From 76346192a1ffce56c2c262229917cf30cb2f0370 Mon Sep 17 00:00:00 2001
From: dearchap
Date: Tue, 20 Jun 2023 09:39:00 -0400
Subject: [PATCH] Update frogbot-scan-pr.yml
---
 .github/workflows/frogbot-scan-pr.yml | 87 +++++++++++++++++----------
 1 file changed, 55 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/frogbot-scan-pr.yml b/.github/workflows/frogbot-scan-pr.yml
index 277c050536..02d68ebc45 100644
--- a/.github/workflows/frogbot-scan-pr.yml
+++ b/.github/workflows/frogbot-scan-pr.yml
@@ -1,18 +1,7 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-# Frogbot Scan Pull Request does the following:
-# Automatically scans new pull requests for security vulnerabilities.
-# Uses JFrog Xray to scan the project.
-# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
-
-# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
-
 name: "Frogbot Scan Pull Request"
 on:
   pull_request_target:
-    types: [ opened, synchronize ]
+    types: [opened, synchronize]
 permissions:
   pull-requests: write
   contents: read
@@ -21,31 +10,20 @@ jobs: runs-on: ubuntu-latest # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the # "frogbot" GitHub environment can approve the pull request to be scanned. - # Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md environment: frogbot steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} - + + # Install prerequisites - name: Setup Go uses: actions/setup-go@v3 with: - go-version: 1.20.x + go-version: 1.20.x - # IMPORTANT: - # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix - # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - - uses: jfrog/frogbot@3395426f351556d4568e30a6dfd2909dbedae99e + - uses: jfrog/frogbot@v2 env: - # [Mandatory if the two conditions below are met] - # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies - # 2. The `installCommand` variable isn't set in your frogbot-config.yml file. - # - # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore") - # JF_INSTALL_DEPS_CMD: "" - # [Mandatory] # JFrog platform URL JF_URL: ${{ secrets.JF_URL }} 
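Review bot: `- uses: jfrog/frogbot@v2` replaces the commit pin `3395426f351556d4568e30a6dfd2909dbedae99e` with a mutable major tag, so this `pull_request_target` job, which checks out the PR head via `ref: ${{ github.event.pull_request.head.sha }}` and passes the action `JF_URL` (and presumably the remaining `JF_*` credentials in the part of the `env:` block outside this hunk), now executes whatever code the tag resolves to at run time. If tracking v2 is the goal, pin the full commit SHA of the current v2 release and keep the tag as a trailing comment, `- uses: jfrog/frogbot@<FULL_COMMIT_SHA_OF_V2_RELEASE> # v2`, and let dependency automation bump the pin; `actions/checkout@v3` and `actions/setup-go@v3` would benefit from the same treatment. The deleted "Read more here (Install Frogbot Using GitHub Actions)" line was the only pointer explaining the approval gate behind `environment: frogbot`, which the remaining comment describes as the condition for scanning a PR; keeping that link next to the `environment:` key would preserve the rationale for the one control between untrusted PR code and these secrets.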
@@ -66,14 +44,59 @@ jobs: # The GitHub token automatically generated for the job JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # [Optional, default: https://api.github.com] + # API endpoint to GitHub + # JF_GIT_API_ENDPOINT: https://github.example.com + # [Optional] - # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository - # in Artifactory, which proxies https://releases.jfrog.io/artifactory + # If the machine that runs Frogbot has no access to the internet, set the name of a remote repository + # in Artifactory, which proxies https://releases.jfrog.io # The 'frogbot' executable and other tools it needs will be downloaded through this repository. # JF_RELEASES_REPO: "" + + + ########################################################################## + ## If your project uses a 'frogbot-config.yml' file, you can define ## + ## the following variables inside the file, instead of here. ## + ########################################################################## + + # [Optional, default: "."] + # Relative path to the root of the project in the Git repository + # JF_WORKING_DIR: path/to/project/dir + # [Optional] - # Frogbot will download the project dependencies, if they're not cached locally. To download the - # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no + # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches + # JF_WATCHES: ,... + + # [Optional] + # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects + # JF_PROJECT: + + # [Optional, default: "FALSE"] + # Displays all existing vulnerabilities, including the ones that were added by the pull request. + # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE" + + # [Optional, default: "TRUE"] + # Fails the Frogbot task if any security issue is found. 
+ # JF_FAIL: "FALSE" + + # [Optional] + # Frogbot will download the project dependencies if they're not cached locally. To download the + # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no # need to set this value, if it is set in the frogbot-config.yml file. # JF_DEPS_REPO: "" + + # [Optional, Default: "FALSE"] + # If TRUE, Frogbot creates a single pull request with all the fixes. + # If FALSE, Frogbot creates a separate pull request for each fix. + # JF_GIT_AGGREGATE_FIXES: "FALSE" + + # [Optional, Default: "FALSE"] + # Handle vulnerabilities with fix versions only + # JF_FIXABLE_ONLY: "TRUE" + + # [Optional] + # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests + # The following values are accepted: Low, Medium, High or Critical + # JF_MIN_SEVERITY: ""
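Review bot: The new option blocks mix `[Optional, default: ...]` and `[Optional, Default: ...]` (`JF_GIT_AGGREGATE_FIXES`, `JF_FIXABLE_ONLY`), and two examples appear to have lost their placeholder values: `# JF_WATCHES: ,...` and `# JF_PROJECT:` show nothing after the colon, so a reader uncommenting them copies an empty setting. Suggest `# JF_WATCHES: <watch-name-1>,<watch-name-2>,...` and `# JF_PROJECT: <project-key>` (constructed placeholders), and lowercase `default:` throughout. Since `JF_FAIL` is documented as defaulting to `"TRUE"` (fail the task on any security issue) while `JF_MIN_SEVERITY` sets a threshold for what is "fixed and commented on", the hunk leaves unstated whether the severity threshold also affects when the task fails; a one-line comment under `JF_MIN_SEVERITY` clarifying that relationship would help, because those two values together decide whether a PR is blocked.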