56c60b8
Update veracode-iac-secrets-scan.yml
shailesh-veracode Dec 20, 2023
681540c
Implemented Veracode Policy Name Validation
veeranjaneya-reddy Jan 17, 2024
a396cd2
Added Break Build for Policy validation
veeranjaneya-reddy Jan 23, 2024
113dea0
updated veracode-code-analysis.yml
veeranjaneya-reddy Jan 24, 2024
5980eaa
Implemented Annotation Object to display annotations
veeranjaneya-reddy Jan 31, 2024
9341d9b
change in generate_signature file
veeranjaneya-reddy Jan 31, 2024
d63ec00
Update veracode-update-check-run.yml
veeranjaneya-reddy Jan 31, 2024
5f350bb
Merge pull request #20 from veracode/feature/DXS_124
julz0815 Feb 1, 2024
0881027
Revert "Implemented Veracode Policy Name Validation"
julz0815 Feb 8, 2024
e6424b8
Merge pull request #24 from veracode/revert-20-feature/DXS_124
julz0815 Feb 8, 2024
c94a295
Merge branch 'main' of github.com:veracode/github-actions-integration…
shailesh-veracode Mar 12, 2024
4874fc8
added condition to support sandbox scan for all supporting language
shailesh-veracode Mar 12, 2024
acead4b
added create issue and send report to security tab for policy and pip…
shailesh-veracode Mar 12, 2024
7e2f785
update properties name for security scanning
shailesh-veracode Mar 13, 2024
c0f8257
update properties name for code scanning alert
shailesh-veracode Mar 13, 2024
94127fe
update java version
shailesh-veracode Mar 13, 2024
07c8bba
added config for some of the new languages and update the sandbox con…
shailesh-veracode Mar 13, 2024
ee0cd35
added analysis_on_platform flag for analysis feature
shailesh-veracode Mar 13, 2024
f447bf4
added config for trigger scan on issue functionality
shailesh-veracode Mar 13, 2024
a7ffa35
added repo_list config file for allow repo functionality
shailesh-veracode Mar 13, 2024
50866c8
Update veracode.yml
shailesh-veracode Mar 13, 2024
12b370b
update tag for helper actions
shailesh-veracode Mar 13, 2024
a969928
update the release tag and replace sha with branch name in sca scan
shailesh-veracode Mar 13, 2024
75556ba
update release tag for veracode/veracode-flaws-to-issues@v2.2.22
shailesh-veracode Mar 13, 2024
0022847
update flag for policy validation
shailesh-veracode Mar 14, 2024
996b0cb
update the java and action versions
shailesh-veracode Mar 18, 2024
1c3932b
update version and remove profile supporting on org level
shailesh-veracode Mar 19, 2024
fe80190
update cache version from v3 to v4
shailesh-veracode Mar 20, 2024
5d07b44
Merge pull request #28 from veracode/DXS-338
shailesh-veracode Mar 21, 2024
0c986c3
build cli for java maven and gradle
shailesh-veracode Mar 21, 2024
0d78b1c
update the version for dot net setup
shailesh-veracode Mar 22, 2024
99d69ea
Added Break Build Policyfinding and onError flags
veeranjaneya-reddy Mar 22, 2024
c90538b
added break build in sandbox.yml
veeranjaneya-reddy Mar 23, 2024
7dce98f
modified create issue and code scanning alerts
veeranjaneya-reddy Mar 23, 2024
5663267
Update veracode-pipeline-scan.yml
shailesh-veracode Mar 23, 2024
e2f6b87
Update veracode-policy-scan.yml
shailesh-veracode Mar 23, 2024
463f95b
Merge pull request #33 from veracode/feature/DXS-258
shailesh-veracode Mar 23, 2024
e59110f
handled language for code scanning alert and issue flaws
shailesh-veracode Mar 23, 2024
ffbf221
update pipeline and policy scan version to handle the artifact versio…
shailesh-veracode Mar 23, 2024
b390e66
use_custom_workflow & CLI related changes
veraakarthikbharadwaj Mar 23, 2024
75a457c
executing create issue and code scanning alert job always if flag is …
shailesh-veracode Mar 23, 2024
6469556
CLI and version fixes
veraakarthikbharadwaj Mar 23, 2024
5082f3f
Updated version for JAVA
veraakarthikbharadwaj Mar 24, 2024
097e3ce
Update binary-ready-veracode-sast-policy-scan.yml
veraakarthikbharadwaj Mar 24, 2024
1dd604b
Merge pull request #34 from veracode/feature/DXS-201
shailesh-veracode Mar 24, 2024
b0b148c
Enabled CLI for sandbox scan
veraakarthikbharadwaj Mar 24, 2024
6b7888a
Update issues job and fixed repo name typo
veraakarthikbharadwaj Mar 24, 2024
a2a618e
removed java build file as we have cli integrated
shailesh-veracode Mar 26, 2024
b4aa84d
referring mitigated filtered result for pipeline scan for issue creati…
shailesh-veracode Mar 26, 2024
1ccdba2
Update veracode.yml
p-nayak Mar 26, 2024
bdd2519
Update veracode.yml
p-nayak Mar 27, 2024
f46e901
Merge pull request #35 from p-nayak/yml_update
shailesh-veracode Mar 29, 2024
99d263f
update issue flaws config to show preview
shailesh-veracode Mar 29, 2024
3635b55
Merge branch 'develop' of github.com:veracode/github-actions-integrat…
shailesh-veracode Mar 29, 2024
245ea6e
update code scanning alert action version which has the fix for …
shailesh-veracode Mar 29, 2024
e002245
fixed preview bug in issue creation flow
shailesh-veracode Apr 1, 2024
ef5d102
updated the version for action-helper
shailesh-veracode Apr 1, 2024
b941d48
removed flaws_report.yml
shailesh-veracode Apr 1, 2024
c914ee1
update workflow to handle multiple file
shailesh-veracode Apr 1, 2024
ec69dac
update tags to test the functionality
shailesh-veracode Apr 2, 2024
f91ffa7
Artifact name to artifact file
veraakarthikbharadwaj Apr 3, 2024
3956af1
update version and mitigation artifact name
shailesh-veracode Apr 3, 2024
0ee3acc
Merge branch 'develop' of github.com:veracode/github-actions-integrat…
shailesh-veracode Apr 3, 2024
f4b245e
Added register step template
veraakarthikbharadwaj Apr 5, 2024
10d6a30
executing remove-sandbox action after completing execution of policy …
shailesh-veracode Apr 5, 2024
11d1ad9
Introduce issue_trigger_flow flag to the metadata
veraakarthikbharadwaj Apr 8, 2024
e08bbb5
Added support for break build on finding for IAC scan
shailesh-veracode Apr 9, 2024
9be4881
Sandbox scan should not show on the PR checks for static scan
shailesh-veracode Apr 9, 2024
62565e6
Merge pull request #37 from veracode/issue/DXS-412
shailesh-veracode Apr 9, 2024
f98bbb6
Update binary-ready-veracode-sast-sandbox-scan
shailesh-veracode Apr 9, 2024
9bff1f2
fixed typo in sandbox scan workflow name
shailesh-veracode Apr 9, 2024
3dc6adf
update the release tag for github workflow helper action
shailesh-veracode Apr 10, 2024
ab48981
updated the release tag for github action integration helper action
shailesh-veracode Apr 10, 2024
f7971e5
added content permission to update the CLI on workflow repo
shailesh-veracode Apr 10, 2024
6acf0e6
updated the release tag for pipeline action and added the content per…
shailesh-veracode Apr 10, 2024
167 changes: 146 additions & 21 deletions .github/workflows/binary-ready-veracode-sast-pipeline-scan.yml
Expand Up @@ -2,6 +2,10 @@ name: Binary Ready - Veracode Static Code Analysis

run-name: Binary Ready - Static Code Analysis - ${{ github.event.client_payload.repository.name }}

concurrency:
group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch }}
cancel-in-progress: true

on:
repository_dispatch:
types: [binary-ready-veracode-sast-pipeline-scan]
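Review bot: the concurrency group key is built from `repository.name` rather than `repository.full_name`, so dispatches for two repositories that share a name in different owners/orgs (both reaching this workflow repo via `repository_dispatch`) land in the same group and, with `cancel-in-progress: true`, cancel each other's scans. Every component of the key also comes from the untrusted `client_payload`; if `event_type` or `repository.branch` is absent the key degrades to something like `--` and every run collapses into one group. Suggest `group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.full_name }}-${{ github.event.client_payload.repository.branch }}` and validating those fields in the `register` job before anything is cancelled on their basis.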
Expand All @@ -17,27 +21,148 @@ jobs:
event_type: ${{ github.event.client_payload.event_type }}
github_token: ${{ github.event.client_payload.token }}
run_id: ${{ github.run_id }}

pipeline_scan:
branch: ${{ github.event.client_payload.repository.branch }}

validations:
needs: register
runs-on: ubuntu-latest
name: Validations
steps:
- name: Verify Veracode API credentials
id: verify_api_creds
uses: veracode/github-actions-integration-helper@v0.1.2
with:
action: validateVeracodeApiCreds
token: ${{ github.event.client_payload.token }}
vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }}
appname: ${{ github.event.client_payload.user_config.profile_name }}
source_repository: ${{ github.event.client_payload.repository.full_name }}
check_run_id: ${{ needs.register.outputs.run_id }}

- name: Verify Policy name
id: verify_policy_name
if: success()
uses: veracode/github-actions-integration-helper@v0.1.2
with:
action: validatePolicyName
token: ${{ github.event.client_payload.token }}
vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }}
appname: ${{ github.event.client_payload.user_config.profile_name }}
source_repository: ${{ github.event.client_payload.repository.full_name }}
check_run_id: ${{ needs.register.outputs.run_id }}
policyname: ${{ github.event.client_payload.policy_name }}
path: ${{ github.event.client_payload.annotationObj.path }}
start_line: ${{ github.event.client_payload.annotationObj.start_line }}
end_line: ${{ github.event.client_payload.annotationObj.end_line }}
break_build_invalid_policy: ${{github.event.client_payload.break_build_invalid_policy }}

pipeline_scan:
needs: [register, validations]
runs-on: ubuntu-latest
steps:
- name: Download artifact
id: download-artifact
uses: actions/download-artifact@v4
with:
github-token: ${{ github.event.client_payload.token }}
repository: ${{ github.event.client_payload.repository.full_name }}
run-id: ${{ github.event.client_payload.run_id }}

- name: Veracode Pipeline-Scan
id: pipeline-scan
uses: veracode/Veracode-pipeline-scan-action@v1.0.15
with:
vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }}
veracode_policy_name: ${{ github.event.client_payload.policy_name }}
file: ${{ github.event.client_payload.repository.artifact_file }}
fail_build: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
use_upgraded_version: true

- name: Veracode Pipeline Results
if: always()
id: prepare-results
uses: Veracode/github-actions-integration-helper@v0.1.2
with:
action: 'preparePipelineResults'
token: ${{ github.event.client_payload.token }}
check_run_id: ${{ needs.register.outputs.run_id }}
vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }}
appname: ${{ github.event.client_payload.user_config.profile_name }}
source_repository: ${{ github.event.client_payload.repository.full_name }}
fail_checks_on_policy: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
fail_checks_on_error: ${{ github.event.client_payload.user_config.break_build_on_error }}
filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }}

code-scanning-alert:
needs: pipeline_scan
runs-on: ubuntu-latest
if: ${{ github.event.client_payload.user_config.create_code_scanning_alert && always() }}
name: Create code scanning alerts
steps:
- name: Get scan results
uses: actions/download-artifact@v4
with:
name: "Veracode Pipeline-Scan Results - Mitigated findings"

- name: Convert pipeline scan output to SARIF format for Java language
if: ${{ github.event.client_payload.repository.language == 'Java' }}
uses: Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3
with:
pipeline-results-json: filtered_results.json
output-results-sarif: veracode-results.sarif
repo_owner: ${{ github.event.client_payload.repository.owner }}
repo_name: ${{ github.event.client_payload.repository.name }}
commitSHA: ${{ github.event.client_payload.sha }}
ref: ${{ github.event.client_payload.user_config.ref }}
githubToken: ${{ github.event.client_payload.token }}
source-base-path-1: 'com/:src/main/java/com/'
source-base-path-2: 'WEB-INF:src/main/webapp/WEB-INF'

- name: Convert pipeline scan output to SARIF format for non Java language
if: ${{ github.event.client_payload.repository.language != 'Java' }}
uses: Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3
with:
pipeline-results-json: filtered_results.json
output-results-sarif: veracode-results.sarif
repo_owner: ${{ github.event.client_payload.repository.owner }}
repo_name: ${{ github.event.client_payload.repository.name }}
commitSHA: ${{ github.event.client_payload.sha }}
ref: ${{ github.event.client_payload.user_config.ref }}
githubToken: ${{ github.event.client_payload.token }}

create-issues:
needs: pipeline_scan
runs-on: ubuntu-latest
if: ${{ github.event.client_payload.user_config.create_issue && always() }}
name: Create issues
steps:
- name: Download artifact
id: download-artifact
uses: dawidd6/action-download-artifact@v2
with:
github_token: ${{secrets.GITHUB_TOKEN}}
run_id: ${{ github.event.client_payload.run_id }}
repo: ${{ github.event.client_payload.repository.full_name }}
- name: Get the name of the downloaded files
run: |
artifact_file=$(ls -1 ./veracode-artifact | head -n 1)
echo "veracode_artifact=$artifact_file" >> $GITHUB_ENV
- name: Veracode Pipeline-Scan
id: pipeline-scan
uses: veracode/Veracode-pipeline-scan-action@v1.0.8
with:
vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }}
file: ./veracode-artifact/${{ env.veracode_artifact }}
fail_build: true
- name: Get scan results
uses: actions/download-artifact@v4
with:
name: 'Veracode Pipeline-Scan Results - Mitigated findings'

- name: Create flaws as issues for Java language
if: ${{ github.event.client_payload.repository.language == 'Java' }}
uses: veracode/veracode-flaws-to-issues@v2.2.24
with:
scan-results-json: 'filtered_results.json'
repo_owner: ${{ github.event.client_payload.repository.owner }}
github-token: ${{ github.event.client_payload.token }}
repo_name: ${{ github.event.client_payload.repository.name }}
commitHash: ${{ github.event.client_payload.sha }}
source_base_path_1: 'com/:src/main/java/com/'
source_base_path_2: 'WEB-INF:src/main/webapp/WEB-INF'

- name: Create flaws as issues for non Java language
if: ${{ github.event.client_payload.repository.language != 'Java' }}
uses: veracode/veracode-flaws-to-issues@v2.2.24
with:
scan-results-json: 'filtered_results.json'
repo_owner: ${{ github.event.client_payload.repository.owner }}
github-token: ${{ github.event.client_payload.token }}
repo_name: ${{ github.event.client_payload.repository.name }}
commitHash: ${{ github.event.client_payload.sha }}
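Review bot: every third-party action in this hunk is referenced by a mutable tag (`veracode/github-actions-integration-helper@v0.1.2`, `veracode/Veracode-pipeline-scan-action@v1.0.15`, `Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3`, `veracode/veracode-flaws-to-issues@v2.2.24`), and these steps receive `VERACODE_API_ID`/`VERACODE_API_KEY` plus the dispatch-carried `client_payload.token`; pinning each `uses:` to a full commit SHA (with the tag in a trailing comment) would make a re-pointed tag in any of those repos unable to reach those credentials silently. Two smaller points in the same hunk: `break_build_invalid_policy` is read from `github.event.client_payload.break_build_invalid_policy` while every sibling flag (`break_build_policy_findings`, `break_build_on_error`, `filter_mitigated_flaws`, `create_issue`) lives under `client_payload.user_config`, so either the payload contract is inconsistent or this input silently evaluates to empty; and `if: success()` on the "Verify Policy name" step is the default and can be dropped. The owner casing also alternates between `veracode/` and `Veracode/` within the same file; GitHub resolves both, but one spelling is easier to grep for when auditing pins.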
174 changes: 158 additions & 16 deletions .github/workflows/binary-ready-veracode-sast-policy-scan.yml
Expand Up @@ -2,6 +2,10 @@ name: Binary Ready - Veracode Static Code Analysis

run-name: Binary Ready - Static Code Analysis - ${{ github.event.client_payload.repository.name }}

concurrency:
group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch }}
cancel-in-progress: true

on:
repository_dispatch:
types: [binary-ready-veracode-sast-policy-scan]
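Review bot: `name:` and `run-name:` here are identical to the ones in binary-ready-veracode-sast-pipeline-scan.yml ("Binary Ready - Veracode Static Code Analysis"), so policy-scan and pipeline-scan runs for the same repository are indistinguishable in the Actions list and in check-run titles; naming this one "Binary Ready - Veracode Policy Scan" (and the sibling "... Pipeline Scan") would fix that. The concurrency key has the same weakness as in the pipeline-scan workflow: it uses `repository.name` instead of `repository.full_name`, so same-named repositories in different owners cancel each other under `cancel-in-progress: true`.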
Expand All @@ -17,33 +21,171 @@ jobs:
event_type: ${{ github.event.client_payload.event_type }}
github_token: ${{ github.event.client_payload.token }}
run_id: ${{ github.run_id }}
branch: ${{ github.event.client_payload.repository.branch }}

policy_scan:
validations:
needs: register
runs-on: ubuntu-latest
name: Validations
steps:
- name: Verify Veracode API credentials
id: verify_api_creds
uses: veracode/github-actions-integration-helper@v0.1.2
with:
action: validateVeracodeApiCreds
token: ${{ github.event.client_payload.token }}
vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }}
appname: ${{ github.event.client_payload.user_config.profile_name }}
source_repository: ${{ github.event.client_payload.repository.full_name }}
check_run_id: ${{ needs.register.outputs.run_id }}

- name: Verify Policy name
id: verify_policy_name
if: success()
uses: veracode/github-actions-integration-helper@v0.1.2
with:
action: validatePolicyName
token: ${{ github.event.client_payload.token }}
vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }}
appname: ${{ github.event.client_payload.user_config.profile_name }}
source_repository: ${{ github.event.client_payload.repository.full_name }}
check_run_id: ${{ needs.register.outputs.run_id }}
policyname: ${{ github.event.client_payload.policy_name }}
path: ${{ github.event.client_payload.annotationObj.path }}
start_line: ${{ github.event.client_payload.annotationObj.start_line }}
end_line: ${{ github.event.client_payload.annotationObj.end_line }}
break_build_invalid_policy: ${{github.event.client_payload.break_build_invalid_policy }}

policy_scan:
needs: [register, validations]
runs-on: ubuntu-latest
steps:
- name: Download artifact
id: download-artifact
uses: dawidd6/action-download-artifact@v2
with:
github_token: ${{ github.event.client_payload.token }}
run_id: ${{ github.event.client_payload.run_id }}
repo: ${{ github.event.client_payload.repository.full_name }}
- name: Get the name of the downloaded files
run: |
artifact_file=$(ls -1 ./veracode-artifact | head -n 1)
echo "veracode_artifact=$artifact_file" >> $GITHUB_ENV
uses: actions/download-artifact@v4
with:
github-token: ${{ github.event.client_payload.token }}
repository: ${{ github.event.client_payload.repository.full_name }}
run-id: ${{ github.event.client_payload.run_id }}

- name: Veracode Upload and Scan Action Step
uses: veracode/uploadandscan-action@main
uses: veracode/uploadandscan-action@v0.1.4
id: upload_and_scan
with:
vid: '${{ secrets.VERACODE_API_ID }}'
vkey: '${{ secrets.VERACODE_API_KEY }}'
appname: ${{ github.event.client_payload.profile_name }}
appname: ${{ github.event.client_payload.user_config.profile_name }}
createprofile: true
version: '${{ github.run_id }}'
filepath: ./veracode-artifact/${{ env.veracode_artifact }}
include: ${{ github.event.client_payload.modules_to_scan }}
policy: VeraDemo Policy
filepath: ${{ github.event.client_payload.repository.artifact_file }}
# include: ${{ github.event.client_payload.modules_to_scan }}
policy: ${{ github.event.client_payload.policy_name }}
scantimeout: 15
failbuild: true
failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
use_upgraded_version: true

- name: Veracode Policy Results
id: prepare-results
if: always()
uses: Veracode/github-actions-integration-helper@v0.1.2
with:
action: 'preparePolicyResults'
token: ${{ github.event.client_payload.token }}
check_run_id: ${{ needs.register.outputs.run_id }}
vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }}
appname: ${{ github.event.client_payload.user_config.profile_name }}
source_repository: ${{ github.event.client_payload.repository.full_name }}
fail_checks_on_policy: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
fail_checks_on_error: ${{ github.event.client_payload.user_config.break_build_on_error }}
filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }}

veracode-remove-sandbox:
needs: policy_scan
runs-on: ubuntu-latest
if: ${{ github.event.client_payload.user_config.sandbox_scan.execute_remove_sandbox_action && always() }}
name: Remove Sandbox
steps:
- uses: veracode/github-actions-integration-helper@v0.1.2
with:
action: 'removeSandbox'
vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }}
appname: ${{ github.event.client_payload.user_config.profile_name }}
sandboxname: GitHub App Scans-${{ github.event.client_payload.user_config.sandbox_scan.branch }}

code-scanning-alert:
needs: policy_scan
runs-on: ubuntu-latest
if: ${{ github.event.client_payload.user_config.create_code_scanning_alert && always() }}
name: Create code scanning alerts
steps:
- name: Get scan results
uses: actions/download-artifact@v4
with:
name: policy-flaws
path: /tmp

- name: Convert policy scan output to SARIF format for Java language
if: ${{ github.event.client_payload.repository.language == 'Java' }}
uses: Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3
with:
scan-type: policy
results-json: '/tmp/policy_flaws.json'
output-results-sarif: veracode-results.sarif
repo_owner: ${{ github.event.client_payload.repository.owner }}
repo_name: ${{ github.event.client_payload.repository.name }}
commitSHA: ${{ github.event.client_payload.sha }}
ref: ${{ github.event.client_payload.user_config.ref }}
githubToken: ${{ github.event.client_payload.token }}
source-base-path-1: 'com/:src/main/java/com/'
source-base-path-2: 'WEB-INF:src/main/webapp/WEB-INF'

- name: Convert policy scan output to SARIF format for non Java language
if: ${{ github.event.client_payload.repository.language != 'Java' }}
uses: Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3
with:
scan-type: policy
results-json: '/tmp/policy_flaws.json'
output-results-sarif: veracode-results.sarif
repo_owner: ${{ github.event.client_payload.repository.owner }}
repo_name: ${{ github.event.client_payload.repository.name }}
commitSHA: ${{ github.event.client_payload.sha }}
ref: ${{ github.event.client_payload.user_config.ref }}
githubToken: ${{ github.event.client_payload.token }}

create-issues:
needs: policy_scan
if: ${{ github.event.client_payload.user_config.create_issue && always() }}
runs-on: ubuntu-latest
name: Create issues
steps:
- name: Get flaw file
uses: actions/download-artifact@v4
with:
name: 'policy-flaws'
path: /tmp

- name: Create flaws as issues for Java language
if: ${{ github.event.client_payload.repository.language == 'Java' }}
uses: veracode/veracode-flaws-to-issues@v2.2.24
with:
scan-results-json: '/tmp/policy_flaws.json'
repo_owner: ${{ github.event.client_payload.repository.owner }}
github-token: ${{ github.event.client_payload.token }}
repo_name: ${{ github.event.client_payload.repository.name }}
commitHash: ${{ github.event.client_payload.sha }}
source_base_path_1: 'com/:src/main/java/com/'
source_base_path_2: 'WEB-INF:src/main/webapp/WEB-INF'

- name: Create flaws as issues for non Java language
if: ${{ github.event.client_payload.repository.language != 'Java' }}
uses: veracode/veracode-flaws-to-issues@v2.2.24
with:
scan-results-json: '/tmp/policy_flaws.json'
repo_owner: ${{ github.event.client_payload.repository.owner }}
github-token: ${{ github.event.client_payload.token }}
repo_name: ${{ github.event.client_payload.repository.name }}
commitHash: ${{ github.event.client_payload.sha }}
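Review bot: the Upload and Scan step sets `createprofile: true` with `appname` taken straight from `client_payload.user_config.profile_name`, so any caller able to fire this `repository_dispatch` can create arbitrary application profiles in the Veracode account; the preceding `validateVeracodeApiCreds` step receives `appname` but nothing in this hunk shows it rejecting unknown profiles, so either gate profile creation on an explicit allow-list (the PR's commit list mentions a `repo_list` config for exactly this purpose) or set `createprofile: false` here. The commented-out `# include: ${{ github.event.client_payload.modules_to_scan }}` is dead config that should be removed or carry a comment saying why module selection was dropped. Also `filepath: ${{ github.event.client_payload.repository.artifact_file }}` is now a payload-supplied path with no check that it resolves inside the directory `actions/download-artifact@v4` populated; a short `test -f` guard step before upload would make a bad or traversal-style path fail loudly instead of uploading the wrong file. Finally, `sandboxname: GitHub App Scans-${{ ... sandbox_scan.branch }}` in the `veracode-remove-sandbox` job must match exactly what the sandbox-scan workflow creates, including any characters the branch name contains; worth a comment pointing at the creating workflow so the two do not drift.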