From b605d553977f75cfbbff27e98d7f06cb5fc26f04 Mon Sep 17 00:00:00 2001
From: Andrew
Date: Tue, 22 Aug 2023 14:05:45 +0100
Subject: [PATCH 1/4] Update to remove dockerfile and entrypoint.sh

---
 Dockerfile | 11 --------
 action.yml | 76 +++++++++++++++++++++++++++++++++++++++++++++++----
 entrypoint.sh | 46 -------------------------------
 3 files changed, 71 insertions(+), 62 deletions(-)
 delete mode 100644 Dockerfile
 delete mode 100755 entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 487f235..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,11 +0,0 @@
-# Container image that runs your code
-FROM ubuntu:latest
-
-RUN apt-get update && apt-get install -y curl \
- && curl --location -O https://pkg.contrastsecurity.com/artifactory/cli/1.0.18/linux/contrast \
- && chmod +x contrast && mv contrast /usr/bin
-
-COPY entrypoint.sh /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
-
diff --git a/action.yml b/action.yml
index 6835663..5bf4023 100644
--- a/action.yml
+++ b/action.yml
@@ -10,13 +10,13 @@ inputs:
 orgId:
 description: 'The ID of your organization in Contrast (required).'
 required: true
+ artifact:
+ description: 'The Artifact to Scan on the Contrast Platform.'
+ required: true
 apiUrl:
 description: 'The name of the host. Includes the protocol section of the URL (https://). Defaults to https://ce.contrastsecurity.com. (optional)'
 required: false
 default: "https://ce.contrastsecurity.com"
- artifact:
- description: 'The Artifact to Scan on the Contrast Platform.'
- required: true
 projectName:
 description: 'The name of the project you want to scan in Contrast.'
 required: false
@@ -36,6 +36,72 @@ inputs:
 fail:
 description: 'When set to true, fails the action if CVEs have been detected that match at least the severity option specified.'
 required: false
+
 runs:
- using: 'docker'
- image: 'Dockerfile'
+ using: "composite"
+ steps:
+ - name: Get Latest CLI
+ run: |
+ echo "Downloading Contrast CLI 2.1.0"
+ curl --location 'https://pkg.contrastsecurity.com/artifactory/cli/v2/2.1.0/linux/contrast' --output contrast
+ shell: bash
+ - run: chmod +x contrast
+ shell: bash
+
+ - name: Get CLI Required Arguments
+ id: required-args
+ shell: bash
+ run: |
+ echo "Setting Required Args..."
+ args=()
+ args+=("--api-key ${{ inputs.apiKey }}")
+ args+=("--authorization ${{ inputs.authHeader }}")
+ args+=("--organization-id ${{ inputs.orgId }}")
+ args+=("--file ${{ inputs.artifact }}")
+ args+=("--host ${{ inputs.apiUrl }}")
+
+ echo "args=${args[@]}" >> $GITHUB_OUTPUT
+
+ - name: Get CLI Optional Arguments
+ id: optional-args
+ shell: bash
+ run: |
+ echo "Setting Optional Args..."
+ args=()
+ if [ -n "${{ inputs.projectName }}" ]; then
+ args+=("--name")
+ args+=("${{ inputs.projectName }}")
+ fi
+ if [ -n "${{ inputs.projectId }}" ]; then
+ args+=("--project-id")
+ args+=("${{ inputs.projectId }}")
+ fi
+ if [ -n "${{ inputs.language }}" ]; then
+ args+=("--language")
+ args+=("${{ inputs.language }}")
+ fi
+ if [ -n "${{ inputs.timeout }}" ]; then
+ args+=("--timeout")
+ args+=("${{ inputs.timeout }}")
+ fi
+ if [ -n "${{inputs.severity}}" ]; then
+ args+=("--severity")
+ args+=("${{ inputs.severity }}")
+ fi
+ if [ -n "${{inputs.severity}}" ]; then
+ args+=("--severity")
+ args+=("${{ inputs.severity }}")
+ fi
+ if [ "${{inputs.fail}}" = true ]; then
+ args+=("--fail")
+ fi
+
+ echo "args=${args[@]}" >> $GITHUB_OUTPUT
+
+ - name: Run Contrast Scan CLI Command
+ continue-on-error: true
+ id: run-scan
+ shell: bash
+ run: |
+ echo "Running the Contrast Scan Command..."
+ ./contrast scan ${{ steps.required-args.outputs.args }} ${{ steps.optional-args.outputs.args }}
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
deleted file mode 100755
index ed0dabd..0000000
--- a/entrypoint.sh
+++ /dev/null
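Review bot: `continue-on-error: true` on the run-scan step (the last step in the hunk) discards the CLI's exit status, so a scan that finds CVEs with `fail: true` still leaves the job green; the removed entrypoint.sh propagated `CONTRAST_RET_VAL`, and nothing in the composite version does, so unless a later step reads `steps.run-scan.outcome` that line should be dropped. The Get Latest CLI step saves whatever `curl` returns — without `--fail` an HTTP error body becomes the `contrast` file that is then `chmod +x`'d — and never verifies the download, so the fetch should use `--fail` and check a pinned SHA-256 before the binary is executed. `${{ inputs.* }}` values are expanded directly into the bash scripts and, for `apiKey` and `authHeader`, written to `$GITHUB_OUTPUT`; passing inputs through `env:` and quoting `"$INPUT_..."` keeps credentials out of step outputs and prevents inputs containing shell metacharacters from being interpreted as script. The space-joined `args=` output is also re-split unquoted on the `./contrast scan` line, so any value containing whitespace breaks the command.
```yaml
      - name: Get Latest CLI
        shell: bash
        env:
          CLI_VERSION: "2.1.0"
          CLI_SHA256: "<sha256 of the pinned linux binary, to be filled in by the maintainer>"
        run: |
          echo "Downloading Contrast CLI ${CLI_VERSION}"
          curl --fail --silent --show-error --location \
            "https://pkg.contrastsecurity.com/artifactory/cli/v2/${CLI_VERSION}/linux/contrast" \
            --output contrast
          echo "${CLI_SHA256}  contrast" | sha256sum --check --strict
          chmod +x contrast
      # … unchanged: required-args, optional-args and run-scan steps …
```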
@@ -1,46 +0,0 @@
-#!/bin/sh -l
-
-echo "Org ID: $INPUT_ORGID"
-echo "Project Name: $INPUT_PROJECTNAME"
-echo "Project ID: $INPUT_PROJECTID"
-echo "API URL: $INPUT_APIURL"
-echo "Artifact: $INPUT_ARTIFACT"
-echo "Language: $INPUT_LANGUAGE"
-echo "Timeout: $INPUT_TIMEOUT"
-
-[ -z "$INPUT_ORGID" ] && echo "Organization ID is required but not present" && exit 1;
-[ -z "$INPUT_ARTIFACT" ] && echo "Artifact is required but not present" && exit 1;
-[ -z "$INPUT_APIKEY" ] && echo "Contrast API Key is required but not present" && exit 1;
-[ -z "$INPUT_AUTHHEADER" ] && echo "Contrast Authorization Header is required but not present" && exit 1;
-
-if [ -n "$INPUT_SEVERITY" ]
-then
- if [ -z "$INPUT_FAIL" ] || [ "$INPUT_FAIL" != true ]
- then
- echo "ERROR: Severity has been set without fail flag. Please set fail to true in order to fail the action if vulnerabilities are found."
- exit 1
- fi
-fi
-
-if [ "$INPUT_FAIL" = true ]
-then
- FAIL=true
-fi
-
-export CONTRAST_CODESEC_CI=true
-export CODESEC_INVOCATION_ENVIRONMENT="GITHUB"
-
-/usr/bin/contrast scan --file "$INPUT_ARTIFACT" --api-key "$INPUT_APIKEY" --authorization "$INPUT_AUTHHEADER" \
- --organization-id "$INPUT_ORGID" --host "$INPUT_APIURL" \
- ${INPUT_PROJECTNAME:+"--name"} ${INPUT_PROJECTNAME:+"$INPUT_PROJECTNAME"} \
- ${INPUT_PROJECTID:+"--project-id"} ${INPUT_PROJECTID:+"$INPUT_PROJECTID"} \
- ${INPUT_LANGUAGE:+"--language"} ${INPUT_LANGUAGE:+"$INPUT_LANGUAGE"} \
- ${FAIL:+"--fail"} ${INPUT_SEVERITY:+"--severity"} ${INPUT_SEVERITY:+"$INPUT_SEVERITY"} \
- --timeout "${INPUT_TIMEOUT}" -s sarif
-
- CONTRAST_RET_VAL=$?
- if [ $CONTRAST_RET_VAL -ne 0 ] && [ $CONTRAST_RET_VAL -ne 2 ]; then
- echo "An error occurred while executing the Scan. Please contact support."
- fi
-
-exit $CONTRAST_RET_VAL
\ No newline at end of file
From fba266579f429bced730d26f99978bf8bc9f0261 Mon Sep 17 00:00:00 2001
From: Andrew
Date: Tue, 22 Aug 2023 15:51:00 +0100
Subject: [PATCH 2/4] Added releases and updating tags

---
 .github/workflows/release.yml | 36 +++++++++++++++++++++++++++++++
 .github/workflows/update_tags.yml | 15 +++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 .github/workflows/release.yml
 create mode 100644 .github/workflows/update_tags.yml

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..5dd7dcc
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,36 @@
+name: create-release
+
+
+on:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - 'main'
+ types:
+ - closed
+
+
+permissions:
+ contents: write
+jobs:
+ tagged-release:
+ name: "Tagged Release"
+ runs-on: "ubuntu-latest"
+ steps:
+ - uses: actions/checkout@v2.3.3
+ with:
+ fetch-depth: 0
+
+ - name: Git Version
+ id: version
+ uses: codacy/git-version@80c816f11db8dea5e3a81025f598193015b51832
+ with:
+ release-branch: main
+ prefix: v
+
+ - name: Create Release
+ uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
+ with:
+ tag_name: ${{ steps.version.outputs.version }}
+ token: ${{secrets.SCA_OSS_PAT}} # Used so pipeline gets triggered from this one
+ # See https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
\ No newline at end of file
diff --git a/.github/workflows/update_tags.yml b/.github/workflows/update_tags.yml
new file mode 100644
index 0000000..b2216d0
--- /dev/null
+++ b/.github/workflows/update_tags.yml
@@ -0,0 +1,15 @@
+name: Keep the versions up-to-date
+
+on:
+ release:
+ types: [published, edited]
+
+permissions:
+ contents: write
+jobs:
+ actions-tagger:
+ runs-on: "ubuntu-latest"
+ steps:
+ - uses: Actions-R-Us/actions-tagger@330ddfac760021349fef7ff62b372f2f691c20fb
+ with:
+ publish_latest_tag: false
\ No newline at end of file
From 42791398be5265de22fe7f4c8f411195a65754da Mon Sep 17 00:00:00 2001
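Review bot: The `pull_request` trigger in release.yml fires on `types: closed`, but the `tagged-release` job has no merged guard, so closing a PR against main without merging still computes a version and publishes a release; add `if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true` to the job. `actions/checkout@v2.3.3` is a mutable tag on an old major version while the two other actions in this file are pinned to full commit SHAs; pin it the same way and put a `# vX.Y.Z` comment after each SHA so the pinned versions can be audited at review time. The comment on `token:` explains why `SCA_OSS_PAT` replaces `GITHUB_TOKEN` for the release step, so the remaining question is whether that PAT is scoped to this repository with contents:write only — that cannot be verified from the diff and is worth stating in the comment.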
From: Andrew
Date: Wed, 23 Aug 2023 10:42:21 +0100
Subject: [PATCH 3/4] Removed duplicate severity

---
 action.yml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/action.yml b/action.yml
index 5bf4023..4a82175 100644
--- a/action.yml
+++ b/action.yml
@@ -88,10 +88,6 @@ runs:
 args+=("--severity")
 args+=("${{ inputs.severity }}")
 fi
- if [ -n "${{inputs.severity}}" ]; then
- args+=("--severity")
- args+=("${{ inputs.severity }}")
- fi
 if [ "${{inputs.fail}}" = true ]; then
 args+=("--fail")
 fi
From 1148c0eff8198b51e87332eb8cfc0447f5f3c635 Mon Sep 17 00:00:00 2001
From: Andrew
Date: Tue, 29 Aug 2023 16:48:56 +0100
Subject: [PATCH 4/4] Removed defunct test suite

---
 .github/workflows/regression.yml | 20 --------------------
 1 file changed, 20 deletions(-)
 delete mode 100644 .github/workflows/regression.yml

diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml
deleted file mode 100644
index a812a1f..0000000
--- a/.github/workflows/regression.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: Contrast Scan Action Regression
-on:
- pull_request:
-jobs:
- trigger_tests:
- runs-on: ubuntu-latest
- steps:
- - name: Trigger Tests and Wait
- uses: convictional/trigger-workflow-and-wait@v1.6.1
- with:
- owner: Contrast-Security-Inc
- repo: contrast-github-actions-regression
- github_token: ${{ secrets.SCAN_PAT }}
- ref: master
- client_payload: '{"branch_name": "${{ github.event.pull_request.head.ref }}","trigger_repo_url": "${{ github.event.repository.html_url }}","trigger_commit_url": "${{ github.event.head_commit.url }}"}'
- workflow_file_name: test-run.yml
- wait_interval: 10
- propagate_failure: true
- trigger_workflow: true
- wait_workflow: true
\ No newline at end of file