Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: spring-projects/spring-petclinic
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: main
Choose a base ref
...
head repository: jfrog/spring-petclinic
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: main
Choose a head ref
Able to merge. These branches can be automatically merged.
  • 3 commits
  • 1 file changed
  • 1 contributor

Commits on Mar 28, 2025

  1. Merge pull request #2 from spring-projects/main 

    Update with latest fork branch
    @krishnamanchikalapudi
    krishnamanchikalapudi authored Mar 28, 2025
    Copy the full SHA
    a222b5b View commit details

Commits on Apr 1, 2025

  1. Create frogbot-scan-and-fix.yml

    @krishnamanchikalapudi
    krishnamanchikalapudi authored Apr 1, 2025
    Copy the full SHA
    0eae653 View commit details

  2. Merge pull request #3 from jfrog/krishnamanchikalapudi-patch-2 

    Create frogbot-scan-and-fix.yml
    @krishnamanchikalapudi
    krishnamanchikalapudi authored Apr 1, 2025
    Copy the full SHA
    185320b View commit details
Showing with 104 additions and 0 deletions.
  1. +104 −0 .github/workflows/frogbot-scan-and-fix.yml
104 changes: 104 additions & 0 deletions .github/workflows/frogbot-scan-and-fix.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# Frogbot Scan and Fix does the following:
# Automatically creates pull requests with fixes for vulnerable project dependencies.
# Uses JFrog Xray to scan the project.
# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot

# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration

name: "Frogbot Scan and Fix"
on:
push:
branches: [ "main" ]
pull_request_target:
types: [opened, synchronize]
permissions:
contents: write
pull-requests: write
security-events: write
# [Mandatory If using OIDC authentication protocol instead of JF_ACCESS_TOKEN]
id-token: write
jobs:
create-fix-pull-requests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

# - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2
- uses: jfrog/frogbot@v2 # ref: https://github.com/jfrog/frogbot
# [Mandatory if using OIDC authentication protocol instead of JF_ACCESS_TOKEN]
# Insert to oidc-provider-name the 'Provider Name' defined in the OIDC integration configured in the JPD
with:
oidc-provider-name: "jfrog-spring-petclinic"
env:
# [Mandatory if the two conditions below are met]
# 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
# 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
#
# The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore")
# JF_INSTALL_DEPS_CMD: ""

# [Mandatory]
# JFrog platform URL
# JF_URL: ${{ secrets.JF_URL }}
JF_URL: "https://psazuse.jfrog.io"

# [Mandatory if JF_USER and JF_PASSWORD are not provided]
# JFrog access token with 'read' permissions on Xray service
#JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}

# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
# JF_USER: ${{ secrets.JF_USER }}

# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog password. Must be provided with JF_USER
# JF_PASSWORD: ${{ secrets.JF_PASSWORD }}

# [Mandatory]
# The GitHub token automatically generated for the job
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# [Optional]
# If the machine that runs Frogbot has no access to the internat, set the name of a remote repository
# in Artifactory, which proxies https://releases.jfrog.io/artifactory
# The 'frogbot' executable and other tools it needs will be downloaded through this repository.
# JF_RELEASES_REPO: ""

# [Optional]
# Frogbot will download the project dependencies, if they're not cached locally. To download the
# dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no
# need to set this value, if it is set in the frogbot-config.yml file.
# JF_DEPS_REPO: ""

# [Optional, default: "FALSE"]
# Displays all existing vulnerabilities, including the ones that were added by the pull request.
JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"

# [Optional, default: "FALSE"]
# When adding new comments on pull requests, keep old comments that were added by previous scans.
JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"

# [Optional, default: "TRUE"]
# Fails the Frogbot task if any security issue is found.
JF_FAIL: "FALSE"

# [Optional]
# Frogbot will download the project dependencies if they're not cached locally. To download the
# dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
# need to set this value, if it is set in the frogbot-config.yml file.
# JF_DEPS_REPO: ""

# [Optional, Default: "FALSE"]
# If TRUE, Frogbot creates a single pull request with all the fixes.
# If false, Frogbot creates a separate pull request for each fix.
# JF_GIT_AGGREGATE_FIXES: "FALSE"
JF_GIT_AGGREGATE_FIXES: "TRUE"

# [Optional]
# Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
# The following values are accepted: Low, Medium, High or Critical
JF_MIN_SEVERITY: "Low"