* PA-11698 SAST Wrapper Script * readme * workflows * added local installation * code review
1 parent bc44c22, commit 901a67b
Showing 13 changed files with 719 additions and 2 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
### Changes: | ||
- Description of the change | ||
- Updated package.json version | ||
|
||
**Ticket:** https://soos.atlassian.net/browse/PA-0000 | ||
|
||
<!--- | ||
If you want to create a release make sure to bump the version on package.json, once it's merged just push a tag with the version | ||
eg if package version is 1.0.0 push a tag with the version v1.0.0 (make sure to use the v as a prefix). | ||
This will be enough to release a new version | ||
--> |
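Review bot: the `**Ticket:**` line hard-codes the placeholder https://soos.atlassian.net/browse/PA-0000, so any PR opened without editing the template links to a ticket that does not exist; an obviously non-numeric token such as `PA-XXXX`, or an HTML comment around the line, makes a forgotten placeholder stand out in review. The release instructions in the HTML comment should be kept in sync with the publish workflow, since it is the `v*` tag push that actually triggers publication.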
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
name: "CodeQL" | ||
|
||
on: | ||
push: | ||
branches: [ "main" ] | ||
pull_request: | ||
# The branches below must be a subset of the branches above | ||
branches: [ "main" ] | ||
schedule: | ||
- cron: '15 15 * * 3' | ||
|
||
jobs: | ||
analyze: | ||
name: Analyze | ||
runs-on: ubuntu-latest | ||
permissions: | ||
actions: read | ||
contents: read | ||
security-events: write | ||
|
||
strategy: | ||
fail-fast: false | ||
matrix: | ||
language: [ 'typescript' ] | ||
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: Initialize CodeQL | ||
uses: github/codeql-action/init@v2 | ||
with: | ||
languages: ${{ matrix.language }} | ||
# If you wish to specify custom queries, you can do so here or in a config file. | ||
# By default, queries listed here will override any specified in a config file. | ||
# Prefix the list here with "+" to use these queries and those in the config file. | ||
|
||
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | ||
# queries: security-extended,security-and-quality | ||
|
||
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | ||
# If this step fails, then you should remove it and run the build manually (see below) | ||
- name: Autobuild | ||
uses: github/codeql-action/autobuild@v2 | ||
|
||
- name: Perform CodeQL Analysis | ||
uses: github/codeql-action/analyze@v2 | ||
with: | ||
category: "/language:${{matrix.language}}" |
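Review bot: the three `github/codeql-action/*@v2` steps reference the deprecated v2 major of the CodeQL action while `actions/checkout@v4` is current; move them to `@v3`, and for supply-chain hardening pin every action to a full commit SHA (with the version tag in a trailing comment) instead of a mutable tag. The `Autobuild` step (`uses: github/codeql-action/autobuild@v2`) is, as its own comment says, for compiled languages, so it adds nothing for a `language: [ 'typescript' ]` matrix and can be dropped. The `permissions:` block scoped to `actions: read`, `contents: read` and `security-events: write` is the right least-privilege shape; keep it.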
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
name: Publish to npm | ||
|
||
on: | ||
push: | ||
tags: | ||
- "v*" | ||
|
||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
|
||
- name: Use Node.js | ||
uses: actions/setup-node@v3 | ||
with: | ||
node-version: 18 | ||
registry-url: "https://registry.npmjs.org" | ||
|
||
- name: Install dependencies | ||
run: npm ci | ||
|
||
- name: Build | ||
run: npm run build | ||
|
||
- name: Publish to npm | ||
run: npm publish | ||
env: | ||
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
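Review bot: the `build` job has no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` permissions while also holding the long-lived `secrets.NPM_TOKEN`; add `permissions: contents: read` at the job level. As written, any push of a `v*` tag by anyone with tag-push rights publishes straight to the registry with no test step, so consider gating the `Publish to npm` step behind a protected environment and running the test suite between `npm run build` and `npm publish`; if the package moves to npm provenance, the job will additionally need `id-token: write` and `npm publish --provenance`. Also `actions/setup-node@v3` sits next to `actions/checkout@v4`; bump it to v4 and pin both to commit SHAs.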
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
/node_modules | ||
/bin |
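Review bot: `/bin` is a build output that is neither committed here nor excluded by `.npmignore`, so the published package is only correct when `npm run build` has run first; the publish workflow does that, but a local `npm publish` would ship a stale or empty `bin`. A `prepublishOnly` script in `package.json` that runs the build closes that gap.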
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
tsconfig.json | ||
.prettierrc | ||
/.vscode | ||
/.github | ||
/src |
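Review bot: `.npmignore` is a deny-list, so any new file added to the repository root (a local `.env`, an editor backup, a test fixture) is shipped to npm unless someone remembers to list it here; a `"files"` allow-list in `package.json` (e.g. `["bin"]`, given that the README's entry point is `bin/index.js`) is the safer default. Note also that once `.npmignore` exists npm no longer consults `.gitignore`, which is what lets the git-ignored `/bin` directory reach the package, so the two lists have to be maintained independently.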
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
{ | ||
"parser": "typescript", | ||
"printWidth": 100, | ||
"quoteProps": "consistent", | ||
"endOfLine": "auto" | ||
} |
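Review bot: setting `"parser": "typescript"` at the top level of `.prettierrc` applies to every file Prettier formats, not only `.ts` files, so with `editor.formatOnSave` enabled it will try to parse JSON and Markdown with the TypeScript parser; Prettier infers the parser from the file extension by default, so drop the key or move it into an `overrides` entry scoped to `*.ts`.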
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
{ | ||
"editor.tabSize": 2, | ||
"editor.formatOnSave": true, | ||
"editor.defaultFormatter": "esbenp.prettier-vscode", | ||
"prettier.configPath": "./.prettierrc", | ||
"cSpell.words": [ | ||
"Levelkey", | ||
"SAST", | ||
"SOOS" | ||
], | ||
"sarif-viewer.connectToGithubCodeScanning": "off", | ||
} |
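Review bot: the trailing comma after `"sarif-viewer.connectToGithubCodeScanning": "off",` makes the file invalid strict JSON; VS Code tolerates it because `settings.json` is parsed as JSONC, but any other tool reading the file will reject it, so drop the comma.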
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,46 @@ | ||
# soos-sast | ||
SOOS wrapper script to upload SAST files. | ||
# [SOOS SAST](https://soos.io/products/sast) | ||
|
||
SOOS is an independent software security company, located in Winooski, VT USA, building security software for your team. [SOOS, Software security, simplified](https://soos.io). | ||
|
||
Use SOOS to scan your software for [vulnerabilities](https://app.soos.io/research/vulnerabilities) and [open source license](https://app.soos.io/research/licenses) issues with [SOOS Core SCA](https://soos.io/sca-product). [Generate SBOMs](https://kb.soos.io/help/generating-a-software-bill-of-materials-sbom). Govern your open source dependencies. Run the [SOOS DAST vulnerability scanner](https://soos.io/dast-product) against your web apps or APIs. | ||
|
||
[Demo SOOS](https://app.soos.io/demo) or [Register for a Free Trial](https://app.soos.io/register). | ||
|
||
If you maintain an Open Source project, sign up for the Free as in Beer [SOOS Community Edition](https://soos.io/products/community-edition). | ||
|
||
## Requirements | ||
- [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) | ||
|
||
## Installation | ||
|
||
### Globally | ||
run `npm i -g @soos-io/soos-sast@latest` | ||
Then Run `soos-sast` from any terminal and add the parameters you want. | ||
|
||
### Locally | ||
run `npm install --prefix ./soos @soos-io/soos-sast` | ||
Then run from the same terminal `node ./soos/node_modules/@soos-io/soos-sast/bin/index.js` | ||
|
||
## Parameters | ||
|
||
|
||
| Argument | Default | Description | | ||
| ----------------------- | ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | | ||
| `--apiKey` | `getEnvVariable(CONSTANTS.SOOS.API_KEY_ENV_VAR)` | SOOS API Key - get yours from [SOOS Integration](https://app.soos.io/integrate/sast). | | ||
| `--apiURL` | `"https://api.soos.io/api/"` | SOOS API URL - Intended for internal use only, do not modify. | | ||
| `--appVersion` | N/A | App Version - Intended for internal use only. | | ||
| `--branchName` | `null` | The name of the branch from the SCM System. | | ||
| `--branchURI` | `null` | The URI to the branch from the SCM System. | | ||
| `--buildURI` | `null` | URI to CI build info. | | ||
| `--buildVersion` | `null` | Version of application build artifacts. | | ||
| `--clientId` | `getEnvVariable(CONSTANTS.SOOS.CLIENT_ID_ENV_VAR)` | SOOS Client ID - get yours from [SOOS Integration](https://app.soos.io/integrate/sast). | | ||
| `--commitHash` | `null` | The commit hash value from the SCM System. | | ||
| `--integrationName` | N/A | Integration Name - Intended for internal use only. | | ||
| `--integrationType` | N/A | Integration Type - Intended for internal use only. | | ||
| `--logLevel` | `LogLevel.INFO` | Minimum level to show logs: PASS, IGNORE, INFO, WARN, or FAIL. | | ||
| `--operatingEnvironment`| `null` | Set Operating environment for information purposes only. | | ||
| `--otherOptions` | `null` | Other Options to pass to syft. | | ||
| `--projectName` | N/A | Project Name - this is what will be displayed in the SOOS app. | | ||
| `--scriptVersion` | N/A | Script Version - Intended for internal use only. | | ||
| `--verbose` | `false` | Enable verbose logging. | | ||
| `sastPath` | N/A | The SAST File to scan (*.sarif.json), it could be the location of the file or the file itself. When location is specified only the first file found will be scanned. | |
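Review bot: the `--otherOptions` row reads "Other Options to pass to syft", but syft is an SBOM generator and has no role in a script that uploads existing `*.sarif.json` results; fix the description or drop the flag if it was carried over from another README. The `--apiKey` and `--clientId` defaults are shown as the code expressions `getEnvVariable(CONSTANTS.SOOS.API_KEY_ENV_VAR)` and `getEnvVariable(CONSTANTS.SOOS.CLIENT_ID_ENV_VAR)`, which tell a user nothing about which environment variable to set; name the variables, and since both values are credentials, recommend the environment variable over the command-line flag, which ends up in shell history and process listings. `sastPath` is the only positional argument yet is listed among the `--` flags; mark it as positional.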
Some generated files are not rendered by default.