pixee

GitHub Action

Upload Tool Results To Pixeebot

v1.1.3 Latest version

Uploads results from a code scanning tool to Pixeebot, so that Pixeebot may automatically fix issues found

Installation

Copy and paste the following snippet into your .yml file.

- name: Upload Tool Results To Pixeebot
  uses: pixee/upload-tool-results-action@v1.1.3

Learn more about this action in pixee/upload-tool-results-action

Pixeebot Code Scanning Tool Integration

GitHub Action for uploading code scanning results to Pixeebot so that it can fix the issues the scanning tool found.

For SonarCloud Users

For SonarCloud integration, the pixee/upload-tool-results-action must be configured to execute only after the SonarCloud GitHub App completes a check. The sonar-pixeebot.yml example workflow includes the requisite configuration and is generic enough to apply to most repositories without modification.

  1. Copy the example sonarcloud-pixeebot.yml workflow to the repository's .github/workflows directory.
  2. Set the SONAR_TOKEN secret. Create a SonarCloud token at https://sonarcloud.io/account/security. See Using secrets in GitHub Actions.

For SonarQube Users

For SonarQube integration, the pixee/upload-tool-results-action must be configured to execute after SonarQube has completed its analysis. In a typical GitHub Action workflow that includes SonarQube, the step that performs the SonarQube analysis will be followed by a step that applies the SonarQube Quality Gate. The pixee/upload-tool-results-action should follow the SonarQube Quality Gate. The workflow should be configured to run the pixee/upload-tool-results-action step regardless of the outcome of the quality gate, so that Pixeebot may fix the issues preventing the quality gate from passing.

The pixee/upload-tool-results-action requires a SonarQube user token that is permitted to read Security Hotspots. Typically, the SONAR_TOKEN secret in a GitHub Actions workflow is a project analysis token, and a project analysis token does not have the requisite permissions to read Security Hotspots. Store the user token in a separate secret, PIXEE_SONAR_TOKEN, to avoid confusing it with the usual project analysis token.

- name: SonarQube Quality Gate Check
  uses: sonarsource/sonarqube-quality-gate-action@master
  env:
    SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

- name: Upload SonarQube Results to Pixeebot
  uses: pixee/upload-tool-results-action@v1
  # Run even when the quality gate fails, but only if the preceding analysis
  # step (id: sonarqube-analysis) succeeded, so there are results to upload.
  if: always() && steps.sonarqube-analysis.outcome == 'success'
  with:
    tool: sonar
    sonar-api-url: ${{ vars.SONAR_HOST_URL }}/api
    # User token that can read Security Hotspots, not the project analysis token.
    sonar-token: ${{ secrets.PIXEE_SONAR_TOKEN }}
    sonar-component-key: "<insert-my-sonar-project-key>"

Note

SonarQube Community Edition lacks the features necessary for Pixee's PR experience.

Complete Examples

The following are examples of complete workflows that send SonarQube results from the default branch to Pixee for inclusion in Pixeebot's next continuous improvement campaign analysis.

Tip

The continuous improvement campaign regularly sends fixes for the project's default branch. To request that Pixeebot's continuous improvement campaign send fixes to the default branch immediately, add a comment with the contents "@pixeebot next" to any PR or issue in the repository.

Permissions

All workflows using this action must include the id-token: write permission.

permissions:
  contents: read
  id-token: write

The action uses this permission to create a GitHub token to authenticate to the Pixee API. The Pixee API verifies that the GitHub-signed token originated from an authorized GitHub workflow.
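A complete SonarQube workflow that combines the step ordering from the SonarQube section with this permissions block. It is added here as an illustration and is not one of the project's own example files; the checkout step, the sonarsource/sonarqube-scan-action analysis step and its ref, the step id sonarqube-analysis and the main branch name are assumptions, while the quality gate and upload steps are as given above.

```yaml
name: SonarQube to Pixeebot

on:
  push:
    branches: [main]   # assumed default branch name; adjust for your repository

permissions:
  contents: read
  id-token: write      # lets the Pixee action obtain a GitHub-signed token for the Pixee API

jobs:
  sonarqube-pixeebot:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so Sonar can attribute new issues correctly

      - name: SonarQube Analysis
        id: sonarqube-analysis   # assumed id; referenced by the upload step's `if` below
        uses: sonarsource/sonarqube-scan-action@master   # assumed analysis action
        env:
          SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}        # project analysis token

      - name: SonarQube Quality Gate Check
        uses: sonarsource/sonarqube-quality-gate-action@master
        env:
          SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

      # Runs even when the quality gate fails, but only if the analysis itself
      # succeeded, so Pixeebot can fix the findings that are blocking the gate.
      - name: Upload SonarQube Results to Pixeebot
        if: always() && steps.sonarqube-analysis.outcome == 'success'
        uses: pixee/upload-tool-results-action@v1
        with:
          tool: sonar
          sonar-api-url: ${{ vars.SONAR_HOST_URL }}/api
          # User token permitted to read Security Hotspots, kept in its own secret
          sonar-token: ${{ secrets.PIXEE_SONAR_TOKEN }}
          sonar-component-key: "<insert-my-sonar-project-key>"
```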

Inputs

Detailed description of the inputs exposed by the pixee/upload-tool-results-action:

- uses: pixee/upload-tool-results-action
  with:
    # The supported code scanning tool that produced the results being uploaded to Pixeebot.
    # Allowed values: 'sonar', 'codeql', 'semgrep', 'defectdojo', 'contrast'
    # Required
    tool:

    # Token for authenticating requests to SonarCloud.
    # Required when tool is "sonar" and "file" has not been set. Only required for private repositories.
    sonar-token:

    # Key identifying the SonarCloud component to be analyzed. Only necessary if deviating from SonarCloud's established convention.
    # Default: `owner_repo`
    sonar-component-key:

    # Base URL of the Sonar API. Use this to switch from SonarCloud to SonarQube.
    # Default: https://sonarcloud.io/api
    sonar-api-url:

    # Token for authenticating requests to DefectDojo.
    defectdojo-token:

    # Key identifying the DefectDojo product (repository) to be analyzed.
    defectdojo-product-name:

    # Base URL of the DefectDojo API.
    defectdojo-api-url:

    # Base URL of the Contrast API.
    contrast-api-url:

    # Unique identifier for the organization in Contrast that needs to be analyzed.
    contrast-org-id:

    # Unique identifier for the specific application within Contrast.
    contrast-app-id:

    # API key for authenticating requests to Contrast.
    contrast-api-key:

    # Token for authenticating requests to Contrast.
    contrast-token:

    # The base URL of the Pixee API
    # Default: https://api.pixee.ai
    pixee-api-url:

    # Path to the tool's results file to upload to Pixeebot. This does not apply to SonarCloud integration, because the action retrieves the results directly from SonarCloud.
    # Required, when `tool` is not "sonar"
    file:

How Does It Work?

The following diagram illustrates how the action moves results from Sonar to Pixeebot and then back to GitHub.

sequenceDiagram
    participant GitHub
    participant SonarApp as Sonar GitHub App
    participant PixeeAction as Pixee GitHub Action
    participant Pixeebot as Pixeebot

    GitHub->>SonarApp: Trigger Sonar Analysis
    SonarApp-->>GitHub: Sonar Check Run Completed
    GitHub->>PixeeAction: Trigger Pixeebot GitHub Action
    PixeeAction->>SonarApp: Retrieve Sonar Results
    PixeeAction->>Pixeebot: Upload Results
    Pixeebot-->>GitHub: Automatically Fix Issues

The code scanning results will feed both Pixeebot's continuous improvement and pull request hardening features.

  • When the code quality tool finds issues on an open PR, Pixeebot opens another PR to fix those issues.
  • When the code quality tool finds issues on a commit that has been merged to the default branch, Pixeebot considers those results in its next continuous improvement PR.