Send all manipulated images to temp media directory #475
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Code scanning by Fortify | |
| # TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| branches: | |
| - 'master' | |
| - 'release-*' | |
| push: | |
| branches: | |
| - 'master' | |
| - 'beta' | |
| - 'release-*' | |
| jobs: | |
| FoD-SAST-Scan: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Setup Java | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: 17 | |
| distribution: 'temurin' | |
| - name: Setup Maven | |
| uses: stCarolas/setup-maven@v4.5 | |
| with: | |
| maven-version: 3.8.7 | |
| - name: Setup Maven settings | |
| uses: whelk-io/maven-settings-xml-action@v14 | |
| with: | |
| repositories: '[{ "id": "github-genexuslabs", "url": "https://maven.pkg.github.com/genexuslabs/*", "releases": { "enabled": "true" }, "snapshots": { "enabled": "true" } }]' | |
| servers: '[{ "id": "github-genexuslabs", "username": "genexusbot", "password": "${{ secrets.SECURE_TOKEN }}" }]' | |
| - name: Download Fortify ScanCentral Client | |
| uses: fortify/gha-setup-scancentral-client@v1 | |
| - name: Package Code + Dependencies | |
| run: scancentral package $PACKAGE_OPTS -o package.zip | |
| env: | |
| PACKAGE_OPTS: "-bt mvn -bf pom.xml" | |
| - name: Show package contents | |
| run: unzip -l package.zip | |
| - name: Download Fortify on Demand Universal CI Tool | |
| uses: fortify/gha-setup-fod-uploader@v1.0.1 | |
| - name: Perform SAST Scan | |
| run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -ac "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" | |
| env: | |
| FOD_TENANT: ${{ secrets.FOD_TENANT }} | |
| FOD_USER: ${{ secrets.FOD_USER }} | |
| FOD_PAT: ${{ secrets.FOD_PAT }} | |
| FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} | |
| FOD_URL: "https://ams.fortify.com" | |
| FOD_API_URL: "https://api.ams.fortify.com" | |
| FOD_UPLOADER_OPTS: "-ep 2 -pp 1 -I 1 -apf" | |
| FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' | |
| - name: Export results to GitHub-optimized SARIF | |
| uses: fortify/gha-export-vulnerabilities@v1.0.2 | |
| with: | |
| export_target: GitHub | |
| fod_base_url: "https://ams.fortify.com/" | |
| fod_tenant: ${{ secrets.FOD_TENANT }} | |
| fod_client_id: ${{ secrets.FOD_USER }} | |
| fod_client_secret: ${{ secrets.FOD_PAT }} | |
| fod_release_id: ${{ secrets.FOD_RELEASE_ID }} | |
| - name: Import Results | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: ./gh-fortify-sast.sarif |