From 25a34d89365e292cb3e80970dd7d840dc22bf61a Mon Sep 17 00:00:00 2001 From: Karthik Bharadwaj Date: Wed, 4 Feb 2026 14:09:45 +0530 Subject: [PATCH 1/4] Debug flag, cleanup action at beginning, cmd&shell scripts to node --- ...nary-ready-veracode-sast-pipeline-scan.yml | 97 +++++---- ...binary-ready-veracode-sast-policy-scan.yml | 12 +- ...inary-ready-veracode-sast-sandbox-scan.yml | 10 +- .../veracode-build-artifact-for-scanning.yml | 6 +- .github/workflows/veracode-check-run.yml | 75 ++++--- .github/workflows/veracode-clean-up.yml | 2 +- .github/workflows/veracode-code-analysis.yml | 11 +- .github/workflows/veracode-default-build.yml | 34 +++- .../workflows/veracode-iac-secrets-scan.yml | 18 +- .github/workflows/veracode-pipeline-scan.yml | 101 +++++----- .github/workflows/veracode-policy-scan.yml | 26 +-- .github/workflows/veracode-remove-sandbox.yml | 26 ++- .github/workflows/veracode-sandbox-scan.yml | 17 +- .github/workflows/veracode-sca-scan.yml | 184 +++++++++--------- 14 files changed, 358 insertions(+), 261 deletions(-) diff --git a/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml b/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml index 47106202e..b270d8790 100644 --- a/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml +++ b/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml @@ -11,7 +11,13 @@ on: types: [binary-ready-veracode-sast-pipeline-scan] jobs: + cleanup: + uses: ./.github/workflows/veracode-clean-up.yml + with: + runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} + register: + needs: cleanup uses: ./.github/workflows/veracode-check-run.yml with: check_run_name: ${{ github.workflow }} 
@@ -79,12 +85,15 @@ jobs: - name: Get list of files for matrix id: get-files - run: | - files=$(ls -1 veracode_artifact_directory | jq -R . | jq -s .) - echo "Files for matrix: $files" - files=$(echo $files | jq -c .) # Compact the JSON array to a single line - echo "matrix_files=$files" >> $GITHUB_OUTPUT - shell: bash + uses: actions/github-script@v7 + with: + script: | + const fs = require('fs') + const dir = 'veracode_artifact_directory' + const files = fs.readdirSync(dir) + + core.info(`Files for matrix: ${JSON.stringify(files)}`) + core.setOutput('matrix_files', JSON.stringify(files)) pipeline_scan: runs-on: ${{ fromJSON(github.event.client_payload.user_config.default_runs_on) }} @@ -111,10 +120,12 @@ jobs: path: ./veracode_artifact_directory - name: Debug Matrix Content - run: | - echo "Raw matrix files: ${{ needs.prepare_pipeline_scan.outputs.matrix_files }}" - echo "Current Matrix: ${{ matrix }}" - echo "Current File: ${{ matrix.file }}" + uses: actions/github-script@v7 + with: + script: | + console.log('Raw matrix files:', `${{ needs.prepare_pipeline_scan.outputs.matrix_files }}`) + console.log('Current matrix:', JSON.stringify(${{ toJSON(matrix) }})) + console.log('Current file:', '${{ matrix.file }}') # run the pipeline scan action - name: Veracode Pipeline-Scan 
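Review bot: The Debug Matrix Content step splices artifact file names directly into JavaScript source — `'${{ matrix.file }}'` and the template literal around `needs.prepare_pipeline_scan.outputs.matrix_files` are expanded before Node parses the script — so a file emitted by the scanned repository's build whose name contains a `'` or backtick closes the literal and runs arbitrary code on the runner (the names come from `fs.readdirSync` in the prepare job, i.e. from untrusted build output). Pass the values through the step's `env:` instead — `MATRIX_FILE: ${{ matrix.file }}` and `MATRIX_FILES: ${{ needs.prepare_pipeline_scan.outputs.matrix_files }}` — and log `process.env.MATRIX_FILE` / `process.env.MATRIX_FILES`; `JSON.stringify(${{ toJSON(matrix) }})` can stay since `toJSON` output is well-formed. The identical step in veracode-pipeline-scan.yml further down has the same exposure.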
@@ -180,32 +191,40 @@ jobs: needs: pipeline_scan if: always() steps: - - name: Update check - id: update_check_status - shell: bash - env: - BREAK_BUILD_ON_ERROR: ${{ github.event.client_payload.user_config.break_build_on_error }} - BREAK_BUILD_ON_POLICY: ${{ github.event.client_payload.user_config.break_build_policy_findings }} - run: | - success_count=0 - conclusion="failure" - # Convert JSON string to a proper format for jq processing - echo '${{ toJSON(needs) }}' | jq -c 'to_entries[]' | while read -r job; do - status=$(echo "$job" | jq -r '.value.result') - echo "$status" - if [ "$status" = "success" ]; then - success_count=$((success_count + 1)) - echo '{"status": "completed", "conclusion": "success"}' > payload.txt - elif [ "$status" = "failure" ]; then - if [ "$BREAK_BUILD_ON_ERROR" = "false" && "$BREAK_BUILD_ON_POLICY" = "false" ]; then - echo '{"status": "completed", "conclusion": "success"}' > payload.txt - else - echo '{"status": "completed", "conclusion": "failure"}' > payload.txt - fi - fi - curl -X PATCH \ - -H "Authorization: Bearer ${{ github.event.client_payload.token }}" \ - -H "Accept: application/vnd.github+json" \ - https://api.github.com/repos/${{ github.event.client_payload.repository.owner }}/${{ github.event.client_payload.repository.name }}/check-runs/${{ needs.register.outputs.run_id }} \ - -d @"payload.txt" - done + - name: Update check + id: update_check_status + uses: actions/github-script@v7 + with: + github-token: ${{ github.event.client_payload.token }} + script: | + const core = require('@actions/core') + + const needs = ${{ toJSON(needs) }} + + const breakOnError = + '${{ github.event.client_payload.user_config.break_build_on_error }}' === 'true' + const breakOnPolicy = + '${{ github.event.client_payload.user_config.break_build_policy_findings }}' === 'true' + + let conclusion = 'success' + + for (const [jobName, job] of Object.entries(needs)) { + core.info(`Job ${jobName}: ${job.result}`) + + if (job.result === 'failure') { + if 
(breakOnError || breakOnPolicy) { + conclusion = 'failure' + break + } + } + } + + core.info(`Final check conclusion: ${conclusion}`) + + await github.rest.checks.update({ + owner: '${{ github.event.client_payload.repository.owner }}', + repo: '${{ github.event.client_payload.repository.name }}', + check_run_id: Number('${{ needs.register.outputs.run_id }}'), + status: 'completed', + conclusion + }) diff --git a/.github/workflows/binary-ready-veracode-sast-policy-scan.yml b/.github/workflows/binary-ready-veracode-sast-policy-scan.yml index d9811374d..57eb4f394 100644 --- a/.github/workflows/binary-ready-veracode-sast-policy-scan.yml +++ b/.github/workflows/binary-ready-veracode-sast-policy-scan.yml @@ -11,7 +11,13 @@ on: types: [binary-ready-veracode-sast-policy-scan] jobs: + cleanup: + uses: ./.github/workflows/veracode-clean-up.yml + with: + runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} + register: + needs: cleanup uses: ./.github/workflows/veracode-check-run.yml with: check_run_name: ${{ github.workflow }} @@ -74,7 +80,7 @@ jobs: path: ./veracode_artifact_directory - name: Veracode Upload and Scan Action Step - uses: veracode/uploadandscan-action@v0.1.9 + uses: veracode/uploadandscan-action@SDEVX-9690 id: upload_and_scan with: vid: '${{ secrets.VERACODE_API_ID }}' @@ -88,6 +94,8 @@ jobs: scantimeout: 30 failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }} deleteincompletescan: true + workflowApp: true + debug: ${{ github.event.client_payload.user_config.debug }} - name: Veracode Policy Results id: prepare-results @@ -176,4 +184,4 @@ jobs: repo_owner: ${{ github.event.client_payload.repository.owner }} github-token: ${{ github.event.client_payload.token }} repo_name: ${{ github.event.client_payload.repository.name }} - commitHash: ${{ github.event.client_payload.sha }} \ No newline at end of file + commitHash: ${{ github.event.client_payload.sha }} 
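Review bot: The update_check_status script is assembled from repository_dispatch payload fields — `'${{ github.event.client_payload.user_config.break_build_on_error }}' === 'true'`, and `owner`/`repo` in the `checks.update` call — so a payload value containing a quote rewrites the script, which then runs with `github.event.client_payload.token`. Move those values into the step's `env:` (the bash version this replaces already did that for the two break_build flags) and read `process.env.BREAK_BUILD_ON_ERROR === 'true'`, `process.env.REPO_OWNER` and `process.env.REPO_NAME` inside the script; `toJSON(needs)` and `Number('${{ needs.register.outputs.run_id }}')` are fine as written. The `const core = require('@actions/core')` line is also redundant — github-script already injects `core` into the script scope — and may fail to resolve from the workspace, so drop it.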
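Review bot: `veracode/uploadandscan-action@SDEVX-9690` pins a branch name (a ticket branch) rather than a release tag or commit SHA, so the action code that receives `secrets.VERACODE_API_ID`/`VERACODE_API_KEY` can change underneath every run and the ref will vanish once the branch is merged or deleted. Before this lands, point it at a released tag or, preferably, a full commit SHA with the tag in a trailing comment: `uses: veracode/uploadandscan-action@<sha> # vX.Y.Z`. The same ref is introduced in veracode-policy-scan.yml and veracode-sandbox-scan.yml below.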
diff --git a/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml b/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml index e9849b386..7b8b112ee 100644 --- a/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml +++ b/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml @@ -11,7 +11,13 @@ on: types: [binary-ready-veracode-sast-sandbox-scan] jobs: + cleanup: + uses: ./.github/workflows/veracode-clean-up.yml + with: + runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} + sandbox_scan: + needs: cleanup runs-on: ${{ fromJSON(github.event.client_payload.user_config.default_runs_on) }} steps: - name: Download artifact @@ -39,4 +45,6 @@ jobs: sandboxname: GitHub App Scans-${{ github.event.client_payload.repository.branch }} # include: ${{ github.event.client_payload.modules_to_scan }} failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }} - deleteincompletescan: true \ No newline at end of file + deleteincompletescan: true + workflowApp: true + debug: ${{ github.event.client_payload.user_config.debug }} diff --git a/.github/workflows/veracode-build-artifact-for-scanning.yml b/.github/workflows/veracode-build-artifact-for-scanning.yml index c8aa63ede..d407d4bab 100644 --- a/.github/workflows/veracode-build-artifact-for-scanning.yml +++ b/.github/workflows/veracode-build-artifact-for-scanning.yml @@ -33,6 +33,9 @@ on: default_runs_on: required: true type: string + debug: + required: false + type: string jobs: build: @@ -49,6 +52,7 @@ jobs: bundle_version: ${{ inputs.bundle_version }} event_name: ${{ inputs.event_name }} default_runs_on: ${{ inputs.default_runs_on }} + debug: ${{ inputs.debug }} build-tsql-package: if: ${{ inputs.event_name == 'tsql-pipeline-scan' || inputs.event_name == 'tsql-policy-scan' || inputs.event_name == 'tsql-sandbox-scan'}} 
@@ -84,4 +88,4 @@ jobs: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} token: ${{ inputs.token }} - default_runs_on: ${{ inputs.default_runs_on }} \ No newline at end of file + default_runs_on: ${{ inputs.default_runs_on }} diff --git a/.github/workflows/veracode-check-run.yml b/.github/workflows/veracode-check-run.yml index b7365ec50..ae9288dc7 100644 --- a/.github/workflows/veracode-check-run.yml +++ b/.github/workflows/veracode-check-run.yml 
@@ -46,37 +46,56 @@ jobs: create_check_run: runs-on: ${{ fromJson(inputs.default_runs_on) }} outputs: - run_id: ${{ fromJson(steps.create_check_run.outputs.data).id }} - steps: - # Create check run - - name: GitHub API Request to create a check - uses: octokit/request-action@v2.x - id: create_check_run + run_id: ${{ steps.create_check.outputs.run_id }} + + steps: + - name: Setup Node.js + uses: actions/setup-node@v4 + + - name: Create check run via GitHub API + id: create_check + uses: actions/github-script@v7 with: - route: POST /repos/{owner}/{repo}/check-runs - env: - GITHUB_TOKEN: ${{ inputs.github_token }} - INPUT_OWNER: ${{ inputs.repositroy_owner }} - INPUT_REPO: ${{ inputs.repositroy_name }} - INPUT_NAME: ${{ inputs.check_run_name }} - INPUT_HEAD_SHA: ${{ inputs.head_sha }} - INPUT_DETAILS_URL: "https://github.com/${{ github.repository }}/actions/runs/${{ inputs.run_id }}" - - - name: Create metadata - id: create-metadata-json - run: | - echo '{ - "check_run_type": "${{ inputs.event_type }}", - "repository_name": "${{ inputs.repositroy_name }}", - "check_run_id": ${{ fromJson(steps.create_check_run.outputs.data).id }}, - "branch": "${{ inputs.branch }}", - "sha": "${{ inputs.head_sha }}" - }' > workflow-metadata.json - echo "run_id=${{ fromJson(steps.create_check_run.outputs.data).id }}" >> "GITHUB_OUTPUT" - shell: bash + github-token: ${{ inputs.github_token }} + script: | + const owner = '${{ inputs.repositroy_owner }}' + const repo = '${{ inputs.repositroy_name }}' + const name = '${{ inputs.check_run_name }}' + const head_sha = '${{ inputs.head_sha }}' + const details_url = `https://github.com/${{ github.repository }}/actions/runs/${{ inputs.run_id }}` + + const response = await github.rest.checks.create({ + owner, + repo, + name, + head_sha, + status: 'in_progress', + details_url + }) + + const checkRunId = response.data.id + core.setOutput('run_id', checkRunId) + + // Create workflow-metadata.json + const fs = require('fs') + + const metadata = { + 
check_run_type: '${{ inputs.event_type }}', + repository_name: repo, + check_run_id: checkRunId, + branch: '${{ inputs.branch }}', + sha: head_sha + } + + fs.writeFileSync( + 'workflow-metadata.json', + JSON.stringify(metadata, null, 2) + ) + + core.info(`Created check run ${checkRunId}`) - name: Save metadata uses: actions/upload-artifact@v4 with: name: workflow-metadata - path: workflow-metadata.json \ No newline at end of file + path: workflow-metadata.json diff --git a/.github/workflows/veracode-clean-up.yml b/.github/workflows/veracode-clean-up.yml index ccdfdb002..2b4f2f3d7 100644 --- a/.github/workflows/veracode-clean-up.yml +++ b/.github/workflows/veracode-clean-up.yml @@ -14,7 +14,7 @@ jobs: if: contains(runner.os, 'Linux') run: | echo "Running final cleanup..." - sudo rm -rf $GITHUB_WORKSPACE/ + sudo rm -rf $GITHUB_WORKSPACE/* - name: Cleanup workspace and Docker - Windows if: contains(runner.os, 'Windows') diff --git a/.github/workflows/veracode-code-analysis.yml b/.github/workflows/veracode-code-analysis.yml index bdc2861c1..3cf4c1ba7 100644 --- a/.github/workflows/veracode-code-analysis.yml +++ b/.github/workflows/veracode-code-analysis.yml @@ -33,7 +33,13 @@ on: - ruby-policy-scan jobs: + cleanup: + uses: ./.github/workflows/veracode-clean-up.yml + with: + runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} + register: + needs: cleanup uses: ./.github/workflows/veracode-check-run.yml with: check_run_name: ${{ github.workflow }} - ${{ contains(github.event.action, 'policy') && 'Policy' || 'Pipeline' }} @@ -95,6 +101,7 @@ jobs: ruby_version: ${{ github.event.client_payload.user_config.ruby_version }} bundle_version: ${{ github.event.client_payload.user_config.bundle_version }} default_runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} + debug: ${{ github.event.client_payload.user_config.debug }} pipeline_scan: # needs the build step before this job will start running 
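Review bot: The create_check script interpolates workflow inputs into JavaScript string literals — `const name = '${{ inputs.check_run_name }}'`, `const head_sha = '${{ inputs.head_sha }}'`, `branch: '${{ inputs.branch }}'` — and git ref names may legally contain `'`, `(`, `)` and `;`, so a branch named to close the literal executes arbitrary code with `inputs.github_token` (the octokit/request-action step being replaced passed these as `INPUT_*` env vars and was not exposed this way). Route every input through the step's `env:` and read `process.env` inside the script, as sketched below. The added `actions/setup-node@v4` step also appears unused: github-script executes on the runner's own Node and nothing else in this job invokes `node`.
```yaml
      - name: Create check run via GitHub API
        id: create_check
        uses: actions/github-script@v7
        env:
          OWNER: ${{ inputs.repositroy_owner }}
          REPO: ${{ inputs.repositroy_name }}
          CHECK_NAME: ${{ inputs.check_run_name }}
          HEAD_SHA: ${{ inputs.head_sha }}
          BRANCH: ${{ inputs.branch }}
          EVENT_TYPE: ${{ inputs.event_type }}
          DETAILS_URL: https://github.com/${{ github.repository }}/actions/runs/${{ inputs.run_id }}
        with:
          github-token: ${{ inputs.github_token }}
          script: |
            const { OWNER: owner, REPO: repo, CHECK_NAME: name, HEAD_SHA: head_sha,
                    BRANCH: branch, EVENT_TYPE: check_run_type, DETAILS_URL: details_url } = process.env
            // … unchanged: checks.create call, run_id output, workflow-metadata.json (use branch/check_run_type here) …
```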
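Review bot: `sudo rm -rf $GITHUB_WORKSPACE/*` no longer matches dot-entries, so `.git` (and any credentials actions/checkout persisted into `.git/config`) and other hidden files survive the cleanup that this series now runs at the start of every workflow, and the unquoted, unguarded variable means an empty `GITHUB_WORKSPACE` turns the command into `rm -rf /*` under sudo. Use a form that fails closed and removes everything below the workspace: `sudo find "${GITHUB_WORKSPACE:?}" -mindepth 1 -delete`. This step is Linux-only; the body of the Windows variant named in the context line is outside this hunk and should get the equivalent guard.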
@@ -118,6 +125,7 @@ jobs: filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }} language: ${{ github.event.client_payload.repository.language }} default_runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} + debug: ${{ github.event.client_payload.user_config.debug }} secrets: inherit policy_scan: @@ -142,4 +150,5 @@ jobs: filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }} language: ${{ github.event.client_payload.repository.language }} default_runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} - secrets: inherit \ No newline at end of file + debug: ${{ github.event.client_payload.user_config.debug }} + secrets: inherit diff --git a/.github/workflows/veracode-default-build.yml b/.github/workflows/veracode-default-build.yml index 200370c78..ed77afc04 100644 --- a/.github/workflows/veracode-default-build.yml +++ b/.github/workflows/veracode-default-build.yml @@ -32,6 +32,9 @@ on: default_runs_on: required: true type: string + debug: + required: false + type: string jobs: build-prepare: @@ -42,8 +45,10 @@ jobs: steps: - name: Identify the runner OS id: identify_runner_os - shell: bash - run: echo "runner_os=${{ runner.os }}" >> $GITHUB_OUTPUT + uses: actions/github-script@v7 + with: + script: | + core.setOutput('runner_os', process.env.RUNNER_OS); build-linux: needs: build-prepare @@ -103,7 +108,14 @@ jobs: bundle install cd .. fi - veracode package --source source-code --output veracode-artifacts --trust --verbose + PACKAGE_CMD="veracode package --source source-code --output veracode-artifacts --trust" + + if [[ "${{ inputs.debug }}" == "true" ]]; then + PACKAGE_CMD="$PACKAGE_CMD --verbose" + fi + + echo "Running: $PACKAGE_CMD" + eval "$PACKAGE_CMD" # ---------------- Error handler ---------------- - name: Package error 
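Review bot: The new `eval "$PACKAGE_CMD"` re-parses a command line for no gain and is inconsistent with the Windows step in this same commit, which builds an argument array and splats it; a bash array does the same safely: `args=(package --source source-code --output veracode-artifacts --trust)`, `if [[ "$DEBUG" == "true" ]]; then args+=(--verbose); fi`, `veracode "${args[@]}"`. Set `DEBUG: ${{ inputs.debug }}` in the step's `env:` rather than expanding `${{ inputs.debug }}` inside the script, so the flag — which originates in the repository_dispatch payload — is never interpreted as shell text. The rest of this `run:` block (the bundle install branch) begins above the hunk.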
@@ -185,7 +197,19 @@ jobs: run: | $working_path = (Get-Location).Path "working_dir=$working_path" | Out-File -FilePath $env:GITHUB_OUTPUT -Append -Encoding utf8 - & $env:VERACODE_CLI package --source source-code --output veracode-artifacts --trust --verbose + $packageArgs = @( + "package", + "--source", "source-code", + "--output", "veracode-artifacts", + "--trust" + ) + + if ("${{ inputs.debug }}" -eq "true") { + $packageArgs += "--verbose" + } + + Write-Host "Running: veracode $($packageArgs -join ' ')" + & $env:VERACODE_CLI @packageArgs # ---------------- Error handler ---------------- - name: Package error @@ -198,4 +222,4 @@ jobs: with: name: veracode-artifact path: "${{ steps.application_package_windows.outputs.working_dir }}/veracode-artifacts/*" - if-no-files-found: error \ No newline at end of file + if-no-files-found: error diff --git a/.github/workflows/veracode-iac-secrets-scan.yml b/.github/workflows/veracode-iac-secrets-scan.yml index 2e78f911f..437ac1f80 100644 --- a/.github/workflows/veracode-iac-secrets-scan.yml +++ b/.github/workflows/veracode-iac-secrets-scan.yml @@ -11,7 +11,13 @@ on: types: [veracode-iac-secrets-scan] jobs: + cleanup: + uses: ./.github/workflows/veracode-clean-up.yml + with: + runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} + register: + needs: cleanup uses: ./.github/workflows/veracode-check-run.yml with: check_run_name: ${{ github.workflow }} @@ -52,8 +58,9 @@ jobs: repository: ${{ github.event.client_payload.repository.full_name }} ref: ${{ github.event.client_payload.sha }} token: ${{ github.event.client_payload.token }} + - name: Run Veracode IaC/Secrets Scanning - uses: veracode/container_iac_secrets_scanning@v1.0.6 + uses: veracode/container_iac_secrets_scanning@v1.0.7 with: vid: ${{ secrets.VERACODE_API_ID }} vkey: ${{ secrets.VERACODE_API_KEY }} 
@@ -61,13 +68,6 @@ jobs: type: "directory" source: "./" format: "json" - debug: false + debug: ${{ github.event.client_payload.user_config.debug }} fail_build: ${{ github.event.client_payload.user_config.break_build_policy_findings }} fail_build_on_error: ${{ github.event.client_payload.user_config.break_build_on_error }} - - cleanup: - needs: veracode-iac-secrets-scan - if: always() - uses: ./.github/workflows/veracode-clean-up.yml - with: - runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} \ No newline at end of file diff --git a/.github/workflows/veracode-pipeline-scan.yml b/.github/workflows/veracode-pipeline-scan.yml index 4633ba982..3870c7bf9 100644 --- a/.github/workflows/veracode-pipeline-scan.yml +++ b/.github/workflows/veracode-pipeline-scan.yml @@ -51,6 +51,9 @@ on: default_runs_on: required: true type: string + debug: + required: false + type: string jobs: prepare_pipeline_scan: @@ -72,12 +75,15 @@ jobs: - name: Get list of files for matrix id: get-files - run: | - files=$(ls -1 veracode_artifact_directory | jq -R . | jq -s .) - echo "Files for matrix: $files" - files=$(echo $files | jq -c .) # Compact the JSON array to a single line - echo "matrix_files=$files" >> $GITHUB_OUTPUT - shell: bash + uses: actions/github-script@v7 + with: + script: | + const fs = require('fs') + const dir = 'veracode_artifact_directory' + const files = fs.readdirSync(dir) + + core.info(`Files for matrix: ${JSON.stringify(files)}`) + core.setOutput('matrix_files', JSON.stringify(files)) pipeline_scan: runs-on: ${{ fromJson(inputs.default_runs_on) }} 
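Review bot: Deleting the trailing `cleanup` job (`if: always()`) means the checked-out source of the scanned repository — and, unless the checkout step above (presumably actions/checkout, given its `repository`/`ref`/`token` inputs) sets `persist-credentials: false`, the payload token it writes into `.git/config` — now stays on disk from the end of this run until the next workflow's leading cleanup job, which on a self-hosted runner selected via `default_runs_on` may be indefinitely. Keep an end-of-run cleanup alongside the new leading one, or at minimum add `persist-credentials: false` to the checkout step. Also, `debug: ${{ github.event.client_payload.user_config.debug }}` replaces an explicit `false`; when `user_config.debug` is absent the input becomes an empty string, so confirm the action treats that as disabled or use `${{ github.event.client_payload.user_config.debug == true }}`.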
@@ -98,11 +104,14 @@ jobs: with: name: veracode-artifact path: ./veracode_artifact_directory + - name: Debug Matrix Content - run: | - echo "Raw matrix files: ${{ needs.prepare_pipeline_scan.outputs.matrix_files }}" - echo "Current Matrix: ${{ matrix }}" - echo "Current File: ${{ matrix.file }}" + uses: actions/github-script@v7 + with: + script: | + console.log('Raw matrix files:', `${{ needs.prepare_pipeline_scan.outputs.matrix_files }}`) + console.log('Current matrix:', JSON.stringify(${{ toJSON(matrix) }})) + console.log('Current file:', '${{ matrix.file }}') - name: Veracode Pipeline-Scan if: always() @@ -120,7 +129,7 @@ jobs: json_output_file: ${{ strategy.job-index }}-results.json filtered_json_output_file: ${{ strategy.job-index }}-filtered_results.json artifact_name: ${{ matrix.file }} - debug: 1 + debug: ${{ inputs.debug == true && '1' || '0' }} workflow_app: true - name: Veracode Pipeline Results 
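Review bot: `debug: ${{ inputs.debug == true && '1' || '0' }}` can never yield `'1'`: `debug` is declared `type: string` in this file, and an expression comparison between a string and a boolean coerces the string to a number (`'true'` becomes NaN), so the comparison is always false and pipeline-scan debug output stays off whatever the payload says. Compare against the string, as the bash steps in veracode-default-build.yml do: `debug: ${{ inputs.debug == 'true' && '1' || '0' }}`. Declaring the input `type: boolean` would also work, but then every caller forwarding `user_config.debug` must supply a real boolean rather than a string.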
@@ -161,45 +170,41 @@ jobs: github-token: ${{ inputs.token }} repo_name: ${{ inputs.repo }} commitHash: ${{ inputs.sha }} - + update-checks-status: runs-on: ${{ fromJson(inputs.default_runs_on) }} needs: pipeline_scan if: always() steps: - - name: Update check - id: update_check_status - shell: bash - env: - BREAK_BUILD_ON_ERROR: ${{ inputs.break_build_on_error }} - BREAK_BUILD_ON_POLICY: ${{ inputs.break_build_policy_findings }} - run: | - success_count=0 - conclusion="failure" - # Convert JSON string to a proper format for jq processing - echo '${{ toJSON(needs) }}' | jq -c 'to_entries[]' | while read -r job; do - status=$(echo "$job" | jq -r '.value.result') - echo "$status" - if [ "$status" = "success" ]; then - success_count=$((success_count + 1)) - echo '{"status": "completed", "conclusion": "success"}' > payload.txt - elif [ "$status" = "failure" ]; then - if [ "$BREAK_BUILD_ON_ERROR" = "false" && "$BREAK_BUILD_ON_POLICY" = "false" ]; then - echo '{"status": "completed", "conclusion": "success"}' > payload.txt - else - echo '{"status": "completed", "conclusion": "failure"}' > payload.txt - fi - fi - curl -X PATCH \ - -H "Authorization: Bearer ${{ inputs.token }}" \ - -H "Accept: application/vnd.github+json" \ - https://api.github.com/repos/${{ inputs.owner }}/${{ inputs.repo }}/check-runs/${{ inputs.check_run_id }} \ - -d @"payload.txt" - done - - cleanup: - needs: update-checks-status - if: always() - uses: ./.github/workflows/veracode-clean-up.yml - with: - runs_on: ${{ inputs.default_runs_on }} \ No newline at end of file + - name: Update check + id: update_check_status + uses: actions/github-script@v7 + with: + github-token: ${{ inputs.token }} + script: | + const needs = ${{ toJSON(needs) }} + const breakOnError = '${{ inputs.break_build_on_error }}' === 'true' + const breakOnPolicy = '${{ inputs.break_build_policy_findings }}' === 'true' + + let conclusion = 'success' + + for (const [jobName, job] of Object.entries(needs)) { + core.info(`Job ${jobName} 
result: ${job.result}`) + + if (job.result === 'failure') { + if (breakOnError || breakOnPolicy) { + conclusion = 'failure' + break + } + } + } + + core.info(`Final check conclusion: ${conclusion}`) + + await github.rest.checks.update({ + owner: '${{ inputs.owner }}', + repo: '${{ inputs.repo }}', + check_run_id: Number('${{ inputs.check_run_id }}'), + status: 'completed', + conclusion + }) diff --git a/.github/workflows/veracode-policy-scan.yml b/.github/workflows/veracode-policy-scan.yml index 2af99737f..d671a95e4 100644 --- a/.github/workflows/veracode-policy-scan.yml +++ b/.github/workflows/veracode-policy-scan.yml @@ -54,6 +54,9 @@ on: default_runs_on: required: true type: string + debug: + required: false + type: string jobs: policy_scan: @@ -71,14 +74,18 @@ jobs: name: veracode-artifact path: ./veracode_artifact_directory - - name: set version - shell: bash - run: | - echo "VERSION=${{ github.run_id }}-$(date +'%Y%m%d-%H%M%S')" >> $GITHUB_ENV + - name: Set version + uses: actions/github-script@v7 + with: + script: | + core.exportVariable( + 'VERSION', + `${process.env.GITHUB_RUN_ID}-${new Date().toISOString().replace(/[-:]/g,'').slice(0,15)}` + ) # run the policy scan action - name: Veracode Upload and Scan Action Step - uses: veracode/uploadandscan-action@v0.1.9 + uses: veracode/uploadandscan-action@SDEVX-9690 id: upload_and_scan with: appname: ${{ inputs.profile_name }} @@ -94,6 +101,8 @@ jobs: failbuild: ${{ inputs.break_build_policy_findings }} gitRepositoryUrl: ${{ github.server_url }}/${{ inputs.source_repository }} deleteincompletescan: true + workflowApp: true + debug: ${{ inputs.debug }} - name: Veracode Policy Results id: prepare-results 
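Review bot: The loop treats every result other than `'failure'` as success, so a `cancelled` or `skipped` pipeline_scan job completes the check run with `conclusion: 'success'` — and with `if: always()` on this job, that is precisely when it executes. Map those states explicitly, e.g. `if (job.result === 'cancelled') { conclusion = 'cancelled'; break }` ahead of the failure branch, and decide whether `skipped` should become `neutral` rather than `success`. Separately, `inputs.break_build_on_error`, `inputs.break_build_policy_findings`, `inputs.owner` and `inputs.repo` are expanded straight into JavaScript string literals; pass them through the step's `env:` and read `process.env` so a quote in an input cannot alter the script.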
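Review bot: The new Set version step changes the format of the exported `VERSION`: `toISOString().replace(/[-:]/g,'').slice(0,15)` yields `YYYYMMDDTHHMMSS` in UTC, whereas the `date +'%Y%m%d-%H%M%S'` it replaces yielded `YYYYMMDD-HHMMSS` in the runner's local time. If anything in Veracode or downstream reporting parses or sorts on the scan version name, preserve the old shape: `const t = new Date().toISOString().replace(/[-:]/g, '')` and export `process.env.GITHUB_RUN_ID + '-' + t.slice(0, 8) + '-' + t.slice(9, 15)`. The move to UTC is arguably an improvement either way and deserves a one-line comment in the step so the next reader does not "fix" it back.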
@@ -183,10 +192,3 @@ jobs: repo_name: ${{ inputs.repo }} github-token: ${{ inputs.token }} commitHash: ${{ inputs.sha }} - - cleanup: - needs: [policy_scan, veracode-remove-sandbox, code-scanning-alert, create-issues] - if: always() - uses: ./.github/workflows/veracode-clean-up.yml - with: - runs_on: ${{ inputs.default_runs_on }} \ No newline at end of file diff --git a/.github/workflows/veracode-remove-sandbox.yml b/.github/workflows/veracode-remove-sandbox.yml index a2f05a4c3..84fed155d 100644 --- a/.github/workflows/veracode-remove-sandbox.yml +++ b/.github/workflows/veracode-remove-sandbox.yml @@ -17,14 +17,22 @@ jobs: steps: - name: Create metadata id: create_metadata_json - shell: bash - run: | - echo '{ - "check_run_type": "${{ github.event.client_payload.event_type }}", - "repository_name": "${{ github.event.client_payload.repository.name }}", - "check_run_id": "", - "sha": "${{ github.event.client_payload.sha }}" - }' > workflow-metadata.json + uses: actions/github-script@v7 + with: + script: | + const fs = require('fs') + + const metadata = { + check_run_type: '${{ github.event.client_payload.event_type }}', + repository_name: '${{ github.event.client_payload.repository.name }}', + check_run_id: '', + sha: '${{ github.event.client_payload.sha }}' + } + + fs.writeFileSync( + 'workflow-metadata.json', + JSON.stringify(metadata, null, 2) + ) - name: Save metadata uses: actions/upload-artifact@v4 @@ -50,4 +58,4 @@ jobs: if: always() uses: ./.github/workflows/veracode-clean-up.yml with: - runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} \ No newline at end of file + runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} diff --git a/.github/workflows/veracode-sandbox-scan.yml b/.github/workflows/veracode-sandbox-scan.yml index 6f12b7e74..38c2c2720 100644 --- a/.github/workflows/veracode-sandbox-scan.yml +++ b/.github/workflows/veracode-sandbox-scan.yml 
@@ -21,7 +21,13 @@ on: - ruby-sandbox-scan jobs: + cleanup: + uses: ./.github/workflows/veracode-clean-up.yml + with: + runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} + build: + needs: cleanup uses: ./.github/workflows/veracode-build-artifact-for-scanning.yml with: repository: ${{ github.event.client_payload.repository.full_name }} @@ -53,7 +59,7 @@ jobs: # run the policy scan action - name: Veracode Upload and Scan Action Step - uses: veracode/uploadandscan-action@v0.1.9 + uses: veracode/uploadandscan-action@SDEVX-9690 id: upload_and_scan with: appname: ${{ github.event.client_payload.user_config.profile_name }} @@ -68,10 +74,5 @@ jobs: failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }} gitRepositoryUrl: ${{ github.server_url }}/${{ github.event.client_payload.repository.full_name }} deleteincompletescan: true - - cleanup: - needs: sandbox_scan - if: always() - uses: ./.github/workflows/veracode-clean-up.yml - with: - runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} \ No newline at end of file + workflowApp: true + debug: ${{ github.event.client_payload.user_config.debug }} diff --git a/.github/workflows/veracode-sca-scan.yml b/.github/workflows/veracode-sca-scan.yml index f0091624b..83f2ab7da 100644 --- a/.github/workflows/veracode-sca-scan.yml +++ b/.github/workflows/veracode-sca-scan.yml @@ -11,7 +11,13 @@ on: types: [veracode-sca-scan] jobs: + cleanup: + uses: ./.github/workflows/veracode-clean-up.yml + with: + runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} + register: + needs: cleanup uses: ./.github/workflows/veracode-check-run.yml with: check_run_name: ${{ github.workflow }} 
@@ -40,100 +46,90 @@ jobs: with: path: 'veracode-helper' - - name: Find yarn JS apps using workspaces - Linux - if: contains(runner.os, 'Linux') - run: | - if [ -f "package.json" ] && [ -f "pnpm-lock.yaml" ] && [ -f "pnpm-workspace.yaml" ]; then - echo "- The file package.json, pnpm-lock.yml and pnpm-workspace.yaml exist. This looks like a PNPM workspace project." - if grep -q "workspaces" "package.json"; then - echo "-- The package.json file contains workspaces - running PNPM lockfile generator" - node veracode-helper/helper/pnpm-helper.js --folder '/home/runner/work/veracode/veracode' --intRepoPrefix '${{ github.event.client_payload.repository.owner }}' --repoName '${{ github.event.client_payload.repository.name }}' - else - echo "-- The package.json file does not contain workspace - this will fail - exiting" - fi - elif [ -f "package.json" ] && [ ! -f "pnpm-lock.yml" ] && [ ! -f "pnpm-workspace.yaml" ]; then - if grep -q "workspaces" "package.json"; then - echo "- The package.json file exists, and it contains 'workspaces'." - if grep -q "yarn" "package.json"; then - echo "-- Yarn was identified on the package.json file" - version=$(grep 'yarn' package.json | grep -oE '[0-9]' | head -n 1) - if [ -z "$version" ]; then - echo "-- The yarn version could not be identified." - else - echo "-- The yarn version is: $version" - - if [ $version -lt "3" ]; then - echo "---- Running v2 lockfile generator" - node veracode-helper/helper/yarn-lock-file-generator-v2.js --folder /home/runner/work/veracode/veracode - elif [ $version -ge "3" ]; then - echo "---- Running v3 lockfile generator" - node veracode-helper/helper/yarn-lock-file-generator-v3.js --folder /home/runner/work/veracode/veracode - fi - fi - else - echo "- Yarn was not identified on the package.json file" - fi - else - echo "- The package.json file exists, but it does not contain 'workspaces'." - fi - else - echo "The package.json file does not exist." 
- fi - rm -rf veracode-helper - - - name: Find yarn JS apps using workspaces - Windows - shell: pwsh - if: contains(runner.os, 'Windows') - run: | - if ((Test-Path "package.json") -and (Test-Path "pnpm-lock.yaml") -and (Test-Path "pnpm-workspace.yaml")) { - Write-Host "- The files package.json, pnpm-lock.yaml, and pnpm-workspace.yaml exist. This looks like a PNPM workspace project." - $packageJson = Get-Content "package.json" -Raw - if ($packageJson -match '"workspaces"') { - Write-Host "-- The package.json file contains workspaces - running PNPM lockfile generator" - node "veracode-helper/helper/pnpm-helper.js" ` - --folder "/home/runner/work/veracode/veracode" ` - --intRepoPrefix "${{ github.event.client_payload.repository.owner }}" ` - --repoName "${{ github.event.client_payload.repository.name }}" - } - else { - Write-Host "-- The package.json file does not contain workspaces - exiting" + - name: Detect workspace and generate lockfiles + uses: actions/github-script@v7 + with: + script: | + const fs = require('fs') + const path = require('path') + const { execSync } = require('child_process') + + const rootDir = '/home/runner/work/veracode/veracode' + const packageJsonPath = path.join(rootDir, 'package.json') + const pnpmLock = path.join(rootDir, 'pnpm-lock.yaml') + const pnpmWorkspace = path.join(rootDir, 'pnpm-workspace.yaml') + + const owner = '${{ github.event.client_payload.repository.owner }}' + const repo = '${{ github.event.client_payload.repository.name }}' + + const exists = p => fs.existsSync(p) + + if (exists(packageJsonPath) && exists(pnpmLock) && exists(pnpmWorkspace)) { + core.info( + '- The file package.json, pnpm-lock.yaml and pnpm-workspace.yaml exist. This looks like a PNPM workspace project.' 
+ ) + + const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8')) + + if (pkg.workspaces) { + core.info('-- The package.json file contains workspaces - running PNPM lockfile generator') + execSync( + `node veracode-helper/helper/pnpm-helper.js \ + --folder "${rootDir}" \ + --intRepoPrefix "${owner}" \ + --repoName "${repo}"`, + { stdio: 'inherit' } + ) + } else { + core.warning('-- The package.json file does not contain workspace - this will fail') } - } - elseif ((Test-Path "package.json") -and -not (Test-Path "pnpm-lock.yaml") -and -not (Test-Path "pnpm-workspace.yaml")) { - $packageJson = Get-Content "package.json" -Raw - if ($packageJson -match '"workspaces"') { - Write-Host "- The package.json file exists and contains 'workspaces'." - if ($packageJson -match '"yarn"') { - Write-Host "-- Yarn was identified in the package.json file" - $match = Select-String '"yarn"' package.json | Select-Object -First 1 - $version = ($match.Line -split '\D+' | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1) - if (-not $version) { - Write-Host "-- The yarn version could not be identified." 
- } - else { - Write-Host "-- The yarn version is: $version" - if ([int]$version -lt 3) { - Write-Host "---- Running v2 lockfile generator" - node "veracode-helper/helper/yarn-lock-file-generator-v2.js" --folder "/home/runner/work/veracode/veracode" - } - elseif ([int]$version -ge 3) { - Write-Host "---- Running v3 lockfile generator" - node "veracode-helper/helper/yarn-lock-file-generator-v3.js" --folder "/home/runner/work/veracode/veracode" - } - } + + } else if (exists(packageJsonPath) && !exists(pnpmLock) && !exists(pnpmWorkspace)) { + const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8')) + + if (pkg.workspaces) { + core.info("- The package.json file exists, and it contains 'workspaces'.") + + const pkgText = fs.readFileSync(packageJsonPath, 'utf8') + + if (pkgText.includes('yarn')) { + core.info('-- Yarn was identified on the package.json file') + + const match = pkgText.match(/yarn[^0-9]*([0-9]+)/) + const version = match?.[1] + + if (!version) { + core.warning('-- The yarn version could not be identified.') + } else { + core.info(`-- The yarn version is: ${version}`) + + if (Number(version) < 3) { + core.info('---- Running v2 lockfile generator') + execSync( + `node veracode-helper/helper/yarn-lock-file-generator-v2.js --folder "${rootDir}"`, + { stdio: 'inherit' } + ) + } else { + core.info('---- Running v3 lockfile generator') + execSync( + `node veracode-helper/helper/yarn-lock-file-generator-v3.js --folder "${rootDir}"`, + { stdio: 'inherit' } + ) } - else { - Write-Host "- Yarn was not identified in the package.json file" - } - } - else { - Write-Host "- The package.json file exists, but it does not contain 'workspaces'." + } + } else { + core.info('- Yarn was not identified on the package.json file') } + } else { + core.info("- The package.json file exists, but it does not contain 'workspaces'.") + } + + } else { + core.info('The package.json file does not exist.') } - else { - Write-Host "The package.json file does not exist." 
- } - Remove-Item -Recurse -Force "veracode-helper" -ErrorAction SilentlyContinue + + // Cleanup + fs.rmSync('veracode-helper', { recursive: true, force: true }) - name: Run Veracode SCA env: @@ -146,10 +142,4 @@ jobs: recursive: true allow-dirty: true breakBuildOnPolicyFindings: ${{ github.event.client_payload.user_config.break_build_policy_findings }} - - cleanup: - needs: veracode-sca-scan - if: always() - uses: ./.github/workflows/veracode-clean-up.yml - with: - runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} \ No newline at end of file + debug: ${{ github.event.client_payload.user_config.debug }} \ No newline at end of file From dcb3f28016eb44326b642ef7beb33f792324c4c2 Mon Sep 17 00:00:00 2001 From: Karthik Bharadwaj Date: Thu, 5 Feb 2026 00:18:07 +0530 Subject: [PATCH 2/4] Revert node scripts back to bash --- ...nary-ready-veracode-sast-pipeline-scan.yml | 87 ++++----- ...binary-ready-veracode-sast-policy-scan.yml | 2 +- .github/workflows/veracode-check-run.yml | 71 +++----- .github/workflows/veracode-default-build.yml | 6 +- .github/workflows/veracode-pipeline-scan.yml | 82 ++++----- .github/workflows/veracode-policy-scan.yml | 12 +- .github/workflows/veracode-remove-sandbox.yml | 24 +-- .github/workflows/veracode-sca-scan.yml | 170 +++++++++--------- 8 files changed, 205 insertions(+), 249 deletions(-) diff --git a/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml b/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml index b270d8790..78c687352 100644 --- a/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml +++ b/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml 
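Review bot: `rootDir` is hard-coded to `/home/runner/work/veracode/veracode`, yet this job runs on `default_runs_on`, which the deleted Linux/Windows step pair suggests may be Windows or self-hosted; on any runner where that path does not exist every `exists()` check fails, the step logs "The package.json file does not exist." and silently skips lockfile generation, which may leave the following SCA step without a lockfile. Derive the path from the runner instead: `const rootDir = process.env.GITHUB_WORKSPACE`. The helper invocations should also use `execFileSync('node', ['veracode-helper/helper/pnpm-helper.js', '--folder', rootDir, '--intRepoPrefix', owner, '--repoName', repo], { stdio: 'inherit' })` rather than an interpolated shell string, which removes the quoting concern around `owner`/`repo` — values that are themselves spliced into the script from the dispatch payload and are safer read from the step `env:`.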
@@ -85,15 +85,12 @@ jobs: - name: Get list of files for matrix id: get-files - uses: actions/github-script@v7 - with: - script: | - const fs = require('fs') - const dir = 'veracode_artifact_directory' - const files = fs.readdirSync(dir) - - core.info(`Files for matrix: ${JSON.stringify(files)}`) - core.setOutput('matrix_files', JSON.stringify(files)) + run: | + files=$(ls -1 veracode_artifact_directory | jq -R . | jq -s .) + echo "Files for matrix: $files" + files=$(echo $files | jq -c .) # Compact the JSON array to a single line + echo "matrix_files=$files" >> $GITHUB_OUTPUT + shell: bash pipeline_scan: runs-on: ${{ fromJSON(github.event.client_payload.user_config.default_runs_on) }} @@ -120,12 +117,10 @@ jobs: path: ./veracode_artifact_directory - name: Debug Matrix Content - uses: actions/github-script@v7 - with: - script: | - console.log('Raw matrix files:', `${{ needs.prepare_pipeline_scan.outputs.matrix_files }}`) - console.log('Current matrix:', JSON.stringify(${{ toJSON(matrix) }})) - console.log('Current file:', '${{ matrix.file }}') + run: | + echo "Raw matrix files: ${{ needs.prepare_pipeline_scan.outputs.matrix_files }}" + echo "Current Matrix: ${{ matrix }}" + echo "Current File: ${{ matrix.file }}" # run the pipeline scan action - name: Veracode Pipeline-Scan 
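Review bot: The restored `files=$(ls -1 veracode_artifact_directory | jq -R . | jq -s .)` derives the scan matrix from parsed `ls` output, so a file name containing a newline produces two bogus entries and an empty artifact directory produces `[]`, which appears to fail the dependent `pipeline_scan` job at strategy evaluation with no hint about the cause; the `readdirSync` version being reverted had the same empty-directory gap. `echo $files | jq -c .` is also unquoted, so a `*` or `?` in a name is glob-expanded before `jq` sees it. Quote it, `files=$(echo "$files" | jq -c .)`, and fail early with a message: `[ "$files" != "[]" ] || { echo "::error::no files in veracode_artifact_directory"; exit 1; }`.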
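Review bot: The restored `echo "Current File: ${{ matrix.file }}"` and `echo "Raw matrix files: ${{ needs.prepare_pipeline_scan.outputs.matrix_files }}"` splice artifact file names directly into a `run:` script, the standard GitHub Actions script-injection shape: the names come from the downloaded `veracode_artifact_directory`, so a file named with `$(…)`, backticks or a closing quote is executed by the runner shell with whatever secrets this job exposes (the credentials used by the later scan step are outside this hunk). The `github-script` version being reverted had the same exposure through its `'${{ matrix.file }}'` string literal, so this is not a regression, but it is the right place to close it. Pass the values through `env:` — `MATRIX_FILE: ${{ matrix.file }}` and `MATRIX_FILES: ${{ needs.prepare_pipeline_scan.outputs.matrix_files }}` — and echo `"$MATRIX_FILE"` / `"$MATRIX_FILES"` instead.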
@@ -193,38 +188,30 @@ jobs: steps: - name: Update check id: update_check_status - uses: actions/github-script@v7 - with: - github-token: ${{ github.event.client_payload.token }} - script: | - const core = require('@actions/core') - - const needs = ${{ toJSON(needs) }} - - const breakOnError = - '${{ github.event.client_payload.user_config.break_build_on_error }}' === 'true' - const breakOnPolicy = - '${{ github.event.client_payload.user_config.break_build_policy_findings }}' === 'true' - - let conclusion = 'success' - - for (const [jobName, job] of Object.entries(needs)) { - core.info(`Job ${jobName}: ${job.result}`) - - if (job.result === 'failure') { - if (breakOnError || breakOnPolicy) { - conclusion = 'failure' - break - } - } - } - - core.info(`Final check conclusion: ${conclusion}`) - - await github.rest.checks.update({ - owner: '${{ github.event.client_payload.repository.owner }}', - repo: '${{ github.event.client_payload.repository.name }}', - check_run_id: Number('${{ needs.register.outputs.run_id }}'), - status: 'completed', - conclusion - }) + shell: bash + env: + BREAK_BUILD_ON_ERROR: ${{ github.event.client_payload.user_config.break_build_on_error }} + BREAK_BUILD_ON_POLICY: ${{ github.event.client_payload.user_config.break_build_policy_findings }} + run: | + success_count=0 + conclusion="failure" + # Convert JSON string to a proper format for jq processing + echo '${{ toJSON(needs) }}' | jq -c 'to_entries[]' | while read -r job; do + status=$(echo "$job" | jq -r '.value.result') + echo "$status" + if [ "$status" = "success" ]; then + success_count=$((success_count + 1)) + echo '{"status": "completed", "conclusion": "success"}' > payload.txt + elif [ "$status" = "failure" ]; then + if [ "$BREAK_BUILD_ON_ERROR" = "false" && "$BREAK_BUILD_ON_POLICY" = "false" ]; then + echo '{"status": "completed", "conclusion": "success"}' > payload.txt + else + echo '{"status": "completed", "conclusion": "failure"}' > payload.txt + fi + fi + curl -X PATCH \ + -H 
"Authorization: Bearer ${{ github.event.client_payload.token }}" \ + -H "Accept: application/vnd.github+json" \ + https://api.github.com/repos/${{ github.event.client_payload.repository.owner }}/${{ github.event.client_payload.repository.name }}/check-runs/${{ needs.register.outputs.run_id }} \ + -d @"payload.txt" + done diff --git a/.github/workflows/binary-ready-veracode-sast-policy-scan.yml b/.github/workflows/binary-ready-veracode-sast-policy-scan.yml index 57eb4f394..5ce9d05d2 100644 --- a/.github/workflows/binary-ready-veracode-sast-policy-scan.yml +++ b/.github/workflows/binary-ready-veracode-sast-policy-scan.yml @@ -80,7 +80,7 @@ jobs: path: ./veracode_artifact_directory - name: Veracode Upload and Scan Action Step - uses: veracode/uploadandscan-action@SDEVX-9690 + uses: veracode/uploadandscan-action@v0.2.0 id: upload_and_scan with: vid: '${{ secrets.VERACODE_API_ID }}' diff --git a/.github/workflows/veracode-check-run.yml b/.github/workflows/veracode-check-run.yml index ae9288dc7..49af49320 100644 --- a/.github/workflows/veracode-check-run.yml +++ b/.github/workflows/veracode-check-run.yml 
@@ -46,53 +46,34 @@ jobs: create_check_run: runs-on: ${{ fromJson(inputs.default_runs_on) }} outputs: - run_id: ${{ steps.create_check.outputs.run_id }} - - steps: - - name: Setup Node.js - uses: actions/setup-node@v4 - - - name: Create check run via GitHub API - id: create_check - uses: actions/github-script@v7 + run_id: ${{ fromJson(steps.create_check_run.outputs.data).id }} + steps: + # Create check run + - name: GitHub API Request to create a check + uses: octokit/request-action@v2.x + id: create_check_run with: - github-token: ${{ inputs.github_token }} - script: | - const owner = '${{ inputs.repositroy_owner }}' - const repo = '${{ inputs.repositroy_name }}' - const name = '${{ inputs.check_run_name }}' - const head_sha = '${{ inputs.head_sha }}' - const details_url = `https://github.com/${{ github.repository }}/actions/runs/${{ inputs.run_id }}` - - const response = await github.rest.checks.create({ - owner, - repo, - name, - head_sha, - status: 'in_progress', - details_url - }) - - const checkRunId = response.data.id - core.setOutput('run_id', checkRunId) - - // Create workflow-metadata.json - const fs = require('fs') - - const metadata = { - check_run_type: '${{ inputs.event_type }}', - repository_name: repo, - check_run_id: checkRunId, - branch: '${{ inputs.branch }}', - sha: head_sha - } - - fs.writeFileSync( - 'workflow-metadata.json', - JSON.stringify(metadata, null, 2) - ) + route: POST /repos/{owner}/{repo}/check-runs + env: + GITHUB_TOKEN: ${{ inputs.github_token }} + INPUT_OWNER: ${{ inputs.repositroy_owner }} + INPUT_REPO: ${{ inputs.repositroy_name }} + INPUT_NAME: ${{ inputs.check_run_name }} + INPUT_HEAD_SHA: ${{ inputs.head_sha }} + INPUT_DETAILS_URL: "https://github.com/${{ github.repository }}/actions/runs/${{ inputs.run_id }}" - core.info(`Created check run ${checkRunId}`) + - name: Create metadata + id: create-metadata-json + run: | + echo '{ + "check_run_type": "${{ inputs.event_type }}", + "repository_name": "${{ inputs.repositroy_name 
}}", + "check_run_id": ${{ fromJson(steps.create_check_run.outputs.data).id }}, + "branch": "${{ inputs.branch }}", + "sha": "${{ inputs.head_sha }}" + }' > workflow-metadata.json + echo "run_id=${{ fromJson(steps.create_check_run.outputs.data).id }}" >> "GITHUB_OUTPUT" + shell: bash - name: Save metadata uses: actions/upload-artifact@v4 diff --git a/.github/workflows/veracode-default-build.yml b/.github/workflows/veracode-default-build.yml index ed77afc04..ec58d04ce 100644 --- a/.github/workflows/veracode-default-build.yml +++ b/.github/workflows/veracode-default-build.yml @@ -45,10 +45,8 @@ jobs: steps: - name: Identify the runner OS id: identify_runner_os - uses: actions/github-script@v7 - with: - script: | - core.setOutput('runner_os', process.env.RUNNER_OS); + shell: bash + run: echo "runner_os=${{ runner.os }}" >> $GITHUB_OUTPUT build-linux: needs: build-prepare diff --git a/.github/workflows/veracode-pipeline-scan.yml b/.github/workflows/veracode-pipeline-scan.yml index 3870c7bf9..d57449ebd 100644 --- a/.github/workflows/veracode-pipeline-scan.yml +++ b/.github/workflows/veracode-pipeline-scan.yml @@ -75,15 +75,12 @@ jobs: - name: Get list of files for matrix id: get-files - uses: actions/github-script@v7 - with: - script: | - const fs = require('fs') - const dir = 'veracode_artifact_directory' - const files = fs.readdirSync(dir) - - core.info(`Files for matrix: ${JSON.stringify(files)}`) - core.setOutput('matrix_files', JSON.stringify(files)) + run: | + files=$(ls -1 veracode_artifact_directory | jq -R . | jq -s .) + echo "Files for matrix: $files" + files=$(echo $files | jq -c .) # Compact the JSON array to a single line + echo "matrix_files=$files" >> $GITHUB_OUTPUT + shell: bash pipeline_scan: runs-on: ${{ fromJson(inputs.default_runs_on) }} 
@@ -106,12 +103,10 @@ jobs: path: ./veracode_artifact_directory - name: Debug Matrix Content - uses: actions/github-script@v7 - with: - script: | - console.log('Raw matrix files:', `${{ needs.prepare_pipeline_scan.outputs.matrix_files }}`) - console.log('Current matrix:', JSON.stringify(${{ toJSON(matrix) }})) - console.log('Current file:', '${{ matrix.file }}') + run: | + echo "Raw matrix files: ${{ needs.prepare_pipeline_scan.outputs.matrix_files }}" + echo "Current Matrix: ${{ matrix }}" + echo "Current File: ${{ matrix.file }}" - name: Veracode Pipeline-Scan if: always() 
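Review bot: `echo "Current File: ${{ matrix.file }}"` and `echo "Raw matrix files: ${{ needs.prepare_pipeline_scan.outputs.matrix_files }}"` again splice names of files from the downloaded artifact directly into a `run:` script, so a file named with `$(…)`, backticks or a closing quote executes in the runner shell; the `github-script` version being reverted was equally exposed via its `'${{ matrix.file }}'` literal. Move the two values into `env:` (`MATRIX_FILE: ${{ matrix.file }}`, `MATRIX_FILES: ${{ needs.prepare_pipeline_scan.outputs.matrix_files }}`) and echo `"$MATRIX_FILE"` / `"$MATRIX_FILES"`, which keeps the debugging output while removing the expression from the script body.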
@@ -178,33 +173,30 @@ jobs: steps: - name: Update check id: update_check_status - uses: actions/github-script@v7 - with: - github-token: ${{ inputs.token }} - script: | - const needs = ${{ toJSON(needs) }} - const breakOnError = '${{ inputs.break_build_on_error }}' === 'true' - const breakOnPolicy = '${{ inputs.break_build_policy_findings }}' === 'true' - - let conclusion = 'success' - - for (const [jobName, job] of Object.entries(needs)) { - core.info(`Job ${jobName} result: ${job.result}`) - - if (job.result === 'failure') { - if (breakOnError || breakOnPolicy) { - conclusion = 'failure' - break - } - } - } - - core.info(`Final check conclusion: ${conclusion}`) - - await github.rest.checks.update({ - owner: '${{ inputs.owner }}', - repo: '${{ inputs.repo }}', - check_run_id: Number('${{ inputs.check_run_id }}'), - status: 'completed', - conclusion - }) + shell: bash + env: + BREAK_BUILD_ON_ERROR: ${{ inputs.break_build_on_error }} + BREAK_BUILD_ON_POLICY: ${{ inputs.break_build_policy_findings }} + run: | + success_count=0 + conclusion="failure" + # Convert JSON string to a proper format for jq processing + echo '${{ toJSON(needs) }}' | jq -c 'to_entries[]' | while read -r job; do + status=$(echo "$job" | jq -r '.value.result') + echo "$status" + if [ "$status" = "success" ]; then + success_count=$((success_count + 1)) + echo '{"status": "completed", "conclusion": "success"}' > payload.txt + elif [ "$status" = "failure" ]; then + if [ "$BREAK_BUILD_ON_ERROR" = "false" && "$BREAK_BUILD_ON_POLICY" = "false" ]; then + echo '{"status": "completed", "conclusion": "success"}' > payload.txt + else + echo '{"status": "completed", "conclusion": "failure"}' > payload.txt + fi + fi + curl -X PATCH \ + -H "Authorization: Bearer ${{ inputs.token }}" \ + -H "Accept: application/vnd.github+json" \ + https://api.github.com/repos/${{ inputs.owner }}/${{ inputs.repo }}/check-runs/${{ inputs.check_run_id }} \ + -d @"payload.txt" + done 
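Review bot: `if [ "$BREAK_BUILD_ON_ERROR" = "false" && "$BREAK_BUILD_ON_POLICY" = "false" ]; then` is broken in the same way as in the binary-ready workflow: `&&` is a shell operator, not a `[` operator, so the first `[` is left unterminated, the test fails, and a failing scan is always reported as `failure` regardless of `inputs.break_build_on_error` / `inputs.break_build_policy_findings`. Use `if [ "$BREAK_BUILD_ON_ERROR" = "false" ] && [ "$BREAK_BUILD_ON_POLICY" = "false" ]; then`. The `curl -X PATCH` with `inputs.token` should also carry `--fail --silent --show-error` so a rejected API call fails the step instead of silently leaving the check run in progress, and the unused `success_count`/`conclusion` variables, which live in the `while` subshell anyway, can go.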
diff --git a/.github/workflows/veracode-policy-scan.yml b/.github/workflows/veracode-policy-scan.yml index d671a95e4..7133868e2 100644 --- a/.github/workflows/veracode-policy-scan.yml +++ b/.github/workflows/veracode-policy-scan.yml @@ -75,17 +75,13 @@ jobs: path: ./veracode_artifact_directory - name: Set version - uses: actions/github-script@v7 - with: - script: | - core.exportVariable( - 'VERSION', - `${process.env.GITHUB_RUN_ID}-${new Date().toISOString().replace(/[-:]/g,'').slice(0,15)}` - ) + shell: bash + run: | + echo "VERSION=${{ github.run_id }}-$(date +'%Y%m%d-%H%M%S')" >> $GITHUB_ENV # run the policy scan action - name: Veracode Upload and Scan Action Step - uses: veracode/uploadandscan-action@SDEVX-9690 + uses: veracode/uploadandscan-action@v0.2.0 id: upload_and_scan with: appname: ${{ inputs.profile_name }} diff --git a/.github/workflows/veracode-remove-sandbox.yml b/.github/workflows/veracode-remove-sandbox.yml index 84fed155d..7266b2669 100644 --- a/.github/workflows/veracode-remove-sandbox.yml +++ b/.github/workflows/veracode-remove-sandbox.yml @@ -17,22 +17,14 @@ jobs: steps: - name: Create metadata id: create_metadata_json - uses: actions/github-script@v7 - with: - script: | - const fs = require('fs') - - const metadata = { - check_run_type: '${{ github.event.client_payload.event_type }}', - repository_name: '${{ github.event.client_payload.repository.name }}', - check_run_id: '', - sha: '${{ github.event.client_payload.sha }}' - } - - fs.writeFileSync( - 'workflow-metadata.json', - JSON.stringify(metadata, null, 2) - ) + shell: bash + run: | + echo '{ + "check_run_type": "${{ github.event.client_payload.event_type }}", + "repository_name": "${{ github.event.client_payload.repository.name }}", + "check_run_id": "", + "sha": "${{ github.event.client_payload.sha }}" + }' > workflow-metadata.json - name: Save metadata uses: actions/upload-artifact@v4 
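Review bot: The new metadata step writes `workflow-metadata.json` by splicing `github.event.client_payload.event_type`, `…repository.name` and `…sha` into a single-quoted `echo` inside a `run:` script, so a payload value containing `'` escapes the quoting and runs as shell, and one containing `"` produces malformed JSON for the workflow that later reads the artifact. `repository_dispatch` payloads can only be sent by a caller with write access, which bounds the exposure, but the values still originate outside this workflow and the `github-script` version being replaced had the same problem inside JS string literals. Take the values in via `env:` and let `jq` quote them.
```yaml
      - name: Create metadata
        id: create_metadata_json
        shell: bash
        env:
          EVENT_TYPE: ${{ github.event.client_payload.event_type }}
          REPO_NAME: ${{ github.event.client_payload.repository.name }}
          HEAD_SHA: ${{ github.event.client_payload.sha }}
        run: |
          jq -n --arg type "$EVENT_TYPE" --arg repo "$REPO_NAME" --arg sha "$HEAD_SHA" \
            '{check_run_type: $type, repository_name: $repo, check_run_id: "", sha: $sha}' \
            > workflow-metadata.json
```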
diff --git a/.github/workflows/veracode-sca-scan.yml b/.github/workflows/veracode-sca-scan.yml index 83f2ab7da..ffa29d20b 100644 --- a/.github/workflows/veracode-sca-scan.yml +++ b/.github/workflows/veracode-sca-scan.yml 
@@ -46,90 +46,100 @@ jobs: with: path: 'veracode-helper' - - name: Detect workspace and generate lockfiles - uses: actions/github-script@v7 - with: - script: | - const fs = require('fs') - const path = require('path') - const { execSync } = require('child_process') - - const rootDir = '/home/runner/work/veracode/veracode' - const packageJsonPath = path.join(rootDir, 'package.json') - const pnpmLock = path.join(rootDir, 'pnpm-lock.yaml') - const pnpmWorkspace = path.join(rootDir, 'pnpm-workspace.yaml') - - const owner = '${{ github.event.client_payload.repository.owner }}' - const repo = '${{ github.event.client_payload.repository.name }}' - - const exists = p => fs.existsSync(p) - - if (exists(packageJsonPath) && exists(pnpmLock) && exists(pnpmWorkspace)) { - core.info( - '- The file package.json, pnpm-lock.yaml and pnpm-workspace.yaml exist. This looks like a PNPM workspace project.' - ) - - const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8')) - - if (pkg.workspaces) { - core.info('-- The package.json file contains workspaces - running PNPM lockfile generator') - execSync( - `node veracode-helper/helper/pnpm-helper.js \ - --folder "${rootDir}" \ - --intRepoPrefix "${owner}" \ - --repoName "${repo}"`, - { stdio: 'inherit' } - ) - } else { - core.warning('-- The package.json file does not contain workspace - this will fail') + - name: Find yarn JS apps using workspaces - Linux + if: contains(runner.os, 'Linux') + run: | + if [ -f "package.json" ] && [ -f "pnpm-lock.yaml" ] && [ -f "pnpm-workspace.yaml" ]; then + echo "- The file package.json, pnpm-lock.yml and pnpm-workspace.yaml exist. This looks like a PNPM workspace project." 
+ if grep -q "workspaces" "package.json"; then + echo "-- The package.json file contains workspaces - running PNPM lockfile generator" + node veracode-helper/helper/pnpm-helper.js --folder '/home/runner/work/veracode/veracode' --intRepoPrefix '${{ github.event.client_payload.repository.owner }}' --repoName '${{ github.event.client_payload.repository.name }}' + else + echo "-- The package.json file does not contain workspace - this will fail - exiting" + fi + elif [ -f "package.json" ] && [ ! -f "pnpm-lock.yml" ] && [ ! -f "pnpm-workspace.yaml" ]; then + if grep -q "workspaces" "package.json"; then + echo "- The package.json file exists, and it contains 'workspaces'." + if grep -q "yarn" "package.json"; then + echo "-- Yarn was identified on the package.json file" + version=$(grep 'yarn' package.json | grep -oE '[0-9]' | head -n 1) + if [ -z "$version" ]; then + echo "-- The yarn version could not be identified." + else + echo "-- The yarn version is: $version" + + if [ $version -lt "3" ]; then + echo "---- Running v2 lockfile generator" + node veracode-helper/helper/yarn-lock-file-generator-v2.js --folder /home/runner/work/veracode/veracode + elif [ $version -ge "3" ]; then + echo "---- Running v3 lockfile generator" + node veracode-helper/helper/yarn-lock-file-generator-v3.js --folder /home/runner/work/veracode/veracode + fi + fi + else + echo "- Yarn was not identified on the package.json file" + fi + else + echo "- The package.json file exists, but it does not contain 'workspaces'." + fi + else + echo "The package.json file does not exist." + fi + rm -rf veracode-helper + + - name: Find yarn JS apps using workspaces - Windows + shell: pwsh + if: contains(runner.os, 'Windows') + run: | + if ((Test-Path "package.json") -and (Test-Path "pnpm-lock.yaml") -and (Test-Path "pnpm-workspace.yaml")) { + Write-Host "- The files package.json, pnpm-lock.yaml, and pnpm-workspace.yaml exist. This looks like a PNPM workspace project." 
+ $packageJson = Get-Content "package.json" -Raw + if ($packageJson -match '"workspaces"') { + Write-Host "-- The package.json file contains workspaces - running PNPM lockfile generator" + node "veracode-helper/helper/pnpm-helper.js" ` + --folder "/home/runner/work/veracode/veracode" ` + --intRepoPrefix "${{ github.event.client_payload.repository.owner }}" ` + --repoName "${{ github.event.client_payload.repository.name }}" } - - } else if (exists(packageJsonPath) && !exists(pnpmLock) && !exists(pnpmWorkspace)) { - const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8')) - - if (pkg.workspaces) { - core.info("- The package.json file exists, and it contains 'workspaces'.") - - const pkgText = fs.readFileSync(packageJsonPath, 'utf8') - - if (pkgText.includes('yarn')) { - core.info('-- Yarn was identified on the package.json file') - - const match = pkgText.match(/yarn[^0-9]*([0-9]+)/) - const version = match?.[1] - - if (!version) { - core.warning('-- The yarn version could not be identified.') - } else { - core.info(`-- The yarn version is: ${version}`) - - if (Number(version) < 3) { - core.info('---- Running v2 lockfile generator') - execSync( - `node veracode-helper/helper/yarn-lock-file-generator-v2.js --folder "${rootDir}"`, - { stdio: 'inherit' } - ) - } else { - core.info('---- Running v3 lockfile generator') - execSync( - `node veracode-helper/helper/yarn-lock-file-generator-v3.js --folder "${rootDir}"`, - { stdio: 'inherit' } - ) + else { + Write-Host "-- The package.json file does not contain workspaces - exiting" + } + } + elseif ((Test-Path "package.json") -and -not (Test-Path "pnpm-lock.yaml") -and -not (Test-Path "pnpm-workspace.yaml")) { + $packageJson = Get-Content "package.json" -Raw + if ($packageJson -match '"workspaces"') { + Write-Host "- The package.json file exists and contains 'workspaces'." 
+ if ($packageJson -match '"yarn"') { + Write-Host "-- Yarn was identified in the package.json file" + $match = Select-String '"yarn"' package.json | Select-Object -First 1 + $version = ($match.Line -split '\D+' | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1) + if (-not $version) { + Write-Host "-- The yarn version could not be identified." + } + else { + Write-Host "-- The yarn version is: $version" + if ([int]$version -lt 3) { + Write-Host "---- Running v2 lockfile generator" + node "veracode-helper/helper/yarn-lock-file-generator-v2.js" --folder "/home/runner/work/veracode/veracode" + } + elseif ([int]$version -ge 3) { + Write-Host "---- Running v3 lockfile generator" + node "veracode-helper/helper/yarn-lock-file-generator-v3.js" --folder "/home/runner/work/veracode/veracode" + } + } + } + else { + Write-Host "- Yarn was not identified in the package.json file" } - } - } else { - core.info('- Yarn was not identified on the package.json file') } - } else { - core.info("- The package.json file exists, but it does not contain 'workspaces'.") - } - - } else { - core.info('The package.json file does not exist.') + else { + Write-Host "- The package.json file exists, but it does not contain 'workspaces'." + } + } + else { + Write-Host "The package.json file does not exist." } - - // Cleanup - fs.rmSync('veracode-helper', { recursive: true, force: true }) + Remove-Item -Recurse -Force "veracode-helper" -ErrorAction SilentlyContinue - name: Run Veracode SCA env: From b2ff73c00e475babcb4c7b5d5bdfc0bbf854650e Mon Sep 17 00:00:00 2001 From: Karthik Bharadwaj Date: Thu, 5 Feb 2026 00:19:40 +0530 Subject: [PATCH 3/4] Revert node scripts back to bash --- .github/workflows/binary-ready-veracode-sast-sandbox-scan.yml | 2 +- .github/workflows/veracode-sandbox-scan.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
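Review bot: The Linux step's `elif` tests for `pnpm-lock.yml` while the `if` above it and the pwsh step test `pnpm-lock.yaml`, so a repository with `package.json` and a real `pnpm-lock.yaml` but no `pnpm-workspace.yaml` silently falls through into the yarn branch; change it to `elif [ -f "package.json" ] && [ ! -f "pnpm-lock.yaml" ] && [ ! -f "pnpm-workspace.yaml" ]; then`. `version=$(grep 'yarn' package.json | grep -oE '[0-9]' | head -n 1)` captures a single digit where the JS it replaces matched `([0-9]+)`, so `yarn@10.x` becomes `1` and is sent to the v2 generator — use `grep -oE '[0-9]+'`. Both steps hard-code `/home/runner/work/veracode/veracode` as `--folder`, which is only correct when the checkout (outside this hunk) lands at exactly that path and cannot be right for the Windows step; use `"$GITHUB_WORKSPACE"` and `$env:GITHUB_WORKSPACE`. `grep -q "workspaces" package.json` is a substring match that also fires on a dependency or script name containing the word; `jq -e '.workspaces' package.json >/dev/null` checks the actual key.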
diff --git a/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml b/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml index 7b8b112ee..655df9184 100644 --- a/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml +++ b/.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml @@ -32,7 +32,7 @@ jobs: - name: Veracode Upload and Scan Action Step id: upload_and_scan - uses: veracode/uploadandscan-action@v0.1.9 + uses: veracode/uploadandscan-action@v0.2.0 with: appname: ${{ github.event.client_payload.user_config.profile_name }} createprofile: true diff --git a/.github/workflows/veracode-sandbox-scan.yml b/.github/workflows/veracode-sandbox-scan.yml index 38c2c2720..bdb8deb53 100644 --- a/.github/workflows/veracode-sandbox-scan.yml +++ b/.github/workflows/veracode-sandbox-scan.yml @@ -59,7 +59,7 @@ jobs: # run the policy scan action - name: Veracode Upload and Scan Action Step - uses: veracode/uploadandscan-action@SDEVX-9690 + uses: veracode/uploadandscan-action@v0.2.0 id: upload_and_scan with: appname: ${{ github.event.client_payload.user_config.profile_name }} From e9b5ab6ca99ab725ebdc2375bc8e9db30ee8510e Mon Sep 17 00:00:00 2001 From: Karthik Bharadwaj Date: Thu, 5 Feb 2026 00:36:02 +0530 Subject: [PATCH 4/4] Revert node scripts back to bash --- ...nary-ready-veracode-sast-pipeline-scan.yml | 60 +++++++++---------- .github/workflows/veracode-pipeline-scan.yml | 57 +++++++++--------- 2 files changed, 55 insertions(+), 62 deletions(-) diff --git a/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml b/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml index 78c687352..43b20841c 100644 --- a/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml +++ b/.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml 
@@ -11,13 +11,7 @@ on: types: [binary-ready-veracode-sast-pipeline-scan] jobs: - cleanup: - uses: ./.github/workflows/veracode-clean-up.yml - with: - runs_on: ${{ github.event.client_payload.user_config.default_runs_on }} - register: - needs: cleanup uses: ./.github/workflows/veracode-check-run.yml with: check_run_name: ${{ github.workflow }} 
@@ -186,32 +180,32 @@ jobs: needs: pipeline_scan if: always() steps: - - name: Update check - id: update_check_status - shell: bash - env: - BREAK_BUILD_ON_ERROR: ${{ github.event.client_payload.user_config.break_build_on_error }} - BREAK_BUILD_ON_POLICY: ${{ github.event.client_payload.user_config.break_build_policy_findings }} - run: | - success_count=0 - conclusion="failure" - # Convert JSON string to a proper format for jq processing - echo '${{ toJSON(needs) }}' | jq -c 'to_entries[]' | while read -r job; do - status=$(echo "$job" | jq -r '.value.result') - echo "$status" - if [ "$status" = "success" ]; then - success_count=$((success_count + 1)) + - name: Update check + id: update_check_status + shell: bash + env: + BREAK_BUILD_ON_ERROR: ${{ github.event.client_payload.user_config.break_build_on_error }} + BREAK_BUILD_ON_POLICY: ${{ github.event.client_payload.user_config.break_build_policy_findings }} + run: | + success_count=0 + conclusion="failure" + # Convert JSON string to a proper format for jq processing + echo '${{ toJSON(needs) }}' | jq -c 'to_entries[]' | while read -r job; do + status=$(echo "$job" | jq -r '.value.result') + echo "$status" + if [ "$status" = "success" ]; then + success_count=$((success_count + 1)) + echo '{"status": "completed", "conclusion": "success"}' > payload.txt + elif [ "$status" = "failure" ]; then + if [ "$BREAK_BUILD_ON_ERROR" = "false" && "$BREAK_BUILD_ON_POLICY" = "false" ]; then echo '{"status": "completed", "conclusion": "success"}' > payload.txt - elif [ "$status" = "failure" ]; then - if [ "$BREAK_BUILD_ON_ERROR" = "false" && "$BREAK_BUILD_ON_POLICY" = "false" ]; then - echo '{"status": "completed", "conclusion": "success"}' > payload.txt - else - echo '{"status": "completed", "conclusion": "failure"}' > payload.txt - fi + else + echo '{"status": "completed", "conclusion": "failure"}' > payload.txt fi - curl -X PATCH \ - -H "Authorization: Bearer ${{ github.event.client_payload.token }}" \ - -H "Accept: 
application/vnd.github+json" \ - https://api.github.com/repos/${{ github.event.client_payload.repository.owner }}/${{ github.event.client_payload.repository.name }}/check-runs/${{ needs.register.outputs.run_id }} \ - -d @"payload.txt" - done + fi + curl -X PATCH \ + -H "Authorization: Bearer ${{ github.event.client_payload.token }}" \ + -H "Accept: application/vnd.github+json" \ + https://api.github.com/repos/${{ github.event.client_payload.repository.owner }}/${{ github.event.client_payload.repository.name }}/check-runs/${{ needs.register.outputs.run_id }} \ + -d @"payload.txt" + done \ No newline at end of file diff --git a/.github/workflows/veracode-pipeline-scan.yml b/.github/workflows/veracode-pipeline-scan.yml index d57449ebd..b22fa9c8a 100644 --- a/.github/workflows/veracode-pipeline-scan.yml +++ b/.github/workflows/veracode-pipeline-scan.yml @@ -101,7 +101,6 @@ jobs: with: name: veracode-artifact path: ./veracode_artifact_directory - - name: Debug Matrix Content run: | echo "Raw matrix files: ${{ needs.prepare_pipeline_scan.outputs.matrix_files }}" 
@@ -165,38 +164,38 @@ jobs: github-token: ${{ inputs.token }} repo_name: ${{ inputs.repo }} commitHash: ${{ inputs.sha }} - + update-checks-status: runs-on: ${{ fromJson(inputs.default_runs_on) }} needs: pipeline_scan if: always() steps: - - name: Update check - id: update_check_status - shell: bash - env: - BREAK_BUILD_ON_ERROR: ${{ inputs.break_build_on_error }} - BREAK_BUILD_ON_POLICY: ${{ inputs.break_build_policy_findings }} - run: | - success_count=0 - conclusion="failure" - # Convert JSON string to a proper format for jq processing - echo '${{ toJSON(needs) }}' | jq -c 'to_entries[]' | while read -r job; do - status=$(echo "$job" | jq -r '.value.result') - echo "$status" - if [ "$status" = "success" ]; then - success_count=$((success_count + 1)) + - name: Update check + id: update_check_status + shell: bash + env: + BREAK_BUILD_ON_ERROR: ${{ inputs.break_build_on_error }} + BREAK_BUILD_ON_POLICY: ${{ inputs.break_build_policy_findings }} + run: | + success_count=0 + conclusion="failure" + # Convert JSON string to a proper format for jq processing + echo '${{ toJSON(needs) }}' | jq -c 'to_entries[]' | while read -r job; do + status=$(echo "$job" | jq -r '.value.result') + echo "$status" + if [ "$status" = "success" ]; then + success_count=$((success_count + 1)) + echo '{"status": "completed", "conclusion": "success"}' > payload.txt + elif [ "$status" = "failure" ]; then + if [ "$BREAK_BUILD_ON_ERROR" = "false" && "$BREAK_BUILD_ON_POLICY" = "false" ]; then echo '{"status": "completed", "conclusion": "success"}' > payload.txt - elif [ "$status" = "failure" ]; then - if [ "$BREAK_BUILD_ON_ERROR" = "false" && "$BREAK_BUILD_ON_POLICY" = "false" ]; then - echo '{"status": "completed", "conclusion": "success"}' > payload.txt - else - echo '{"status": "completed", "conclusion": "failure"}' > payload.txt - fi + else + echo '{"status": "completed", "conclusion": "failure"}' > payload.txt fi - curl -X PATCH \ - -H "Authorization: Bearer ${{ inputs.token }}" \ - -H 
"Accept: application/vnd.github+json" \ - https://api.github.com/repos/${{ inputs.owner }}/${{ inputs.repo }}/check-runs/${{ inputs.check_run_id }} \ - -d @"payload.txt" - done + fi + curl -X PATCH \ + -H "Authorization: Bearer ${{ inputs.token }}" \ + -H "Accept: application/vnd.github+json" \ + https://api.github.com/repos/${{ inputs.owner }}/${{ inputs.repo }}/check-runs/${{ inputs.check_run_id }} \ + -d @"payload.txt" + done \ No newline at end of file