DevSecOps with Fortify on Demand #169

Workflow file for this run


	# Create GitHub Action Repository Variables for your version of the application:
	# FOD_BASE_URL - FoD BASE URL for your tenant (e.g. https://ams.fortify.com)
	# FOD_API_URL - FoD API URL for your tenant (e.g. https://api.ams,fortify.com)
	# FORTIFY_APP_NAME_POSTFIX - A postfix string to apply to the application to make it unique, set to empty to use DEFAULT_APP_NAME
	# FOD_PARENT_RELEASE_NAME - FoD release name corresponding to the parent branch of any newly created branch, this is typically "main" or "develop"
	# FOD_DEFAULT_OWNER - The user id of the Application Owner (only needed if an application does not already exist)
	# FOD_DEFAULT_ASSESSMENT_TYPE - The default Assessment Type to use, e.g. "Static Assessment"
	# Create GitHub Action Secrets for your version of the application:
	# FOD_CLIENT_ID should be an API Key obtained from your FoD tenant.
	# FOD_CLIENT_SECRET should be the secret for the API Key obtained for your FoD tenant.
	# Helpful hints:
	# API Key credentials can be obtained from your FoD tenant, under Administration -> Settings -> API
	# It is recommended to create credentials with 'Security Lead' Role selected.
	# "Automated Audit preference" should be configured for the release's Static Scan Settings.
	name: DevSecOps with Fortify on Demand

	on:
	# Triggers the workflow on push or pull request events but only for the main or develop branches
	push:
	paths-ignore:
	- '.github//'
	- 'Jenkinsfile'
	- 'bin/**'
	- 'data/**'
	- 'etc/**'
	- 'tests/**'
	- '*.md'
	- 'LICENSE'
	#branches-ignore:
	# - main
	# - develop
	branches:
	- '**' # matches every branch
	pull_request:
	branches: [ main, develop ]

	# Allows you to run this workflow manually from the Actions tab
	workflow_dispatch:
	inputs:
	runFoDSASTScan:
	description: 'Carry out SAST scan using Fortify on Demand'
	required: false
	default: 'true'
	runFoDOSSScan:
	description: 'Carry out OSS scan using Fortify on Demand'
	required: false
	default: 'true'
	deployApp:
	description: 'Deploy App'
	required: false
	default: 'true'
	runFoDDASTScan:
	description: 'Carry out DAST scan using Fortify on Demand'
	required: false
	default: 'false'

	# Global environment variables
	env:
	DEFAULT_APP_NAME: "IWA-Java"
	GRADLE_VERSION: "7.6.4"
	JAVA_VERSION: "17"
	BASE_DIR: "."

	jobs:

	Build-And-Unit-Test:
	# The type of runner that the job will run on
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	# Setup JDK 17 on host
	- uses: actions/setup-java@v4
	with:
	distribution: 'temurin'
	java-version: ${{ env.JAVA_VERSION}}
	- name: Setup Gradle
	uses: gradle/actions/setup-gradle@v3
	with:
	gradle-version: ${{ env.GRADLE_VERSION }}
	# Build / Test with Gradle
	- name: Build with Gradle
	run: ./gradlew clean build test
	# Publish test results
	- name: Publish Test Results
	uses: EnricoMi/publish-unit-test-result-action@v2
	if: always()
	with:
	files: \|
	build/test-results/*/.xml
	build/test-results/*/.trx
	build/test-results/*/.json

	Quality-Gate:
	runs-on: ubuntu-latest
	if: ${{ always() }}
	needs: [ Build-And-Unit-Test ]
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	# TBD

	FoD-SAST-Scan:
	runs-on: ubuntu-latest
	if: ${{ (github.event_name == 'push') \|\| (github.event_name == 'pull_request') \|\| (github.event.inputs.runFoDSASTScan == 'true') }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	# Setup JDK 17 on host
	- uses: actions/setup-java@v4
	with:
	distribution: 'temurin'
	java-version: ${{ env.JAVA_VERSION }}

