

ACS-6305 Implement SAST Pipeline Scan (#893)
ACS-6305 Implement SAST Pipeline Scan
mikolajbrzezinski committed Dec 13, 2023
1 parent 75c1709 commit 2847a43
Showing 1 changed file with 57 additions and 2 deletions.
59 changes: 57 additions & 2 deletions .github/workflows/ci.yml
Expand Up @@ -35,7 +35,7 @@ env:
GITHUB_ACTIONS_DEPLOY_TIMEOUT: 60

jobs:
veracode:
veracode_sca:
name: "Veracode - Source Clear Scan (SCA)"
runs-on: ubuntu-latest
if: >
Expand All @@ -52,6 +52,61 @@ jobs:
with:
srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}

veracode_sast:
name: "Pipeline SAST Scan"
runs-on: ubuntu-latest
if: >
(github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/') || github.event_name == 'pull_request') &&
!contains(github.event.head_commit.message, '[skip tests]')
steps:
- uses: actions/checkout@v3
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.34.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v1.34.0
- name: "Login to Docker Hub"
uses: docker/login-action@v2.1.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: "Login to Quay.io"
uses: docker/login-action@v2.1.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v5.6.0
with:
token: ${{ secrets.BOT_GITHUB_TOKEN }}
repository: "Alfresco/veracode-baseline-archive"
file-path: "alfresco-transform-core/alfresco-transform-core-baseline.json"
target: "baseline.json"
- name: "Build"
run: mvn -B -U install -DskipTests
- name: "Create zip"
run: zip -r to-scan.zip engines/aio/target/alfresco-transform-core-aio-*.jar engines/base/target/alfresco-base-t-engine-*.jar model/target/alfresco-transform-model-*.jar
- name: "Run SAST Scan"
uses: veracode/Veracode-pipeline-scan-action@v1.0.10
with:
vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }}
file: "to-scan.zip"
fail_build: true
project_name: alfresco-transform-core
issue_details: true
veracode_policy_name: Alfresco Default
summary_output: true
summary_output_file: results.json
summary_display: true
baseline_file: baseline.json
- name: Upload scan result
if: success() || failure()
run: zip readable_output.zip results.json
- name: Upload Artifact
if: success() || failure()
uses: actions/upload-artifact@v3
with:
name: Veracode Pipeline-Scan Results (Human Readable)
path: readable_output.zip

build_and_test:
name: "Core & Base Snapshot deployment"
runs-on: ubuntu-latest
Expand Down Expand Up @@ -146,7 +201,7 @@ jobs:
release:
name: "Release"
runs-on: ubuntu-latest
needs: [veracode, build_and_test, all_tests_matrix]
needs: [veracode_sca, build_and_test, all_tests_matrix]
if: >
!(failure() || cancelled()) &&
contains(github.event.head_commit.message, '[release]') &&
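Review bot: As far as the rendered diff shows, the release job's `needs:` list is changed only to `[veracode_sca, build_and_test, all_tests_matrix]` and still omits the new `veracode_sast` job, so `fail_build: true` on the Pipeline Scan step fails the SAST job but does not block a `[release]` build once the three listed jobs pass; if the scan is meant to gate releases, the line should read `needs: [veracode_sca, veracode_sast, build_and_test, all_tests_matrix]`. In the `veracode_sast` job the Docker Hub and Quay.io logins run before `mvn -B -U install` builds pull-request code, so registry credentials are on the runner while PR-supplied POM plugins execute; if the logins only serve base-image pulls during the build, a dedicated read-only pull account limits the blast radius, and on fork pull requests those secrets are empty so the login steps will fail anyway. The gate can also be skipped by anyone who writes `[skip tests]` in a commit message, which is a wide bypass for a security scan on `master`, `SP/*` and `HF/*`; a separate marker such as `[skip sast]`, or no skip at all on those branches, would be tighter. Finally, every action here, including `veracode/Veracode-pipeline-scan-action@v1.0.10`, which receives `VERACODE_API_ID`/`VERACODE_API_KEY` and decides pass/fail, is pinned to a mutable tag rather than a commit SHA; SHA pinning is the usual mitigation for a step in this position.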
