-
Notifications
You must be signed in to change notification settings - Fork 1
/
action.yml
437 lines (349 loc) · 16.5 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
name: 'Checkmarx CxFlow++ GitHub Action'
description: 'Orchestrates vulnerability scanning and issue tracker item lifecycle.'
author: 'Nathan Leach, Principal Solutions Architect, Checkmarx'
inputs:
# Required parameters
project-name:
description: The name of the scan project. This should include the branch being scanned using your organization's established system naming convention. The string `{branch}` will be replaced by the event's branch name if found in the project name.
app-name:
description: The name of the application used when making issue tracker tags.
# Required unless disable-sast-scan is set to true
sast-url:
required: false
description: The base URL to the Checkmarx SAST server (do not include CxWebClient).
sast-team:
required: false
default: /CxServer
description: The full path of the SAST team that owns the project to scan.
sast-username:
required: false
description: The username of the SAST account to use for scanning.
sast-password:
required: false
description: The password for the selected SAST account.
# Required unless disable-sca-scan is set to true
sca-tenant:
required: false
description: The name of the SCA tenant.
sca-username:
required: false
description: The username of the SCA account to use for scanning.
sca-password:
required: false
description: The password for the selected SCA account.
# Optional parameters
cxflow-jar-path:
default: ''
description: The local path to the CxFlow jar. If blank, CxFlow will be downloaded.
cxflow-version:
default: latest
description: The CxFlow version to use for execution. Ignored if cxflow-jar-path is set.
cxflow-params:
description: Command line parameters to pass to CxFlow at every execution.
pull-request-cxflow-params:
description: Command line parameters passed to CxFlow only when executing during a pull-request event.
push-cxflow-params:
description: Command line parameters passed to CxFlow only when executing during a push event.
docker-login-registry:
default: docker.io
description: The name of the container registry to use for login.
docker-login-username:
default: ''
description: The username for the container registry login.
docker-login-password:
default: ''
description: The password for the container registry login.
upload-sarif-file:
default: true
description: Uploads the Sarif file to create entries on the GitHub security tab during push events.
delete-sarif-file:
default: true
description: Set to "false" when using the Sarif feedback channel to keep the Sarif file at the path returned in the sarif-path output parameter.
default-branch:
default: ${{ github.event.repository.default_branch }}
description: The default branch of the repository used as the root parent project in SAST from which branch projects are derived. This defaults to the repo's defined default branch.
disable-sast-scan:
default: false
description: Set to true to disable SAST scanning.
disable-sca-scan:
default: false
description: Set to true to disable SCA scanning.
enable-wire-trace:
default: false
description: Set to true to emit web API I/O wire tracing to the action logs.
sast-log-level:
default: INFO
description: The logging level for CxFlow output emitted as the action executes. (TRACE, DEBUG, ERROR, INFO)
java-opts:
default: -Xms512m -Xmx2048m
description: Options to pass to the JVM.
java-props:
default: -Djava.security.egd=file:/dev/./urandom
description: Properties to pass to the JVM.
push-feedback-channel:
default: Sarif
description: The feedback channel to use when scanning for a push.
pull-request-feedback-channel:
default: GITHUBPULL
description: The feedback channel to use when scanning for a pull request.
application-yaml-path:
default: ''
description: A path to a CxFlow yaml configuration file.
build-container-tag:
default: ''
description: Set the the tag of the container used to perform the code build. SCA Resolver will execute in an instance of this container to obtain an accurate dependency tree.
break-on-manifest-failure:
default: true
description:
scaresolver-tag:
default: ''
description: The tag for the containerized SCAResolver build environment where the action will execute dependency scanning. The image must not be built with a *-bare target. If this is not supplied, the SCA dependency scan will execute on the SCA server.
spring-props:
default: ''
description: Spring boot properties to pass to the JVM.
custom-ca-path:
default: ''
description: Path to a file or directory containing a custom CA cert chain that is imported into the Java runtime cacerts store.
outputs:
sarif-path:
description: The path to the Sarif file produced from the scan.
