ACS-6931 Re-enable Veracode SAST Scan (#2690)

ACS-6931 Re-enable Veracode SAST Scan
2025-07-24 17:32:48 +00:00 · 2024-06-19 11:51:40 +02:00
parent 08e49c98dd
commit b73b8df892
1 changed files with 50 additions and 52 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -74,58 +74,56 @@ jobs:
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh
-#  SEE: ACS-6931 Currently times out after an hour. TO BE RESTORED after resolving the issue with Veracode Support.
+  veracode_sast:
-#
+    name: "Pipeline SAST Scan"
-#  veracode_sast:
+    runs-on: ubuntu-latest
-#    name: "Pipeline SAST Scan"
+    needs: [prepare]
-#    runs-on: ubuntu-latest
+    if: >
-#    needs: [prepare]
+      (github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'pull_request') &&
-#    if: >
+      github.actor != 'dependabot[bot]' &&
-#      (github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'pull_request') &&
+      !contains(github.event.head_commit.message, '[skip tests]') &&
-#      github.actor != 'dependabot[bot]' &&
+      !contains(github.event.head_commit.message, '[force')
-#      !contains(github.event.head_commit.message, '[skip tests]') &&
+    steps:
-#      !contains(github.event.head_commit.message, '[force')
+      - uses: actions/checkout@v4
-#    steps:
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.35.2
-#      - uses: actions/checkout@v4
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v1.35.2
-#      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.35.2
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v1.35.2
-#      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v1.35.2
+      - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v5.6.0
-#      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v1.35.2
+        with:
-#      - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v5.6.0
+          token: ${{ secrets.BOT_GITHUB_TOKEN }}
-#        with:
+          repository: "Alfresco/veracode-baseline-archive"
-#          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          file-path: "alfresco-community-repo/alfresco-community-repo-baseline.json"
-#          repository: "Alfresco/veracode-baseline-archive"
+          target: "baseline.json"
-#          file-path: "alfresco-community-repo/alfresco-community-repo-baseline.json"
+      - name: "Build"
-#          target: "baseline.json"
+        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
-#      - name: "Build"
+        run: |
-#        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
+          bash ./scripts/ci/init.sh
-#        run: |
+          bash ./scripts/ci/build.sh
-#          bash ./scripts/ci/init.sh
+      - name: "Run SAST Scan"
-#          bash ./scripts/ci/build.sh
+        uses: veracode/Veracode-pipeline-scan-action@v1.0.16
-#      - name: "Run SAST Scan"
+        with:
-#        uses: veracode/Veracode-pipeline-scan-action@v1.0.10
+          vid: ${{ secrets.VERACODE_API_ID }}
-#        with:
+          vkey: ${{ secrets.VERACODE_API_KEY }}
-#          vid: ${{ secrets.VERACODE_API_ID }}
+          file: "packaging/war/target/alfresco.war"
-#          vkey: ${{ secrets.VERACODE_API_KEY }}
+          fail_build: true
-#          file: "packaging/war/target/alfresco.war"
+          project_name: alfresco-community-repo
-#          fail_build: true
+          issue_details: true
-#          project_name: alfresco-community-repo
+          veracode_policy_name: Alfresco Default
-#          issue_details: true
+          summary_output: true
-#          veracode_policy_name: Alfresco Default
+          summary_output_file: results.json
-#          summary_output: true
+          summary_display: true
-#          summary_output_file: results.json
+          baseline_file: baseline.json
-#          summary_display: true
+      - name: Upload scan result
-#          baseline_file: baseline.json
+        if: success() || failure()
-#      - name: Upload scan result
+        run: zip readable_output.zip results.json
-#        if: success() || failure()
+      - name: Upload Artifact
-#        run: zip readable_output.zip results.json
+        if: success() || failure()
-#      - name: Upload Artifact
+        uses: actions/upload-artifact@v3
-#        if: success() || failure()
+        with:
-#        uses: actions/upload-artifact@v3
+          name: Veracode Pipeline-Scan Results (Human Readable)
-#        with:
+          path: readable_output.zip
-#          name: Veracode Pipeline-Scan Results (Human Readable)
+      - name: "Clean Maven cache"
-#          path: readable_output.zip
+        run: bash ./scripts/ci/cleanup_cache.sh
 #      - name: "Clean Maven cache"
 #        run: bash ./scripts/ci/cleanup_cache.sh
  pmd_scan:
    name: "PMD Scan"