Merge pull request #2 from vishalhcl-5960/ASA-9151

v2 - v4

README.md

@@ -65,28 +65,27 @@ If you don't have an account, register on [HCL AppScan on Cloud (ASoC)](https://
 | application_id | The ID of the application in ASoC. |
 
 # Optional Inputs
-| Name | Description | Default Value | Available options |
-|    :---   |    :---    |    :---    |    :---    |
-| scan_name | The name of the scan created in ASoC. | The GitHub repository name + GITHUB SHA |  |
-| scan_type | The type of the scan | staging | staging, production |
-| dynamic_scan_type | Choose between dast or upload. DAST will require you to specify starting URL and login, while upload will only require you to specify a .scan or .scant file | dast | dast, upload |
-| scan_or_scant_file |(applicable only if **dynamic_scan_type** = upload) Provide the path to the .scan or .scant file here| |  |
-| starting_URL|(applicable only if **dynamic_scan_type** = dast)The starting URL of the DAST scan|https://demo.testfire.net?mode=demo ||
-|optimization|Level of test optimization|Fast|NoOptimization, Fast, Faster, Fastest|
-|network|Set the type of network, if this is set to private, you must have AppScan Presence created in advance|public|public, private|
-|presence_id|(applicable only if network = private)|||
-|login_method|(applicable only if **dynamic_scan_type** = dast)Login Method of the scan, none: no authentication required for the application, userpass: basic username/password authentication, recorded: you will provide a recorded login sequence dast.config file |none|none, userpass, or recorded|
-|login_user|(applicable only if **login_method** = userpass) Type the username used for logging into the application|||
-|login_password|(applicable only if **login_method** = userpass) Type the password used logging into the application|||
-|login_sequence_file|Provide a path to the Login Traffic File data. Supported file type: DAST.CONFIG: AppScan Activity Recorder file|||
-|email_notification|Send email notification uponn scan completion|false|true,false|
-| personal_scan | Make this a [personal scan](https://help.hcltechsw.com/appscan/ASoC/appseccloud_scans_personal.html). | false | true, false|
-|wait_for_analysis|If set to true, the job will suspend and wait until DAST scan is complete before finishing the job| true| true, false|
-|wait_for_analysis_timeout_minutes|(applicable only if **wait_for_analysis** = true) Maximum duration in minutes before the job will no longer wait and proceeds to complete, default is 360 (6 hours)|360||
-|fail_for_noncompliance|If **fail_for_noncompliance** is true, fail the job if any non-compliant issues are found in the scan|false|true, false|
-|fail_by_severity|If **fail_by_severity** is set to true, failure_threshold must also be set. This will fail the job if any issues equal to or higher (more severe) than **failure_threshold** are found in the scan|false|false|
-|failure_threshold|(applicable only if **failure_threshold** = true) Set the severity level that indicates a failure. Lesser severities will not be considered a failure. For example, if **failure_threshold** is set to Medium, Informational and/or Low severity issues will not cause a failure. Medium, High, and/or Critical issues will cause a failure.|High|Informational, Low, Medium, High, Critical|
-|ephemeral_presence|If set to true, a temp instance of AppScan Presence will be deployed in the runner and will be used for the scan. When enabled, this will force **wait_for_analysis** to true and **network** to private regardless of user settings | false| true, false|
+| Name                                   | Description | Default Value                          | Available options |
+|:---------------------------------------|    :---    |:---------------------------------------|    :---    |
+| scan_name                              | The name of the scan created in ASoC. | The GitHub repository name + GITHUB SHA | |                                        |
+| dynamic_scan_type                      | Choose between dast or upload. DAST will require you to specify starting URL and login, while upload will only require you to specify a .scan or .scant file | dast                                   | dast, upload |
+| scan_or_scant_file                     |(applicable only if **dynamic_scan_type** = upload) Provide the path to the .scan or .scant file here|                                        | |
+| starting_URL                           |(applicable only if **dynamic_scan_type** = dast)The starting URL of the DAST scan| https://demo.testfire.net?mode=demo    ||
+| optimization                           |Level of test optimization| Fast                                   |NoOptimization, Fast, Faster, Fastest|
+| network                                |Set the type of network, if this is set to private, you must have AppScan Presence created in advance| public                                 |public, private|
+| presence_id                            |(applicable only if network = private)|||
+| login_method                           |(applicable only if **dynamic_scan_type** = dast)Login Method of the scan, none: no authentication required for the application, userpass: basic username/password authentication, recorded: you will provide a recorded login sequence dast.config file | none                                   |none, userpass, or recorded|
+| login_user                             |(applicable only if **login_method** = userpass) Type the username used for logging into the application|||
+| login_password                         |(applicable only if **login_method** = userpass) Type the password used logging into the application|||
+| login_sequence_file                    |Provide a path to the Login Traffic File data. Supported file type: DAST.CONFIG: AppScan Activity Recorder file|||
+| email_notification                     |Send email notification uponn scan completion| false                                  |true,false|
+| personal_scan                          | Make this a [personal scan](https://help.hcltechsw.com/appscan/ASoC/appseccloud_scans_personal.html). | false                                  | true, false|
+| wait_for_analysis                      |If set to true, the job will suspend and wait until DAST scan is complete before finishing the job| true                                   | true, false|
+| wait_for_analysis_timeout_minutes      |(applicable only if **wait_for_analysis** = true) Maximum duration in minutes before the job will no longer wait and proceeds to complete, default is 360 (6 hours)| 360                                    ||
+| fail_for_noncompliance                 |If **fail_for_noncompliance** is true, fail the job if any non-compliant issues are found in the scan| false                                  |true, false|
+| fail_by_severity                       |If **fail_by_severity** is set to true, failure_threshold must also be set. This will fail the job if any issues equal to or higher (more severe) than **failure_threshold** are found in the scan| false                                  |false|
+| failure_threshold                      |(applicable only if **failure_threshold** = true) Set the severity level that indicates a failure. Lesser severities will not be considered a failure. For example, if **failure_threshold** is set to Medium, Informational and/or Low severity issues will not cause a failure. Medium, High, and/or Critical issues will cause a failure.| High                                   |Informational, Low, Medium, High, Critical|
+| ephemeral_presence                     | If set to true, a temp instance of AppScan Presence will be deployed in the runner and will be used for the scan. When enabled, this will force **wait_for_analysis** to true and **network** to private regardless of user settings                                                                                                      | false                                  | true, false                              |
 
