGED_IN=false' >> $GITHUB_ENV
${FCLI_CMD} fod session logout || exit 1
run ${FCLI_CMD} fod session logout \
|| exit 1
fi
Expand Up @@ -10,5 +10,6 @@ fi
if [ -z "SSC_TOKEN" ]; then
echo "ERROR: SSC_TOKEN environment variable must be set"; exit 1;
fi
${FCLI_CMD} sc-sast session login --ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" ${EXTRA_SC_SAST_LOGIN_OPTS}
run ${FCLI_CMD} sc-sast session login --ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" ${EXTRA_SC_SAST_LOGIN_OPTS} \
|| exit 1
echo '_SC_SAST_LOGGED_IN=true' >> $GITHUB_ENV
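Review bot: The guard `if [ -z "SSC_TOKEN" ]` tests a literal string, which is never empty, so the check can never fire and the error message below it is unreachable; the new `run ... -t "${SSC_TOKEN}"` line then hands an empty token to fcli and the failure surfaces only as an fcli error. It should read `if [ -z "${SSC_TOKEN}" ]; then`, matching the `FCLI_CMD` check in common.sh. The top of this script, including any earlier `SC_SAST_TOKEN` check, is above the hunk.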
Expand Up @@ -3,5 +3,6 @@

if [[ "${_SC_SAST_LOGGED_IN}" == "true" ]]; then
echo '_SC_SAST_LOGGED_IN=false' >> $GITHUB_ENV
${FCLI_CMD} sc-sast session logout --no-revoke-token || exit 1
run ${FCLI_CMD} sc-sast session logout --no-revoke-token \
|| exit 1
fi
Expand Up @@ -11,5 +11,6 @@ elif [ -n "${SSC_USER}" -a -n "${SSC_PASSWORD}" ]; then
else
echo "ERROR: Either SSC_TOKEN, or SSC_USER and SSC_PASSWORD environment variables must be set"; exit 1;
fi
${FCLI_CMD} ssc session login --url "${SSC_URL}" "${_SSC_AUTH_OPTS[@]}" ${EXTRA_SSC_LOGIN_OPTS}
run ${FCLI_CMD} ssc session login --url "${SSC_URL}" "${_SSC_AUTH_OPTS[@]}" ${EXTRA_SSC_LOGIN_OPTS} \
|| exit 1
echo '_SSC_LOGGED_IN=true' >> $GITHUB_ENV
Expand Up @@ -10,5 +10,6 @@ if [[ "${_SSC_LOGGED_IN}" == "true" ]]; then
else
echo "ERROR: Either SSC_TOKEN, or SSC_USER and SSC_PASSWORD environment variables must be set"; exit 1;
fi
${FCLI_CMD} ssc session logout "${_SSC_LOGOUT_OPTS[@]}" || exit 1
run ${FCLI_CMD} ssc session logout "${_SSC_LOGOUT_OPTS[@]}" \
|| exit 1
fi
33 changes: 33 additions & 0 deletions internal/run-script/scripts/ssc-scan.sh
@@ -0,0 +1,33 @@
#!/bin/bash
. ${UTIL_DIR}/common.sh

# This script assumes that fcli and Debricked CLI have already been installed,
# and that any necessary fcli sessions have been created.
# TODO Check prerequisites like SSC_APPVERSION, DEBRICKED_TOKEN, ...

if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
run ${FCLI_CMD} sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS} \
|| exit 1
fi
if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then
# Debricked may return non-zero exit code on automation rule failures, in which case
# we still want to run subsequent steps, hence we temporarily ignore the exit code,
run ${DEBRICKED_CLI_CMD} scan -t "${DEBRICKED_TOKEN}" -i "Fortify GitHub Action" \
|| FAIL_ON_EXIT=true
run ${FCLI_CMD} ssc artifact import-debricked --av "${SSC_APPVERSION}" --repository "${GITHUB_REPOSITORY}" --branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" -t "${DEBRICKED_TOKEN}" --store debricked_scan \
|| exit 1
fi
if [ "${DO_WAIT}" == "true" ] || [ "${DO_EXPORT}" == "true" ]; then
if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
run ${FCLI_CMD} sc-sast scan wait-for ::sc_sast_scan:: \
|| exit 1
fi
if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then
run ${FCLI_CMD} ssc artifact wait-for ::debricked_scan:: \
|| exit 1
fi
fi
if [ "${FAIL_ON_EXIT}" == "true" ]; then
echo "Earlier failures detected"
exit 1
fi
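Review bot: The TODO on line 6 leaves the prerequisite checks out, so an unset `SSC_APPVERSION` reaches `sc-sast scan start --publish-to ""` and an unset `DEBRICKED_TOKEN` reaches `scan -t ""`, failing inside fcli or the Debricked CLI with a less clear message than the login scripts give. Mirroring their style: `if [ -z "${SSC_APPVERSION}" ]; then echo "ERROR: SSC_APPVERSION environment variable must be set"; exit 1; fi` near the top, and inside the `DO_DEBRICKED_SCAN` branch `if [ -z "${DEBRICKED_TOKEN}" ]; then echo "ERROR: DEBRICKED_TOKEN environment variable must be set"; exit 1; fi`. `FAIL_ON_EXIT` is never initialised, so a value inherited from the job environment would make the final block fail the job even when every step succeeded; `FAIL_ON_EXIT=false` after sourcing common.sh closes that. The comment on the Debricked branch ends in a comma where a period is meant.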
4 changes: 2 additions & 2 deletions internal/sc-sast-login/action.yml
Expand Up @@ -15,8 +15,8 @@ runs:
if: ${{ !env._SC_SAST_LOGGED_IN }}
with:
dir: ${{ github.action_path }}
script: ./sc-sast-login.sh
post: ./sc-sast-logout.sh
script: sc-sast-login.sh
post: sc-sast-logout.sh

branding:
icon: 'shield'
4 changes: 2 additions & 2 deletions internal/ssc-login/action.yml
Expand Up @@ -11,8 +11,8 @@ runs:
if: ${{ !env._SSC_LOGGED_IN }}
with:
dir: ${{ github.action_path }}
script: ./ssc-login.sh
post: ./ssc-logout.sh
script: ssc-login.sh
post: ssc-logout.sh
branding:
icon: 'shield'
color: 'blue'
25 changes: 25 additions & 0 deletions ssc-scan/action.yml
@@ -0,0 +1,25 @@
name: 'Perform SAST scan'
description: 'Perform a SAST scan on ScanCentral SAST'
author: 'Fortify'
runs:
using: composite
steps:
- uses: fortify/github-action/[email protected]
with:
export-path: false
fcli: action-default
debricked-cli: ${{ env.DO_DEBRICKED_SCAN=='true' && 'action-default' || 'skip' }}
- uses: fortify/github-action/internal/[email protected]
- uses: fortify/github-action/internal/[email protected]
- uses: fortify/github-action/[email protected]
- uses: fortify/github-action/internal/[email protected]
with:
dir: ${{ github.action_path }}
script: ssc-scan.sh
- if: env.DO_EXPORT == 'true'
uses: fortify/github-action/[email protected]

branding:
icon: 'shield'
color: 'blue'
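Review bot: `name: 'Perform SAST scan'` and `description: 'Perform a SAST scan on ScanCentral SAST'` describe only half of what the action does; the commit title and the `debricked-cli` setup input show it also runs a Debricked scan, so something like `description: 'Perform ScanCentral SAST and/or Debricked scans and publish the results to SSC'` would match. The `sc-sast-login` and `package` steps run unconditionally, so a job that sets only `DO_DEBRICKED_SCAN` still needs `SC_SAST_TOKEN` for a login it never uses and packages sources it never scans (assuming `ssc artifact import-debricked` needs only the SSC session); gating both with `if: env.DO_SC_SAST_SCAN == 'true'`, as the export step already is with `DO_EXPORT`, keeps the Debricked-only path lean. The `DO_*` environment variables the action reads are not documented anywhere in this file; a short comment above `runs:` listing `DO_SC_SAST_SCAN`, `DO_DEBRICKED_SCAN`, `DO_WAIT` and `DO_EXPORT` and their expected `'true'` value would help callers.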
