# Composite GitHub Action manifest for "Evaluate": installs the Sonatype IQ CLI
# and a JDK, runs the evaluation against the given scan targets, exposes the
# scan id and report URLs as outputs and, when the caller opts in, uploads the
# SARIF result to GitHub Code Scanning.
name: 'Evaluate'
description:
  'Evaluate action runs the latest IQ CLI (jar) with the set of parameters provided and outputs the scan id and the
  report URL'
author: 'Sonatype'

# Add your action's branding here. This will appear on the GitHub Marketplace.
branding:
  icon: 'shield'
  color: 'purple'

# Define your inputs here.
# Every input reaches the run step below as a string (action inputs are always
# strings), so the unquoted `default: false` values are seen as 'false' at
# runtime; the upload step compares against the string 'true' for that reason.
inputs:
  iq-server-url:
    description: 'Lifecycle (IQ Server) URL (e.g. http://localhost:8070).'
    required: true
  # Credentials are forwarded unchanged to run-iq-cli; callers should supply
  # them from repository or organization secrets rather than as literals.
  username:
    description: 'The username to authenticate with Lifecycle (IQ Server).'
    required: true
  password:
    description: 'The password to authenticate with Lifecycle (IQ Server).'
    required: true
  application-id:
    description:
      'Lifecycle (IQ Server) application ID. When Automatic Applications is enabled and the application ID has not yet
      been used, a new application will be created with the given ID.'
    required: true
  scan-targets:
    description:
      'Space-separated list of paths to specific files, directories, or docker images. Apache Ant-styled patterns are
      allowed.'
    required: true
  organization-id:
    description:
      'The ID for the Lifecycle organization to which the application belongs. When automatic application creation is
      enabled and the application does not exist, it will be created under the organization having the provided
      organization ID.'
    required: false
  stage:
    description: 'Specify the development lifecycle stage for the analysis. Defaults to the build stage.'
    required: false
    default: 'build'
  result-file:
    description:
      'If set, the analysis output (in JSON format) will be uploaded as a run artifact with the specified name.'
    required: false
  module-exclude:
    description: 'Space-separated list of module files to ignore via Apache Ant-styled patterns.'
    required: false
  fail-on-policy-warnings:
    description: 'Causes a failure of the evaluation if any warnings are encountered.'
    required: false
    default: false
  # The two ignore-* switches trade build stability for visibility: errors they
  # suppress will not fail the job, so keep them off unless the noise is known.
  ignore-system-errors:
    description: 'Ignore system errors (e.g. IO, Network, server, etc.) to avoid unintentional build failures.'
    required: false
    default: false
  ignore-scanning-errors:
    description:
      'Ignore scanning errors (e.g. invalid files, inaccessible files, etc). It is useful when the code base contains
      invalid files for testing purposes. Scanning these files may cause unintentional build failures.'
    required: false
    default: false
  # Debug output lands in the job log, which is readable by anyone who can see
  # the run; leave it off outside of troubleshooting.
  debug:
    description:
      'Enables debug logging for troubleshooting. Use with caution as this log may expose sensitive information.'
    required: false
    default: false
  keep-scan-file:
    description: 'Retains and uploads the scan file as an action artifact.'
    required: false
    default: false
  proxy:
    description:
      'Specify a proxy to use when connecting to Lifecycle (IQ Server). This property is set using the format
      host[:port], otherwise, the CLI uses the default HTTP proxy set with the JVM.'
    required: false
  # Carries a password; supply it from a secret, never inline in the workflow.
  proxy-user:
    description: 'Specify proxy credentials in the following format: username:password.'
    required: false
  include-sha-256:
    description: 'If set, SHA256 checksums are included in the scan file.'
    required: false
    default: false
  exclude-maven-dependency-management:
    description:
      'Enable this parameter to limit analysis to the projects dependencies section of a pom file while excluding the
      components under the dependencyManagement section.'
    required: false
    default: false
  sarif-file:
    description:
      'Generates a SARIF file with a specified name containing all identified vulnerabilities. The SARIF file extension
      must be .sarif or .json. The generated file will be uploaded as an action artifact.'
    required: false
  # Gates the final "Upload result to GitHub Code Scanning" step; see the
  # note on that step for the permission the calling workflow must grant.
  upload-sarif-file:
    description:
      'Enable this parameter to generate or use the generated sarif-file to update the "Code scanning" section under the
      GitHub repository''s Security tab. If sarif-file is not defined, the generated file will be named result.sarif by
      default, and it will be uploaded as an action artifact.'
    required: false
    default: false
  # Deprecated aliases; they are still forwarded to run-iq-cli alongside the
  # enable-reachability / reachability-namespaces inputs that replace them.
  enable-callflow:
    description: 'Deprecated. Use enable-reachability.'
    required: false
    default: false
  callflow-namespaces:
    description: 'Deprecated. Use reachability-namespaces.'
    required: false
    default: ''
  enable-reachability:
    description:
      'Perform a reachability analysis in Java or JVM language binaries to determine the method signatures that trigger
      a security vulnerability.'
    required: false
    default: false
  reachability-namespaces:
    description:
      'Limit the reachability analysis to a specific namespace for faster, more precise results. Multiple namespaces can
      be delimited by space.'
    required: false
    default: ''
  reachability-entrypoint-strategy:
    description: 'Entrypoint strategy for Java reachability analysis.'
    required: false
  enable-reachability-js:
    description: 'Enable JavaScript reachability analysis (Default: false)'
    required: false
    default: false
  reachability-js-sources:
    description:
      'JavaScript source patterns for reachability analysis (required for JS reachability; these are app files; do not
      include tests or node_modules files here)'
    required: false
    default: ''
  reachability-js-excludes:
    description:
      'JavaScript exclude patterns for reachability analysis (e.g. tests and other source files that are not relevant
      for the analysis)'
    required: false
    default: ''
  reachability-node-path:
    description: 'Path to Node.js executable'
    required: false
  reachability-js-project-root:
    description: 'JavaScript project root directory (i.e. where the main package.json file resides)'
    required: false
  ignore-reachability-errors:
    description: 'Ignore reachability analysis errors (reachability analysis failed to run) (Default: false)'
    required: false
    default: false

