| 1 | +--- |
| 2 | +name: Shiftleft Scan |
| 3 | +on: |
| 4 | + pull_request: |
| 5 | + branches: |
| 6 | + - master |
| 7 | + workflow_dispatch: |
| 8 | + inputs: |
| 9 | + logLevel: |
| 10 | + description: Log level |
| 11 | +jobs: |
| 12 | + scanning: |
| 13 | + env: |
| 14 | + APP_ID: 6e4487e629008a3ff4483925941bfdfb650857d21469554eea9fd726d1170518 |
| 15 | + BRANCH_NAME: master |
| 16 | + SCAN_ID: a33f2a026be63aeabe0fe2a21e9db4cd3d8a0d9019dbe65e4c8c97d44012404c |
| 17 | + REQ_URL_MAP: "${{toJSON('{\"SL_RESULT_API_HOST\":\"https://slresultapi.qa.securin.io/resultapi\"\ |
| 18 | + ,\"SL_RESULTPARSER_API_HOST\":\"https://slresultparserapi.qa.securin.io/resultparserapi\"\ |
| 19 | + }')}}" |
| 20 | + steps: |
| 21 | + - name: Retrieve Token Info |
| 22 | + id: auth_token |
| 23 | + run: "respJson=$(curl --location --request GET 'https://slresultapi.qa.securin.io/resultapi/aws/ecr/token'\ |
| 24 | + \ --header 'Authorization: Bearer ${{secrets.CLI_ACCESS_TOKEN}}' --data-raw\ |
| 25 | + \ ' ' )\necho \"::set-output name=authTokenJson::$respJson\"" |
| 26 | + - uses: actions/checkout@v2 |
| 27 | + - name: Build with Maven |
| 28 | + run: mvn -q --batch-mode --update-snapshots verify |
| 29 | + - name: Scan Initiated |
| 30 | + id: sec_scan_init |
| 31 | + run: "usrVal=$(echo '${{fromJson(steps.auth_token.outputs.authTokenJson).user}}'\ |
| 32 | + \ | openssl enc -aes-256-cbc -d -a -K ${{secrets.ENC_KEY}} -iv ${{secrets.ENC_IV}}\ |
| 33 | + \ ) \nusrPassword=$(echo '${{fromJson(steps.auth_token.outputs.authTokenJson).password}}'\ |
| 34 | + \ | openssl enc -aes-256-cbc -d -base64 -A -K ${{secrets.ENC_KEY}} -iv ${{secrets.ENC_IV}}\ |
| 35 | + \ ) \nusrPrxyUrl=$(echo '${{fromJson(steps.auth_token.outputs.authTokenJson).proxyUrl}}'\ |
| 36 | + \ | openssl enc -aes-256-cbc -d -a -K ${{secrets.ENC_KEY}} -iv ${{secrets.ENC_IV}}\ |
| 37 | + \ ) \nusrImgTag=$(echo '${{fromJson(steps.auth_token.outputs.authTokenJson).imageTag}}'\ |
| 38 | + \ | openssl enc -aes-256-cbc -d -a -K ${{secrets.ENC_KEY}} -iv ${{secrets.ENC_IV}}\ |
| 39 | + \ ) \ndocker login --username $usrVal --password $usrPassword $usrPrxyUrl\ |
| 40 | + \ \ndocker pull -q $usrImgTag \ndocker run -v ${{github.workspace}}:/src \ |
| 41 | + \ --volume ${{github.workspace}}:/workdir -v /var/run/docker.sock:/var/run/docker.sock\ |
| 42 | + \ $usrImgTag -access_tkn ${{secrets.CLI_ACCESS_TOKEN}} -app_id ${{ env.APP_ID\ |
| 43 | + \ }} -scan_id ${{ env.SCAN_ID }} -branch_name ${{ env.BRANCH_NAME }} -req_url_map\ |
| 44 | + \ ${{ env.REQ_URL_MAP }} event:${{ github.event_name }} pr_number:${{ github.event.number\ |
| 45 | + \ }}" |
| 46 | + - name: Upload SARIF file |
| 47 | + uses: github/codeql-action/upload-sarif@v1 |
| 48 | + with: |
| 49 | + sarif_file: "${{github.workspace}}/results/result.sarif" |
| 50 | + if: hashFiles('**/result.sarif') !='' |
| 51 | + - name: Evaluate build status |
| 52 | + run: "cat ${{github.workspace}}/results/status.txt\nexit 1\n" |
| 53 | + if: hashFiles('**/status.txt') !='' |
| 54 | + runs-on: ubuntu-latest |
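Review bot: The decrypt lines in `Scan Initiated` splice `${{ fromJson(steps.auth_token.outputs.authTokenJson).user }}` (and likewise the `password`, `proxyUrl` and `imageTag` fields) straight into a single-quoted shell string, so a `'` in any field returned by the token endpoint ends the quote and the remainder runs as shell on the runner with `secrets.ENC_KEY`, `secrets.ENC_IV` and `secrets.CLI_ACCESS_TOKEN` in reach; the values belong in the step's `env:` and should be read as `"$VAR"`, so the expression is never evaluated inside the script text. The same step hands the password to `docker login --username $usrVal --password $usrPassword` on the command line, where it is visible in the process list and in any job tracing, whereas `--password-stdin` keeps it off argv. In `Retrieve Token Info`, `::set-output` is deprecated in favour of `echo "authTokenJson=$respJson" >> "$GITHUB_OUTPUT"`, and `actions/checkout@v2` / `github/codeql-action/upload-sarif@v1` are mutable tags rather than pinned commits, so the action code the job runs can change without a change to this file. Mounting `/var/run/docker.sock` into the scanner image gives that image control of the runner's Docker daemon, which deserves a comment line stating why the scanner requires it. `Evaluate build status` does `exit 1` whenever `status.txt` exists regardless of its content, which presumably relies on the scanner writing that file only on failure — worth confirming and noting in a comment.
```yaml
      - name: Scan Initiated
        id: sec_scan_init
        env:
          AUTH_USER: ${{ fromJson(steps.auth_token.outputs.authTokenJson).user }}
          AUTH_PASSWORD: ${{ fromJson(steps.auth_token.outputs.authTokenJson).password }}
          AUTH_PROXY_URL: ${{ fromJson(steps.auth_token.outputs.authTokenJson).proxyUrl }}
          AUTH_IMAGE_TAG: ${{ fromJson(steps.auth_token.outputs.authTokenJson).imageTag }}
          ENC_KEY: ${{ secrets.ENC_KEY }}
          ENC_IV: ${{ secrets.ENC_IV }}
        run: |
          # Values arrive via env, so a quote or metacharacter in the API response is data, not script.
          usrVal=$(echo "$AUTH_USER" | openssl enc -aes-256-cbc -d -a -K "$ENC_KEY" -iv "$ENC_IV")
          usrPassword=$(echo "$AUTH_PASSWORD" | openssl enc -aes-256-cbc -d -base64 -A -K "$ENC_KEY" -iv "$ENC_IV")
          usrPrxyUrl=$(echo "$AUTH_PROXY_URL" | openssl enc -aes-256-cbc -d -a -K "$ENC_KEY" -iv "$ENC_IV")
          usrImgTag=$(echo "$AUTH_IMAGE_TAG" | openssl enc -aes-256-cbc -d -a -K "$ENC_KEY" -iv "$ENC_IV")
          # Password via stdin keeps it out of the process list.
          echo "$usrPassword" | docker login --username "$usrVal" --password-stdin "$usrPrxyUrl"
          # … unchanged: docker pull and docker run of $usrImgTag with the scan arguments …
```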