mirror of
https://github.com/actions/checkout.git
synced 2025-07-13 17:33:49 +00:00
130 lines
10 KiB
YAML
130 lines
10 KiB
YAML
# This workflow uses actions that are not certified by GitHub.
|
|
# They are provided by a third-party and are governed by
|
|
# separate terms of service, privacy policy, and support
|
|
# documentation.
|
|
|
|
################################################################################################################################################
|
|
# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your #
|
|
# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. #
|
|
# #
|
|
# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template #
|
|
# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security #
|
|
# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product #
|
|
# documentation. If you need additional assistance, please contact Fortify support. #
|
|
################################################################################################################################################
|
|
|
|
name: Fortify AST Scan
|
|
|
|
# Customize trigger events based on your DevSecOps process and/or policy
|
|
on:
|
|
push:
|
|
branches: [ "main" ]
|
|
pull_request:
|
|
# The branches below must be a subset of the branches above
|
|
branches: [ "main" ]
|
|
schedule:
|
|
- cron: '40 23 * * 6'
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
Fortify-AST-Scan:
|
|
# Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc).
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
security-events: write
|
|
# pull-requests: write # Required if DO_PR_COMMENT is set to true
|
|
|
|
steps:
|
|
# Check out source code
|
|
- name: Check Out Source Code
|
|
uses: actions/checkout@v4
|
|
|
|
# Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
|
|
# configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
|
|
# job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
|
|
# The Fortify GitHub Action provides many customization capabilities, but in case further customization is
|
|
# required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
|
|
# and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
|
|
# documentation at https://github.com/fortify/github-action#readme for more information on the various
|
|
# configuration options and available sub-actions.
|
|
- name: Run Fortify Scan
|
|
# Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
|
|
# uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases
|
|
# are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
|
|
# required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
|
|
# of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
|
|
uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297
|
|
with:
|
|
sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
|
|
debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
|
|
# is disabled). For SSC, run a Debricked scan and import results into SSC.
|
|
env:
|
|
#############################################################
|
|
##### Fortify on Demand configuration
|
|
##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
|
|
### Required configuration
|
|
FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
|
|
FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
|
|
FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
|
|
FOD_PASSWORD: ${{secrets.FOD_PAT}}
|
|
# FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
|
|
# FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
|
|
### Optional configuration
|
|
# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
|
|
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>
|
|
# DO_SETUP: true # Setup FoD application, release & static scan configuration
|
|
# SETUP_ACTION: <URL or file> # Customize setup action
|
|
# Pass extra options to setup action:
|
|
# SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
|
|
# PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
|
|
# FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
|
|
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
|
|
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
|
|
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
|
|
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
|
|
# DO_JOB_SUMMARY: true # Generate workflow job summary
|
|
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
|
|
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
|
|
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
|
|
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
|
|
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
|
|
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
|
|
# EXPORT_ACTION: <URL or file> # Customize export action
|
|
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
|
|
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
|
|
|
|
#############################################################
|
|
##### Fortify Hosted / Software Security Center & ScanCentral
|
|
##### Remove this section if you're integrating with Fortify on Demand (see above)
|
|
### Required configuration
|
|
SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret
|
|
SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets
|
|
SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
|
|
DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
|
|
SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
|
|
### Optional configuration
|
|
# SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
|
|
# SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
|
|
# SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch>
|
|
# DO_SETUP: true # Set up SSC application & version
|
|
# SETUP_ACTION: <URL or file> # Customize setup action
|
|
# SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
|
|
# PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options
|
|
# EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options
|
|
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
|
|
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
|
|
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
|
|
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
|
|
# DO_JOB_SUMMARY: true # Generate workflow job summary
|
|
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
|
|
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
|
|
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
|
|
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
|
|
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
|
|
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
|
|
# EXPORT_ACTION: <URL or file> # Customize export action
|
|
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
|
|
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
|