	# Manually package source and libs
	#- name: Package Source and Libs
	# run: ./gradlew clean build -x test zip
	#- name: Setup Fortify tools
	# uses: fortify/github-action/setup@v1
	# with:
	# #tool-definitions: https://github.com/fortify/tool-definitions/releases/download/v1/tool-definitions.yaml.zip
	# export-path: true
	# fcli: latest
	#- name: Perform FoD SAST Scan
	# shell: bash
	# run: \|
	# fcli --version
	# fcli fod session login --url $FOD_API_URI --client-id $FOD_CLIENT_ID --client-secret $FOD_CLIENT_SECRET --session github-actions
	# ./gradlew clean build -x test zip
	# fcli fod sast-scan start --release "${FOD_RELEASE}" -f $PACKAGE_FILE --store curScan --session github-actions
	# sleep 10
	# echo "fod_scan_id=$(fcli util var contents curScan -o 'expr={scanId}')" >> $GITHUB_OUTPUT
	# fcli fod sast-scan wait-for ::curScan:: --session github-actions
	# fcli fod session logout --session github-actions
	# env:
	# FOD_API_URI: ${{ vars.FOD_API_URL }}
	# FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }}
	# FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }}
	# PACKAGE_FILE: "./build/distributions/iwa-1.0-src.zip"
	# FOD_RELEASE: ${{ format('{0}{1}:{2}', env.DEFAULT_APP_NAME, vars.FORTIFY_APP_NAME_POSTFIX, github.ref_name) }}

	#
	# See: https://github.com/marketplace/actions/fortify-ast-scan
	#
	- name: Run Fortify on Demand SAST Scan
	uses: fortify/github-action@v1
	with:
	sast-scan: true
	debricked-sca-scan: false # we will do this separately using fcli
	env:
	FOD_URL: ${{ vars.FOD_URL }}
	#FOD_TENANT: ${{secrets.FOD_TENANT}}
	#FOD_USER: ${{secrets.FOD_USER}}
	#FOD_PASSWORD: ${{secrets.FOD_PAT}}
	FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
	FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
	# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s
	FOD_RELEASE: ${{ format('{0}{1}:{2}', env.DEFAULT_APP_NAME, vars.FORTIFY_APP_NAME_POSTFIX, github.ref_name) }}
	DO_SETUP: true
	# SETUP_ACTION: https://scm.my.org/shared-repos/fcli-actions/setup.yaml
	# SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
	SETUP_EXTRA_OPTS: ${{ format('--copy-from "{0}{1}:{2}" --sdlc-status Development --app-owner {3} --assessment-type "{4}"', env.DEFAULT_APP_NAME, vars.FORTIFY_APP_NAME_POSTFIX, vars.FORTIFY_PARENT_APPVER_NAME, vars.FOD_DEFAULT_OWNER, vars.FOD_DEFAULT_ASSESSMENT_TYPE) }}
	#SC_CLIENT_VERSION: 24.4.1
	#DO_PACKAGE_DEBUG: true
	PACKAGE_EXTRA_OPTS: -bt gradle -bf build.gradle -bc "clean build -x test"
	# FOD_SAST_SCAN_EXTRA_OPTS:
	DO_WAIT: true
	# DO_POLICY_CHECK: true
	# POLICY_CHECK_ACTION: https://scm.my.org/shared-repos/fcli-actions/check-policy.yaml
	# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore
	DO_JOB_SUMMARY: true
	# JOB_SUMMARY_ACTION: https://scm.my.org/shared-repos/fcli-actions/job-summary.yaml
	# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore
	DO_PR_COMMENT: true
	# PR_COMMENT_ACTION: https://scm.my.org/shared-repos/fcli-actions/github-pr-comment.yaml
	# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore
	DO_EXPORT: true
	# EXPORT_ACTION: https://scm.my.org/shared-repos/fcli-actions/github-sast-report.yaml
	# EXPORT_EXTRA_OPTS: --on-unsigned=ignore
	# TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip

	FoD-OSS-Scan:
	runs-on: ubuntu-latest
	if: ${{ (github.event_name == 'push') \|\| (github.event_name == 'pull_request') \|\| (github.event.inputs.runFoDOSSScan == 'true') }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Fortify tools
	uses: fortify/github-action/setup@v1
	with:
	#tool-definitions: https://github.com/fortify/tool-definitions/releases/download/v1/tool-definitions.yaml.zip
	export-path: true
	fcli: latest
	debricked-cli: 2.6.1 # change to latest
	- name: Perform FoD OSS Scan
	shell: bash
	run: \|
	fcli --version
	fcli fod session login --url $FOD_API_URI --client-id $FOD_CLIENT_ID --client-secret $FOD_CLIENT_SECRET --session github-actions
	rm -f $PACKAGE_FILE
	debricked resolve
	zip $PACKAGE_FILE gradle.debricked.lock debricked-config.yaml
	fcli fod oss-scan start --release "${FOD_RELEASE}" -f $PACKAGE_FILE --store curScan --session github-actions
	sleep 10
	echo "fod_scan_id=$(fcli util var contents curScan -o 'expr={scanId}')" >> $GITHUB_OUTPUT
	fcli fod oss-scan wait-for ::curScan:: --session github-actions
	fcli fod session logout --session github-actions
	env:
	FOD_API_URI: ${{ vars.FOD_API_URL }}
	FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }}
	FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }}
	PACKAGE_FILE: "osspackage.zip"
	FOD_RELEASE: ${{ format('{0}{1}:{2}', env.DEFAULT_APP_NAME, vars.FORTIFY_APP_NAME_POSTFIX, github.ref_name) }}

	Deploy-App:
	runs-on: ubuntu-latest
	if: ${{ (github.event_name == 'push') \|\| (github.event_name == 'pull_request') \|\| (github.event.inputs.deployApp == 'true') }}
	needs: [ Build-And-Unit-Test, FoD-SAST-Scan, FoD-OSS-Scan ]
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Deploy App
	shell: bash
	run: \|
	echo "Simulating deployment"
	env:
	FOD_APP_NAME: ${{ env.DEFAULT_APP_NAME }}
	# TBD

	Functional-Test:
	runs-on: ubuntu-latest
	if: ${{ always() }}
	needs: [ Deploy-App ]
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	# TBD

	FoD-DAST-Scan:
	runs-on: ubuntu-latest
	if: ${{ (github.ref_name == github.event.repository.default_branch) && (github.event.inputs.runFoDDASTScan == 'true') }}
	needs: [ Deploy-App ]
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Fortify App and Release Name
	id: fortify-app-and-rel-name
	uses: fortify-presales/github-actions/fortify-app-and-release-name@main
	with:
	default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
	default_fortify_release_name: ${{ github.ref_name }}
	app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
	- name: FoD DAST scan
	id: fod-dast-scan
	uses: fortify-presales/github-actions/fod-dast-scan@main
	with:
	working_directory: ${{ env.BASE_DIR }}
	fod_url: ${{ vars.FOD_URL }}
	fod_api_url: ${{ vars.FOD_API_URL }}
	fod_client_id: ${{ secrets.FOD_CLIENT_ID }}
	fod_client_secret: ${{ secrets.FOD_CLIENT_SECRET }}
	fod_app_name: ${{ format('{0}{1}', env.DEFAULT_APP_NAME, vars.FORTIFY_APP_NAME_POSTFIX) }}
	fod_release_name: ${{ github.ref_name }}
	#fod_release_name: ${{ format('{0}#{1}', steps.fortify-app-and-rel-name.outputs.release_name, github.run_number) }}
	#fod_parent_release_name: ${{ steps.fortify-app-and-rel-name.outputs.parent_release_name }}

	Security-Gate:
	runs-on: ubuntu-latest
	if: ${{ always() }}
	needs: [ Functional-Test, FoD-DAST-Scan ]
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Fortify App and Release Name
	id: fortify-app-and-rel-name
	uses: fortify-presales/github-actions/fortify-app-and-release-name@main
	with:
	default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
	default_fortify_release_name: ${{ github.ref_name }}
	app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
	- name: Verify FoD Security Policy
	uses: fortify-presales/github-actions/verify-fod-security-policy@main
	with:
	fod_api_url: ${{ vars.FOD_API_URL }}
	fod_client_id: ${{ secrets.FOD_CLIENT_ID }}
	fod_client_secret: ${{ secrets.FOD_CLIENT_SECRET }}
	fod_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
	fod_release_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}

	Release-To-Prod:
	runs-on: ubuntu-latest
	needs: [ Quality-Gate, Security-Gate ]
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	# TBD

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DevSecOps with Fortify on Demand #169

Workflow file

DevSecOps with Fortify on Demand #169

Jobs

Run details

Workflow file for this run