diff --git a/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml b/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml index a304ca0cb..bb6a86aa2 100644 --- a/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml +++ b/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml @@ -2,6 +2,10 @@ name: Binary Ready - Veracode Static Code Analysis run-name: Binary Ready - Static Code Analysis - ${{ github.event.client_payload.repository.name }} +concurrency: + group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch }} + cancel-in-progress: true + on: repository_dispatch: types: [binary-ready-veracode-sast-pipeline-scan] 
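Review bot: The new `concurrency.group` is built only from `client_payload` fields, and with `cancel-in-progress: true` anyone who can send this `repository_dispatch` can abort a scan that is already running for a repo/branch just by dispatching again with the same `event_type`/`name`/`branch`. A payload missing one of those fields folds into an empty segment, so partial payloads from unrelated callers can share a group and cancel each other. If superseding a running scan is the intent, record it above the block, e.g. `# A newer dispatch for the same repo+branch cancels the in-flight scan`; otherwise consider dropping `cancel-in-progress` or adding `${{ github.run_id }}` as a fallback segment.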
@@ -17,27 +21,148 @@ jobs: event_type: ${{ github.event.client_payload.event_type }} github_token: ${{ github.event.client_payload.token }} run_id: ${{ github.run_id }} - - pipeline_scan: + branch: ${{ github.event.client_payload.repository.branch }} + + validations: needs: register runs-on: ubuntu-latest + name: Validations + steps: + - name: Verify Veracode API credentials + id: verify_api_creds + uses: veracode/github-actions-integration-helper@v0.1.2 + with: + action: validateVeracodeApiCreds + token: ${{ github.event.client_payload.token }} + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ github.event.client_payload.user_config.profile_name }} + source_repository: ${{ github.event.client_payload.repository.full_name }} + check_run_id: ${{ needs.register.outputs.run_id }} + + - name: Verify Policy name + id: verify_policy_name + if: success() + uses: veracode/github-actions-integration-helper@v0.1.2 + with: + action: validatePolicyName + token: ${{ github.event.client_payload.token }} + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ github.event.client_payload.user_config.profile_name }} + source_repository: ${{ github.event.client_payload.repository.full_name }} + check_run_id: ${{ needs.register.outputs.run_id }} + policyname: ${{ github.event.client_payload.policy_name }} + path: ${{ github.event.client_payload.annotationObj.path }} + start_line: ${{ github.event.client_payload.annotationObj.start_line }} + end_line: ${{ github.event.client_payload.annotationObj.end_line }} + break_build_invalid_policy: ${{github.event.client_payload.break_build_invalid_policy }} + + pipeline_scan: + needs: [register, validations] + runs-on: ubuntu-latest + steps: + - name: Download artifact + id: download-artifact + uses: actions/download-artifact@v4 + with: + github-token: ${{ github.event.client_payload.token }} + repository: ${{ github.event.client_payload.repository.full_name }} + 
run-id: ${{ github.event.client_payload.run_id }} + + - name: Veracode Pipeline-Scan + id: pipeline-scan + uses: veracode/Veracode-pipeline-scan-action@v1.0.15 + with: + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + veracode_policy_name: ${{ github.event.client_payload.policy_name }} + file: ${{ github.event.client_payload.repository.artifact_file }} + fail_build: ${{ github.event.client_payload.user_config.break_build_policy_findings }} + use_upgraded_version: true + + - name: Veracode Pipeline Results + if: always() + id: prepare-results + uses: Veracode/github-actions-integration-helper@v0.1.2 + with: + action: 'preparePipelineResults' + token: ${{ github.event.client_payload.token }} + check_run_id: ${{ needs.register.outputs.run_id }} + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ github.event.client_payload.user_config.profile_name }} + source_repository: ${{ github.event.client_payload.repository.full_name }} + fail_checks_on_policy: ${{ github.event.client_payload.user_config.break_build_policy_findings }} + fail_checks_on_error: ${{ github.event.client_payload.user_config.break_build_on_error }} + filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }} + + code-scanning-alert: + needs: pipeline_scan + runs-on: ubuntu-latest + if: ${{ github.event.client_payload.user_config.create_code_scanning_alert && always() }} + name: Create code scanning alerts + steps: + - name: Get scan results + uses: actions/download-artifact@v4 + with: + name: "Veracode Pipeline-Scan Results - Mitigated findings" + + - name: Convert pipeline scan output to SARIF format for Java language + if: ${{ github.event.client_payload.repository.language == 'Java' }} + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3 + with: + pipeline-results-json: filtered_results.json + output-results-sarif: veracode-results.sarif + repo_owner: ${{ 
github.event.client_payload.repository.owner }} + repo_name: ${{ github.event.client_payload.repository.name }} + commitSHA: ${{ github.event.client_payload.sha }} + ref: ${{ github.event.client_payload.user_config.ref }} + githubToken: ${{ github.event.client_payload.token }} + source-base-path-1: 'com/:src/main/java/com/' + source-base-path-2: 'WEB-INF:src/main/webapp/WEB-INF' + + - name: Convert pipeline scan output to SARIF format for non Java language + if: ${{ github.event.client_payload.repository.language != 'Java' }} + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3 + with: + pipeline-results-json: filtered_results.json + output-results-sarif: veracode-results.sarif + repo_owner: ${{ github.event.client_payload.repository.owner }} + repo_name: ${{ github.event.client_payload.repository.name }} + commitSHA: ${{ github.event.client_payload.sha }} + ref: ${{ github.event.client_payload.user_config.ref }} + githubToken: ${{ github.event.client_payload.token }} + + create-issues: + needs: pipeline_scan + runs-on: ubuntu-latest + if: ${{ github.event.client_payload.user_config.create_issue && always() }} + name: Create issues steps: - - name: Download artifact - id: download-artifact - uses: dawidd6/action-download-artifact@v2 - with: - github_token: ${{secrets.GITHUB_TOKEN}} - run_id: ${{ github.event.client_payload.run_id }} - repo: ${{ github.event.client_payload.repository.full_name }} - - name: Get the name of the downloaded files - run: | - artifact_file=$(ls -1 ./veracode-artifact | head -n 1) - echo "veracode_artifact=$artifact_file" >> $GITHUB_ENV - - name: Veracode Pipeline-Scan - id: pipeline-scan - uses: veracode/Veracode-pipeline-scan-action@v1.0.8 - with: - vid: ${{ secrets.VERACODE_API_ID }} - vkey: ${{ secrets.VERACODE_API_KEY }} - file: ./veracode-artifact/${{ env.veracode_artifact }} - fail_build: true + - name: Get scan results + uses: actions/download-artifact@v4 + with: + name: 'Veracode Pipeline-Scan Results - Mitigated 
findings' + + - name: Create flaws as issues for Java language + if: ${{ github.event.client_payload.repository.language == 'Java' }} + uses: veracode/veracode-flaws-to-issues@v2.2.24 + with: + scan-results-json: 'filtered_results.json' + repo_owner: ${{ github.event.client_payload.repository.owner }} + github-token: ${{ github.event.client_payload.token }} + repo_name: ${{ github.event.client_payload.repository.name }} + commitHash: ${{ github.event.client_payload.sha }} + source_base_path_1: 'com/:src/main/java/com/' + source_base_path_2: 'WEB-INF:src/main/webapp/WEB-INF' + + - name: Create flaws as issues for non Java language + if: ${{ github.event.client_payload.repository.language != 'Java' }} + uses: veracode/veracode-flaws-to-issues@v2.2.24 + with: + scan-results-json: 'filtered_results.json' + repo_owner: ${{ github.event.client_payload.repository.owner }} + github-token: ${{ github.event.client_payload.token }} + repo_name: ${{ github.event.client_payload.repository.name }} + commitHash: ${{ github.event.client_payload.sha }} diff --git a/.github/workflows/binary-ready-veracode-sast-policy-scan.yml b/.github/workflows/binary-ready-veracode-sast-policy-scan.yml index ff98e0c42..1995553fe 100644 --- a/.github/workflows/binary-ready-veracode-sast-policy-scan.yml +++ b/.github/workflows/binary-ready-veracode-sast-policy-scan.yml @@ -2,6 +2,10 @@ name: Binary Ready - Veracode Static Code Analysis run-name: Binary Ready - Static Code Analysis - ${{ github.event.client_payload.repository.name }} +concurrency: + group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch }} + cancel-in-progress: true + on: repository_dispatch: types: [binary-ready-veracode-sast-policy-scan] 
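Review bot: `github.event.client_payload.token` is a credential that arrives in the event payload rather than a repository secret, so the runner does not mask it in logs, yet every new job (`validations`, `pipeline_scan`, `code-scanning-alert`, `create-issues`) hands it to an action; any step that echoes its inputs or the payload would leak it. A first step per job such as `run: echo "::add-mask::$TOKEN"` with `env: TOKEN: ${{ github.event.client_payload.token }}` (env rather than inline interpolation, so the value is never injected into the shell) limits that. Separately, `github-actions-integration-helper@v0.1.2`, `Veracode-pipeline-scan-action@v1.0.15`, `veracode-pipeline-scan-results-to-sarif@v2.0.3` and `veracode-flaws-to-issues@v2.2.24` are referenced by mutable tags while receiving the Veracode API key and that token; pinning to commit SHAs is the usual supply-chain control. Minor: `break_build_invalid_policy: ${{github.event...` lacks the space after `${{` used by every other expression, and the owner casing flips between `veracode/` and `Veracode/`.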
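Review bot: Same shape as the pipeline-scan workflow's concurrency key: composed only of `client_payload` fields with `cancel-in-progress: true`, so a repeat dispatch from any caller cancels a running policy scan, and a payload missing `branch` or `name` collapses into a shared group. A comment such as `# Re-dispatch for the same repo+branch cancels the running policy scan` would record that this is intended.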
@@ -17,33 +21,171 @@ jobs: event_type: ${{ github.event.client_payload.event_type }} github_token: ${{ github.event.client_payload.token }} run_id: ${{ github.run_id }} + branch: ${{ github.event.client_payload.repository.branch }} - policy_scan: + validations: needs: register runs-on: ubuntu-latest + name: Validations + steps: + - name: Verify Veracode API credentials + id: verify_api_creds + uses: veracode/github-actions-integration-helper@v0.1.2 + with: + action: validateVeracodeApiCreds + token: ${{ github.event.client_payload.token }} + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ github.event.client_payload.user_config.profile_name }} + source_repository: ${{ github.event.client_payload.repository.full_name }} + check_run_id: ${{ needs.register.outputs.run_id }} + + - name: Verify Policy name + id: verify_policy_name + if: success() + uses: veracode/github-actions-integration-helper@v0.1.2 + with: + action: validatePolicyName + token: ${{ github.event.client_payload.token }} + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ github.event.client_payload.user_config.profile_name }} + source_repository: ${{ github.event.client_payload.repository.full_name }} + check_run_id: ${{ needs.register.outputs.run_id }} + policyname: ${{ github.event.client_payload.policy_name }} + path: ${{ github.event.client_payload.annotationObj.path }} + start_line: ${{ github.event.client_payload.annotationObj.start_line }} + end_line: ${{ github.event.client_payload.annotationObj.end_line }} + break_build_invalid_policy: ${{github.event.client_payload.break_build_invalid_policy }} + + policy_scan: + needs: [register, validations] + runs-on: ubuntu-latest steps: - name: Download artifact id: download-artifact - uses: dawidd6/action-download-artifact@v2 - with: - github_token: ${{ github.event.client_payload.token }} - run_id: ${{ github.event.client_payload.run_id }} - repo: ${{ 
github.event.client_payload.repository.full_name }} - - name: Get the name of the downloaded files - run: | - artifact_file=$(ls -1 ./veracode-artifact | head -n 1) - echo "veracode_artifact=$artifact_file" >> $GITHUB_ENV + uses: actions/download-artifact@v4 + with: + github-token: ${{ github.event.client_payload.token }} + repository: ${{ github.event.client_payload.repository.full_name }} + run-id: ${{ github.event.client_payload.run_id }} + - name: Veracode Upload and Scan Action Step - uses: veracode/uploadandscan-action@main + uses: veracode/uploadandscan-action@v0.1.4 id: upload_and_scan with: vid: '${{ secrets.VERACODE_API_ID }}' vkey: '${{ secrets.VERACODE_API_KEY }}' - appname: ${{ github.event.client_payload.profile_name }} + appname: ${{ github.event.client_payload.user_config.profile_name }} createprofile: true version: '${{ github.run_id }}' - filepath: ./veracode-artifact/${{ env.veracode_artifact }} - include: ${{ github.event.client_payload.modules_to_scan }} - policy: VeraDemo Policy + filepath: ${{ github.event.client_payload.repository.artifact_file }} + # include: ${{ github.event.client_payload.modules_to_scan }} + policy: ${{ github.event.client_payload.policy_name }} scantimeout: 15 - failbuild: true \ No newline at end of file + failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }} + use_upgraded_version: true + + - name: Veracode Policy Results + id: prepare-results + if: always() + uses: Veracode/github-actions-integration-helper@v0.1.2 + with: + action: 'preparePolicyResults' + token: ${{ github.event.client_payload.token }} + check_run_id: ${{ needs.register.outputs.run_id }} + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ github.event.client_payload.user_config.profile_name }} + source_repository: ${{ github.event.client_payload.repository.full_name }} + fail_checks_on_policy: ${{ github.event.client_payload.user_config.break_build_policy_findings }} + 
fail_checks_on_error: ${{ github.event.client_payload.user_config.break_build_on_error }} + filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }} + + veracode-remove-sandbox: + needs: policy_scan + runs-on: ubuntu-latest + if: ${{ github.event.client_payload.user_config.sandbox_scan.execute_remove_sandbox_action && always() }} + name: Remove Sandbox + steps: + - uses: veracode/github-actions-integration-helper@v0.1.2 + with: + action: 'removeSandbox' + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ github.event.client_payload.user_config.profile_name }} + sandboxname: GitHub App Scans-${{ github.event.client_payload.user_config.sandbox_scan.branch }} + + code-scanning-alert: + needs: policy_scan + runs-on: ubuntu-latest + if: ${{ github.event.client_payload.user_config.create_code_scanning_alert && always() }} + name: Create code scanning alerts + steps: + - name: Get scan results + uses: actions/download-artifact@v4 + with: + name: policy-flaws + path: /tmp + + - name: Convert policy scan output to SARIF format for Java language + if: ${{ github.event.client_payload.repository.language == 'Java' }} + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3 + with: + scan-type: policy + results-json: '/tmp/policy_flaws.json' + output-results-sarif: veracode-results.sarif + repo_owner: ${{ github.event.client_payload.repository.owner }} + repo_name: ${{ github.event.client_payload.repository.name }} + commitSHA: ${{ github.event.client_payload.sha }} + ref: ${{ github.event.client_payload.user_config.ref }} + githubToken: ${{ github.event.client_payload.token }} + source-base-path-1: 'com/:src/main/java/com/' + source-base-path-2: 'WEB-INF:src/main/webapp/WEB-INF' + + - name: Convert policy scan output to SARIF format for non Java language + if: ${{ github.event.client_payload.repository.language != 'Java' }} + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3 + 
with: + scan-type: policy + results-json: '/tmp/policy_flaws.json' + output-results-sarif: veracode-results.sarif + repo_owner: ${{ github.event.client_payload.repository.owner }} + repo_name: ${{ github.event.client_payload.repository.name }} + commitSHA: ${{ github.event.client_payload.sha }} + ref: ${{ github.event.client_payload.user_config.ref }} + githubToken: ${{ github.event.client_payload.token }} + + create-issues: + needs: policy_scan + if: ${{ github.event.client_payload.user_config.create_issue && always() }} + runs-on: ubuntu-latest + name: Create issues + steps: + - name: Get flaw file + uses: actions/download-artifact@v4 + with: + name: 'policy-flaws' + path: /tmp + + - name: Create flaws as issues for Java language + if: ${{ github.event.client_payload.repository.language == 'Java' }} + uses: veracode/veracode-flaws-to-issues@v2.2.24 + with: + scan-results-json: '/tmp/policy_flaws.json' + repo_owner: ${{ github.event.client_payload.repository.owner }} + github-token: ${{ github.event.client_payload.token }} + repo_name: ${{ github.event.client_payload.repository.name }} + commitHash: ${{ github.event.client_payload.sha }} + source_base_path_1: 'com/:src/main/java/com/' + source_base_path_2: 'WEB-INF:src/main/webapp/WEB-INF' + + - name: Create flaws as issues for non Java language + if: ${{ github.event.client_payload.repository.language != 'Java' }} + uses: veracode/veracode-flaws-to-issues@v2.2.24 + with: + scan-results-json: '/tmp/policy_flaws.json' + repo_owner: ${{ github.event.client_payload.repository.owner }} + github-token: ${{ github.event.client_payload.token }} + repo_name: ${{ github.event.client_payload.repository.name }} + commitHash: ${{ github.event.client_payload.sha }} diff --git a/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml b/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml new file mode 100644 index 000000000..83ba2c092 --- /dev/null 
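Review bot: The `veracode-remove-sandbox` job names the sandbox `GitHub App Scans-${{ ...user_config.sandbox_scan.branch }}`, while the sandbox-scan workflow added in this same change creates it as `GitHub App Scans-${{ ...repository.branch }}`; unless both payload fields always carry the same value, this removes a different sandbox (or none) — pick one source for the name. With `createprofile: true` and `appname` taken from the payload, a dispatcher can create arbitrary application profiles under the org's Veracode account, which deserves a one-line comment stating that is accepted. `# include: ${{ ...modules_to_scan }}` is commented out, so module selection silently stopped applying — either delete it or note why it was disabled. Note also that `failbuild` and `fail_checks_on_policy` are both driven by `user_config.break_build_policy_findings` from the payload, so the caller rather than the workflow decides whether findings block; fine if that is the design, but it should be stated.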
+++ b/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml @@ -0,0 +1,39 @@ +name: Binary Ready - Veracode Static Sandbox Scanner + +run-name: Binary Ready - Veracode Sandbox Scan - ${{ github.event.client_payload.repository.name }} + +concurrency: + group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch }} + cancel-in-progress: true + +on: + repository_dispatch: + types: [binary-ready-veracode-sast-sandbox-scan] + +jobs: + sandbox_scan: + runs-on: ubuntu-latest + steps: + - name: Download artifact + id: download-artifact + uses: actions/download-artifact@v4 + with: + github-token: ${{ github.event.client_payload.token }} + repository: ${{ github.event.client_payload.repository.full_name }} + run-id: ${{ github.event.client_payload.run_id }} + + - name: Veracode Upload and Scan Action Step + id: upload_and_scan + uses: veracode/uploadandscan-action@v0.1.4 + with: + appname: ${{ github.event.client_payload.user_config.profile_name }} + createprofile: true + policy: ${{ github.event.client_payload.policy_name }} + version: '${{ github.run_id }}' + filepath: ${{ github.event.client_payload.repository.artifact_file }} + vid: '${{ secrets.VERACODE_API_ID }}' + vkey: '${{ secrets.VERACODE_API_KEY }}' + createsandbox: true + sandboxname: GitHub App Scans-${{ github.event.client_payload.repository.branch }} + # include: ${{ github.event.client_payload.modules_to_scan }} + failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }} diff --git a/.github/workflows/template-register.yaml b/.github/workflows/template-register.yaml new file mode 100644 index 000000000..ee3e948e7 --- /dev/null +++ b/.github/workflows/template-register.yaml 
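Review bot: Unlike the pipeline and policy workflows in this change, this one has no `register`/`validations` jobs and no results step after `upload_and_scan`, so bad credentials or an unknown policy name surface only as a failed upload, and findings never reach a check run, code-scanning alert or issue; if that lighter flow is intended, say so in a header comment, e.g. `# Sandbox scans report only in the Veracode UI; no GitHub check run is registered here`. `sandboxname: GitHub App Scans-${{ ...repository.branch }}` disagrees with the remove-sandbox job in the policy workflow, which uses `user_config.sandbox_scan.branch`. The download step passes the payload token to `actions/download-artifact@v4` for a cross-repository download; since that token is not a masked secret, mask it in a preceding step.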
@@ -0,0 +1,28 @@ +#This is a template Register Build step. Please place the register step at the end of any developer build file to use the local compilation option +name: Veracode Register Build + +run-name: Veracode Register Build + +on: + repository_dispatch: + types: [register-build] + +jobs: + register: + runs-on: ubuntu-latest + name: register + steps: + - name: Register build + id: register-build + uses: veracode/github-actions-integration-helper@v0.1.2 + with: + action: registerBuild + token: ${{ github.event.client_payload.token }} + appname: ${{ github.event.client_payload.user_config.profile_name }} + source_repository: ${{ github.event.client_payload.repository.full_name }} + check_run_id: ${{ github.run_id }} + check_run_name: ${{ github.workflow }} + head_sha: ${{ github.event.client_payload.sha }} + event_type: ${{ github.event.client_payload.event_type }} + branch: ${{ github.event.client_payload.user_config.sandbox_scan.branch }} + issue_trigger_flow: ${{ github.event.client_payload.user_config.issue_trigger_flow }} \ No newline at end of file diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml new file mode 100644 index 000000000..50bb38451 --- /dev/null +++ b/.github/workflows/update-cli.yml 
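Review bot: The header comment tells readers to "place the register step at the end of any developer build file", but the file is wired as a standalone workflow on `repository_dispatch: [register-build]`; the guidance and the trigger disagree, so rewrite it to say which is meant, e.g. `# Standalone register-build workflow. To use local compilation, copy the 'Register build' step to the end of your own build workflow instead.` `check_run_id: ${{ github.run_id }}` passes a workflow run id into an input named as a check-run id; if the helper action expects that, a short comment explaining it would help the next reader. `branch: ${{ ...user_config.sandbox_scan.branch }}` also differs from the `repository.branch` the other register calls in this change use.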
@@ -0,0 +1,45 @@ +name: Update the Veracode CLI +on: + schedule: + - cron: '0 2 * * *' + workflow_dispatch: +jobs: + update-veracode-cli: + runs-on: ubuntu-latest + continue-on-error: true + permissions: + contents: write + steps: + - uses: actions/checkout@v3 + - name: Update Veracode CLI to latest version + run: | + cd helper/cli + cliFile=$(ls -1 . | head -n 1) + echo "Filename: $cliFile" + local_version="${cliFile#*_}" + local_version="${local_version%%_*}" + echo "Local version: $local_version" + curl -sSO https://tools.veracode.com/veracode-cli/LATEST_VERSION + latest_version=$(<"LATEST_VERSION") + echo "Latest version: $latest_version" + if [[ "$local_version" == "$latest_version" ]]; then + echo "We already have the latest version - nothing to do here" + rm -rf LATEST_VERSION + else + echo "There is a new version we need to downlaod" + downloadUrl="https://tools.veracode.com/veracode-cli/veracode-cli_${latest_version}_linux_x86.tar.gz" + echo "Download URL: $downloadUrl" + curl -sSO $downloadUrl + ls -la + echo "CLEAN UP" + rm -rf veracode-cli_${local_version}_linux_x86.tar.gz + rm -rf LATEST_VERSION + ls -la + fi + - name: commit back to repo + run: | + git config --global user.name 'veracode' + git config --global user.email 'cli@veracode.com' + git add -A + git commit -am "New CLI Version" + git push --verbose \ No newline at end of file diff --git a/.github/workflows/veracode-build-artifact-for-scanning.yml b/.github/workflows/veracode-build-artifact-for-scanning.yml index c59563d2d..caeba2953 100644 --- a/.github/workflows/veracode-build-artifact-for-scanning.yml +++ b/.github/workflows/veracode-build-artifact-for-scanning.yml 
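Review bot: The tarball fetched by `curl -sSO $downloadUrl` is committed to the repository with no integrity check and is later unpacked and installed system-wide by the new build workflows; without `-f`, an HTTP error body would also be saved under the tarball's name and committed as the "new CLI". `latest_version` comes straight from the remote `LATEST_VERSION` file and is interpolated unquoted into both the URL and `rm -rf veracode-cli_${local_version}_linux_x86.tar.gz`; validate it against a version pattern and quote the expansions. A checksum or signature verification belongs before the commit step if Veracode publishes one — I cannot confirm that from here, hence the TODO below. Adding `set -euo pipefail` keeps a failed download from falling through to `git commit`, and `downlaod` is a typo.

```yaml
      - name: Update Veracode CLI to latest version
        run: |
          set -euo pipefail
          cd helper/cli
          # … unchanged: derive local_version from the committed tarball name …
          curl -fsSLO https://tools.veracode.com/veracode-cli/LATEST_VERSION
          latest_version=$(<LATEST_VERSION)
          # Only a dotted numeric version may reach the URL and the rm below.
          [[ "$latest_version" =~ ^[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected LATEST_VERSION: $latest_version" >&2; exit 1; }
          if [[ "$local_version" == "$latest_version" ]]; then
            # … unchanged: nothing to do …
          else
            downloadUrl="https://tools.veracode.com/veracode-cli/veracode-cli_${latest_version}_linux_x86.tar.gz"
            curl -fsSLO "$downloadUrl"
            # TODO(review): verify a published checksum/signature for the tarball here before it is committed
            rm -f "veracode-cli_${local_version}_linux_x86.tar.gz" LATEST_VERSION
          fi
```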
@@ -18,23 +18,23 @@ on: jobs: build-java-maven: - if: ${{ inputs.event_name == 'java-maven-pipeline-scan' || inputs.event_name == 'java-maven-policy-scan' }} - uses: ./.github/workflows/veracode-build-java-maven.yml + if: ${{ inputs.event_name == 'java-maven-pipeline-scan' || inputs.event_name == 'java-maven-policy-scan' || inputs.event_name == 'java-maven-sandbox-scan' }} + uses: ./.github/workflows/veracode-build-java-cli-maven.yml with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} token: ${{ inputs.token }} - + build-java-gradle: - if: ${{ inputs.event_name == 'java-gradle-pipeline-scan' || inputs.event_name == 'java-gradle-policy-scan' }} - uses: ./.github/workflows/veracode-build-java-gradle.yml + if: ${{ inputs.event_name == 'java-gradle-pipeline-scan' || inputs.event_name == 'java-gradle-policy-scan' || inputs.event_name == 'java-gradle-sandbox-scan' }} + uses: ./.github/workflows/veracode-build-java-cli-gradle.yml with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} token: ${{ inputs.token }} - + build-source-code-scan: - if: ${{ inputs.event_name == 'source-code-pipeline-scan' || inputs.event_name == 'source-code-policy-scan' }} + if: ${{ inputs.event_name == 'source-code-pipeline-scan' || inputs.event_name == 'source-code-policy-scan' || inputs.event_name == 'source-code-sandbox-scan'}} uses: ./.github/workflows/veracode-build-source-code.yml with: repository: ${{ inputs.repository }} @@ -42,7 +42,7 @@ jobs: token: ${{ inputs.token }} build-dot-net-package: - if: ${{ inputs.event_name == 'dot-net-pipeline-scan' }} + if: ${{ inputs.event_name == 'dot-net-pipeline-scan' || inputs.event_name == 'dot-net-policy-scan' || inputs.event_name == 'dot-net-sandbox-scan'}} uses: ./.github/workflows/veracode-build-dot-net.yml with: repository: ${{ inputs.repository }} 
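Review bot: Every job gates on an exact `inputs.event_name` match, so a dispatch with an unrecognised or misspelled event type runs no build job at all and the workflow finishes green with nothing uploaded; the failure then shows up only downstream when `download-artifact` finds no artifact. A final job that fails when no condition matched, or at least a documented list of accepted `event_name` values on the `workflow_call` input (which sits above this hunk), would make that explicit. Style: several new conditions end in `-sandbox-scan'}}` without the space before `}}` that the rest of the file uses.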
@@ -50,9 +50,49 @@ jobs: token: ${{ inputs.token }} build-go-package: - if: ${{ inputs.event_name == 'go-pipeline-scan' || inputs.event_name == 'go-policy-scan' }} + if: ${{ inputs.event_name == 'go-pipeline-scan' || inputs.event_name == 'go-policy-scan' || inputs.event_name == 'go-sandbox-scan'}} uses: ./.github/workflows/veracode-build-go.yml with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} token: ${{ inputs.token }} + + build-tsql-package: + if: ${{ inputs.event_name == 'tsql-pipeline-scan' || inputs.event_name == 'tsql-policy-scan' || inputs.event_name == 'tsql-sandbox-scan'}} + uses: ./.github/workflows/veracode-build-tsql.yml + with: + repository: ${{ inputs.repository }} + ref: ${{ inputs.ref }} + token: ${{ inputs.token }} + + build-plsql-package: + if: ${{ inputs.event_name == 'plsql-pipeline-scan' || inputs.event_name == 'plsql-policy-scan' || inputs.event_name == 'plsql-sandbox-scan'}} + uses: ./.github/workflows/veracode-build-plsql.yml + with: + repository: ${{ inputs.repository }} + ref: ${{ inputs.ref }} + token: ${{ inputs.token }} + + build-php-package: + if: ${{ inputs.event_name == 'php-pipeline-scan' || inputs.event_name == 'php-policy-scan' || inputs.event_name == 'php-sandbox-scan'}} + uses: ./.github/workflows/veracode-build-php.yml + with: + repository: ${{ inputs.repository }} + ref: ${{ inputs.ref }} + token: ${{ inputs.token }} + + build-scala-package: + if: ${{ inputs.event_name == 'scala-pipeline-scan' || inputs.event_name == 'scala-policy-scan' || inputs.event_name == 'scala-sandbox-scan'}} + uses: ./.github/workflows/veracode-build-scala.yml + with: + repository: ${{ inputs.repository }} + ref: ${{ inputs.ref }} + token: ${{ inputs.token }} + + build-dart-package: + if: ${{ inputs.event_name == 'dart-pipeline-scan' || inputs.event_name == 'dart-policy-scan' || inputs.event_name == 'dart-sandbox-scan'}} + uses: ./.github/workflows/veracode-build-dart.yml + with: + repository: ${{ inputs.repository }} + ref: ${{ 
inputs.ref }} + token: ${{ inputs.token }} \ No newline at end of file diff --git a/.github/workflows/veracode-build-dart.yml b/.github/workflows/veracode-build-dart.yml new file mode 100644 index 000000000..e830a0384 --- /dev/null +++ b/.github/workflows/veracode-build-dart.yml @@ -0,0 +1,46 @@ +name: Veracode Build Dart Code Package + +on: + workflow_call: + inputs: + repository: + required: true + type: string + ref: + required: true + type: string + token: + required: true + type: string + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + repository: ${{ inputs.repository }} + ref: ${{ inputs.ref }} + token: ${{ inputs.token }} + + - name: Set up JDK 1.8 + uses: actions/setup-java@v4 + with: + java-version: 1.8 + + - name: Setup Android SDK + uses: android-actions/setup-android@v2 + + - name: Setup Flutter SDK + uses: flutter-actions/setup-flutter@v2 + with: + channel: stable + version: 3.0.2 + + - name: Build Flutter App + run: flutter build apk --debug + + - uses: actions/upload-artifact@v4 + with: + name: veracode-artifact + path: build/app/outputs/flutter-apk diff --git a/.github/workflows/veracode-build-dot-net.yml b/.github/workflows/veracode-build-dot-net.yml index d9eadca40..31aa01623 100644 --- a/.github/workflows/veracode-build-dot-net.yml +++ b/.github/workflows/veracode-build-dot-net.yml @@ -19,13 +19,13 @@ jobs: # runs-on: windows-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} token: ${{ inputs.token }} - name: Setup .NET Core - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: dotnet-version: '3.1.x' - name: Build @@ -51,7 +51,7 @@ jobs: # - name: Create zip archive # run: 7z a -tzip veracode.zip ./output - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: veracode-artifact path: veracode.zip 
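Review bot: `java-version: 1.8` is a bare YAML float; quote it as `java-version: '1.8'` so the value is passed as the string it is meant to be and cannot be re-typed if someone later edits it. `android-actions/setup-android@v2` and `flutter-actions/setup-flutter@v2` are community actions pinned to a moving major tag and run in a workspace checked out with `inputs.token`; pin them to commit SHAs. Also add `persist-credentials: false` to the checkout, since `build/app/outputs/flutter-apk` is produced and uploaded from that same workspace and the default leaves the token in `.git/config`.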
diff --git a/.github/workflows/veracode-build-go.yml b/.github/workflows/veracode-build-go.yml index 6180af789..e1b753d44 100644 --- a/.github/workflows/veracode-build-go.yml +++ b/.github/workflows/veracode-build-go.yml @@ -17,7 +17,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} @@ -34,7 +34,7 @@ jobs: fi - name: Set up Go - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: go-version: 1.x @@ -53,7 +53,7 @@ jobs: - name: Run vcgopkg run: vcgopkg - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: veracode-artifact path: ./veracode diff --git a/.github/workflows/veracode-build-java-cli-gradle.yml b/.github/workflows/veracode-build-java-cli-gradle.yml new file mode 100644 index 000000000..ff37ede76 --- /dev/null +++ b/.github/workflows/veracode-build-java-cli-gradle.yml 
@@ -0,0 +1,48 @@ +name: Veracode Build Java Gradle Application +on: + workflow_call: + inputs: + repository: + required: true + type: string + ref: + required: true + type: string + token: + required: true + type: string +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + repository: ${{ inputs.repository }} + ref: ${{ inputs.ref }} + token: ${{ inputs.token }} + - uses: actions/checkout@v4 + with: + path: 'veracode-helper' + - uses: actions/setup-java@v4 + with: + java-version: 21 + distribution: oracle + - name: Package the appliccation + env: + VERACODE_API_KEY_ID: '${{ secrets.VERACODE_API_ID }}' + VERACODE_API_KEY_SECRET: '${{ secrets.VERACODE_API_KEY }}' + run: | + cd veracode-helper/helper/cli + cliFile=$(ls -1 . | head -n 1) + cliFileName=$(echo "$cliFile" | cut -c 1-$((${#cliFile}-7))) + tar -zxvf $cliFile + cd $cliFileName + chmod +x install.sh + ./install.sh system + cd /home/runner/work/veracode/veracode/ + veracode package --source . --output veracode-artifacts --trust + zip veracode-artifact.zip veracode-artifacts/* -x .zip .tar .tar.gz .gz + - uses: actions/upload-artifact@v4 + with: + name: veracode-artifact + path: veracode-artifact.zip \ No newline at end of file diff --git a/.github/workflows/veracode-build-java-cli-maven.yml b/.github/workflows/veracode-build-java-cli-maven.yml new file mode 100644 index 000000000..4018ec98f --- /dev/null +++ b/.github/workflows/veracode-build-java-cli-maven.yml 
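Review bot: The first `actions/checkout@v4` checks out the target repository with `inputs.token` and, with the default `persist-credentials: true`, leaves that token in `.git/config`; the next step then runs the committed CLI tarball via `./install.sh system` and `veracode package --source . --trust` over that workspace, so add `persist-credentials: false` to that checkout so the packaging tooling (and anything it bundles) cannot read the token. `cd /home/runner/work/veracode/veracode/` hardcodes the hosted runner's workspace path; `cd "$GITHUB_WORKSPACE"` is the portable form and also works on self-hosted runners. `zip veracode-artifact.zip veracode-artifacts/* -x .zip .tar .tar.gz .gz` excludes files literally named `.zip` etc., not `*.zip`, so if the intent is to skip nested archives the patterns need the leading `*` and quoting. The `veracode-helper` checkout also sits inside `.`, so presumably the helper's own files get packaged into the artifact — verify that is wanted.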
@@ -0,0 +1,53 @@ +name: Veracode Build Java Maven Application +on: + workflow_call: + inputs: + repository: + required: true + type: string + ref: + required: true + type: string + token: + required: true + type: string +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + repository: ${{ inputs.repository }} + ref: ${{ inputs.ref }} + token: ${{ inputs.token }} + - uses: actions/checkout@v4 + with: + path: 'veracode-helper' + - uses: actions/setup-java@v4 + with: + java-version: 17 + distribution: oracle + - name: Cache Maven Dependencies + uses: actions/cache@v4 + with: + path: ~/.m2 + key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} + - name: Package the appliccation + env: + VERACODE_API_KEY_ID: '${{ secrets.VERACODE_API_ID }}' + VERACODE_API_KEY_SECRET: '${{ secrets.VERACODE_API_KEY }}' + run: | + cd veracode-helper/helper/cli + cliFile=$(ls -1 . | head -n 1) + cliFileName=$(echo "$cliFile" | cut -c 1-$((${#cliFile}-7))) + tar -zxvf $cliFile + cd $cliFileName + chmod +x install.sh + ./install.sh system + cd /home/runner/work/veracode/veracode/ + veracode package --source . --output veracode-artifacts --trust + zip veracode-artifact.zip veracode-artifacts/* -x .zip .tar .tar.gz .gz + - uses: actions/upload-artifact@v4 + with: + name: veracode-artifact + path: veracode-artifact.zip \ No newline at end of file diff --git a/.github/workflows/veracode-build-java-gradle.yml b/.github/workflows/veracode-build-java-gradle.yml deleted file mode 100644 index 2da105d5a..000000000 --- a/.github/workflows/veracode-build-java-gradle.yml +++ /dev/null 
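Review bot: `actions/cache@v4` restores `~/.m2` under the key `${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}`; because this reusable workflow appears to run in the dispatching repository's context rather than the scanned project's, that cache scope looks shared across every target repository the app scans, so one project's build could seed the dependency cache another project's scan is packaged from. If that sharing is not intended, include the target in the key, e.g. `key: ${{ runner.os }}-m2-${{ inputs.repository }}-${{ hashFiles('**/pom.xml') }}`. Same points as the Gradle variant: the target checkout keeps `inputs.token` in `.git/config` unless `persist-credentials: false` is set, `cd /home/runner/work/veracode/veracode/` should be `cd "$GITHUB_WORKSPACE"`, and `-x .zip .tar .tar.gz .gz` matches literal file names rather than extensions.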
@@ -1,53 +0,0 @@ -name: Veracode Build Java Gradle Application - -on: - workflow_call: - inputs: - repository: - required: true - type: string - ref: - required: true - type: string - token: - required: true - type: string - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - with: - repository: ${{ inputs.repository }} - ref: ${{ inputs.ref }} - token: ${{ inputs.token }} - - uses: actions/setup-java@v3 - with: - java-version: 17 - distribution: oracle - - name: Build with Gradle - run: ./gradlew build - - - name: Identify the Artifact - id: identify - run: | - jar_files=$(find build -name "*.jar" -type f -maxdepth 2 -not -name '*plain*') - war_files=$(find build -name "*.war" -type f -maxdepth 2 -not -name '*plain*') - ear_files=$(find build -name "*.ear" -type f -maxdepth 2 -not -name '*plain*') - if [ ! -z "$jar_files" ]; then - artifact_file=$jar_files - elif [ ! -z "$war_files" ]; then - artifact_file=$war_files - elif [ ! -z "$ear_files" ]; then - artifact_file=$ear_files - else - echo "no files found" - fi - echo $artifact_file - echo "veracode_artifact=$artifact_file" >> $GITHUB_ENV - - - uses: actions/upload-artifact@v3 - with: - name: veracode-artifact - path: ${{ env.veracode_artifact }} diff --git a/.github/workflows/veracode-build-php.yml b/.github/workflows/veracode-build-php.yml new file mode 100644 index 000000000..1f00b87ab --- /dev/null +++ b/.github/workflows/veracode-build-php.yml 
@@ -0,0 +1,32 @@ +name: Veracode Build PHP Source Code Package + +on: + workflow_call: + inputs: + repository: + required: true + type: string + ref: + required: true + type: string + token: + required: true + type: string + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + repository: ${{ inputs.repository }} + ref: ${{ inputs.ref }} + token: ${{ inputs.token }} + + - name: Create zip archive + run: zip -r veracode.zip . -x .git/**\* bin/**\* e2e/**\* tests/**\* node_modules/**\* *.pyd *.mwb *.exe *.dll *.bin *.png *.xml *.bat *.g2p *.gp4 *.wav *.jpg *.svg *.sfx *.prx *.sb *.nrm *.config *.ini *.pdf *.dat *.docx *.whl *.so *_arm64 *_armhf *_x64 *.xlsm *.sql + + - uses: actions/upload-artifact@v4 + with: + name: veracode-artifact + path: veracode.zip diff --git a/.github/workflows/veracode-build-plsql.yml b/.github/workflows/veracode-build-plsql.yml new file mode 100644 index 000000000..75d372fb2 --- /dev/null +++ b/.github/workflows/veracode-build-plsql.yml @@ -0,0 +1,32 @@ +name: Veracode Build PL SQL Source Code Package + +on: + workflow_call: + inputs: + repository: + required: true + type: string + ref: + required: true + type: string + token: + required: true + type: string + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + repository: ${{ inputs.repository }} + ref: ${{ inputs.ref }} + token: ${{ inputs.token }} + + - name: Create zip archive + run: zip -r veracode.zip . -x .git/**\* bin/**\* e2e/**\* tests/**\* node_modules/**\* *.pyd *.mwb *.exe *.dll *.bin *.png *.xml *.bat *.g2p *.gp4 *.wav *.jpg *.svg *.sfx *.prx *.sb *.nrm *.config *.ini *.pdf *.dat *.docx *.whl *.so *_arm64 *_armhf *_x64 *.xlsm + + - uses: actions/upload-artifact@v4 + with: + name: veracode-artifact + path: veracode.zip 
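Review bot: The checkout step leaves `inputs.token` persisted in `.git/config` for the rest of the job (actions/checkout defaults `persist-credentials` to true), and the only thing keeping it out of the uploaded `veracode.zip` is the `-x .git/**\*` exclusion on the `zip` line. Nothing after the checkout needs git credentials, so add `persist-credentials: false` under `with:` so the App token is not on disk when the archive is built and the exclusion list stops being security-critical.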
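Review bot: The exclusion list on the `zip` line is a copy of the one in the PHP, T-SQL and generic source-code workflows, differing only in whether `*.sql` is excluded, so the four lists will drift the next time someone adds a pattern to one of them. Every one of these workflows is checkout-then-zip with the same three inputs; consider folding them into one reusable workflow that takes an `extra_excludes` string input and has each language caller pass its additions. That also makes the language-specific decision visible — here, that PL/SQL sources live in `.sql` files and so `*.sql` must not be excluded — instead of leaving it implicit in a long shell line.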
diff --git a/.github/workflows/veracode-build-java-maven.yml b/.github/workflows/veracode-build-scala.yml similarity index 75% rename from .github/workflows/veracode-build-java-maven.yml rename to .github/workflows/veracode-build-scala.yml index 9b4d7a0b1..9f0bfe69e 100644 --- a/.github/workflows/veracode-build-java-maven.yml +++ b/.github/workflows/veracode-build-scala.yml @@ -1,4 +1,4 @@ -name: Veracode Build Java Maven Application +name: Veracode Build Scala Application on: workflow_call: @@ -17,22 +17,17 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} token: ${{ inputs.token }} - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: - java-version: 17 + java-version: 21 distribution: oracle - - name: Cache Maven Dependencies - uses: actions/cache@v3 - with: - path: ~/.m2 - key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} - - name: Build with Maven - run: mvn clean package + - name: Build with sbt + run: sbt clean package - name: Identify the Artifact id: identify @@ -52,7 +47,7 @@ jobs: echo $artifact_file echo "veracode_artifact=$artifact_file" >> $GITHUB_ENV - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: veracode-artifact path: target/${{ env.veracode_artifact }} diff --git a/.github/workflows/veracode-build-source-code.yml b/.github/workflows/veracode-build-source-code.yml index 99e235f5f..2936b4275 100644 --- a/.github/workflows/veracode-build-source-code.yml +++ b/.github/workflows/veracode-build-source-code.yml 
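Review bot: `sbt clean package` writes its jar under `target/scala-<version>/`, not directly under `target/`, while the unchanged `Identify the Artifact` step and the upload path `target/${{ env.veracode_artifact }}` in the next hunk were written for Maven's flat `target/` layout; confirm the identify step (its body lies between the hunks and is not visible here) resolves the sbt output, otherwise the upload step finds nothing. The step also relies on `sbt` being preinstalled on `ubuntu-latest`, which is a runner-image detail this workflow does not control — an explicit sbt installation step makes the build reproducible when the image changes. Unlike the Maven variant added elsewhere in this commit, no Veracode credentials are exported to the build step, which is the right posture given that `sbt` executes the scanned repository's build definition.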
@@ -17,16 +17,16 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} token: ${{ inputs.token }} - name: Create zip archive - run: zip -r veracode.zip . -x .git/**\* + run: zip -r veracode.zip . -x .git/**\* bin/**\* e2e/**\* tests/**\* node_modules/**\* *.pyd *.mwb *.exe *.dll *.bin *.png *.xml *.bat *.g2p *.gp4 *.wav *.jpg *.svg *.sfx *.prx *.sb *.nrm *.config *.ini *.pdf *.dat *.docx *.whl *.so *_arm64 *_armhf *_x64 *.xlsm *.sql - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: veracode-artifact path: veracode.zip diff --git a/.github/workflows/veracode-build-tsql.yml b/.github/workflows/veracode-build-tsql.yml new file mode 100644 index 000000000..810da9657 --- /dev/null +++ b/.github/workflows/veracode-build-tsql.yml @@ -0,0 +1,32 @@ +name: Veracode Build T-SQL Source Code Package + +on: + workflow_call: + inputs: + repository: + required: true + type: string + ref: + required: true + type: string + token: + required: true + type: string + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + repository: ${{ inputs.repository }} + ref: ${{ inputs.ref }} + token: ${{ inputs.token }} + + - name: Create zip archive + run: zip -r veracode.zip . -x .git/**\* bin/**\* e2e/**\* tests/**\* node_modules/**\* *.pyd *.mwb *.exe *.dll *.bin *.png *.xml *.bat *.g2p *.gp4 *.wav *.jpg *.svg *.sfx *.prx *.sb *.nrm *.config *.ini *.pdf *.dat *.docx *.whl *.so *_arm64 *_armhf *_x64 *.xlsm + + - uses: actions/upload-artifact@v4 + with: + name: veracode-artifact + path: veracode.zip diff --git a/.github/workflows/veracode-check-run.yml b/.github/workflows/veracode-check-run.yml index 7f327b473..a1dacd979 100644 --- a/.github/workflows/veracode-check-run.yml +++ b/.github/workflows/veracode-check-run.yml 
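Review bot: The widened exclusion list now drops `*.xml`, `*.config`, `*.ini` and `*.sql` from a package built for whichever languages are routed to `source-code-*` scans; for frameworks whose security-relevant configuration lives in those files (Spring XML, `web.config`/`app.config`, Android manifests) this removes what a static scanner needs to report misconfiguration, and SQL stored procedures in the repo are no longer scanned at all. Confirm the list against the packaging guidance for each language that reaches this workflow rather than reusing the PHP list verbatim, and if the exclusions are deliberate, put a comment above the `zip` line saying which packaging rule each group of patterns comes from (`# binaries/build output`, `# media`, `# config not needed for SAST`).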
@@ -1,6 +1,10 @@ name: 'Organization workflow action' on: workflow_call: + outputs: + run_id: + description: "The first output string" + value: ${{ jobs.create_check_run.outputs.run_id }} inputs: run_id: description: 'ID of workflow run (provided via GitHub syntax `github.run_id`)' @@ -30,9 +34,15 @@ on: description: 'event_type triggered by the GitHub App (provided by GitHub app via `github.event.client_payload.event_type`)' required: true type: string + branch: + description: 'branch triggered by the GitHub App (provided by GitHub app via `github.event.client_payload.repository.branch`)' + required: true + type: string jobs: create_check_run: runs-on: ubuntu-latest + outputs: + run_id: ${{ fromJson(steps.create_check_run.outputs.data).id }} steps: # Create check run - name: GitHub API Request to create a check @@ -55,11 +65,14 @@ jobs: echo '{ "check_run_type": "${{ inputs.event_type }}", "repository_name": "${{ inputs.repositroy_name }}", - "check_run_id": ${{ fromJson(steps.create_check_run.outputs.data).id }} + "check_run_id": ${{ fromJson(steps.create_check_run.outputs.data).id }}, + "branch": "${{ inputs.branch }}", + "sha": "${{ inputs.head_sha }}" }' > workflow-metadata.json + echo "run_id=${{ fromJson(steps.create_check_run.outputs.data).id }}" >> "GITHUB_OUTPUT" shell: bash - name: Save metadata - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: workflow-metadata path: workflow-metadata.json \ No newline at end of file diff --git a/.github/workflows/veracode-code-analysis.yml b/.github/workflows/veracode-code-analysis.yml index 8408a50b5..ed7cc5542 100644 --- a/.github/workflows/veracode-code-analysis.yml +++ b/.github/workflows/veracode-code-analysis.yml 
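Review bot: The new `run_id` output is documented as `"The first output string"`, which tells a caller nothing; it carries the check-run id from the create-check request (the job output is `fromJson(steps.create_check_run.outputs.data).id`) and callers forward it as `check_run_id`. Suggested text: `description: 'ID of the check run created for this scan; pass it as check_run_id to the Veracode helper actions so results are attached to it'`.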
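Review bot: The metadata step interpolates `${{ inputs.branch }}` straight into a single-quoted shell string; a branch name is user-controlled by anyone who can push to an org repo and may legally contain `'`, which ends the quote and turns the rest of the name into shell commands run with the App token in scope. The added `echo "run_id=..." >> "GITHUB_OUTPUT"` also writes to a file literally named `GITHUB_OUTPUT` (missing `$`), so that step output is never set — harmless only because the job output above reads the expression directly. Move every payload-derived value into `env:` and build the JSON with `jq` so quoting is handled by the tool; the enclosing step starts above this hunk and keeps its name.

```yaml
        env:
          CHECK_RUN_TYPE: ${{ inputs.event_type }}
          REPO_NAME: ${{ inputs.repositroy_name }}
          CHECK_RUN_ID: ${{ fromJson(steps.create_check_run.outputs.data).id }}
          BRANCH: ${{ inputs.branch }}
          HEAD_SHA: ${{ inputs.head_sha }}
        run: |
          jq -n --arg t "$CHECK_RUN_TYPE" --arg r "$REPO_NAME" --argjson id "$CHECK_RUN_ID" \
                --arg b "$BRANCH" --arg s "$HEAD_SHA" \
                '{check_run_type: $t, repository_name: $r, check_run_id: $id, branch: $b, sha: $s}' \
                > workflow-metadata.json
          echo "run_id=$CHECK_RUN_ID" >> "$GITHUB_OUTPUT"
        shell: bash
```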
@@ -2,18 +2,33 @@ name: Veracode Static Code Analysis run-name: Static Code Analysis - ${{ github.event.client_payload.repository.name }} +concurrency: + group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch }} + cancel-in-progress: true + on: repository_dispatch: - types: [java-maven-pipeline-scan, - java-gradle-pipeline-scan, - source-code-pipeline-scan, - dot-net-pipeline-scan, - go-pipeline-scan, - dot-net-policy-scan, - java-maven-policy-scan, - java-gradle-policy-scan, - source-code-policy-scan, - go-policy-scan] + types: + - java-maven-pipeline-scan + - java-maven-policy-scan + - java-gradle-pipeline-scan + - java-gradle-policy-scan + - source-code-pipeline-scan + - source-code-policy-scan + - dot-net-pipeline-scan + - dot-net-policy-scan + - go-pipeline-scan + - go-policy-scan + - tsql-pipeline-scan + - tsql-policy-scan + - plsql-pipeline-scan + - plsql-policy-scan + - php-pipeline-scan + - php-policy-scan + - scala-pipeline-scan + - scala-policy-scan + - dart-pipeline-scan + - dart-policy-sca jobs: register: 
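Review bot: The last dispatch type in the new list is `dart-policy-sca`, which does not follow the `<language>-policy-scan` pattern of every other entry; `repository_dispatch` matches types exactly, so a `dart-policy-scan` dispatch from the App will not trigger this workflow and Dart policy scans silently never run. Change it to `- dart-policy-scan`. The jobs below gate on `contains(github.event.action, 'policy')`, so the mistyped name would also be the only thing that keeps `policy_scan` from running for Dart — worth a quick test dispatch after the fix.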
@@ -26,9 +41,45 @@ jobs: event_type: ${{ github.event.client_payload.event_type }} github_token: ${{ github.event.client_payload.token }} run_id: ${{ github.run_id }} - - build: + branch: ${{ github.event.client_payload.repository.branch }} + + validations: needs: register + runs-on: ubuntu-latest + name: Validations + steps: + - name: Verify Veracode API credentials + id: verify_api_creds + uses: veracode/github-actions-integration-helper@v0.1.2 + with: + action: validateVeracodeApiCreds + token: ${{ github.event.client_payload.token }} + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ github.event.client_payload.user_config.profile_name }} + source_repository: ${{ github.event.client_payload.repository.full_name }} + check_run_id: ${{ needs.register.outputs.run_id }} + + - name: Verify Policy name + id: verify_policy_name + if: success() + uses: veracode/github-actions-integration-helper@v0.1.2 + with: + action: validatePolicyName + token: ${{ github.event.client_payload.token }} + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ github.event.client_payload.user_config.profile_name }} + source_repository: ${{ github.event.client_payload.repository.full_name }} + check_run_id: ${{ needs.register.outputs.run_id }} + policyname: ${{ github.event.client_payload.policy_name }} + path: ${{ github.event.client_payload.annotationObj.path }} + start_line: ${{ github.event.client_payload.annotationObj.start_line }} + end_line: ${{ github.event.client_payload.annotationObj.end_line }} + break_build_invalid_policy: ${{github.event.client_payload.break_build_invalid_policy }} + + build: + needs: validations uses: ./.github/workflows/veracode-build-artifact-for-scanning.yml with: repository: ${{ github.event.client_payload.repository.full_name }} 
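Review bot: Both validation steps call `veracode/github-actions-integration-helper@v0.1.2` and hand it the App token plus `VERACODE_API_ID`/`VERACODE_API_KEY`; a version tag is mutable, so anyone who can move that tag runs arbitrary code with those secrets in every org scan. Pin the action to its full commit SHA (`uses: veracode/github-actions-integration-helper@<commit-sha> # v0.1.2`), and apply the same to the other third-party actions this commit bumps. `if: success()` on the policy-name step is the default behaviour and can be dropped, and `break_build_invalid_policy: ${{github.event...` is missing the space after `${{` that every other expression in the file has.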
@@ -39,19 +90,46 @@ jobs: pipeline_scan: # needs the build step before this job will start running - needs: build + needs: [build, register] if: contains(github.event.action, 'pipeline') uses: ./.github/workflows/veracode-pipeline-scan.yml with: policy_name: ${{ github.event.client_payload.policy_name }} + create_code_scanning_alert: ${{ github.event.client_payload.user_config.create_code_scanning_alert }} + owner: ${{ github.event.client_payload.repository.owner }} + repo: ${{ github.event.client_payload.repository.name }} + sha: ${{ github.event.client_payload.sha }} + token: ${{ github.event.client_payload.token }} + ref: ${{ github.event.client_payload.user_config.ref }} + create_issue: ${{ github.event.client_payload.user_config.create_issue }} + source_repository: ${{ github.event.client_payload.repository.full_name }} + check_run_id: ${{ needs.register.outputs.run_id }} + profile_name: ${{ github.event.client_payload.user_config.profile_name }} + break_build_policy_findings: ${{ github.event.client_payload.user_config.break_build_policy_findings }} + break_build_on_error: ${{ github.event.client_payload.user_config.break_build_on_error }} + filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }} + language: ${{ github.event.client_payload.repository.language }} secrets: inherit policy_scan: - needs: build + needs: [build, register] if: contains(github.event.action, 'policy') uses: ./.github/workflows/veracode-policy-scan.yml with: - profile_name: ${{ github.event.client_payload.profile_name }} + profile_name: ${{ github.event.client_payload.user_config.profile_name }} policy_name: ${{ github.event.client_payload.policy_name }} modules_to_scan: ${{ github.event.client_payload.modules_to_scan }} - secrets: inherit + owner: ${{ github.event.client_payload.repository.owner }} + repo: ${{ github.event.client_payload.repository.name }} + sha: ${{ github.event.client_payload.sha }} + token: ${{ github.event.client_payload.token 
}} + ref: ${{ github.event.client_payload.user_config.ref }} + create_issue: ${{ github.event.client_payload.user_config.create_issue }} + create_code_scanning_alert: ${{ github.event.client_payload.user_config.create_code_scanning_alert }} + source_repository: ${{ github.event.client_payload.repository.full_name }} + check_run_id: ${{ needs.register.outputs.run_id }} + break_build_policy_findings: ${{ github.event.client_payload.user_config.break_build_policy_findings }} + break_build_on_error: ${{ github.event.client_payload.user_config.break_build_on_error }} + filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }} + language: ${{ github.event.client_payload.repository.language }} + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/veracode-iac-secrets-scan.yml b/.github/workflows/veracode-iac-secrets-scan.yml index ab4a14583..982a8b960 100644 --- a/.github/workflows/veracode-iac-secrets-scan.yml +++ b/.github/workflows/veracode-iac-secrets-scan.yml @@ -2,6 +2,10 @@ name: Veracode IaC/Secrets Scanning run-name: Veracode IaC/Secrets Scanning - ${{ github.event.client_payload.repository.name }} +concurrency: + group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch }} + cancel-in-progress: true + on: repository_dispatch: types: [veracode-iac-secrets-scan] 
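Review bot: `language: ${{ github.event.client_payload.repository.language }}` is forwarded to both reusable workflows, where it presumably drives the `inputs.language == 'Java'` branches that map findings back to `src/main/java`; if that field is GitHub's primary-language heuristic for the repository, a Maven or Gradle project with a large JavaScript front end is classified as non-Java and loses the source-path mapping, while a Kotlin/Gradle project is built as `java-gradle-*` but not mapped. The dispatch type already encodes the build system, so deriving the flag from it is more reliable, e.g. `language: ${{ startsWith(github.event.action, 'java-') && 'Java' || github.event.client_payload.repository.language }}`. Also, `modules_to_scan` is still passed to `policy_scan` although the callee no longer uses it (see its hunk later in this commit).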
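Review bot: The new `concurrency.group` keys on `client_payload.repository.branch` with `cancel-in-progress: true`, so a second push to the same branch cancels a running IaC/secrets scan; that is reasonable, but if the App ever dispatches without `repository.branch` (elsewhere in this workflow the checkout still keys on `client_payload.sha`) the group collapses to `<event_type>-<repo>-` and every scan for that repository cancels the previous one. Confirm the App always sets `repository.branch`, or fall back to the sha: `group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch || github.event.client_payload.sha }}`.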
@@ -17,20 +21,38 @@ jobs: event_type: ${{ github.event.client_payload.event_type }} github_token: ${{ github.event.client_payload.token }} run_id: ${{ github.run_id }} - + branch: ${{ github.event.client_payload.repository.branch }} + + validations: + needs: register + runs-on: ubuntu-latest + name: Validations + steps: + - name: Verify Veracode API credentials + id: verify_api_creds + uses: veracode/github-actions-integration-helper@v0.1.2 + with: + action: validateVeracodeApiCreds + token: ${{ github.event.client_payload.token }} + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ github.event.client_payload.user_config.profile_name }} + source_repository: ${{ github.event.client_payload.repository.full_name }} + check_run_id: ${{ needs.register.outputs.run_id }} + veracode-iac-secrets-scan: - needs: [register] + needs: [register, validations] runs-on: ubuntu-latest name: Veracode IaC/Secrets Scanning steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: repository: ${{ github.event.client_payload.repository.full_name }} ref: ${{ github.event.client_payload.sha }} token: ${{ github.event.client_payload.token }} - name: Run Veracode IaC/Secrets Scanning - uses: veracode/container_iac_secrets_scanning@v1.0.1 + uses: veracode/container_iac_secrets_scanning@v1.0.2 with: vid: ${{ secrets.VERACODE_API_ID }} vkey: ${{ secrets.VERACODE_API_KEY }} @@ -39,4 +61,4 @@ jobs: source: "./" format: "json" debug: false - fail_build: true + fail_build: ${{ github.event.client_payload.user_config.break_build_policy_findings }} diff --git a/.github/workflows/veracode-not-supported.yml b/.github/workflows/veracode-not-supported.yml index e798812cc..e98ec89b8 100644 --- a/.github/workflows/veracode-not-supported.yml +++ b/.github/workflows/veracode-not-supported.yml 
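Review bot: The checkout in the scan job persists the App token into `.git/config` (actions/checkout's default) and the scanner is then pointed at `source: "./"`; if the container IaC/secrets scanner walks `.git/`, the token shows up as a secret finding in the JSON output and in any artifact built from it. Confirm the scanner excludes `.git/`, and set `persist-credentials: false` on the checkout either way, since nothing after it needs git credentials. The new `validations` job is a verbatim copy of the one added to the code-analysis and binary-ready workflows; it could be a reusable workflow next to `veracode-check-run.yml` so a fix to credential validation lands once.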
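Review bot: `fail_build: ${{ github.event.client_payload.user_config.break_build_policy_findings }}` replaces a hard-coded `true`, so the gate now fails open whenever the key is missing from `user_config` — the expression evaluates to an empty string and the action will most likely not treat that as true. The `veracode.yml` shipped in this commit defaults the key to `true`, but a repo that trims its config loses the gate without any signal; have the App fill in the default before dispatching, or guard the value explicitly in the workflow, and confirm how the action parses non-boolean strings such as `"true"`.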
@@ -17,7 +17,8 @@ jobs: event_type: ${{ github.event.client_payload.event_type }} github_token: ${{ github.event.client_payload.token }} run_id: ${{ github.run_id }} - + branch: ${{ github.event.client_payload.repository.branch }} + veracode-not-supported: needs: [register] runs-on: ubuntu-latest @@ -33,7 +34,7 @@ jobs: echo "Please contact your Veracode administrator for more information." >> error.txt echo "If you are a Veracode administrator, please contact Veracode support." >> error.txt - name: save results file - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: veracode-error path: error.txt diff --git a/.github/workflows/veracode-pipeline-scan.yml b/.github/workflows/veracode-pipeline-scan.yml index 9e7f680a6..940762243 100644 --- a/.github/workflows/veracode-pipeline-scan.yml +++ b/.github/workflows/veracode-pipeline-scan.yml @@ -6,8 +6,49 @@ on: policy_name: required: true type: string + owner: + required: true + type: string + repo: + required: true + type: string + sha: + required: true + type: string + token: + required: true + type: string + ref: + required: true + type: string + create_code_scanning_alert: + required: true + type: boolean + create_issue: + required: true + type: boolean + check_run_id: + required: true + type: string + source_repository: + required: true + type: string + profile_name: + required: true + type: string + break_build_policy_findings: + required: true + type: string + break_build_on_error: + required: true + type: string + filter_mitigated_flaws: + required: true + type: string + language: + required: true + type: string - jobs: pipeline_scan: runs-on: ubuntu-latest @@ -15,11 +56,11 @@ jobs: steps: - name: checkout repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 # get the compiled binary from a previous job - name: get archive - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: veracode-artifact path: ./veracode_artifact_directory 
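Review bot: The new `break_build_policy_findings`, `break_build_on_error` and `filter_mitigated_flaws` inputs are declared `type: string` while `create_code_scanning_alert` and `create_issue` are `type: boolean`, although the caller feeds all five from the same `user_config` block and this file uses `break_build_policy_findings` directly as `fail_build:`; a missing config key therefore arrives as an empty string and quietly disables the gate. Declare the three as `type: boolean` too so a malformed or absent value should be rejected at call time instead of failing open. `token` is also a plain string input here; see the note on the policy-scan input list for why it belongs under `secrets:`.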
@@ -32,10 +73,97 @@ jobs: # run the pipeline scan action - name: Veracode Pipeline-Scan id: pipeline-scan - uses: veracode/Veracode-pipeline-scan-action@v1.0.10 + uses: veracode/Veracode-pipeline-scan-action@v1.0.15 with: vid: ${{ secrets.VERACODE_API_ID }} vkey: ${{ secrets.VERACODE_API_KEY }} veracode_policy_name: ${{ inputs.policy_name }} file: ./veracode_artifact_directory/${{ env.veracode_artifact }} - fail_build: true + fail_build: ${{ inputs.break_build_policy_findings }} + use_upgraded_version: true + + - name: Veracode Pipeline Results + if: always() + id: prepare-results + uses: Veracode/github-actions-integration-helper@v0.1.2 + with: + action: 'preparePipelineResults' + token: ${{ inputs.token }} + check_run_id: ${{ inputs.check_run_id }} + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ inputs.profile_name }} + source_repository: ${{ inputs.source_repository }} + fail_checks_on_policy: ${{ inputs.break_build_policy_findings }} + fail_checks_on_error: ${{ inputs.break_build_on_error }} + filter_mitigated_flaws: ${{ inputs.filter_mitigated_flaws }} + + code-scanning-alert: + needs: pipeline_scan + runs-on: ubuntu-latest + if: ${{ inputs.create_code_scanning_alert && always() }} + name: Create code scanning alerts + steps: + - name: Get scan results + uses: actions/download-artifact@v4 + with: + name: "Veracode Pipeline-Scan Results - Mitigated findings" + + - name: Convert pipeline scan output to SARIF format for java language + if: ${{ inputs.language == 'Java' }} + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3 + with: + pipeline-results-json: filtered_results.json + output-results-sarif: veracode-results.sarif + repo_owner: ${{ inputs.owner }} + repo_name: ${{ inputs.repo }} + commitSHA: ${{ inputs.sha }} + ref: ${{ inputs.ref }} + githubToken: ${{ inputs.token }} + source-base-path-1: 'com/:src/main/java/com/' + source-base-path-2: 'WEB-INF:src/main/webapp/WEB-INF' + + - name: Convert pipeline 
scan output to SARIF format for non java language + if: ${{ inputs.language != 'Java' }} + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3 + with: + pipeline-results-json: filtered_results.json + output-results-sarif: veracode-results.sarif + repo_owner: ${{ inputs.owner }} + repo_name: ${{ inputs.repo }} + commitSHA: ${{ inputs.sha }} + ref: ${{ inputs.ref }} + githubToken: ${{ inputs.token }} + + create-issues: + needs: pipeline_scan + runs-on: ubuntu-latest + if: ${{ inputs.create_issue && always() }} + name: Create issues + steps: + - name: Get scan results + uses: actions/download-artifact@v4 + with: + name: 'Veracode Pipeline-Scan Results - Mitigated findings' + + - name: Create flaws as issues for java language + if: ${{ inputs.language == 'Java' }} + uses: veracode/veracode-flaws-to-issues@v2.2.24 + with: + scan-results-json: 'filtered_results.json' + repo_owner: ${{ inputs.owner }} + github-token: ${{ inputs.token }} + repo_name: ${{ inputs.repo }} + commitHash: ${{ inputs.sha }} + source_base_path_1: 'com/:src/main/java/com/' + source_base_path_2: 'WEB-INF:src/main/webapp/WEB-INF' + + - name: Create flaws as issues for non java language + if: ${{ inputs.language != 'Java' }} + uses: veracode/veracode-flaws-to-issues@v2.2.24 + with: + scan-results-json: 'filtered_results.json' + repo_owner: ${{ inputs.owner }} + repo_name: ${{ inputs.repo }} + github-token: ${{ inputs.token }} + commitHash: ${{ inputs.sha }} diff --git a/.github/workflows/veracode-policy-scan.yml b/.github/workflows/veracode-policy-scan.yml index 19e56e7a2..30141c361 100644 --- a/.github/workflows/veracode-policy-scan.yml +++ b/.github/workflows/veracode-policy-scan.yml 
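Review bot: Both follow-up jobs gate on `if: ${{ inputs.create_code_scanning_alert && always() }}` / `... create_issue && always() }}`; `always()` also fires when the run is cancelled, and this same commit adds `cancel-in-progress: true` to every caller, so a superseded run still spins up `code-scanning-alert` and `create-issues`, which then fail at `actions/download-artifact` because the cancelled `pipeline_scan` never uploaded results. Use `if: ${{ inputs.create_code_scanning_alert && !cancelled() }}` (and the same for `create_issue`), which keeps the intended behaviour of reporting findings when the scan step fails the build without running on cancellation. The `pipeline_scan` job header lies above this hunk.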
@@ -12,7 +12,46 @@ on: modules_to_scan: required: true type: string - + owner: + required: true + type: string + repo: + required: true + type: string + sha: + required: true + type: string + token: + required: true + type: string + ref: + required: true + type: string + create_code_scanning_alert: + required: true + type: boolean + create_issue: + required: true + type: boolean + check_run_id: + required: true + type: string + source_repository: + required: true + type: string + break_build_policy_findings: + required: true + type: string + break_build_on_error: + required: true + type: string + filter_mitigated_flaws: + required: true + type: string + language: + required: true + type: string + jobs: policy_scan: runs-on: ubuntu-latest 
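Review bot: `token` is declared as a plain `type: string` input, which means the App token is passed through the reusable-workflow `with:` map and is not registered for log masking; anything that prints an input — a debug run, an action echoing its configuration — can leak it. Reusable workflows have a separate `secrets:` block for exactly this: declare `secrets: token: required: true`, reference it as `${{ secrets.token }}` in the steps, and have the caller pass it under `secrets:` rather than `with:`. The pipeline-scan workflow's identical input list has the same problem.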
@@ -20,33 +59,133 @@ jobs: steps: - name: checkout repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 # get the compiled binary from a previous job - name: get archive - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: veracode-artifact path: ./veracode_artifact_directory - - - name: Get the name of the downloaded files - run: | - artifact_file=$(ls -1 ./veracode_artifact_directory | head -n 1) - echo "veracode_artifact=$artifact_file" >> $GITHUB_ENV + # run the policy scan action - name: Veracode Upload and Scan Action Step - uses: veracode/uploadandscan-action@main + uses: veracode/uploadandscan-action@v0.1.4 id: upload_and_scan with: appname: ${{ inputs.profile_name }} createprofile: true policy: ${{ inputs.policy_name }} version: '${{ github.run_id }}' - filepath: ./veracode_artifact_directory/${{ env.veracode_artifact }} + filepath: ./veracode_artifact_directory/ vid: '${{ secrets.VERACODE_API_ID }}' vkey: '${{ secrets.VERACODE_API_KEY }}' #scanpollinginterval: 30 scantimeout: 15 - include: ${{ inputs.modules_to_scan }} - failbuild: true - + # include: ${{ inputs.modules_to_scan }} + failbuild: ${{ inputs.break_build_policy_findings }} + use_upgraded_version: true + + - name: Veracode Policy Results + id: prepare-results + if: always() + uses: Veracode/github-actions-integration-helper@v0.1.2 + with: + action: 'preparePolicyResults' + token: ${{ inputs.token }} + check_run_id: ${{ inputs.check_run_id }} + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ inputs.profile_name }} + source_repository: ${{ inputs.source_repository }} + fail_checks_on_policy: ${{ inputs.break_build_policy_findings }} + fail_checks_on_error: ${{ inputs.break_build_on_error }} + filter_mitigated_flaws: ${{ inputs.filter_mitigated_flaws }} + + veracode-remove-sandbox: + needs: policy_scan + runs-on: ubuntu-latest + if: ${{ 
github.event.client_payload.user_config.sandbox_scan.execute_remove_sandbox_action && always() }} + name: Remove Sandbox + steps: + - uses: veracode/github-actions-integration-helper@v0.1.2 + with: + action: 'removeSandbox' + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ github.event.client_payload.user_config.profile_name }} + sandboxname: GitHub App Scans-${{ github.event.client_payload.user_config.sandbox_scan.branch }} + + code-scanning-alert: + needs: policy_scan + runs-on: ubuntu-latest + if: ${{ inputs.create_code_scanning_alert && always() }} + name: Create code scanning alerts + steps: + - name: Get scan results + uses: actions/download-artifact@v4 + with: + name: policy-flaws + path: /tmp + + - name: Convert policy scan output to SARIF format for java language + if: ${{ inputs.language == 'Java' }} + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3 + with: + scan-type: policy + results-json: '/tmp/policy_flaws.json' + output-results-sarif: veracode-results.sarif + repo_owner: ${{ inputs.owner }} + repo_name: ${{ inputs.repo }} + commitSHA: ${{ inputs.sha }} + ref: ${{ inputs.ref }} + githubToken: ${{ inputs.token }} + source-base-path-1: 'com/:src/main/java/com/' + source-base-path-2: 'WEB-INF:src/main/webapp/WEB-INF' + + - name: Convert policy scan output to SARIF format for non java language + if: ${{ inputs.language != 'Java' }} + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3 + with: + scan-type: policy + results-json: '/tmp/policy_flaws.json' + output-results-sarif: veracode-results.sarif + repo_owner: ${{ inputs.owner }} + repo_name: ${{ inputs.repo }} + commitSHA: ${{ inputs.sha }} + ref: ${{ inputs.ref }} + githubToken: ${{ inputs.token }} + + create-issues: + needs: policy_scan + if: ${{ inputs.create_issue && always() }} + runs-on: ubuntu-latest + name: Create issues + steps: + - name: Get flaw file + uses: actions/download-artifact@v4 + with: + name: 'policy-flaws' + path: 
/tmp + + - name: Create flaws as issues for java language + if: ${{ inputs.language == 'Java' }} + uses: veracode/veracode-flaws-to-issues@v2.2.24 + with: + scan-results-json: '/tmp/policy_flaws.json' + repo_owner: ${{ inputs.owner }} + repo_name: ${{ inputs.repo }} + github-token: ${{ inputs.token }} + commitHash: ${{ inputs.sha }} + source_base_path_1: 'com/:src/main/java/com/' + source_base_path_2: 'WEB-INF:src/main/webapp/WEB-INF' + + - name: Create flaws as issues for non java language + if: ${{ inputs.language != 'Java' }} + uses: veracode/veracode-flaws-to-issues@v2.2.24 + with: + scan-results-json: '/tmp/policy_flaws.json' + repo_owner: ${{ inputs.owner }} + repo_name: ${{ inputs.repo }} + github-token: ${{ inputs.token }} + commitHash: ${{ inputs.sha }} diff --git a/.github/workflows/veracode-remove-sandbox.yml b/.github/workflows/veracode-remove-sandbox.yml new file mode 100644 index 000000000..75ecf2d85 --- /dev/null +++ b/.github/workflows/veracode-remove-sandbox.yml 
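Review bot: The `veracode-remove-sandbox` job deletes `GitHub App Scans-${{ github.event.client_payload.user_config.sandbox_scan.branch }}`, whereas the sandbox-scan and remove-sandbox workflows added in this commit create and delete `GitHub App Scans-${{ github.event.client_payload.repository.branch }}`; unless the App guarantees those two payload fields are equal, this job targets a sandbox that was never created and the real one is left behind. It also reads `github.event.client_payload` directly inside a reusable workflow, bypassing the `inputs` contract declared above — pass the sandbox name (or the branch) in as an input and build the name from it. Separately, `include: ${{ inputs.modules_to_scan }}` is commented out while `modules_to_scan` stays a required input, so every caller still has to supply a value that is ignored; re-enable the line or drop the input. The hunk begins in the middle of the `policy_scan` job, whose header is above it.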
@@ -0,0 +1,43 @@ +name: Veracode - Remove Sandbox When Pr Closed or Branch Deleted + +run-name: Remove Veracode Sandbox - Profile ${{ github.event.client_payload.repository.name }} - Sandbox ${{ github.event.client_payload.repository.branch }} + +concurrency: + group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch }} + cancel-in-progress: true + +on: + repository_dispatch: + types: [veracode-remove-sandbox] + +jobs: + create-checks-run: + name: Create Checks Run + runs-on: ubuntu-latest + steps: + - name: Create metadata + id: create_metadata_json + run: | + echo '{ + "check_run_type": "${{ github.event.client_payload.event_type }}", + "repository_name": "${{ github.event.client_payload.repository.name }}", + "check_run_id": "", + "sha": "${{ github.event.client_payload.sha }}" + }' > workflow-metadata.json + - name: Save metadata + uses: actions/upload-artifact@v4 + with: + name: workflow-metadata + path: workflow-metadata.json + veracode-remove-sandbox: + needs: create-checks-run + runs-on: ubuntu-latest + name: Remove Sandbox + steps: + - uses: veracode/github-actions-integration-helper@v0.1.2 + with: + action: 'removeSandbox' + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + appname: ${{ github.event.client_payload.user_config.profile_name }} + sandboxname: GitHub App Scans-${{ github.event.client_payload.repository.branch }} diff --git a/.github/workflows/veracode-sandbox-scan.yml b/.github/workflows/veracode-sandbox-scan.yml new file mode 100644 index 000000000..576037b5b --- /dev/null +++ b/.github/workflows/veracode-sandbox-scan.yml 
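Review bot: The `create-checks-run` job does not create a check run — it only writes `workflow-metadata.json` with `"check_run_id": ""` — so its name and the `check_run_type` field will mislead whoever reads the artifact; rename it `create-metadata`, or reuse `veracode-check-run.yml` if a check run is actually wanted for the removal. The JSON is assembled by interpolating `${{ github.event.client_payload.... }}` directly into a single-quoted shell string; the values used here (event type, repository name, sha) cannot contain a quote, so it is not exploitable as written, but passing them through `env:` and building the file with `jq -n --arg` keeps the pattern injection-safe for the day a user-controlled field such as the branch is added to this file.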
@@ -0,0 +1,61 @@ +name: Veracode Static Sandbox Scanner +run-name: Veracode Sandbox Scan - ${{ github.event.client_payload.repository.name }} + +concurrency: + group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch }} + cancel-in-progress: true + +on: + repository_dispatch: + types: + - java-maven-sandbox-scan + - java-gradle-sandbox-scan + - source-code-sandbox-scan + - dot-net-sandbox-scan + - go-sandbox-scan + - tsql-sandbox-scan + - plsql-sandbox-scan + - php-sandbox-scan + - scala-sandbox-scan + - dart-sandbox-scan + +jobs: + build: + uses: ./.github/workflows/veracode-build-artifact-for-scanning.yml + with: + repository: ${{ github.event.client_payload.repository.full_name }} + ref: ${{ github.event.client_payload.sha }} + token: ${{ github.event.client_payload.token }} + event_name: ${{ github.event.action }} + + sandbox_scan: + needs: build + runs-on: ubuntu-latest + name: sandbox scan + + steps: + - name: checkout repo + uses: actions/checkout@v4 + + # get the compiled binary from a previous job + - name: get archive + uses: actions/download-artifact@v4 + with: + name: veracode-artifact + path: ./veracode_artifact_directory + + # run the policy scan action + - name: Veracode Upload and Scan Action Step + uses: veracode/uploadandscan-action@v0.1.4 + id: upload_and_scan + with: + appname: ${{ github.event.client_payload.user_config.profile_name }} + createprofile: true + policy: ${{ github.event.client_payload.policy_name }} + version: '${{ github.run_id }}' + filepath: ./veracode_artifact_directory/ + vid: '${{ secrets.VERACODE_API_ID }}' + vkey: '${{ secrets.VERACODE_API_KEY }}' + createsandbox: true + sandboxname: GitHub App Scans-${{ github.event.client_payload.repository.branch }} + failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }} 
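Review bot: Unlike every other scan workflow touched by this commit, the sandbox scan has no `register` job (so no check run is created for the commit) and no `validations` job, so bad Veracode credentials or a missing profile surface only as a failed `Veracode Upload and Scan Action Step` with nothing reported back to the pull request. Add the same `register`/`validations` jobs and make `build` depend on them (`needs: validations`), or at minimum run `validateVeracodeApiCreds` before building so a misconfigured repo fails fast rather than after a full build. `use_upgraded_version: true`, set on the policy-scan counterpart, is absent here — confirm that is intentional.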
diff --git a/.github/workflows/veracode-sca-scan.yml b/.github/workflows/veracode-sca-scan.yml index a4cc9c3ef..c9856bbd1 100644 --- a/.github/workflows/veracode-sca-scan.yml +++ b/.github/workflows/veracode-sca-scan.yml @@ -2,6 +2,10 @@ name: Veracode Software Composition Analysis run-name: Software Composition Analysis - ${{ github.event.client_payload.repository.name }} +concurrency: + group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch }} + cancel-in-progress: true + on: repository_dispatch: types: [veracode-sca-scan] @@ -17,6 +21,7 @@ jobs: event_type: ${{ github.event.client_payload.event_type }} github_token: ${{ github.event.client_payload.token }} run_id: ${{ github.run_id }} + branch: ${{ github.event.client_payload.repository.branch }} veracode-sca-scan: needs: [register] @@ -24,15 +29,15 @@ jobs: name: Veracode Component Analysis steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: repository: ${{ github.event.client_payload.repository.full_name }} - ref: ${{ github.event.client_payload.sha }} + ref: ${{ github.event.client_payload.repository.branch }} token: ${{ github.event.client_payload.token }} - name: Run Veracode SCA env: SRCCLR_API_TOKEN: ${{ secrets.VERACODE_AGENT_TOKEN }} - uses: veracode/veracode-sca@v2.1.9 + uses: veracode/veracode-sca@v2.1.11 with: github_token: ${{ secrets.GITHUB_TOKEN }} create-issues: false diff --git a/helper/cli/veracode-cli_2.9.1_linux_x86.tar.gz b/helper/cli/veracode-cli_2.13.0_linux_x86.tar.gz similarity index 76% rename from helper/cli/veracode-cli_2.9.1_linux_x86.tar.gz rename to helper/cli/veracode-cli_2.13.0_linux_x86.tar.gz index f3e885e2b..3f06525be 100644 Binary files a/helper/cli/veracode-cli_2.9.1_linux_x86.tar.gz and b/helper/cli/veracode-cli_2.13.0_linux_x86.tar.gz differ diff --git a/repo_list.yml b/repo_list.yml new file mode 100644 index 000000000..362219b8c --- /dev/null 
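Review bot: The checkout now uses `ref: ${{ github.event.client_payload.repository.branch }}` instead of `client_payload.sha`, so the SCA scan runs against whatever the branch tip is when the job starts, not the commit the dispatch was raised for; with `cancel-in-progress` that is usually the same commit, but a push that lands between dispatch and checkout gets scanned under the earlier commit's check run, and results are no longer reproducible from the run. If the SCA action needs a branch checkout, keep the branch but verify `HEAD` matches the payload, e.g. `[ "$(git rev-parse HEAD)" = "$EXPECTED_SHA" ]` with the sha passed via `env:`; otherwise revert to `ref: ${{ github.event.client_payload.sha }}`.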
+++ b/repo_list.yml @@ -0,0 +1,17 @@ +# NOTE: You can also perform advanced search to include/exclude the repos by giving repos name as mentioned below: +# IMPORTANT: Please give all the repo name(s) in single quotes like 'abc' or '*' to avoid any errors and to perform advanced searches effectively. + + # - 'example-*' -- This will match the character(s) starting with 'example-' followed by anything. + # - 'vu*' -- This will match the character(s) starting with 'vu' followed by anything. + # - '*example*' -- This will match the character(s) anything before and after * and 'example' in between. + # - 'e*-*' -- This will match the character(s) starting with 'e' any character in between followed by '-' followed by anything. + # - 'e*pt' -- This will match the character(s) starting with 'e' and any character in between ending with 'pt'. + + +#Populate the list of repos required to scan under org or leave it blank or '*' to include all +include_repos: + - '*' + +#Populate the list of repos to skip from running the veracode scan(s) under org or leave it blank or '*' to exclude all +exclude_repos: + - 'veracode' \ No newline at end of file diff --git a/veracode.yml b/veracode.yml index 96446d320..2bf2ba25e 100644 --- a/veracode.yml +++ b/veracode.yml @@ -1,7 +1,4 @@ veracode_static_scan: - # Please only specify trigger:true for either push event or - # pull request event. Specifying both will only execute push event. - # Leaving them both false means this will never run push: trigger: true # Please only specify either branches_to_run or branches_to_exclude 
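Review bot: The comment above `exclude_repos` says to "leave it blank or '*' to exclude all", which conflates two opposite settings: a blank list presumably excludes nothing, while `'*'` excludes every repository and therefore disables scanning for the whole org. Reword to `# Repos to skip; leave empty to exclude none. '*' here would exclude every repository.` so an operator does not reach for `'*'` by analogy with `include_repos`, where blank and `'*'` really are equivalent.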
@@ -17,27 +14,36 @@ veracode_static_scan:
       - synchronize
     target_branch:
       - default_branch
-  # What branch would you like to use for platform analysis
-  # By selecting a branch here - Veracode will save your last scan result
-  # As an App Profile - given the current name of your scanned repo
-  # Use 'none' if you would not like any scans saved to the platform
-  analysis_branch: ENTER_BRANCH_NAME_HERE
-  #If the break_build_policy_findings is set to true, the build will break if the pipeline scan finds any policy violations.
+  # If the analysis_on_platform is set to true,
+  # Veracode will save your last scan result, on the default branch, as an application profile with the same name as your scanned repository on the Veracode platform.
+  # If the analysis_on_platform is set to false, scan results will not be saved to the Veracode platform.
+  analysis_on_platform: false
+  # If break_build_policy_findings is set to true, the build will break when findings violate the policy.
   break_build_policy_findings: true
-  #If the break_build_on_error is set to true, the build will break if the scan failed to complete in time or with an error.
+  # If break_build_invalid_policy is set to true, the build will break when the policy name is invalid.
+  break_build_invalid_policy: true
+  # If the break_build_on_error is set to true, the build will break if the scan failed to complete in time or with an error and the error_message will be displayed.
   break_build_on_error: false
-  #If the break_build_on_policy_error is set to true, this is the error message that will be displayed if the pipeline scan fails to complete in time or with an error.
-  error_message: "Veracode SAST scan faced a problem. Please contact your Veracode administrator for more information. If you are a Veracode administrator, please contact Veracode support."
+  error_message: "Veracode static scan faced a problem. Please contact your Veracode administrator for more information."
+  # Default policy to be used if a policy isn't already assigned to the application profile.
   policy: 'Veracode Recommended Medium + SCA'
-  compile_locally: false
-  local_compilation_workflow: na
+  # If the create_code_scanning_alert is set to true, GitHub security code scanning vulnerability alerts will be created for static findings.
+  create_code_scanning_alert: false
+  # If the create_issue is set to true, GitHub Issues will be created for static findings.
+  create_issue: false
+  # If the trigger is set to true, a scan is triggered when you create an issue containing the commands value or add a comment containing the commands value to an issue.
+  # Syntax to be used - COMMANDS_VALUE [branch: BRANCH_NAME]
+  issues:
+    trigger: false
+    commands:
+      - "Veracode Static Scan"
-veracode_sca_scan:
-  # Please only specify trigger:true for either push event or
-  # pull request event. Specifying both will only execute push event.
-  # Leaving them both false means this will never run
+veracode_sca_scan:
   push:
     trigger: true
+    # Please only specify either branches_to_run or branches_to_exclude
+    # Entering both will only execute branches_to_run
+    # Leaving them both blank means this will never run
     branches_to_run:
       - '*'
     branches_to_exclude:
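Review bot: The comment above the new `issues:` block explains the command text and the `[branch: BRANCH_NAME]` syntax but not who is allowed to trigger a scan this way; issue comments on a public repository can be written by anyone, and a command that selects an arbitrary branch is a stronger capability than the push trigger, so the file should state whether the dispatcher checks the commenter's repository permission before acting (the shipped `trigger: false` is the right conservative default). Suggested addition under the syntax line: `# Only enable if the dispatcher verifies the commenter's repository permission before scanning the named branch.`, adjusted to the check the dispatcher actually performs, which is not visible in this diff. The same block and comment are repeated in the `veracode_sca_scan` hunk (`@@ -48`) and the `veracode_iac_secrets_scan` hunk (`@@ -71`).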
@@ -48,19 +54,23 @@ veracode_sca_scan:
       - synchronize
     target_branch:
       - default_branch
-  #If the break_build_policy_findings is set to true, the build will break if the SCA scan finds any policy violations.
-  break_build_policy_findings: true
-  #If the break_build_on_error is set to true, the build will break if the scan failed to complete, no libraries found, no build system found or on any other error.
+  # If the break_build_on_error is set to true, the build will break if the scan failed to complete or with an error, no libraries were found,
+  # or no build system was found and the error_message will be displayed.
   break_build_on_error: true
-  #If the break_build_on_policy_error is set to true, this is the error message that will be displayed if the SCA scan fails to complete, no libraries found, no build system found or on any other error.
-  error_message: "Veracode SCA scan faced a problem. Please contact your Veracode administrator for more information. If you are a Veracode administrator, please contact Veracode support."
+  error_message: "Veracode SCA scan faced a problem. Please contact your Veracode administrator for more information."
+  # If the trigger is set to true, a scan is triggered when you create an issue containing the commands value or add a comment containing the commands value to an issue.
+  # Syntax to be used - COMMANDS_VALUE [branch: BRANCH_NAME]
+  issues:
+    trigger: false
+    commands:
+      - "Veracode SCA Scan"
 veracode_iac_secrets_scan:
-  # Please only specify trigger:true for either push event or
-  # pull request event. Specifying both will only execute push event.
-  # Leaving them both false means this will never run
   push:
     trigger: true
+    # Please only specify either branches_to_run or branches_to_exclude
+    # Entering both will only execute branches_to_run
+    # Leaving them both blank means this will never run
     branches_to_run:
       - '*'
     branches_to_exclude:
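Review bot: The `veracode_sca_scan` section drops `break_build_policy_findings` (the removed `-  break_build_policy_findings: true` line) while `veracode_static_scan` and `veracode_iac_secrets_scan` keep it, so a reader of the new file cannot tell whether SCA findings can still gate the build or whether the key was removed because the consumer ignores it for SCA. If the removal is intentional, a comment where the key used to be would make that explicit, e.g. `# SCA findings do not break the build; only scan errors do (see break_build_on_error).`. If the consumer still honours the key for SCA, its absence silently changes the default from `true` to whatever the consumer falls back to, which is not visible here.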
@@ -71,10 +81,15 @@ veracode_iac_secrets_scan:
       - synchronize
     target_branch:
       - default_branch
-  #If the break_build_policy_findings is set to true, the build will break if the IaC/Secrets scan finds any policy violations.
+  # If break_build_policy_findings is set to true, the build will break when findings violate the policy.
   break_build_policy_findings: true
-  #If the break_build_on_error is set to true, the build will break if the scan failed to complete, no libraries found or on any other error.
+  # If the break_build_on_error is set to true, the build will break if the scan failed to complete or with an error, no libraries were found,
+  # or no build system was found and the error_message will be displayed.
   break_build_on_error: true
-  #If the break_build_on_policy_error is set to true, this is the error message that will be displayed if the IaC/Secrets scan fails to complete, no libraries found or on any other error.
-  error_message: "Veracode SCA scan faced a problem. Please contact your Veracode administrator for more information. If you are a Veracode administrator, please contact Veracode support."
-
+  error_message: "Veracode IAC secrets scan faced a problem. Please contact your Veracode administrator for more information."
+  # If the trigger is set to true, a scan is triggered when you create an issue containing the commands value or add a comment containing the commands value to an issue.
+  # Syntax to be used - COMMANDS_VALUE [branch: BRANCH_NAME]
+  issues:
+    trigger: false
+    commands:
+      - "Veracode IAC Scan"
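Review bot: The rewritten `break_build_on_error` comment in the `veracode_iac_secrets_scan` section adds "or no build system was found" as an error condition; the comment it replaces listed only "failed to complete, no libraries found or on any other error", and build-system detection is an SCA concern, so the two new lines look copied from the `veracode_sca_scan` hunk above rather than describing the IaC/Secrets scan. Suggest `# If the break_build_on_error is set to true, the build will break if the IaC/Secrets scan failed to complete or ended with an error (including no scannable files found), and the error_message will be displayed.`, trimmed to the conditions the IaC/Secrets scanner actually reports. The new `error_message` also calls the scan "IAC secrets" while the issue command is `"Veracode IAC Scan"`; aligning both with the section name `veracode_iac_secrets_scan` avoids confusing users who have to type the command.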