minor updates to PR comments

.github/workflows/nigthlySecurityScan.yml

@@ -0,0 +1,47 @@
+name: Veracode Security Scan
+
+on: 
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: 0 4 * * *
+  workflow_dispatch:
+
+jobs:
+  veracode-sca-task:
+    runs-on: ubuntu-latest
+    name: Veracode SCA scan
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Run Veracode SCA
+        env:
+          SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
+        uses: veracode/[email protected]
+
+  veracode-sast-task:
+    runs-on: ubuntu-latest
+    name: Veracode SAST policy scan
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: create new package-lock.json
+        run: npm install
+      - name: ZIP source folder
+        run: zip -r app.zip src package-lock.json
+      - name: Run Veracode Policy scan
+        uses: veracode/[email protected]
+        with:
+          appname: 'GitHub SCA Action'
+          createprofile: false
+          filepath: 'app.zip'
+          scantimeout: 30
+          vid: '${{ secrets.API_ID }}'
+          vkey: '${{ secrets.API_KEY }}'
+
+
+
+

.gitignore

@@ -28,3 +28,5 @@ node_modules/
 .env
 .env.test
 
+.DS_Store
+src.zip

README.md

@@ -1,34 +1,33 @@
 # Veracode Software Composition Analysis
-Veracode Software Composition Analysis Scaning as a GitHub Action with the following actions:
-- Run the Veracode SCA sca similar as the script in textual output mode
-- Automatically create issues from Vulnerabilities based on given CVSS threshold 
-- Fail The action step based on given CVSS threshold
+Veracode Software Composition Analysis (agent-based scan) as a GitHub Action with the following actions:
+- Run the Veracode SCA similar as the script in textual output mode
+- Ability to create issues for identified vulnerabilities without creating duplicates
 - Ability to run the scan on a remote repository
 - Ability to run the scan with the `--quick` flag 
-
+
+## Pull Request Decoration  
+If the action runs on a pull request, it will either add a comment with the scan output to the PR or it will automatically link all created GitHub issues to the PR. This will help your review process to see if the PR can be approved or not.
+
 ## Inputs
-> :exclamation: You will need to provide `SRCCLR_API_TOKEN` as environment variables. (See examples below)
-
+:exclamation: You will need to provide `SRCCLR_API_TOKEN` as an environment variable (see examples below).
+
+:exclamation: If using an org-level agent, you will need to provide `SRCCLR_WORKSPACE_SLUG` as an environment variable.
+
+## Artifacts  
+The run will store 2 different types of artifacts.  
+If `create-issues` is set to true the artifact will be the json output stored as `scaResults.json`.  
+If `create-issues` is set to false the artifact will be the text output stored as `scaResults.txt`.  
+For both the artifact name will be `Veracode Agent Based SCA Results`.  
+
 ### `github_token`
 
 **Required** - The authorization token to allow the action to create issues.
-
-You may be able to simply can use the `${{ secrets.GITHUB_TOKEN }}` as a default option - see __[more details](https://docs.github.com/en/actions/security-guides/automatic-token-authentication)__
+
+If the default value `${{ github.token }}` is not working, the token must be set on the action inputs.    
+You may be able to simply use `${{ secrets.GITHUB_TOKEN }}` as a default option - see __[more details](https://docs.github.com/en/actions/security-guides/automatic-token-authentication)__
 
 Otherwise, you may be able create and assign __as secret__ a [Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) and assign it with the required permissions (`repo` scope).
 
-### `min-cvss-for-issue`
-**Optional** - The minimum CVSS for creating an issue from a found vulnerability
-
-Default Value: __0__
-
-### `fail-on-cvss`
-**Optional** - The maximum allowed cvss in found vulnerabilities to pass the step
-
-Default Value: __10__
-> The step will not fail unless you explicitly specify a lower CVSS value 
-
-Value: __0__
 
 ### `create-issues`
 **Optional** - whether to create issues from found vulnerabilities
@@ -47,7 +46,7 @@ This attribute is useful in scenarios where the actual code is not in the root o
 Default Value: __`.`__ (repository root folder)
 
 ### `quick`
-__Optional__ - run the Veracode SCA scan with the `--quick` 
+__Optional__ - run the Veracode SCA scan with `--quick` 
 
 Default Value: __false__
 
@@ -69,12 +68,24 @@ Default Value: __false__
 ### `recursive`
 __Optional__ - run the Veracode SCA scan with `--recursive` 
 
+Default Value: __false__ 
+
+### `skip-vms`
+__Optional__ - run the Veracode SCA scan with `--skip-vms`  
+
+Default Value: __false__
+
+### `no-graphs`
+__Optional__ - do not include dependency graphs in the JSON output.
+
 Default Value: __false__
 
 ## Examples
 
 ### Scan your repository with textual output
 
+Run a scan but do not create issues for identified vulnerabilities.
+
 ```yaml
 on: 
   schedule:
@@ -84,24 +95,24 @@ on:
 jobs:
   veracode-sca-task:
     runs-on: ubuntu-latest
-    name: Scan remote repository for Issues
+    name: Scan repository with Veracode SCA
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+
       - name: Run Veracode SCA
         env:
           SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
-        uses: lerer/veracode-sca@v1.0.8
+        uses: veracode/veracode-sca@v2.1.10
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          create-issues: false 
-          fail-on-cvss: 1     
+          create-issues: false   
 ```
 
-### Scan the repository   
+### Scan the local repository   
 
-Scan can the local repository. Fail the step and create issues if found vulnerability with CVSS greater than 1
+Run a quick scan on the repository and create issues for all identified vulnerabilities.
 
