forked from veracode/verademo
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create pipeline-scan-fail-commit.yml
added pipelinescanner fail on commit
- Loading branch information
Showing
1 changed file
with
207 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,207 @@ | ||
| name: Pipelinescanner fail on commit | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| env: | ||
| SRCCLR_API_TOKEN: ${{secrets.SRCCLR_API_TOKEN}} | ||
|
|
||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| # grants permissions for the artifact to be uploaded | ||
|
|
||
| steps: | ||
|
|
||
| # Checks-out your repository under $GITHUB_WORKSPACE, so your job can acces it and clones the repo | ||
| - uses: actions/checkout@v3 | ||
|
|
||
| - name: Set up JDK 17 | ||
| uses: actions/setup-java@v3 | ||
| with: | ||
| java-version: '17' | ||
| distribution: 'adopt' | ||
|
|
||
| - name: Build with Maven | ||
| run: | | ||
| mvn -B clean package --file app/pom.xml | ||
| ls -la app/target/verademo.war | ||
| chmod +rx app/target/verademo.war | ||
| ls -la app/target/verademo.war | ||
| - name: Veracode Dependency Scanning | ||
| # You may pin to the exact commit or the version. | ||
| # uses: veracode/veracode-sca@8f68e021ac444b5f873e4fb4311f924b0f904f57 | ||
| uses: veracode/veracode-sca@v2.1.6 | ||
| with: | ||
| # Authorization token to query and create issues | ||
| github_token: ${{ secrets.GH_TOKEN }} | ||
| # | ||
| quick: false # optional, default is false | ||
| # Show update advisor | ||
| update_advisor: true # optional, default is false | ||
| # A git URL to work with in case the scan is not for the current repository | ||
| #url: https://github.com/bnreplah/verademo # optional, default is | ||
| # The minimum CVSS value for vulnerability to be added as an issue | ||
| #min-cvss-for-issue: # optional, default is 0 | ||
| # The maximum allowed cvss in found vulnerabilities to pass the step | ||
| #fail-on-cvss: # optional, default is 10 | ||
| # An attribute to instruct the action to create an issue from found vulnerability or just simple text output | ||
| create-issues: true # optional, default is false | ||
| # A path within the repository where the build definition starts | ||
| path: ./app/ # optional, default is . | ||
| # Run the SRCCLR in debug mode | ||
| debug: true # optional, default is false | ||
| # Run the SRCCLR with the `--skip-collectors` options | ||
| #skip-collectors: # optional, default is false | ||
| # Run the SRCCLR with the `--allow-dirty` option | ||
| allow-dirty: true # optional, default is false | ||
| # Run the SRCCLR with the `--recursive` option | ||
| recursive: false # optional, default is false | ||
|
|
||
|
|
||
| - name: Veracode Pipeline-Scan | ||
| # You may pin to the exact commit or the version. | ||
| # uses: veracode/Veracode-pipeline-scan-action@c94abab5dc83cccc825c05120b746835fc6f673a | ||
| uses: veracode/Veracode-pipeline-scan-action@v1.0.10 | ||
| with: | ||
| # vid | ||
| vid: ${{ secrets.VERACODE_API_ID }} | ||
| # vkey | ||
| vkey: ${{ secrets.VERACODE_API_KEY }} | ||
| # Filename of the packaged application to upload and scan. | ||
| file: app/target/verademo.war | ||
| # GITHUB_TOKEN or a repo scoped PAT. | ||
| token: ${{ secrets.GH_TOKEN }} # default is ${{ github.token }} | ||
| # Name of the security policy to download as a file. Required only if you want to download the configuration for a custom policy defined by your organization. After downloading the policy, you can provide this file in a subsequent command using the policy_file parameter. | ||
| #request_policy: # optional | ||
| # Fail the pipeline job if the scan finds flaws of the specified severities. Enter a comma-separated list of severities in quotation marks. | ||
| #fail_on_severity: # optional | ||
| # Fail the pipeline job if the scan finds flaws of the specified CWEs. Enter a comma-separated list of CWE IDs. | ||
| #fail_on_cwe: # optional | ||
| # Filter the flaws that exist in the specified baseline file and show only the additional flaws in the current scan. | ||
| #baseline_file: # optional | ||
| # Name of the Veracode default policy rule to apply to the scan results. You can only use this parameter with a Veracode default policy. | ||
| #policy_name: # optional | ||
| # Name of the local policy file you want to apply to the scan results. To download this file, use the --request_policy parameter. | ||
| #policy_file: # optional | ||
| # Amount of time, in minutes, for the Pipeline Scan to wait before reporting an unsuccessful scan if the scan does not complete. Default is 60 minutes, which is also the maximum value. | ||
| #timeout: # optional | ||
| # Enter true to show detailed messages for each issue in the results summary. | ||
| issue_details: true # optional | ||
| # Enter true to show a human-readable results summary on the console. Default is true. | ||
| summary_display: true # optional | ||
| # Enter true to show the JSON containing the scan results on the console. Default is false. | ||
