Changes related to compliance scan for Mend #76
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Mend | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - site/** | |
| - examples/** | |
| workflow_dispatch: | |
| inputs: | |
| branch: | |
| type: string | |
| required: true | |
| default: main | |
| workflow_call: | |
| secrets: | |
| WS_APIKEY_NGINX: | |
| required: true | |
| WS_USER_KEY: | |
| required: true | |
| inputs: | |
| product_name: | |
| type: string | |
| required: true | |
| project_name: | |
| required: true | |
| type: string | |
| concurrency: | |
| group: ${{ github.ref_name }}-mend | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| # check-if-allowed: | |
| # name: Verify Environment | |
| # if: ${{ ( github.repository_owner == 'nginx' || github.repository_owner == 'nginxinc' ) }} | |
| # runs-on: [ ubuntu-latest ] | |
| # steps: | |
| # - name: Check if we're in the allowed environment | |
| # run: | | |
| # org_found=0 | |
| # event_found=0 | |
| # ref_found=0 | |
| # ALLOWED_ORGS="nginx nginxinc" | |
| # ALLOWED_EVENTS="push workflow_dispatch" | |
| # ALLOWED_REFS="refs/heads/main refs/heads/master refs/heads/stable-1.28" | |
| # for org in $ALLOWED_ORGS; do | |
| # if [ "$org" == "$GITHUB_REPOSITORY_OWNER" ]; then org_found=1; fi | |
| # done | |
| # for event in $ALLOWED_EVENTS; do | |
| # if [ "$event" == "$GITHUB_EVENT_NAME" ]; then event_found=1; fi | |
| # done | |
| # for ref in $ALLOWED_REFS; do | |
| # if [ "$ref" == "$GITHUB_REF" ]; then ref_found=1; fi | |
| # done | |
| # if [ $org_found$event_found$ref_found -ne 111 ]; then | |
| # echo "Repository owner, event, or ref are not explicitely allowed to use this workflow: $GITHUB_REPOSITORY_OWNER, $GITHUB_EVENT_NAME, $GITHUB_REF" | |
| # exit 1 | |
| # fi | |
| # exit 0 | |
| scan: | |
| name: Mend | |
| runs-on: ubuntu-22.04 | |
| #needs: check-if-allowed | |
| outputs: | |
| mend-report-file: ${{ steps.report.outputs.mend-report-file }} | |
| mend-scan-result: ${{ steps.scan.outputs.mend-scan-result }} | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| ref: ${{ inputs.branch && inputs.branch || github.ref }} | |
| - name: Download agent | |
| run: curl -fsSLJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar | |
| - name: Verify JAR | |
| run: jarsigner -verify wss-unified-agent.jar | |
| - name: Scan and upload | |
| id: scan | |
| continue-on-error: true | |
| env: | |
| WS_URL: "https://f5.whitesourcesoftware.com/agent" | |
| WS_APIKEY_NGINX: ${{ secrets.WS_APIKEY_NGINX }} | |
| WS_USER_KEY: ${{ secrets.WS_USER_KEY }} | |
| PRODUCT_NAME: ${{ inputs.product_name}} | |
| PROJECT_NAME: ${{ inputs.project_name}} | |
| WS_CHECKPOLICIES: true | |
| WS_FORCECHECKALLDEPENDENCIES: true | |
| WS_GENERATESCANREPORT: true | |
| WS_FORCEUPDATE: true | |
| WS_FORCEUPDATE_FAILBUILDONPOLICYVIOLATION: true | |
| run: | | |
| if [ -z "$WS_APIKEY_NGINX" ] || [ -z "$WS_USER_KEY" ]; then | |
| echo "Secret is empty" | |
| exit 1 | |
| fi | |
| if [ -z "$PRODUCT_NAME" ] || [ -z "$PROJECT_NAME" ]; then | |
| echo "Project Name is empty" | |
| exit 1 | |
| fi | |
| java -jar wss-unified-agent.jar -noConfig true -wss.url $WS_URL -apiKey $WS_APIKEY_NGINX -userKey $WS_USER_KEY -product $PRODUCT_NAME -project $PROJECT_NAME -d ./ | |
| exit_code=$? | |
| echo "mend-scan-result=$(echo $exit_code)" >> $GITHUB_OUTPUT | |
| echo -e "\nEXIT CODE is: $exit_code\n" | |
| - name: Check if report is generated | |
| if: success() || steps.scan.conclusion == 'failure' | |
| id: report | |
| shell: bash | |
| run: | | |
| echo "mend-report-file=$(find whitesource -type f -name "${PROJECT_NAME}*scan_report.json" | head -n 1)" >> $GITHUB_OUTPUT | |
| cat $GITHUB_OUTPUT | |
| - name: Print scan report | |
| if: success() || steps.scan.conclusion == 'failure' | |
| id: print | |
| run: | | |
| cat ${{ steps.report.outputs.mend-report-file }} | jq . | |
| - name: Store mend report | |
| if: success() || steps.scan.conclusion == 'failure' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: mend-scan-report | |
| path: whitesource | |
| retention-days: 7 | |
| - name: Final scan result | |
| if: ${{ steps.scan.outcome }} == 'failure' | |
| run: | | |
| printf "\nSCA scan detected vulnerabilities.\n" | |
| exit 1 | |
| - name: Final scan result | |
| if: ${{ steps.scan.outcome }} == 'success' | |
| run: | | |
| exit 0 |