forked from veracode/verademo
-
Notifications
You must be signed in to change notification settings - Fork 9
106 lines (88 loc) · 3.37 KB
/
pipelinescan-java.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert
name: Veracode Static Analysis Pipeline Scan
# Controls when the action will run. Triggers the workflow on push or pull request
# events but only for the master branch
on:
workflow_dispatch:
push:
branches: [ master, main ]
pull_request:
branches: [ master, main ]
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
# build the application
- uses: actions/setup-java@v1 # Make java accessible on path so the uploadandscan action can run.
with:
java-version: '8'
- name: Check for Maven build
id: check_maven
uses: andstor/file-existence-action@v1
with:
files: "pom.xml"
- name: Check for Gradle build
id: check_gradle
uses: andstor/file-existence-action@v1
with:
files: "build.gradle"
- name: Build application with mvn
if: steps.check_maven.outputs.files_exists == 'true'
run: mvn -B package --file pom.xml
- name: Build application with gradle
if: steps.check_gradle.outputs.files_exists == 'true'
run: gradle clean build
- name: Archive package
uses: actions/upload-artifact@v2
with:
name: CodePackage
path: '**/*.war'
pipeline-scan:
needs: build
runs-on: ubuntu-latest
container:
image: veracode/pipeline-scan:latest
options: --user root # our normal luser doesn't have privs to write to github directories
steps:
- name: Retrieve artifact
uses: actions/download-artifact@v2
with:
name: CodePackage
path: /github/home
# Submit project to pipeline scan
- name: Pipeline Scan
run: |
cd /github/home/target
java -jar /opt/veracode/pipeline-scan.jar --veracode_api_id="${{secrets.VERACODE_API_ID}}" --veracode_api_key="${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file="verademo.war" --app_id="${{secrets.VERACODE_APP_ID}}" --json_output_file="results.json"
continue-on-error: true
- uses: actions/upload-artifact@v2
with:
name: ScanResults
path: /github/home/target/results.json
# Convert pipeline scan output to SARIF format
process-results:
needs: pipeline-scan
runs-on: ubuntu-latest
steps:
- name: Retrieve results
uses: actions/download-artifact@v2
with:
name: ScanResults
- name: convert
uses: veracode/veracode-pipeline-scan-results-to-sarif@master
with:
pipeline-results-json: results.json
output-results-sarif: veracode-results.sarif
finding-rule-level: "4:3:0"
- uses: actions/upload-artifact@v2
with:
name: SarifFile
path: veracode-results.sarif
- uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: veracode-results.sarif