Skip to content

Commit

Permalink
feat: Add ability to run and import Debricked scans into SSC (closes #41
Browse files Browse the repository at this point in the history
)
  • Loading branch information
rsenden committed Jun 4, 2024
1 parent b02d1d7 commit 7b12023
Show file tree
Hide file tree
Showing 41 changed files with 785 additions and 171 deletions.
296 changes: 272 additions & 24 deletions README.md

Large diffs are not rendered by default.

12 changes: 10 additions & 2 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,21 @@ inputs:
description: 'Run a SAST scan, takes either true or false (default)'
default: 'false'
required: false
debricked-sca-scan:
description: 'Run a Debricked Software Composition Analysis, takes either true or false (default)'
default: 'false'
required: false
runs:
using: composite
steps:
- uses: fortify/github-action/[email protected]
if: inputs['sast-scan']=='true' && env.FOD_URL
if: inputs['sast-scan']=='true' && env.FOD_URL
- uses: fortify/github-action/[email protected]
if: inputs['sast-scan']=='true' && env.SSC_URL
if: inputs['sast-scan']=='true' && env.SSC_URL
env:
DO_DEBRICKED_SCAN: ${{ inputs['debricked-sca-scan'] }}
- uses: fortify/github-action/[email protected]
if: inputs['sast-scan']=='false' && inputs['debricked-sca-scan']=='true' && env.SSC_URL

branding:
icon: 'shield'
Expand Down
7 changes: 5 additions & 2 deletions doc-resources/action-fod-sast-scan.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,13 @@ The SAST and optional open source scan performed by this action consists of the
* Optionally wait for the scan to complete
* Optionally export scan results to the GitHub Code Scanning dashboard

Before running this action, please ensure that the appropriate release has been created on FoD and has been configured for SAST scans. Future versions of this action may add support for automating app/release creation and scan setup. If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `EXTRA_PACKAGE_OPTS` environment variable.

{{include:action-prerequisites.md}}

Apart from the generic action prerequisites listed above, the following prerequisites apply to this specific action:

* The appropriate application release exists on FoD and has been configured for SAST scans. Future versions of this action may add support for automating app/release creation and scan setup.
* If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `EXTRA_PACKAGE_OPTS` environment variable.

### Action environment variable inputs

{{include:env-fod-sast-scan.md}}
Expand Down
10 changes: 7 additions & 3 deletions doc-resources/action-sc-sast-scan.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,17 @@ This action performs a SAST scan on ScanCentral SAST, consisting of the followin
* Login to ScanCentral SAST Controller
* Package application source code using ScanCentral Client
* Submit the source code package to be scanned to ScanCentral SAST Controller
* Optionally wait for the scan to complete
* Optionally run a Debricked Software Composition Analysis scan
* Optionally wait for all scans to complete and results having been processed by SSC
* Optionally export scan results to the GitHub Code Scanning dashboard

Before running this action, please ensure that the appropriate application version has been created on SSC. Future versions of this action may add support for automating application version creation.

{{include:action-prerequisites.md}}

Apart from the generic action prerequisites listed above, the following prerequisites apply to this specific action:

* The appropriate application version must exist on SSC. Future versions of this action may add support for automating application version creation.
* If Debricked scanning is enabled, the [Fortify SSC Parser Plugin for Debricked results](https://github.com/fortify/fortify-ssc-parser-debricked-cyclonedx) must be installed on Fortify SSC, to allow for SSC to accept and process the Debricked scan results submitted by this action.

### Action environment variable inputs

{{include:env-sc-sast-scan.md}}
Expand Down
36 changes: 36 additions & 0 deletions doc-resources/action-ssc-debricked-scan.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
This action performs a Debricked Software Composition Analysis (SCA) scan, consisting of the following steps:

* Login to Fortify SSC
* Run Debricked scan
* Publish Debricked scan results to Fortify SSC
* Optionally wait for SSC artifact processing to complete

Note that this action is explicitly meant for Debricked/SSC integration. If you wish to run a Debricked scan without publishing the results to SSC, please see the [Debricked GitHub Integration documentation](https://portal.debricked.com/integrations-48/integration-with-github-214#github-actions)

{{include:action-prerequisites.md}}

Apart from the generic action prerequisites listed above, the following prerequisites apply to this specific action:

* The appropriate application version must exist on SSC. Future versions of this action may add support for automating application version creation.
* The [Fortify SSC Parser Plugin for Debricked results](https://github.com/fortify/fortify-ssc-parser-debricked-cyclonedx) must be installed on Fortify SSC, to allow for SSC to accept and process the Debricked scan results submitted by this action.

