
     1  resources:
     2    - name: cron_trigger
     3      type: CronTrigger
     4      configuration:
     5        interval: "0 * * * *" # Run once per hour
     6  
     7    - name: frogbotGitRepo
     8      type: GitRepo
     9      configuration:
    10        gitProvider: gitIntegration
    11        path: "{{.jfrog-pipelines.sourceRepository}}"
    12        branches:
    13          include: ^{{gitBranch}}$
    14        cloneProtocol: https
    15  
    16  pipelines:
    17    - name: Frogbot
    18      steps:
    19        - name: Frogbot_Scan
    20          type: Bash # For Windows runner: PowerShell
    21          configuration:
    22            integrations:
    23              - name: jfrogPlatform
    24              - name: gitIntegration
    25            inputResources:
    26              - name: cron_trigger
    27              - name: frogbotGitRepo
    28            runtime:
    29              type: image
    30              image:
    31                auto:
    32                  language: node
    33                  version: "16"
    34            environmentVariables:
    35              # [Mandatory]
    36              # JFrog platform URL
    37              JF_URL: $int_jfrogPlatform_url
    38  
    39              # [Mandatory if JF_USER and JF_PASSWORD are not provided]
    40              # JFrog access token with 'read' permissions for Xray
    41              JF_ACCESS_TOKEN: $int_jfrogPlatform_accessToken
    42  
    43              # [Mandatory for Bitbucket]
    44              # Username of the git provider account
    45              JF_GIT_USERNAME: ""
    46  
    47              # [Mandatory]
    48              # Git provider access token with minimal permissions according to the relevant integration type.
    49              # Read more - https://www.jfrog.com/confluence/display/JFROG/Pipelines+Integrations
    50              JF_GIT_TOKEN: $int_gitIntegration_token
    51  
    52              # [Mandatory]
    53              # Name of your git provider: "bitbucketServer" or "github".
    54              JF_GIT_PROVIDER: ""
    55  
    56              # [Mandatory]
    57              # API endpoint to your git provider
    58              JF_GIT_API_ENDPOINT: $int_gitIntegration_url
    59  
    60              # [Mandatory]
    61              # Git provider project owner.
    62              JF_GIT_OWNER: ""
    63  
    64              # [Optional]
    65              # By default, the Frogbot workflows download the Frogbot executable as well as other tools
    66              # needed from https://releases.jfrog.io
    67              # If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
    68              # executable to be downloaded from an Artifactory instance, which the machine has access to:
    69              #
    70              # 1. Login to the Artifactory UI, with a user which has admin credentials.
    71              # 2. Create a Remote Repository with the following properties set.
    72              #    Under the 'Basic' tab:
    73              #       Package Type: Generic
    74              #       URL: https://releases.jfrog.io
    75              #    Under the 'Advanced' tab:
    76              #       Uncheck the 'Store Artifacts Locally' option
    77              # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
    78              # JF_RELEASES_REPO: ""
    79  
    80              # [Optional]
    81              # Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans.
    82              # SMTP server URL including should the relevant port: (Example: smtp.server.com:8080)
    83              # JF_SMTP_SERVER: ""
    84  
    85              # [Mandatory if JF_SMTP_SERVER is set]
    86              # The username required for authenticating with the SMTP server.
    87              # JF_SMTP_USER: ""
    88  
    89              # [Mandatory if JF_SMTP_SERVER is set]
    90              # The password associated with the username required for authentication with the SMTP server.
    91              # JF_SMTP_PASSWORD: ""
    92  
    93              # [Optional]
    94              # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
    95              # JF_AVOID_EXTRA_MESSAGES: "TRUE"
    96  
    97              ###########################################################################
    98              ##   If your project uses a 'frogbot-config.yml' file, you should define ##
    99              ##   the following variables inside the file, instead of here.           ##
   100              ###########################################################################
   101  
   102              # [Mandatory]
   103              # Git repository name
   104              JF_GIT_REPO: ""
   105  
   106              # [Mandatory]
   107              # Repository branch to scan
   108              JF_GIT_BASE_BRANCH: $res_frogbotGitRepo_gitRepoSourceDefaultBranch
   109  
   110              # [Mandatory if the two conditions below are met]
   111              # 1. The project uses yarn 2, NuGet or .NET Core to download its dependencies
   112              # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
   113              #
   114              # The command that installs the project dependencies (e.g "nuget restore")
   115              # JF_INSTALL_DEPS_CMD: ""
   116  
   117              # [Optional, default: "."]
   118              # Relative path to the root of the project in the Git repository
   119              # JF_WORKING_DIR: path/to/project/dir
   120  
   121              # [Default: "*.git*;*node_modules*;*target*;*venv*;*test*"]
   122              # List of exclusion patterns (utilizing wildcards) for excluding paths in the source code of the Git repository during SCA scans.
