AutoFix PR #10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow integrates Qwiet preZero with GitHub | |
| # Visit https://docs.shiftleft.io for help | |
| name: Qwiet | |
| on: | |
| pull_request: | |
| workflow_dispatch: | |
| push: | |
| # We recommend triggering a scan when merging to your default branch | |
| # as a best practice, especially if you'd like to compare the results | |
| # of two scans (e.g., a feature branch against the default branch) | |
| branches: | |
| - main | |
| - master | |
| permissions: | |
| security-events: write # Ensure proper permissions to upload SARIF results | |
| id-token: write | |
| contents: read | |
| jobs: | |
| ngsast-build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - name: Download the Qwiet CLI and set permissions | |
| run: | | |
| curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl | |
| # Qwiet requires Java 1.8 | |
| - name: Set up Java | |
| uses: actions/[email protected] | |
| with: | |
| java-version: 1.8 | |
| - name: Package with Maven | |
| run: mvn clean package | |
| - name: NextGen Static Analysis | |
| run: ${GITHUB_WORKSPACE}/sl analyze --app qwiet-java-demo-github --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --verbose --strict --wait | |
| env: | |
| SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} | |
| SHIFTLEFT_API_HOST: www.shiftleft.io | |
| SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 | |
| SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 | |
| - name: Download export.py and requirements.txt | |
| run: | | |
| curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/export.py | |
| curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/config.py | |
| curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/common.py | |
| curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/requirements.txt | |
| - name: Install Python dependencies | |
| run: | | |
| python3 -m pip install --upgrade pip | |
| python3 -m pip install -r requirements.txt | |
| - name: Run export.py and generate SARIF report | |
| run: | | |
| APP_NAME=${{ github.event.repository.name }}-github | |
| python3 export.py -f sarif -a $APP_NAME | |
| env: | |
| SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} | |
| - name: Upload SARIF file to GitHub Security Tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ./ngsast-report-${{ github.event.repository.name }}-github.sarif # Correct dynamic path for SARIF output |