diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index d00baa0..4c40f67 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check-out source code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Configure git run: | git config user.name github-actions @@ -33,29 +33,27 @@ jobs: needs: update-action-references steps: - name: Check-out source code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Generate and process release PR id: release_please - uses: googleapis/release-please-action@v4 + uses: fortify/3rdparty-actions/actions/googleapis/release-please-action/v4@main with: release-type: simple - name: Publish v{major}.{minor} tag if: steps.release_please.outputs.release_created - uses: richardsimko/update-tag@v1 + uses: fortify/3rdparty-actions/actions/richardsimko/update-tag/v1@main with: tag_name: v${{steps.release_please.outputs.major}}.${{steps.release_please.outputs.minor}} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Publish v{major} tag if: steps.release_please.outputs.release_created - uses: richardsimko/update-tag@v1 + uses: fortify/3rdparty-actions/actions/richardsimko/update-tag/v1@main with: tag_name: v${{steps.release_please.outputs.major}} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Update release PR if: steps.release_please.outputs.pr diff --git a/README.md b/README.md index 571c7b6..3b7e5d6 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ The `fortify/github-action` GitHub Action allows for easy integration of OpenTex As such, this GitHub Action automatically benefits from new features and bug fixes as they are introduced in fcli, although there are options to use a fixed fcli version in case you need more stability. At the time of writing, the fcli `ci` action provides out-of-the-box support for Static Application Security Testing (SAST) and Software Composition Analysis (SCA); support for Dynamic or Mobile Application Security Testing (DAST & MAST) may be added in the future. -Apart from the top-level `fortify/github-action` for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products. +Apart from the top-level `fortify/github-action` (and related `fortify/github-action/with-github-artifacts`, `fortify/github-action/with-ghes-artifacts`, and `fortify/github-action/without-artifacts` sub-actions) for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This `setup` action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products. @@ -42,7 +42,10 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - - uses: fortify/github-action@v3 # Run Fortify scans + # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts + # to GitHub artifact storage (see artifact storage section below for alternative options) + - uses: fortify/github-action@v3 + name: Run Fortify Scan env: FOD_URL: ${{ vars.FOD_URL }} FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }} @@ -71,7 +74,10 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - - uses: fortify/github-action@v3 # Run Fortify scans + # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts + # to GitHub artifact storage (see artifact storage section below for alternative options) + - uses: fortify/github-action@v3 + name: Run Fortify Scan env: SSC_URL: ${{ vars.SSC_URL }} SSC_TOKEN: ${{ secrets.SSC_TOKEN }} @@ -103,13 +109,28 @@ jobs: fcli fod session logout ... ``` +### Artifact storage + +If debugging is enabled (either via the `debug: true` action input or by re-running the workflow with GitHub's "Enable debug logging" option), debug artifacts are collected during the scan and uploaded after the scan completes. + +The top-level `fortify/github-action` action uploads debug artifacts to GitHub.com artifact storage using `actions/upload-artifact@v7`. If this doesn't match your environment, the following sub-actions provide alternatives: + +| Sub-action | Description | +|---|---| +| `fortify/github-action` | Default. Uploads to GitHub.com artifact storage using `actions/upload-artifact@v7`. | +| `fortify/github-action/with-github-artifacts` | Identical to the default; use this when you want to make the artifact storage choice explicit in your workflow. | +| `fortify/github-action/with-ghes-artifacts` | Uploads to GHES-compatible artifact storage using `actions/upload-artifact@v3`. Use this on GitHub Enterprise Server. | +| `fortify/github-action/without-artifacts` | Does not upload artifacts. Exposes `upload-debug-artifacts` and `debug-artifacts-dir` outputs so you can add your own upload step targeting any storage backend. | + ### Detailed Documentation Given that