Skip to content

Cherry pick branch 'genexuslabs:itext8' into beta #1035

Cherry pick branch 'genexuslabs:itext8' into beta

Cherry pick branch 'genexuslabs:itext8' into beta #1035

Workflow file for this run

name: Fortify on Demand Scan (.NET)
# Run FoD SAST on each pull request and on merge to master, beta and release.
on:
workflow_dispatch:
pull_request:
branches:
- 'master'
- 'release-*'
push:
branches:
- 'master'
- 'beta'
- 'release-*'
jobs:
FoD-SAST-Scan:
# Use the appropriate runner for building your source code.
# TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
runs-on: windows-latest
steps:
# Check out source code
- name: Checkout repository
uses: actions/checkout@v2
with:
repository: ''
- name: Setup MSBuild
uses: microsoft/setup-msbuild@v1.1
with:
vs-prerelease: true
# Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool)
- name: Setup Java
uses: actions/setup-java@v1
with:
java-version: 1.8
- name: Install .NET 8
uses: actions/setup-dotnet@v3
with:
dotnet-version: '8.0.100-preview.3.23178.7'
- name: Create temporal solution
run: |
$fortifysolution = "FortifySolution"
dotnet new sln --name $fortifysolution --output dotnet --force
dotnet msbuild dotnet\DotNetStandardClasses.sln /t:DumpProjects -p:DumpSolutionName=$fortifysolution /m:1
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
# ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
# ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
# ScanCentral has additional options that should be set for PHP and Python projects
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
# ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
- name: Download Fortify ScanCentral Client
uses: fortify/gha-setup-scancentral-client@v1
- name: Package Code + Dependencies
run: scancentral package -bt msbuild -bf ./dotnet/FortifySolution.sln -o package.zip
- name: Show package contents
run: unzip -v package.zip
# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
# Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
- name: Download Fortify on Demand Universal CI Tool
uses: fortify/gha-setup-fod-uploader@v1.0.1
- name: Perform SAST Scan
run: java -jar ${env:FOD_UPLOAD_JAR} -z package.zip -aurl ${env:FOD_API_URL} -purl ${env:FOD_URL} -rid "${env:FOD_RELEASE_ID}" -tc "${env:FOD_TENANT}" -ac "${env:FOD_USER}" "${env:FOD_PAT}" -ep 2 -pp 1 -I 1 -apf -n "${env:FOD_UPLOADER_NOTES}"
env:
FOD_TENANT: ${{ secrets.FOD_TENANT }}
FOD_USER: ${{ secrets.FOD_USER }}
FOD_PAT: ${{ secrets.FOD_PAT }}
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
FOD_URL: "https://ams.fortify.com"
FOD_API_URL: "https://api.ams.fortify.com"
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
- name: Export Results
uses: fortify/gha-export-vulnerabilities@v1.0.2
with:
export_target: GitHub
fod_base_url: "https://ams.fortify.com/"
fod_tenant: ${{ secrets.FOD_TENANT }}
fod_client_id: ${{ secrets.FOD_USER }}
fod_client_secret: ${{ secrets.FOD_PAT }}
fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
- name: Patch sarif file
run: |
(Get-Content -Path gh-fortify-sast.sarif) |
ForEach-Object { $_ -Replace '"startLine" : 0', '"startLine" : 1' } |
Set-Content gh-fortify-sast-patched.sarif
# Import Fortify on Demand results to GitHub Security Code Scanning
- name: Import Results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./gh-fortify-sast-patched.sarif