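# Synopsys Polaris SCA + SAST workflow.
#
# Two mutually exclusive scan steps share one job: a full scan on pushes to
# the long-lived branches, and a PR scan that posts its findings back on the
# pull request as a comment. Only one of the two `if:` guards is true for any
# given event, so exactly one scan step runs per workflow run.
name: CI-Polaris

on:
  push:
    branches: [ main, master, develop, stage, release ]
  pull_request:
    branches: '**'  # [ main, master, develop, stage, release ]

# Least-privilege token for the whole workflow: checkout only needs to read
# the repository, and the PR-comment step needs to write to the pull request.
# Widen this only when enabling the commented-out SARIF upload below (that
# path additionally needs `security-events: write`).
permissions:
  contents: read
  pull-requests: write

jobs:
  polaris-scan:
    runs-on: [ ubuntu-latest ]
    steps:
      - name: Checkout Source
        uses: actions/checkout@v3

      # NOTE(review): the third-party action reference on the `uses:` lines
      # below was garbled when this page was captured ("[email protected]");
      # restore the real `owner/repo@ref`, and prefer pinning external
      # actions to a full commit SHA rather than a mutable tag so the scanner
      # itself cannot be swapped out underneath this workflow.
      - name: Polaris Full Scan
        if: ${{ github.event_name != 'pull_request' }}
        uses: synopsys-sig/[email protected]
        with:
          polaris_server_url: ${{ vars.POLARIS_SERVERURL }}
          polaris_access_token: ${{ secrets.POLARIS_ACCESSTOKEN }}
          polaris_application_name: RAF-ACME_Labs
          polaris_project_name: ${{ github.event.repository.name }}
          polaris_assessment_types: "SCA,SAST"
          # polaris_waitForScan: false  # Used to support the async mode
          # project_directory: ${{ vars.PROJECT_DIRECTORY }}
          ### Uncomment below configuration for source code upload
          # polaris_assessment_mode: "SOURCE_UPLOAD"
          # project_source_archive: ${{ vars.PROJECT_SOURCE_ARCHIVE }}
          # project_source_excludes: ${{ vars.PROJECT_SOURCE_EXCLUDES }}  # Accepts multiple values
          # project_source_preserveSymLinks: true
          ### Uncomment below configuration if Synopsys Bridge diagnostic files need to be uploaded
          # include_diagnostics: true
          ### SARIF report generation and upload to the GitHub Advanced Security tab: uncomment below to enable
          # polaris_reports_sarif_create: true
          # polaris_reports_sarif_file_path: '/Users/tmp/report.sarif.json'  # File path (including file name) where the SARIF report is created.
          # polaris_reports_sarif_severities: "CRITICAL,HIGH"
          # polaris_reports_sarif_groupSCAIssues: true
          # polaris_reports_sarif_issue_types: 'SCA, SAST'
          # polaris_upload_sarif_report: true
          # github_token: ${{ secrets.GITHUB_TOKEN }}  # Required when polaris_upload_sarif_report is set to true
          ### Signature scan
          # polaris_test_sca_type: "SCA-SIGNATURE"
          ### Uncomment below to add arbitrary command-line parameters
          # blackduck_search_depth: 2
          # blackduck_args: '--detect.diagnostic=true'
          # blackduck_config_path: '/Users/Config/application.properties'
          # coverity_build_command: mvn clean install
          # coverity_clean_command: mvn clean
          # coverity_config_path: /Users/Config/coverity.yml
          # coverity_args: --config-override capture.build.build-command=mvn install

      # The PR trigger above accepts every branch. For pull requests opened
      # from a fork, GitHub does not expose repository secrets to the
      # `pull_request` event, so `secrets.POLARIS_ACCESSTOKEN` is empty there
      # and this step is expected to fail; treat that as a limitation of the
      # trigger, not as a reason to switch to a privileged trigger.
      - name: Polaris PR Scan
        if: ${{ github.event_name == 'pull_request' }}
        uses: synopsys-sig/[email protected]
        with:
          polaris_server_url: ${{ vars.POLARIS_SERVERURL }}
          polaris_access_token: ${{ secrets.POLARIS_ACCESSTOKEN }}
          polaris_application_name: RAF-ACME_Labs
          polaris_project_name: ${{ github.event.repository.name }}
          polaris_assessment_types: "SCA,SAST"
          # project_directory: ${{ vars.PROJECT_DIRECTORY }}
          ### Uncomment below configuration for source code upload
          # polaris_assessment_mode: "SOURCE_UPLOAD"
          # project_source_archive: ${{ vars.PROJECT_SOURCE_ARCHIVE }}
          # project_source_excludes: ${{ vars.PROJECT_SOURCE_EXCLUDES }}  # Accepts multiple values
          # project_source_preserveSymLinks: true
          ### Below configuration enables feedback from Polaris security testing as a pull request comment
          polaris_prComment_enabled: true
          # Mandatory when polaris_prComment_enabled is set to 'true'
          github_token: ${{ secrets.GITHUB_TOKEN }}
          ### Uncomment below configuration if Synopsys Bridge diagnostic files need to be uploaded
          # include_diagnostics: true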