mirror of
https://github.com/SAP/jenkins-library.git
synced 2025-01-18 05:18:24 +02:00
6b18448124
* Add credentialdiggerScan metadata * Integrate new step into piper process * Add credentialdiggerScan implementation and tests * Remove duplicated code * Add doc file for credentialdiggerScan step * Regenerate metadata * Fix return type in tests * Add credentialdiggerScan to CommonStepsTest * Fix typo * Improve code style * Add support for custom rules file in stash * Regenerate metadata for credentialdiggerScan --------- Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com> Co-authored-by: Anil Keshav <anil.keshav@sap.com>
125 lines
4.1 KiB
YAML
125 lines
4.1 KiB
YAML
metadata:
|
|
name: credentialdiggerScan
|
|
description: Scan a repository on GitHub with Credential Digger
|
|
longDescription: |
|
|
This step allows you to scan a repository on Github using Credential Digger.
|
|
|
|
It can for example be used for DevSecOps scenarios to verify the source code does not contain hard-coded credentials before being merged or released for production.
|
|
It supports several scan flavors, i.e., full scans of a repo, scan of a snapshot, or scan of a pull request.
|
|
spec:
|
|
inputs:
|
|
secrets:
|
|
- name: githubTokenCredentialsId
|
|
description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
|
|
type: jenkins
|
|
params:
|
|
- name: repository
|
|
aliases:
|
|
- name: githubRepo
|
|
description: URL of the GitHub repository (was name, but we need the url). In case it's missing, use the URL of the current repository.
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: string
|
|
mandatory: false
|
|
- name: snapshot
|
|
description: If set, scan the snapshot of the repository at this commit_id/branch.
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: string
|
|
mandatory: false
|
|
- name: prNumber
|
|
description: If set, scan the pull request open with this number.
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: int
|
|
mandatory: false
|
|
- name: exportAll
|
|
type: bool
|
|
description: Export all the findings, i.e., including non-leaks.
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: false
|
|
- name: apiUrl
|
|
aliases:
|
|
- name: githubApiUrl
|
|
description: Set the GitHub API url. Needed for scanning a pull request.
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: string
|
|
default: https://api.github.com
|
|
mandatory: true
|
|
- name: debug
|
|
aliases:
|
|
- name: verbose
|
|
description: Execute the scans in debug mode (i.e., print logs).
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: bool
|
|
default: false
|
|
- name: rulesDownloadUrl
|
|
type: string
|
|
description: URL where to download custom rules. The file published at this URL must be formatted as the default ruleset https://raw.githubusercontent.com/SAP/credential-digger/main/ui/backend/rules.yml
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
mandatory: false
|
|
- name: models
|
|
description: Machine learning models to automatically verify the findings.
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: "[]string"
|
|
- name: token
|
|
aliases:
|
|
- name: githubToken
|
|
- name: access_token
|
|
description: GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: string
|
|
mandatory: true
|
|
secret: true
|
|
resourceRef:
|
|
- name: githubTokenCredentialsId
|
|
type: secret
|
|
- type: vaultSecret
|
|
default: github
|
|
name: githubVaultSecretName
|
|
- name: rulesFile
|
|
type: string
|
|
description: Name of the rules file used locally within the step. If a remote files for rules is declared as `rulesDownloadUrl`, the stashed file is ignored. If you change the file's name make sure your stashing configuration also reflects this.
|
|
mandatory: false
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: inputs/rules.yml
|
|
outputs:
|
|
resources:
|
|
- name: report
|
|
type: report
|
|
params:
|
|
- filePattern: "**/report*.csv"
|
|
type: credentialdigger-report
|
|
containers:
|
|
- image: "credentialdigger.int.repositories.cloud.sap/credential_digger:4.9.2"
|