From b834eb6101a5b1812becde33cac6ba3b9832106c Mon Sep 17 00:00:00 2001
From: kerenr-jfrog
Date: Mon, 19 May 2025 12:21:12 +0300
Subject: [PATCH 1/2] added Frogbot workflows for scanning repository and pull request
---
 .../workflows/frogbot-scan-pull-request.yml | 47 +++++++++++++++++++
 .github/workflows/frogbot-scan-repository.yml | 36 ++++++++++++++
 2 files changed, 83 insertions(+)
 create mode 100644 .github/workflows/frogbot-scan-pull-request.yml
 create mode 100644 .github/workflows/frogbot-scan-repository.yml
diff --git a/.github/workflows/frogbot-scan-pull-request.yml b/.github/workflows/frogbot-scan-pull-request.yml
new file mode 100644
index 0000000..ae580da
--- /dev/null
+++ b/.github/workflows/frogbot-scan-pull-request.yml
@@ -0,0 +1,47 @@
+name: "Frogbot Scan Pull Request"
+on:
+ pull_request_target:
+ types: [ opened, synchronize ]
+permissions:
+ pull-requests: write
+ contents: read
+jobs:
+ scan-pull-request:
+ runs-on: ubuntu-latest
+ # A pull request needs to be approved before Frogbot scans it. Any GitHub user who is associated with the
+ # "frogbot" GitHub environment can approve the pull request to be scanned.
+ environment: frogbot
+ steps:
+ - uses: jfrog/frogbot@v2
+ env:
+ JFROG_CLI_LOG_LEVEL: "DEBUG"
+ # [Mandatory]
+ # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
+ JF_URL: ${{ secrets.FROGBOT_URL }}
+
+ # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+ # JFrog access token with 'read' permissions on Xray service
+ JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }}
+
+ # [Mandatory]
+ # The GitHub token is automatically generated for the job
+ JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # [Optional]
+ # Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans.
+ # SMTP server URL including should the relevant port: (Example: smtp.server.com:8080)
+ JF_SMTP_SERVER: ${{ secrets.JF_SMTP_SERVER }}
+
+ # [Mandatory if JF_SMTP_SERVER is set]
+ # The username required for authenticating with the SMTP server.
+ JF_SMTP_USER: ${{ secrets.JF_SMTP_USER }}
+
+ # [Mandatory if JF_SMTP_SERVER is set]
+ # The password associated with the username required for authentication with the SMTP server.
+ JF_SMTP_PASSWORD: ${{ secrets.JF_SMTP_PASSWORD }}
+
+ # [Optional]
+ # List of comma separated email addresses to receive email notifications about secrets
+ # detected during pull request scanning. The notification is also sent to the email set
+ # in the committer git profile regardless of whether this variable is set or not.
+ JF_EMAIL_RECEIVERS: "jfs-shift-left@jfrog.com"
\ No newline at end of file
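Review bot: The `environment: frogbot` line is the only gate between a fork's pull request and the `secrets.FROGBOT_ACCESS_TOKEN` and pull-request-write `secrets.GITHUB_TOKEN` this job receives, because `pull_request_target` runs in the base repository's context; the workflow does not create that environment, so unless it already exists in repository settings with required reviewers the job runs with no approval at all. The comment above it could say so explicitly, e.g. `# The "frogbot" environment must be configured with required reviewers; without that, pull_request_target would scan fork PRs with repository secrets and no approval.`. `JFROG_CLI_LOG_LEVEL: "DEBUG"` also sends verbose CLI output into workflow logs that everyone who can read the repository's workflow runs can view, so it is better left out (or set to `INFO`) except while troubleshooting — the same line appears in frogbot-scan-repository.yml. Finally, `uses: jfrog/frogbot@v2` tracks a mutable major tag; pinning to a full commit SHA with the version in a trailing comment is the usual hardening for a step that receives platform credentials, in both workflows.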
diff --git a/.github/workflows/frogbot-scan-repository.yml b/.github/workflows/frogbot-scan-repository.yml
new file mode 100644
index 0000000..634ae58
--- /dev/null
+++ b/.github/workflows/frogbot-scan-repository.yml
@@ -0,0 +1,36 @@
+name: "Frogbot Scan Repository"
+on:
+ workflow_dispatch:
+ schedule:
+ # The repository will be scanned once a day at 00:00 GMT.
+ - cron: "0 0 * * *"
+permissions:
+ contents: write
+ pull-requests: write
+ security-events: write
+jobs:
+ scan-repository:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ # The repository scanning will be triggered periodically on the following branches.
+ branch: [ "master" ]
+ steps:
+ - uses: jfrog/frogbot@v2
+ env:
+ JFROG_CLI_LOG_LEVEL: "DEBUG"
+ # [Mandatory]
+ # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
+ JF_URL: ${{ secrets.FROGBOT_URL }}
+
+ # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+ # JFrog access token with 'read' permissions on Xray service
+ JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }}
+
+ # [Mandatory]
+ # The GitHub token is automatically generated for the job
+ JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # [Mandatory]
+ # The name of the branch on which Frogbot will perform the scan
+ JF_GIT_BASE_BRANCH: ${{ matrix.branch }}
\ No newline at end of file
From 59a2c5286adead4c628cffe6de33cb22585fb06a Mon Sep 17 00:00:00 2001
From: kerenr-jfrog
Date: Wed, 4 Jun 2025 16:33:19 +0300
Subject: [PATCH 2/2] fix code review comment
---
 .../workflows/frogbot-scan-pull-request.yml | 21 +------------------
 1 file changed, 1 insertion(+), 20 deletions(-)
diff --git a/.github/workflows/frogbot-scan-pull-request.yml b/.github/workflows/frogbot-scan-pull-request.yml
index ae580da..771f03c 100644
--- a/.github/workflows/frogbot-scan-pull-request.yml
+++ b/.github/workflows/frogbot-scan-pull-request.yml
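Review bot: The `permissions` block grants `contents: write`, `pull-requests: write` and `security-events: write` to a scheduled job with no comment saying which Frogbot feature needs each, so a later reader cannot tell whether `contents: write` (presumably for pushing fix branches) or `security-events: write` (presumably for uploading scan results) could be dropped if that feature is turned off. A one-line comment per key, e.g. `contents: write  # needed to push the fix branches behind the PRs Frogbot opens`, would make the grant auditable. The `branch: [ "master" ]` matrix is the only place the scanned branch is chosen; the comment above it could state that the name must match the repository's default branch, since a mismatch here would only surface as a failing or empty scheduled run. The cron comment says `00:00 GMT` while GitHub evaluates `schedule` in UTC — equivalent in practice, but `UTC` is the term the platform documents.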
@@ -25,23 +25,4 @@ jobs:
 
 # [Mandatory]
 # The GitHub token is automatically generated for the job
- JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- # [Optional]
- # Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans.
- # SMTP server URL including should the relevant port: (Example: smtp.server.com:8080)
- JF_SMTP_SERVER: ${{ secrets.JF_SMTP_SERVER }}
-
- # [Mandatory if JF_SMTP_SERVER is set]
- # The username required for authenticating with the SMTP server.
- JF_SMTP_USER: ${{ secrets.JF_SMTP_USER }}
-
- # [Mandatory if JF_SMTP_SERVER is set]
- # The password associated with the username required for authentication with the SMTP server.
- JF_SMTP_PASSWORD: ${{ secrets.JF_SMTP_PASSWORD }}
-
- # [Optional]
- # List of comma separated email addresses to receive email notifications about secrets
- # detected during pull request scanning. The notification is also sent to the email set
- # in the committer git profile regardless of whether this variable is set or not.
- JF_EMAIL_RECEIVERS: "jfs-shift-left@jfrog.com"
\ No newline at end of file
+ JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file