### Action environment variable inputs

{{include:env-ssc-debricked-scan.md}}

{{include:env-setup.md}}

### Sample usage

The sample workflow below demonstrates how to configure the action for running a Debricked scan and publishing the results to Fortify SSC.

```yaml
steps:
- name: Check out source code
uses: actions/checkout@v4
- name: Run Debricked Scan
uses: fortify/github-action/ssc-debricked-scan@{{var:action-major-version}}
env:
{{include:nocomments.env-ssc-debricked-scan-sample.md}}
{{include:nocomments.env-setup-sample.md}}
```
2 changes: 0 additions & 2 deletions doc-resources/env-sc-sast-login.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
{{include:env-ssc-connection.md}}

**`SC_SAST_TOKEN`** - REQUIRED
Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller.

Expand Down
9 changes: 9 additions & 0 deletions doc-resources/env-sc-sast-scan.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,15 @@
{{include:env-ssc-connection.md}}

{{include:env-ssc-login.md}}

{{include:env-sc-sast-login.md}}

**`DO_DEBRICKED_SCAN`** - OPTIONAL
If set to `true`, this action will run both ScanCentral SAST and Debricked Software Composition Analysis (SCA) scans and publish both results to SSC. This is equivalent to setting the `debricked-sca-scan` input on the top-level `fortify/github-action` action. Note that this requires the [Fortify SSC Parser Plugin for Debricked results](https://github.com/fortify/fortify-ssc-parser-debricked-cyclonedx) to be installed on Fortify SSC, to allow for SSC to accept and process the Debricked scan results submitted by this action.

**`DEBRICKED_TOKEN`** - REQUIRED*
Required when performing a Debricked Software Composition Analysis scan; see the [Generate access token](https://docs.debricked.com/product/administration/generate-access-token) section in the Debricked documentation for details on how to generate this token.

{{include:env-ssc-appversion.md}}

{{include:env-package.md}}
Expand Down
13 changes: 13 additions & 0 deletions doc-resources/env-ssc-debricked-scan.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
{{include:env-ssc-connection.md}}

{{include:env-ssc-login.md}}

**`DEBRICKED_TOKEN`** - REQUIRED
See the [Generate access token](https://docs.debricked.com/product/administration/generate-access-token) section in the Debricked documentation for details on how to generate this token.

{{include:env-ssc-appversion.md}}

**`DO_WAIT`** - OPTIONAL
By default, this action will complete immediately after Debricked scan results have been uploaded to SSC. To have the workflow wait until the Debricked results have been processed by SSC (potentially failing if the results cannot be successfully processed), set the `DO_WAIT` environment variable to `true`.

For consistency with other actions, `DO_WAIT` is implied if `DO_EXPORT` is set to `true`, but since GitHub doesn't support importing Software Composition Analysis results, Debricked results will not be published to GitHub even if `DO_EXPORT` is set to `true`.
2 changes: 0 additions & 2 deletions doc-resources/env-ssc-login.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,2 @@
{{include:env-ssc-connection.md}}

**`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL
Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-ssc-session-login.html).
2 changes: 1 addition & 1 deletion doc-resources/env-wait-export.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,4 @@
By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below.

**`DO_EXPORT`** - OPTIONAL
If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository.
If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. Note that GitHub only supports importing SAST results; other results will not exported to GitHub.
1 change: 0 additions & 1 deletion doc-resources/nocomments.env-sc-sast-login-sample.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,2 @@
{{include:nocomments.env-ssc-connection-sample.md}}
SC_SAST_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}}
# EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s
4 changes: 4 additions & 0 deletions doc-resources/nocomments.env-sc-sast-scan-sample.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
{{include:nocomments.env-ssc-connection-sample.md}}
{{include:nocomments.env-ssc-login-sample.md}}
{{include:nocomments.env-sc-sast-login-sample.md}}
{{include:nocomments.env-ssc-appversion-sample.md}}
{{include:nocomments.env-package-sample.md}}
SC_SAST_SENSOR_VERSION: 23.2
# DO_DEBRICKED_SCAN: true # Or debricked-sca-scan input on top-level action
# DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}}
# DO_WAIT: true
# DO_EXPORT: true
5 changes: 5 additions & 0 deletions doc-resources/nocomments.env-ssc-debricked-scan-sample.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
{{include:nocomments.env-ssc-connection-sample.md}}
{{include:nocomments.env-ssc-login-sample.md}}
{{include:nocomments.env-ssc-appversion-sample.md}}
DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}}
# DO_WAIT: true
1 change: 1 addition & 0 deletions doc-resources/nocomments.env-ssc-login-sample.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
# EXTRA_SSC_LOGIN_OPTS: --socket-timeout=60s
49 changes: 42 additions & 7 deletions doc-resources/repo-readme.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ The [Fortify github-action repository]({{var:repo-url}}) hosts various Fortify-r
**Fortify on Demand**