these GitHub Actions are just thin wrappers around `@fortify/setup` and `fcli`, detailed usage documentation is available on the fcli documentation website: -* [`fortify/github-action` for OpenText Application Security Code (Fortify on Demand)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-fod.html) -* [`fortify/github-action` for OpenText Software Security Center (Fortify SSC)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-ssc.html) -* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/setup-action.html) +* `fortify/github-action` (default — GitHub.com artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-ssc.html) +* `fortify/github-action/with-github-artifacts` (explicit GitHub.com artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-ssc.html) +* `fortify/github-action/with-ghes-artifacts` (GHES-compatible artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-ghes-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-ghes-artifacts-ssc.html) +* `fortify/github-action/without-artifacts` (custom artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-ssc.html) +* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/setup-action.html) diff --git a/USAGE.md b/USAGE.md index d97f35c..6ed55ef 100644 --- a/USAGE.md +++ b/USAGE.md @@ -28,7 +28,10 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - - uses: fortify/github-action@v3 # Run Fortify scans + # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts + # to GitHub artifact storage (see artifact storage section below for alternative options) + - uses: fortify/github-action@v3 + name: Run Fortify Scan env: FOD_URL: ${{ vars.FOD_URL }} FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }} @@ -57,7 +60,10 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - - uses: fortify/github-action@v3 # Run Fortify scans + # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts + # to GitHub artifact storage (see artifact storage section below for alternative options) + - uses: fortify/github-action@v3 + name: Run Fortify Scan env: SSC_URL: ${{ vars.SSC_URL }} SSC_TOKEN: ${{ secrets.SSC_TOKEN }} @@ -89,13 +95,28 @@ jobs: fcli fod session logout ... ``` +### Artifact storage + +If debugging is enabled (either via the `debug: true` action input or by re-running the workflow with GitHub's "Enable debug logging" option), debug artifacts are collected during the scan and uploaded after the scan completes. + +The top-level `fortify/github-action` action uploads debug artifacts to GitHub.com artifact storage using `actions/upload-artifact@v7`. If this doesn't match your environment, the following sub-actions provide alternatives: + +| Sub-action | Description | +|---|---| +| `fortify/github-action` | Default. Uploads to GitHub.com artifact storage using `actions/upload-artifact@v7`. | +| `fortify/github-action/with-github-artifacts` | Identical to the default; use this when you want to make the artifact storage choice explicit in your workflow. | +| `fortify/github-action/with-ghes-artifacts` | Uploads to GHES-compatible artifact storage using `actions/upload-artifact@v3`. Use this on GitHub Enterprise Server. | +| `fortify/github-action/without-artifacts` | Does not upload artifacts. Exposes `upload-debug-artifacts` and `debug-artifacts-dir` outputs so you can add your own upload step targeting any storage backend. | + ### Detailed Documentation Given that these GitHub Actions are just thin wrappers around `@fortify/setup` and `fcli`, detailed usage documentation is available on the fcli documentation website: -* [`fortify/github-action` for OpenText Application Security Code (Fortify on Demand)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-fod.html) -* [`fortify/github-action` for OpenText Software Security Center (Fortify SSC)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-ssc.html) -* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/setup-action.html) +* `fortify/github-action` (default — GitHub.com artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-ssc.html) +* `fortify/github-action/with-github-artifacts` (explicit GitHub.com artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-ssc.html) +* `fortify/github-action/with-ghes-artifacts` (GHES-compatible artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-ghes-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-ghes-artifacts-ssc.html) +* `fortify/github-action/without-artifacts` (custom artifact