-
Notifications
You must be signed in to change notification settings - Fork 15
/
Copy pathbasic.yml
100 lines (85 loc) · 2.81 KB
/
basic.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
# An example workflow using the NowSecure action that builds an Android application
# in the "build" phase and then runs it against NowSecure in the "scan" phase.
# This action is run each time a commit is pushed to the "main" branch.
name: "NowSecure"
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
branches: [main]
jobs:
# EXAMPLE: Build and upload an Android application to GH artifacts.
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Install Java
uses: actions/setup-java@v2
with:
java-version: "11"
distribution: "adopt"
cache: "gradle"
- name: Validate Gradle wrapper
uses: gradle/wrapper-validation-action@v1
- name: Build application
run: ./gradlew assembleDebug --stacktrace --no-daemon
- name: Upload application
uses: actions/upload-artifact@v2
with:
name: app
path: ./app/build/outputs/apk/insecure/debug/app-insecure-debug.apk
retention-days: 3
# Scan the Android application with NowSecure.
scan:
runs-on: ubuntu-latest
outputs:
report_id: ${{ steps.upload.outputs.report_id }}
needs: build
steps:
- name: Checkout repository
uses: actions/checkout@v2
# NOTE: ripgrep is required for line-of-code identification.
- name: Install ripgrep
run: sudo apt-get install -y ripgrep
- name: Download application
uses: actions/download-artifact@v2
with:
name: app
- id: upload
name: NowSecure upload app
uses: nowsecure/nowsecure-action/upload-app@v3
with:
platform_token: ${{ secrets.NS_TOKEN }}
app_file: app-insecure-debug.apk
# TODO: Replace the Group ID.
group_id: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
# Pulls the NowSecure report, converts it to SARIF and uploads it.
process:
if: ${{ needs.scan.outputs.report_id }}
runs-on: ubuntu-latest
environment:
name: nowsecure-env
needs: scan
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: NowSecure download report
uses: nowsecure/nowsecure-action/convert-sarif@v3
timeout-minutes: 60
with:
report_id: ${{ needs.scan.outputs.report_id }}
platform_token: ${{ secrets.NS_TOKEN }}
# TODO: Replace the Group ID.
group_id: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: NowSecure.sarif
- name: Upload SARIF to artifacts
uses: actions/upload-artifact@v2
with:
name: NowSecure.sarif
path: ./NowSecure.sarif