* [`fortify/github-action`](#fortify-github-action)
For now, this action provides the same functionality as the `fod-sast-scan` action listed below. Future versions may add support for running other types of scans or performing other FoD actions.
For now, this action provides the same functionality as the `fod-sast-scan` action listed below. Future versions may add support for running other types of scans or performing other FoD operations.
* [`fortify/github-action/fod-sast-scan`](#fortify-github-action-fod-sast-scan)
Package source code, submit static application security testing (SAST) scan request to Fortify on Demand, optionally wait for completion and export results back to the GitHub Security dashboard.
* [`fortify/github-action/package`](#fortify-github-action-package)
Expand All @@ -13,12 +13,14 @@ The [Fortify github-action repository]({{var:repo-url}}) hosts various Fortify-r
* [`fortify/github-action/setup`](#fortify-github-action-setup)
Install various Fortify tools like [fcli](https://github.com/fortify/fcli), [ScanCentral Client]({{var:sc-client-doc-base-url}}#A_Clients.htm), [FortifyVulnerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter) and [FortifyBugTrackerUtility](https://github.com/fortify-ps/FortifyBugTrackerUtility) for use in your pipeline

**Fortify Sofware Security Center (SSC) / ScanCentral SAST**
**Fortify Sofware Security Center (SSC) / ScanCentral SAST / Debricked**

* [`fortify/github-action`](#fortify-github-action)
For now, this action provides the same functionality as the `sc-sast-scan` action listed below. Future versions may add support for running other types of scans or performing other SSC / ScanCentral actions.
Depending on inputs, this action will run either or both a ScanCentral SAST and Debricked Software Composition Analysis (SCA) scan and publish scan results to SSC. Future versions may add support for running other types of scans or performing other SSC / ScanCentral operations.
* [`fortify/github-action/sc-sast-scan`](#fortify-github-action-sc-sast-scan)
Package source code, submit SAST scan request to ScanCentral SAST, optionally wait for completion and export results back to the GitHub Security dashboard.
Run a ScanCentral SAST and optionally Debricked Software Composition Analysis scan by packaging source code, submitting ScanCentral SAST scan and optional Debricked scan request, and optionally waiting for completion and exporting SAST results back to the GitHub Security dashboard.
* [`fortify/github-action/ssc-debricked-scan`](#fortify-github-action-ssc-debricked-scan)
Run a Debricked Software Composition Analysis scan and publish scan results to SSC, optionally waiting for scan results to be fully processed on SSC.
* [`fortify/github-action/package`](#fortify-github-action-package)
Package source code for running a SAST scan, using the latest version of ScanCentral Client.
* [`fortify/github-action/ssc-export`](#fortify-github-action-ssc-export)
Expand All @@ -39,7 +41,10 @@ The primary `fortify/github-action` action currently allows for running SAST sca
**`sast-scan`** - OPTIONAL
When set to true, the action will run a SAST scan on either Fortify on Demand (if the `FOD_URL` environment variable has been specified), or on ScanCentral SAST (if the `SSC_URL` environment variable has been specified). This includes packaging the source code, running the scan, and optionally reporting SAST scan results back into GitHub.

If not specified or when set to false, no SAST scan will be performed. For now, this means that the action will complete without doing any work. Future versions of this action may provide additional inputs, for example allowing you to run a dynamic application security testing (DAST) scan instead of a SAST scan.
If not specified or when set to false, no SAST scan will be performed. For FoD, this means that the action will complete without doing any work. For SSC, the action could still run a Debricked-only scan based on the `debricked-sca-scan` input as listed below. Future versions of this action may provide additional inputs, for example allowing you to run a dynamic application security testing (DAST) scan instead of (or in combination with) a SAST scan.

**`debricked-sca-scan`** - OPTIONAL
(Not applicable to Fortify on Demand) When set to true, the action will run a Debricked Software Composition Analysis (SCA) scan and publish the results to Fortify SSC. You can either run a Debricked-only scan (`sast-scan` set to `false`), or both SAST and Debricked SCA scan if both inputs are set to `true`.

