Add Synopsys Security Scan Workflow #3
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This file is parttly based on https://github.com/marketplace/actions/synopsys-intelligent-security-scan. | |
| name: "Synopsys Intelligent Security Scan" | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| schedule: | |
| - cron: '30 2 * * *' # Run once per day | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| # Set fail-fast to false to ensure that feedback is delivered for all matrix combinations. Consider changing this to true when your workflow is stable. | |
| fail-fast: false | |
| # Set up a matrix to run the following 3 configurations: | |
| # 1. <Windows, Release, latest MSVC compiler toolchain on the default runner image, default generator> | |
| # 2. <Linux, Release, latest GCC compiler toolchain on the default runner image, default generator> | |
| # 3. <Linux, Release, latest Clang compiler toolchain on the default runner image, default generator> | |
| # | |
| # To add more build types (Release, Debug, RelWithDebInfo, etc.) customize the build_type list. | |
| matrix: | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| build_type: [Release, Debug] | |
| c_compiler: [gcc, clang, cl] | |
| include: | |
| - os: windows-latest | |
| c_compiler: cl | |
| cpp_compiler: cl | |
| - os: ubuntu-latest | |
| c_compiler: gcc | |
| cpp_compiler: g++ | |
| - os: ubuntu-latest | |
| c_compiler: clang | |
| cpp_compiler: clang++ | |
| - os: macos-latest | |
| c_compiler: gcc | |
| cpp_compiler: g++ | |
| - os: macos-latest | |
| c_compiler: clang | |
| cpp_compiler: clang++ | |
| exclude: | |
| - os: windows-latest | |
| c_compiler: gcc | |
| - os: windows-latest | |
| c_compiler: clang | |
| - os: ubuntu-latest | |
| c_compiler: cl | |
| - os: macos-latest | |
| c_compiler: cl | |
| steps: | |
| - uses: actions/checkout@v3 | |
| # If this run was triggered by a pull request event, then checkout | |
| # the head of the pull request instead of the merge commit. | |
| # - run: git checkout HEAD^2 | |
| # if: ${{ github.event_name == 'pull_request' }} | |
| - name: Synopsys Coverity Scan | |
| run: | | |
| curl --form token=${{secrets.SYNOPSYS_ACCESS_TOKEN}} \ | |
| --form email=${{secrets.SYNOPSYS_ACCESS_EMAIL}} \ | |
| --form file=@tarball/file/location \ | |
| --form version="Version" \ | |
| --form description="Description" \ | |
| https://scan.coverity.com/builds?project=franziska-wegner%2Fegoa | |
| # - name: Synopsys Intelligent Security Scan | |
| # id: prescription | |
| # uses: synopsys-sig/[email protected] | |
| # with: | |
| # ioServerUrl: "${{secrets.IO_SERVER_URL}}" | |
| # ioServerToken: "${{secrets.IO_SERVER_TOKEN}}" | |
| # additionalWorkflowArgs: --persona=developer --release.type=minor --sast.rescan.threshold=5 --sca.rescan.threshold=5 | |
| # --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} | |
| # --sensitive.package.pattern='.*(\\+\\+\\+.*(com\\/example\\/app)).*' | |
| # stage: "IO" | |
| # # Please note that the ID in previous step was set to prescription | |
| # # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN | |
| # # is defined in settings | |
| # - name: Static Analysis with Polaris | |
| # if: ${{steps.prescription.outputs.sastScan == 'true' }} | |
| # run: | | |
| # export POLARIS_SERVER_URL=${{secrets.POLARIS_SERVER_URL}} | |
| # export POLARIS_ACCESS_TOKEN=${{secrets.POLARIS_ACCESS_TOKEN}} | |
| # wget -q ${{secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip | |
| # unzip -j -o polaris_cli-linux64.zip -d /tmp | |
| # /tmp/polaris analyze -w | |
| # # Please note that the ID in previous step was set to prescription | |
| # # in order for this logic to work | |
| # - name: Software Composition Analysis with Black Duck | |
| # if: ${{steps.prescription.outputs.scaScan == 'true' }} | |
| # uses: synopsys-sig/[email protected] | |
| # env: | |
| # SPRING_APPLICATION_JSON: '{"detect.project.name":"{{blackduck_project_name}}","detect.project.version":"{{blackduck_project_version}}","detect.tools":"DETECTOR","blackduck.trust.cert":"true"}' | |
| # with: | |
| # github-token: ${{ secrets.GITHUB_TOKEN }} | |
| # detect-version: 7.9.0 | |
| # blackduck-url: ${{ secrets.BLACKDUCK_SERVER_URL}} | |
| # blackduck-api-token: ${{ secrets.BLACKDUCK_TOKEN}} | |
| # scan-mode: INTELLIGENT | |
| # - name: Synopsys Intelligent Security Scan | |
| # uses: synopsys-sig/[email protected] | |
| # with: | |
| # ioServerUrl: "${{secrets.IO_SERVER_URL}}" | |
| # ioServerToken: "${{secrets.IO_SERVER_TOKEN}}" | |
| # workflowServerUrl: "${{secrets.WORKFLOW_SERVER_URL}}" | |
| # additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} | |
| # --slack.channel.id=${{secrets.SLACK_CHANNEL_ID}} --slack.token=${{secrets.SLACK_TOKEN}} | |
| # --polaris.project.name=${{secrets.POLARIS_PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} | |
| # --blackduck.project.name=${{secrets.BLACKDUCK_PROJECT_NAME}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} | |
| # stage: "WORKFLOW" | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@v1 | |
| with: | |
| # Path to SARIF file relative to the root of the repository | |
| sarif_file: workflowengine-results.sarif.json |