sap-jenkins-library/resources/metadata/credentialdiggerScan.yaml

metadata:
  name: credentialdiggerScan
  description: Scan a repository on GitHub with Credential Digger
  longDescription: |
    This step allows you to scan a repository on Github using Credential Digger.

    It can for example be used for DevSecOps scenarios to verify the source code does not contain hard-coded credentials before being merged or released for production.
    It supports several scan flavors, i.e., full scans of a repo, scan of a snapshot, or scan of a pull request.
spec:
  inputs:
    secrets:
      - name: githubTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
        type: jenkins
    params:
      - name: repository
        aliases:
          - name: githubRepo
        description: URL of the GitHub repository (was name, but we need the url). In case it's missing, use the URL of the current repository.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        mandatory: false
      - name: snapshot
        description: If set, scan the snapshot of the repository at this commit_id/branch.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        mandatory: false
      - name: prNumber
        description: If set, scan the pull request open with this number.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: int
        mandatory: false
      - name: exportAll
        type: bool
        description: Export all the findings, i.e., including non-leaks.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: apiUrl
        aliases:
          - name: githubApiUrl
        description: Set the GitHub API url. Needed for scanning a pull request.
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        default: https://api.github.com
        mandatory: true
      - name: debug
        aliases:
          - name: verbose
        description: Execute the scans in debug mode (i.e., print logs).
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: bool
        default: false
      - name: rulesDownloadUrl
        type: string
        description: URL where to download custom rules. The file published at this URL must be formatted as the default ruleset https://raw.githubusercontent.com/SAP/credential-digger/main/ui/backend/rules.yml
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        mandatory: false
      - name: models
        description: Machine learning models to automatically verify the findings.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: "[]string"
      - name: token
        aliases:
          - name: githubToken
          - name: access_token
        description: GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        mandatory: true
        secret: true
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      - name: rulesFile
        type: string
        description: Name of the rules file used locally within the step. If a remote files for rules is declared as `rulesDownloadUrl`, the stashed file is ignored. If you change the file's name make sure your stashing configuration also reflects this.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: inputs/rules.yml
  outputs:
    resources:
      - name: report
        type: report
        params:
          - filePattern: "**/report*.csv"
            type: credentialdigger-report
  containers:
    - image: "credentialdigger.int.repositories.cloud.sap/credential_digger:4.9.2"
Add credentialdiggerScan step (#4141) * Add credentialdiggerScan metadata * Integrate new step into piper process * Add credentialdiggerScan implementation and tests * Remove duplicated code * Add doc file for credentialdiggerScan step * Regenerate metadata * Fix return type in tests * Add credentialdiggerScan to CommonStepsTest * Fix typo * Improve code style * Add support for custom rules file in stash * Regenerate metadata for credentialdiggerScan --------- Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com> Co-authored-by: Anil Keshav <anil.keshav@sap.com> 2023-04-04 16:57:15 +02:00			`metadata:`
			`name: credentialdiggerScan`
			`description: Scan a repository on GitHub with Credential Digger`
			`longDescription: \|`
			`This step allows you to scan a repository on Github using Credential Digger.`

			`It can for example be used for DevSecOps scenarios to verify the source code does not contain hard-coded credentials before being merged or released for production.`
			`It supports several scan flavors, i.e., full scans of a repo, scan of a snapshot, or scan of a pull request.`
			`spec:`
			`inputs:`
			`secrets:`
			`- name: githubTokenCredentialsId`
			`description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.`
			`type: jenkins`
			`params:`
			`- name: repository`
			`aliases:`
			`- name: githubRepo`
			`description: URL of the GitHub repository (was name, but we need the url). In case it's missing, use the URL of the current repository.`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`type: string`
			`mandatory: false`
			`- name: snapshot`
			`description: If set, scan the snapshot of the repository at this commit_id/branch.`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`type: string`
			`mandatory: false`
			`- name: prNumber`
			`description: If set, scan the pull request open with this number.`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`type: int`
			`mandatory: false`
			`- name: exportAll`
			`type: bool`
			`description: Export all the findings, i.e., including non-leaks.`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`default: false`
			`- name: apiUrl`
			`aliases:`
			`- name: githubApiUrl`
			`description: Set the GitHub API url. Needed for scanning a pull request.`
			`scope:`
			`- GENERAL`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`type: string`
			`default: https://api.github.com`
			`mandatory: true`
			`- name: debug`
			`aliases:`
			`- name: verbose`
			`description: Execute the scans in debug mode (i.e., print logs).`
			`scope:`
			`- GENERAL`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`type: bool`
			`default: false`
			`- name: rulesDownloadUrl`
			`type: string`
			`description: URL where to download custom rules. The file published at this URL must be formatted as the default ruleset https://raw.githubusercontent.com/SAP/credential-digger/main/ui/backend/rules.yml`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`mandatory: false`
			`- name: models`
			`description: Machine learning models to automatically verify the findings.`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`type: "[]string"`
			`- name: token`
			`aliases:`
			`- name: githubToken`
			`- name: access_token`
			`description: GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line`
			`scope:`
			`- GENERAL`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`type: string`
			`mandatory: true`
			`secret: true`
			`resourceRef:`
			`- name: githubTokenCredentialsId`
			`type: secret`
			`- type: vaultSecret`
			`default: github`
			`name: githubVaultSecretName`
			`- name: rulesFile`
			`type: string`
			description: Name of the rules file used locally within the step. If a remote files for rules is declared as `rulesDownloadUrl`, the stashed file is ignored. If you change the file's name make sure your stashing configuration also reflects this.
			`mandatory: false`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`default: inputs/rules.yml`
			`outputs:`
			`resources:`
			`- name: report`
			`type: report`
			`params:`
			`- filePattern: "*/report.csv"`
			`type: credentialdigger-report`
			`containers:`
			`- image: "credentialdigger.int.repositories.cloud.sap/credential_digger:4.9.2"`