### Action environment variable inputs

Expand All @@ -49,12 +54,18 @@ If not specified or when set to false, no SAST scan will be performed. For now,

{{include:env-setup.md}}

#### ScanCentral SAST
#### ScanCentral SAST with optional Debricked scan

{{include:env-sc-sast-scan.md}}

{{include:env-setup.md}}

#### Debricked-only scan and publish to SSC

{{include:env-ssc-debricked-scan.md}}

{{include:env-setup.md}}

### Sample workflows

The sample workflows below demonstrate how to configure the action for running a SAST scan on either Fortify on Demand or ScanCentral SAST.
Expand All @@ -74,7 +85,7 @@ The sample workflows below demonstrate how to configure the action for running a
{{include:nocomments.env-setup-sample.md}}
```

#### ScanCentral SAST
#### ScanCentral SAST with optional Debricked scan

```yaml
steps:
Expand All @@ -84,11 +95,28 @@ The sample workflows below demonstrate how to configure the action for running a
uses: fortify/github-action@{{var:action-major-version}}
with:
sast-scan: true
# debricked-sca-scan: true
env:
{{include:nocomments.env-sc-sast-scan-sample.md}}
{{include:nocomments.env-setup-sample.md}}
```

#### Debricked-only scan and publish to SSC

```yaml
steps:
- name: Check out source code
uses: actions/checkout@v4
- name: Run Debricked Scan
uses: fortify/github-action@{{var:action-major-version}}
with:
sast-scan: false
debricked-sca-scan: true
env:
{{include:nocomments.env-ssc-debricked-scan-sample.md}}
{{include:nocomments.env-setup-sample.md}}
```

### More information

Depending on input, this action delegates to the appropriate sub-action(s). Please refer to the documentation of these actions for a more detailed description of action behavior & requirements:
Expand Down Expand Up @@ -132,6 +160,13 @@ Depending on input, this action delegates to the appropriate sub-action(s). Plea
{{include:action-sc-sast-scan.md}}


<a name="fortify-github-action-ssc-debricked-scan"></a>

## fortify/github-action/ssc-debricked-scan

{{include:action-ssc-debricked-scan.md}}


<a name="fortify-github-action-ssc-export"></a>

## fortify/github-action/ssc-export
Expand Down
11 changes: 11 additions & 0 deletions doc-resources/templates/ssc-debricked-scan/README.template.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# fortify/github-action/ssc-debricked-scan@{{var:action-major-version}}

{{include:p.marketing-intro.md}}

{{include:action-ssc-debricked-scan.md}}

{{include:h2.support.md}}

---

*[This document was auto-generated; do not edit by hand](https://github.com/fortify/shared-doc-resources/blob/main/USAGE.md)*
9 changes: 6 additions & 3 deletions fod-sast-scan/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,6 @@ The SAST and optional open source scan performed by this action consists of the
* Optionally wait for the scan to complete
* Optionally export scan results to the GitHub Code Scanning dashboard

Before running this action, please ensure that the appropriate release has been created on FoD and has been configured for SAST scans. Future versions of this action may add support for automating app/release creation and scan setup. If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `EXTRA_PACKAGE_OPTS` environment variable.


<!-- START-INCLUDE:action-prerequisites.md -->

Expand All @@ -38,6 +36,11 @@ This action assumes the standard software packages as provided by GitHub-hosted
<!-- END-INCLUDE:action-prerequisites.md -->


Apart from the generic action prerequisites listed above, the following prerequisites apply to this specific action:

* The appropriate application release exists on FoD and has been configured for SAST scans. Future versions of this action may add support for automating app/release creation and scan setup.
* If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `EXTRA_PACKAGE_OPTS` environment variable.

### Action environment variable inputs


Expand Down Expand Up @@ -102,7 +105,7 @@ Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation](http
By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below.

**`DO_EXPORT`** - OPTIONAL
If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository.
If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. Note that GitHub only supports importing SAST results; other results will not exported to GitHub.

<!-- END-INCLUDE:env-wait-export.md -->

Expand Down
5 changes: 2 additions & 3 deletions internal/fod-login/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,8 @@ runs:
- uses: fortify/github-action/internal/[email protected]
if: ${{ !env._FOD_LOGGED_IN }}
with:
cwd: ${{ github.action_path }}
script: ./fod-login.sh
post: ./fod-logout.sh
script: fod-login.sh
post: fod-logout.sh

branding:
icon: 'shield'
Expand Down
Loading

0 comments on commit 7b12023

Please sign in to comment.