feat(UserStory#2908412): Enable Mend scan

EverFi · May 2, 2024 · 71c06c9 · 71c06c9
1 parent fa9f1fb
commit 71c06c9
Show file tree

Hide file tree

Showing 3 changed files with 124 additions and 0 deletions.
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,66 @@
+# This workflow is to automate Checkmarx SAST scans.  It runs on a push to the main branch.
+#
+# The following GitHub Secrets must be first defined:
+#   - CHECKMARX_URL
+#   - CHECKMARX_USER
+#   - CHECKMARX_PASSWORD
+#   - CHECKMARX_CLIENT_SECRET
+#
+# For full documentation, including a list of all inputs, please refer to the README https://github.com/checkmarx-ts/checkmarx-cxflow-github-action
+
+name: Security Scans
+
+on:
+  push:
+    branches:
+      - master
+      - '5.x.x'
+      - test-whitesource
+      - test-cx-scan
+      - test-gha-security
+
+jobs:
+  Checkmarx:
+    name: Checkmarx CxFlow Action
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Checkmarx CxFlow Action
+        uses: checkmarx-ts/[email protected] #Github Action version
+        with:
+          # report-file: checkmarx.json
+          # auth-scopes: access_control_api sast_rest_api
+          # version: '9.4'
+          break_build: false
+          checkmarx_url: ${{ vars.CHECKMARX_URL }} # To be stored in GitHub Secrets.
+          checkmarx_username: ${{ vars.CHECKMARX_USERNAME }} # To be stored in GitHub Secrets.
+          checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} # To be stored in GitHub Secrets.
+          checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} # To be stored in GitHub Secrets.
+          params: --namespace=${{ github.repository_owner }} --checkmarx.settings-override=true --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref_name }} --cx-flow.filterSeverity --cx-flow.filterCategory  --checkmarx.disable-clubbing=true
+          preset: Blackbaud SAST
+          project: ${{ github.event.repository.name }} # <-- Insert Checkmarx SAST Project Name
+          team: /CxServer/SP/Company/Everfi
+          scanners: sast
+
+  Mend:
+    name: Mend Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Get branch name
+        shell: bash
+        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
+        id: get_branch_name
+      - name: Mend
+        env:
+          WHITESOURCE_API_KEY: ${{ secrets.WHITESOURCE_API_KEY }}
+          WHITESOURCE_API_BASE_URL: ${{ vars.WHITESOURCE_API_BASE_URL }}
+          WHITESOURCE_SERVER_URL: ${{ vars.WHITESOURCE_SERVER_URL }}
+          BRANCH: ${{ steps.get_branch_name.outputs.branch }}
+        shell: bash
+        run: |
+          echo $'\n'projectName=${{ github.event.repository.name }} >>scripts/whitesource/agent.config
+          echo $'\n'productName=foundry >>scripts/whitesource/agent.config
+          bash ./scripts/whitesource/scan.sh
diff --git a/scripts/whitesource/agent.config b/scripts/whitesource/agent.config
@@ -0,0 +1,40 @@
+########################################
+# WhiteSource FS-Agent configuration file
+# Docs: https://whitesource.atlassian.net/wiki/spaces/WD/pages/489160834/Unified+Agent+Configuration+File+Parameters
+########################################
+
+#### Language settings ####
+bazel.resolveDependencies=false
+bower.resolveDependencies=false
+cargo.resolveDependencies=false
+case.sensitive.glob=false
+checkPolicies=false
+cocoapods.resolveDependencies=false
+followSymbolicLinks=true
+forceCheckAllDependencies=false
+forceUpdate=false
+forceUpdate.failBuildOnPolicyViolation=false
+go.resolveDependencies=false
+gradle.resolveDependencies=false
+html.resolveDependencies=true
+html.identifyByNameAndVersion=true
+html.includeDevDependencies=true
+maven.resolveDependencies=false
+npm.resolveDependencies=true
+npm.identifyByNameAndVersion=true
+npm.runPreStep=false
+npm.includeDevDependencies=true
+nuget.resolveDependencies=false
+offline=false
+paket.resolveDependencies=false
+php.resolveDependencies=false
+python.resolveDependencies=false
+r.resolveDependencies=false
+ruby.resolveDependencies=false
+sbt.resolveDependencies=false
+
+#### WS server URL ####
+wss.url=https://app.whitesourcesoftware.com/agent
+
+#### Glob patterns ####
+includes=**/*.js **/*.html **/*.html.erb
diff --git a/scripts/whitesource/scan.sh b/scripts/whitesource/scan.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [[ -z "$WHITESOURCE_API_KEY" ]]; then
+  echo "WHITESOURCE_API_KEY has not been set, please set it up in the project environment variables since its mandatory"
+  exit 1
+fi
+
+echo apiKey="${WHITESOURCE_API_KEY}" >>scripts/whitesource/agent.config
+echo scanComment="${BRANCH}-${GITHUB_RUN_ID}" >>scripts/whitesource/agent.config
+
+if [[ -f install_commands.sh ]]; then
+  echo "Executing file: install_commands.sh"
+  echo ""
+  chmod +x install_commands.sh
+  ./install_commands.sh
+fi
+
+bash <(curl -s -L https://raw.githubusercontent.com/whitesource/unified-agent-distribution/master/standAlone/wss_agent_orb.sh) -apiKey "$WHITESOURCE_API_KEY" -c scripts/whitesource/agent.config -d .