github.com/jfrog/frogbot/v2@v2.21.0/docs/templates/jfrog-pipelines/pipelines-gradle.yml (about)

     1  resources:
          # Two resources feed the Frogbot step: a cron trigger that starts runs on a
          # schedule, and the Git repository that the step checks out.
     2    - name: cron_trigger
     3      type: CronTrigger
     4      configuration:
              # NOTE(review): the inline comment says hourly, but in standard five-field
              # cron a "*" minute field matches every minute; "0 */1 * * *" would be
              # hourly. Confirm how CronTrigger reads this before relying on the schedule.
     5        interval: "* */1 * * *" # Run once per hour
     6  
     7    - name: frogbotGitRepo
     8      type: GitRepo
     9      configuration:
              # Name of the Git integration; the step below also lists it under
              # 'integrations' and reads its token and URL from it.
    10        gitProvider: gitIntegration
              # '{{...}}' values are template placeholders that must be replaced with
              # real values (presumably from a values file - verify for your setup).
    11        path: "{{.jfrog-pipelines.sourceRepository}}"
    12        branches:
                # Anchored with ^ and $, so only the exact branch name matches.
    13          include: ^{{gitBranch}}$
    14        cloneProtocol: https
    15  
    16  pipelines:
          # One pipeline with a single step: it downloads the Frogbot executable and
          # runs its scans against the checked-out Git repository.
    17    - name: Frogbot
    18      steps:
    19        - name: Frogbot_Scan
    20          type: Bash # For Windows runner: PowerShell
    21          configuration:
                  # The $int_<name>_* variables used under environmentVariables refer to
                  # these two integrations, so credentials are not written in this file.
    22            integrations:
    23              - name: jfrogPlatform
    24              - name: gitIntegration
    25            inputResources:
    26              - name: cron_trigger
    27              - name: frogbotGitRepo
    28            runtime:
    29              type: image
    30              image:
    31                auto:
    32                  language: java
    33                  version: "11"
    34            environmentVariables:
    35              # [Mandatory]
    36              # JFrog platform URL
    37              JF_URL: $int_jfrogPlatform_url
    38  
    39              # [Mandatory if JF_USER and JF_PASSWORD are not provided]
    40              # JFrog access token with 'read' permissions for Xray
    41              JF_ACCESS_TOKEN: $int_jfrogPlatform_accessToken
    42  
    43              # [Mandatory for Bitbucket]
    44              # Username of the git provider account
    45              JF_GIT_USERNAME: ""
    46  
    47              # [Mandatory]
    48              # Git provider access token with minimal permissions according to the relevant integration type.
    49              # Read more - https://www.jfrog.com/confluence/display/JFROG/Pipelines+Integrations
    50              JF_GIT_TOKEN: $int_gitIntegration_token
    51  
    52              # [Mandatory]
    53              # Name of your git provider: "bitbucketServer" or "github".
    54              JF_GIT_PROVIDER: ""
    55  
    56              # [Mandatory]
    57              # API endpoint to your git provider
    58              JF_GIT_API_ENDPOINT: $int_gitIntegration_url
    59  
    60              # [Mandatory]
    61              # Git provider project owner.
    62              JF_GIT_OWNER: ""
    63  
    64              # [Optional]
    65              # By default, the Frogbot workflows download the Frogbot executable as well as other tools
    66              # needed from https://releases.jfrog.io
    67              # If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
    68              # executable to be downloaded from an Artifactory instance, which the machine has access to:
    69              #
    70              # 1. Login to the Artifactory UI, with a user which has admin credentials.
    71              # 2. Create a Remote Repository with the following properties set.
    72              #    Under the 'Basic' tab:
    73              #       Package Type: Generic
    74              #       URL: https://releases.jfrog.io
    75              #    Under the 'Advanced' tab:
    76              #       Uncheck the 'Store Artifacts Locally' option
    77              # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
                    #
                    # The onExecute script below downloads getFrogbot.sh from this repository and
                    # pipes it to a shell, so the repository is part of the step's trust boundary:
                    # limit who can reconfigure it or deploy to it.
    78              # JF_RELEASES_REPO: ""
    79  
    80              # [Optional]
    81              # Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans.
    82              # SMTP server URL, including the relevant port (example: smtp.server.com:8080)
                    # NOTE(review): these mails concern detected secrets and the SMTP password is
                    # sent to this server - confirm the connection is encrypted.
    83              # JF_SMTP_SERVER: ""
    84  
    85              # [Mandatory if JF_SMTP_SERVER is set]
    86              # The username required for authenticating with the SMTP server.
