Sample workflow is full of mistakes
fortifysoftware opened this issue · 2 comments
The sample workflow .yaml script in the README is riddled with mistakes. Please fix it. Here's a correct version of the script for reference:
name: Fortify ScanCentral SAST Scan
on:
workflow_dispatch:
push:
branch: 'main'
pull_request:
# The branches below must be a subset of the branches above
branch: 'main'
jobs:
Fortify-SAST:
# Use the appropriate runner for building your source code
runs-on: ubuntu-latest
steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v2
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# If this run was triggered by a pull request event, then checkout the head of the pull request instead of the merge commit.
- run: git checkout HEAD^2
if: ${{ github.event_name == 'pull_request' }}
# Java 8 required by ScanCentral Client
- name: Setup Java
uses: actions/setup-java@v1
with:
java-version: 1.11
### Set up Fortify ScanCentral Client ###
- name: Download Fortify ScanCentral Client
uses: fortify/gha-setup-scancentral-client@v1.1.1
with:
version: 20.2.0
client-auth-token: ${{ secrets.CLIENT_AUTH_TOKEN }} # Optional, but required if ScanCentral Controller requires client authentication
### Run Fortify ScanCentral Client ###
# Update BUILD_OPTS based on the ScanCentral Client documentation and your project's included tech stack(s).
# ScanCentral Client will download dependencies for maven, gradle and msbuild projects.
# For other build tools, add your build commands to the workflow to download necessary dependencies and prepare according to Fortify SCA documentation.
- name: Perform SAST Scan
run: scancentral -ssctoken $TOKEN -sscurl ${URL} start $BUILD_OPTS -upload -application $APPLICATION -version $VERSION -uptoken $TOKEN
env:
URL: ${{ secrets.SSC_URL }}
TOKEN: ${{ secrets.SSC_UPLOAD_TOKEN }}
APPLICATION: "WebGoat"
VERSION: "8.1"
BUILD_OPTS: "-bt mvn"
### Archive ScanCentral Client logs on failure ###
- name: Save ScanCentral Logs
uses: actions/upload-artifact@v2
if: failure()
with:
name: scancentral-logs
path: /home/runner/.fortify/scancentral/log
Also, JDK 11 works fine with the ScanCentral client tool. Feel free to contact me if you have any questions.
Thanks for your input. Below are some comments based on comparing your example with the sample workflow in the documentation.
From what I can see there are two syntax errors in the sample workflow that need to be fixed:
- The
steps:
element is missing - Double
@
sign for thegha-setup-scancentral-client
action
Following changes would make sense, but don't prevent the workflow from running:
- As GitHub is moving towards
main
as the name for the default branch, it makes sense to update the sample workflow to trigger on pushes tomain
rather thanmaster
- Change the ScanCentral Client version to 20.2.0 (actually the
gha-setup-scancentral-client
action should also be updated to make this the default version) - If ScanCentral Client indeed runs fine on Java 11 (I couldn't find a definite answer in the Fortify documentation), then the comment stating that only Java 8 is supported should be removed
The following changes depend on the application to be scanned and personal preference:
- Which Java version to set up; if you're scanning a Java 8 application you may still want to set up Java 8. Java versions beyond 1.8 are usually referred to as 9, 10, 11, ..., so I would probably set up Java version
11
rather than1.11
- Whether to specify
-sscurl
or-url
in thescancentral
command; actually-url
may be preferred in order to not having to expose SSC to the internet when using GitHub-hosted runners
I don't necessarily agree with the following changes:
- According to the GitHub documentation, the correct syntax is
on.push.branches
as in the sample workflow, noton.push.branch
as in your example - Specifying the explicit home directory path to the ScanCentral log directory; using
~
seems to work fine or probably you could also use${{ env.HOME }}
or something similar; this would avoid any issues if GitHub ever decides to move the home directory to a different location
Any further thoughts on this?
Sample workflow and documentation have been updated, taking into account the considerations from my previous comment.