Support multiple artifacts in pipeline scan

Author: veraakarthikbharadwaj

.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml

@@ -30,7 +30,7 @@ jobs:
     steps:
       - name: Verify Veracode API credentials
         id: verify_api_creds
-        uses: veracode/[email protected].5
+        uses: veracode/[email protected].6
         with:
           action: validateVeracodeApiCreds
           token: ${{ github.event.client_payload.token }}
@@ -43,7 +43,7 @@ jobs:
       - name: Verify Policy name
         id: verify_policy_name
         if: success()
-        uses: veracode/[email protected].5
+        uses: veracode/[email protected].6
         with:
           action: validatePolicyName
           token: ${{ github.event.client_payload.token }}
@@ -58,9 +58,13 @@ jobs:
           end_line: ${{ github.event.client_payload.annotationObj.end_line }}
           break_build_invalid_policy: ${{github.event.client_payload.break_build_invalid_policy }}
 
-  pipeline_scan:
-    needs: [register, validations]
+  prepare_pipeline_scan:
     runs-on: ubuntu-latest
+    needs: [register, validations]
+    name: prepare pipeline scan
+    outputs:
+      matrix_files: ${{ steps.get-files.outputs.matrix_files }} 
+
     steps:
       - name: Download artifact
         id: download-artifact
@@ -69,21 +73,71 @@ jobs:
           github-token: ${{ github.event.client_payload.token }}
           repository: ${{ github.event.client_payload.repository.full_name }}
           run-id: ${{ github.event.client_payload.run_id }}
+          name: ${{ github.event.client_payload.repository.artifact_file }}
+          path: ./veracode_artifact_directory
 
+      - name: Get list of files for matrix
+        id: get-files
+        run: |
+          files=$(ls -1 veracode_artifact_directory | jq -R . | jq -s .)
+          echo "Files for matrix: $files"
+          files=$(echo $files | jq -c .)  # Compact the JSON array to a single line
+          echo "matrix_files=$files" >> $GITHUB_OUTPUT
+        shell: bash
+
+  pipeline_scan:
+    runs-on: ubuntu-latest
+    needs: [register, validations, prepare_pipeline_scan]
+    strategy:
+      matrix:
+        file: ${{fromJson(needs.prepare_pipeline_scan.outputs.matrix_files)}}
+
+    steps:
+      - name: checkout repo
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.event.client_payload.repository.owner }}/${{ github.event.client_payload.repository.name }}
+          ref: ${{ github.event.client_payload.user_config.ref }}
+          token: ${{ github.event.client_payload.token }}
+        
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          github-token: ${{ github.event.client_payload.token }}
+          repository: ${{ github.event.client_payload.repository.full_name }}
+          run-id: ${{ github.event.client_payload.run_id }}
+          name: ${{ github.event.client_payload.repository.artifact_file }}
+          path: ./veracode_artifact_directory
+
+      - name: Debug Matrix Content
+        run: |
+          echo "Raw matrix files: ${{ needs.prepare_pipeline_scan.outputs.matrix_files }}"
+          echo "Current Matrix: ${{ matrix }}"
+          echo "Current File: ${{ matrix.file }}"
+
+      # run the pipeline scan action
       - name: Veracode Pipeline-Scan
+        if: always()
         id: pipeline-scan
-        uses: veracode/[email protected].16
+        uses: veracode/[email protected].17
         with:
           vid: ${{ secrets.VERACODE_API_ID }}
           vkey: ${{ secrets.VERACODE_API_KEY }}
           veracode_policy_name: ${{ github.event.client_payload.policy_name }}
-          file: ${{ github.event.client_payload.repository.artifact_file }}
+          file: ./veracode_artifact_directory/${{ matrix.file }}
           fail_build: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
-
+          summary_output: true
+          summary_output_file: ${{ strategy.job-index }}-results.txt
+          json_output: true
+          json_output_file: ${{ strategy.job-index }}-results.json
+          filtered_json_output_file: ${{ strategy.job-index }}-filtered_results.json
+          artifact_name: ${{ matrix.file }}
+          debug: 1
+    
       - name: Veracode Pipeline Results
         if: always()
         id: prepare-results
-        uses: Veracode/[email protected].5
+        uses: veracode/[email protected].6
         with:
           action: 'preparePipelineResults'
           token: ${{ github.event.client_payload.token }}
@@ -95,73 +149,52 @@ jobs:
           fail_checks_on_policy: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
           fail_checks_on_error: ${{ github.event.client_payload.user_config.break_build_on_error }} 
           filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }}
+          filtered_results_file: ${{ strategy.job-index }}-filtered_results.json
 