value: ${{ steps.sarif-path-gen.outputs.sarif-path }}
runs:
using: 'composite'
steps:
- uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9
with:
distribution: 'corretto'
java-version: '17'
- shell: bash
run: |
: Set Temp Paths
RESOLVER=$(mktemp -d -p "$GITHUB_ACTION_PATH")
echo "RESOLVER_PATH=$RESOLVER" >> "$GITHUB_ENV"
TOOLKIT=$(mktemp -d -p "$GITHUB_ACTION_PATH")
echo "TOOLKIT_PATH=$TOOLKIT" >> "$GITHUB_ENV"
PSCICDTOOLS=$(mktemp -d -p "$GITHUB_ACTION_PATH")
echo "PSCICDTOOLS_PATH=$PSCICDTOOLS" >> "$GITHUB_ENV"
- shell: bash
run: |
: Download PS CI/CD Tools https://github.com/checkmarx-ts/ps-cicd-tools
wget -q -O ${{ env.PSCICDTOOLS_PATH }}/cxflow-downloader.jar https://github.com/checkmarx-ts/ps-cicd-tools/releases/latest/download/cxflow-downloader.jar
wget -q -O ${{ env.PSCICDTOOLS_PATH }}/archive-downloader.jar https://github.com/checkmarx-ts/ps-cicd-tools/releases/latest/download/archive-downloader.jar
- if: inputs.cxflow-jar-path == ''
shell: bash
run: |
: Download CxFlow https://github.com/checkmarx-ltd/cx-flow
CXFLOW_DOWNLOAD_OPTS="--skip --outdir "$GITHUB_ACTION_PATH/cx-flow""
if [ "${{ inputs.cxflow-version }}" == "latest" ]; then
CXFLOW_JAR_PATH=$(java -jar ${{ env.PSCICDTOOLS_PATH }}/cxflow-downloader.jar --latest $CXFLOW_DOWNLOAD_OPTS)
else
CXFLOW_JAR_PATH=$(java -jar ${{ env.PSCICDTOOLS_PATH }}/cxflow-downloader.jar --version ${{ inputs.cxflow-version }} $CXFLOW_DOWNLOAD_OPTS)
fi
echo "CXFLOW_JAR_PATH=$CXFLOW_JAR_PATH" >> "$GITHUB_ENV"
echo Using CxFlow JAR: $CXFLOW_JAR_PATH
- shell: bash
if: inputs.cxflow-jar-path != ''
run: |
: Set CxFlow jar location environment variables
echo "CXFLOW_JAR_PATH=$(realpath ${{ inputs.cxflow-jar-path }})" >> "$GITHUB_ENV"
- shell: bash
run: |
: Configure Resolve Manifest Failure Break
if [ "${{ inputs.break-on-manifest-failure}}" == "true" ]; then
echo SCA Resolver manifest failures are set to break the build.
echo "CXFLOW_SCA_MANIFEST_FAILURE='--sca.sca-resolver-add-parameters.break-on-manifest-failure'" >> "$GITHUB_ENV"
else
echo SCA Resolver manifest failures WILL NOT break the build.
echo "CXFLOW_SCA_MANIFEST_FAILURE=" >> "$GITHUB_ENV"
fi
- shell: bash
run: |
: Setup App Name
if [ "${{ inputs.app-name }}" == "" ]; then
echo "APPNAME=$GITHUB_REPOSITORY" >> "$GITHUB_ENV"
else
echo "APPNAME=${{ inputs.app-name }}" >> "$GITHUB_ENV"
fi
- shell: bash
if: inputs.application-yaml-path != ''
run: |
: Use custom config YAML
echo "CONFIG_PARAM=--spring.config.location='${{ inputs.application-yaml-path }}'" >> "$GITHUB_ENV"
- shell: bash
if: inputs.application-yaml-path == ''
run: |
: Use default config YAML
echo "CONFIG_PARAM=--spring.config.location='$GITHUB_ACTION_PATH/cxflow-defaults.yml'" >> "$GITHUB_ENV"
- shell: bash
if: github.event_name == 'pull_request'
run: |
: Set params for PR
echo "CXFLOW_FEEDBACK_CHANNEL=${{ inputs.pull-request-feedback-channel }}" >> "$GITHUB_ENV"
echo "CXFLOW_FEEDBACK_PARAMS=--bug-tracker='${{ inputs.pull-request-feedback-channel }}' --merge-id='${{ github.event.number }}'" >> "$GITHUB_ENV"
echo "CXFLOW_EVENT_PARAMS=${{ inputs.pull-request-cxflow-params }}" >> "$GITHUB_ENV"
echo "PROPER_BRANCH_NAME=${{ github.head_ref }}" >> "$GITHUB_ENV"
- shell: bash
if: github.event_name != 'pull_request'
run: |
: Set params for push
echo "CXFLOW_FEEDBACK_CHANNEL=${{ inputs.push-feedback-channel }}" >> "$GITHUB_ENV"
