PA-11698 SAST Wrapper Script (#1)

* PA-11698 SAST Wrapper Script

* readme

* workflows

* added local installation

* code review

.github/pull_request_template.md

@@ -0,0 +1,11 @@
+### Changes:
+  - Description of the change
+  - Updated package.json version
+
+**Ticket:** https://soos.atlassian.net/browse/PA-0000
+
+<!---
+If you want to create a release make sure to bump the version on package.json, once it's merged just push a tag with the version
+eg if package version is 1.0.0 push a tag with the version v1.0.0 (make sure to use the v as a prefix).
+ This will be enough to release a new version
+-->

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,50 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  schedule:
+    - cron: '15 15 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'typescript' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/publish.yml

@@ -0,0 +1,31 @@
+name: Publish to npm
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Use Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Publish to npm
+        run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.gitignore

@@ -0,0 +1,2 @@
+/node_modules
+/bin

.npmignore

@@ -0,0 +1,5 @@
+tsconfig.json
+.prettierrc
+/.vscode
+/.github
+/src

.prettierrc

@@ -0,0 +1,6 @@
+{
+  "parser": "typescript",
+  "printWidth": 100,
+  "quoteProps": "consistent",
+  "endOfLine": "auto"
+}

.vscode/settings.json

@@ -0,0 +1,12 @@
+{
+    "editor.tabSize": 2,
+    "editor.formatOnSave": true,
+    "editor.defaultFormatter": "esbenp.prettier-vscode",
+    "prettier.configPath": "./.prettierrc",
+    "cSpell.words": [
+      "Levelkey",
+      "SAST",
+      "SOOS"
+    ],
+    "sarif-viewer.connectToGithubCodeScanning": "off",
+  }

README.md

@@ -1,2 +1,46 @@
-# soos-sast
-SOOS wrapper script to upload SAST files.
+# [SOOS SAST](https://soos.io/products/sast)
+
+SOOS is an independent software security company, located in Winooski, VT USA, building security software for your team. [SOOS, Software security, simplified](https://soos.io).
+
+Use SOOS to scan your software for [vulnerabilities](https://app.soos.io/research/vulnerabilities) and [open source license](https://app.soos.io/research/licenses) issues with [SOOS Core SCA](https://soos.io/sca-product). [Generate SBOMs](https://kb.soos.io/help/generating-a-software-bill-of-materials-sbom). Govern your open source dependencies. Run the [SOOS DAST vulnerability scanner](https://soos.io/dast-product) against your web apps or APIs.
+
+[Demo SOOS](https://app.soos.io/demo) or [Register for a Free Trial](https://app.soos.io/register).
+
+If you maintain an Open Source project, sign up for the Free as in Beer [SOOS Community Edition](https://soos.io/products/community-edition).
+
+## Requirements
+  - [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm)
+
+## Installation
+
+### Globally
+run `npm i -g @soos-io/soos-sast@latest`
+Then Run `soos-sast` from any terminal and add the parameters you want.
+
+### Locally
+run `npm install --prefix ./soos @soos-io/soos-sast`
+Then run from the same terminal `node ./soos/node_modules/@soos-io/soos-sast/bin/index.js`
+
+## Parameters
+
+
+| Argument                | Default                                   | Description                                                                                                                          |
+| ----------------------- | ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
+| `--apiKey`              | `getEnvVariable(CONSTANTS.SOOS.API_KEY_ENV_VAR)` | SOOS API Key - get yours from [SOOS Integration](https://app.soos.io/integrate/sast).                                           |
+| `--apiURL`              | `"https://api.soos.io/api/"`              | SOOS API URL - Intended for internal use only, do not modify.                                                                       |
+| `--appVersion`          | N/A                                       | App Version - Intended for internal use only.                                                                                      |
+| `--branchName`          | `null`                                    | The name of the branch from the SCM System.                                                                                         |
+| `--branchURI`           | `null`                                    | The URI to the branch from the SCM System.                                                                                          |
+| `--buildURI`            | `null`                                    | URI to CI build info.                                                                                                               |
+| `--buildVersion`        | `null`                                    | Version of application build artifacts.                                                                                             |
+| `--clientId`            | `getEnvVariable(CONSTANTS.SOOS.CLIENT_ID_ENV_VAR)` | SOOS Client ID - get yours from [SOOS Integration](https://app.soos.io/integrate/sast).                                           |
+| `--commitHash`          | `null`                                    | The commit hash value from the SCM System.                                                                                         |
+| `--integrationName`     | N/A                                       | Integration Name - Intended for internal use only.                                                                                 |
+| `--integrationType`     | N/A                                       | Integration Type - Intended for internal use only.                                                                                 |
+| `--logLevel`            | `LogLevel.INFO`                          | Minimum level to show logs: PASS, IGNORE, INFO, WARN, or FAIL.                                                                      |
+| `--operatingEnvironment`| `null`                                    | Set Operating environment for information purposes only.                                                                           |
+| `--otherOptions`        | `null`                                    | Other Options to pass to syft.                                                                                                      |
+| `--projectName`         | N/A                                       | Project Name - this is what will be displayed in the SOOS app.                                                                     |
+| `--scriptVersion`       | N/A                                       | Script Version - Intended for internal use only.                                                                                   |
+| `--verbose`             | `false`                                   | Enable verbose logging.                                                                                                             |
+| `sastPath`              | N/A                                       | The SAST File to scan (*.sarif.json), it could be the location of the file or the file itself. When location is specified only the first file found will be scanned. |