diff --git a/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml b/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml
index 47106202e..43b20841c 100644
--- a/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml
+++ b/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml
@@ -208,4 +208,4 @@ jobs:
 -H "Accept: application/vnd.github+json" \
 https://api.github.com/repos/${{ github.event.client_payload.repository.owner }}/${{ github.event.client_payload.repository.name }}/check-runs/${{ needs.register.outputs.run_id }} \
 -d @"payload.txt"
- done
+ done
\ No newline at end of file
diff --git a/.github/workflows/binary-ready-veracode-sast-policy-scan.yml b/.github/workflows/binary-ready-veracode-sast-policy-scan.yml
index d9811374d..5ce9d05d2 100644
--- a/.github/workflows/binary-ready-veracode-sast-policy-scan.yml
+++ b/.github/workflows/binary-ready-veracode-sast-policy-scan.yml
@@ -11,7 +11,13 @@ on:
 types: [binary-ready-veracode-sast-policy-scan]

 jobs:
+ cleanup:
+ uses: ./.github/workflows/veracode-clean-up.yml
+ with:
+ runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+
 register:
+ needs: cleanup
 uses: ./.github/workflows/veracode-check-run.yml
 with:
 check_run_name: ${{ github.workflow }}
@@ -74,7 +80,7 @@ jobs:
 path: ./veracode_artifact_directory

 - name: Veracode Upload and Scan Action Step
- uses: veracode/uploadandscan-action@v0.1.9
+ uses: veracode/uploadandscan-action@v0.2.0
 id: upload_and_scan
 with:
 vid: '${{ secrets.VERACODE_API_ID }}'
@@ -88,6 +94,8 @@ jobs:
 scantimeout: 30
 failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
 deleteincompletescan: true
+ workflowApp: true
+ debug: ${{ github.event.client_payload.user_config.debug }}

 - name: Veracode Policy Results
 id: prepare-results
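Review bot: `debug: ${{ github.event.client_payload.user_config.debug }}` (hunk `@@ -88,6 +94,8`) hands the action an empty string whenever the dispatch payload omits `debug`, and nothing in the commit handles that case; how uploadandscan-action treats an empty `debug` input cannot be seen from here. If the intended default is off, `debug: ${{ github.event.client_payload.user_config.debug || false }}` keeps a supplied `true`/`false` unchanged and turns a missing value into `false`. The same unguarded expression is added in binary-ready-veracode-sast-sandbox-scan.yml, veracode-code-analysis.yml, veracode-iac-secrets-scan.yml, veracode-sandbox-scan.yml and veracode-sca-scan.yml. The `with:` block this line belongs to starts outside the hunk.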
@@ -176,4 +184,4 @@ jobs:
 repo_owner: ${{ github.event.client_payload.repository.owner }}
 github-token: ${{ github.event.client_payload.token }}
 repo_name: ${{ github.event.client_payload.repository.name }}
- commitHash: ${{ github.event.client_payload.sha }}
\ No newline at end of file
+ commitHash: ${{ github.event.client_payload.sha }}
diff --git a/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml b/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml
index e9849b386..655df9184 100644
--- a/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml
+++ b/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml
@@ -11,7 +11,13 @@ on:
 types: [binary-ready-veracode-sast-sandbox-scan]

 jobs:
+ cleanup:
+ uses: ./.github/workflows/veracode-clean-up.yml
+ with:
+ runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+
 sandbox_scan:
+ needs: cleanup
 runs-on: ${{ fromJSON(github.event.client_payload.user_config.default_runs_on) }}
 steps:
 - name: Download artifact
@@ -26,7 +32,7 @@ jobs:

 - name: Veracode Upload and Scan Action Step
 id: upload_and_scan
- uses: veracode/uploadandscan-action@v0.1.9
+ uses: veracode/uploadandscan-action@v0.2.0
 with:
 appname: ${{ github.event.client_payload.user_config.profile_name }}
 createprofile: true
@@ -39,4 +45,6 @@ jobs:
 sandboxname: GitHub App Scans-${{ github.event.client_payload.repository.branch }}
 # include: ${{ github.event.client_payload.modules_to_scan }}
 failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
- deleteincompletescan: true
\ No newline at end of file
+ deleteincompletescan: true
+ workflowApp: true
+ debug: ${{ github.event.client_payload.user_config.debug }}
diff --git a/.github/workflows/veracode-build-artifact-for-scanning.yml b/.github/workflows/veracode-build-artifact-for-scanning.yml
index c8aa63ede..d407d4bab 100644
--- a/.github/workflows/veracode-build-artifact-for-scanning.yml
+++ b/.github/workflows/veracode-build-artifact-for-scanning.yml
@@ -33,6 +33,9 @@ on:
 default_runs_on:
 required: true
 type: string
+ debug:
+ required: false
+ type: string

 jobs:
 build:
@@ -49,6 +52,7 @@ jobs:
 bundle_version: ${{ inputs.bundle_version }}
 event_name: ${{ inputs.event_name }}
 default_runs_on: ${{ inputs.default_runs_on }}
+ debug: ${{ inputs.debug }}

 build-tsql-package:
 if: ${{ inputs.event_name == 'tsql-pipeline-scan' || inputs.event_name == 'tsql-policy-scan' || inputs.event_name == 'tsql-sandbox-scan'}}
@@ -84,4 +88,4 @@ jobs:
 repository: ${{ inputs.repository }}
 ref: ${{ inputs.ref }}
 token: ${{ inputs.token }}
- default_runs_on: ${{ inputs.default_runs_on }}
\ No newline at end of file
+ default_runs_on: ${{ inputs.default_runs_on }}
diff --git a/.github/workflows/veracode-check-run.yml b/.github/workflows/veracode-check-run.yml
index b7365ec50..49af49320 100644
--- a/.github/workflows/veracode-check-run.yml
+++ b/.github/workflows/veracode-check-run.yml
@@ -61,7 +61,7 @@ jobs:
 INPUT_NAME: ${{ inputs.check_run_name }}
 INPUT_HEAD_SHA: ${{ inputs.head_sha }}
 INPUT_DETAILS_URL: "https://github.com/${{ github.repository }}/actions/runs/${{ inputs.run_id }}"
-
+
 - name: Create metadata
 id: create-metadata-json
 run: |
@@ -79,4 +79,4 @@ jobs:
 uses: actions/upload-artifact@v4
 with:
 name: workflow-metadata
- path: workflow-metadata.json
\ No newline at end of file
+ path: workflow-metadata.json
diff --git a/.github/workflows/veracode-clean-up.yml b/.github/workflows/veracode-clean-up.yml
index ccdfdb002..2b4f2f3d7 100644
--- a/.github/workflows/veracode-clean-up.yml
+++ b/.github/workflows/veracode-clean-up.yml
@@ -14,7 +14,7 @@ jobs:
 if: contains(runner.os, 'Linux')
 run: |
 echo "Running final cleanup..."
- sudo rm -rf $GITHUB_WORKSPACE/
+ sudo rm -rf $GITHUB_WORKSPACE/*

 - name: Cleanup workspace and Docker - Windows
 if: contains(runner.os, 'Windows')
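Review bot: `sudo rm -rf $GITHUB_WORKSPACE/*` in the veracode-clean-up.yml hunk still expands the variable unquoted and unguarded, so if `GITHUB_WORKSPACE` is ever empty or unset in this job's environment the command degrades to `rm -rf /*`; and now that a glob does the work, bash's default globbing skips dot-entries, so `.git`, `.github` and any other hidden directories survive the "final cleanup" the echo above announces. `sudo find "${GITHUB_WORKSPACE:?}" -mindepth 1 -delete` removes every entry including hidden ones, keeps the workspace directory itself (the intent of the `/` → `/*` change) and fails the step instead of running when the variable is unset. The Windows step that follows has its body outside the hunk, so whether it needs an equivalent guard cannot be checked here.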
diff --git a/.github/workflows/veracode-code-analysis.yml b/.github/workflows/veracode-code-analysis.yml
index bdc2861c1..3cf4c1ba7 100644
--- a/.github/workflows/veracode-code-analysis.yml
+++ b/.github/workflows/veracode-code-analysis.yml
@@ -33,7 +33,13 @@ on:
 - ruby-policy-scan

 jobs:
+ cleanup:
+ uses: ./.github/workflows/veracode-clean-up.yml
+ with:
+ runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+
 register:
+ needs: cleanup
 uses: ./.github/workflows/veracode-check-run.yml
 with:
 check_run_name: ${{ github.workflow }} - ${{ contains(github.event.action, 'policy') && 'Policy' || 'Pipeline' }}
@@ -95,6 +101,7 @@ jobs:
 ruby_version: ${{ github.event.client_payload.user_config.ruby_version }}
 bundle_version: ${{ github.event.client_payload.user_config.bundle_version }}
 default_runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+ debug: ${{ github.event.client_payload.user_config.debug }}

 pipeline_scan:
 # needs the build step before this job will start running
@@ -118,6 +125,7 @@ jobs:
 filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }}
 language: ${{ github.event.client_payload.repository.language }}
 default_runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+ debug: ${{ github.event.client_payload.user_config.debug }}
 secrets: inherit

 policy_scan:
@@ -142,4 +150,5 @@ jobs:
 filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }}
 language: ${{ github.event.client_payload.repository.language }}
 default_runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
- secrets: inherit
\ No newline at end of file
+ debug: ${{ github.event.client_payload.user_config.debug }}
+ secrets: inherit
diff --git a/.github/workflows/veracode-default-build.yml b/.github/workflows/veracode-default-build.yml
index 200370c78..ec58d04ce 100644
--- a/.github/workflows/veracode-default-build.yml
+++ b/.github/workflows/veracode-default-build.yml
@@ -32,6 +32,9 @@ on:
 default_runs_on:
 required: true
 type: string
+ debug:
+ required: false
+ type: string

 jobs:
 build-prepare:
@@ -103,7 +106,14 @@ jobs:
 bundle install
 cd ..
 fi
- veracode package --source source-code --output veracode-artifacts --trust --verbose
+ PACKAGE_CMD="veracode package --source source-code --output veracode-artifacts --trust"
+
+ if [[ "${{ inputs.debug }}" == "true" ]]; then
+ PACKAGE_CMD="$PACKAGE_CMD --verbose"
+ fi
+
+ echo "Running: $PACKAGE_CMD"
+ eval "$PACKAGE_CMD"

 # ---------------- Error handler ----------------
 - name: Package error
@@ -185,7 +195,19 @@ jobs:
 run: |
 $working_path = (Get-Location).Path
 "working_dir=$working_path" | Out-File -FilePath $env:GITHUB_OUTPUT -Append -Encoding utf8
- & $env:VERACODE_CLI package --source source-code --output veracode-artifacts --trust --verbose
+ $packageArgs = @(
+ "package",
+ "--source", "source-code",
+ "--output", "veracode-artifacts",
+ "--trust"
+ )
+
+ if ("${{ inputs.debug }}" -eq "true") {
+ $packageArgs += "--verbose"
+ }
+
+ Write-Host "Running: veracode $($packageArgs -join ' ')"
+ & $env:VERACODE_CLI @packageArgs

 # ---------------- Error handler ----------------
 - name: Package error
@@ -198,4 +220,4 @@ jobs:
 with:
 name: veracode-artifact
 path: "${{ steps.application_package_windows.outputs.working_dir }}/veracode-artifacts/*"
- if-no-files-found: error
\ No newline at end of file
+ if-no-files-found: error
diff --git a/.github/workflows/veracode-iac-secrets-scan.yml b/.github/workflows/veracode-iac-secrets-scan.yml
index 2e78f911f..437ac1f80 100644
--- a/.github/workflows/veracode-iac-secrets-scan.yml
+++ b/.github/workflows/veracode-iac-secrets-scan.yml
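Review bot: `if [[ "${{ inputs.debug }}" == "true" ]]` in hunk `@@ -103,7 +106,14` splices the value of `inputs.debug` into the script text before bash parses it, and the assembled string is then handed to `eval`; `debug` is an optional free-form `type: string` input (declared in this file's first hunk) that callers fill from `client_payload.user_config.debug`, so any value that is not a plain token changes the script rather than being compared. Expose the input through the step's `env:` block and read it as a shell variable, and build the command as a bash array instead of a string plus `eval` — the arguments contain no shell syntax that needs re-parsing. The PowerShell hunk below (`@@ -185,7 +195,19`) interpolates `"${{ inputs.debug }}"` the same way and can read `$env:DEBUG` instead. The step header and any existing `env:` block are outside the hunk, so the placement of the `env:` lines in the excerpt is an assumption.
```yaml
        env:
          DEBUG: ${{ inputs.debug }}
        run: |
          # … unchanged: bundle install / cd .. / fi …
          PACKAGE_ARGS=(package --source source-code --output veracode-artifacts --trust)

          if [[ "${DEBUG:-}" == "true" ]]; then
            PACKAGE_ARGS+=(--verbose)
          fi

          echo "Running: veracode ${PACKAGE_ARGS[*]}"
          veracode "${PACKAGE_ARGS[@]}"
```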
@@ -11,7 +11,13 @@ on:
 types: [veracode-iac-secrets-scan]

 jobs:
+ cleanup:
+ uses: ./.github/workflows/veracode-clean-up.yml
+ with:
+ runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+
 register:
+ needs: cleanup
 uses: ./.github/workflows/veracode-check-run.yml
 with:
 check_run_name: ${{ github.workflow }}
@@ -52,8 +58,9 @@ jobs:
 repository: ${{ github.event.client_payload.repository.full_name }}
 ref: ${{ github.event.client_payload.sha }}
 token: ${{ github.event.client_payload.token }}
+
 - name: Run Veracode IaC/Secrets Scanning
- uses: veracode/container_iac_secrets_scanning@v1.0.6
+ uses: veracode/container_iac_secrets_scanning@v1.0.7
 with:
 vid: ${{ secrets.VERACODE_API_ID }}
 vkey: ${{ secrets.VERACODE_API_KEY }}
@@ -61,13 +68,6 @@ jobs:
 type: "directory"
 source: "./"
 format: "json"
- debug: false
+ debug: ${{ github.event.client_payload.user_config.debug }}
 fail_build: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
 fail_build_on_error: ${{ github.event.client_payload.user_config.break_build_on_error }}
-
- cleanup:
- needs: veracode-iac-secrets-scan
- if: always()
- uses: ./.github/workflows/veracode-clean-up.yml
- with:
- runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
\ No newline at end of file
diff --git a/.github/workflows/veracode-pipeline-scan.yml b/.github/workflows/veracode-pipeline-scan.yml
index 4633ba982..b22fa9c8a 100644
--- a/.github/workflows/veracode-pipeline-scan.yml
+++ b/.github/workflows/veracode-pipeline-scan.yml
@@ -51,6 +51,9 @@ on:
 default_runs_on:
 required: true
 type: string
+ debug:
+ required: false
+ type: string

 jobs:
 prepare_pipeline_scan:
@@ -120,7 +123,7 @@ jobs:
 json_output_file: ${{ strategy.job-index }}-results.json
 filtered_json_output_file: ${{ strategy.job-index }}-filtered_results.json
 artifact_name: ${{ matrix.file }}
- debug: 1
+ debug: ${{ inputs.debug == true && '1' || '0' }}
 workflow_app: true

 - name: Veracode Pipeline Results
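Review bot: Deleting the trailing `cleanup` job (`needs: veracode-iac-secrets-scan`, `if: always()`) in hunk `@@ -61,13 +68,6` of veracode-iac-secrets-scan.yml leaves the checkout, the scanned tree and its JSON output on the runner after the workflow ends; the new `cleanup` job at the top of the file only wipes them before the next dispatch, so the data persists between runs. On ephemeral GitHub-hosted runners that is harmless, but `runs_on` is a payload-supplied `default_runs_on` label, which suggests self-hosted runners may be in use. The same post-scan cleanup is dropped in veracode-pipeline-scan.yml, veracode-policy-scan.yml, veracode-sandbox-scan.yml and veracode-sca-scan.yml. If the pre-scan job is meant to replace it, a comment above the new `cleanup:` job such as `# workspace is wiped before each scan; nothing is removed after it` would record the trade-off; otherwise keep a post-scan job with `if: always()` alongside it.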
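Review bot: `debug: ${{ inputs.debug == true && '1' || '0' }}` in the veracode-pipeline-scan.yml hunk `@@ -120,7 +123,7` most likely never yields `'1'`: `inputs.debug` is declared `type: string` in the hunk above, and when a string is compared with a boolean the expression engine coerces both sides to numbers, so `'true'` becomes NaN and the comparison is false, leaving debug permanently off where it was previously hard-coded on. Compare against the string instead: `debug: ${{ inputs.debug == 'true' && '1' || '0' }}`. That also matches how veracode-default-build.yml reads the same input (`== "true"`). The `with:` block this line belongs to starts outside the hunk.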
@@ -195,11 +198,4 @@ jobs:
 -H "Accept: application/vnd.github+json" \
 https://api.github.com/repos/${{ inputs.owner }}/${{ inputs.repo }}/check-runs/${{ inputs.check_run_id }} \
 -d @"payload.txt"
- done
-
- cleanup:
- needs: update-checks-status
- if: always()
- uses: ./.github/workflows/veracode-clean-up.yml
- with:
- runs_on: ${{ inputs.default_runs_on }}
\ No newline at end of file
+ done
\ No newline at end of file
diff --git a/.github/workflows/veracode-policy-scan.yml b/.github/workflows/veracode-policy-scan.yml
index 2af99737f..7133868e2 100644
--- a/.github/workflows/veracode-policy-scan.yml
+++ b/.github/workflows/veracode-policy-scan.yml
@@ -54,6 +54,9 @@ on:
 default_runs_on:
 required: true
 type: string
+ debug:
+ required: false
+ type: string

 jobs:
 policy_scan:
@@ -71,14 +74,14 @@ jobs:
 name: veracode-artifact
 path: ./veracode_artifact_directory

- - name: set version
+ - name: Set version
 shell: bash
 run: |
 echo "VERSION=${{ github.run_id }}-$(date +'%Y%m%d-%H%M%S')" >> $GITHUB_ENV

 # run the policy scan action
 - name: Veracode Upload and Scan Action Step
- uses: veracode/uploadandscan-action@v0.1.9
+ uses: veracode/uploadandscan-action@v0.2.0
 id: upload_and_scan
 with:
 appname: ${{ inputs.profile_name }}
@@ -94,6 +97,8 @@ jobs:
 failbuild: ${{ inputs.break_build_policy_findings }}
 gitRepositoryUrl: ${{ github.server_url }}/${{ inputs.source_repository }}
 deleteincompletescan: true
+ workflowApp: true
+ debug: ${{ inputs.debug }}

 - name: Veracode Policy Results
 id: prepare-results
@@ -183,10 +188,3 @@ jobs:
 repo_name: ${{ inputs.repo }}
 github-token: ${{ inputs.token }}
 commitHash: ${{ inputs.sha }}
-
- cleanup:
- needs: [policy_scan, veracode-remove-sandbox, code-scanning-alert, create-issues]
- if: always()
- uses: ./.github/workflows/veracode-clean-up.yml
- with:
- runs_on: ${{ inputs.default_runs_on }}
\ No newline at end of file
diff --git a/.github/workflows/veracode-remove-sandbox.yml b/.github/workflows/veracode-remove-sandbox.yml
index a2f05a4c3..7266b2669 100644
--- a/.github/workflows/veracode-remove-sandbox.yml
+++ b/.github/workflows/veracode-remove-sandbox.yml
@@ -50,4 +50,4 @@ jobs:
 if: always()
 uses: ./.github/workflows/veracode-clean-up.yml
 with:
- runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
\ No newline at end of file
+ runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
diff --git a/.github/workflows/veracode-sandbox-scan.yml b/.github/workflows/veracode-sandbox-scan.yml
index 6f12b7e74..bdb8deb53 100644
--- a/.github/workflows/veracode-sandbox-scan.yml
+++ b/.github/workflows/veracode-sandbox-scan.yml
@@ -21,7 +21,13 @@ on:
 - ruby-sandbox-scan

 jobs:
+ cleanup:
+ uses: ./.github/workflows/veracode-clean-up.yml
+ with:
+ runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+
 build:
+ needs: cleanup
 uses: ./.github/workflows/veracode-build-artifact-for-scanning.yml
 with:
 repository: ${{ github.event.client_payload.repository.full_name }}
@@ -53,7 +59,7 @@ jobs:

 # run the policy scan action
 - name: Veracode Upload and Scan Action Step
- uses: veracode/uploadandscan-action@v0.1.9
+ uses: veracode/uploadandscan-action@v0.2.0
 id: upload_and_scan
 with:
 appname: ${{ github.event.client_payload.user_config.profile_name }}
@@ -68,10 +74,5 @@ jobs:
 failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
 gitRepositoryUrl: ${{ github.server_url }}/${{ github.event.client_payload.repository.full_name }}
 deleteincompletescan: true
-
- cleanup:
- needs: sandbox_scan
- if: always()
- uses: ./.github/workflows/veracode-clean-up.yml
- with:
- runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
\ No newline at end of file
+ workflowApp: true
+ debug: ${{ github.event.client_payload.user_config.debug }}
diff --git a/.github/workflows/veracode-sca-scan.yml b/.github/workflows/veracode-sca-scan.yml
index f0091624b..ffa29d20b 100644
--- a/.github/workflows/veracode-sca-scan.yml
+++ b/.github/workflows/veracode-sca-scan.yml
@@ -11,7 +11,13 @@ on:
 types: [veracode-sca-scan]

 jobs:
+ cleanup:
+ uses: ./.github/workflows/veracode-clean-up.yml
+ with:
+ runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+
 register:
+ needs: cleanup
 uses: ./.github/workflows/veracode-check-run.yml
 with:
 check_run_name: ${{ github.workflow }}
@@ -146,10 +152,4 @@ jobs:
 recursive: true
 allow-dirty: true
 breakBuildOnPolicyFindings: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
-
- cleanup:
- needs: veracode-sca-scan
- if: always()
- uses: ./.github/workflows/veracode-clean-up.yml
- with:
- runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
\ No newline at end of file
+ debug: ${{ github.event.client_payload.user_config.debug }}
\ No newline at end of file
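Review bot: The added `debug: ${{ github.event.client_payload.user_config.debug }}` in hunk `@@ -146,10 +152,4` becomes the file's last line but still carries `\ No newline at end of file`, while most other hunks in this commit add the missing final newline (and the binary-ready-veracode-sast-pipeline-scan.yml hunk removes one); end this file with a newline too. The step whose `with:` block receives this key starts outside the hunk, so whether its action declares a `debug` input cannot be confirmed from the diff.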