github.com/jfrog/frogbot/v2@v2.21.0/docs/templates/jfrog-pipelines/pipelines-pipenv.yml (about) 1 resources: 2 - name: cron_trigger 3 type: CronTrigger 4 configuration: 5 interval: "0 * * * *" # Run once an hour 6 7 - name: frogbotGitRepo 8 type: GitRepo 9 configuration: 10 gitProvider: gitIntegration 11 path: "{{.jfrog-pipelines.sourceRepository}}" 12 branches: 13 include: ^{{gitBranch}}$ 14 cloneProtocol: https 15 16 pipelines: 17 - name: Frogbot 18 steps: 19 - name: Frogbot_Scan 20 type: Bash # For Windows runner: PowerShell 21 configuration: 22 integrations: 23 - name: jfrogPlatform 24 - name: gitIntegration 25 inputResources: 26 - name: cron_trigger 27 - name: frogbotGitRepo 28 runtime: 29 type: image 30 image: 31 custom: 32 name: python 33 tag: latest 34 environmentVariables: 35 # [Mandatory] 36 # JFrog platform URL 37 JF_URL: $int_jfrogPlatform_url 38 39 # [Mandatory if JF_USER and JF_PASSWORD are not provided] 40 # JFrog access token with 'read' permissions for Xray 41 JF_ACCESS_TOKEN: $int_jfrogPlatform_accessToken 42 43 # [Mandatory for Bitbucket] 44 # Username of the git provider account 45 JF_GIT_USERNAME: "" 46 47 # [Mandatory] 48 # Git provider access token with minimal permissions according to the relevant integration type. 49 # Read more - https://www.jfrog.com/confluence/display/JFROG/Pipelines+Integrations 50 JF_GIT_TOKEN: $int_gitIntegration_token 51 52 # [Mandatory] 53 # Name of your git provider: "bitbucketServer" or "github". 54 JF_GIT_PROVIDER: "" 55 56 # [Mandatory] 57 # API endpoint to your git provider 58 JF_GIT_API_ENDPOINT: $int_gitIntegration_url 59 60 # [Mandatory] 61 # Git provider project owner. 62 JF_GIT_OWNER: "" 63 64 # [Optional] 65 # By default, the Frogbot workflows download the Frogbot executable as well as other tools 66 # needed from https://releases.jfrog.io 67 # If the machine that runs Frogbot has no access to the internet, follow these steps to allow the 68 # executable to be downloaded from an Artifactory instance, which the machine has access to: 69 # 70 # 1. Login to the Artifactory UI, with a user which has admin credentials. 71 # 2. Create a Remote Repository with the following properties set. 72 # Under the 'Basic' tab: 73 # Package Type: Generic 74 # URL: https://releases.jfrog.io 75 # Under the 'Advanced' tab: 76 # Uncheck the 'Store Artifacts Locally' option 77 # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created. 78 # JF_RELEASES_REPO: "" 79 80 # [Optional] 81 # Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans. 82 # SMTP server URL including should the relevant port: (Example: smtp.server.com:8080) 83 # JF_SMTP_SERVER: "" 84 85 # [Mandatory if JF_SMTP_SERVER is set] 86 # The username required for authenticating with the SMTP server. 87 # JF_SMTP_USER: "" 88 89 # [Mandatory if JF_SMTP_SERVER is set] 90 # The password associated with the username required for authentication with the SMTP server. 91 # JF_SMTP_PASSWORD: "" 92 93 # [Optional] 94 # Avoid adding extra info to pull request comments. that isn't related to the scan findings. 95 # JF_AVOID_EXTRA_MESSAGES: "TRUE" 96 97 ########################################################################### 98 ## If your project uses a 'frogbot-config.yml' file, you should define ## 99 ## the following variables inside the file, instead of here. ## 100 ########################################################################### 101 102 # [Mandatory] 103 # Git repository name 104 JF_GIT_REPO: "" 105 106 # [Mandatory] 107 # Repository branch to scan 108 JF_GIT_BASE_BRANCH: $res_frogbotGitRepo_gitRepoSourceDefaultBranch 109 110 # [Optional, default: "."] 111 # Relative path to the root of the project in the Git repository 112 # JF_WORKING_DIR: path/to/project/dir 113 114 # [Default: "*.git*;*node_modules*;*target*;*venv*;*test*"] 115 # List of exclusion patterns (utilizing wildcards) for excluding paths in the source code of the Git repository during SCA scans. 116 # JF_PATH_EXCLUSIONS: "*.git*;*node_modules*;*target*;*venv*;*test*" 117 118 # [Optional] 119 # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches 120 # JF_WATCHES: <watch-1>,<watch-2>...