---
# Step metadata for credentialdiggerScan: scans a GitHub repository (full
# repo, a snapshot, or a pull request) for hard-coded credentials using
# Credential Digger.
metadata:
  name: credentialdiggerScan
  description: Scan a repository on GitHub with Credential Digger
  longDescription: |
    This step allows you to scan a repository on Github using Credential Digger.

    It can for example be used for DevSecOps scenarios to verify the source code does not contain hard-coded credentials before being merged or released for production.
    It supports several scan flavors, i.e., full scans of a repo, scan of a snapshot, or scan of a pull request.

spec:
  inputs:
    # Jenkins credential that backs the `token` parameter below (see resourceRef).
    secrets:
      - name: githubTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
        type: jenkins

    # Parameter entries are written in a fixed key order
    # (name, aliases, description, type, scope, mandatory, default, ...)
    # for diffability; YAML mappings are unordered, so this changes nothing.
    params:
      # Target repository; falls back to the current repository when unset.
      - name: repository
        aliases:
          - name: githubRepo
        description: URL of the GitHub repository (was name, but we need the url). In case it's missing, use the URL of the current repository.
        type: string
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        mandatory: false

      # Scan flavor selectors: snapshot (commit/branch) or pull request number.
      - name: snapshot
        description: If set, scan the snapshot of the repository at this commit_id/branch.
        type: string
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        mandatory: false

      - name: prNumber
        description: If set, scan the pull request open with this number.
        type: int
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        mandatory: false

      # When true, non-leak findings are exported too (larger, noisier report).
      - name: exportAll
        description: Export all the findings, i.e., including non-leaks.
        type: bool
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false

      # GitHub API endpoint; required for pull-request scans. Defaults to
      # github.com, override for GitHub Enterprise instances.
      - name: apiUrl
        aliases:
          - name: githubApiUrl
        description: Set the GitHub API url. Needed for scanning a pull request.
        type: string
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        mandatory: true
        default: 'https://api.github.com'

      # Verbose scanner output. NOTE(review): debug logs may echo more of the
      # scanned content than the report itself — keep off in shared logs unless needed.
      - name: debug
        aliases:
          - name: verbose
        description: Execute the scans in debug mode (i.e., print logs).
        type: bool
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: false

      # Remote ruleset, fetched at scan time and taking precedence over
      # `rulesFile`. NOTE(review): nothing in this metadata constrains the
      # download (HTTPS only, integrity check) — confirm the step does.
      - name: rulesDownloadUrl
        description: URL where to download custom rules. The file published at this URL must be formatted as the default ruleset https://raw.githubusercontent.com/SAP/credential-digger/main/ui/backend/rules.yml
        type: string
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        mandatory: false

      # ML models used to classify findings as leak / non-leak.
      - name: models
        description: Machine learning models to automatically verify the findings.
        type: '[]string'
        scope:
          - PARAMETERS
          - STAGES
          - STEPS

      # GitHub access token. Declared `secret: true` and resolved through
      # resourceRef: either the Jenkins credential `githubTokenCredentialsId`
      # or a Vault secret (default name `github`). Pass it via one of those
      # rather than as a literal pipeline parameter.
      - name: token
        aliases:
          - name: githubToken
          - name: access_token
        description: GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
        type: string
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        mandatory: true
        secret: true
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - name: githubVaultSecretName
            type: vaultSecret
            default: github

      # Local (stashed) ruleset; ignored when `rulesDownloadUrl` is set.
      - name: rulesFile
        description: Name of the rules file used locally within the step. If a remote files for rules is declared as `rulesDownloadUrl`, the stashed file is ignored. If you change the file's name make sure your stashing configuration also reflects this.
        type: string
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        mandatory: false
        default: inputs/rules.yml

  outputs:
    resources:
      # CSV report(s) produced by the scan; the pattern starts with `*`, so it
      # must stay quoted or YAML reads it as an alias.
      - name: report
        type: report
        params:
          - filePattern: '**/report*.csv'
            type: credentialdigger-report

  # NOTE(review): the scanner image is pinned by tag only. A digest pin
  # (`image@sha256:<digest>`) would make pulls reproducible and tamper-evident.
  containers:
    - image: 'credentialdigger.int.repositories.cloud.sap/credential_digger:4.9.2'