    87              # JF_SMTP_USER: ""
    88  
    89              # [Mandatory if JF_SMTP_SERVER is set]
    90              # The password associated with the username required for authentication with the SMTP server.
                    # Do not commit a literal password here; supply it from a secret or integration
                    # variable, as is done for JF_ACCESS_TOKEN and JF_GIT_TOKEN above.
    91              # JF_SMTP_PASSWORD: ""
    92  
    93              # [Optional]
    94              # Avoid adding extra info that isn't related to the scan findings to pull request comments.
    95              # JF_AVOID_EXTRA_MESSAGES: "TRUE"
    96  
    97              ###########################################################################
    98              ##   If your project uses a 'frogbot-config.yml' file, you should define ##
    99              ##   the following variables inside the file, instead of here.           ##
   100              ###########################################################################
   101  
   102              # [Mandatory]
   103              # Git repository name
   104              JF_GIT_REPO: ""
   105  
   106              # [Mandatory]
   107              # Repository branch to scan
   108              JF_GIT_BASE_BRANCH: $res_frogbotGitRepo_gitRepoSourceDefaultBranch
   109  
   110              # [Optional, default: "."]
   111              # Relative path to the root of the project in the Git repository
   112              # JF_WORKING_DIR: path/to/project/dir
   113  
   114              # [Default: "*.git*;*node_modules*;*target*;*venv*;*test*"]
   115              # List of exclusion patterns (utilizing wildcards) for excluding paths in the source code of the Git repository during SCA scans.
                    # Paths matching these patterns are not scanned, so keep the list as narrow as
                    # the project allows.
   116              # JF_PATH_EXCLUSIONS: "*.git*;*node_modules*;*target*;*venv*;*test*"
   117  
   118              # [Optional]
   119              # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
   120              # JF_WATCHES: <watch-1>,<watch-2>...<watch-n>
   121  
   122              # [Optional]
   123              # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
   124              # JF_PROJECT: <project-key>
   125  
   126              # [Optional, default: "FALSE"]
   127              # Displays all existing vulnerabilities, including the ones that were added by the pull request.
   128              # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
   129  
   130              # [Optional, default: "FALSE"]
   131              # When adding new comments on pull requests, keep old comments that were added by previous scans.
   132              # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
   133  
   134              # [Optional]
   135              # Frogbot will download the project dependencies if they're not cached locally. To download the
   136              # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
   137              # need to set this value, if it is set in the frogbot-config.yml file.
   138              # JF_DEPS_REPO: ""
   139  
   140              # [Optional, default: "."]
   141              # Relative path to the project in the git repository
                    # NOTE(review): JF_WORKING_DIR is also listed earlier in this block. Uncomment
                    # only one of them; a duplicate key is invalid YAML and most parsers silently
                    # keep the last value.
   142              # JF_WORKING_DIR: path/to/project/dir
   143  
   144              # [Optional]
   145              # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
                    # NOTE(review): JF_WATCHES is also listed earlier in this block; uncomment only one.
   146              # JF_WATCHES: <watch-1>,<watch-2>...<watch-n>
   147  
   148              # [Optional, default: "TRUE"]
   149              # Fails the Frogbot task if any security issue is found.
   150              # JF_FAIL: "FALSE"
   151  
   152              # [Optional, default: "TRUE"]
   153              # Use Gradle wrapper
   154              # USE_WRAPPER: "FALSE"
   155  
   156              # [Optional]
   157              # Template for the branch name generated by Frogbot when creating pull requests with fixes.
   158              # The template must include {BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
   159              # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
   160              # JF_BRANCH_NAME_TEMPLATE: "'frogbot-{IMPACTED_PACKAGE}-{BRANCH_NAME_HASH}'"
   161  
   162              # [Optional]
   163              # Template for the commit message generated by Frogbot when creating pull requests with fixes
   164              # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
   165              # JF_COMMIT_MESSAGE_TEMPLATE: "'Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}'"
   166  
   167              # [Optional]
   168              # Template for the pull request title generated by Frogbot when creating pull requests with fixes.
   169              # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
   170              # JF_PULL_REQUEST_TITLE_TEMPLATE: "'[🐸 Frogbot] Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}'"
   171  
   172              # [Optional, Default: "FALSE"]
   173              # If TRUE, Frogbot creates a single pull request with all the fixes.