<watch-n> 121 122 # [Optional] 123 # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects 124 # JF_PROJECT: <project-key> 125 126 # [Optional] 127 # Frogbot will download the project dependencies if they're not cached locally. To download the 128 # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no 129 # need to set this value, if it is set in the frogbot-config.yml file. 130 # JF_DEPS_REPO: "" 131 132 # [Optional, default: "FALSE"] 133 # Displays all existing vulnerabilities, including the ones that were added by the pull request. 134 # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE" 135 136 # [Optional, default: "FALSE"] 137 # When adding new comments on pull requests, keep old comments that were added by previous scans. 138 # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE" 139 140 # [Optional, default: "TRUE"] 141 # Fails the Frogbot task if any security issue is found. 142 # JF_FAIL: "FALSE" 143 144 # [Optional] 145 # Relative path to a Pip requirements.txt file. If not set, the python project's dependencies are determined and scanned using the project setup.py file. 146 # JF_REQUIREMENTS_FILE: "" 147 148 # [Optional] 149 # Template for the branch name generated by Frogbot when creating pull requests with fixes. 150 # The template must include {BRANCH_NAME_HASH}, to ensure that the generated branch name is unique. 151 # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables. 152 # JF_BRANCH_NAME_TEMPLATE: "'frogbot-{IMPACTED_PACKAGE}-{BRANCH_NAME_HASH}'" 153 154 # [Optional] 155 # Template for the commit message generated by Frogbot when creating pull requests with fixes 156 # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables. 157 # JF_COMMIT_MESSAGE_TEMPLATE: "'Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}'" 158 159 # [Optional] 160 # Template for the pull request title generated by Frogbot when creating pull requests with fixes. 161 # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables. 162 # JF_PULL_REQUEST_TITLE_TEMPLATE: "'[🐸 Frogbot] Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}'" 163 164 # [Optional, Default: "FALSE"] 165 # If TRUE, Frogbot creates a single pull request with all the fixes. 166 # If FALSE, Frogbot creates a separate pull request for each fix. 167 # JF_GIT_AGGREGATE_FIXES: "FALSE" 168 169 # [Optional, Default: "FALSE"] 170 # Handle vulnerabilities with fix versions only 171 # JF_FIXABLE_ONLY: "TRUE" 172 173 # [Optional] 174 # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests 175 # The following values are accepted: Low, Medium, High or Critical 176 # JF_MIN_SEVERITY: "" 177 178 # [Optional, Default: eco-system+frogbot@jfrog.com] 179 # Set the email of the commit author 180 # JF_GIT_EMAIL_AUTHOR: "" 181 182 # [Optional] 183 # List of comma separated email addresses to receive email notifications about secrets 184 # detected during pull request scanning. The notification is also sent to the email set 185 # in the committer git profile regardless of whether this variable is set or not. 186 # JF_EMAIL_RECEIVERS: "" 187 188 # [Optional] 189 # Set the list of allowed licenses 190 # The full list of licenses can be found in: 191 # https://github.com/jfrog/frogbot/blob/master/docs/licenses.md 192 # JF_ALLOWED_LICENSES: "MIT, Apache-2.0" 193 194 # [Optional] 195 # Add a title to pull request comments generated by Frogbot. 196 # JF_PR_COMMENT_TITLE: "" 197 198 execution: 199 onExecute: 200 - cd $res_frogbotGitRepo_resourcePath 201 - pip install pipenv 202 203 # For Linux/Mac runner: 204 - | 205 export LC_ALL=C.UTF-8 206 export LANG=C.UTF-8 207 getFrogbotScriptPath=$( [[ -z "$JF_RELEASES_REPO" ]] && echo "https://releases.jfrog.io" || echo "${JF_URL}/artifactory/${JF_RELEASES_REPO}" ) 208 curl -fLg "$getFrogbotScriptPath/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh 209 ./frogbot scan-all-pull-requests 210 ./frogbot scan-multiple-repositories 211 212 # For Windows runner: 213 # - | 214 # if (-not $env:JF_RELEASES_REPO) { 215 # $getFrogbotScriptPath = "https://releases.jfrog.io" 216 # } else { 217 # $getFrogbotScriptPath = "$($env:JF_URL)/artifactory/$($env:JF_RELEASES_REPO)" 218 # } 219 # 220 # $scriptUrl = "$($getFrogbotScriptPath)/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" 221 # Invoke-Expression (Invoke-WebRequest -Uri $scriptUrl -UseBasicParsing).Content 222 # .\frogbot.exe scan-all-pull-requests 223 # .\frogbot.exe scan-multiple-repositories