From 8f83eb1f20a4fdc55ce9e8fff23fa276b2e97f75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D8=A8=D9=84=D8=A7=D9=84=20=D9=85=D8=B3=D9=84=D9=88=D8=A8?=
Date: Thu, 8 Aug 2024 16:47:04 +0200
Subject: [PATCH] Create contrast-scan.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: بلال مسلوب
---
.github/workflows/contrast-scan.yml | 53 +++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 .github/workflows/contrast-scan.yml
diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml
new file mode 100644
index 0000000000..aa5766c223
--- /dev/null
+++ b/.github/workflows/contrast-scan.yml
@@ -0,0 +1,53 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github.
+# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action.
+# Contrast Scan currently supports Java, JavaScript and .NET artifacts.
+# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action
+
+# Pre-requisites:
+# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action.
+# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER.
+
+on:
+ push:
+ branches: [ "Main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "Main" ]
+ schedule:
+ - cron: '25 6 * * 0'
+
+permissions:
+ contents: read
+
+name: Scan analyze workflow
+jobs:
+ build-and-scan:
+ permissions:
+ contents: read # for actions/checkout
+ security-events: write # for github/codeql-action/upload-sarif
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ # check out project
+ steps:
+ - uses: actions/checkout@v4
+ # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here.
+ # -name: Build Project
+ # ...
+ # Scan Artifact
+ - name: Contrast Scan Action
+ uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1
+ with:
+ artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact
+ apiKey: ${{ secrets.CONTRAST_API_KEY }}
+ orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
+ authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
+ #Upload the results to GitHub
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
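Review bot: The Contrast Scan step still points at the template placeholder `artifact: mypath/target/myartifact.jar` while the build step above it remains commented out (`# -name: Build Project`), so as committed the job has no artifact to scan and will fail at that step; a real build step and artifact path should be added before this workflow is enabled. The two GitHub-maintained actions are referenced by mutable tag (`actions/checkout@v4`, `github/codeql-action/upload-sarif@v3`) whereas the third-party action is pinned to a full commit SHA; for a job that receives three organization secrets, pinning every action to a commit SHA with a trailing `# vN` comment applies the same supply-chain protection consistently. The `branches: [ "Main" ]` filter on both `push` and `pull_request` is case-sensitive, so if the repository's default branch is actually `main` only the weekly cron would ever run the scan — worth confirming against the repository settings. Note also that on pull requests opened from forks the repository secrets are not available to the job, so the scan step would fail there; triggering on `push` and `schedule` only, or handling the missing secrets explicitly, avoids a permanently red check on external contributions.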