# Frogbot template for JFrog Pipelines (pip projects): a CronTrigger fires the
# Frogbot_Scan step once an hour, which checks out the repository, downloads the
# Frogbot binary and runs its pull-request and repository scans.
resources:
  - name: cron_trigger
    type: CronTrigger
    configuration:
      interval: "0 * * * *" # Run once an hour

  - name: frogbotGitRepo
    type: GitRepo
    configuration:
      gitProvider: gitIntegration
      path: "{{.jfrog-pipelines.sourceRepository}}"
      branches:
        include: ^{{gitBranch}}$
      cloneProtocol: https

pipelines:
  - name: Frogbot
    steps:
      - name: Frogbot_Scan
        type: Bash # For Windows runner: PowerShell
        configuration:
          integrations:
            - name: jfrogPlatform
            - name: gitIntegration
          inputResources:
            - name: cron_trigger
            - name: frogbotGitRepo
          runtime:
            type: image
            image:
              custom:
                name: python
                # NOTE(review): 'latest' is a floating tag, so the scan runtime can change
                # silently between runs; pinning a specific tag (or digest) makes the step
                # reproducible and easier to audit.
                tag: latest
          environmentVariables:
            # [Mandatory if the two conditions below are met]
            # 1. The project uses yarn 2, NuGet or .NET Core to download its dependencies
            # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
            #
            # The command that installs the project dependencies (e.g "nuget restore")
            # JF_INSTALL_DEPS_CMD: ""

            # [Mandatory]
            # JFrog platform URL (taken from the jfrogPlatform integration)
            JF_URL: $int_jfrogPlatform_url

            # [Mandatory if JF_USER and JF_PASSWORD are not provided]
            # JFrog access token with 'read' permissions for Xray (taken from the integration,
            # so no token literal is stored in this file)
            JF_ACCESS_TOKEN: $int_jfrogPlatform_accessToken

            # [Mandatory for Bitbucket]
            # Username of the git provider account
            JF_GIT_USERNAME: ""

            # [Mandatory]
            # Git provider access token with minimal permissions according to the relevant integration type.
            # Read more - https://www.jfrog.com/confluence/display/JFROG/Pipelines+Integrations
            JF_GIT_TOKEN: $int_gitIntegration_token

            # [Mandatory]
            # Name of your git provider: "bitbucketServer" or "github".
            JF_GIT_PROVIDER: ""

            # [Mandatory]
            # API endpoint to your git provider
            JF_GIT_API_ENDPOINT: $int_gitIntegration_url

            # [Mandatory]
            # Git provider project owner.
            JF_GIT_OWNER: ""

            # [Optional]
            # By default, the Frogbot workflows download the Frogbot executable as well as other tools
            # needed from https://releases.jfrog.io
            # If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
            # executable to be downloaded from an Artifactory instance, which the machine has access to:
            #
            # 1. Login to the Artifactory UI, with a user which has admin credentials.
            # 2. Create a Remote Repository with the following properties set.
            #    Under the 'Basic' tab:
            #       Package Type: Generic
            #       URL: https://releases.jfrog.io
            #    Under the 'Advanced' tab:
            #       Uncheck the 'Store Artifacts Locally' option
            # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
            # JF_RELEASES_REPO: ""

            # [Optional]
            # Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans.
            # SMTP server URL, including the relevant port (Example: smtp.server.com:8080)
            # JF_SMTP_SERVER: ""

            # [Mandatory if JF_SMTP_SERVER is set]
            # The username required for authenticating with the SMTP server.
            # JF_SMTP_USER: ""

            # [Mandatory if JF_SMTP_SERVER is set]
            # The password associated with the username required for authentication with the SMTP server.
            # NOTE(review): if enabled, take the value from a Pipelines integration variable (as JF_ACCESS_TOKEN
            # and JF_GIT_TOKEN do above) rather than a literal here, since this file is committed to the repository.
            # JF_SMTP_PASSWORD: ""

            # [Optional]
            # Avoid adding extra info that isn't related to the scan findings to pull request comments.
            # JF_AVOID_EXTRA_MESSAGES: "TRUE"

            ###########################################################################
            ## If your project uses a 'frogbot-config.yml' file, you should define  ##
            ## the following variables inside the file, instead of here.            ##
            ###########################################################################

            # [Mandatory]
            # Git repository name
            JF_GIT_REPO: ""

            # [Mandatory]
            # Repository branch to scan (defaults to the GitRepo resource's default branch)
            JF_GIT_BASE_BRANCH: $res_frogbotGitRepo_gitRepoSourceDefaultBranch

            # [Optional]
            # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
            # JF_PROJECT: <project-key>

            # [Optional]
            # Frogbot will download the project dependencies if they're not cached locally. To download the
            # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
            # need to set this value, if it is set in the frogbot-config.yml file.
            # JF_DEPS_REPO: ""