 # Example 1 - DAST scan with basic username and password login method, using the public network
 ```yaml
@@ -98,15 +97,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Run ASoC DAST Scan
-        uses: HCL-TECH-SOFTWARE/appscan-dast-action@v1.0.5
+        uses: HCL-TECH-SOFTWARE/appscan-dast-action@v1.0.6
         with:
           baseurl:  https://cloud.appscan.com
           asoc_key: ${{secrets.ASOC_KEY}}
           asoc_secret: ${{secrets.ASOC_SECRET}}
           application_id: acd3ef50-6276-461d-8514-abc6e7113577
-          scan_type: 'staging'
           dynamic_scan_type: dast
           starting_URL: 'https://demo.testfire.net?mode=demo'
           login_method: userpass
@@ -115,7 +113,7 @@ jobs:
           network: public
           fail_for_noncompliance: false
           wait_for_analysis: true
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         name: Upload HCL AppScan HTML Report to Github Artifacts
         with:
           name: AppScan Security Scan HTML Report 
@@ -133,22 +131,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Run ASoC DAST Scan
-        uses: HCL-TECH-SOFTWARE/appscan-dast-action@v1.0.5
+        uses: HCL-TECH-SOFTWARE/appscan-dast-action@v1.0.6
         with:
           baseurl:  https://cloud.appscan.com
           asoc_key: ${{secrets.ASOC_KEY}}
           asoc_secret: ${{secrets.ASOC_SECRET}}
           application_id: acd3ef50-6276-461d-8514-abc6e7113577
-          scan_type: 'staging'
           dynamic_scan_type: upload
           scan_or_scant_file: 'altoro.scant'
           network: private
           presence_id: f185efda-67bf-ed11-ba76-14cb65723612
           fail_for_noncompliance: false
           wait_for_analysis: true
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         name: Upload HCL AppScan HTML Report to Github Artifacts
         with:
           name: AppScan Security Scan HTML Report 
@@ -165,20 +162,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Run ASoC DAST Scan
-        uses: HCL-TECH-SOFTWARE/appscan-dast-action@v1.0.5
+        uses: HCL-TECH-SOFTWARE/appscan-dast-action@v1.0.6
 
         with:
           baseurl:  https://cloud.appscan.com
           asoc_key: ${{secrets.ASOC_KEY}}
           asoc_secret: ${{secrets.ASOC_SECRET}}
           application_id: acd3ef50-6276-461d-8514-abc6e7113577
-          scan_type: 'staging'
           dynamic_scan_type: dast
           starting_URL: 'https://demo.testfire.net'
           ephemeral_presence: true
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         name: Upload HCL AppScan HTML Report to Github Artifacts
         with:
           name: AppScan Security Scan HTML Report 

action.yml

@@ -1,4 +1,4 @@
-# Copyright 2023 HCL America
+# Copyright 2023, 2024 HCL America
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -34,10 +34,10 @@ inputs:
   scan_name:
     description: 'The name of the scan created in ASoC.'
     required: false
-  scan_type:
-    description: 'The type of scan - staging or production'
-    required: false
-    default: 'staging'
+  #scan_type:
+  # description: 'The type of scan - staging or production'
+  # required: false
+  # default: 'staging'
 
   #dast or scan file
   dynamic_scan_type: 
@@ -93,7 +93,7 @@ inputs:
 
   #misc settings
   email_notification:
-    description: 'Send email notification uponn scan completion'
+    description: 'Send email notification upon scan completion'
     required: false
     default: 'false'
 
@@ -132,7 +132,7 @@ inputs:
     default: 'High'
 
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'main.js'
   post: 'cancelJob.js'
   post-if: cancelled()