Logging implementation update #819
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Fortify on Demand Scan (.NET Framework) | |
# Run FoD SAST on each pull request and on merge to master, beta and release. | |
on: | |
workflow_dispatch: | |
pull_request: | |
branches: | |
- 'master' | |
- 'release-*' | |
push: | |
branches: | |
- 'master' | |
- 'beta' | |
- 'release-*' | |
jobs: | |
FoD-SAST-Scan: | |
# Use the appropriate runner for building your source code. | |
# TODO: Use a Windows runner for .NET Framework projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. | |
runs-on: windows-latest | |
steps: | |
# Check out source code | |
- name: Checkout repository | |
uses: actions/checkout@v2 | |
with: | |
repository: '' | |
# Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool) | |
- name: Setup Java | |
uses: actions/setup-java@v1 | |
with: | |
java-version: 1.8 | |
- name: Setup MSBuild | |
uses: microsoft/setup-msbuild@v1 | |
with: | |
vs-version: 10.0 | |
- name: Create temporal solution | |
run: | | |
$fortifysolution = "FortifySolution" | |
dotnet new sln --name $fortifysolution --output dotnet --force | |
dotnet msbuild dotnet\DotNetStandardClasses.sln /t:DumpProjects -p:DumpSolutionName=$fortifysolution /m:1 -p:DumpSolutionTargetFrameworkDefault=net4 | |
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. | |
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: | |
# ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). | |
# ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. | |
# ScanCentral has additional options that should be set for PHP and Python projects | |
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. | |
# ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ | |
- name: Download Fortify ScanCentral Client | |
uses: fortify/gha-setup-scancentral-client@v1 | |
- name: Package Code + Dependencies | |
run: scancentral package -bt msbuild -bf ./dotnet/FortifySolution.sln -o package.zip | |
- name: Show package contents | |
run: unzip -v package.zip | |
# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java | |
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: | |
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). | |
# Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. | |
- name: Download Fortify on Demand Universal CI Tool | |
uses: fortify/gha-setup-fod-uploader@v1.0.1 | |
- name: Perform SAST Scan | |
run: java -jar ${env:FOD_UPLOAD_JAR} -z package.zip -aurl ${env:FOD_API_URL} -purl ${env:FOD_URL} -rid "${env:FOD_RELEASE_ID}" -tc "${env:FOD_TENANT}" -ac "${env:FOD_USER}" "${env:FOD_PAT}" -ep 2 -pp 1 -I 1 -apf -n "${env:FOD_UPLOADER_NOTES}" | |
env: | |
FOD_TENANT: ${{ secrets.FOD_TENANT }} | |
FOD_USER: ${{ secrets.FOD_USER }} | |
FOD_PAT: ${{ secrets.FOD_PAT }} | |
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} | |
FOD_URL: "https://ams.fortify.com" | |
FOD_API_URL: "https://api.ams.fortify.com" | |
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' | |
# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. | |
- name: Export Results | |
uses: fortify/gha-export-vulnerabilities@v1.0.2 | |
with: | |
export_target: GitHub | |
fod_base_url: "https://ams.fortify.com/" | |
fod_tenant: ${{ secrets.FOD_TENANT }} | |
fod_client_id: ${{ secrets.FOD_USER }} | |
fod_client_secret: ${{ secrets.FOD_PAT }} | |
fod_release_id: ${{ secrets.FOD_RELEASE_ID }} | |
- name: Patch sarif file | |
run: | | |
(Get-Content -Path gh-fortify-sast.sarif) | | |
ForEach-Object { $_ -Replace '"startLine" : 0', '"startLine" : 1' } | | |
Set-Content gh-fortify-sast-patched.sarif | |
# Import Fortify on Demand results to GitHub Security Code Scanning | |
- name: Import Results | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: ./gh-fortify-sast-patched.sarif |