Test gh acttion

.github/workflows/shiftleft.yml

@@ -0,0 +1,66 @@
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  NextGen-Static-Analysis:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    # We are building this application with Java 11
+    - name: Setup Java JDK
+      uses: actions/[email protected]
+      with:
+        java-version: 11.0.x
+    - name: Package with maven
+      run: mvn compile package
+    - name: Download ShiftLeft CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+    # ShiftLeft requires Java 1.8. Post the package step override the version
+    - name: Setup Java JDK
+      uses: actions/[email protected]
+      with:
+        java-version: 1.8
+    - name: Extract branch name
+      shell: bash
+      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+      id: extract_branch
+    - name: NextGen Static Analysis
+      run: ${GITHUB_WORKSPACE}/sl analyze --wait --app shiftleft-java-demo --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/hello-shiftleft-*.jar
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+        SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }}
+    - name: Create status check
+      run: |
+        URL="https://www.shiftleft.io/violationlist/ShiftLeftJava?apps=ShiftLeftJava&isApp=1"
+        GH_CHECK_URL="https://api.github.com/repos/${GITHUB_REPOSITORY}/check-runs"
+        curl -XPOST $GH_CHECK_URL -H "Authorization: Token ${GITHUB_TOKEN}" -H "accept: application/vnd.github.antiope-preview+json" -H "Content-Type: application/json" -d "{\"name\": \"ShiftLeft NG SAST\", \"head_sha\": \"${GITHUB_REF}\", \"external_id\": \"ShiftLeftJava\", \"details_url\": \"${URL}\", \"status\": \"completed\", \"conclusion\": \"action_required\", \"output\": {\"title\": \"ShiftLeft NG SAST Findings\", \"summary\": \"Visit ${URL} for the findings\"}}"
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  Build-Rules: 
+    runs-on: ubuntu-latest
+    needs: NextGen-Static-Analysis
+    steps:
+    - uses: actions/checkout@v2
+    - name: Download ShiftLeft CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+    - name: Validate Build Rules
+      run: ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \
+            --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \
+            --report \
+            --github-pr-number=${{github.event.number}} \
+            --github-pr-user=${{ github.repository_owner }} \
+            --github-pr-repo=${{ github.event.repository.name }} \
+            --github-token=${{ secrets.GITHUB_TOKEN }}
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+

Jenkinsfile

@@ -0,0 +1,87 @@
+pipeline {
+  agent any
+  stages {
+    stage('Build') {
+      steps {
+        sh '''
+                    echo "PATH = ${PATH}"
+                    echo "M2_HOME = ${M2_HOME}"
+                    mvn clean package -B
+                '''
+      }
+    }
+
+    stage('Scan App - Build Container') {
+      parallel {
+        stage('IQ-BOM') {
+          steps {
+            nexusPolicyEvaluation(iqApplication: 'sljavademo', iqStage: 'build', iqScanPatterns: [[scanPattern: '']])
+          }
+        }
+
+        stage('Shiftleft Analyze') {
+          steps {
+            sh '/usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-*.jar'
+          }
+        }
+
+        stage('Build Container') {
+          steps {
+            echo '...need to learn the build process first'
+          }
+        }
+
+      }
+    }
+
+    stage('Test Container') {
+      post {
+        success {
+          echo '...the Test Scan Passed!'
+        }
+
+        failure {
+          echo '...the Test  FAILED'
+          error '...the Container Test FAILED'
+        }
+
+      }
+      steps {
+        echo '...run container and test it'
+      }
+    }
+
+    stage('Scan Container') {
+      post {
+        success {
+          echo '...the IQ Scan PASSED'
+          postGitHub(commitId, 'success', 'analysis', 'Nexus Lifecycle Container Analysis succeeded', "${policyEvaluationResult.applicationCompositionReportUrl}")
+        }
+
+        failure {
+          echo '...the IQ Scan FAILED'
+          postGitHub(commitId, 'failure', 'analysis', 'Nexus Lifecycle Containe Analysis failed', "${policyEvaluationResult.applicationCompositionReportUrl}")
+          error '...the IQ Scan FAILED'
+        }
+
+      }
+      steps {
+        echo '...TODO scan container'
+      }
+    }
+
+    stage('Publish Container') {
+      when {
+        branch 'master'
+      }
+      steps {
+        echo '...figure out container'
+      }
+    }
+
+  }
+  tools {
+    jdk 'jdk8'
+    maven 'M3'
+  }
+}

shiftleft.yml

@@ -0,0 +1,11 @@
+build_rules:
+  - id: allow-zero-findings
+    finding_types:
+      - vuln
+      - secret
+      - insight
+    severity:
+      - SEVERITY_MEDIUM_IMPACT
+      - SEVERITY_HIGH_IMPACT
+      - SEVERITY_LOW_IMPACT
+    threshold: 0