From 6eed66622b0c14026311283cdce264bd0a357a54 Mon Sep 17 00:00:00 2001
From: Daniel Rivera
Date: Fri, 4 Oct 2024 10:18:34 -0400
Subject: [PATCH 1/3] Add Veracode scanning
---
 .github/workflows/security.yml | 50 ++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 .github/workflows/security.yml
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 000000000..69c87fcd0
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,50 @@
+name: security-check
+
+on:
+  push:
+    branches:
+      - master
+      - sicurezza
+
+jobs:
+  veracode:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18.x'
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile --silent
+
+      - name: Veracode Agent Based Scan
+        env:
+          SRCCLR_API_TOKEN: ${{ secrets.AS__VERACODE_AGENT_TOKEN }}
+          GITHUB_USER: ${{ vars.AS__GITHUB_USER }}
+          GITHUB_TOKEN: ${{ secrets.AS__GITHUB_TOKEN }}
+        uses: veracode/veracode-sca@v2.1.9
+        with:
+          github_token: $${{ secrets.AS__GITHUB_TOKEN }}
+          create-issues: false
+          allow-dirty: true
+
+      - name: Veracode (create zip)
+        run: zip -r src.zip . -x ".git/*" ".github/*" ".env*"
+
+      - name: Veracode Upload and Scan
+        uses: veracode/veracode-uploadandscan-action@0.2.6
+        with:
+          appname: '${{ github.repository }}'
+          version: '${{ github.head_ref || github.ref_name }} - ${{ github.sha }}'
+          filepath: './src.zip'
+          vid: '${{ secrets.AS__VERACODE_API_ID }}'
+          vkey: '${{ secrets.AS__VERACODE_API_KEY }}'
+          scanallnonfataltoplevelmodules: true
+          allow-dirty: true
+
From 8c7245b857d43b5b433820c33fef76b1557e2fc2 Mon Sep 17 00:00:00 2001
From: Daniel Rivera
Date: Wed, 9 Oct 2024 11:08:05 -0400
Subject: [PATCH 2/3] Upgrade Veracode actions and fix warning
---
 .github/workflows/security.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
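Review bot: The workflow declares no `permissions:` block, so the `veracode` job runs with the repository's default GITHUB_TOKEN grant even though nothing in it needs write access (the SCA step sets `create-issues: false` and the upload step authenticates with Veracode's own `vid`/`vkey`); add `permissions:` / `  contents: read` at the top level above `jobs:` so a compromised action or dependency cannot push, open issues or touch releases with that token. Relatedly, `actions/checkout@v4`, `actions/setup-node@v4`, `veracode/veracode-sca@v2.1.9` and `veracode/veracode-uploadandscan-action@0.2.6` are pinned to mutable tags while the two Veracode steps receive `SRCCLR_API_TOKEN`, `AS__GITHUB_TOKEN`, `AS__VERACODE_API_ID` and `AS__VERACODE_API_KEY`; pin each `uses:` to a full commit SHA (keeping the tag in a trailing `# v2.1.9` style comment) so a retagged release cannot exfiltrate those secrets. The zip step also runs after `yarn install`, so `node_modules/` is packed into `src.zip` and uploaded with the first-party source; adding `"node_modules/*"` to the `-x` list avoids that, and the `".env*"` exclusion presumably only matches at the repository root, so a `"*/.env*"` pattern may be needed if such files live in subdirectories.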
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 69c87fcd0..2312b400f 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -28,7 +28,7 @@ jobs:
           SRCCLR_API_TOKEN: ${{ secrets.AS__VERACODE_AGENT_TOKEN }}
           GITHUB_USER: ${{ vars.AS__GITHUB_USER }}
           GITHUB_TOKEN: ${{ secrets.AS__GITHUB_TOKEN }}
-        uses: veracode/veracode-sca@v2.1.9
+        uses: veracode/veracode-sca@v2.1.12
         with:
           github_token: $${{ secrets.AS__GITHUB_TOKEN }}
           create-issues: false
@@ -38,7 +38,7 @@ jobs:
         run: zip -r src.zip . -x ".git/*" ".github/*" ".env*"
       - name: Veracode Upload and Scan
-        uses: veracode/veracode-uploadandscan-action@0.2.6
+        uses: veracode/veracode-uploadandscan-action@0.2.7
         with:
           appname: '${{ github.repository }}'
           version: '${{ github.head_ref || github.ref_name }} - ${{ github.sha }}'
@@ -46,5 +46,3 @@ jobs:
           vid: '${{ secrets.AS__VERACODE_API_ID }}'
           vkey: '${{ secrets.AS__VERACODE_API_KEY }}'
           scanallnonfataltoplevelmodules: true
-          allow-dirty: true
-
From bbc3d945ba8f9857a62659f9c5c52713f8864073 Mon Sep 17 00:00:00 2001
From: Daniel Rivera
Date: Mon, 4 Nov 2024 16:27:50 -0500
Subject: [PATCH 3/3] Remove unused vars
---
 .github/workflows/security.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 2312b400f..29dc72076 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -26,11 +26,8 @@ jobs:
       - name: Veracode Agent Based Scan
         env:
           SRCCLR_API_TOKEN: ${{ secrets.AS__VERACODE_AGENT_TOKEN }}
-          GITHUB_USER: ${{ vars.AS__GITHUB_USER }}
-          GITHUB_TOKEN: ${{ secrets.AS__GITHUB_TOKEN }}
         uses: veracode/veracode-sca@v2.1.12
         with:
-          github_token: $${{ secrets.AS__GITHUB_TOKEN }}
           create-issues: false
           allow-dirty: true