Merge pull request #2 from vishalhcl-5960/ASA-9151
v2 - v4
Showing 7 changed files with 155 additions and 146 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -65,28 +65,27 @@ If you don't have an account, register on [HCL AppScan on Cloud (ASoC)](https:// | |
| application_id | The ID of the application in ASoC. | | ||
|
||
# Optional Inputs | ||
| Name | Description | Default Value | Available options | | ||
| :--- | :--- | :--- | :--- | | ||
| scan_name | The name of the scan created in ASoC. | The GitHub repository name + GITHUB SHA | | | ||
| scan_type | The type of the scan | staging | staging, production | | ||
| dynamic_scan_type | Choose between dast or upload. DAST will require you to specify starting URL and login, while upload will only require you to specify a .scan or .scant file | dast | dast, upload | | ||
| scan_or_scant_file |(applicable only if **dynamic_scan_type** = upload) Provide the path to the .scan or .scant file here| | | | ||
| starting_URL|(applicable only if **dynamic_scan_type** = dast)The starting URL of the DAST scan|https://demo.testfire.net?mode=demo || | ||
|optimization|Level of test optimization|Fast|NoOptimization, Fast, Faster, Fastest| | ||
|network|Set the type of network, if this is set to private, you must have AppScan Presence created in advance|public|public, private| | ||
|presence_id|(applicable only if network = private)||| | ||
|login_method|(applicable only if **dynamic_scan_type** = dast)Login Method of the scan, none: no authentication required for the application, userpass: basic username/password authentication, recorded: you will provide a recorded login sequence dast.config file |none|none, userpass, or recorded| | ||
|login_user|(applicable only if **login_method** = userpass) Type the username used for logging into the application||| | ||
|login_password|(applicable only if **login_method** = userpass) Type the password used logging into the application||| | ||
|login_sequence_file|Provide a path to the Login Traffic File data. Supported file type: DAST.CONFIG: AppScan Activity Recorder file||| | ||
|email_notification|Send email notification uponn scan completion|false|true,false| | ||
| personal_scan | Make this a [personal scan](https://help.hcltechsw.com/appscan/ASoC/appseccloud_scans_personal.html). | false | true, false| | ||
|wait_for_analysis|If set to true, the job will suspend and wait until DAST scan is complete before finishing the job| true| true, false| | ||
|wait_for_analysis_timeout_minutes|(applicable only if **wait_for_analysis** = true) Maximum duration in minutes before the job will no longer wait and proceeds to complete, default is 360 (6 hours)|360|| | ||
|fail_for_noncompliance|If **fail_for_noncompliance** is true, fail the job if any non-compliant issues are found in the scan|false|true, false| | ||
|fail_by_severity|If **fail_by_severity** is set to true, failure_threshold must also be set. This will fail the job if any issues equal to or higher (more severe) than **failure_threshold** are found in the scan|false|false| | ||
|failure_threshold|(applicable only if **failure_threshold** = true) Set the severity level that indicates a failure. Lesser severities will not be considered a failure. For example, if **failure_threshold** is set to Medium, Informational and/or Low severity issues will not cause a failure. Medium, High, and/or Critical issues will cause a failure.|High|Informational, Low, Medium, High, Critical| | ||
|ephemeral_presence|If set to true, a temp instance of AppScan Presence will be deployed in the runner and will be used for the scan. When enabled, this will force **wait_for_analysis** to true and **network** to private regardless of user settings | false| true, false| | ||
| Name | Description | Default Value | Available options | | ||
|:---------------------------------------| :--- |:---------------------------------------| :--- | | ||
| scan_name | The name of the scan created in ASoC. | The GitHub repository name + GITHUB SHA | | | | ||
| dynamic_scan_type | Choose between dast or upload. DAST will require you to specify starting URL and login, while upload will only require you to specify a .scan or .scant file | dast | dast, upload | | ||
| scan_or_scant_file |(applicable only if **dynamic_scan_type** = upload) Provide the path to the .scan or .scant file here| | | | ||
| starting_URL |(applicable only if **dynamic_scan_type** = dast)The starting URL of the DAST scan| https://demo.testfire.net?mode=demo || | ||
| optimization |Level of test optimization| Fast |NoOptimization, Fast, Faster, Fastest| | ||
| network |Set the type of network, if this is set to private, you must have AppScan Presence created in advance| public |public, private| | ||
| presence_id |(applicable only if network = private)||| | ||
| login_method |(applicable only if **dynamic_scan_type** = dast)Login Method of the scan, none: no authentication required for the application, userpass: basic username/password authentication, recorded: you will provide a recorded login sequence dast.config file | none |none, userpass, or recorded| | ||
| login_user |(applicable only if **login_method** = userpass) Type the username used for logging into the application||| | ||
| login_password |(applicable only if **login_method** = userpass) Type the password used logging into the application||| | ||
| login_sequence_file |Provide a path to the Login Traffic File data. Supported file type: DAST.CONFIG: AppScan Activity Recorder file||| | ||
| email_notification |Send email notification uponn scan completion| false |true,false| | ||
| personal_scan | Make this a [personal scan](https://help.hcltechsw.com/appscan/ASoC/appseccloud_scans_personal.html). | false | true, false| | ||
| wait_for_analysis |If set to true, the job will suspend and wait until DAST scan is complete before finishing the job| true | true, false| | ||
| wait_for_analysis_timeout_minutes |(applicable only if **wait_for_analysis** = true) Maximum duration in minutes before the job will no longer wait and proceeds to complete, default is 360 (6 hours)| 360 || | ||
| fail_for_noncompliance |If **fail_for_noncompliance** is true, fail the job if any non-compliant issues are found in the scan| false |true, false| | ||
| fail_by_severity |If **fail_by_severity** is set to true, failure_threshold must also be set. This will fail the job if any issues equal to or higher (more severe) than **failure_threshold** are found in the scan| false |false| | ||
| failure_threshold |(applicable only if **failure_threshold** = true) Set the severity level that indicates a failure. Lesser severities will not be considered a failure. For example, if **failure_threshold** is set to Medium, Informational and/or Low severity issues will not cause a failure. Medium, High, and/or Critical issues will cause a failure.| High |Informational, Low, Medium, High, Critical| | ||
| ephemeral_presence | If set to true, a temp instance of AppScan Presence will be deployed in the runner and will be used for the scan. When enabled, this will force **wait_for_analysis** to true and **network** to private regardless of user settings | false | true, false | | ||
|
||
# Example 1 - DAST scan with basic username and password login method, using the public network | ||
```yaml | ||
|
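Review bot: the rewritten Optional Inputs table drops the `scan_type` row (`| scan_type | The type of the scan | staging | staging, production |`) that the old table carried, yet every example further down in this README still sets `scan_type: 'staging'`; either restore the row or remove the input from the examples. While the table is being reworked, two pre-existing errors are carried over unchanged: the `failure_threshold` row says it applies only if `**failure_threshold** = true`, where the condition is `fail_by_severity` = true according to the preceding row, and the `fail_by_severity` row lists only `false` under available options although its description treats `true` as valid. Smaller points: `uponn` in the `email_notification` row, and the `presence_id` row has no description beyond its applicability note.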
@@ -98,15 +97,14 @@ jobs: | |
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
uses: actions/checkout@v4 | ||
- name: Run ASoC DAST Scan | ||
uses: HCL-TECH-SOFTWARE/[email protected].5 | ||
uses: HCL-TECH-SOFTWARE/[email protected].6 | ||
with: | ||
baseurl: https://cloud.appscan.com | ||
asoc_key: ${{secrets.ASOC_KEY}} | ||
asoc_secret: ${{secrets.ASOC_SECRET}} | ||
application_id: acd3ef50-6276-461d-8514-abc6e7113577 | ||
scan_type: 'staging' | ||
dynamic_scan_type: dast | ||
starting_URL: 'https://demo.testfire.net?mode=demo' | ||
login_method: userpass | ||
|
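Review bot: the version bumps on the `uses: actions/checkout@v4` line and on the `HCL-TECH-SOFTWARE` action line keep the actions pinned to mutable tags; since the scan action receives `${{secrets.ASOC_KEY}}` and `${{secrets.ASOC_SECRET}}`, consider showing a full-length commit SHA pin (with the tag in a trailing comment) so that a retagged release cannot silently change what runs with those credentials. Also, `application_id: acd3ef50-6276-461d-8514-abc6e7113577` is a literal GUID in an example; a placeholder would make clear that readers must substitute their own.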
@@ -115,7 +113,7 @@ jobs: | |
network: public | ||
fail_for_noncompliance: false | ||
wait_for_analysis: true | ||
- uses: actions/upload-artifact@v3 | ||
- uses: actions/upload-artifact@v4 | ||
name: Upload HCL AppScan HTML Report to Github Artifacts | ||
with: | ||
name: AppScan Security Scan HTML Report | ||
|
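Review bot: `actions/upload-artifact@v4` is not a drop-in replacement for v3: v4 artifacts are immutable and the artifact name must be unique within a workflow run, so the fixed `name: AppScan Security Scan HTML Report` will fail on the second upload if this job is run in a matrix or the report is uploaded twice, and v4 artifacts can only be retrieved with `actions/download-artifact@v4`. Worth a sentence in the README, or a per-job suffix in the artifact name.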
@@ -133,22 +131,21 @@ jobs: | |
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
uses: actions/checkout@v4 | ||
- name: Run ASoC DAST Scan | ||
uses: HCL-TECH-SOFTWARE/[email protected].5 | ||
uses: HCL-TECH-SOFTWARE/[email protected].6 | ||
with: | ||
baseurl: https://cloud.appscan.com | ||
asoc_key: ${{secrets.ASOC_KEY}} | ||
asoc_secret: ${{secrets.ASOC_SECRET}} | ||
application_id: acd3ef50-6276-461d-8514-abc6e7113577 | ||
scan_type: 'staging' | ||
dynamic_scan_type: upload | ||
scan_or_scant_file: 'altoro.scant' | ||
network: private | ||
presence_id: f185efda-67bf-ed11-ba76-14cb65723612 | ||
fail_for_noncompliance: false | ||
wait_for_analysis: true | ||
- uses: actions/upload-artifact@v3 | ||
- uses: actions/upload-artifact@v4 | ||
name: Upload HCL AppScan HTML Report to Github Artifacts | ||
with: | ||
name: AppScan Security Scan HTML Report | ||
|
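Review bot: the example combines `network: private` with a literal `presence_id: f185efda-67bf-ed11-ba76-14cb65723612`; since the Optional Inputs table gives `presence_id` no description, add a sentence beside this example saying where the value comes from (an AppScan Presence created in advance, as the `network` row states) and that the GUID shown is illustrative.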
@@ -165,20 +162,19 @@ jobs: | |
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
uses: actions/checkout@v4 | ||
- name: Run ASoC DAST Scan | ||
uses: HCL-TECH-SOFTWARE/[email protected].5 | ||
uses: HCL-TECH-SOFTWARE/[email protected].6 | ||
|
||
with: | ||
baseurl: https://cloud.appscan.com | ||
asoc_key: ${{secrets.ASOC_KEY}} | ||
asoc_secret: ${{secrets.ASOC_SECRET}} | ||
application_id: acd3ef50-6276-461d-8514-abc6e7113577 | ||
scan_type: 'staging' | ||
dynamic_scan_type: dast | ||
starting_URL: 'https://demo.testfire.net' | ||
ephemeral_presence: true | ||
- uses: actions/upload-artifact@v3 | ||
- uses: actions/upload-artifact@v4 | ||
name: Upload HCL AppScan HTML Report to Github Artifacts | ||
with: | ||
name: AppScan Security Scan HTML Report | ||
|
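Review bot: `starting_URL: 'https://demo.testfire.net'` in this example omits the `?mode=demo` query used by the table's default value and by example 1 (`'https://demo.testfire.net?mode=demo'`); if the difference is intentional, say so, otherwise align them. Also, because `ephemeral_presence: true` deploys a temporary AppScan Presence on the runner and, per the table, forces `network` to private and `wait_for_analysis` to true, it is worth stating next to this example that the runner must be able to reach the target and that the job will block until the scan completes (up to `wait_for_analysis_timeout_minutes`).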