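---
# GitHub Actions workflow: run the Contrast Security local SAST scanner on the
# repository and publish the result as a check run on the commit.
name: Contrast Security Local Scanner

on:
  push:
    branches: [ "main" ]
  # NOTE(review): GitHub does not pass repository secrets to `pull_request`
  # runs triggered from forked repositories, so the Contrast credentials below
  # are empty on fork PRs and the scan step will fail there. Confirm that is
  # acceptable for this repository (it is itself a fork).
  pull_request:
    branches: [ "main" ]

# Workflow-wide default: least privilege. A job inherits this unless it
# declares its own `permissions:` block.
permissions:
  contents: read
  checks: write

jobs:
  scan:
    # Keep the job on the same minimal set as the workflow default. The
    # original `write-all` here silently overrode the top-level block and
    # handed the scanner's GITHUB_TOKEN write access to every scope
    # (contents, packages, id-token, ...) when it only needs to read the repo
    # and create a check run.
    permissions:
      contents: read
      checks: write
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): prefer pinning these two first-party actions to a full
      # commit SHA as well (e.g. `actions/checkout@<sha> # v3`) so a moved or
      # re-pointed tag cannot change what runs with the job token.
      - uses: actions/checkout@v3

      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: maven

      # Single scan step. The original file split this into a `name`-only
      # list item (invalid: a step needs `uses` or `run`), a second, redundant
      # checkout, and an unnamed `uses` item.
      #
      # Pinned to the commit that the v1.0.1 tag pointed at when this workflow
      # was written, so a retagged release cannot silently swap the code that
      # receives the Contrast API credentials below.
      - name: Contrast Local Scan
        uses: Contrast-Security-OSS/contrast-local-scan-action@d0f76824acab3dac8539c5730d9e1ec3cf77293a # v1.0.1
        with:
          # URL of your Contrast instance; defaults to https://app.contrastsecurity.com/
          apiUrl: https://eval.contrastsecurity.com/
          # User name for authentication
          apiUserName: ${{ secrets.CONTRAST__API__USER_NAME }}
          # API Key from user settings
          apiKey: ${{ secrets.CONTRAST__API__API_KEY }}
          # Service Key from user settings
          apiServiceKey: ${{ secrets.CONTRAST__API__SERVICE_KEY }}
          # Organization ID from user settings
          apiOrgId: ${{ secrets.CONTRAST__API__ORGANIZATION_ID }}
          # If set, checks will be added to the current commit based on any
          # vulnerabilities found. Requires the 'checks: write' permission
          # (granted at the job level above).
          checks: true
          # Set this to true to include code quality rules when executing the
          # source code scanner.
          codeQuality: false
          # Set this to true or false to explicitly override the default
          # branching behaviour in scan, whereby scan results not on the
          # default GitHub branch are not saved against the main project.
          #defaultBranch: # optional
          # Label to associate with the current scan. Defaults to the current
          # ref, e.g. refs/heads/main
          #label: # optional
          # Memory setting passed to the underlying scan engine. Defaults to 8g
          #memory: # optional
          # Path to scan with the local scanner. Defaults to the current
          # repository path.
          #path: # optional
          # Project to associate the scan with. Defaults to the current GitHub
          # repository name, e.g. Example-ORG/example-repo
          #projectName: # optional
          # Resource group to assign newly created projects to.
          #resourceGroup: # optional
          # Used in conjunction with severity or checks: set this value to fail
          # the build based on aggregated project vulnerabilities or on the
          # scan level. Valid values are "project" or "scan". Defaults to
          # "project".
          #strategy: # optional, default is project
          # Fail the build if vulnerabilities are found at this severity or
          # higher. Valid values are CRITICAL, HIGH, MEDIUM, LOW, NOTE.
          severity: HIGH
          # Execution timeout (in seconds) passed to the underlying scan
          # engine. Defaults to 60 minutes.
          #timeout: # optional
          # GitHub token for GitHub API requests. Defaults to GITHUB_TOKEN.
          #token: # default is ${{ github.token }}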