Update SAST/SCA workflows to refactored versions (#12)

* Update SAST workflow to refactored version * Update SCA workflow with refactored version * Update project name
NordSecurity · Oct 21, 2024 · cecc8ef · cecc8ef
1 parent f39000b
commit cecc8ef
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 100 deletions.
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
@@ -12,41 +12,16 @@ on:
 
 permissions: {} # Remove permissions
 jobs:
-  authorize:
-    environment:
-      ${{(github.event_name == 'pull_request_target' &&
-      github.event.pull_request.head.repo.full_name != github.repository) &&
-      'External' || 'Internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo ✓
   sast:
-    needs: authorize
-    runs-on: sast
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
-        with:
-          ref: ${{github.event.pull_request.head.sha || github.ref}}
-          persist-credentials: 'false' #By default, actions/checkout persists GIT credentials, we do not need this
-      # Checking out SAST composite action
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
-        with:
-          persist-credentials: 'false' #By default, actions/checkout persists GIT credentials, we do not need this
-          repository: NordSecurity/sast-configs
-          ref: main
-          ssh-key: ${{ secrets.SAST_ACTION_KEY }}
-          path: .github/workflows/sast
-          # Checking out only SAST action and composite project configuration action
-          sparse-checkout: |
-            base/sast-action
-            actions/nagger-sast-action
-      - uses: ./.github/workflows/sast/actions/nagger-sast-action
-        with:
-          SAST_TEAM: ${{ secrets.SAST_TEAM }}
-          SAST_URL: ${{ secrets.SAST_URL }}
-          SAST_USERNAME: ${{ secrets.SAST_USERNAME }}
-          SAST_PASSWORD: ${{ secrets.SAST_PASSWORD }}
-          SAST_CLIENT_SECRET: ${{ secrets.SAST_CLIENT_SECRET }}
-          UNC_ACTION_KEY: ${{ secrets.UNC_ACTION_KEY }}
-          UNC_BRANCH_ENABLED: false
+    uses: NordSecurity/security-scanner-workflows/.github/workflows/sast.yml@35c715910e21a4b84949be8c8be3432f5c2911ce
+    secrets:
+      SAST_TEAM: ${{ secrets.SAST_TEAM }}
+      SAST_URL: ${{ secrets.SAST_URL }}
+      SAST_USERNAME: ${{ secrets.SAST_USERNAME }}
+      SAST_PASSWORD: ${{ secrets.SAST_PASSWORD }}
+      SAST_CLIENT_SECRET: ${{ secrets.SAST_CLIENT_SECRET }}
+      SAST_ACTION_KEY: ${{ secrets.SAST_ACTION_KEY }}
+      UNC_ACTION_KEY: ${{ secrets.UNC_ACTION_KEY }}
+    with:
+      project-action-path: nagger-sast-action
+      unc-branch-enabled: false
diff --git a/.github/workflows/sca.yml b/.github/workflows/sca.yml
@@ -8,66 +8,12 @@ on:
 
 permissions: {} # Remove permissions
 jobs:
-  authorize:
-    environment:
-      ${{(github.event_name == 'pull_request_target' &&
-      github.event.pull_request.head.repo.full_name != github.repository) &&
-      'External' || 'Internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo ✓
-  sca-full:
-    needs: authorize
-    runs-on: sca
-    if: github.event_name == 'push'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
-        with:
-          persist-credentials: 'false' #By default, actions/checkout persists GIT credentials, we do not need this
-      # Checking out SCA composite action
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
-        with:
-          persist-credentials: 'false' #By default, actions/checkout persists GIT credentials, we do not need this
-          repository: NordSecurity/sca-configs
-          ref: main
-          ssh-key: ${{ secrets.SCA_ACTION_KEY }}
-          path: .github/workflows/sca
-          # Checking out only SCA action and composite project configuration action
-          sparse-checkout: |
-            base/sca-action
-            SCA/nordsecurity-nagger-sca-action
-      - uses: ./.github/workflows/sca/SCA/nordsecurity-nagger-sca-action
-        with:
-          SCA_URL: ${{ secrets.SCA_URL }}
-          SCA_API_TOKEN: ${{ secrets.SCA_API_TOKEN }}
-          SCA_FULL_SCAN: true
-          UNC_ACTION_KEY: ${{ secrets.UNC_ACTION_KEY }}
-  sca-rapid:
-    needs: authorize
-    runs-on: sca
-    if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
-        with:
-          ref: ${{github.event.pull_request.head.sha || github.ref}}
-          persist-credentials: 'false' #By default, actions/checkout persists GIT credentials, we do not need this
-      # Checking out SCA composite action
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
-        with:
-          persist-credentials: 'false' #By default, actions/checkout persists GIT credentials, we do not need this
-          repository: NordSecurity/sca-configs
-          ref: main
-          ssh-key: ${{ secrets.SCA_ACTION_KEY }}
-          path: .github/workflows/sca
-          # Checking out only SCA action and composite project configuration action
-          sparse-checkout: |
-            base/sca-action
-            SCA/nordsecurity-nagger-sca-action
-      - uses: ./.github/workflows/sca/SCA/nordsecurity-nagger-sca-action
-        with:
-          SCA_URL: ${{ secrets.SCA_URL }}
-          SCA_API_TOKEN: ${{ secrets.SCA_API_TOKEN }}
-          SCA_FULL_SCAN: false
-          UNC_ACTION_KEY: ${{ secrets.UNC_ACTION_KEY }}
+  sca:
+    uses: NordSecurity/security-scanner-workflows/.github/workflows/sca.yml@35c715910e21a4b84949be8c8be3432f5c2911ce
+    secrets:
+      SCA_URL: ${{ secrets.SCA_URL }}
+      SCA_API_TOKEN: ${{ secrets.SCA_API_TOKEN }}
+      SCA_ACTION_KEY: ${{ secrets.SCA_ACTION_KEY }}
+      UNC_ACTION_KEY: ${{ secrets.UNC_ACTION_KEY }}
+    with:
+      project-action-path: nordsecurity-nagger-sca-action