@@ -10,22 +10,16 @@ jobs:
1010 security-events : write
1111 steps :
1212 - uses : actions/checkout@v4
13- with :
14- fetch-depth : 0 # required for differential scanning
1513
1614 - uses : fluidattacks/sast-action@main
1715 id : scan
1816 with :
1917 scan_config_path : .github/.fluidattacks.yaml
20- scanner_mode : diff
18+ scanner_mode : full
2119
22- - name : Upload SAST results
23- if : always()
24- uses : actions/upload-artifact@v4
25- with :
26- name : sast-results
27- path : fluidattacks-results.sarif
28- if-no-files-found : warn
20+ - name : Fail if vulnerabilities found
21+ if : steps.scan.outputs.vulnerabilities_found == 'true'
22+ run : exit 1
2923
3024 sca-scan :
3125 runs-on : ubuntu-latest
4034 scan_config_path : .github/.fluidattacks.yaml
4135 scanner_mode : full
4236
43- - name : Upload SCA results
44- if : always()
45- uses : actions/upload-artifact@v4
46- with :
47- name : sca-results
48- path : fluidattacks-results.sarif
49- if-no-files-found : warn
37+ - name : Fail if vulnerabilities found
38+ if : steps.scan.outputs.vulnerabilities_found == 'true'
39+ run : exit 1
5040
5141 dast-scan :
5242 runs-on : ubuntu-latest
7464 with :
7565 scan_config_path : .github/.fluidattacks.yaml
7666
77- ci-gate :
78- runs-on : ubuntu-latest
79- steps :
80- - uses : fluidattacks/ci-gate-action@main
81- with :
82- api_token : ${{ secrets.FA_API_TOKEN }}
83- strict : false
84- report_output_path : ci-gate-report.json
85-
86- - name : Upload CI gate report
87- if : always()
88- uses : actions/upload-artifact@v4
89- with :
90- name : ci-gate-report
91- path : ci-gate-report.json
92- if-no-files-found : warn
93-
94- compare :
95- needs : [sast, sca-scan, ci-gate]
96- if : ' !cancelled()'
97- runs-on : ubuntu-latest
98- steps :
99- - uses : actions/checkout@v4
100-
101- - uses : actions/download-artifact@v4
102- continue-on-error : true
103- with :
104- name : sast-results
105- path : artifacts/sast
106-
107- - uses : actions/download-artifact@v4
108- continue-on-error : true
109- with :
110- name : sca-results
111- path : artifacts/sca
112-
113- - uses : actions/download-artifact@v4
114- continue-on-error : true
115- with :
116- name : ci-gate-report
117- path : artifacts/ci-gate
118-
119- - name : Compare findings against platform
120- run : |
121- sast_result=0
122- sca_result=0
123-
124- echo "--- SAST ---"
125- python3 .github/scripts/compare-findings.py \
126- --technique SAST \
127- artifacts/sast/fluidattacks-results.sarif \
128- artifacts/ci-gate/ci-gate-report.json || sast_result=$?
129-
130- echo "--- SCA ---"
131- python3 .github/scripts/compare-findings.py \
132- --technique SCA \
133- artifacts/sca/fluidattacks-results.sarif \
134- artifacts/ci-gate/ci-gate-report.json || sca_result=$?
135-
136- exit $((sast_result | sca_result))
67+ - name : Fail if vulnerabilities found
68+ if : steps.scan.outputs.vulnerabilities_found == 'true'
69+ run : exit 1
0 commit comments