-
Notifications
You must be signed in to change notification settings - Fork 8
101 lines (87 loc) · 4.82 KB
/
fortify-net-framework.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
name: Fortify on Demand Scan (.NET Framework)
# Run FoD SAST on each pull request and on merge to master, beta and release.
on:
workflow_dispatch:
pull_request:
branches:
- 'master'
- 'release-*'
push:
branches:
- 'master'
- 'beta'
- 'release-*'
jobs:
FoD-SAST-Scan:
# Use the appropriate runner for building your source code.
# TODO: Use a Windows runner for .NET Framework projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
runs-on: windows-latest
steps:
# Check out source code
- name: Checkout repository
uses: actions/checkout@v2
with:
repository: ''
# Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool)
- name: Setup Java
uses: actions/setup-java@v1
with:
java-version: 1.8
- name: Setup MSBuild
uses: microsoft/setup-msbuild@v1
with:
vs-version: 10.0
- name: Create temporal solution
run: |
$fortifysolution = "FortifySolution"
dotnet new sln --name $fortifysolution --output dotnet --force
dotnet msbuild dotnet\DotNetStandardClasses.sln /t:DumpProjects -p:DumpSolutionName=$fortifysolution /m:1 -p:DumpSolutionTargetFrameworkDefault=net4
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
# ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
# ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
# ScanCentral has additional options that should be set for PHP and Python projects
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
# ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
- name: Download Fortify ScanCentral Client
uses: fortify/gha-setup-scancentral-client@v1
- name: Package Code + Dependencies
run: scancentral package -bt msbuild -bf ./dotnet/FortifySolution.sln -o package.zip
- name: Show package contents
run: unzip -v package.zip
# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
# Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
- name: Download Fortify on Demand Universal CI Tool
uses: fortify/[email protected]
- name: Perform SAST Scan
run: java -jar ${env:FOD_UPLOAD_JAR} -z package.zip -aurl ${env:FOD_API_URL} -purl ${env:FOD_URL} -rid "${env:FOD_RELEASE_ID}" -tc "${env:FOD_TENANT}" -ac "${env:FOD_USER}" "${env:FOD_PAT}" -ep 2 -pp 1 -I 1 -apf -n "${env:FOD_UPLOADER_NOTES}"
env:
FOD_TENANT: ${{ secrets.FOD_TENANT }}
FOD_USER: ${{ secrets.FOD_USER }}
FOD_PAT: ${{ secrets.FOD_PAT }}
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
FOD_URL: "https://ams.fortify.com"
FOD_API_URL: "https://api.ams.fortify.com"
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
- name: Export Results
uses: fortify/[email protected]
with:
export_target: GitHub
fod_base_url: "https://ams.fortify.com/"
fod_tenant: ${{ secrets.FOD_TENANT }}
fod_client_id: ${{ secrets.FOD_USER }}
fod_client_secret: ${{ secrets.FOD_PAT }}
fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
- name: Patch sarif file
run: |
(Get-Content -Path gh-fortify-sast.sarif) |
ForEach-Object { $_ -Replace '"startLine" : 0', '"startLine" : 1' } |
Set-Content gh-fortify-sast-patched.sarif
# Import Fortify on Demand results to GitHub Security Code Scanning
- name: Import Results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./gh-fortify-sast-patched.sarif