-  code-scanning-alert:
-    needs: pipeline_scan
-    runs-on: ubuntu-latest
-    if: ${{ github.event.client_payload.user_config.create_code_scanning_alert && always() }}
-    name: Create code scanning alerts
-    steps:
-      - name: Get scan results
-        uses: actions/download-artifact@v4
-        with:
-          name: "Veracode Pipeline-Scan Results - Mitigated findings"
-
-      - name: Convert pipeline scan output to SARIF format for Java language
-        if: ${{ github.event.client_payload.repository.language == 'Java' }}
-        uses: Veracode/[email protected]
+      - name: Convert pipeline scan output to SARIF format
+        if: ${{ github.event.client_payload.user_config.create_code_scanning_alert && always() }}
+        uses: Veracode/[email protected]
         with:
-          pipeline-results-json: filtered_results.json
+          pipeline-results-json: mitigated_${{ strategy.job-index }}-filtered_results.json
           output-results-sarif: veracode-results.sarif
           repo_owner: ${{ github.event.client_payload.repository.owner }}
           repo_name: ${{ github.event.client_payload.repository.name }}
           commitSHA: ${{ github.event.client_payload.sha }}
           ref: ${{ github.event.client_payload.user_config.ref }}
           githubToken: ${{ github.event.client_payload.token }}
-          source-base-path-1: 'com/:src/main/java/com/'
-          source-base-path-2: 'WEB-INF:src/main/webapp/WEB-INF'
 
-      - name: Convert pipeline scan output to SARIF format for non Java language
-        if: ${{ github.event.client_payload.repository.language != 'Java' }}
-        uses: Veracode/veracode-pipeline-scan-results-to-sarif@v2.0.3
+      - name: Create flaws as issues
+        if: ${{ github.event.client_payload.user_config.create_issue && always() }}
+        uses: veracode/veracode-flaws-to-issues@v2.2.25
         with:
-          pipeline-results-json: filtered_results.json
-          output-results-sarif: veracode-results.sarif
-          repo_owner: ${{ github.event.client_payload.repository.owner }}
-          repo_name: ${{ github.event.client_payload.repository.name }}
-          commitSHA: ${{ github.event.client_payload.sha }}
-          ref: ${{ github.event.client_payload.user_config.ref }}
-          githubToken: ${{ github.event.client_payload.token }}
-
-  create-issues:
-    needs: pipeline_scan
-    runs-on: ubuntu-latest
-    if: ${{ github.event.client_payload.user_config.create_issue && always() }}
-    name: Create issues
-    steps:
-      - name: Get scan results
-        uses: actions/download-artifact@v4
-        with:
-          name: 'Veracode Pipeline-Scan Results - Mitigated findings'
-
-      - name: Create flaws as issues for Java language
-        if: ${{ github.event.client_payload.repository.language == 'Java' }}
-        uses: veracode/[email protected]
-        with:
-          scan-results-json: 'filtered_results.json'
+          scan-results-json: mitigated_${{ strategy.job-index }}-filtered_results.json
           repo_owner: ${{ github.event.client_payload.repository.owner }}
           github-token: ${{ github.event.client_payload.token }}
           repo_name: ${{ github.event.client_payload.repository.name }}
           commitHash:  ${{ github.event.client_payload.sha }}
-          source_base_path_1: 'com/:src/main/java/com/'
-          source_base_path_2: 'WEB-INF:src/main/webapp/WEB-INF'
 
