diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml index b29adc8..ef8c328 100644 --- a/.github/workflows/fortify.yml +++ b/.github/workflows/fortify.yml @@ -11,12 +11,17 @@ on: jobs: Fortif-SAST: - runs-on: ubuntu-latest + runs-on: self-hosted + container: + image: maven permissions: write-all env: - APPLICATION: "${{ github.event.repository.name }}" + APPLICATION: "WebGoat" VERSION: "${{ github.ref_name }}" + # Requires GitHub Advanced Security + PUBLISH_SECURITY_ALERTS: false + steps: # Check out source code - name: Checkout repository 
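Review bot: `container: image: maven` pulls a floating tag, so the build image can change under the job between runs; pin it, e.g. `image: maven:<tag>@sha256:<digest>` (placeholder values), the same way the job already pins `java-version: '11'`. `permissions: write-all` is also kept while the only write the new steps appear to need is `security-events: write` for the SARIF upload (plus `contents: read` for checkout), and the job now runs on a self-hosted runner, which makes the broad token scope more consequential; consider `permissions: { contents: read, security-events: write }` unless the scan action documents a wider need. `PUBLISH_SECURITY_ALERTS: false` is fine as written since `env` values are strings and the later gate compares against `'true'`, but a `# string "false"; compared with == 'true' below` comment would save the next reader the check. The `on:` block that decides which events reach this runner is outside the hunk.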
@@ -28,22 +33,60 @@ jobs: java-version: '11' distribution: 'temurin' - - name: Run ScanCentral SAST Scan - uses: fortify/github-action@v1 + + # Set up Fortify ScanCentral Client + - name: Download Fortify Clients + uses: fortify-ps/github-action/setup@main with: - sast-scan: true + sc-client: latest + + # Retrieve FCLI + - name: Install FCLI + run: | + wget -qO- https://github.com/fortify/fcli/releases/download/v2.0.0/fcli-linux.tgz | tar zxf - + + # Run SAST Scan + - name: Fortify SAST Scan + uses: agendry-pub/gha-ssc-ast-scan@v1 env: - SSC_URL: ${{vars.FTFY_SSC_BASE_URL}} - SSC_TOKEN: ${{secrets.FTFY_CI_TOKEN_ENC}} - SSC_USER: ${{secrets.FTFY_CI_USERNAME}} - SSC_PASSWORD: ${{secrets.FTFY_CI_PASSWORD}} - SC_SAST_TOKEN : ${{secrets.FTFY_SAST_CLIENT_TOKEN}} - SC_SAST_SENSOR_VERSION: 23.1 - # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s - SSC_APPVERSION: WebGoat:${{ github.ref_name }} - #EXTRA_PACKAGE_OPTS: -bt mvn -q - DO_WAIT: true - DO_EXPORT: true + FCLI_DEFAULT_TOKEN_EXPIRE: "1h" + FCLI_EXECUTABLE_LOCATION: . 
+ with: + ssc_base_url: ${{ vars.FTFY_SSC_BASE_URL}} + ssc_app: ${{ env.APPLICATION }} + ssc_version: ${{ env.VERSION }} + ssc_source_version: ${{ github.event.repository.default_branch }} + # ssc_ci_token: ${{ secrets.FTFY_CI_TOKEN_ENC }} + ssc_ci_username: ${{ secrets.FTFY_CI_USERNAME }} + ssc_ci_password: ${{ secrets.FTFY_CI_PASSWORD }} + sast_scan: true + sast_client_auth_token: ${{ secrets.FTFY_SAST_CLIENT_TOKEN }} + sast_build_options: "" + security_gate_action: warn + security_gate_filterset: Critical & High + # summary_filterset: Critical & High + gha_token: ${{ secrets.GITHUB_TOKEN }} + copy_vulns: true + - name: Export Fortify vulnerability data + if: ${{ env.PUBLISH_SECURITY_ALERTS == 'true' }} + uses: fortify/gha-export-vulnerabilities@v1.0.0 + with: + ssc_base_url: ${FTFY_SSC_URL} + ssc_auth_token: ${FTFY_CI_TOKEN_DEC} + ssc_version_name: "${APPLICATION}:${VERSION}" + # Import Fortify SAST results to GitHub Security Code Scanning + - name: Import Results + if: ${{ env.PUBLISH_SECURITY_ALERTS == 'true' }} + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ./gh-fortify-sast.sarif + # # Clean up tokens, session variables, ... + # - name: Cleanup + # if: always() + # run: | + # fcli config var def rm ${SHA}_sastscan + # fcli sc-sast session logout --no-revoke-token + # fcli ssc session logout --no-revoke-token
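Review bot: The "Export Fortify vulnerability data" step passes `${FTFY_SSC_URL}`, `${FTFY_CI_TOKEN_DEC}` and `"${APPLICATION}:${VERSION}"` as literal strings — `${VAR}` is shell syntax, not an Actions expression, and none of those names is defined in this hunk; when the gate is switched on the step will call SSC with a bogus URL and token. They should be expressions such as `ssc_base_url: ${{ vars.FTFY_SSC_BASE_URL }}`, `ssc_version_name: "${{ env.APPLICATION }}:${{ env.VERSION }}"`, and `ssc_auth_token: ${{ secrets.<ssc-token-secret> }}` (placeholder name). The "Install FCLI" step pipes the release tarball straight into `tar` with no integrity check and extracts it into the workspace that `FCLI_EXECUTABLE_LOCATION: .` then executes from; downloading to a file and checking it against a pinned digest, `echo "<expected-sha256>  fcli-linux.tgz" | sha256sum -c` (placeholder), before extracting would close that gap. The same hunk hands SSC credentials and `GITHUB_TOKEN` to `fortify-ps/github-action/setup@main` and `agendry-pub/gha-ssc-ast-scan@v1`, both mutable refs; pinning each `uses:` to a full commit SHA keeps the secrets from flowing to whatever those refs point at later. `security_gate_action: warn` means Critical & High findings never fail the job, which reads as intentional for this repository but deserves a one-line comment saying so.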