upload): [FoD](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-fod.html) | [SSC](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-ssc.html) +* [`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v3.1.x/setup-action.html) diff --git a/action.yml b/action.yml index e68fdb4..93d5046 100644 --- a/action.yml +++ b/action.yml @@ -1,45 +1,29 @@ name: 'Fortify AST Scan' -description: 'Find and fix vulnerabilities to build secure software with Fortify Code Security.' +description: 'Run Fortify AST Scan and upload debug artifacts using actions/upload-artifact@v7 (GitHub.com).' author: 'Fortify' inputs: debug: - description: 'Whether to generate and collect debug logs; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.' + description: 'Whether to generate & collect debug artifacts; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.' required: false default: 'false' debug-artifact-name: - description: 'Name for the debug artifacts archive; defaults to "fortify-debug-logs"' + description: 'Name for the debug artifacts archive; defaults to "fortify-debug-artifacts"' required: false - default: 'fortify-debug-logs' + default: 'fortify-debug-artifacts' debug-retention-days: - description: 'Number of days to retain debug artifacts; defaults to 1' + description: 'Number of days to retain debug artifacts; defaults to 1 due to sensitivity of data' required: false default: '1' + runs: using: composite steps: - - name: Set Fortify data directory - run: echo "FORTIFY_DATA_DIR=${{ runner.temp }}/fortify-data" >> $GITHUB_ENV - shell: bash - - uses: fortify/github-action/setup@main - with: - fcli: bootstrapped - export-path: false - - run: | - mkdir -p "${FORTIFY_DATA_DIR}" && cd "${FORTIFY_DATA_DIR}" - "${FCLI_CMD}" action run ci --debug=${{ inputs.debug == 'true' || runner.debug == '1' }} - shell: bash - env: - GITHUB_TOKEN: ${{ github.token }} - SAST_EXPORT_EXTRA_OPTS: --publish=true ${{ env.SAST_EXPORT_EXTRA_OPTS || '' }} - DEBRICKED_EXPORT_EXTRA_OPTS: --publish=true ${{ env.DEBRICKED_EXPORT_EXTRA_OPTS || '' }} - - name: Upload debug logs - if: ${{ always() && (inputs.debug == 'true' || runner.debug == '1') }} - uses: actions/upload-artifact@v4 + - uses: fortify/github-action/with-github-artifacts@feat/configurable-debug-upload with: - name: ${{ inputs.debug-artifact-name }}-${{ github.job }} - path: ${{ env.FORTIFY_DATA_DIR }} - retention-days: ${{ inputs.debug-retention-days }} - + debug: ${{ inputs.debug }} + debug-artifact-name: ${{ inputs.debug-artifact-name }} + debug-retention-days: ${{ inputs.debug-retention-days }} + branding: icon: 'shield' color: 'blue' diff --git a/doc-resources/repo-intro.md b/doc-resources/repo-intro.md index 9eac509..35f2cf9 100644 --- a/doc-resources/repo-intro.md +++ b/doc-resources/repo-intro.md @@ -2,7 +2,7 @@ The `fortify/github-action` GitHub Action allows for easy integration of OpenTex As such, this GitHub Action automatically benefits from new features and bug fixes as they are introduced in fcli, although there are options to use a fixed fcli version in case you need more stability. At the time of writing, the fcli `ci` action provides out-of-the-box support for Static Application Security Testing (SAST) and Software Composition Analysis (SCA); support for Dynamic or Mobile Application Security Testing (DAST & MAST) may be added in the future. -Apart from the top-level `fortify/github-action` for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products. +Apart from the top-level `fortify/github-action` (and related `fortify/github-action/with-github-artifacts`, `fortify/github-action/with-ghes-artifacts`, and `fortify/github-action/without-artifacts` sub-actions) for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. This `setup` action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products. {{include:repo-usage-text.md}} diff --git a/doc-resources/repo-usage-text.md b/doc-resources/repo-usage-text.md index b0e794f..81dbb29 100644 --- a/doc-resources/repo-usage-text.md +++ b/doc-resources/repo-usage-text.md @@ -20,7 +20,10 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - - uses: fortify/github-action@v3 # Run Fortify scans + # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts + # to GitHub artifact storage (see artifact storage section below for alternative options) + - uses: fortify/github-action@v3 + name: Run Fortify Scan env: FOD_URL: ${{ vars.FOD_URL }} FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }} @@ -49,7 +52,10 @@ jobs: steps: - uses: actions/checkout@v4 # Check out source code - uses: actions/setup-@vX # Set up build tool(s) required to build your project - - uses: fortify/github-action@v3 # Run Fortify scans + # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts + # to GitHub artifact storage (see artifact storage section below for alternative options) + - uses: fortify/github-action@v3 + name: Run Fortify Scan env: SSC_URL: ${{ vars.SSC_URL }} SSC_TOKEN: ${{ secrets.SSC_TOKEN }} @@ -81,12 +87,27 @@ jobs: fcli fod session logout ... ``` +### Artifact storage + +If debugging is enabled (either via the `debug: true` action input or by re-running the workflow with GitHub's "Enable debug logging" option), debug artifacts are collected during the scan and uploaded after the scan completes. + +The top-level `fortify/github-action` action uploads debug artifacts to GitHub.com artifact storage using `actions/upload-artifact@v7`. If this doesn't match your environment, the following sub-actions provide alternatives: + +| Sub-action | Description | +|---|---| +| `fortify/github-action` | Default. Uploads to GitHub.com artifact storage using `actions/upload-artifact@v7`. | +| `fortify/github-action/with-github-artifacts` | Identical to the default; use this when you want to make the artifact storage choice explicit in your workflow. | +| `fortify/github-action/with-ghes-artifacts` | Uploads to GHES-compatible artifact storage using `actions/upload-artifact@v3`. Use this on GitHub Enterprise Server. | +| `fortify/github-action/without-artifacts` | Does not upload artifacts. Exposes `upload-debug-artifacts` and `debug-artifacts-dir` outputs so you can add your own upload step targeting any storage backend. | + ### Detailed Documentation Given that these GitHub Actions are just thin wrappers around `@fortify/setup` and `fcli`, detailed usage documentation is available on the fcli documentation website: -* [`fortify/github-action` for OpenText Application Security Code (Fortify on Demand)]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-fod.html) -* [`fortify/github-action` for OpenText Software Security Center (Fortify SSC)]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-ssc.html) +* `fortify/github-action` (default — GitHub.com artifact upload): [FoD]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-fod.html) | [SSC]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-ssc.html) +* `fortify/github-action/with-github-artifacts` (explicit GitHub.com artifact upload): [FoD]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-with-github-artifacts-fod.html) | [SSC]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-with-github-artifacts-ssc.html) +* `fortify/github-action/with-ghes-artifacts` (GHES-compatible artifact upload): [FoD]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-with-ghes-artifacts-fod.html) | [SSC]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-with-ghes-artifacts-ssc.html) +* `fortify/github-action/without-artifacts` (custom artifact upload): [FoD]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-without-artifacts-fod.html) | [SSC]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/ast-action-without-artifacts-ssc.html) * [`fortify/github-action/setup`]({{var:fcli-doc-base-url}}/ci/github/{{var:action-doc-version}}/setup-action.html) diff --git a/doc-resources/template-values.md b/doc-resources/template-values.md index 0b0b3d9..d685a1a 100644 --- a/doc-resources/template-values.md +++ b/doc-resources/template-values.md @@ -11,4 +11,4 @@ https://github.com/fortify/github-action https://fortify.github.io/fcli/v3 # action-doc-version -v3.0.x +v3.1.x diff --git a/update-action-refs.sh b/update-action-refs.sh index 40daa86..4a91488 100755 --- a/update-action-refs.sh +++ b/update-action-refs.sh @@ -1,7 +1,10 @@ #!/bin/bash for f in $(find . -name 'action.yml'); do - if grep -qrlZ 'uses: fortify/github-action/' $f; then + if grep -qrlZ 'uses: fortify/github-action' $f; then echo "Updating $f: version $1" && \ - sed -r -i -e "s|(uses: fortify\/github-action\/[^@]+)@.*|\1@$1|g" "$f" + sed -r -i \ + -e "s|(uses: fortify\/github-action\/[^@]+)@.*|\1@$1|g" \ + -e "s|(uses: fortify\/github-action)@.