WEBUI-1377: integrate veracode in github action
1 parent
00c545d
commit f727bcc
Showing
1 changed file
with
81 additions
and
64 deletions.
@@ -12,8 +12,8 @@ on: | |
# The branches below must be a subset of the branches above | ||
branches: [ "maintenance-3.0.x" ] | ||
schedule: | ||
# At 01:00 on Sunday | ||
- cron: '0 1 * * SUN' | ||
# At 20:00 every day | ||
- cron: '0 20 * * *' | ||
workflow_call: | ||
inputs: | ||
branch: | ||
|
@@ -48,13 +48,13 @@ permissions: | |
|
||
jobs: | ||
# This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter | ||
sast-scan: | ||
sast-scan-build: | ||
# The type of runner that the job will run on | ||
permissions: | ||
contents: read # for actions/checkout to fetch code | ||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | ||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | ||
runs-on: ubuntu-latest | ||
runs-on: [self-hosted, master] | ||
steps: | ||
|
||
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps | ||
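Review bot: `runs-on: [self-hosted, master]` moves a job whose later steps execute repository code (`npm install`, `mvn`) onto a persistent self-hosted runner, while the removed Slack step further down (`github.event_name == 'pull_request'`) shows this workflow runs on pull requests; if the `on:` block above this hunk still includes `pull_request` and the repository is public (the page shows 61 forks), a pull request from a fork can run its code on that machine and reach whatever credentials and caches it holds. Keep pull-request-triggered runs on GitHub-hosted runners, or gate this job with `if: github.event.pull_request.head.repo.full_name == github.repository` so only same-repository pull requests reach it, and run the self-hosted runner as an ephemeral instance. The comment `# The type of runner that the job will run on` no longer explains the choice; `# self-hosted runner (label: master); must not execute pull requests from forks` records the constraint for the next maintainer. The `permissions` lines here still describe a `github/codeql-action/upload-sarif` step; see the note on the last hunk, where that step is removed. The `jobs:` mapping this hunk sits in starts outside the hunk.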
|
@@ -65,7 +65,7 @@ jobs: | |
- uses: actions/setup-node@v1 | ||
with: | ||
registry-url: ${{ env.NPM_REPOSITORY }} | ||
node-version: 14 | ||
node-version: 18 | ||
scope: '@nuxeo' | ||
|
||
- uses: actions/setup-java@v2 | ||
|
@@ -113,6 +113,19 @@ jobs: | |
echo "ELEMENTS_HELPERS=$(npm pack 2>&1 | tail -1)" >> $GITHUB_ENV | ||
popd | ||
popd | ||
- name: add .npmrc | ||
run: | | ||
pushd /tmp/_temp/ | ||
rm .npmrc | ||
touch .npmrc | ||
popd | ||
echo ' | ||
packages.nuxeo.com/repository/npm-public/:_auth=${NODE_AUTH_TOKEN} | ||
@nuxeo:registry=https://packages.nuxeo.com/repository/npm-public/ | ||
always-auth=true | ||
' >> /tmp/_temp/.npmrc | ||
- name: Link elements to Web UI | ||
run: | | ||
npm install --no-package-lock --@nuxeo:registry="${{ env.NPM_REPOSITORY }}" nuxeo-elements/core/${ELEMENTS_CORE} | ||
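Review bot: `rm .npmrc` in the new `add .npmrc` step has no `-f`, so under the `bash -e` shell GitHub uses for `run:` the step fails whenever the file does not already exist, and the rm/touch/`>>` sequence is a roundabout way of writing `>`. Inside the `run: |` block the body lines of the quoted `echo '…'` are indented deeper than `echo`, so every `.npmrc` entry is written with leading spaces and a blank first line; npm's ini parser presumably tolerates that, but a quoted heredoc at the same indent does not rely on it. The single quotes keep `${NODE_AUTH_TOKEN}` literal so that npm expands it from the environment when it reads the file, which is the right behaviour for a file that must not contain the token itself, and it deserves a comment so nobody "fixes" it into an interpolated value. `/tmp/_temp/` is a hard-coded path that looks like the runner's temp directory where setup-node keeps its `.npmrc`; if so, `${{ runner.temp }}` names it portably. The `steps:` list this step belongs to starts outside the hunk.

```yaml
      - name: add .npmrc
        run: |
          # npm expands ${NODE_AUTH_TOKEN} when it reads the file; the quoted heredoc keeps it literal
          cat > /tmp/_temp/.npmrc <<'EOF'
          packages.nuxeo.com/repository/npm-public/:_auth=${NODE_AUTH_TOKEN}
          @nuxeo:registry=https://packages.nuxeo.com/repository/npm-public/
          always-auth=true
          EOF
```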
|
@@ -130,64 +143,68 @@ jobs: | |
</server> | ||
</servers> | ||
</settings>' > ~/.m2/settings.xml | ||
- name: Nuxeo package build | ||
run: mvn install -DskipInstall | ||
- name: Archive packages | ||
- name: Delete Node Modules | ||
run: | | ||
rm -rf node_modules | ||
rm -rf packages/nuxeo-designer-catalog/node_modules | ||
rm -rf packages/nuxeo-web-ui-ftest/node_modules | ||
rm -rf plugin/a11y/node_modules | ||
- name: Delete Test Folders | ||
run: | | ||
rm -rf nuxeo-elements/testing-helpers/ | ||
rm -rf nuxeo-elements/ui/test/ | ||
rm -rf nuxeo-elements/storybook/ | ||
rm -rf ftest/ | ||
rm -rf plugin/ | ||
rm -rf scripts/ | ||
rm -rf test/ | ||
rm -rf packages/nuxeo-web-ui-ftest/ | ||
- name: Install zip | ||
run: apt-get install zip | ||
|
||
- name: Zip nuxeo-web-ui | ||
run: | | ||
echo nuxeo-web-ui-${{ steps.get-tag.outputs.TAG }}.zip | ||
zip -r nuxeo-web-ui.zip * | ||
- name: Upload ZIP as artifact | ||
uses: actions/upload-artifact@v2 | ||
with: | ||
name: packages | ||
path: | | ||
plugin/web-ui/marketplace/target/nuxeo-web-ui-marketplace-*.zip | ||
# download the Veracode Static Analysis Pipeline scan jar | ||
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip | ||
- run: unzip -o pipeline-scan-LATEST.zip | ||
- name: Code Scanning | ||
id: code_scanning | ||
run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --summary_output=true --file plugin/web-ui/marketplace/target/nuxeo-web-ui-marketplace-*.zip | ||
continue-on-error: true | ||
- name: Convert pipeline scan output to SARIF format | ||
id: convert | ||
uses: Veracode/[email protected] | ||
with: | ||
pipeline-results-json: results.json | ||
output-results-sarif: veracode-results.sarif | ||
finding-rule-level: "4:3:0" | ||
- name: Upload SARIF file to repository | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
# Path to SARIF file relative to the root of the repository | ||
sarif_file: veracode-results.sarif | ||
- name: Slack notification | ||
if: (github.event_name == 'pull_request' || github.event_name == 'schedule') | ||
uses: slackapi/[email protected] | ||
env: | ||
REPO_URL: ${{ github.server_url }}/${{ github.repository }} | ||
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | ||
SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} | ||
with: | ||
channel-id: ${{ env.SLACK_CHANNEL_ID }} | ||
payload: | | ||
{ | ||
"text": "<${{ env.REPO_URL }}/actions/runs/${{ github.run_id }}|Code scanning> ${{ steps.code_scanning.outcome }} in nuxeo/nuxeo-web-ui <${{ env.REPO_URL }}/commit/${{ github.sha }}|${{ github.ref_name }}>", | ||
"blocks": [ | ||
{ | ||
"type": "section", | ||
"text": { | ||
"type": "mrkdwn", | ||
"text": "<${{ env.REPO_URL }}/actions/runs/${{ github.run_id }}|Code scanning> ${{ job.status }} in nuxeo/nuxeo-WEB-UI <${{ env.REPO_URL }}/commit/${{ github.sha }}|${{ github.ref_name }}>" | ||
} | ||
} | ||
] | ||
} | ||
- name: Send scan result summary to slack | ||
uses: crederauk/[email protected] | ||
with: | ||
github-token: ${{ secrets.GITHUB_TOKEN }} | ||
slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} | ||
- name: Send scan result file to slack | ||
uses: adrey/slack-file-upload-action@master | ||
with: | ||
token: ${{ secrets.SLACK_BOT_TOKEN }} | ||
path: results.txt | ||
channel: ${{ secrets.SLACK_CHANNEL_ID }} | ||
name: nuxeo-web-ui | ||
path: nuxeo-web-ui.zip | ||
|
||
sast-scan: | ||
needs: sast-scan-build | ||
permissions: | ||
contents: read | ||
security-events: write | ||
actions: read | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Download artifact | ||
uses: actions/download-artifact@v2 | ||
with: | ||
name: nuxeo-web-ui | ||
path: . | ||
|
||
- name: List downloaded artifact | ||
run: | | ||
ls -l | ||
pwd | ||
- name: Veracode Upload And Scan | ||
uses: veracode/[email protected] | ||
with: | ||
appname: 'Nuxeo Web UI' | ||
createprofile: false | ||
filepath: 'nuxeo-web-ui.zip' | ||
vid: '${{ secrets.VERACODE_SECRET_API_ID }}' | ||
vkey: '${{ secrets.VERACODE_SECRET_KEY }}' | ||
sandboxname: 'master' | ||
scantimeout: 600 | ||
include: '*.war, *.zip, *.js, *.html, *.css, *.json' | ||
criticality: 'High' | ||
includenewmodules: 'true' |
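Review bot: The new `sast-scan` job grants `security-events: write` and `actions: read` although none of its three steps (download-artifact, `ls`, the Veracode upload) writes code-scanning results; the `github/codeql-action/upload-sarif` step that justified those grants is removed by this commit, so the block can shrink to `permissions:` / `  contents: read`. The same now-unused grants, with comments still referring to upload-sarif, remain on `sast-scan-build` in the second hunk. `apt-get install zip` in the `Install zip` step has no `-y`, so it aborts whenever apt asks for confirmation and stdin is not a terminal (on a self-hosted runner it may also need `sudo`; check the runner image); `apt-get install -y zip` is the robust form. The `vid`/`vkey` inputs read `VERACODE_SECRET_API_ID` and `VERACODE_SECRET_KEY`, whereas the removed pipeline-scan step used `VERACODE_API_ID`/`VERACODE_API_KEY`; an undefined secret expands to an empty string instead of failing the workflow, so confirm the new names exist before the old ones are deleted. The Veracode action (its reference is obfuscated as `[email protected]` in this rendering) is pulled by a mutable version tag; pinning third-party actions to a full commit SHA is the supply-chain control a SAST workflow should itself model.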