Merge pull request #37 from veracode/issue/DXS-412

Sandbox scan should not show on the PR checks for static scan

Author: shailesh-veracode

.github/workflows/veracode-code-analysis.yml

@@ -8,36 +8,27 @@ concurrency:
 
 on:
   repository_dispatch:
-    types: [java-maven-pipeline-scan,
-            java-maven-policy-scan,
-            java-maven-sandbox-scan,
-            java-gradle-pipeline-scan,
-            java-gradle-policy-scan,
-            java-gradle-sandbox-scan,
-            source-code-pipeline-scan,
-            source-code-policy-scan,
-            source-code-sandbox-scan,
-            dot-net-pipeline-scan,
-            dot-net-policy-scan,
-            dot-net-sandbox-scan,
-            go-pipeline-scan,
-            go-policy-scan,
-            go-sandbox-scan,
-            tsql-pipeline-scan,
-            tsql-policy-scan,
-            tsql-sandbox-scan,
-            plsql-pipeline-scan,
-            plsql-policy-scan,
-            plsql-sandbox-scan,
-            php-pipeline-scan,
-            php-policy-scan,
-            php-sandbox-scan,
-            scala-pipeline-scan,
-            scala-policy-scan,
-            scala-sandbox-scan,
-            dart-pipeline-scan,
-            dart-policy-scan,
-            dart-sandbox-scan]
+    types: 
+      - java-maven-pipeline-scan
+      - java-maven-policy-scan
+      - java-gradle-pipeline-scan
+      - java-gradle-policy-scan
+      - source-code-pipeline-scan
+      - source-code-policy-scan
+      - dot-net-pipeline-scan
+      - dot-net-policy-scan
+      - go-pipeline-scan
+      - go-policy-scan
+      - tsql-pipeline-scan
+      - tsql-policy-scan
+      - plsql-pipeline-scan
+      - plsql-policy-scan
+      - php-pipeline-scan
+      - php-policy-scan
+      - scala-pipeline-scan
+      - scala-policy-scan
+      - dart-pipeline-scan
+      - dart-policy-sca
 
 jobs:
   register:
@@ -141,16 +132,4 @@ jobs:
       break_build_on_error: ${{ github.event.client_payload.user_config.break_build_on_error }}
       filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }}
       language: ${{ github.event.client_payload.repository.language }}
-    secrets: inherit
-
-  sandbox_scan:
-    needs: build
-    if: contains(github.event.action, 'sandbox')
-    uses: ./.github/workflows/veracode-sandbox-scan.yml
-    with:
-      profile_name: ${{ github.event.client_payload.user_config.profile_name }}
-      policy_name: ${{ github.event.client_payload.policy_name }}
-      branch: ${{ github.event.client_payload.repository.branch }}
-      modules_to_scan: ${{ github.event.client_payload.modules_to_scan }}
-      break_build_policy_findings: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
-    secrets: inherit
+    secrets: inherit

.github/workflows/veracode-iac-secrets-scan.yml

@@ -61,4 +61,4 @@ jobs:
             source: "./"
             format: "json"
             debug: false
-            fail_build: true
+            fail_build: ${{ github.event.client_payload.user_config.break_build_policy_findings }}

.github/workflows/veracode-sandbox-scan.yml

@@ -1,26 +1,35 @@
 name: Veracode Static Sandbox Scanner
+run-name: Veracode Sandbox scan - ${{ github.event.client_payload.repository.name }}
+
+concurrency:
+  group: ${{ github.event.client_payload.event_type }}-${{ github.event.client_payload.repository.name }}-${{ github.event.client_payload.repository.branch }}
+  cancel-in-progress: true
 
 on:
-  workflow_call:
-    inputs:
-      profile_name:
-        required: true
-        type: string
-      modules_to_scan:
-        required: true
-        type: string
-      branch:
-        required: false
-        type: string
-      policy_name:
-        required: true
-        type: string
-      break_build_policy_findings: 
-        required: true
-        type: string
+  repository_dispatch:
+    types:
+      - java-maven-sandbox-scan
+      - java-gradle-sandbox-scan
+      - source-code-sandbox-scan
+      - dot-net-sandbox-scan
+      - go-sandbox-scan
+      - tsql-sandbox-scan
+      - plsql-sandbox-scan
+      - php-sandbox-scan
+      - scala-sandbox-scan
+      - dart-sandbox-scan
 
 jobs:
+  build:
+    uses: ./.github/workflows/veracode-build-artifact-for-scanning.yml
+    with:
+      repository: ${{ github.event.client_payload.repository.full_name }}
+      ref: ${{ github.event.client_payload.sha }}
+      token: ${{ github.event.client_payload.token }}
+      event_name: ${{ github.event.action }}
+
   sandbox_scan:
+    needs: build
     runs-on: ubuntu-latest
     name: sandbox scan
 
@@ -40,14 +49,13 @@ jobs:
         uses: veracode/[email protected]
         id: upload_and_scan
         with:
-          appname: ${{ inputs.profile_name }}
+          appname: ${{ github.event.client_payload.user_config.profile_name }}
           createprofile: true
-          policy: ${{ inputs.policy_name }}
+          policy: ${{ github.event.client_payload.policy_name }}
           version: '${{ github.run_id }}'
           filepath: ./veracode_artifact_directory/
           vid: '${{ secrets.VERACODE_API_ID }}'
           vkey: '${{ secrets.VERACODE_API_KEY }}'
           createsandbox: true
-          sandboxname: GitHub App Scans-${{ inputs.branch }}
-          # include: ${{ inputs.modules_to_scan }}
-          failbuild: ${{ inputs.break_build_policy_findings }}
+          sandboxname: GitHub App Scans-${{ github.event.client_payload.repository.branch }}
+          failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }}

veracode.yml

@@ -81,6 +81,8 @@ veracode_iac_secrets_scan:
       - synchronize
     target_branch:
       - default_branch
+  # If break_build_policy_findings is set to true, the build will break when findings violate the policy.
+  break_build_policy_findings: true
   # If the break_build_on_error is set to true, the build will break if the scan failed to complete or with an error, no libraries were found, 
   # or no build system was found and the error_message will be displayed.
   break_build_on_error: true