Skip to content

Commit

Permalink
WEBUI-1377: integrate veracode in github action
Browse files Browse the repository at this point in the history
  • Loading branch information
rakeshkumar1019 committed May 10, 2024
1 parent d4d2a33 commit f1c2b91
Showing 1 changed file with 81 additions and 64 deletions.
145 changes: 81 additions & 64 deletions .github/workflows/veracode.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,8 @@ on:
# The branches below must be a subset of the branches above
branches: [ "maintenance-3.0.x" ]
schedule:
# At 01:00 on Sunday
- cron: '0 1 * * SUN'
# At 20:00 every day
- cron: '0 20 * * *'
workflow_call:
inputs:
branch:
Expand Down Expand Up @@ -48,13 +48,13 @@ permissions:

jobs:
# This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
sast-scan:
sast-scan-build:
# The type of runner that the job will run on
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
runs-on: [self-hosted, master]
steps:

# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps
Expand All @@ -65,7 +65,7 @@ jobs:
- uses: actions/setup-node@v1
with:
registry-url: ${{ env.NPM_REPOSITORY }}
node-version: 14
node-version: 18
scope: '@nuxeo'

- uses: actions/setup-java@v2
Expand Down Expand Up @@ -113,6 +113,19 @@ jobs:
echo "ELEMENTS_HELPERS=$(npm pack 2>&1 | tail -1)" >> $GITHUB_ENV
popd
popd
- name: add .npmrc
run: |
pushd /tmp/_temp/
rm .npmrc
touch .npmrc
popd
echo '
packages.nuxeo.com/repository/npm-public/:_auth=${NODE_AUTH_TOKEN}
@nuxeo:registry=https://packages.nuxeo.com/repository/npm-public/
always-auth=true
' >> /tmp/_temp/.npmrc
- name: Link elements to Web UI
run: |
npm install --no-package-lock --@nuxeo:registry="${{ env.NPM_REPOSITORY }}" nuxeo-elements/core/${ELEMENTS_CORE}
Expand All @@ -130,64 +143,68 @@ jobs:
</server>
</servers>
</settings>' > ~/.m2/settings.xml
- name: Nuxeo package build
run: mvn install -DskipInstall
- name: Archive packages
- name: Delete Node Modules
run: |
rm -rf node_modules
rm -rf packages/nuxeo-designer-catalog/node_modules
rm -rf packages/nuxeo-web-ui-ftest/node_modules
rm -rf plugin/a11y/node_modules
- name: Delete Test Folders
run: |
rm -rf nuxeo-elements/testing-helpers/
rm -rf nuxeo-elements/ui/test/
rm -rf nuxeo-elements/storybook/
rm -rf ftest/
rm -rf plugin/
rm -rf scripts/
rm -rf test/
rm -rf packages/nuxeo-web-ui-ftest/
- name: Install zip
run: apt-get install zip

- name: Zip nuxeo-web-ui
run: |
echo nuxeo-web-ui-${{ steps.get-tag.outputs.TAG }}.zip
zip -r nuxeo-web-ui.zip *
- name: Upload ZIP as artifact
uses: actions/upload-artifact@v2
with:
name: packages
path: |
plugin/web-ui/marketplace/target/nuxeo-web-ui-marketplace-*.zip
# download the Veracode Static Analysis Pipeline scan jar
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- run: unzip -o pipeline-scan-LATEST.zip
- name: Code Scanning
id: code_scanning
run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --summary_output=true --file plugin/web-ui/marketplace/target/nuxeo-web-ui-marketplace-*.zip
continue-on-error: true
- name: Convert pipeline scan output to SARIF format
id: convert
uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5
with:
pipeline-results-json: results.json
output-results-sarif: veracode-results.sarif
finding-rule-level: "4:3:0"
- name: Upload SARIF file to repository
uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: veracode-results.sarif
- name: Slack notification
if: (github.event_name == 'pull_request' || github.event_name == 'schedule')
uses: slackapi/slack-github-action@v1.23.0
env:
REPO_URL: ${{ github.server_url }}/${{ github.repository }}
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
with:
channel-id: ${{ env.SLACK_CHANNEL_ID }}
payload: |
{
"text": "<${{ env.REPO_URL }}/actions/runs/${{ github.run_id }}|Code scanning> ${{ steps.code_scanning.outcome }} in nuxeo/nuxeo-web-ui <${{ env.REPO_URL }}/commit/${{ github.sha }}|${{ github.ref_name }}>",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "<${{ env.REPO_URL }}/actions/runs/${{ github.run_id }}|Code scanning> ${{ job.status }} in nuxeo/nuxeo-WEB-UI <${{ env.REPO_URL }}/commit/${{ github.sha }}|${{ github.ref_name }}>"
}
}
]
}
- name: Send scan result summary to slack
uses: crederauk/slack-workflow-summary@v1.2.2
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
- name: Send scan result file to slack
uses: adrey/slack-file-upload-action@master
with:
token: ${{ secrets.SLACK_BOT_TOKEN }}
path: results.txt
channel: ${{ secrets.SLACK_CHANNEL_ID }}
name: nuxeo-web-ui
path: nuxeo-web-ui.zip

sast-scan:
needs: sast-scan-build
permissions:
contents: read
security-events: write
actions: read
runs-on: ubuntu-latest
steps:
- name: Download artifact
uses: actions/download-artifact@v2
with:
name: nuxeo-web-ui
path: .

- name: List downloaded artifact
run: |
ls -l
pwd
- name: Veracode Upload And Scan
uses: veracode/veracode-uploadandscan-action@0.2.6
with:
appname: 'Nuxeo Web UI'
createprofile: false
filepath: 'nuxeo-web-ui.zip'
vid: '${{ secrets.VERACODE_SECRET_API_ID }}'
vkey: '${{ secrets.VERACODE_SECRET_KEY }}'
sandboxname: 'master'
scantimeout: 600
include: '*.war, *.zip, *.js, *.html, *.css, *.json'
criticality: 'High'
includenewmodules: 'true'

0 comments on commit f1c2b91

Please sign in to comment.