 
 ```yaml
@@ -115,22 +126,20 @@ on:
 jobs:
   veracode-sca-task:
     runs-on: ubuntu-latest
-    name: Scan repository for Issues
+    name: Scan repository with Veracode SCA
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+
       - name: Run Veracode SCA
         env:
           SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
-        uses: lerer/[email protected]
-
+        uses: veracode/[email protected]
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           quick: true
           create-issues: true 
-          fail-on-cvss: 1
-          min-cvss-for-issue: 1
 ```
 ## User Interface
 
@@ -142,4 +151,11 @@ jobs:
 ### Individual Issue
 <p align="center">
   <img src="/media/issue.png" width="700px" alt="Individual issues ticket content"/>
-</p>
+</p>  
+
+## Compile the action  
+The action comes pre-compiled as transpiled JavaScript. If you want to fork and build it on your own you need NPM to be installed, use `ncc` to compile all node modules into a single file, so they don't need to be installed on every action run. The command to build is simply  
+
+```sh
+ncc build ./src/action.ts  
+```

SECURITY.md

@@ -0,0 +1,19 @@
+# Our Commitment to Security
+
+Veracode was founded on the idea that companies should be able to access technology that allows them to scan their software for vulnerabilities so that they can identify them, fix them and improve their security. Since that time, we have created new technologies and services to enable our customers to scan for flaws in along the entire software development lifecycle, seeing results in seconds or minutes, to allow them to code securely while also remaining on schedule with continuous release cycles.
+
+Veracode envisions a world where the software fueling our economic growth and solving society's greatest challenges is developed secure from the start.
+
+We value transparency in the security industry and openness with sharing information that could improve security for every organization. Veracode is committed to engaging the research community in a professional, positive and agreeable manner that protects our company and our customers.
+
+As such, we encourage and welcome anyone who believes he or she has identified a vulnerability to contact us with security concerns or pertinent information to the integrity, functionality or confidentiality of our software.
+
+The terms below apply to any website, application or service distributed by or hosted by Veracode, Inc.
+
+Please use the email address  [**[email protected]**](mailto:[email protected]?subject=Responsible%20Disclosure%20Notice&body=URL(s)/Application(s)%20Impacted:%0A%0ASuspected%20Vulnerability%20Details:%0A%0ADescription%20of%20how%20the%20Vulnerability%20was%20found:%0A%0AContact%20Information:%0A%0AAny%20other%20relevant%20information:%0A%0A)  to alert us to:
+
+-   Vulnerabilities or breaches in our software or environments which threaten the confidentiality, integrity or availability of our data, software, or services, or our customers’ data
+-   Applications that mimic, mislabel, misdirect, or "copycat" Veracode, or phishing attacks even if they do not originate from Veracode sources
+-   Written or verbal discussion, activities, or data in any public forum which you believe constitutes a threat to Veracode, our employees or our customers
+
+For more, please refer to our [**Responsible Disclosure Policy**](https://www.veracode.com/legal-privacy/responsible-disclosure-policy)

action.yml

@@ -1,15 +1,16 @@
 # action.yml
-name: 'Veracode Software Composition Analysis'
+name: 'Veracode Dependency Scanning'
 description: 'An action to execute Veracode Agent-Based SCA and import findings as issues'
 branding:
   icon: 'play'
   color: 'blue'
 inputs:
   github_token:
     description: "Authorization token to query and create issues"
+    default: ${{ github.token }}
     required: true
   quick:
-    description: ""
+    description: "Run the SRCCLR with the `--quick` options"
     required: false
     default: "false"
   update_advisor:
@@ -20,14 +21,6 @@ inputs:
     description: "A git URL to work with in case the scan is not for the current repository"
     required: false
     default: ""
-  min-cvss-for-issue:
-    description: "The minimum CVSS value for vulnerability to be added as an issue"
-    required: false
-    default: "0"
-  fail-on-cvss:
-    description: "The maximum allowed cvss in found vulnerabilities to pass the step"
-    required: false
-    default: "10"
   create-issues:
     description: "An attribute to instruct the action to create an issue from found vulnerability or just simple text output"
     required: false
@@ -52,6 +45,14 @@ inputs:
     description: "Run the SRCCLR with the `--recursive` option"
     required: false
     default: "false"
+  skip-vms:
+    description: "Run the SRCCLR with the `--skip-vms` option"
+    required: false
+    default: "false"
+  no-graphs:
+    description: "Run the SRCCLR with the `--no-graphs` option"
+    required: false
+    default: "false"
 runs:
-  using: 'node12'
-  main: 'dist/index.js'
+  using: 'node16'
+  main: 'dist/index.js'