*|\1@$1|g" \ + "$f" fi done diff --git a/with-ghes-artifacts/action.yml b/with-ghes-artifacts/action.yml new file mode 100644 index 0000000..83f6524 --- /dev/null +++ b/with-ghes-artifacts/action.yml @@ -0,0 +1,33 @@ +name: 'Fortify AST Scan (with GHES artifacts)' +description: 'Run Fortify AST Scan and upload debug artifacts using actions/upload-artifact@v3 (GHES-compatible).' +author: 'Fortify' +inputs: + debug: + description: 'Whether to generate & collect debug artifacts; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.' + required: false + default: 'false' + debug-artifact-name: + description: 'Name for the debug artifacts archive; defaults to "fortify-debug-artifacts"' + required: false + default: 'fortify-debug-artifacts' + debug-retention-days: + description: 'Number of days to retain debug artifacts; defaults to 1 due to sensitivity of data' + required: false + default: '1' + +runs: + using: composite + steps: + - name: Run Fortify AST Scan + id: run_ast_scan + uses: fortify/github-action/without-artifacts@feat/configurable-debug-upload + with: + debug: ${{ inputs.debug }} + + - name: Upload debug artifacts (GHES) + if: ${{ always() && steps.run_ast_scan.outputs.upload-debug-artifacts == 'true' }} + uses: actions/upload-artifact@v3 + with: + name: ${{ inputs.debug-artifact-name }}-${{ github.job }} + path: ${{ steps.run_ast_scan.outputs.debug-artifacts-dir }} + retention-days: ${{ inputs.debug-retention-days }} diff --git a/with-github-artifacts/action.yml b/with-github-artifacts/action.yml new file mode 100644 index 0000000..0586386 --- /dev/null +++ b/with-github-artifacts/action.yml @@ -0,0 +1,33 @@ +name: 'Fortify AST Scan (with GitHub artifacts)' +description: 'Run Fortify AST Scan and upload debug artifacts using actions/upload-artifact@v7 (GitHub.com).' +author: 'Fortify' +inputs: + debug: + description: 'Whether to generate & collect debug artifacts; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.' + required: false + default: 'false' + debug-artifact-name: + description: 'Name for the debug artifacts archive; defaults to "fortify-debug-artifacts"' + required: false + default: 'fortify-debug-artifacts' + debug-retention-days: + description: 'Number of days to retain debug artifacts; defaults to 1 due to sensitivity of data' + required: false + default: '1' + +runs: + using: composite + steps: + - name: Run Fortify AST Scan + id: run_ast_scan + uses: fortify/github-action/without-artifacts@feat/configurable-debug-upload + with: + debug: ${{ inputs.debug }} + + - name: Upload debug artifacts (github.com) + if: ${{ always() && steps.run_ast_scan.outputs.upload-debug-artifacts == 'true' }} + uses: actions/upload-artifact@v7 + with: + name: ${{ inputs.debug-artifact-name }}-${{ github.job }} + path: ${{ steps.run_ast_scan.outputs.debug-artifacts-dir }} + retention-days: ${{ inputs.debug-retention-days }} diff --git a/without-artifacts/action.yml b/without-artifacts/action.yml new file mode 100644 index 0000000..ba229dd --- /dev/null +++ b/without-artifacts/action.yml @@ -0,0 +1,44 @@ +name: 'Fortify AST Scan (without artifacts)' +description: 'Run Fortify AST Scan without uploading debug artifacts; use this sub-action to implement a custom debug artifact upload mechanism.' +author: 'Fortify' +inputs: + debug: + description: 'Whether to output debug artifacts; note that these may contain sensitive data like access tokens or credentials. Automatically enabled when workflow is re-run with "Enable debug logging" checked.' + required: false + default: 'false' +outputs: + upload-debug-artifacts: + description: '"true" if debug artifacts should be uploaded (inputs.debug==true or runner.debug==1)' + value: ${{ steps.set-outputs.outputs.upload-debug-artifacts }} + debug-artifacts-dir: + description: 'Path to the debug artifacts directory (env.FORTIFY_DATA_DIR)' + value: ${{ steps.set-outputs.outputs.debug-artifacts-dir }} +runs: + using: composite + steps: + - name: Set Fortify data directory + run: echo "FORTIFY_DATA_DIR=${{ runner.temp }}/fortify-data" >> $GITHUB_ENV + shell: bash + - uses: fortify/github-action/setup@feat/configurable-debug-upload + with: + fcli: bootstrapped + export-path: false + - run: | + mkdir -p "${FORTIFY_DATA_DIR}" && cd "${FORTIFY_DATA_DIR}" + "${FCLI_CMD}" action run ci --debug=${{ inputs.debug == 'true' || runner.debug == '1' }} + shell: bash + env: + GITHUB_TOKEN: ${{ github.token }} + SAST_EXPORT_EXTRA_OPTS: --publish=true ${{ env.SAST_EXPORT_EXTRA_OPTS || '' }} + DEBRICKED_EXPORT_EXTRA_OPTS: --publish=true ${{ env.DEBRICKED_EXPORT_EXTRA_OPTS || '' }} + - name: Set action outputs + if: always() # Ensure outputs are set even if the previous step fails, so that debug artifacts can be uploaded when enabled + id: set-outputs + run: | + if [ "${{ inputs.debug }}" = "true" ] || [ "${{ runner.debug }}" = "1" ]; then + echo "upload-debug-artifacts=true" >> $GITHUB_OUTPUT + else + echo "upload-debug-artifacts=false" >> $GITHUB_OUTPUT + fi + echo "debug-artifacts-dir=${FORTIFY_DATA_DIR}" >> $GITHUB_OUTPUT + shell: bash