   174              # If FALSE, Frogbot creates a separate pull request for each fix.
   175              # JF_GIT_AGGREGATE_FIXES: "FALSE"
   176  
   177              # [Optional, Default: "FALSE"]
   178              # Handle vulnerabilities with fix versions only
   179              # JF_FIXABLE_ONLY: "TRUE"
   180  
   181              # [Optional]
   182              # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
   183              # The following values are accepted: Low, Medium, High or Critical
   184              # JF_MIN_SEVERITY: ""
   185  
   186              # [Optional, Default: eco-system+frogbot@jfrog.com]
   187              # Set the email of the commit author
   188              # JF_GIT_EMAIL_AUTHOR: ""
   189  
   190              # [Optional]
   191              # List of comma separated email addresses to receive email notifications about secrets
   192              # detected during pull request scanning. The notification is also sent to the email set
   193              # in the committer git profile regardless of whether this variable is set or not.
   194              # JF_EMAIL_RECEIVERS: ""
   195  
   196              # [Optional]
   197              # Set the list of allowed licenses
   198              # The full list of licenses can be found in:
   199              # https://github.com/jfrog/frogbot/blob/master/docs/licenses.md
   200              # JF_ALLOWED_LICENSES: "MIT, Apache-2.0"
   201  
   202              # [Optional]
   203              # Add a title to pull request comments generated by Frogbot.
   204              # JF_PR_COMMENT_TITLE: ""
   205  
   206          execution:
   207            onExecute:
   208              - cd $res_frogbotGitRepo_resourcePath
   209              # For Linux/Mac runner:
                    # The script picks the download base (releases.jfrog.io, or the Artifactory
                    # repository named by JF_RELEASES_REPO), fetches getFrogbot.sh and pipes it
                    # straight to 'sh'. curl flags: -f fail on HTTP errors, -L follow redirects,
                    # -g disable globbing so the brackets in '[RELEASE]' are sent literally.
                    #
                    # Security: the fetched script is executed without a checksum or signature
                    # check, and '[RELEASE]' is not a pinned version (presumably it resolves to the
                    # latest release - verify). Whatever is served runs in this step with
                    # JF_ACCESS_TOKEN and JF_GIT_TOKEN in its environment. Consider pinning a
                    # version, mirroring through a repository you control, and verifying the
                    # download before running it.
                    #
                    # NOTE(review): unless the runner enables 'pipefail', a failed curl does not by
                    # itself fail the 'curl | sh' pipeline - confirm the runner's shell options.
                    #
                    # Both scan commands run on every trigger. A failure of the final cache upload
                    # is deliberately ignored ('|| true').
   210              - |
   211                getFrogbotScriptPath=$( [[ -z "$JF_RELEASES_REPO" ]] && echo "https://releases.jfrog.io" || echo "${JF_URL}/artifactory/${JF_RELEASES_REPO}" )
   212                curl -fLg "$getFrogbotScriptPath/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh
   213                restore_cache_files gradle_cache ~/.gradle/caches
   214                ./frogbot scan-all-pull-requests
   215                ./frogbot scan-multiple-repositories
   216                add_cache_files gradle_cache ~/.gradle/caches || true
   217  
   218              # For Windows runner:
                    # Same download-and-execute pattern as above: Invoke-Expression runs the
                    # downloaded content without an integrity check.
                    # NOTE(review): the URL below ends in getFrogbot.sh although the content is
                    # handed to PowerShell's Invoke-Expression - confirm this is the intended script.
   219              # - |
   220              #   if (-not $env:JF_RELEASES_REPO) {
   221              #       $getFrogbotScriptPath = "https://releases.jfrog.io"
   222              #   } else {
   223              #       $getFrogbotScriptPath = "$($env:JF_URL)/artifactory/$($env:JF_RELEASES_REPO)"
   224              #   }
   225              #
   226              #   $scriptUrl = "$($getFrogbotScriptPath)/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh"
   227              #   Invoke-Expression (Invoke-WebRequest -Uri $scriptUrl -UseBasicParsing).Content
   228              #   restore_cache_files gradle_cache "%userprofile%\.gradle\caches"
   229              #   .\frogbot.exe scan-all-pull-requests
   230              #   .\frogbot.exe scan-multiple-repositories
   231              #   add_cache_files gradle_cache "%userprofile%\.gradle\caches" || true