adding ShiftLeft GitHub action #58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # This workflow integrates ShiftLeft NG SAST with GitHub | |
| # Visit https://docs.shiftleft.io for help | |
| name: NG SAST Scan - ShiftLeft | |
| on: | |
| # Trigger the workflow on push to update the baseline scan | |
| # or pull request going to main | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| NextGen-Static-Analysis: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v2 | |
| # We are building this application with Java 11 | |
| - name: Setup Java JDK | |
| uses: actions/[email protected] | |
| with: | |
| java-version: 11.0.x | |
| - name: Package with maven | |
| run: mvn compile package | |
| - name: Download ShiftLeft CLI | |
| run: | | |
| curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl | |
| # ShiftLeft requires Java 1.8. Post the package step override the version | |
| - name: Setup Java JDK | |
| uses: actions/[email protected] | |
| with: | |
| java-version: 1.8 | |
| - name: Extract branch name | |
| shell: bash | |
| run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" | |
| id: extract_branch | |
| - name: NextGen Static Analysis | |
| # Run the analyzer and wait for it to finis, the app is a part of a group and we can dynamicaly capture the branch we're on for tagging. It's a java app and we point to where the binary can be found | |
| run: ${GITHUB_WORKSPACE}/sl analyze --wait --app shiftleft-java-demo --tag app.group=HSL --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/hello-shiftleft-*.jar | |
| env: | |
| SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} | |
| SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} | |
| - name: Validate Build Rules | |
| # Only run on pull request and compare to Main as set in the build rules file Shiftleft.yml | |
| if: ${{ github.event_name == 'pull_request' }} | |
| # Lets check the previous analysis for this branch to our baseline on Main, | |
| # since we specify a 'branch' we don't have to specify a '--source' | |
| run: | | |
| ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \ | |
| --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ | |
| --report \ | |
| --github-pr-number=${{github.event.number}} \ | |
| --github-pr-user=${{ github.repository_owner }} \ | |
| --github-pr-repo=${{ github.event.repository.name }} \ | |
| --github-token=${{ secrets.GITHUB_TOKEN }} | |
| env: | |
| # For SL to run you'll need a Secret with an access token | |
| SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} | |