diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..759db93 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,62 @@ +name: Fortify ScanCentral SAST Scan +on: + workflow_dispatch: + push: + # Master or main branch that you want to trigger this workflow for + branches: [master] + pull_request: + # The branches below must be a subset of the branches above + branches: [master] + +jobs: + Fortify-SAST: + # Use the appropriate runner for building your source code + runs-on: ubuntu-latest + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v2 + with: + # Fetch at least the immediate parents so that if this is a pull request then we can checkout the head. + fetch-depth: 2 + # If this run was triggered by a pull request event, then checkout the head of the pull request instead of the merge commit. + - run: git checkout HEAD^2 + if: ${{ github.event_name == 'pull_request' }} + + # Java is required to run ScanCentral Client, and may be required for your build + # Java version to use depends on the Java version required to run your build (if any), + # and the Java version supported by the ScanCentral Client version that you are running + - name: Setup Java + uses: actions/setup-java@v1 + with: + java-version: 11 + + ### Set up Fortify ScanCentral Client ### + - name: Download Fortify ScanCentral Client + uses: fortify/gha-setup-scancentral-client@v1 + with: + version: 21.2.0 # On-prem customers should specify a client version that matches their ScanCentral environment + # FoD customers usually should not specify a version but rather rely on the default version + client-auth-token: ${{ secrets.CLIENT_AUTH_TOKEN }} # Optional, but required if ScanCentral Controller requires client authentication + + ### Run Fortify ScanCentral Client ### + # Update BUILD_OPTS based on the ScanCentral Client documentation and your project's included tech stack(s). + # ScanCentral Client will download dependencies for maven, gradle and msbuild projects. + # For other build tools, add your build commands to the workflow to download necessary dependencies and prepare according to Fortify SCA documentation. + - name: Perform SAST Scan + run: scancentral -url ${SC_CONTROLLER_URL} start $BUILD_OPTS -upload -application $APPLICATION -version $VERSION -uptoken $SSC_UPLOAD_TOKEN + env: + SC_CONTROLLER_URL: ${{ secrets.SC_CONTROLLER_URL }} + SSC_UPLOAD_TOKEN: ${{ secrets.SSC_UPLOAD_TOKEN }} + APPLICATION: "sample" + VERSION: "electron" + BUILD_OPTS: "-bt none" + + ### Archive ScanCentral Client logs on failure ### + - name: Save ScanCentral Logs + uses: actions/upload-artifact@v2 + if: failure() + with: + name: scancentral-logs + path: ~/.fortify/scancentral/log