-      - name: Create flaws as issues for non Java language
-        if: ${{ github.event.client_payload.repository.language != 'Java' }}
-        uses: veracode/[email protected]
-        with:
-          scan-results-json: 'filtered_results.json'
-          repo_owner: ${{ github.event.client_payload.repository.owner }}
-          github-token: ${{ github.event.client_payload.token }}
-          repo_name: ${{ github.event.client_payload.repository.name }}
-          commitHash:  ${{ github.event.client_payload.sha }}
+  update-checks-status:
+    runs-on: ubuntu-latest
+    needs: pipeline_scan
+    if: always()
+    steps:
+      - name: Update cxheck
+        id: update_check_status
+        shell: bash
+        run: |
+          # Convert JSON string to a proper format for jq processing
+          echo '${{ toJSON(needs) }}' | jq -c 'to_entries[]' | while read -r job; do
+            status=$(echo "$job" | jq -r '.value.result')
+            if [ "$status" = "success" ]; then
+              echo "Job scuccess no need to update"
+              success_count=$((success_count + 1))
+            elif [ "$status" = "failure" ]; then
+              echo "Jobs failed - need checks update"
+              echo '{"status": "completed", "conclusion": "failure"}' > payload.txt
+              curl -X PATCH \
+                -H "Authorization: Bearer ${{ github.event.client_payload.token }}" \
+                -H "Accept: application/vnd.github+json" \
+                https://api.github.com/repos/${{ github.event.client_payload.repository.owner }}/${{ github.event.client_payload.repository.name }}/check-runs/${{ needs.register.outputs.run_id }} \
+                -d @"payload.txt"
+            fi
+          done

.github/workflows/binary-ready-veracode-sast-policy-scan.yml

@@ -30,7 +30,7 @@ jobs:
     steps:
       - name: Verify Veracode API credentials
         id: verify_api_creds
-        uses: veracode/[email protected].5
+        uses: veracode/[email protected].6
         with:
           action: validateVeracodeApiCreds
           token: ${{ github.event.client_payload.token }}
@@ -43,7 +43,7 @@ jobs:
       - name: Verify Policy name
         id: verify_policy_name
         if: success()
-        uses: veracode/[email protected].5
+        uses: veracode/[email protected].6
         with:
           action: validatePolicyName
           token: ${{ github.event.client_payload.token }}
@@ -69,6 +69,8 @@ jobs:
           github-token: ${{ github.event.client_payload.token }}
           repository: ${{ github.event.client_payload.repository.full_name }}
           run-id: ${{ github.event.client_payload.run_id }}
+          name: ${{ github.event.client_payload.repository.artifact_file }}
+          path: ./veracode_artifact_directory
 
       - name: Veracode Upload and Scan Action Step
         uses: veracode/[email protected]
@@ -79,16 +81,16 @@ jobs:
           appname: ${{ github.event.client_payload.user_config.profile_name }}
           createprofile: true
           version: '${{ github.run_id }}'
-          filepath: ${{ github.event.client_payload.repository.artifact_file }}
+          filepath: ./veracode_artifact_directory/
           # include: ${{ github.event.client_payload.modules_to_scan }}
           policy: ${{ github.event.client_payload.policy_name }}
-          scantimeout: 15
+          scantimeout: 30
           failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
 
       - name: Veracode Policy Results
         id: prepare-results
         if: always()
-        uses: Veracode/[email protected].5
+        uses: veracode/[email protected].6
         with:
           action: 'preparePolicyResults'
           token: ${{ github.event.client_payload.token }}
@@ -107,7 +109,7 @@ jobs:
     if: ${{ github.event.client_payload.user_config.sandbox_scan.execute_remove_sandbox_action && always() }}
     name: Remove Sandbox
     steps:
-      - uses: veracode/[email protected].5
+      - uses: veracode/[email protected].6
         with:
           action: 'removeSandbox'
           vid: ${{ secrets.VERACODE_API_ID }}
@@ -127,24 +129,8 @@ jobs:
           name: policy-flaws
           path: /tmp
 
-      - name: Convert policy scan output to SARIF format for Java language
-        if: ${{ github.event.client_payload.repository.language == 'Java' }}
-        uses: Veracode/[email protected]
-        with:
-          scan-type: policy
-          results-json: '/tmp/policy_flaws.json'
-          output-results-sarif: veracode-results.sarif
-          repo_owner: ${{ github.event.client_payload.repository.owner }}
-          repo_name: ${{ github.event.client_payload.repository.name }}
-          commitSHA: ${{ github.event.client_payload.sha }}
-          ref: ${{ github.event.client_payload.user_config.ref }}
-          githubToken: ${{ github.event.client_payload.token }}
-          source-base-path-1: 'com/:src/main/java/com/'
-          source-base-path-2: 'WEB-INF:src/main/webapp/WEB-INF'
-
-      - name: Convert policy scan output to SARIF format for non Java language
-        if: ${{ github.event.client_payload.repository.language != 'Java' }}
-        uses: Veracode/[email protected]
+      - name: Convert policy scan output to SARIF format
+        uses: Veracode/[email protected]
         with:
           scan-type: policy
           results-json: '/tmp/policy_flaws.json'
@@ -167,24 +153,11 @@ jobs:
           name: 'policy-flaws'
           path: /tmp
 
