diff --git a/.github/workflows/mend.config b/.github/workflows/mend.config new file mode 100644 index 0000000..6b00ade --- /dev/null +++ b/.github/workflows/mend.config @@ -0,0 +1,109 @@ +#################################################################### +# WhiteSource Unified-Agent configuration file for GO +# GENERAL SCAN MODE: Package Managers only +#################################################################### + +# !!! Important for WhiteSource "DIST - *" Products: +# Please set +# checkPolicies=false +# forceCheckAllDependencies=false +# since Policy checks are not applicable for Security scans and also +# not suitable for DIST category. CheckPolicies just cover IP scan +# related license checks for SAP hosted cloud products only ("SHC - *"). +checkPolicies=true +forceCheckAllDependencies=true + +# forceUpdate is important and need to be true +forceUpdate=true +# In some cases it could happen that Unified Agent is reporting SUCCESS but scan is incomplete or +# did not work at all. So parameter failErrorLevel=ALL needs to be set to break the scan if there are issues. +failErrorLevel=ALL +# failBuildOnPolicyViolation: +# If the flag is true, the Unified Agent exit code will be the result of the policy check. +# If the flag is false, the Unified Agent exit code will be the result of the scan. +forceUpdate.failBuildOnPolicyViolation=false +# offline parameter is important and need to be false +offline=false + +# ignoreSourceFiles parameter is important and need to be true +# IMPORTANT: This parameter is going to be deprecated in future +# and will be replaced by a new parameter, fileSystemScan. +ignoreSourceFiles=true +# fileSystemScan parameter is important and need to be false as a +# replacement for ignoreSourceFiles=true and overrides the +# soon-to-be-deprecated ignoreSourceFiles. +fileSystemScan=false +# resolveAllDependencies is important and need to be false +resolveAllDependencies=false + +#wss.connectionTimeoutMinutes=60 +# URL to your WhiteSource server. +# wss.url=https://sap.whitesourcesoftware.com/agent + +# resolveDependencies parameter is important and need to be true +#if you are using 'modules' as a dependency manager, then the go.resolveDependencies is set to false. +#For any other dependency manager, this value is set to true. + +go.resolveDependencies=true +#defaut value for ignoreSourceFiles is set to false +# ignoreSourceFiles parameter is important and need to be true +go.ignoreSourceFiles=true +go.collectDependenciesAtRuntime=false +# dependencyManager: Determines the Go dependency manager to use when scanning a Go project. +# Valid values are 'dep', 'godep', 'vndr', 'gogradle', 'glide', 'govendor', 'gopm' and 'vgo' +# If empty, then the Unified Agent will try to resolve the dependencies using each one +# of the package managers above. +#go.dependencyManager= +#go.glide.ignoreTestPackages=false +#go.gogradle.enableTaskAlias=true + +#The below configuration is for the 'modules' dependency manager. +#Please comment these below 4 lines that has 'go.modules' prefix if you are not using the 'modules' dependency manager. +# Default value is true. If set to true, it resolves Go Modules dependencies. +go.modules.resolveDependencies=true +#default value is true. If set to true, this will ignore Go source files during the scan. +#go.modules.ignoreSourceFiles=true +#default value is true. If set to true, removes duplicate dependencies during Go Modules dependency resolution. +#go.modules.removeDuplicateDependencies=false +#default value is false. if set to true, scans Go Modules project test dependencies. +#go.modules.includeTestDependencies=true +###################### + + +################################## +# Organization tokens: +################################## +# ! In case of PIPER, apiKey may not be used in this configuration, +# but set in configuration of piper. +# Please look at PIPER documentation for more information. +# ! For CoDePipes you may look at CoDePipes for more information. +# apiKey= + +# userKey is required if WhiteSource administrator has enabled "Enforce user level access" option. +# ! In case of PIPER, apiKey may not be used in this configuration, +# but set in configuration of piper. +# Please look at PIPER documentation for more information. +# ! For CoDePipes you may look at CoDePipes for more information. +# userKey= + +projectName=mpas-product-controller +# projectVersion= +# projectToken= + +productName=shc-open-component-model +# productVersion= +# productToken +#updateType=APPEND +#requesterEmail=user@provider.com + +######################################################################################### +# Includes/Excludes Glob patterns - PLEASE USE ONLY ONE EXCLUDE LINE AND ONE INCLUDE LINE +######################################################################################### + +includes=**/*.lock + +## Exclude file extensions or specific directories by adding **/*. or **/** +excludes=**/*sources.jar **/*javadoc.jar + +case.sensitive.glob=false +followSymbolicLinks=true diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml new file mode 100644 index 0000000..ce6a0cd --- /dev/null +++ b/.github/workflows/mend_scan.yaml @@ -0,0 +1,37 @@ +name: Mend Security Scan + +on: + schedule: + - cron: '20 0 * * 0' + +jobs: + mend-scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Set up Java 17 + uses: actions/setup-java@v3 + with: + java-version: '17' + distribution: 'temurin' + + - name: Setup Go + uses: actions/setup-go@v4 + with: + go-version-file: '${{ github.workspace }}/go.mod' + + - name: Download Mend Universal Agent + run: curl https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o ./wss-unified-agent.jar + + - name: Run Mend Scan + run: java -jar ./wss-unified-agent.jar -c $CONFIG_FILE -wss.url $WSS_URL -apiKey $API_KEY -userKey $USER_KEY -productToken $PRODUCT_TOKEN + env: + USER_KEY: ${{ secrets.MEND_USER_KEY }} + PRODUCT_TOKEN: ${{ secrets.MEND_SHC_PRODUCT_TOKEN }} + WSS_URL: ${{ secrets.MEND_URL }} + API_KEY: ${{ secrets.MEND_API_TOKEN }} + CONFIG_FILE: './.github/workflows/mend.config' +