Skip to content

Frogbot Scan Repository #467

Frogbot Scan Repository

Frogbot Scan Repository #467

name: "Frogbot Scan Repository"
on:
workflow_dispatch:
schedule:
# The repository will be scanned once a day at 00:00 GMT.
- cron: "0 0 * * *"
permissions:
contents: write
pull-requests: write
security-events: write
jobs:
scan-repository:
name: Scan Repository (${{ matrix.branch }} branch)
runs-on: ubuntu-latest
strategy:
matrix:
# The repository scanning will be triggered periodically on the following branches.
branch: [ "dev" ]
steps:
- name: Setup Go with cache
uses: jfrog/.github/actions/install-go-with-cache@main
- uses: jfrog/frogbot@v2
env:
JFROG_CLI_LOG_LEVEL: "DEBUG"
# [Mandatory]
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
JF_URL: ${{ secrets.FROGBOT_URL }}
# [Mandatory if JF_USER and JF_PASSWORD are not provided]
# JFrog access token with 'read' permissions on Xray service
JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }}
# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
# JF_USER: ${{ secrets.JF_USER }}
# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog password. Must be provided with JF_USER
# JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
# [Mandatory]
# The GitHub token is automatically generated for the job
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# [Mandatory]
# The name of the branch on which Frogbot will perform the scan
JF_GIT_BASE_BRANCH: ${{ matrix.branch }}
# [Optional, default: https://api.github.com]
# API endpoint to GitHub
# JF_GIT_API_ENDPOINT: https://github.example.com
# [Optional]
# By default, the Frogbot workflows download the Frogbot executable as well as other tools
# needed from https://releases.jfrog.io
# If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
# executable to be downloaded from an Artifactory instance, which the machine has access to:
#
# 1. Login to the Artifactory UI, with a user who has admin credentials.
# 2. Create a Remote Repository with the following properties set.
# Under the 'Basic' tab:
# Package Type: Generic
# URL: https://releases.jfrog.io
# Under the 'Advanced' tab:
# Uncheck the 'Store Artifacts Locally' option
# 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
# JF_RELEASES_REPO: ""
##########################################################################
## If your project uses a 'frogbot-config.yml' file, you can define ##
## the following variables inside the file, instead of here. ##
##########################################################################
# [Optional, default: "."]
# Relative path to the root of the project in the Git repository
# JF_WORKING_DIR: path/to/project/dir
# [Optional]
# Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
# JF_WATCHES: <watch-1>,<watch-2>...<watch-n>
# [Optional]
# JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
# JF_PROJECT: <project-key>
# [Optional, default: "TRUE"]
# Fails the Frogbot task if any security issue is found.
# JF_FAIL: "FALSE"
# [Optional]
# Frogbot will download the project dependencies, if they're not cached locally. To download the
# dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
# need to set this value, if it is set in the frogbot-config.yml file.
# JF_DEPS_REPO: ""
# [Optional]
# Template for the branch name generated by Frogbot when creating pull requests with fixes.
# The template must include ${BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
# The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
# JF_BRANCH_NAME_TEMPLATE: "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}"
# [Optional]
# Template for the commit message generated by Frogbot when creating pull requests with fixes
# The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
# JF_COMMIT_MESSAGE_TEMPLATE: "Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
# [Optional]
# Template for the pull request title generated by Frogbot when creating pull requests with fixes.
# The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
# JF_PULL_REQUEST_TITLE_TEMPLATE: "[🐸 Frogbot] Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
# [Optional, Default: "FALSE"]
# If TRUE, Frogbot creates a single pull request with all the fixes.
# If FALSE, Frogbot creates a separate pull request for each fix.
# JF_GIT_AGGREGATE_FIXES: "FALSE"
# [Optional, Default: "FALSE"]
# Handle vulnerabilities with fix versions only
# JF_FIXABLE_ONLY: "TRUE"
# [Optional]
# Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
# The following values are accepted: Low, Medium, High or Critical
# JF_MIN_SEVERITY: ""
# [Optional, Default: [email protected]]
# Set the email of the commit author
# JF_GIT_EMAIL_AUTHOR: ""