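---
# Reusable workflow: runs the Mend CLI dependency scan on the calling
# repository, gates the job on Critical/High findings, and publishes the
# result as a check run and a Slack message.
#
# NOTE(review): the checkout step below checks out the pull request's *head*
# repository and ref and the scan then runs against that tree while the job
# holds MEND_USER_KEY and SLACK_WEBHOOK in its environment. Callers must only
# invoke this workflow from triggers where that code is trusted (e.g.
# `pull_request`, never `pull_request_target`), otherwise a fork can run code
# next to those secrets.
name: Run Mend CLS Scan
on:
  workflow_call:
    secrets:
      MEND_EMAIL:
        description: Mend email
        required: true
      MEND_USER_KEY:
        description: Mend user key
        required: true
      SLACK_WEBHOOK:
        description: Slack Notifier Incoming Webhook
        required: true

jobs:
  mend-cli-scan:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: the job only reads the repository and
    # publishes a check run. A called workflow can only narrow the caller's
    # permissions, so the caller must grant at least `checks: write` too.
    permissions:
      contents: read
      checks: write
    steps:
      # Clone the repo (the PR head when the caller runs on a pull request
      # event; otherwise both values are empty and checkout uses its defaults).
      - name: Clone the repository
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          fetch-depth: 0

      # Setup JDK and cache and restore dependencies.
      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: '17'
          cache: 'gradle'

      # Setup Mend CLI. The key is static on purpose: the previous
      # `hashFiles('/usr/local/bin/mend')` term was evaluated before the file
      # existed and so always contributed an empty string, i.e. the key was
      # already effectively static.
      # NOTE(review): with a static key the cached binary is never refreshed
      # until the cache is evicted; the download URL below is unversioned, so
      # there is no version to put in the key. Bump the cache name (or add a
      # version variable) to force a re-download.
      - name: Download and cache the Mend CLI executable
        id: cache-mend
        uses: actions/cache@v3
        env:
          mend-cache-name: cache-mend-executable
        with:
          path: /usr/local/bin/mend
          key: ${{ runner.os }}-${{ env.mend-cache-name }}
          restore-keys: |
            ${{ runner.os }}-${{ env.mend-cache-name }}-

      # Download Mend CLI if it's not cached. `-f` makes curl fail on an HTTP
      # error instead of saving the error page as the "binary" and marking it
      # executable; the step is allowed to fail so a broken download surfaces
      # here rather than as "mend: command not found" in the scan step.
      - name: Download Mend CLI executable (cache miss...)
        if: ${{ steps.cache-mend.outputs.cache-hit != 'true' }}
        shell: bash
        run: |
          echo "Download Mend CLI executable (cache miss...)"
          # TODO(review): no checksum or signature is verified here; the job
          # trusts TLS to downloads.mend.io alone. Verify a vendor-published
          # digest if one is available.
          curl -fsSL https://downloads.mend.io/cli/linux_amd64/mend -o /usr/local/bin/mend
          chmod +x /usr/local/bin/mend

      # Execute the Mend CLI scan and export the pieces of the report that the
      # later steps need. Product/project names come in through the
      # environment instead of being spliced into the script with ${{ }}, so
      # their contents are never parsed as shell syntax.
      - name: Mend CLI Scan
        shell: bash
        env:
          MEND_EMAIL: ${{ secrets.MEND_EMAIL }}
          MEND_USER_KEY: ${{ secrets.MEND_USER_KEY }}
          MEND_URL: ${{ vars.MEND_SERVER_URL }}
          MEND_PRODUCT_NAME: ${{ vars.MEND_PRODUCT_NAME }}
          MEND_PROJECT_NAME: ${{ vars.MEND_PROJECT_NAME }}
        run: |
          # A non-zero exit from mend fails the step (bash runs with -e).
          mend dep --no-color -s "${MEND_PRODUCT_NAME}//${MEND_PROJECT_NAME}" -u > mend-scan-result.txt

          # `head -n 1` keeps each exported value on one line so $GITHUB_ENV
          # stays well-formed; `|| true` keeps a missing match (grep exit 1
          # under pipefail) from aborting the step.
          # The URL character class lists '-' last: the original `:-\#` was an
          # accidental range from ':' to '\' rather than the literal characters.
          scan_url="$(grep -Eo '(http|https)://[a-zA-Z0-9./?!=_%:#-]*' mend-scan-result.txt | head -n 1 || true)"
          summary="$(grep -Eoiw '(Detected [0-9]* vulnerabilities.*)' mend-scan-result.txt | head -n 1 || true)"
          # The bracket patterns are quoted so the shell cannot glob-expand them
          # against files in the workspace.
          critical="$(printf '%s\n' "$summary" | grep -oi '[0-9]* Critical' | grep -o '[0-9]*' || true)"
          high="$(printf '%s\n' "$summary" | grep -oi '[0-9]* High' | grep -o '[0-9]*' || true)"

          # NOTE(review): if the summary line is absent (e.g. the CLI changes
          # its output format) the counts default to 0 and the gate below
          # passes. Consider failing closed once the CLI's zero-finding output
          # has been confirmed.
          {
            echo "MEND_SCAN_URL=${scan_url}"
            echo "MEND_SCAN_SUMMARY=${summary}"
            echo "MEND_CRITICAL_COUNT=${critical:-0}"
            echo "MEND_HIGH_COUNT=${high:-0}"
          } >> "$GITHUB_ENV"

      # Check for failures and set the outcome of the workflow. The counts are
      # read as real environment variables (set via $GITHUB_ENV above), not
      # expanded with ${{ }} into the script, so report text cannot become
      # shell syntax here.
      - name: Parse the result and set job status
        if: always()
        shell: bash
        run: |
          critical="${MEND_CRITICAL_COUNT:-0}"
          high="${MEND_HIGH_COUNT:-0}"
          if [ "$critical" -gt 0 ] || [ "$high" -gt 0 ]; then
            echo "::error::Mend scan reported ${critical} Critical and ${high} High vulnerabilities"
            exit 1
          fi

      # Publish the result as a check run on the commit.
      # NOTE(review): the action reference on the next line appears garbled in
      # the source (it reads like a mangled "checks-action@<tag>"); restore the
      # intended reference and pin third-party actions to a full commit SHA.
      - name: Mend Scan Result
        uses: LouisBrunner/[email protected]
        if: always()
        with:
          name: "Mend Scan Result"
          token: ${{ secrets.GITHUB_TOKEN }}
          conclusion: ${{ job.status }}
          output_text_description_file: mend-scan-result.txt
          output: |
            {"title":"Mend Scan Result", "summary":"${{ job.status }}"}

      # Send slack notification with result status. The payload is JavaScript
      # evaluated by the action, so values are read from process.env rather
      # than expanded with ${{ }} into the template literal; that way report
      # text cannot inject into the evaluated code. MEND_SCAN_SUMMARY and
      # MEND_SCAN_URL are inherited from $GITHUB_ENV set by the scan step.
      - name: Send slack notification
        if: always()
        uses: 8398a7/action-slack@v3
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
          JOB_STATUS: ${{ job.status }}
        with:
          status: custom
          fields: all
          custom_payload: |
            {
              attachments: [{
                title: 'ForgeRock Android SDK Mend Scan',
                color: process.env.JOB_STATUS === 'success' ? 'good' : process.env.JOB_STATUS === 'failure' ? 'danger' : 'warning',
                text: `\nStatus: ${process.env.JOB_STATUS}\nWorkflow: ${process.env.AS_WORKFLOW} -> ${process.env.AS_JOB}\nSummary: ${process.env.MEND_SCAN_SUMMARY}\nScan URL: ${process.env.MEND_SCAN_URL}`,
              }]
            }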