forked from qa-nowsecure/nowsecure-action-DJ_GHA46
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnowsecure.yml
72 lines (60 loc) · 1.95 KB
/
nowsecure.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# An example workflow using the NowSecure action that builds an Android application
# in the "build" phase and then runs it against NowSecure in the "scan" phase.
# This action is run each time a commit is pushed to the "main" branch.
name: "NowSecure"
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
workflow_dispatch:
branches: [ main ]
jobs:
# EXAMPLE: Build and upload an Android application to GH artifacts.
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Install Java
uses: actions/setup-java@v2
with:
java-version: "11"
distribution: "adopt"
cache: "gradle"
- name: Validate Gradle wrapper
uses: gradle/wrapper-validation-action@v1
- name: Build application
run: ./gradlew assembleDebug --stacktrace --no-daemon
- name: Upload application
uses: actions/upload-artifact@v2
with:
name: app
path: ./app/build/outputs/apk/insecure/debug/app-insecure-debug.apk
retention-days: 3
# Scan the Android application with NowSecure.
scan:
runs-on: ubuntu-latest
needs: build
steps:
- name: Checkout repository
uses: actions/checkout@v2
# NOTE: ripgrep is required for line-of-code identification.
- name: Install ripgrep
run: sudo apt-get install -y ripgrep
- name: Download application
uses: actions/download-artifact@v2
with:
name: app
- name: NowSecure
uses: nowsecure/nowsecure-action@v1
timeout-minutes: 60
with:
token: ${{ secrets.NS_TOKEN }}
app_file: app-insecure-debug.apk
# TODO: Replace the Group ID
group_id: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: NowSecure.sarif