-
Notifications
You must be signed in to change notification settings - Fork 15
/
Copy pathissues.yml
107 lines (93 loc) · 3.12 KB
/
issues.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# An example workflow using the NowSecure Issues action.
# This action is run each time a commit is pushed to the "main" branch,
# on pull requests or the workflow is manually triggered
#
# This workflow builds an Android application saving the output apk as
# an artifact in the "build" phase.
#
# In the "scan" phase the apk is uploaded to NowSecure, generating a
# report.
#
# In the "issues" phase the report is downloaded from NowSecure and
# issues are generated for findings that match the filter criteria
# (which can be overridden in .nsconfig.yml)
#
# In the CI/CD config:
# - Set the NS_TOKEN secret to a NowSecure Api token for your NowSecure user
# - Set the NS_GROUP_ID secret to the id of the group to which the
# application should be added.
name: "NowSecure"
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
branches: [main]
env:
# Name of the output file from the build stage without a path
# defined as a var since it's used more than once.
BUILD_OUTPUT_NAME: "app-insecure-debug.apk"
jobs:
# EXAMPLE: Build and upload an Android application to GH artifacts.
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Install Java
uses: actions/setup-java@v2
with:
java-version: "11"
distribution: "adopt"
cache: "gradle"
- name: Validate Gradle wrapper
uses: gradle/wrapper-validation-action@v1
- name: Build application
run: ./gradlew assembleDebug --stacktrace --no-daemon
- name: Upload application
uses: actions/upload-artifact@v2
with:
name: app
path: ./app/build/outputs/apk/insecure/debug/${{ env.BUILD_OUTPUT_NAME }}
retention-days: 3
# Scan the Android application with NowSecure.
scan:
runs-on: ubuntu-latest
outputs:
report_id: ${{ steps.upload.outputs.report_id }}
needs: build
steps:
- name: Checkout repository
uses: actions/checkout@v2
# NOTE: ripgrep is required for line-of-code identification.
- name: Install ripgrep
run: sudo apt-get install -y ripgrep
- name: Download application
uses: actions/download-artifact@v2
with:
name: app
- id: upload
name: NowSecure upload app
uses: nowsecure/nowsecure-action/upload-app@v3
with:
platform_token: ${{ secrets.NS_TOKEN }}
group_id: ${{ secrets.NS_GROUP_ID }}
app_file: ${{ env.BUILD_OUTPUT_NAME }}
issues:
needs: scan
if: ${{ needs.scan.outputs.report_id }}
runs-on: ubuntu-latest
permissions: write-all
steps:
- name: Checkout repository
uses: actions/checkout@v2
# create issues. Uses the defaults: create issues in the current
# repository and assign them to the repository owner
- id: createIssues
uses: nowsecure/nowsecure-action/create-issues@v3
timeout-minutes: 60
with:
report_id: ${{ needs.scan.outputs.report_id }}
platform_token: ${{ secrets.NS_TOKEN }}
config: "issues"