The goal of this lab is to provide hands-on experience configuring a Polaris workflow in GitHub and viewing the results. As part of the lab, we will:
- execute a full scan, viewing the results in the Polaris UI
- break the build based on a policy defined in the Polaris UI
- review the code scanning findings in the GitHub Advanced Security tab
- introduce a vulnerable code change that adds a comment to the Pull Request
This repository contains everything you need to complete the lab except for the two prerequisites listed below.
- Clone this repository into your GitHub account. GitHub → New → Import a Repository Milestone 1 ✔️
  - enter https://github.com/chuckaude/sig-integrations-lab1.git
  - enter repository name, e.g. hello-java
  - leave as public (required for GHAS on free accounts)
- Confirm GITHUB_TOKEN has workflow read & write permissions. GitHub → Project → Settings → Actions → General → Workflow Permissions
- Confirm all GitHub Actions are allowed. GitHub → Project → Settings → Actions → General → Actions Permissions
- Add the following variables, adding POLARIS_ACCESSTOKEN as a secret. GitHub → Project → Settings → Secrets and Variables → Actions
  - POLARIS_SERVERURL
  - POLARIS_ACCESSTOKEN
- Add a coverity.yaml to the project repository. GitHub → Project → Add file → Create new file

```yaml
capture:
  build:
    clean-command: mvn -B clean
    build-command: mvn -B -DskipTests package
analyze:
  checkers:
    webapp-security:
      enabled: true
```
- From the Polaris UI, create an application and assign SAST and SCA subscriptions. Note: application name must match what is defined in the workflow, e.g. chuckaude-hello-java ← replace my name with your name
- Create a new workflow. GitHub → Project → Actions → New Workflow → Setup a workflow yourself Milestone 2 ✔️

```yaml
# example workflow for Polaris scans using the Synopsys Action
# https://github.com/marketplace/actions/synopsys-action
name: polaris
on:
  push:
    branches: [ main, master, develop, stage, release ]
  pull_request:
    branches: [ main, master, develop, stage, release ]
  workflow_dispatch:
jobs:
  polaris:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Source
      uses: actions/checkout@v4
    - name: Setup Java JDK
      uses: actions/setup-java@v4
      with:
        java-version: 17
        distribution: microsoft
        cache: maven
    - name: Polaris Scan
      uses: synopsys-sig/synopsys-action@v1.9.0
      with:
        polaris_server_url: ${{ vars.POLARIS_SERVERURL }}
        polaris_access_token: ${{ secrets.POLARIS_ACCESSTOKEN }}
        polaris_assessment_types: 'SAST,SCA'
        polaris_application_name: chuckaude-${{ github.event.repository.name }}
        polaris_project_name: ${{ github.event.repository.name }}
        polaris_prComment_enabled: 'true'
        polaris_reports_sarif_create: 'true'
        polaris_upload_sarif_report: 'true'
        github_token: ${{ secrets.GITHUB_TOKEN }}
#    - name: Save Logs
#      if: always()
#      uses: actions/upload-artifact@v4
#      with:
#        name: bridge-logs
#        path: ${{ github.workspace }}/.bridge
```
- Monitor your workflow run and wait for the scan to complete. GitHub → Project → Actions → Polaris → Most recent workflow run → Polaris
- Note that the scan completes and the workflow passes. This is because the default policy is to notify on critical & high issues.
- From the Polaris UI, create a policy that breaks the build and assign it to your project.
- Rerun the workflow, and once it completes, select Summary in the upper left to see policy enforcement and a failed workflow. Milestone 3 ✔️
- View findings in the GitHub Advanced Security tab. GitHub → Project → Security → Code scanning Milestone 4 ✔️
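To make the "notify" versus "break the build" distinction above concrete, here is an added example (not part of the lab or the Synopsys Action) that reads a SARIF report like the one the workflow creates and uploads, buckets each result by severity, and returns pass/fail for a chosen policy. The SARIF sample is constructed; the `security-severity` rule property is the field GitHub code scanning reads, and the CVSS-style bucket thresholds are this example's assumption, not Polaris's own mapping.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 fragment standing in for the uploaded report.
# Rule ids and scores are made up; only the runs/rules/results layout is standard.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Polaris", "rules": [
            {"id": "SQLI", "properties": {"security-severity": "9.8"}},
            {"id": "XSS", "properties": {"security-severity": "7.5"}},
            {"id": "INFO_LEAK", "properties": {"security-severity": "3.1"}},
        ]}},
        "results": [
            {"ruleId": "SQLI", "level": "error", "message": {"text": "constructed"}},
            {"ruleId": "XSS", "level": "warning", "message": {"text": "constructed"}},
            {"ruleId": "INFO_LEAK", "level": "note", "message": {"text": "constructed"}},
        ],
    }],
})

# Fallback when a rule carries no security-severity score (assumed mapping).
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low"}

def bucket(score):
    """Map a CVSS-style score to critical/high/medium/low (assumed thresholds)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def count_by_severity(sarif_text):
    """Return a Counter of results per severity bucket across all runs."""
    doc = json.loads(sarif_text)
    counts = Counter()
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            props = rules.get(result.get("ruleId"), {}).get("properties", {})
            score = props.get("security-severity")
            if score is not None:
                counts[bucket(float(score))] += 1
            else:
                counts[LEVEL_FALLBACK.get(result.get("level"), "low")] += 1
    return counts

def evaluate(counts, fail_on=("critical", "high")):
    """Return ('fail', n) if any result falls in a blocking bucket, else ('pass', 0).
    An empty fail_on reproduces the lab's default notify-only behaviour."""
    blocking = sum(counts[s] for s in fail_on)
    return ("fail" if blocking else "pass"), blocking
```

Run `evaluate(count_by_severity(SAMPLE_SARIF), fail_on=())` for the notify-only default and `evaluate(count_by_severity(SAMPLE_SARIF))` for the build-breaking policy.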
- Edit pom.xml. GitHub → Project → Code → pom.xml → Edit pencil icon upper right
  - change the log4j version from 2.14.1 to 2.15.0
- Click on Commit Changes, select create a new branch and start a PR
- Review changes and click on Create Pull Request
- Monitor the workflow run. GitHub → Project → Actions → Polaris → Most recent workflow run → Polaris
- Once the workflow completes, navigate back to the PR and see the PR comment. GitHub → Project → Pull requests Milestone 5 ✔️
You have now configured a Polaris workflow in GitHub and demonstrated all the current post-scan CI features. 👏 🏆