From 8b645990cd8e99531359065436daf61165092a8f Mon Sep 17 00:00:00 2001 From: Ryan Park Date: Wed, 9 Jul 2025 13:53:59 +1000 Subject: [PATCH] feat: make the scan result upload optional --- README.md | 157 ++++++++++++++++++++++++++++++--------------------- action.yml | 6 +- src/index.ts | 80 +++++++++++++------------- 3 files changed, 141 insertions(+), 102 deletions(-) diff --git a/README.md b/README.md index 022de3c..7d001f3 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ Veracode Pipeline Scan Action runs the Veracode pipeline-scan as an action on any GitHub pipeline -The only pre-requisites is to have the application compiled/packaged according the Veracode Packaging Instructions [here](https://docs.veracode.com/r/compilation_packaging) +The only pre-requisites is to have the application compiled/packaged according the Veracode Packaging Instructions [here](https://docs.veracode.com/r/compilation_packaging) ## About @@ -16,19 +16,19 @@ For more information on Pipeline Scan, visit the [Veracode Docs](https://docs.ve ## Usage -Intended usage is to add a job to your CI/CD pipeline, after a build job, uploads the "application", scans it and returns the results. -A build can be failed upon findings, as well the action allows you to generate a new baseline file and commit it back into a different branch of your repository where it can be used to sort out previous findings in order to report on net-new findings. Please refere to the Veracode documentation [here](https://docs.veracode.com/r/Using_a_Pipeline_Scan_Baseline_File). - -If the action will run within a PR, it will automatically add a comment with all results to the PR. This is done for easy review and approval processes. -![](/media/pr-comment.png) - -If the parameter `fail_build` is set to `true`, the action will fail the step upon findings. If set to `false`, the step will not show as failed. -![](/media/fail-build.png) - -The full output of the action can still be reviewed on the action run overview and on the command line output. - ![](/media/action-overview.png) - ![](/media/command-line-output.png) - +Intended usage is to add a job to your CI/CD pipeline, after a build job, uploads the "application", scans it and returns the results. +A build can be failed upon findings, as well the action allows you to generate a new baseline file and commit it back into a different branch of your repository where it can be used to sort out previous findings in order to report on net-new findings. Please refere to the Veracode documentation [here](https://docs.veracode.com/r/Using_a_Pipeline_Scan_Baseline_File). + +If the action will run within a PR, it will automatically add a comment with all results to the PR. This is done for easy review and approval processes. +![](/media/pr-comment.png) + +If the parameter `fail_build` is set to `true`, the action will fail the step upon findings. If set to `false`, the step will not show as failed. +![](/media/fail-build.png) + +The full output of the action can still be reviewed on the action run overview and on the command line output. + ![](/media/action-overview.png) + ![](/media/command-line-output.png) + The tool will need some information passed to it as parameters (many are optional): @@ -75,6 +75,7 @@ The tool will need some information passed to it as parameters (many are optiona * app_id * development_stage * include + * upload_results * Baseline file * if a baseline file should be stored from the scan all paramters are required @@ -83,30 +84,30 @@ The tool will need some information passed to it as parameters (many are optiona * store_baseline_file_branch: * Enter the branch name where the baseline file should be stored * create_baseline_from: - * From which results should the baseline file be created. standard = full results || filtered = filtered results - -### ATTENTION + * From which results should the baseline file be created. standard = full results || filtered = filtered results + +### ATTENTION If you store a baseline file from a pipeline scan the action will commit and push that file to a specified branch on the same repository using these commands: ```sh -git config --global user.name "${ process.env.GITHUB_ACTOR }" -git config --global user.email "username@users.noreply.github.com" -git add "${baselineFileName}" -git stash -git pull origin ${parameters.store_baseline_file_branch} || echo "Couldn't find remote branch" -git checkout stash -- . -git commit -m "Veracode Baseline File push from pipeline" -git push origin HEAD:${parameters.store_baseline_file_branch} --force-with-lease -``` -Make sure that doesn't have any side effects on your repository. If you are not sure, don't store the baseline file from the action itself, instead store it as an artifact and commit/push it yourself to the place where it should be stored. - -## Examples -All examples follow the same strucutre, the will all `need` the `build` to be finished before the they will start running. Veraocde's static analysis is mainly binary static analysis, therefore a compile/build action is required before a pipeline scan can be started. Please read about the packaging and compilation requirements here: https://docs.veracode.com/r/compilation_packaging. -The examples will checkout the repository, they will download the previously generated build