forked from veracode/github-actions-integration
-
Notifications
You must be signed in to change notification settings - Fork 0
90 lines (82 loc) · 3.96 KB
/
veracode-sca-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
name: Veracode Software Composition Analysis
run-name: Software Composition Analysis - ${{ github.event.client_payload.repository.name }}
concurrency:
group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch }}
cancel-in-progress: true
on:
repository_dispatch:
types: [veracode-sca-scan]
jobs:
register:
uses: ./.github/workflows/veracode-check-run.yml
with:
check_run_name: ${{ github.workflow }}
head_sha: ${{ github.event.client_payload.sha }}
repositroy_owner: ${{ github.event.client_payload.repository.owner }}
repositroy_name: ${{ github.event.client_payload.repository.name }}
event_type: ${{ github.event.client_payload.event_type }}
github_token: ${{ github.event.client_payload.token }}
run_id: ${{ github.run_id }}
branch: ${{ github.event.client_payload.repository.branch }}
veracode-sca-scan:
needs: [register]
runs-on: ubuntu-latest
name: Veracode Component Analysis
timeout-minutes: 30
steps:
- uses: actions/checkout@v4
with:
repository: ${{ github.event.client_payload.repository.full_name }}
ref: ${{ github.event.client_payload.repository.branch }}
token: ${{ github.event.client_payload.token }}
- uses: actions/checkout@v4
with:
path: 'veracode-helper'
- name: Find yarn JS apps using workspaces
run: |
if [ -f "package.json" ] && [ -f "pnpm-lock.yaml" ] && [ -f "pnpm-workspace.yaml" ]; then
echo "- The file package.json, pnpm-lock.yml and pnpm-workspace.yaml exist. This looks like a PNPM workspace project."
if grep -q "workspaces" "package.json"; then
echo "-- The package.json file contains workspaces - running PNPM lockfile generator"
node veracode-helper/helper/pnpm-helper.js --folder '/home/runner/work/veracode/veracode' --intRepoPrefix '${{ github.event.client_payload.repository.owner }}' --repoName '${{ github.event.client_payload.repository.name }}'
else
echo "-- The package.json file does not contain workspace - this will fail - exiting"
fi
elif [ -f "package.json" ] && [ ! -f "pnpm-lock.yml" ] && [ ! -f "pnpm-workspace.yaml" ]; then
if grep -q "workspaces" "package.json"; then
echo "- The package.json file exists, and it contains 'workspaces'."
if grep -q "yarn" "package.json"; then
echo "-- Yarn was identified on the package.json file"
version=$(grep 'yarn' package.json | grep -oE '[0-9]' | head -n 1)
if [ -z "$version" ]; then
echo "-- The yarn version could not be identified."
else
echo "-- The yarn version is: $version"
if [ $version -lt "3" ]; then
echo "---- Running v2 lockfile generator"
node veracode-helper/helper/yarn-lock-file-generator-v2.js --folder /home/runner/work/veracode/veracode
elif [ $version -ge "3" ]; then
echo "---- Running v3 lockfile generator"
node veracode-helper/helper/yarn-lock-file-generator-v3.js --folder /home/runner/work/veracode/veracode
fi
fi
else
echo "- Yarn was not identified on the package.json file"
fi
else
echo "- The package.json file exists, but it does not contain 'workspaces'."
fi
else
echo "The package.json file does not exist."
fi
rm -rf veracode-helper
- name: Run Veracode SCA
env:
SRCCLR_API_TOKEN: ${{ secrets.VERACODE_AGENT_TOKEN }}
JAVA_OPTS: -Xms2g -Xmx4g
uses: veracode/[email protected]
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
create-issues: false
recursive: true
allow-dirty: true