            # [Optional, default: "."]
            # Relative path to the project in the git repository
            # JF_WORKING_DIR: path/to/project/dir

            # [Default: "*.git*;*node_modules*;*target*;*venv*;*test*"]
            # List of exclusion patterns (utilizing wildcards) for excluding paths in the source code of the Git repository during SCA scans.
            # JF_PATH_EXCLUSIONS: "*.git*;*node_modules*;*target*;*venv*;*test*"

            # [Optional]
            # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
            # JF_WATCHES: <watch-1>,<watch-2>...<watch-n>

            # [Optional, default: "FALSE"]
            # Displays all existing vulnerabilities, including the ones that were added by the pull request.
            # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"

            # [Optional, default: "FALSE"]
            # When adding new comments on pull requests, keep old comments that were added by previous scans.
            # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"

            # [Optional, default: "TRUE"]
            # Fails the Frogbot task if any security issue is found.
            # JF_FAIL: "FALSE"

            # [Optional]
            # Pip requirements.txt file path
            # JF_REQUIREMENTS_FILE: ""

            # [Optional]
            # Template for the branch name generated by Frogbot when creating pull requests with fixes.
            # The template must include {BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
            # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
            # JF_BRANCH_NAME_TEMPLATE: "'frogbot-{IMPACTED_PACKAGE}-{BRANCH_NAME_HASH}'"

            # [Optional]
            # Template for the commit message generated by Frogbot when creating pull requests with fixes.
            # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
            # JF_COMMIT_MESSAGE_TEMPLATE: "'Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}'"

            # [Optional]
            # Template for the pull request title generated by Frogbot when creating pull requests with fixes.
            # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
            # JF_PULL_REQUEST_TITLE_TEMPLATE: "'[🐸 Frogbot] Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}'"

            # [Optional, Default: "FALSE"]
            # If TRUE, Frogbot creates a single pull request with all the fixes.
            # If FALSE, Frogbot creates a separate pull request for each fix.
            # JF_GIT_AGGREGATE_FIXES: "FALSE"

            # [Optional, Default: "FALSE"]
            # Handle vulnerabilities with fix versions only
            # JF_FIXABLE_ONLY: "TRUE"

            # [Optional]
            # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
            # The following values are accepted: Low, Medium, High or Critical
            # JF_MIN_SEVERITY: ""

            # [Optional, Default: eco-system+frogbot@jfrog.com]
            # Set the email of the commit author
            # JF_GIT_EMAIL_AUTHOR: ""

            # [Optional]
            # List of comma-separated email addresses to receive email notifications about secrets
            # detected during pull request scanning. The notification is also sent to the email set
            # in the committer git profile regardless of whether this variable is set or not.
            # JF_EMAIL_RECEIVERS: ""

            # [Optional]
            # Set the list of allowed licenses
            # The full list of licenses can be found in:
            # https://github.com/jfrog/frogbot/blob/master/docs/licenses.md
            # JF_ALLOWED_LICENSES: "MIT, Apache-2.0"

            # [Optional]
            # Add a title to pull request comments generated by Frogbot.
            # JF_PR_COMMENT_TITLE: ""

        execution:
          onExecute:
            - cd $res_frogbotGitRepo_resourcePath
            # For Linux/Mac runner:
            # The installer URL points at releases.jfrog.io unless JF_RELEASES_REPO names an
            # Artifactory mirror (see the JF_RELEASES_REPO notes above).
            # NOTE(review): the [RELEASE] token resolves to the newest Frogbot version at run time and
            # the installer is piped straight into sh, so each run trusts whatever that host serves at
            # that moment; pinning a specific Frogbot version and verifying the download before running
            # it would make the step reproducible and auditable.
            - |
              getFrogbotScriptPath=$( [[ -z "$JF_RELEASES_REPO" ]] && echo "https://releases.jfrog.io" || echo "${JF_URL}/artifactory/${JF_RELEASES_REPO}" )
              curl -fLg "$getFrogbotScriptPath/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh
              ./frogbot scan-all-pull-requests
              ./frogbot scan-multiple-repositories

            # For Windows runner (same download-and-run flow as above; the same pinning note applies):
            # - |
            #   if (-not $env:JF_RELEASES_REPO) {
            #     $getFrogbotScriptPath = "https://releases.jfrog.io"
            #   } else {
            #     $getFrogbotScriptPath = "$($env:JF_URL)/artifactory/$($env:JF_RELEASES_REPO)"
            #   }
            #
            #   $scriptUrl = "$($getFrogbotScriptPath)/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh"
            #   Invoke-Expression (Invoke-WebRequest -Uri $scriptUrl -UseBasicParsing).Content
            #   .\frogbot.exe scan-all-pull-requests
            #   .\frogbot.exe scan-multiple-repositories