artefact, that is named `verademo.war` and then run the action. - - -The basic yml - - ```yml +git config --global user.name "${ process.env.GITHUB_ACTOR }" +git config --global user.email "username@users.noreply.github.com" +git add "${baselineFileName}" +git stash +git pull origin ${parameters.store_baseline_file_branch} || echo "Couldn't find remote branch" +git checkout stash -- . +git commit -m "Veracode Baseline File push from pipeline" +git push origin HEAD:${parameters.store_baseline_file_branch} --force-with-lease +``` +Make sure that doesn't have any side effects on your repository. If you are not sure, don't store the baseline file from the action itself, instead store it as an artifact and commit/push it yourself to the place where it should be stored. + +## Examples +All examples follow the same strucutre, the will all `need` the `build` to be finished before the they will start running. Veraocde's static analysis is mainly binary static analysis, therefore a compile/build action is required before a pipeline scan can be started. Please read about the packaging and compilation requirements here: https://docs.veracode.com/r/compilation_packaging. +The examples will checkout the repository, they will download the previously generated build artefact, that is named `verademo.war` and then run the action. + + +The basic yml + + ```yml pipeline_scan: # needs the build step before this job will start running needs: build @@ -116,7 +117,7 @@ The basic yml steps: - name: checkout repo uses: actions/checkout@v4 - + # get the compiled binary from a previous job - name: get archive uses: actions/download-artifact@v4 @@ -130,13 +131,13 @@ The basic yml with: vid: ${{ secrets.VID }} vkey: ${{ secrets.VKEY }} - file: "verademo.war" - ``` - + file: "verademo.war" + ``` + -Rate the findings according to a policy and fail the build - - ```yml +Rate the findings according to a policy and fail the build + + ```yml pipeline_scan: # needs the build step before this job will start running needs: build @@ -146,7 +147,7 @@ Rate the findings according to a policy and fail the build steps: - name: checkout repo uses: actions/checkout@v4 - + # get the compiled binary from a previous job - name: get archive uses: actions/download-artifact@v4 @@ -160,15 +161,15 @@ Rate the findings according to a policy and fail the build with: vid: ${{ secrets.VID }} vkey: ${{ secrets.VKEY }} - file: "verademo.war" + file: "verademo.war" veracode_policy_name: "VeraDemo Policy" fail_build: true - ``` - + ``` + -Sort out previous findings using a baseline file - - ```yml +Sort out previous findings using a baseline file + + ```yml pipeline_scan: # needs the build step before this job will start running needs: build @@ -178,7 +179,7 @@ Sort out previous findings using a baseline file steps: - name: checkout repo uses: actions/checkout@v4 - + # get the compiled binary from a previous job - name: get archive uses: actions/download-artifact@v4 @@ -192,16 +193,16 @@ Sort out previous findings using a baseline file with: vid: ${{ secrets.VID }} vkey: ${{ secrets.VKEY }} - file: "verademo.war" + file: "verademo.war" baseline_file: "veracode-pipeline-scan-baseline-file.json" fail_build: true - ``` + ``` + - -Sort out previous findings using a baseline file, create a new baseline file and store on a specified branch - - ```yml +Sort out previous findings using a baseline file, create a new baseline file and store on a specified branch + + ```yml pipeline_scan: # needs the build step before this job will start running needs: build @@ -211,7 +212,7 @@ Sort out previous findings using a baseline file, create a new baseline file and steps: - name: checkout repo uses: actions/checkout@v4 - + # get the compiled binary from a previous job - name: get archive uses: actions/download-artifact@v4 @@ -225,17 +226,47 @@ Sort out previous findings using a baseline file, create a new baseline file and with: vid: ${{ secrets.VID }} vkey: ${{ secrets.VKEY }} - file: "verademo.war" + file: "verademo.war" store_baseline_file: true store_baseline_file_branch: my-featur-branch create_baseline_from: standard baseline_file: "veracode-pipeline-scan-baseline-file.json" fail_build: true - ``` + ``` + +Disable upload of scan results as artifacts + + ```yml + pipeline_scan: + # needs the build step before this job will start running + needs: build + runs-on: ubuntu-latest + name: pipeline scan + + steps: + - name: checkout repo + uses: actions/checkout@v4 + + # get the compiled binary from a previous job + - name: get archive + uses: actions/download-artifact@v4 + with: + name: verademo.war + + # run the pipeline scan action + - name: pipeline-scan action step + id: pipeline-scan + uses: veracode/Veracode-pipeline-scan-action@v1.0.12 + with: + vid: ${{ secrets.VID }} + vkey: ${{ secrets.VKEY }} + file: "verademo.war" + upload_results: false + ``` -## Compile the action -The action comes pre-compiled as transpiled JavaScript. If you want to fork and build it on your own you need NPM to be installed, use `ncc` to compile all node modules into a single file, so they don't need to be installed on every action run. The command to build is simply +## Compile the action +The action comes pre-compiled as transpiled JavaScript. If you want to fork and build it on your own you need NPM to be installed, use `ncc` to compile all node modules into a single file, so they don't need to be installed on every action run. The command to build is simply ```sh -ncc build ./src/index.ts +ncc build ./src/index.ts ``` diff --git a/action.yml b/action.yml index 5fcfbae..925d6f2 100644 --- a/action.yml +++ b/action.yml @@ -97,12 +97,16 @@ inputs: fail_build: description: 'Fail the build upon findings. Takes true or false' required: false - include: + include: description: 'Enter a case-sensitive, comma-separated list of name patterns that represent the names of the modules to scan as top-level modules. Veracode identifies these modules during prescan. The * wildcard matches zero or more characters. The ? wildcard matches exactly one character. For example, to include various module names that contain module: --include "module 1, module-*, module2.jar". The scan results show the names of the modules that Veracode identified and the modules included in the scan. This parameter does not pause, stop, or impact the performance of your pipeline.' required: false artifact_name: description: 'Enter the name of the artifact to be uploaded to Github.' required: false + upload_results: + description: 'Upload scan results as GitHub artifacts. Takes true or false. Default is true.' + required: false + default: 'true' runs: using: 'node20' diff --git a/src/index.ts b/src/index.ts index de1f848..8fd3846 100644 --- a/src/index.ts +++ b/src/index.ts @@ -109,18 +109,19 @@ parameters['store_baseline_file_branch'] = store_baseline_file_branch const create_baseline_from = core.getInput('create_baseline_from', {required: false} ); parameters['create_baseline_from'] = create_baseline_from -//standard or filtered +//standard or filtered const fail_build = core.getInput('fail_build', {required: false} ); parameters['fail_build'] = fail_build -//true or false +//true or false const artifact_name = core.getInput('artifact_name', {required: false} ); parameters['artifact_name'] = artifact_name -//string - - +//string +const upload_results = core.getInput('upload_results', {required: false} ); +parameters['upload_results'] = upload_results +//true or false async function run (parameters:any){ @@ -168,44 +169,47 @@ async function run (parameters:any){ core.info('---- DEBUG OUTPUT END ----') } + //check if upload_result is enabled + if (parameters.upload_results == 'true') { //check if results files exists and if so store them as artifacts - if ( existsSync(rootDirectory+'/'+parameters.json_output_file && rootDirectory+'/'+parameters.filtered_json_output_file && rootDirectory+'/'+parameters.summary_output_file) ){ - core.info('Results files exist - storing as artifact') - - - //store output files as artifacts - const { DefaultArtifactClient } = require('@actions/artifact') - const artifactClient = new DefaultArtifactClient() - const artifactName = 'Veracode Pipeline-Scan Results - '+parameters.artifact_name; - const files = [ - parameters.json_output_file, - parameters.filtered_json_output_file, - parameters.summary_output_file - ] + if ( existsSync(rootDirectory+'/'+parameters.json_output_file && rootDirectory+'/'+parameters.filtered_json_output_file && rootDirectory+'/'+parameters.summary_output_file) ){ + core.info('Results files exist - storing as artifact') - const rootDirectory = process.cwd() - const options = { - continueOnError: true - } + //store output files as artifacts + const { DefaultArtifactClient } = require('@actions/artifact') + const artifactClient = new DefaultArtifactClient() + const artifactName = 'Veracode Pipeline-Scan Results - '+parameters.artifact_name; + const files = [ + parameters.json_output_file, + parameters.filtered_json_output_file, + parameters.summary_output_file + ] - try { - const uploadResult = await artifactClient.uploadArtifact(artifactName, files, rootDirectory, options) - core.info('Artifact upload result:') - core.info(uploadResult) - } catch (error) { - core.info('Artifact upload failed:') - core.info(String(error)) - } + const rootDirectory = process.cwd() + const options = { + continueOnError: true + } + + try { + const uploadResult = await artifactClient.uploadArtifact(artifactName, files, rootDirectory, options) + core.info('Artifact upload result:') + core.info(uploadResult) + } catch (error) { + core.info('Artifact upload failed:') + core.info(String(error)) + } - if (parameters.debug == 1 ){ - core.info('---- DEBUG OUTPUT START ----') - core.info('---- index.ts / run() create artifacts ----') - core.info('---- Artifact filenames: '+files) - core.info('---- DEBUG OUTPUT END ----') - } + if (parameters.debug == 1 ){ + core.info('---- DEBUG OUTPUT START ----') + core.info('---- index.ts / run() create artifacts ----') + core.info('---- Artifact filenames: '+files) + core.info('---- DEBUG OUTPUT END ----') + } + + } } else { core.info('Results files do not exist - no artifact to store') @@ -324,7 +328,7 @@ async function run (parameters:any){ core.info('---- DEBUG OUTPUT START ----') core.info('---- index.ts / run() check if we need to fail the build ----') core.info('---- Fail build value found : '+failBuild) - core.info('---- DEBUG OUTPUT END ----') + core.info('---- DEBUG OUTPUT END ----') } @@ -336,4 +340,4 @@ async function run (parameters:any){ } -run(parameters) \ No newline at end of file +run(parameters)