Add Synopsys Security Scan Workflow #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This file is based on https://github.com/marketplace/actions/synopsys-intelligent-security-scan. | |
name: "Synopsys Intelligent Security Scan" | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
jobs: | |
security: | |
name: security scans | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v2 | |
# If this run was triggered by a pull request event, then checkout | |
# the head of the pull request instead of the merge commit. | |
- run: git checkout HEAD^2 | |
if: ${{ github.event_name == 'pull_request' }} | |
- name: Synopsys Intelligent Security Scan | |
id: prescription | |
uses: synopsys-sig/[email protected] | |
with: | |
ioServerUrl: "${{secrets.IO_SERVER_URL}}" | |
ioServerToken: "${{secrets.IO_SERVER_TOKEN}}" | |
additionalWorkflowArgs: --persona=developer --release.type=minor --sast.rescan.threshold=5 --sca.rescan.threshold=5 | |
--polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} | |
--sensitive.package.pattern='.*(\\+\\+\\+.*(com\\/example\\/app)).*' | |
stage: "IO" | |
# Please note that the ID in previous step was set to prescription | |
# in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN | |
# is defined in settings | |
- name: Static Analysis with Polaris | |
if: ${{steps.prescription.outputs.sastScan == 'true' }} | |
run: | | |
export POLARIS_SERVER_URL=${{secrets.POLARIS_SERVER_URL}} | |
export POLARIS_ACCESS_TOKEN=${{secrets.POLARIS_ACCESS_TOKEN}} | |
wget -q ${{secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip | |
unzip -j -o polaris_cli-linux64.zip -d /tmp | |
/tmp/polaris analyze -w | |
# Please note that the ID in previous step was set to prescription | |
# in order for this logic to work | |
- name: Software Composition Analysis with Black Duck | |
if: ${{steps.prescription.outputs.scaScan == 'true' }} | |
uses: synopsys-sig/[email protected] | |
env: | |
SPRING_APPLICATION_JSON: '{"detect.project.name":"{{blackduck_project_name}}","detect.project.version":"{{blackduck_project_version}}","detect.tools":"DETECTOR","blackduck.trust.cert":"true"}' | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
detect-version: 7.9.0 | |
blackduck-url: ${{ secrets.BLACKDUCK_SERVER_URL}} | |
blackduck-api-token: ${{ secrets.BLACKDUCK_TOKEN}} | |
scan-mode: INTELLIGENT | |
- name: Synopsys Intelligent Security Scan | |
uses: synopsys-sig/[email protected] | |
with: | |
ioServerUrl: "${{secrets.IO_SERVER_URL}}" | |
ioServerToken: "${{secrets.IO_SERVER_TOKEN}}" | |
workflowServerUrl: "${{secrets.WORKFLOW_SERVER_URL}}" | |
additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} | |
--slack.channel.id=${{secrets.SLACK_CHANNEL_ID}} --slack.token=${{secrets.SLACK_TOKEN}} | |
--polaris.project.name=${{secrets.POLARIS_PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} | |
--blackduck.project.name=${{secrets.BLACKDUCK_PROJECT_NAME}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} | |
stage: "WORKFLOW" | |
- name: Upload SARIF file | |
uses: github/codeql-action/upload-sarif@v1 | |
with: | |
# Path to SARIF file relative to the root of the repository | |
sarif_file: workflowengine-results.sarif.json |