QwietAI-java-demo/.github/workflows/TestSecTab.yml at master · ongamse/QwietAI-java-demo · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# This workflow integrates QwietAI preZero SAST with GitHub and exports SARIF results to the Security Tab
name: QwietAFPRnBR2

on:
  pull_request:
  workflow_dispatch:
  schedule:
    # * is a special character in YAML so you have to quote this string
    - cron: '0 11 * * 6'

permissions:
  security-events: write  # Ensure proper permissions to upload SARIF results

jobs:
  QwietAI-preZero-Analysis:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3

    - name: Setup Java JDK v8
      uses: actions/setup-java@v3
      with:
        distribution: zulu
        java-version: 8

    - name: Download QwietAI CLI
      run: |
        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl

    - name: Extract branch name
      shell: bash
      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
      id: extract_branch

    - name: QwietAI preZero Analysis
      run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app Qwietjavatab --verbose --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} . -- --exclude common.py,export2.py,export3.py,export4.py
      env:
        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
        SHIFTLEFT_API_HOST: www.shiftleft.io
        SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
        SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443

    - name: Download export.py and requirements.txt
      run: |
        curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/export.py
        curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/config.py
        curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/common.py
        curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/requirements.txt
    - name: Verify export.py file exists
      run: |
        ls -la ${GITHUB_WORKSPACE}

    - name: Install Python dependencies
      run: |
        python3 -m pip install --upgrade pip
        python3 -m pip install -r requirements.txt

    - name: Run export.py and generate SARIF report
      run: |
        #APP_NAME=${{ github.event.repository.name }}
        python3 ${GITHUB_WORKSPACE}/export.py -f sarif -a Qwietjavatab
      env:
        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}

    - name: Upload SARIF file to GitHub Security Tab
      uses: github/codeql-action/upload-sarif@v3  # Updated to v3
      with:
        sarif_file: ./ngsast-report-Qwietjavatab.sarif  # Correct dynamic path for SARIF output