echo "CXFLOW_FEEDBACK_PARAMS=--bug-tracker='${{ inputs.push-feedback-channel }}'" >> "$GITHUB_ENV"
echo "CXFLOW_EVENT_PARAMS=${{ inputs.push-cxflow-params }}" >> "$GITHUB_ENV"
echo "PROPER_BRANCH_NAME=${{ github.ref_name }}" >> "$GITHUB_ENV"
- shell: bash
run: |
: Set project name
if [ "${{ inputs.project-name }}" == "" ]; then
PROJECT_NAME="$GITHUB_REPOSITORY-{branch}"
else
PROJECT_NAME="${{ inputs.project-name }}"
fi
PROJECT_NAME=$(echo $PROJECT_NAME | sed -E "s/(.*)(\{branch\})(.*)/\1${{ env.PROPER_BRANCH_NAME }}\3/")
echo "PROJECT_NAME=$PROJECT_NAME" >> "$GITHUB_ENV"
- shell: bash
run: |
: Set log level
echo "CXFLOW_LOGLEVEL_PARAMS=--logging.level.com.checkmarx='${{ inputs.sast-log-level }}'" >> "$GITHUB_ENV"
- if: inputs.enable-wire-trace == 'true'
shell: bash
run: |
: Set wire trace
echo "WIRE_TRACE_PARAMS=--logging.level.org.apache.http.wire=TRACE" >> "$GITHUB_ENV"
- name: Container Registry Login
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446
if: inputs.docker-login-username != '' && inputs.docker-login-password != ''
with:
registry: ${{ inputs.docker-login-registry }}
username: ${{ inputs.docker-login-username }}
password: ${{ inputs.docker-login-password }}
- name: Set up Docker Buildx
if: inputs.scaresolver-tag != '' || inputs.build-container-tag != ''
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
- shell: bash
if: inputs.scaresolver-tag != ''
run: |
: Set SCAResolver parameters for scaresolver-tag
echo "CONTAINER_TAG=${{ inputs.scaresolver-tag }}" >> "$GITHUB_ENV"
cp $GITHUB_ACTION_PATH/ScaResolver "${{ env.RESOLVER_PATH }}"
echo "SCA_RESOLVER_CONFIG=--sca.enable-sca-resolver=true --sca.path-to-sca-resolver='${{ env.RESOLVER_PATH }}'" >> "$GITHUB_ENV"
- shell: bash
if: inputs.scaresolver-tag == ''
run: |
: Download Supply Chain Toolkit https://github.com/checkmarx-ts/cx-supply-chain-toolkit
java -jar ${{ env.PSCICDTOOLS_PATH }}/archive-downloader.jar \
--url https://github.com/checkmarx-ts/cx-supply-chain-toolkit/releases/latest/download/build-environment.zip \
--outdir "${{ env.TOOLKIT_PATH }}" --unzip
- if: inputs.custom-ca-path != ''
shell: bash
run: |
: Import custom CA certs
if [ -f "${{ inputs.custom-ca-path }}" ];
then
keytool -importcert -cacerts -storepass changeit -noprompt -file "${{ inputs.custom-ca-path }}"
cp "${{ inputs.custom-ca-path }}" "${{ env.TOOLKIT_PATH }}"/cacerts/
fi
if [ -d "${{ inputs.custom-ca-path }}" ];
then
for CA in $(ls ${{ inputs.custom-ca-path }});
do
keytool -alias "$CA" -importcert -cacerts -storepass changeit -noprompt -file "${{ inputs.custom-ca-path }}/${CA}" \
&& echo "Imported $CA" || echo "$CA was not imported"
cp "$CA" "${{ env.TOOLKIT_PATH }}"/cacerts/
done
fi
- shell: bash
if: inputs.scaresolver-tag == '' && inputs.build-container-tag == ''
run: |
: Set SCAResolver parameters for runner execution
RESOLVER=$(java -jar ${{ env.PSCICDTOOLS_PATH }}/archive-downloader.jar --resolver --outdir "${{ env.RESOLVER_PATH }}")
echo "SCA_RESOLVER_CONFIG=--sca.enable-sca-resolver=true --sca.path-to-sca-resolver='$RESOLVER'" >> "$GITHUB_ENV"
$RESOLVER/ScaResolver --version
- shell: bash
if: inputs.scaresolver-tag == '' && inputs.build-container-tag != ''
run: |
: Set SCAResolver parameters for autobuild execution
CONTAINER_TAG=$(${{ env.TOOLKIT_PATH }}/autobuild.sh -t "${{ inputs.build-container-tag }}" -d "${{ env.TOOLKIT_PATH }}" -u -g -a "--load")
