-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
11 additions
and
49 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,84 +1,46 @@ | ||
# This workflow uses actions that are not certified by GitHub. | ||
# They are provided by a third-party and are governed by | ||
# separate terms of service, privacy policy, and support | ||
# documentation. | ||
|
||
################################################################################################################################################ | ||
# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your # | ||
# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. # | ||
# # | ||
# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template # | ||
# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security # | ||
# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product # | ||
# documentation. If you need additional assistance, please contact Fortify support. # | ||
################################################################################################################################################ | ||
|
||
name: Fortify AST Scan | ||
|
||
# Customize trigger events based on your DevSecOps process and/or policy | ||
# Настройте события триггеров в соответствии с вашим DevSecOps процессом и/или политикой | ||
on: | ||
push: | ||
branches: [ "main" ] | ||
pull_request: | ||
# The branches below must be a subset of the branches above | ||
# Ветви ниже должны быть подмножеством ветвей выше | ||
branches: [ "main" ] | ||
schedule: | ||
- cron: '35 11 * * 3' | ||
workflow_dispatch: | ||
|
||
jobs: | ||
Fortify-AST-Scan: | ||
# Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc). | ||
# Используйте подходящий раннер для сборки исходного кода. Убедитесь, что необходимые инструменты разработки (MSBuild, Python и т.д.) установлены и настроены. | ||
runs-on: ubuntu-latest | ||
permissions: | ||
actions: read | ||
contents: read | ||
security-events: write | ||
|
||
steps: | ||
# Check out source code | ||
# Проверка исходного кода | ||
- name: Check Out Source Code | ||
uses: actions/checkout@v4 | ||
|
||
# Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner. | ||
# Установка Java, необходимого для запуска различных утилит Fortify. Убедитесь, что установлена правильная версия. | ||
- name: Setup Java | ||
uses: actions/setup-java@v4 | ||
with: | ||
java-version: 17 | ||
distribution: 'temurin' | ||
|
||
# Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then | ||
# optionally export SAST results to the GitHub code scanning dashboard. In case further customization is | ||
# required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools | ||
# and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for | ||
# details. | ||
# Выполнение SAST-сканирования с использованием Fortify on Demand/Fortify Hosted/Software Security Center | ||
- name: Run FoD SAST Scan | ||
uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418 | ||
with: | ||
sast-scan: true | ||
env: | ||
### Required configuration when integrating with Fortify on Demand | ||
### Необходимая конфигурация для интеграции с Fortify on Demand | ||
FOD_URL: https://ams.fortify.com | ||
FOD_TENANT: ${{secrets.FOD_TENANT}} | ||
FOD_USER: ${{secrets.FOD_USER}} | ||
FOD_PASSWORD: ${{secrets.FOD_PAT}} | ||
### Optional configuration when integrating with Fortify on Demand | ||
# EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if | ||
# Debricked SCA scan is enabled on Fortify on Demand | ||
# EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options | ||
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>; may | ||
# replace app+release name with numeric release ID | ||
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' | ||
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard | ||
### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral | ||
# SSC_URL: ${{secrets.SSC_URL}} # SSC URL | ||
# SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken | ||
# SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token | ||
# SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan; | ||
# usually defined as organization or repo variable | ||
### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral | ||
# EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options | ||
# SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: <org>/<repo>:<branch> | ||
# EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options | ||
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' | ||
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard | ||
FOD_TENANT: ${{ secrets.FOD_TENANT }} | ||
FOD_USER: ${{ secrets.FOD_USER }} | ||
FOD_PASSWORD: ${{ secrets.FOD_PASSWORD }} | ||
|