# Define your outputs here.
# All outputs are re-exported from the run-iq-cli step (id: run-iq-cli).
outputs:
  scan-id:
    value: ${{ steps.run-iq-cli.outputs.scan-id }}
    description:
      'Scan id result of the run operation. It can be used to access the Lifecycle report of related artifacts.'
  report-url:
    value: ${{ steps.run-iq-cli.outputs.report-url }}
    description: 'Link to navigate directly to the analysis report in Lifecycle (IQ Server).'
  priorities-url:
    value: ${{ steps.run-iq-cli.outputs.priorities-url }}
    description: 'Link to navigate directly to the priorities report in Lifecycle (IQ Server).'
  sarif-file:
    value: ${{ steps.run-iq-cli.outputs.sarif-file }}
    description: 'Name of the generated SARIF file containing all found vulnerabilities, if configured.'

runs:
  using: 'composite'
  # NOTE(review): the nested sonatype actions are pinned to the tag v1.9.3 and
  # the third-party actions to major tags (v4, v3). Tags are mutable; pinning
  # each `uses:` to a full commit SHA is the stronger supply-chain control.
  steps:
    # Resolves the IQ CLI jar; 'latest' is what the action description
    # promises, so the exact CLI version can differ between runs. The resolved
    # version is handed to the run step through steps.setup-iq-cli.outputs.
    - name: Setup IQ CLI Action
      id: setup-iq-cli
      uses: sonatype/actions/setup-iq-cli@v1.9.3
      with:
        iq-cli-version: 'latest'

    # The IQ CLI is a jar (see the action description), hence the JDK.
    - uses: actions/setup-java@v4
      with:
        distribution: 'temurin'
        java-version: '17'

    # Forwards every input one-to-one to run-iq-cli, except sarif-file (below).
    - name: Run IQ CLI Action
      id: run-iq-cli
      uses: sonatype/actions/run-iq-cli@v1.9.3
      with:
        iq-cli-version: ${{ steps.setup-iq-cli.outputs.iq-cli-version }}
        username: ${{ inputs.username }}
        password: ${{ inputs.password }}
        iq-server-url: ${{ inputs.iq-server-url }}
        application-id: ${{ inputs.application-id }}
        organization-id: ${{ inputs.organization-id }}
        result-file: ${{ inputs.result-file }}
        keep-scan-file: ${{ inputs.keep-scan-file }}
        scan-targets: ${{ inputs.scan-targets }}
        stage: ${{ inputs.stage }}
        module-exclude: ${{ inputs.module-exclude }}
        fail-on-policy-warnings: ${{ inputs.fail-on-policy-warnings }}
        ignore-system-errors: ${{ inputs.ignore-system-errors }}
        debug: ${{ inputs.debug }}
        ignore-scanning-errors: ${{ inputs.ignore-scanning-errors }}
        proxy: ${{ inputs.proxy }}
        proxy-user: ${{ inputs.proxy-user }}
        include-sha-256: ${{ inputs.include-sha-256 }}
        exclude-maven-dependency-management: ${{ inputs.exclude-maven-dependency-management }}
        # When sarif-file is empty the `||` falls through to upload-sarif-file,
        # so run-iq-cli receives the literal string 'true' or 'false' instead of
        # a file name. Presumably run-iq-cli treats those values specially (the
        # upload-sarif-file description says it then writes result.sarif) —
        # TODO confirm against run-iq-cli.
        sarif-file: ${{ inputs.sarif-file || inputs.upload-sarif-file }}
        enable-callflow: ${{ inputs.enable-callflow }}
        callflow-namespaces: ${{ inputs.callflow-namespaces }}
        enable-reachability: ${{ inputs.enable-reachability }}
        reachability-namespaces: ${{ inputs.reachability-namespaces }}
        reachability-entrypoint-strategy: ${{ inputs.reachability-entrypoint-strategy }}
        enable-reachability-js: ${{ inputs.enable-reachability-js }}
        reachability-js-sources: ${{ inputs.reachability-js-sources }}
        reachability-js-excludes: ${{ inputs.reachability-js-excludes }}
        reachability-node-path: ${{ inputs.reachability-node-path }}
        reachability-js-project-root: ${{ inputs.reachability-js-project-root }}
        ignore-reachability-errors: ${{ inputs.ignore-reachability-errors }}

    # Runs whether the previous steps succeeded or failed (a policy failure in
    # run-iq-cli must not skip the upload), but only when a SARIF file was
    # actually produced and the caller opted in via upload-sarif-file. Inputs
    # are strings, hence the comparison with 'true'. The calling workflow must
    # grant `security-events: write` for upload-sarif to succeed.
    - name: Upload result to GitHub Code Scanning
      if: ( success() || failure() ) && steps.run-iq-cli.outputs.sarif-file && inputs.upload-sarif-file == 'true'
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: ${{ steps.run-iq-cli.outputs.sarif-file }}