diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml
index 26556934e..4d314a627 100644
--- a/.github/workflows/shiftleft.yml
+++ b/.github/workflows/shiftleft.yml
@@ -1,7 +1,7 @@
 ---
-# This workflow integrates qwiet.ai preZero with GitHub
+# This workflow integrates Harness SAST and SCA with GitHub
 # Visit https://docs.shiftleft.io for help
-name: qwiet.ai
+name: Harness SAST and SCA
 on:
 pull_request:
@@ -12,49 +12,47 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Setup Java JDK v11.0.x - uses: actions/setup-java@v3 - with: - distribution: zulu - java-version: 11.0.x - - - name: Download ShiftLeft CLI + - name: Download Harness SAST and SCA CLI run: | curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl - name: preZero Static Analysis run: | + pip install -r requirements.txt + ${GITHUB_WORKSPACE}/sl --version ${GITHUB_WORKSPACE}/sl analyze --strict --wait \ - --app shiftleft-java-demo \ + --app QwietAI-java-demo \ --tag branch=${{ github.head_ref }} \ - --javasrc --container 18fgsa/s3-resource . + --pythonsrc $(pwd) env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} SHIFTLEFT_API_HOST: www.shiftleft.io SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 - Build-Rules: - runs-on: ubuntu-latest - permissions: write-all - needs: NextGen-Static-Analysis - steps: - - uses: actions/checkout@v3 - - name: Download ShiftLeft CLI - run: | - curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl - - name: Validate Build Rules - run: | - ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \ - --github-pr-number=${{github.event.number}} \ - --github-pr-user=${{ github.repository_owner }} \ - --github-pr-repo=${{ github.event.repository.name }} \ - --github-token=${{ secrets.GITHUB_TOKEN }} - env: - SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} - SHIFTLEFT_API_HOST: www.shiftleft.io - SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 - SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 +# Build-Rules: +# runs-on: ubuntu-latest +# permissions: write-all +# needs: NextGen-Static-Analysis +# steps: +# - uses: actions/checkout@v3 +# - name: Download Harness SAST and SCA CLI +# run: | +# curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && 
chmod a+rx ${GITHUB_WORKSPACE}/sl
+# - name: Validate Build Rules
+# run: |
+# ${GITHUB_WORKSPACE}/sl check-analysis --app QwietAI-java-demo \
+# --github-pr-number=${{github.event.number}} \
+# --github-pr-user=${{ github.repository_owner }} \
+# --github-pr-repo=${{ github.event.repository.name }} \
+# --github-token=${{ secrets.GITHUB_TOKEN }}
+# env:
+# # SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+#
+# SHIFTLEFT_API_HOST: www.shiftleft.io
+# SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+# SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+#
diff --git a/shiftleft.yml b/shiftleft.yml
index 9258e2a14..820144af2 100644
--- a/shiftleft.yml
+++ b/shiftleft.yml
@@ -1,22 +1,15 @@
-version: 2 # implies that check-analysis v2 should be used and therefore
- # the --v2 flag can be omitted when running sl check-analysis
+version: 2
 build_rules:
-- id: Allow no critical findings
- finding_types:
- - vuln
- severities:
- - critical
- threshold: 0
- options:
- num_findings: 10 # Return 10 sast findings
-- id: Allow one OSS or container finding
- finding_types:
- - oss_vuln
- - container
- threshold: 1
-- id: Allow no reachable OSS vulnerability
- finding_types:
- - oss_vuln
- - container
- options:
- reachable: true
+ - id: Allow no critical findings
+ severities:
+ - critical
+ - id: Allow one OSS or container finding
+ finding_types:
+ - oss_vuln
+ - container
+ threshold: 1
+ - id: Allow no reachable OSS vulnerability
+ finding_types:
+ - oss_vuln
+ options:
+ reachable: true
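Review bot: The new `pip install -r requirements.txt` line runs inside the same `preZero Static Analysis` step whose `env:` exports `SHIFTLEFT_ACCESS_TOKEN`, so every package the checked-out requirements.txt pulls in, including any install-time hooks, executes with the Harness/ShiftLeft token in its environment; GitHub withholds secrets from fork PRs on the `pull_request` trigger, but any same-repo branch can edit requirements.txt. Move the install into its own step with no `env:` and pin what it installs, e.g. `- name: Install Python dependencies` / `run: pip install --require-hashes -r requirements.txt` (or at least a fully pinned file), ahead of the analysis step. The unchanged curl line in the same job still fetches the `sl` binary unpinned with no checksum or signature check, which is worth fixing while this job is being reworked. Note also that the Build-Rules job is only commented out, so the `sl check-analysis` PR gate no longer runs, and the commented block still carries `permissions: write-all` that should be narrowed if the job is ever revived.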
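Review bot: The rewritten `Allow no reachable OSS vulnerability` rule drops `container` from `finding_types`, so a reachable container vulnerability is no longer blocked by this rule and only has to stay under the `threshold: 1` of the `Allow one OSS or container finding` rule; if that loosening is not intended, restore `- container` under that rule's `finding_types`. The first rule also lost its explicit `threshold: 0` and is now scoped by severity alone; if the tool's default threshold is anything other than 0 the rule silently becomes permissive, so writing `threshold: 0` explicitly is safer. Separately, the `Build-Rules` job that ran `sl check-analysis` against this file is commented out in the workflow in the same change, so none of these rules are enforced on pull requests until that job is restored.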