From 5685e305ed7bdf1d08c55cec94fc8c6b8bba5563 Mon Sep 17 00:00:00 2001
From: Rakhi Bathiya <136622153+rbathiya1@users.noreply.github.com>
Date: Mon, 2 Jun 2025 15:33:23 +0530
Subject: [PATCH 1/5] Update frogbot-scan-repository.yml
---
.github/workflows/frogbot-scan-repository.yml | 54 +++++++++----------
1 file changed, 24 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/frogbot-scan-repository.yml b/.github/workflows/frogbot-scan-repository.yml
index 360486a..469c0d7 100644
--- a/.github/workflows/frogbot-scan-repository.yml
+++ b/.github/workflows/frogbot-scan-repository.yml
@@ -1,55 +1,49 @@ -name: "Frogbot Scan Repository" +name: "Frogbot Security Scan Workflow" + on: - workflow_dispatch: + pull_request_target: + # Triggers scan-pr flow for every opened/updated pull request + types: [opened, synchronize] + push: + # Triggers scan-repo flow for every push to the specified branches + branches: + - rbathiya/frogbot schedule: - # The repository will be scanned once a day at 00:00 GMT. - - cron: "0 0 * * *" + # The repository will be scanned every Monday at 00:00 GMT (Can be change according to your needs). + - cron: "0 0 * * 1" + workflow_dispatch: # The repository will be scanned on demand + permissions: contents: write pull-requests: write security-events: write # [Mandatory If using OIDC authentication protocol instead of JF_ACCESS_TOKEN] - id-token: write + # id-token: write jobs: scan-repository: - runs-on: ubuntu-latest-4-cores - # container: - # # Official .NET SDK image with python3-virtualenv package installed. One-time manual creation. - # image: azuekubeacr03.azurecr.io/dotnet/sdk-python3-virtualenv:9.0.201-noble-amd64 + runs-on: public-ubuntu-latest-8-cores strategy: matrix: - # The repository scanning will be triggered periodically on the following branches. branch: ["main"] - steps: + steps: - uses: jfrog/frogbot@v2 env: - # [Mandatory] # JFrog platform URL - # Accessible from GitHub-hosted runners. - JF_URL: https://ansyscpp.jfrog.io/ + JF_URL: ${{ secrets.JF_URL }} - # [Mandatory if JF_USER and JF_PASSWORD are not provided] # JFrog access token with 'read' permissions on Xray service - # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - - # [Mandatory if JF_ACCESS_TOKEN is not provided] - # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD - # JF_USER: ${{ secrets.JF_USER }} + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - # [Mandatory if JF_ACCESS_TOKEN is not provided] - # JFrog password. 
Must be provided with JF_USER - # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} - - # [Mandatory] - # The GitHub token is automatically generated for the job + # The GitHub access token with 'read/write' permissions to the repository (for opening or commenting on PRs). JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # [Mandatory] # The name of the branch on which Frogbot will perform the scan JF_GIT_BASE_BRANCH: ${{ matrix.branch }} # [Mandatory if using OIDC authentication protocol instead of JF_ACCESS_TOKEN] # Insert to oidc-provider-name the 'Provider Name' defined in the OIDC integration configured in the JPD - with: - oidc-provider-name: "github-actions-oidc" - oidc-audience: GitHub ansys-internal CI/CD Pipelines \ No newline at end of file + # with: + # oidc-provider-name: "github-actions-oidc" + # oidc-audience: GitHub ansys-internal CI/CD Pipelines + + From 4826b941ebf7f973d27bcc6aaeaf57bb9ae4733d Mon Sep 17 00:00:00 2001 From: Rakhi Bathiya <136622153+rbathiya1@users.noreply.github.com> Date: Mon, 2 Jun 2025 15:36:09 +0530 Subject: [PATCH 2/5] Update frogbot-scan-repository.yml --- .github/workflows/frogbot-scan-repository.yml | 25 ++++++++++++++----- 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/.github/workflows/frogbot-scan-repository.yml b/.github/workflows/frogbot-scan-repository.yml index 469c0d7..9e019fc 100644 --- a/.github/workflows/frogbot-scan-repository.yml +++ b/.github/workflows/frogbot-scan-repository.yml 
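Review bot: The added `pull_request_target` trigger now shares a single job with `contents: write`, `pull-requests: write` and the JFrog credentials, so every PR-triggered run — this event also fires for pull requests from forks and runs with the base repository's secrets — executes with write access to the repository instead of the `contents: read` that the separate scan-pull-request workflow (deleted in patch 5/5) granted. Frogbot's scan-pr and scan-repo flows are normally kept in separate workflows for exactly this least-privilege reason; if they stay merged, consider gating the PR path with the `environment: frogbot` approval pattern the deleted workflow carried as a comment, or giving the PR path a job with read-only permissions. The same trigger/permission pairing appears as context in the first hunk of patch 4/5, so the point applies there too. Minor: the schedule comment reads "Can be change" — `# The repository will be scanned every Monday at 00:00 GMT (Can be changed according to your needs).`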
@@ -28,22 +28,35 @@ jobs: steps: - uses: jfrog/frogbot@v2 env: + # [Mandatory] # JFrog platform URL - JF_URL: ${{ secrets.JF_URL }} + # Accessible from GitHub-hosted runners. + JF_URL: https://ansyscpp.jfrog.io/ + # [Mandatory if JF_USER and JF_PASSWORD are not provided] # JFrog access token with 'read' permissions on Xray service - JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - # The GitHub access token with 'read/write' permissions to the repository (for opening or commenting on PRs). + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + # JF_USER: ${{ secrets.JF_USER }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. Must be provided with JF_USER + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + + # [Mandatory] + # The GitHub token is automatically generated for the job JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # [Mandatory] # The name of the branch on which Frogbot will perform the scan JF_GIT_BASE_BRANCH: ${{ matrix.branch }} # [Mandatory if using OIDC authentication protocol instead of JF_ACCESS_TOKEN] # Insert to oidc-provider-name the 'Provider Name' defined in the OIDC integration configured in the JPD - # with: - # oidc-provider-name: "github-actions-oidc" - # oidc-audience: GitHub ansys-internal CI/CD Pipelines + with: + oidc-provider-name: "github-actions-oidc" + oidc-audience: GitHub ansys-internal CI/CD Pipelines From 1241d5049c6947154df322a86b6bdb14c0238ab9 Mon Sep 17 00:00:00 2001 From: Rakhi Bathiya <136622153+rbathiya1@users.noreply.github.com> Date: Mon, 2 Jun 2025 15:55:12 +0530 Subject: [PATCH 3/5] Update frogbot-scan-repository.yml --- .github/workflows/frogbot-scan-repository.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/frogbot-scan-repository.yml b/.github/workflows/frogbot-scan-repository.yml index 9e019fc..d2a5250 100644 
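Review bot: With `JF_ACCESS_TOKEN`, `JF_USER` and `JF_PASSWORD` all commented out and the `with: oidc-provider-name` block restored, the `[Mandatory if ...]` comments no longer tell a reader which credential path is actually active; OIDC has to be inferred from the `with:` block at the bottom. Suggest a one-line comment directly above `env:` such as `# Authentication: OIDC via the 'with:' block below; the token/user/password variables are kept only as a documented fallback.` Note also that the OIDC path depends on `id-token: write` in the permissions block (outside this hunk), which at this point in the series is still commented out — patch 3/5 restores it.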
--- a/.github/workflows/frogbot-scan-repository.yml +++ b/.github/workflows/frogbot-scan-repository.yml @@ -18,7 +18,7 @@ permissions: pull-requests: write security-events: write # [Mandatory If using OIDC authentication protocol instead of JF_ACCESS_TOKEN] - # id-token: write + id-token: write jobs: scan-repository: runs-on: public-ubuntu-latest-8-cores From 758d9f5c3a29cd899e9bbeb2020bf79230e8ed79 Mon Sep 17 00:00:00 2001 From: Rakhi Bathiya <136622153+rbathiya1@users.noreply.github.com> Date: Mon, 2 Jun 2025 16:01:44 +0530 Subject: [PATCH 4/5] Update frogbot-scan-repository.yml --- .github/workflows/frogbot-scan-repository.yml | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/frogbot-scan-repository.yml b/.github/workflows/frogbot-scan-repository.yml index d2a5250..f27b00b 100644 --- a/.github/workflows/frogbot-scan-repository.yml +++ b/.github/workflows/frogbot-scan-repository.yml 
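Review bot: Enabling `id-token: write` in a workflow that also carries the `pull_request_target` trigger (outside this hunk) means an OIDC token for this repository is minted on pull-request events as well as on push, schedule and dispatch runs. What that token can do is then decided entirely by the identity mapping configured in JFrog for `oidc-provider-name: "github-actions-oidc"`; it is worth confirming that the mapping pins the `repository` claim (and ideally `ref` or `event_name`) rather than only the audience string, so the mapped JFrog identity keeps just the 'read' permissions the surrounding comments describe. Recording that expectation next to the permission would help the next maintainer: `# id-token: write — required for OIDC; the JFrog identity mapping must restrict claims to this repository`.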
@@ -1,31 +1,35 @@ -name: "Frogbot Security Scan Workflow" - -on: +name: "Frogbot Scan Repository" +on: pull_request_target: # Triggers scan-pr flow for every opened/updated pull request types: [opened, synchronize] push: # Triggers scan-repo flow for every push to the specified branches branches: - - rbathiya/frogbot + - main schedule: # The repository will be scanned every Monday at 00:00 GMT (Can be change according to your needs). - cron: "0 0 * * 1" workflow_dispatch: # The repository will be scanned on demand - + permissions: contents: write pull-requests: write security-events: write # [Mandatory If using OIDC authentication protocol instead of JF_ACCESS_TOKEN] id-token: write + jobs: scan-repository: - runs-on: public-ubuntu-latest-8-cores + runs-on: ubuntu-latest-4-cores + # container: + # # Official .NET SDK image with python3-virtualenv package installed. One-time manual creation. + # image: azuekubeacr03.azurecr.io/dotnet/sdk-python3-virtualenv:9.0.201-noble-amd64 strategy: matrix: + # The repository scanning will be triggered periodically on the following branches. branch: ["main"] - steps: + steps: - uses: jfrog/frogbot@v2 env: # [Mandatory] @@ -58,5 +62,3 @@ jobs: with: oidc-provider-name: "github-actions-oidc" oidc-audience: GitHub ansys-internal CI/CD Pipelines - - From 585bccd007783c9a47fe9432457448c5aad575a9 Mon Sep 17 00:00:00 2001 From: Rakhi Bathiya <136622153+rbathiya1@users.noreply.github.com> Date: Mon, 2 Jun 2025 16:02:10 +0530 Subject: [PATCH 5/5] Delete .github/workflows/frogbot-scan-pull-request.yml --- .../workflows/frogbot-scan-pull-request.yml | 49 ------------------- 1 file changed, 49 deletions(-) delete mode 100644 .github/workflows/frogbot-scan-pull-request.yml diff --git a/.github/workflows/frogbot-scan-pull-request.yml b/.github/workflows/frogbot-scan-pull-request.yml deleted file mode 100644 index 00ce181..0000000 --- a/.github/workflows/frogbot-scan-pull-request.yml +++ /dev/null 
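Review bot: The workflow name reverts to "Frogbot Scan Repository" while the file keeps the `pull_request_target` trigger and, once patch 5/5 deletes frogbot-scan-pull-request.yml, becomes the only place PR scanning happens; the name and the restored `# The repository scanning will be triggered periodically on the following branches.` comment describe only half of what the job does. Suggest a header comment under `name:` such as `# Runs both Frogbot flows: scan-pr on pull_request_target, scan-repo on push/schedule/dispatch.` The branch list is now maintained in two places (`push.branches` and `strategy.matrix.branch`, both `main`), which a short comment should call out so they are changed together.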
@@ -1,49 +0,0 @@ -name: "Frogbot Scan Pull Request" -on: - pull_request_target: - types: [opened, synchronize] -permissions: - pull-requests: write - contents: read - # [Mandatory If using OIDC authentication protocol instead of JF_ACCESS_TOKEN] - id-token: write -jobs: - scan-pull-request: - runs-on: ubuntu-latest-4-cores - # container: - # # Official .NET SDK image with python3-virtualenv package installed. One-time manual creation. - # image: azuekubeacr03.azurecr.io/dotnet/sdk-python3-virtualenv:9.0.201-noble-amd64 - # A pull request needs to be approved before Frogbot scans it. Any GitHub user who is associated with the - # "frogbot" GitHub environment can approve the pull request to be scanned. - # environment: frogbot - steps: - - uses: jfrog/frogbot@v2 - env: - # [Mandatory] - # JFrog platform URL - # Temporary JFrog SaaS instance, hosted by JFrog for new feature evaluation. - # Accessible from GitHub-hosted runners. - JF_URL: https://ansyscpp.jfrog.io/ - - # [Mandatory if JF_USER and JF_PASSWORD are not provided] - # JFrog access token with 'read' permissions on Xray service - # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} - - # [Mandatory if JF_ACCESS_TOKEN is not provided] - # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD - # JF_USER: ${{ secrets.JF_USER }} - - # [Mandatory if JF_ACCESS_TOKEN is not provided] - # JFrog password. 
Must be provided with JF_USER - # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} - - # [Mandatory] - # The GitHub token is automatically generated for the job - JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - # [Mandatory if using OIDC authentication protocol instead of JF_ACCESS_TOKEN] - # Insert to oidc-provider-name the 'Provider Name' defined in the OIDC integration configured in the JPD - # OIDC identiy mappings are defined in JFrog Platform administration -> General Management -> Manage Integrations - with: - oidc-provider-name: "github-actions-oidc" - oidc-audience: GitHub ansys-internal CI/CD Pipelines \ No newline at end of file