forked from actions/starter-workflows
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request actions#2559 from ilya-k-1/jfrog/add_jfrog_sast_flow
Add jfrog-sast flow
- Loading branch information
Showing
2 changed files
with
70 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| # This workflow uses actions that are not certified by GitHub. | ||
| # They are provided by a third-party and are governed by | ||
| # separate terms of service, privacy policy, and support | ||
| # documentation. | ||
| # JFrog SAST performs 1st party source code security analysis | ||
| # For more information, see | ||
| # https://docs.jfrog-applications.jfrog.io/jfrog-security-features/sast | ||
|
|
||
| name: "JFrog SAST Scan" | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ $default-branch, $protected-branches ] | ||
| pull_request: | ||
| branches: [ $default-branch, $protected-branches ] | ||
| schedule: | ||
| - cron: $cron-weekly | ||
|
|
||
| env: | ||
| # [Mandatory] | ||
| # JFrog platform URL and access token for | ||
| # a JFrog platform instance with active | ||
| # JFrog Advanced Security subscription | ||
| JF_URL: ${{ secrets.JF_URL }} | ||
| JF_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} | ||
| jobs: | ||
| analyze: | ||
| name: Analyze | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
|
|
||
| - name: Install and configure JFrog CLI | ||
| run: | | ||
| npm install -g jfrog-cli-v2-jf | ||
| echo $JF_TOKEN | jf c add --interactive=false --url=$JF_URL --access-token-stdin | ||
| - name: Run JFrog SAST | ||
| run: | | ||
| jf audit --sast --format=sarif > jfrog_sast.sarif | ||
| - name: Upload output to generate autofix | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: jfrog_sast.sarif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "name": "JFrog SAST", | ||
| "description": "Scan for security vulnerabilities in source code using JFrog SAST", | ||
| "iconName": "frogbot", | ||
| "categories": | ||
| [ | ||
| "Code Scanning", | ||
| "security", | ||
| "python", | ||
| "java", | ||
| "javascript", | ||
| "typescript", | ||
| "go" | ||
| ], | ||
| "creator": "JFrog" | ||
| } |