devverac/.github/workflows/veracode-code-analysis.yml at main · PreProdTest/devverac · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
name: Veracode Static Code Analysis

run-name: Static Code Analysis - ${{ github.event.client_payload.repository.name }}

concurrency:
  group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch }}
  cancel-in-progress: true

on:
  repository_dispatch:
    types:
      - source-code-pipeline-scan
      - source-code-policy-scan
      - dot-net-pipeline-scan
      - dot-net-policy-scan
      - go-pipeline-scan
      - go-policy-scan
      - tsql-pipeline-scan
      - tsql-policy-scan
      - plsql-pipeline-scan
      - plsql-policy-scan
      - php-pipeline-scan
      - php-policy-scan
      - scala-pipeline-scan
      - scala-policy-scan
      - dart-pipeline-scan
      - dart-policy-sca
      - java-pipeline-scan
      - java-policy-scan
      - unidentified-lang-pipeline-scan
      - unidentified-lang-policy-scan
      - ruby-pipeline-scan
      - ruby-policy-scan

jobs:
  register:
    uses: ./.github/workflows/veracode-check-run.yml
    with:
      check_run_name: ${{ github.workflow }} - ${{ contains(github.event.action, 'policy') && 'Policy' || 'Pipeline' }}
      head_sha: ${{ github.event.client_payload.sha }}
      repositroy_owner: ${{ github.event.client_payload.repository.owner }}
      repositroy_name: ${{ github.event.client_payload.repository.name }}
      event_type: ${{ github.event.client_payload.event_type }}
      github_token: ${{ github.event.client_payload.token }}
      run_id: ${{ github.run_id }}
      branch: ${{ github.event.client_payload.repository.branch }}

  validations:
    needs: register
    runs-on: ${{ fromJSON(github.event.client_payload.user_config.default_runs_on) }}
    name: Validations
    steps:
      - name: Verify Veracode API credentials
        id: verify_api_creds
        uses: veracode/github-actions-integration-helper@v0.1.8
        with:
          action: validateVeracodeApiCreds
          token: ${{ github.event.client_payload.token }}
          vid: ${{ secrets.VERACODE_API_ID }}
          vkey: ${{ secrets.VERACODE_API_KEY }}
          appname: ${{ github.event.client_payload.user_config.profile_name }}
          source_repository: ${{ github.event.client_payload.repository.full_name }}
          check_run_id: ${{ needs.register.outputs.run_id }}

      - name: Verify Policy name
        id: verify_policy_name
        if: success()
        uses: veracode/github-actions-integration-helper@v0.1.8
        with:
          action: validatePolicyName
          token: ${{ github.event.client_payload.token }}
          vid: ${{ secrets.VERACODE_API_ID }}
          vkey: ${{ secrets.VERACODE_API_KEY }}
          appname: ${{ github.event.client_payload.user_config.profile_name }}
          source_repository: ${{ github.event.client_payload.repository.full_name }}
          check_run_id: ${{ needs.register.outputs.run_id }}
          policyname: ${{ github.event.client_payload.policy_name }}
          path: ${{ github.event.client_payload.annotationObj.path }}
          start_line: ${{ github.event.client_payload.annotationObj.start_line }}
          end_line: ${{ github.event.client_payload.annotationObj.end_line }}
          break_build_invalid_policy: ${{github.event.client_payload.break_build_invalid_policy }}

  build:
    needs: validations
    uses: ./.github/workflows/veracode-build-artifact-for-scanning.yml
    with:
      repository: ${{ github.event.client_payload.repository.full_name }}
      ref: ${{ github.event.client_payload.sha }}
      token: ${{ github.event.client_payload.token }}
      event_name: ${{ github.event.action }}
      build_runs_on: ${{ github.event.client_payload.user_config.build_runs_on }}
      build_packager_image: ${{ github.event.client_payload.user_config.build_packager_image }}
      build_predependency_command: ${{ github.event.client_payload.user_config.build_predependency_command }}
      ruby_version: ${{ github.event.client_payload.user_config.ruby_version }}
      bundle_version: ${{ github.event.client_payload.user_config.bundle_version }}

  pipeline_scan:
    # needs the build step before this job will start running
    needs: [build, register]
    if: contains(github.event.action, 'pipeline')
    uses: ./.github/workflows/veracode-pipeline-scan.yml
    with:
      policy_name: ${{ github.event.client_payload.policy_name }}
      create_code_scanning_alert: ${{ github.event.client_payload.user_config.create_code_scanning_alert }}
      owner: ${{ github.event.client_payload.repository.owner }}
      repo: ${{ github.event.client_payload.repository.name }}
      sha: ${{ github.event.client_payload.sha }}
      token: ${{ github.event.client_payload.token }}
      ref: ${{ github.event.client_payload.user_config.ref }}
      create_issue: ${{ github.event.client_payload.user_config.create_issue }}
      source_repository: ${{ github.event.client_payload.repository.full_name }}
      check_run_id: ${{ needs.register.outputs.run_id }}
      profile_name: ${{ github.event.client_payload.user_config.profile_name }}
      break_build_policy_findings: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
      break_build_on_error: ${{ github.event.client_payload.user_config.break_build_on_error }}
      filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }}
      language: ${{ github.event.client_payload.repository.language }}
    secrets: inherit

  policy_scan:
    needs: [build, register]
    if: contains(github.event.action, 'policy')
    uses: ./.github/workflows/veracode-policy-scan.yml
    with:
      profile_name: ${{ github.event.client_payload.user_config.profile_name }}
      policy_name: ${{ github.event.client_payload.policy_name }}
      modules_to_scan: ${{ github.event.client_payload.modules_to_scan }}
      owner: ${{ github.event.client_payload.repository.owner }}
      repo: ${{ github.event.client_payload.repository.name }}
      sha: ${{ github.event.client_payload.sha }}
      token: ${{ github.event.client_payload.token }}
      ref: ${{ github.event.client_payload.user_config.ref }}
      create_issue: ${{ github.event.client_payload.user_config.create_issue }}
      create_code_scanning_alert: ${{ github.event.client_payload.user_config.create_code_scanning_alert }}
      source_repository: ${{ github.event.client_payload.repository.full_name }}
      check_run_id: ${{ needs.register.outputs.run_id }}
      break_build_policy_findings: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
      break_build_on_error: ${{ github.event.client_payload.user_config.break_build_on_error }}
      filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }}
      language: ${{ github.event.client_payload.repository.language }}
    secrets: inherit