-      - name: Create flaws as issues for Java language
-        if: ${{ github.event.client_payload.repository.language == 'Java' }}
-        uses: veracode/[email protected]
-        with:
-          scan-results-json: '/tmp/policy_flaws.json'
-          repo_owner: ${{ github.event.client_payload.repository.owner }}
-          github-token: ${{ github.event.client_payload.token }}
-          repo_name: ${{ github.event.client_payload.repository.name }}
-          commitHash: ${{ github.event.client_payload.sha }}
-          source_base_path_1: 'com/:src/main/java/com/'
-          source_base_path_2: 'WEB-INF:src/main/webapp/WEB-INF'
-
-      - name: Create flaws as issues for non Java language
-        if: ${{ github.event.client_payload.repository.language != 'Java' }}
-        uses: veracode/[email protected]
+      - name: Create flaws as issues
+        uses: veracode/[email protected]
         with:
           scan-results-json: '/tmp/policy_flaws.json'
           repo_owner: ${{ github.event.client_payload.repository.owner }}
           github-token: ${{ github.event.client_payload.token }}
           repo_name: ${{ github.event.client_payload.repository.name }}
-          commitHash: ${{ github.event.client_payload.sha }}
+          commitHash: ${{ github.event.client_payload.sha }}

.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml

@@ -21,6 +21,8 @@ jobs:
           github-token: ${{ github.event.client_payload.token }}
           repository: ${{ github.event.client_payload.repository.full_name }}
           run-id: ${{ github.event.client_payload.run_id }}
+          name: ${{ github.event.client_payload.repository.artifact_file }}
+          path: ./veracode_artifact_directory
 
       - name: Veracode Upload and Scan Action Step
         id: upload_and_scan
@@ -30,10 +32,10 @@ jobs:
           createprofile: true
           policy: ${{ github.event.client_payload.policy_name }}
           version: '${{ github.run_id }}'
-          filepath: ${{ github.event.client_payload.repository.artifact_file }}
+          filepath: ./veracode_artifact_directory/
           vid: '${{ secrets.VERACODE_API_ID }}'
           vkey: '${{ secrets.VERACODE_API_KEY }}'
           createsandbox: true
           sandboxname: GitHub App Scans-${{ github.event.client_payload.repository.branch }}
           # include: ${{ github.event.client_payload.modules_to_scan }}
-          failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
+          failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }}

.github/workflows/template-register.yaml

@@ -14,7 +14,7 @@ jobs:
     steps:
     - name: Register build
       id: register-build
-      uses: veracode/[email protected].5
+      uses: veracode/[email protected].6
       with:
         action: registerBuild
         token: ${{ github.event.client_payload.token }}

.github/workflows/veracode-code-analysis.yml

@@ -52,7 +52,7 @@ jobs:
     steps:
       - name: Verify Veracode API credentials
         id: verify_api_creds
-        uses: veracode/[email protected].5
+        uses: veracode/[email protected].6
         with:
           action: validateVeracodeApiCreds
           token: ${{ github.event.client_payload.token }}
@@ -65,7 +65,7 @@ jobs:
       - name: Verify Policy name
         id: verify_policy_name
         if: success()
-        uses: veracode/[email protected].5
+        uses: veracode/[email protected].6
         with:
           action: validatePolicyName
           token: ${{ github.event.client_payload.token }}

.github/workflows/veracode-iac-secrets-scan.yml

@@ -30,7 +30,7 @@ jobs:
     steps:
       - name: Verify Veracode API credentials
         id: verify_api_creds
-        uses: veracode/[email protected].5
+        uses: veracode/[email protected].6
         with:
           action: validateVeracodeApiCreds
           token: ${{ github.event.client_payload.token }}