JavaVulnerableLab/.github/workflows/gh-bugtrack-cxflow.yml at master · jvlstuff/JavaVulnerableLab · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
# This is a basic workflow to help you get started with Actions

name: CxFlow Github Bugtracking
on:
  workflow_call:
    inputs:
      bugtracker:
        required: true
        type: string
      branch:
        required: true
        type: string
    secrets:
      sast_username:
        required: false
        description: Cx sast username
      sast_password:
         required: false
         description: Cx sast password
      sca_username:
        required: false
        description: Cx sca username
      sca_password:
         required: false
         description: Cx sca password


# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    # Steps represent a sequence of tasks that will be executed as part of the job

    steps:
      - name: Create vars
        env:
            github_branch: ${{inputs.branch}}
            toverify: To Verify
            cfm: Confirmed
            ne: Not Exploitable
            recurrent: Recurrent
            new: New
            medium: Medium
            hi_me: High,Medium
        shell: bash
        run:  |
          echo github_branch ${github_branch#refs/heads/}
          echo state ${cfm}
          echo status ${recurrent}
          echo severity ${hi_me}
          echo "::set-output name=branch::${github_branch#refs/heads/}"
          echo "::set-output name=state::${cfm}"
          echo "::set-output name=status::${recurrent}"
          echo "::set-output name=severity::${hi_me}"

        id: myvars

      - name: print vars
        run: |
          echo merge id ${{ github.event.number }}
          echo repo-name ${{ github.event.repository.name }}
          echo namespace ${{ github.repository_owner }}
          echo branch for cxflow parameter ${{inputs.branch}}
          echo branch for project name ${{steps.myvars.outputs.branch}}
          echo state for filtering "${{steps.myvars.outputs.state}}"
          echo status for filtering "${{steps.myvars.outputs.status}}"
          echo severity for filtering "${{steps.myvars.outputs.severity}}"


      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v2

      - name: Checkmarx CxFlow Action
      # You may pin to the exact commit or the version.
        uses: checkmarx-ts/checkmarx-cxflow-github-action@v1.4
        with:
    # Provide Checkmarx URL
          checkmarx_url: https://cxprivatecloud.checkmarx.net/
    # Select a Checkmarx Team
          team: CxServer/SP/EMEA/checkmarx.ch - 972
    # Provide Checkmarx Username
          checkmarx_username: ${{ secrets.sast_username }}
    # Provide Checkmarx Password
          checkmarx_password: ${{ secrets.sast_password }}
    # Provide Checkmarx Client Secret
          checkmarx_client_secret: 014DF517-39D1-4453-B7B3-9930C563627C
    # Select a Checkmarx Project
          project:  ${{ GITHUB.REPOSITORY }}
    # Select an Application Name used by downstream bug tracker systems
          app: ${{ GITHUB.REPOSITORY }}
    # Select a Checkmarx Preset
          preset: 'Checkmarx Express'
    # Break build based on Checkmarx findings?
          break_build: true  # optional
    # Bug tracker for the scan results.
          bug_tracker: ${{ inputs.bugtracker}}
    # Incremental Scans?
          incremental: false # optional, default is true
    # Additional CLI parameters
          params: --branch=${{ inputs.branch }}
                  --repo-name=${{ github.event.repository.name }}
                  --merge-id=${{ github.event.number }}
                  --namespace=${{ github.repository_owner }}
                  --cx-flow.filter-state=${{ steps.myvars.outputs.state }}
                  --cx-flow.filter-severity=${{ steps.myvars.outputs.severity }}
    #              --sca.filter-severity=${{ steps.myvars.outputs.severity }}
    #              --cx-flow.filter-status=${{ steps.myvars.outputs.status }}
    #              --sca.filter-score=9.0
    #             --cx-flow.filter-category=""
    #             --sca.includeSources=true
    #             --sca.enabledZipScan=true
    # GitHub API Token
          github_token: ${{ secrets.GITHUB_TOKEN }}
    # Vulnerability Scanners (sast, sca, ast, cxgo)
          scanners: sast
    # Provide SCA API URL
          sca_api_url: https://api-sca.checkmarx.net
    # Provide SCA APP URL
          sca_app_url: https://sca.checkmarx.net
    # Provide SCA Access Control URL
          sca_access_control_url: https://platform.checkmarx.net
    # Provide SCA Tenant
          sca_tenant: SCA_Jurgan_Eitle
    # Provide SCA Username
          sca_username: ${{ secrets.sca_username }}
    # Provide SCA Password
          sca_password: ${{ secrets.sca_password }}