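# JFrog Pipelines template for running Frogbot against a Go project.
#
# Review notes applied to this template:
#   * The Windows (PowerShell) variant referenced a cache named "dotnet_cache" and a
#     cmd.exe-style path (%userprofile%\go\packages); it now mirrors the Linux step
#     (go_cache, ~/go/pkg) using PowerShell's $env:USERPROFILE syntax.
#   * JF_WORKING_DIR and JF_WATCHES were listed twice; uncommenting both copies would
#     produce a duplicate YAML key (last one silently wins), so the repeats are removed.
#   * Credentials stay sourced from Pipelines integrations ($int_*); do not replace them
#     with literal secrets in this file (see the notes next to the token variables).
resources:
  - name: cron_trigger
    type: CronTrigger
    configuration:
      interval: "0 * * * *" # Run once per hour

  - name: frogbotGitRepo
    type: GitRepo
    configuration:
      gitProvider: gitIntegration
      path: "{{.jfrog-pipelines.sourceRepository}}"
      branches:
        include: ^{{gitBranch}}$
      cloneProtocol: https

pipelines:
  - name: Frogbot
    steps:
      - name: Frogbot_Scan
        type: Bash # For Windows runner: PowerShell
        configuration:
          integrations:
            - name: jfrogPlatform
            - name: gitIntegration
          inputResources:
            - name: cron_trigger
            - name: frogbotGitRepo
          runtime:
            type: image
            image:
              auto:
                language: go
                version: "1.19"
          environmentVariables:
            # [Mandatory]
            # JFrog platform URL
            JF_URL: $int_jfrogPlatform_url

            # [Mandatory if JF_USER and JF_PASSWORD are not provided]
            # JFrog access token with 'read' permissions for Xray.
            # Sourced from the jfrogPlatform integration; never paste a literal token here,
            # since this file is committed to the repository.
            JF_ACCESS_TOKEN: $int_jfrogPlatform_accessToken

            # [Mandatory for Bitbucket]
            # Username of the git provider account
            JF_GIT_USERNAME: ""

            # [Mandatory]
            # Git provider access token with minimal permissions according to the relevant integration type.
            # Read more - https://www.jfrog.com/confluence/display/JFROG/Pipelines+Integrations
            # Frogbot uses this token to open pull requests with fixes (see the template
            # variables below), so it needs write access to the scanned repositories; scope it
            # to those repositories only and source it from the integration, not a literal.
            JF_GIT_TOKEN: $int_gitIntegration_token

            # [Mandatory]
            # Name of your git provider: "bitbucketServer" or "github".
            JF_GIT_PROVIDER: ""

            # [Mandatory]
            # API endpoint to your git provider
            JF_GIT_API_ENDPOINT: $int_gitIntegration_url

            # [Mandatory]
            # Git provider project owner.
            JF_GIT_OWNER: ""

            # [Optional]
            # By default, the Frogbot workflows download the Frogbot executable as well as other tools
            # needed from https://releases.jfrog.io
            # If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
            # executable to be downloaded from an Artifactory instance, which the machine has access to:
            #
            # 1. Login to the Artifactory UI, with a user which has admin credentials.
            # 2. Create a Remote Repository with the following properties set.
            #    Under the 'Basic' tab:
            #       Package Type: Generic
            #       URL: https://releases.jfrog.io
            #    Under the 'Advanced' tab:
            #       Uncheck the 'Store Artifacts Locally' option
            # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
            # Routing the download through your own Artifactory remote also lets you control and
            # audit which Frogbot artifacts reach the runner.
            # JF_RELEASES_REPO: ""

            # [Optional]
            # Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans.
            # SMTP server URL including the relevant port (Example: smtp.server.com:8080)
            # JF_SMTP_SERVER: ""

            # [Mandatory if JF_SMTP_SERVER is set]
            # The username required for authenticating with the SMTP server.
            # JF_SMTP_USER: ""

            # [Mandatory if JF_SMTP_SERVER is set]
            # The password associated with the username required for authentication with the SMTP server.
            # Do not commit a literal password here; reference a Pipelines integration or secret
            # variable instead, as is done for the JFrog and git tokens above.
            # JF_SMTP_PASSWORD: ""

            # [Optional]
            # Avoid adding extra info to pull request comments that isn't related to the scan findings.
            # JF_AVOID_EXTRA_MESSAGES: "TRUE"

            ###########################################################################
            ## If your project uses a 'frogbot-config.yml' file, you should define ##
            ## the following variables inside the file, instead of here.            ##
            ###########################################################################

            # [Mandatory]
            # Git repository name
            JF_GIT_REPO: ""

            # [Mandatory]
            # Repository branch to scan
            JF_GIT_BASE_BRANCH: $res_frogbotGitRepo_gitRepoSourceDefaultBranch

            # [Optional, default: "."]
            # Relative path to the root of the project in the Git repository
            # JF_WORKING_DIR: path/to/project/dir

            # [Default: "*.git*;*node_modules*;*target*;*venv*;*test*"]
            # List of exclusion patterns (utilizing wildcards) for excluding paths in the source code of the Git repository during SCA scans.
            # JF_PATH_EXCLUSIONS: "*.git*;*node_modules*;*target*;*venv*;*test*"

            # [Optional]
            # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
            # JF_WATCHES: <watch-1>,<watch-2>...<watch-n>

            # [Optional]
            # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
            # JF_PROJECT: <project-key>

            # [Optional, default: "FALSE"]
            # Displays all existing vulnerabilities, including the ones that were added by the pull request.
            # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"

            # [Optional, default: "FALSE"]
            # When adding new comments on pull requests, keep old comments that were added by previous scans.
            # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"

            # [Optional, default: "TRUE"]
            # Fails the Frogbot task if any security issue is found.
            # JF_FAIL: "FALSE"

            # [Optional]
            # Frogbot will download the project dependencies if they're not cached locally. To download the
            # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
            # need to set this value, if it is set in the frogbot-config.yml file.
            # JF_DEPS_REPO: ""

            # [Optional]
            # Template for the branch name generated by Frogbot when creating pull requests with fixes.
            # The template must include {BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
            # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
            # JF_BRANCH_NAME_TEMPLATE: "'frogbot-{IMPACTED_PACKAGE}-{BRANCH_NAME_HASH}'"

            # [Optional]
            # Template for the commit message generated by Frogbot when creating pull requests with fixes.
            # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
            # JF_COMMIT_MESSAGE_TEMPLATE: "'Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}'"

            # [Optional]
            # Template for the pull request title generated by Frogbot when creating pull requests with fixes.
            # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
            # JF_PULL_REQUEST_TITLE_TEMPLATE: "'[🐸 Frogbot] Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}'"

            # [Optional, Default: "FALSE"]
            # If TRUE, Frogbot creates a single pull request with all the fixes.
            # If FALSE, Frogbot creates a separate pull request for each fix.
            # JF_GIT_AGGREGATE_FIXES: "FALSE"

            # [Optional, Default: "FALSE"]
            # Handle vulnerabilities with fix versions only
            # JF_FIXABLE_ONLY: "TRUE"

            # [Optional]
            # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests.
            # The following values are accepted: Low, Medium, High or Critical
            # JF_MIN_SEVERITY: ""

            # [Optional, Default: eco-system+frogbot@jfrog.com]
            # Set the email of the commit author
            # JF_GIT_EMAIL_AUTHOR: ""

            # [Optional]
            # List of comma separated email addresses to receive email notifications about secrets
            # detected during pull request scanning. The notification is also sent to the email set
            # in the committer git profile regardless of whether this variable is set or not.
            # JF_EMAIL_RECEIVERS: ""

            # [Optional]
            # Set the list of allowed licenses.
            # The full list of licenses can be found in:
            # https://github.com/jfrog/frogbot/blob/master/docs/licenses.md
            # JF_ALLOWED_LICENSES: "MIT, Apache-2.0"

            # [Optional]
            # Add a title to pull request comments generated by Frogbot.
            # JF_PR_COMMENT_TITLE: ""

        execution:
          onExecute:
            - cd $res_frogbotGitRepo_resourcePath
            # For Linux/Mac runner:
            - |
              # Resolve where the Frogbot installer is fetched from: releases.jfrog.io by
              # default, or the Artifactory remote repository named in JF_RELEASES_REPO.
              getFrogbotScriptPath=$( [[ -z "$JF_RELEASES_REPO" ]] && echo "https://releases.jfrog.io" || echo "${JF_URL}/artifactory/${JF_RELEASES_REPO}" )
              # Security note: this fetches the [RELEASE] (latest) installer over HTTPS and
              # pipes it straight into sh, with no version pin and no checksum verification.
              # The runner therefore executes whatever that URL serves at run time. Prefer
              # pinning a specific Frogbot version and/or serving it through your own
              # Artifactory remote (JF_RELEASES_REPO) so the artifact can be controlled and audited.
              # -f: fail on HTTP errors, -L: follow redirects, -g: keep the literal "[RELEASE]" (no URL globbing).
              curl -fLg "$getFrogbotScriptPath/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh
              restore_cache_files go_cache ~/go/pkg
              ./frogbot scan-all-pull-requests
              ./frogbot scan-multiple-repositories
              # Saving the cache is best-effort; a failure here must not fail the scan step.
              add_cache_files go_cache ~/go/pkg || true

            # For Windows runner (set the step type to PowerShell):
            # - |
            #   if (-not $env:JF_RELEASES_REPO) {
            #     $getFrogbotScriptPath = "https://releases.jfrog.io"
            #   } else {
            #     $getFrogbotScriptPath = "$($env:JF_URL)/artifactory/$($env:JF_RELEASES_REPO)"
            #   }
            #
            #   # Same supply-chain caveat as the Linux step: unpinned installer executed directly.
            #   $scriptUrl = "$($getFrogbotScriptPath)/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh"
            #   Invoke-Expression (Invoke-WebRequest -Uri $scriptUrl -UseBasicParsing).Content
            #   # Cache name and path mirror the Linux step (go_cache, ~/go/pkg); $env:USERPROFILE is
            #   # the PowerShell form of the user's home directory (%userprofile% is cmd.exe syntax).
            #   restore_cache_files go_cache "$env:USERPROFILE\go\pkg"
            #   .\frogbot.exe scan-all-pull-requests
            #   .\frogbot.exe scan-multiple-repositories
            #   # NOTE(review): "|| true" is PowerShell 7+ syntax; on Windows PowerShell 5.1 drop it
            #   # and ignore a cache-save failure explicitly instead.
            #   add_cache_files go_cache "$env:USERPROFILE\go\pkg" || true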