   123              # JF_PATH_EXCLUSIONS: "*.git*;*node_modules*;*target*;*venv*;*test*"
   124  
   125              # [Optional]
   126              # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
   127              # JF_WATCHES: <watch-1>,<watch-2>...<watch-n>
   128  
   129              # [Optional]
   130              # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
   131              # JF_PROJECT: <project-key>
   132  
   133              # [Optional, default: "FALSE"]
   134              # Displays all existing vulnerabilities, including the ones that were added by the pull request.
   135              # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
   136  
   137              # [Optional, default: "FALSE"]
   138              # When adding new comments on pull requests, keep old comments that were added by previous scans.
   139              # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
   140  
   141              # [Optional, default: "TRUE"]
   142              # Fails the Frogbot task if any security issue is found.
   143              # JF_FAIL: "FALSE"
   144  
   145              # [Optional]
   146              # Frogbot will download the project dependencies if they're not cached locally. To download the
   147              # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
   148              # need to set this value, if it is set in the frogbot-config.yml file.
   149              # JF_DEPS_REPO: ""
   150  
   151              # [Optional, default: "."]
   152              # Relative path to the project in the git repository
   153              # JF_WORKING_DIR: path/to/project/dir
   154  
   155              # [Optional]
   156              # Template for the branch name generated by Frogbot when creating pull requests with fixes.
   157              # The template must include {BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
   158              # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
   159              # JF_BRANCH_NAME_TEMPLATE: "'frogbot-{IMPACTED_PACKAGE}-{BRANCH_NAME_HASH}'"
   160  
   161              # [Optional]
   162              # Template for the commit message generated by Frogbot when creating pull requests with fixes
   163              # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
   164              # JF_COMMIT_MESSAGE_TEMPLATE: "'Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}'"
   165  
   166              # [Optional]
   167              # Template for the pull request title generated by Frogbot when creating pull requests with fixes.
   168              # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
   169              # JF_PULL_REQUEST_TITLE_TEMPLATE: "'[🐸 Frogbot] Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}'"
   170  
   171              # [Optional, Default: "FALSE"]
   172              # If TRUE, Frogbot creates a single pull request with all the fixes.
   173              # If FALSE, Frogbot creates a separate pull request for each fix.
   174              # JF_GIT_AGGREGATE_FIXES: "FALSE"
   175  
   176              # [Optional, Default: "FALSE"]
   177              # Handle vulnerabilities with fix versions only
   178              # JF_FIXABLE_ONLY: "TRUE"
   179  
   180              # [Optional]
   181              # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
   182              # The following values are accepted: Low, Medium, High or Critical
   183              # JF_MIN_SEVERITY: ""
   184  
   185              # [Optional, Default: eco-system+frogbot@jfrog.com]
   186              # Set the email of the commit author
   187              # JF_GIT_EMAIL_AUTHOR: ""
   188  
   189              # [Optional]
   190              # List of comma separated email addresses to receive email notifications about secrets
   191              # detected during pull request scanning. The notification is also sent to the email set
   192              # in the committer git profile regardless of whether this variable is set or not.
   193              # JF_EMAIL_RECEIVERS: ""
   194  
   195              # [Optional]
   196              # Set the list of allowed licenses
   197              # The full list of licenses can be found in:
   198              # https://github.com/jfrog/frogbot/blob/master/docs/licenses.md
   199              # JF_ALLOWED_LICENSES: "MIT, Apache-2.0"
   200  
   201              # [Optional]
   202              # Add a title to pull request comments generated by Frogbot.
   203              # JF_PR_COMMENT_TITLE: ""
   204  
   205          execution:
   206            onExecute:
   207              - cd $res_frogbotGitRepo_resourcePath
   208              # For Linux/Mac runner:
   209              - |
   210                getFrogbotScriptPath=$( [[ -z "$JF_RELEASES_REPO" ]] && echo "https://releases.jfrog.io" || echo "${JF_URL}/artifactory/${JF_RELEASES_REPO}" )
   211                curl -fLg "$getFrogbotScriptPath/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh
   212                restore_cache_files npm_cache ~/.npm
   213                ./frogbot scan-all-pull-requests
   214                ./frogbot scan-multiple-repositories
   215                add_cache_files ~/.npm npm_cache || true  
   216  
   217              # For Windows runner:
   218              # - |
   219              #   if (-not $env:JF_RELEASES_REPO) {
   220              #       $getFrogbotScriptPath = "https://releases.jfrog.io"
   221              #   } else {
   222              #       $getFrogbotScriptPath = "$($env:JF_URL)/artifactory/$($env:JF_RELEASES_REPO)"
   223              #   }
   224              #
   225              #   $scriptUrl = "$($getFrogbotScriptPath)/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh"
   226              #   Invoke-Expression (Invoke-WebRequest -Uri $scriptUrl -UseBasicParsing).Content
   227              #   add_cache_files "%AppData%/npm-cache" npm_cache || true
   228              #   .\frogbot.exe scan-all-pull-requests
   229              #   .\frogbot.exe scan-multiple-repositories
   230