echo "CONTAINER_TAG=$CONTAINER_TAG" >> "$GITHUB_ENV"
cp $GITHUB_ACTION_PATH/ScaResolver "${{ env.RESOLVER_PATH }}"
echo "SCA_RESOLVER_CONFIG=--sca.enable-sca-resolver=true --sca.path-to-sca-resolver='${{ env.RESOLVER_PATH }}'" >> "$GITHUB_ENV"
- id: sarif-path-gen
shell: bash
run: |
: Set Sarif File Path
SARIF_FILE=$(dirname ${{ env.CXFLOW_JAR_PATH }})/${{ github.run_id }}.sarif
echo "SARIF_FILE=$SARIF_FILE" >> "$GITHUB_ENV"
echo "sarif-path=$SARIF_FILE" >> "$GITHUB_OUTPUT"
- shell: bash
run: |
: Enable Scanners
SCANNERS=""
[[ "${{ inputs.disable-sast-scan }}" == "false" ]] && SCANNERS="sast," || :
[[ "${{ inputs.disable-sca-scan }}" == "false" ]] && SCANNERS="${SCANNERS}sca" || :
echo "SCANNER_CONFIG=--cx-flow.enabled-vulnerability-scanners='${SCANNERS}'" >> "$GITHUB_ENV"
- if: inputs.disable-sast-scan == 'false' || inputs.disable-sca-scan == 'false'
shell: bash
env:
CHECKMARX_BASE_URL: ${{ inputs.sast-url }}
CHECKMARX_URL: ${{ inputs.sast-url }}/cxrestapi
CHECKMARX_USERNAME: ${{ inputs.sast-username }}
CHECKMARX_PASSWORD: ${{ inputs.sast-password }}
SCA_TENANT: ${{ inputs.sca-tenant }}
SCA_USERNAME: ${{ inputs.sca-username }}
SCA_PASSWORD: ${{ inputs.sca-password }}
CONTAINER_TAG: ${{ env.CONTAINER_TAG }}
SARIF_FILE_PATH: ${{ env.SARIF_FILE }}
GITHUB_TOKEN: ${{ github.token }}
GITHUB_APIURL: ${{ github.api_url }}/repos
GITHUB_URL: ${{ github.server_url }}
run: |
: Orchestrate scans with CxFlow
set +e
java ${{ inputs.java-opts }} ${{ inputs.java-props }} ${{ inputs.spring-props }} \
-jar ${{ env.CXFLOW_JAR_PATH}} \
${{ env.CONFIG_PARAM }} \
--scan --f=. \
${{ env.SCA_RESOLVER_CONFIG }} \
${{ env.CXFLOW_SCA_MANIFEST_FAILURE }} \
--cx-team='${{ inputs.sast-team }}' \
--cx-project='${{ env.PROJECT_NAME }}' \
--namespace='${{ github.repository_owner }}' \
--repo-name='${{ github.event.repository.name }}' \
--branch='${{ env.PROPER_BRANCH_NAME }}' \
--default-branch='${{ inputs.default-branch }}' \
${{ env.CXFLOW_FEEDBACK_PARAMS }} \
${{ env.CXFLOW_LOGLEVEL_PARAMS }} \
${{ env.WIRE_TRACE_PARAMS }} \
${{ env.SCANNER_CONFIG }} \
--SHA='${{ github.sha }}' \
--app='${{ env.APPNAME }}' \
${{ inputs.cxflow-params }} \
${{ env.CXFLOW_EVENT_PARAMS }}
echo "CXFLOW_RESULT=$?" >> "$GITHUB_ENV"
- name: Upload Sarif Results
if: env.CXFLOW_RESULT == 0 && inputs.upload-sarif-file == 'true' && env.CXFLOW_FEEDBACK_CHANNEL == 'Sarif' && (inputs.disable-sast-scan == 'false' || inputs.disable-sca-scan == 'false')
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c
with:
sarif_file: ${{ env.SARIF_FILE }}
- if: env.CXFLOW_FEEDBACK_CHANNEL == 'Sarif' && inputs.delete-sarif-file == 'true'
shell: bash
run: |
: Remove Sarif File
[[ -f "${{ env.SARIF_FILE }}" ]] && rm -f ${{ env.SARIF_FILE }} || :
- if: ${{ !cancelled() }}
shell: bash
run: |
: Finalize Execution
if [ ${{ env.CXFLOW_RESULT }} -eq 10 -a "${{ inputs.break-on-manifest-failure}}" == "true" ]; then
cat $GITHUB_ACTION_PATH/sca-error.txt
fi
exit ${{ env.CXFLOW_RESULT }}
- if: always()
shell: bash
run: |
: Cleanup temp directories
[ -d ${{ env.RESOLVER_PATH }} ] && rm -rf ${{ env.RESOLVER_PATH }} || :
[ -d ${{ env.TOOLKIT_PATH }} ] && rm -rf ${{ env.TOOLKIT_PATH }} || :
[ -d ${{ env.PSCICDTOOLS_PATH }} ] && rm -rf ${{ env.PSCICDTOOLS_PATH }} || :
branding:
color: 'green'
icon: 'layers'