Skip to content

Commit cbcf261

Browse files
committed
essentials-examples\feat(back): #1 adapt workflow
- simplify flow of actions - testing if job fails under certain scenarios
1 parent fa7faa0 commit cbcf261

2 files changed

Lines changed: 13 additions & 78 deletions

File tree

.github/.fluidattacks.yaml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,5 +15,7 @@ sast:
1515
include:
1616
- .
1717
dast:
18+
strict_connectivity: True
1819
urls:
19-
- url: https://www.fluidattacks.com
20+
- url: https://www.fluidattacks.com
21+
- url: https://www.unreachableenvironment.co

.github/workflows/dev.yml

Lines changed: 10 additions & 77 deletions
Original file line numberDiff line numberDiff line change
@@ -10,22 +10,16 @@ jobs:
1010
security-events: write
1111
steps:
1212
- uses: actions/checkout@v4
13-
with:
14-
fetch-depth: 0 # required for differential scanning
1513

1614
- uses: fluidattacks/sast-action@main
1715
id: scan
1816
with:
1917
scan_config_path: .github/.fluidattacks.yaml
20-
scanner_mode: diff
18+
scanner_mode: full
2119

22-
- name: Upload SAST results
23-
if: always()
24-
uses: actions/upload-artifact@v4
25-
with:
26-
name: sast-results
27-
path: fluidattacks-results.sarif
28-
if-no-files-found: warn
20+
- name: Fail if vulnerabilities found
21+
if: steps.scan.outputs.vulnerabilities_found == 'true'
22+
run: exit 1
2923

3024
sca-scan:
3125
runs-on: ubuntu-latest
@@ -40,13 +34,9 @@ jobs:
4034
scan_config_path: .github/.fluidattacks.yaml
4135
scanner_mode: full
4236

43-
- name: Upload SCA results
44-
if: always()
45-
uses: actions/upload-artifact@v4
46-
with:
47-
name: sca-results
48-
path: fluidattacks-results.sarif
49-
if-no-files-found: warn
37+
- name: Fail if vulnerabilities found
38+
if: steps.scan.outputs.vulnerabilities_found == 'true'
39+
run: exit 1
5040

5141
dast-scan:
5242
runs-on: ubuntu-latest
@@ -74,63 +64,6 @@ jobs:
7464
with:
7565
scan_config_path: .github/.fluidattacks.yaml
7666

77-
ci-gate:
78-
runs-on: ubuntu-latest
79-
steps:
80-
- uses: fluidattacks/ci-gate-action@main
81-
with:
82-
api_token: ${{ secrets.FA_API_TOKEN }}
83-
strict: false
84-
report_output_path: ci-gate-report.json
85-
86-
- name: Upload CI gate report
87-
if: always()
88-
uses: actions/upload-artifact@v4
89-
with:
90-
name: ci-gate-report
91-
path: ci-gate-report.json
92-
if-no-files-found: warn
93-
94-
compare:
95-
needs: [sast, sca-scan, ci-gate]
96-
if: '!cancelled()'
97-
runs-on: ubuntu-latest
98-
steps:
99-
- uses: actions/checkout@v4
100-
101-
- uses: actions/download-artifact@v4
102-
continue-on-error: true
103-
with:
104-
name: sast-results
105-
path: artifacts/sast
106-
107-
- uses: actions/download-artifact@v4
108-
continue-on-error: true
109-
with:
110-
name: sca-results
111-
path: artifacts/sca
112-
113-
- uses: actions/download-artifact@v4
114-
continue-on-error: true
115-
with:
116-
name: ci-gate-report
117-
path: artifacts/ci-gate
118-
119-
- name: Compare findings against platform
120-
run: |
121-
sast_result=0
122-
sca_result=0
123-
124-
echo "--- SAST ---"
125-
python3 .github/scripts/compare-findings.py \
126-
--technique SAST \
127-
artifacts/sast/fluidattacks-results.sarif \
128-
artifacts/ci-gate/ci-gate-report.json || sast_result=$?
129-
130-
echo "--- SCA ---"
131-
python3 .github/scripts/compare-findings.py \
132-
--technique SCA \
133-
artifacts/sca/fluidattacks-results.sarif \
134-
artifacts/ci-gate/ci-gate-report.json || sca_result=$?
135-
136-
exit $((sast_result | sca_result))
67+
- name: Fail if vulnerabilities found
68+
if: steps.scan.outputs.vulnerabilities_found == 'true'
69+
run: exit 1

0 commit comments

Comments
 (0)