Skip to content

Updating themes and logging #24

Updating themes and logging

Updating themes and logging #24

Workflow file for this run

# Create GitHub Action Repository Variables for your version of the application:
# FOD_BASE_URL should be FoD BASE URL for your tenant (e.g. https://ams.fortify.com)
# FOD_API_URL should be FoD API URL for your tenant (e.g. https://api.ams,fortify.com)
# FOD_PARENT_RELEASE_NAME is the FoD release name corresponding to the parent branch of any newly created branch, this is typically "main" or "develop"
# Create GitHub Action Secrets for your version of the application:
# FOD_CLIENT_ID should be an API Key obtained from your FoD tenant.
# FOD_CLIENT_SECRET should be the secret for the API Key obtained for your FoD tenant.
# Helpful hints:
# API Key credentials can be obtained from your FoD tenant, under Administration -> Settings -> API
# It is recommended to create credentials with 'Security Lead' Role selected.
# "Automated Audit preference" should be configured for the release's Static Scan Settings.
name: DevSecOps with Fortify on Demand
on:
# Triggers the workflow on push or pull request events but only for the main or develop branches
push:
paths-ignore:
- '.github/**/**'
- 'bin/**'
- 'data/**'
- 'etc/**'
- 'tests/**'
- 'README.md'
- 'LICENSE'
branches:
- '**' # matches every branch
pull_request:
branches: [ main, develop ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
inputs:
runFoDSASTScan:
description: 'Carry out SAST scan using Fortify on Demand'
required: false
default: 'true'
runFoDDASTScan:
description: 'Carry out DAST scan using Fortify on Demand'
required: false
default: 'false'
deployApp:
description: 'Deploy App'
required: false
default: 'true'
# Global environment variables
env:
DEFAULT_APP_NAME: "FortifyDemoApp"
AZURE_WEBAPP_NAME: fortifydemoapp
PYTHON_VERSION: "3.12.3"
jobs:
Build-And-Unit-Test:
# The type of runner that the job will run on
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
- name: Create and start virtual environment
run: |
python -m venv venv
source venv/bin/activate
- name: Install dependencies
run: pip install -r requirements.txt
#- uses: pavelzw/pytest-action@v2
# with:
# emoji: true
# verbose: true
# job-summary: true
# Publish test results
#- name: Publish Test Results
# uses: EnricoMi/publish-unit-test-result-action@v2
# if: always()
# with:
# files: |
# build/test-results/**/*.xml
# build/test-results/**/*.trx
# build/test-results/**/*.json
- name: Upload artifact for deployment jobs
uses: actions/upload-artifact@v3
with:
name: python-app
path: |
.
!venv/
Quality-Gate:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Build-And-Unit-Test ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# TBD
FoD-SAST-Scan:
runs-on: ubuntu-latest
if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runFoDSASTScan == 'true') }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
- name: Fortify App and Release Name
id: fortify-app-and-rel-name
uses: fortify-presales/github-actions/fortify-app-and-release-name@main
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: ${{ github.ref_name }}
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
# Uncomment below to debug FoD App/Release names
#- name: Print App and Release Name
# shell: bash
# run: |
# echo "FoD App Name: ${FOD_APP_NAME}"
# echo "FoD Release Name: ${FOD_RELEASE_NAME}"
# env:
# FOD_APP_NAME: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
# FOD_RELEASE_NAME: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
- name: Python FoD SAST scan
id: python-fod-sast-scan
uses: fortify-presales/github-actions/python-fod-sast-scan@main
with:
fod_url: ${{ vars.FOD_URL }}
fod_api_url: ${{ vars.FOD_API_URL }}
fod_client_id: ${{ secrets.FOD_CLIENT_ID }}
fod_client_secret: ${{ secrets.FOD_CLIENT_SECRET }}
fod_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
fod_release_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
fod_parent_release_name: ${{ steps.fortify-app-and-rel-name.outputs.parent_release_name }}
Deploy-App:
permissions:
contents: none
runs-on: ubuntu-latest
needs: [ Build-And-Unit-Test, FoD-SAST-Scan ]
environment:
name: 'Development'
url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
if: ${{ success() && github.ref_name == github.event.repository.default_branch }}
steps:
- name: Download artifact from build job
uses: actions/download-artifact@v3
with:
name: python-app
path: .
- name: 'Deploy to Azure Web App'
id: deploy-to-webapp
uses: azure/webapps-deploy@v2
with:
app-name: ${{ env.AZURE_WEBAPP_NAME }}
publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
Functional-Test:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Deploy-App ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# TBD
FoD-DAST-Scan:
runs-on: ubuntu-latest
if: ${{ success() && github.ref_name == github.event.repository.default_branch }}
needs: [ Deploy-App ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
- name: Fortify App and Release Name
id: fortify-app-and-rel-name
uses: fortify-presales/github-actions/fortify-app-and-release-name@main
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: ${{ github.ref_name }}
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
- name: FoD DAST scan
id: fod-dast-scan
uses: fortify-presales/github-actions/fod-dast-scan@main
with:
working_directory: ${{ env.BASE_DIR }}
fod_url: ${{ vars.FOD_URL }}
fod_api_url: ${{ vars.FOD_API_URL }}
fod_client_id: ${{ secrets.FOD_CLIENT_ID }}
fod_client_secret: ${{ secrets.FOD_CLIENT_SECRET }}
fod_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
fod_release_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
# fod_release_name: ${{ format('{0}#{1}', steps.fortify-app-and-rel-name.outputs.release_name, github.run_number) }}
fod_parent_release_name: ${{ steps.fortify-app-and-rel-name.outputs.parent_release_name }}
# fod_parent_release_name: "dast-web-base"
Security-Gate:
runs-on: ubuntu-latest
if: ${{ always() }}
needs: [ Functional-Test, FoD-DAST-Scan ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
- name: Fortify App and Release Name
id: fortify-app-and-rel-name
uses: fortify-presales/github-actions/fortify-app-and-release-name@main
with:
default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
default_fortify_release_name: ${{ github.ref_name }}
app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
- name: Verify FoD Security Policy
uses: fortify-presales/github-actions/verify-fod-security-policy@main
with:
fod_api_url: ${{ vars.FOD_API_URL }}
fod_client_id: ${{ secrets.FOD_CLIENT_ID }}
fod_client_secret: ${{ secrets.FOD_CLIENT_SECRET }}
fod_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
fod_release_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
Release-To-Prod:
runs-on: ubuntu-latest
needs: [ Quality-Gate, Security-Gate ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
# TBD