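--- a/<workflow path not shown on page>
+++ b/<workflow path not shown on page>
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Frogbot Scan Pull Request does the following:
+# Automatically scans new pull requests for security vulnerabilities.
+# Uses JFrog Xray to scan the project.
+# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot
+
+# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration
+
+name: "Frogbot Scan Pull Request"
+on:
+ pull_request_target:
+ types: [ opened, synchronize ]
+permissions:
+ pull-requests: write
+ contents: read
+jobs:
+ scan-pull-request:
+ runs-on: ubuntu-latest
+ # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
+ # "frogbot" GitHub environment can approve the pull request to be scanned.
+ # Read more here (Install Frogbot Using GitHub Actions): https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-github-actions
+ environment: frogbot
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2
+ env:
+ # [Mandatory if the two conditions below are met]
+ # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
+ # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
+ #
+ # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore")
+ # JF_INSTALL_DEPS_CMD: ""
+
+ # [Mandatory]
+ # JFrog platform URL
+ JF_URL: ${{ secrets.JF_URL }}
+
+ # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+ # JFrog access token with 'read' permissions on Xray service
+ JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+
+ # [Mandatory if JF_ACCESS_TOKEN is not provided]
+ # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
+ # JF_USER: ${{ secrets.JF_USER }}
+
+ # [Mandatory if JF_ACCESS_TOKEN is not provided]
+ # JFrog password. Must be provided with JF_USER
+ # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+
+ # [Mandatory]
+ # The GitHub token automatically generated for the job
+ JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # [Optional]
+ # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository
+ # in Artifactory, which proxies https://releases.jfrog.io/artifactory
+ # The 'frogbot' executable and other tools it needs will be downloaded through this repository.
+ # JF_RELEASES_REPO: ""
+
+ # [Optional]
+ # Frogbot will download the project dependencies, if they're not cached locally. To download the
+ # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no
+ # need to set this value, if it is set in the frogbot-config.yml file.
+ # JF_DEPS_REPO: ""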
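Review bot: The `environment: frogbot` line is the only control between a fork's pull-request code and the `JF_URL`/`JF_ACCESS_TOKEN` secrets: `pull_request_target` runs the job in the base repository's context with secrets available, the `actions/checkout` step then checks out `github.event.pull_request.head.sha`, and the `GITHUB_TOKEN` handed to Frogbot as `JF_GIT_TOKEN` carries `pull-requests: write`. An environment only gates a job when required reviewers are configured for it in the repository settings, which this file cannot enforce, so the comment above `environment: frogbot` should state that as a prerequisite, e.g. `# The "frogbot" environment must have required reviewers configured in the repository settings; without that protection this job runs untrusted pull-request code with the JF_* secrets.` Two smaller points: `actions/checkout@v4` is pinned to a mutable tag while the frogbot step is pinned to a full commit SHA, so for consistency pin it the same way (`- uses: actions/checkout@<full commit SHA> # v4`), and the comment above `JF_RELEASES_REPO` misspells "internet" as "internat".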