Updating build scripts #9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Create GitHub Action Repository Variables for your version of the application: | |
# FORTIFY_BASE_URL should be the Fortify Base URL (e.g. https://ssc.uat.fortifyhosted.net) | |
# FORTIFY_PARENT_APPVER_NAME is the Fortify SSC Application Version Name corresponding to the parent branch of any newly created branch, this is typically "main" or "develop" | |
# Create GitHub Action Secrets for your version of the application: | |
# FORTIFY_SSC_TOKEN should be an SSC Authorization token (CIToken) obtained from your Fortify tenant. | |
# FORTIFY_SCSAST_CLIENT_AUTH_TOKEN should be the ScanCentral SAST Client Authentication token for your Fortify tenant. | |
name: DevSecOps with Fortify (Hosted) | |
on: | |
# Triggers the workflow on push or pull request events but only for the main or develop branches | |
push: | |
paths-ignore: | |
- '.github/**/**' | |
- 'bin/**' | |
- 'data/**' | |
- 'etc/**' | |
- 'media/**' | |
- 'Jenkinsfile' | |
- '.gitlab-ci.yml' | |
- 'README.md' | |
- 'LICENSE' | |
branches: | |
- '**' # matches every branch | |
pull_request: | |
branches: [ main, develop ] | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
inputs: | |
runFortifySASTScan: | |
description: 'Carry out SAST scan using Fortify' | |
required: false | |
default: 'true' | |
runSonatypeScan: | |
description: 'Carry out SCA scan using Sonatype Nexus IQ' | |
required: false | |
default: 'false' | |
runFortifyDASTScan: | |
description: 'Carry out DAST scan using Fortify' | |
required: false | |
default: 'false' | |
# Global environment variables | |
env: | |
DEFAULT_APP_NAME: "IWA-API" | |
jobs: | |
Build-And-Test: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
with: | |
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head. | |
fetch-depth: 2 | |
# If this run was triggered by a pull request event, then checkout the head of the pull request instead of the merge commit. | |
- run: git checkout HEAD^2 | |
if: ${{ github.event_name == 'pull_request' }} | |
# TBD | |
Sonatype-SCA: | |
runs-on: ubuntu-latest | |
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runSonatypeScan == 'true') }} | |
steps: | |
- uses: actions/[email protected] | |
- uses: actions/setup-java@v3 | |
with: | |
distribution: 'temurin' | |
java-version: '11' | |
# TODO: Sonatype Nexus IQ scan | |
Quality-Gate: | |
runs-on: ubuntu-latest | |
if: ${{ always() }} | |
needs: [ Build-And-Test ] | |
steps: | |
- uses: actions/[email protected] | |
# TBD | |
Fortify-SAST-Scan: | |
runs-on: ubuntu-latest | |
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runFortifySASTScan == 'true') }} | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
with: | |
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head. | |
fetch-depth: 2 | |
# If this run was triggered by a pull request event, then checkout the head of the pull request instead of the merge commit. | |
- run: git checkout HEAD^2 | |
if: ${{ github.event_name == 'pull_request' }} | |
- name: Fortify App and Release Name | |
id: fortify-app-and-rel-name | |
uses: ./.github/actions/fortify-app-and-release-name | |
with: | |
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }} | |
default_fortify_release_name: ${{ github.ref_name }} | |
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }} | |
- name: Node Fortify SAST scan | |
id: node-fortify-sast-scan | |
uses: ./.github/actions/node-fortify-sast-scan | |
with: | |
working_directory: ${{ env.BASE_DIR }} | |
ssc_url: ${{ vars.FORTIFY_BASE_URL }} | |
ssc_token: ${{ secrets.FORTIFY_SSC_TOKEN }} | |
scsast_client_auth_token: ${{ secrets.FORTIFY_SCSAST_CLIENT_AUTH_TOKEN }} | |
ssc_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }} | |
ssc_appver_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }} | |
Fortify-DAST-Scan: | |
runs-on: ubuntu-latest | |
if: ${{ (github.event.inputs.runFortifyDASTScan == 'true') }} | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Fortify App and Release Name | |
id: fortify-app-and-release-name | |
uses: ./.github/actions/fortify-app-and-release-name | |
with: | |
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }} | |
default_fortify_release_name: 'main' | |
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }} | |
# TBD | |
Security-Gate: | |
runs-on: ubuntu-latest | |
if: ${{ always() }} | |
needs: [ Fortify-SAST-Scan,Fortify-DAST-Scan ] | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Fortify App and Release Name | |
id: fortify-app-and-release-name | |
uses: ./.github/actions/fortify-app-and-release-name | |
with: | |
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }} | |
default_fortify_release_name: 'main' | |
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }} | |
#- name: Verify Fortify Security Policy | |
# uses: ./.github/actions/verify-fod-security-policy | |
# with: | |
# fod_api_uri: ${{ vars.FORTIFY_API_URI }} | |
# fod_client_id: ${{ secrets.FORTIFY_CLIENT_ID }} | |
# fod_client_secret: ${{ secrets.FORTIFY_CLIENT_SECRET }} | |
# fod_app_name: ${{ steps.fod-app-and-rel-name.outputs.app_name }} | |
# fod_release_name: ${{ steps.fod-app-and-rel-name.outputs.release_name }} | |
Release-Gate: | |
runs-on: ubuntu-latest | |
if: ${{ always() }} | |
needs: [ Quality-Gate, Security-Gate ] | |
steps: | |
- name: Check Out Source Code | |
uses: actions/[email protected] | |
# TBD |