add auto-rewrite to policy scan results #65
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: [push] | |
| jobs: | |
| # This step will build the maven application | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - uses: actions/setup-java@v1 | |
| with: | |
| java-version: 1.8 | |
| - name: Cache Maven packages | |
| uses: actions/cache@v2 | |
| with: | |
| path: ~/.m2 | |
| key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
| - name: Build with Maven | |
| run: mvn clean package | |
| - uses: actions/upload-artifact@v1 | |
| with: | |
| name: verademo.war | |
| path: target/verademo.war | |
| # This step will run the Veracode pipeline scan | |
| pipeline-scan: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| container: | |
| image: veracode/pipeline-scan:latest | |
| options: --user root | |
| steps: | |
| - name: get archive | |
| uses: actions/download-artifact@v2 | |
| with: | |
| name: verademo.war | |
| path: /tmp | |
| - name: pipeline-scan | |
| run: | | |
| java -jar /opt/veracode/pipeline-scan.jar \ | |
| -vid "${{secrets.VERACODE_API_ID}}" \ | |
| -vkey "${{secrets.VERACODE_API_KEY}}" \ | |
| --fail_on_severity="Very High, High" \ | |
| --file /tmp/verademo.war \ | |
| -jf results.json \ | |
| -fjf filtered_results.json | |
| continue-on-error: true | |
| - name: save standard results | |
| uses: actions/upload-artifact@v1 | |
| with: | |
| name: PipelineScanResults | |
| path: results.json | |
| - name: save filtered results | |
| uses: actions/upload-artifact@v1 | |
| with: | |
| name: filtered-results | |
| path: filtered_results.json | |
| import_flaws_job: | |
| runs-on: ubuntu-latest | |
| needs: pipeline-scan | |
| name: import flaws | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v2 | |
| - name: get flaw file | |
| uses: actions/download-artifact@v2 | |
| with: | |
| name: filtered-results | |
| - name: Flaw importer action step | |
| id: import | |
| uses: ./ | |
| with: | |
| scan-results-json: 'filtered_results.json' | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| source-base-path_1: "com/veracode:src/main/java/com/veracode" | |
| source-base-path_2: "WEB-INF:src/main/webapp/WEB-INF" | |
| commit-hash: ${{ GITHUB.SHA }} |