Skip to content
Veracode Static Analysis Pipeline Scan

[2º] - Release/v1.2.0 digital product pass: Support the Digital Product Pass aspect in the backend #351

Sign in to view logs

[2º] - Release/v1.2.0 digital product pass: Support the Digital Product Pass aspect in the backend

[2º] - Release/v1.2.0 digital product pass: Support the Digital Product Pass aspect in the backend #351

Workflow file for this run

.github/workflows/veracode-pipeline.yml at 25e9e41
#################################################################################
# Catena-X - Product Passport Consumer Application
#
# Copyright (c) 2022, 2023 BASF SE, BMW AG, Henkel AG & Co. KGaA
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
# either express or implied. See the
# License for the specific language govern in permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
#################################################################################
name: Veracode Static Analysis Pipeline Scan
on:
push:
branches: [ "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main", "develop"]
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
permissions:
contents: read
env:
VID: '${{ secrets.VERACODE_API_ID || secrets.ORG_VERACODE_API_ID }}'
VKEY: '${{ secrets.VERACODE_API_KEY || secrets.ORG_VERACODE_API_KEY }}'
jobs:
check-secrets:
runs-on: ubuntu-latest
outputs:
secrets-available: ${{ steps.secrets-exists.outputs.available }}
steps:
- name: Check for Secrets availability
id: secrets-exists
shell: bash
## Check if the secrets are available in the environment
## Check if the secrets are available in the environment
run: |
if [ "${{ env.VID }}" != '' ] && [ "${{ env.VKEY }}" != '' ]; then
echo "available=true" >> $GITHUB_OUTPUT;
echo "Secrets are available at this environment!"
else
echo "available=false" >> $GITHUB_OUTPUT;
echo "No secrets are available at this environment!"
fi
# This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
build-and-pipeline-scan:
needs: [ check-secrets ]
if: needs.check-secrets.outputs.secrets-available == 'true' ## Require that the secrets are available
permissions:
contents: read
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
repository: ''
- uses: actions/setup-java@v3
with:
java-version: 19
distribution: 'adopt'
- name: build
run: |
cd consumer-backend/productpass
mvn dependency:purge-local-repository clean verify
- run: zip -r veracode-scan-target.zip ./
# download the Veracode Static Analysis Pipeline scan jar
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- run: unzip -o pipeline-scan-LATEST.zip
- uses: actions/setup-java@v3
with:
java-version: 8
distribution: 'temurin'
- run: java -Dpipeline.debug=true -jar pipeline-scan.jar -p "Product-Passport-Consumer-App" --veracode_api_id "${{ env.VID }}" --veracode_api_key "${{ env.VKEY }}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip
continue-on-error: true
- name: Convert pipeline scan output to SARIF format
id: convert
uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
with:
pipeline-results-json: results.json
- uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: veracode-results.sarif