| #json_display: # optional | ||
| # Enter true to display detailed messages in the scan results. Default is false. | ||
| #verbose: # optional | ||
| # Enter true to save the scan results as a human-readable file. Default is false. | ||
| summary_output: true # optional | ||
| # Enter the filename of the scan results summary file. The file is stored in the current directory. Default is results.txt. | ||
| summary_output_file: results.txt # optional | ||
| # Enter true to save the scan results in JSON format. Default is true. | ||
| json_output: true # optional | ||
| # Rename the JSON file that contains the scan results. The file is stored in the current directory. Default filename is results.json. | ||
| json_output_file: results.json # optional | ||
| # Enter the filename in the current directory to save results that violate pass-fail criteria. Default is filtered_results.json. | ||
| #filtered_json_output_file: # optional | ||
| # Enter the name of the CI/CD code repository that runs a Pipeline Scan. This parameter adds the repository name to the scan results, which can help you track scans across repositories. | ||
| project_name: Verademo # optional | ||
| # Enter the source control URL for the CI/CD code repository that runs a Pipeline Scan. | ||
| project_url: https://github.com/bnreplah/verademo # optional | ||
| # Enter the source control reference, revision, or branch for the CI/CD code repository that runs a Pipeline Scan. | ||
| project_ref: main # optional | ||
| # Enter the [application profile](https://docs.veracode.com/r/request_profile) ID for the application you want to upload and scan. | ||
| #app_id: # optional | ||
| # Enter one these values, which are case-sensitive, for the type of development stage: Development, Testing, Release. | ||
| #development_stage: # optional | ||
| # Enable debug mode. 1 for on | ||
| debug: 1 # optional | ||
| # Enable the storage of a baseline file. Takes true or fales | ||
| store_baseline_file: true # optional | ||
| # Enter the branch name where the baseline file should be stored | ||
| store_baseline_file_branch: baseline # optional | ||
| # From which results should the baseline file be created. standard = full results || filtered = filtered results | ||
| create_baseline_from: standard # optional | ||
| # Fail the build upon findings. Takes true or false | ||
| fail_build: true # optional | ||
|
|
||
|
|
||
| - name: Upload a Build Artifact | ||
| uses: actions/upload-artifact@v3.1.1 | ||
| with: | ||
| # Artifact name | ||
| name: verademo.war | ||
| # optional, default is artifact | ||
| # A file, directory or wildcard pattern that describes what to upload | ||
| path: app/target/verademo.war | ||
| # The desired behavior if no files are found using the provided path. | ||
| if-no-files-found: error | ||
|
|
||
| - name: Upload a Build Artifact | ||
| uses: actions/upload-artifact@v3.1.1 | ||
| with: | ||
| # Artifact name | ||
| name: Summary-Output-File # optional, default is artifact | ||
| # A file, directory or wildcard pattern that describes what to upload | ||
| path: results.txt | ||
| # The desired behavior if no files are found using the provided path. | ||
|
|
||
| - name: Upload a Build Artifact | ||
| uses: actions/upload-artifact@v3.1.1 | ||
| with: | ||
| # Artifact name | ||
| name: Pipeline-Scan-Results # optional, default is artifact | ||
| # A file, directory or wildcard pattern that describes what to upload | ||
| path: results.json | ||
| # The desired behavior if no files are found using the provided path. | ||
|
|
||
|
|
||
| results_to_sarif: | ||
| needs: build | ||
| runs-on: ubuntu-latest | ||
| name: import pipeline results to sarif | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
|
|
||
| steps: | ||
| - name: Download a Build Artifact | ||
| uses: actions/download-artifact@v4.1.7 | ||
| with: | ||
| # Artifact name | ||
| name: Pipeline-Scan-Results # optional | ||
| # Destination path | ||
| path: results.json # optional | ||
|
|
||
| - name: Download a Build Artifact | ||
| uses: actions/download-artifact@v4.1.7 | ||
| with: | ||
| # Artifact name | ||
| name: verademo.war # optional | ||
| # Destination path | ||
| path: verademo.war # optional | ||
|
|
||
|
|
||
| - name: Reading permissions | ||
| run: | | ||
| chmod +rx verademo.war | ||
| chmod +rx results.json | ||
| ls -la verademo.war | ||
| ls -la results.json | ||
| - name: Veracode scan results to GitHub issues Action | ||
| # You may pin to the exact commit or the version. | ||
| # uses: veracode/veracode-flaws-to-issues@e03c95a2d9ce730870fe160ff77bbce3b7f0e32d | ||
| uses: veracode/veracode-flaws-to-issues@v2.1.0 | ||
| with: | ||
| # Scan results file | ||
| scan-results-json: results.json # default is filtered_results.json | ||
| # GitHub token to access the repo | ||
| github-token: ${{ secrets.GH_TOKEN }} | ||
| # Delay (in seconds) between entering Issues into GitHub (due to rate limiting) | ||
| #wait-time: # optional, default is 2 | ||
| fail_build: false # optional | ||
|
|
||
|
|