diff --git a/.github/workflows/checkmarx_and_whitesource.yml b/.github/workflows/checkmarx_and_whitesource.yml new file mode 100644 index 0000000..a2d105d --- /dev/null +++ b/.github/workflows/checkmarx_and_whitesource.yml @@ -0,0 +1,59 @@ +# This workflow is to automate Checkmarx SAST scans. It runs on a push to the main branch. +# +# The following GitHub Secrets must be first defined: +# - CHECKMARX_URL +# - CHECKMARX_USER +# - CHECKMARX_PASSWORD +# - CHECKMARX_CLIENT_SECRET +# +# For full documentation, including a list of all inputs, please refer to the README https://github.com/checkmarx-ts/checkmarx-cxflow-github-action + + +name: Checkmarx and Whitesource scans +on: + push: + branches: + - master +jobs: + mend-scan: + name: Mend Scan + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4.1.0 + - name: Get branch name + shell: bash + run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT + id: get_branch_name + - name: Mend + env: + WHITESOURCE_API_KEY: ${{ secrets.WHITESOURCE_API_KEY }} + WHITESOURCE_API_BASE_URL: ${{ vars.WHITESOURCE_API_BASE_URL }} + WHITESOURCE_SERVER_URL: ${{ vars.WHITESOURCE_SERVER_URL }} + BRANCH: ${{ steps.get_branch_name.outputs.branch }} + shell: bash + run: | + echo $'\n'projectName=${{ github.event.repository.name }} >>./scripts/whitesource/agent.config + echo $'\n'productName=foundry >>./scripts/whitesource/agent.config + bash ./scripts/whitesource/mend_scan.sh + checkmarx-scan: + name: Checkmarx Scan + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4.1.0 + - name: Checkmarx CxFlow Action + uses: checkmarx-ts/checkmarx-cxflow-github-action@v1.4 #Github Action version + with: + # report-file: checkmarx.json + # auth-scopes: access_control_api sast_rest_api + # version: '9.4' + break_build: false + checkmarx_url: ${{ vars.CHECKMARX_URL }} # To be stored in GitHub Secrets. + checkmarx_username: ${{ vars.CHECKMARX_USERNAME }} # To be stored in GitHub Secrets. + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} # To be stored in GitHub Secrets. + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} # To be stored in GitHub Secrets. + params: --namespace=${{ github.repository_owner }} --checkmarx.settings-override=true --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref_name }} --cx-flow.filterSeverity --cx-flow.filterCategory --checkmarx.disable-clubbing=true + preset: Blackbaud SAST + project: ${{ github.event.repository.name }} # <-- Insert Checkmarx SAST Project Name + team: /CxServer/SP/Company/Everfi + scanners: sast diff --git a/.gitignore b/.gitignore index 8f994bd..001d28f 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ spec/reports test/tmp test/version_tmp tmp +.idea diff --git a/scripts/whitesource/agent.config b/scripts/whitesource/agent.config new file mode 100644 index 0000000..1f19b51 --- /dev/null +++ b/scripts/whitesource/agent.config @@ -0,0 +1,38 @@ +#skyux-spa Whitesource configuration file +#Whitesource Config File Documentation +#https://whitesource.atlassian.net/wiki/spaces/WD/pages/489160834/Unified+Agent+Configuration+File+Parameters +checkPolicies=false +forceCheckAllDependencies=false +forceUpdate=false +forceUpdate.failBuildOnPolicyViolation=false +offline=false +wss.url=https://app.whitesourcesoftware.com/agent +npm.resolveDependencies=true +npm.identifyByNameAndVersion=true +npm.runPreStep=false +npm.includeDevDependencies=true +bower.resolveDependencies=false +nuget.resolveDependencies=false +python.resolveDependencies=false +maven.resolveDependencies=false +gradle.resolveDependencies=false +paket.resolveDependencies=false +go.resolveDependencies=false +ruby.resolveDependencies=true +ruby.identifyByNameAndVersion=true +ruby.includeDevDependencies=true +ruby.runBundleInstall=true +sbt.resolveDependencies=false +php.resolveDependencies=false +html.resolveDependencies=true +html.identifyByNameAndVersion=true +html.includeDevDependencies=true +cocoapods.resolveDependencies=false +r.resolveDependencies=false +cargo.resolveDependencies=false +bazel.resolveDependencies=false +projectName=adminifi +productName=foundry +includes=**/*.js **/*.rb **/*.html **/*.html.erb +case.sensitive.glob=false +followSymbolicLinks=true diff --git a/scripts/whitesource/mend_scan.sh b/scripts/whitesource/mend_scan.sh new file mode 100644 index 0000000..16ed2a5 --- /dev/null +++ b/scripts/whitesource/mend_scan.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +if [[ -z "$WHITESOURCE_API_KEY" ]]; then + echo "WHITESOURCE_API_KEY has not been set, please set it up in the project environment variables since its mandatory" + exit 1 +fi + +echo apiKey="${WHITESOURCE_API_KEY}" >>scripts/whitesource/agent.config +echo scanComment="${BRANCH}-${GITHUB_RUN_ID}" >>scripts/whitesource/agent.config + +if [[ -f install_commands.sh ]]; then + echo "Executing file: install_commands.sh" + echo "" + chmod +x install_commands.sh + ./install_commands.sh +fi + +bash <(curl -s -L https://raw.githubusercontent.com/whitesource/unified-agent-distribution/master/standAlone/wss_agent_orb.sh) -apiKey "$WHITESOURCE_API_KEY" -c scripts/whitesource/agent.config -d .