diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index eb8bc22..93e71dc 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,6 @@
 version: 2
 updates:
 - package-ecosystem: "pip"
- directory: "/examples/dependabot-alerts-example"
+ directory: "/examples/dependabot"
 schedule:
 interval: "daily"
diff --git a/.github/workflows/cypress-evidence-example.yml b/.github/workflows/cypress-evidence-example.yml
index 42e5f52..5000162 100644
--- a/.github/workflows/cypress-evidence-example.yml
+++ b/.github/workflows/cypress-evidence-example.yml
@@ -27,11 +27,11 @@ jobs:
 uses: actions/checkout@v4
 with:
 sparse-checkout: |
- examples/cypress-test-reports-example/**
+ examples/cypress/**
 sparse-checkout-cone-mode: false
 - name: Build and publish Docker image
 run: |
- docker build . --file ./examples/cypress-test-reports-example/Dockerfile --tag $REGISTRY_URL/$REPO_NAME/$IMAGE_NAME:$TAG_NAME
+ docker build . --file ./examples/cypress/Dockerfile --tag $REGISTRY_URL/$REPO_NAME/$IMAGE_NAME:$TAG_NAME
 jf rt docker-push $REGISTRY_URL/$REPO_NAME/$IMAGE_NAME:$TAG_NAME $REPO_NAME --build-name=$BUILD_NAME --build-number=$BUILD_NUMBER
 jf rt build-publish $BUILD_NAME $BUILD_NUMBER
@@ -46,25 +46,25 @@ jobs:
 quiet: true
 wait-on: 'http://localhost:3000/app.html'
 wait-on-timeout: 120
- working-directory: examples/cypress-test-reports-example
+ working-directory: examples/cypress
 env:
 CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }}
 continue-on-error: true
 - name: Merge Cypress results
 run: npm run merge-results
- working-directory: examples/cypress-test-reports-example
+ working-directory: examples/cypress
 # This is an optional step to generate a markdown report
 - name: Generate optional markdown report
 if: env.ATTACH_OPTIONAL_MARKDOWN_TO_EVIDENCE == 'true'
 run: npm run generate:md
- working-directory: examples/cypress-test-reports-example
+ working-directory: examples/cypress
 env:
 IMAGE_REF: ${{ env.REGISTRY_URL }}/${{ env.REPO_NAME }}/${{ env.IMAGE_NAME }}:${{ env.TAG_NAME }}
 #Steps to attach evidence to the package
 - name: Attach evidence to the package
- working-directory: examples/cypress-test-reports-example
+ working-directory: examples/cypress
 run: |
 jf evd create \
 --package-name $IMAGE_NAME \
diff --git a/.github/workflows/dependabot-evidence-example.yml b/.github/workflows/dependabot-evidence-example.yml
index 56b3182..80b41cc 100644
--- a/.github/workflows/dependabot-evidence-example.yml
+++ b/.github/workflows/dependabot-evidence-example.yml
@@ -28,7 +28,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Build and Push Docker Image to Artifactory
 run: |
- docker build -f ./examples/dependabot-alerts-example/Dockerfile . --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION
+ docker build -f ./examples/dependabot/Dockerfile . --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION
 jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=$VERSION
 # Fetch Dependabot Vulnerability Snapshot
@@ -64,7 +64,7 @@ jobs:
 IMAGE_ID=$(docker images --format "{{.ID}}" "$ARTIFACT_NAME")
 IMAGE_SIZE=$(docker images --format "{{.Size}}" "$ARTIFACT_NAME" | sed 's/MB//' | awk '{print $1 * 1024 * 1024}')
 SCAN_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
- python ./examples/dependabot-alerts-example/markdown_helper.py \
+ python ./examples/dependabot/markdown_helper.py \
 "dependabot.json" \
 "dependabot_report.md" \
 "$REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION" \
diff --git a/.github/workflows/trivy-evidence-example.yml b/.github/workflows/trivy-evidence-example.yml
index 73b315f..f193d47 100644
--- a/.github/workflows/trivy-evidence-example.yml
+++ b/.github/workflows/trivy-evidence-example.yml
@@ -28,7 +28,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Build and publish Docker Image to Artifactory
 run: |
- docker build . --file ./examples/trivy-verify-example/Dockerfile --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION
+ docker build . --file ./examples/trivy/Dockerfile --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION
 echo "Pushing Docker Image to Artifactory"
 jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=${{ github.run_number }}
 echo "Pushing Docker Image to Artifactory completed"
@@ -48,7 +48,7 @@ jobs:
 - name: Generate optional custom markdown report
 if: env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true'
 run: |
- python ./examples/trivy-verify-example/trivy_json_to_markdown_helper.py trivy-results.json
+ python ./examples/trivy/trivy_json_to_markdown_helper.py trivy-results.json
 # Attaching the evidence to associated package
 - name: Attach evidence using jfrog cli
diff --git a/examples/codeql/README.md b/examples/codeql/README.md
index 5e3d908..745ad69 100644
--- a/examples/codeql/README.md
+++ b/examples/codeql/README.md
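Review bot: The new `docker build . --file ./examples/trivy/Dockerfile` line in the trivy-evidence-example hunk points at a Dockerfile that this commit renames at 100% similarity, i.e. with no content change, whereas the cypress and dependabot Dockerfiles in the same commit needed their COPY paths rewritten to the new directory. If the Trivy Dockerfile copies anything from `examples/trivy-verify-example/...`, the build now fails at that COPY step; that file's contents are not in the diff, so confirm it has no path under the old directory name, or update it in this commit. The `run: |` block of this step continues outside the hunk.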
@@ -19,36 +19,30 @@ The workflow performs CodeQL analysis on Go and JavaScript codebases, publishes - Go - JavaScript -## Workflow Steps -1. **Checkout Repository** - - Performs sparse checkout of required directories - - Only checks out the necessary CodeQL examples and queries - -2. **Setup CodeQL** - - Initializes CodeQL for the specified language - - Configures custom queries from `examples/codeql/queries/{language}` - -3. **Setup Build Environment** - - For Go: Installs Go 1.24.3 - - For JavaScript: Installs Node.js - - Configures JFrog CLI with Artifactory credentials - -4. **Run CodeQL Analysis** - - Performs CodeQL analysis for security and quality - - Generates SARIF format results - - Saves results without uploading to GitHub - -5. **Build and Publish Packages** - - For Go: - - Configures JFrog CLI for Go repository - - Publishes package to Artifactory Go repository - - For JavaScript: - - Configures JFrog CLI for npm repository - - Publishes package to Artifactory npm repository - -6. 
**Attach Evidence** - - Attaches CodeQL analysis results as signed evidence to the published packages - +## Workflow + +```mermaid +graph TD + A[Workflow Dispatch Trigger] --> Matrix{Language Matrix: Go or JavaScript?} + Matrix --> |Go|GoSetup[Setup JFrog CLI] + Matrix --> |JavaScript|JSSetup[Setup Jfrog CLI] + JSSetup -->JSCheckout[Checkout Repository] + GoSetup -->GoCheckout[Checkout Repository] + JSCheckout -->I[Set up CodeQL for JavaScript] + GoCheckout -->H[Set up CodeQL for Go] + H --> J[Run CodeQL Analysis for Go] + I --> K[Run CodeQL Analysis for JavaScript] + J --> L{Attach Optional Custom Markdown Report?} + K --> M{Attach Optional Custom Markdown Report?} + L -->|Yes| N[Generate Markdown Report for Go] + L -->|No| O[Skip Markdown Report for Go] + M -->|Yes| P[Generate Markdown Report for JavaScript] + M -->|No| Q[Skip Markdown Report for JavaScript] + N --> R[Attach Evidence for Go] + O --> R[Attach Evidence for Go] + P --> S[Attach Evidence for JavaScript] + Q --> S[Attach Evidence for JavaScript] +``` ## Environment Setup ### Go Package Configuration diff --git a/examples/cypress-test-reports-example/Dockerfile b/examples/cypress/Dockerfile similarity index 82% rename from examples/cypress-test-reports-example/Dockerfile rename to examples/cypress/Dockerfile index bda63ad..24296e8 100644 --- a/examples/cypress-test-reports-example/Dockerfile +++ b/examples/cypress/Dockerfile @@ -5,7 +5,7 @@ FROM node:20 WORKDIR /app # Copy package files and install dependencies -COPY examples/cypress-test-reports-example/package*.json ./ +COPY examples/cypress/package*.json ./ RUN npm install # Copy the rest of the app diff --git a/examples/cypress-test-reports-example/README.md b/examples/cypress/README.md similarity index 78% rename from examples/cypress-test-reports-example/README.md rename to examples/cypress/README.md index 45885b7..1c0551a 100644 --- a/examples/cypress-test-reports-example/README.md +++ b/examples/cypress/README.md 
@@ -30,23 +30,21 @@ The workflow builds a Docker image, runs Cypress tests, generates test result ev - `ATTACH_OPTIONAL_MARKDOWN_TO_EVIDENCE` - Set to `true` to attach a Markdown report as evidence - `UPLOAD_CYPRESS_REPORT_TO_CLOUD` - Set to `true` to record Cypress results to the Cypress Dashboard -## Workflow Steps - -1. **Install JFrog CLI** - - Installs the JFrog CLI using the official GitHub Action. -2. **Checkout Repository** - - Checks out the source code for the build context. -3. **Build and Publish Docker Image** - - Builds the Docker image and pushes it to Artifactory using JFrog CLI. -4. **Run Cypress Tests** - - Runs Cypress end-to-end tests, records results, and waits for the application to be available. -5. **Merge Cypress Results** - - Merges Cypress test results into a single JSON file. -6. **Generate Optional Markdown Report** - - If enabled, generates a Markdown report from the Cypress results. -7. **Attach Cypress Evidence Using JFrog CLI** - - Attaches the Cypress test results as signed evidence to the Docker image package in Artifactory. +## Workflow +```mermaid +graph TD + A[Workflow Dispatch Trigger] --> B[Setup JFrog CLI] + B --> C[Checkout Repository] + C --> D[Build and Publish Docker Image] + D --> E[Run Cypress Tests] + E --> F[Merge Cypress Results] + F --> G{Attach Optional Markdown Report?} + G -->|Yes| H[Generate Markdown Report] + G -->|No| I[Skip Markdown Report] + H --> J[Attach Evidence to Package] + I --> J[Attach Evidence to Package] +``` ## Example Usage You can trigger the workflow manually from the GitHub Actions tab. The workflow will: 
@@ -60,7 +58,7 @@ You can trigger the workflow manually from the GitHub Actions tab. The workflow - **Build and Push Docker Image:** ```bash - docker build . --file ./examples/cypress-test-reports-example/Dockerfile --tag $REGISTRY_URL/$REPO_NAME/$IMAGE_NAME:$TAG_NAME + docker build . --file ./examples/cypress/Dockerfile --tag $REGISTRY_URL/$REPO_NAME/$IMAGE_NAME:$TAG_NAME jf rt docker-push $REGISTRY_URL/$REPO_NAME/$IMAGE_NAME:$TAG_NAME $REPO_NAME --build-name=$BUILD_NAME --build-number=$BUILD_NUMBER jf rt build-publish $BUILD_NAME $BUILD_NUMBER ``` diff --git a/examples/cypress-test-reports-example/cypress.config.js b/examples/cypress/cypress.config.js similarity index 83% rename from examples/cypress-test-reports-example/cypress.config.js rename to examples/cypress/cypress.config.js index 4489385..8c01e17 100644 --- a/examples/cypress-test-reports-example/cypress.config.js +++ b/examples/cypress/cypress.config.js @@ -1,7 +1,7 @@ const { defineConfig } = require("cypress"); module.exports = defineConfig({ - projectId: "cypress-test-reports-example", // Replace with your actual project ID + projectId: "cypress-example", // Replace with your actual project ID fixturesFolder: false, reporter: "mochawesome", reporterOptions: { diff --git a/examples/cypress-test-reports-example/cypress/e2e/app.cy.js b/examples/cypress/cypress/e2e/app.cy.js similarity index 100% rename from examples/cypress-test-reports-example/cypress/e2e/app.cy.js rename to examples/cypress/cypress/e2e/app.cy.js diff --git a/examples/cypress-test-reports-example/cypress/e2e/server.cy.js b/examples/cypress/cypress/e2e/server.cy.js similarity index 100% rename from examples/cypress-test-reports-example/cypress/e2e/server.cy.js rename to examples/cypress/cypress/e2e/server.cy.js 
diff --git a/examples/cypress-test-reports-example/cypress/screenshots/app.cy.js/App Homepage - Title and Error Handling Tests -- should throw an error when a non-existent input is typed into (failed).png b/examples/cypress/cypress/screenshots/app.cy.js/App Homepage - Title and Error Handling Tests -- should throw an error when a non-existent input is typed into (failed).png similarity index 100% rename from examples/cypress-test-reports-example/cypress/screenshots/app.cy.js/App Homepage - Title and Error Handling Tests -- should throw an error when a non-existent input is typed into (failed).png rename to examples/cypress/cypress/screenshots/app.cy.js/App Homepage - Title and Error Handling Tests -- should throw an error when a non-existent input is typed into (failed).png diff --git a/examples/cypress-test-reports-example/cypress/screenshots/server.cy.js/Server Homepage - Title and Error Handling Tests -- should throw an error when a non-existent input is typed into (failed).png b/examples/cypress/cypress/screenshots/server.cy.js/Server Homepage - Title and Error Handling Tests -- should throw an error when a non-existent input is typed into (failed).png similarity index 100% rename from examples/cypress-test-reports-example/cypress/screenshots/server.cy.js/Server Homepage - Title and Error Handling Tests -- should throw an error when a non-existent input is typed into (failed).png rename to examples/cypress/cypress/screenshots/server.cy.js/Server Homepage - Title and Error Handling Tests -- should throw an error when a non-existent input is typed into (failed).png diff --git a/examples/cypress-test-reports-example/cypress/support/commands.js b/examples/cypress/cypress/support/commands.js similarity index 100% rename from examples/cypress-test-reports-example/cypress/support/commands.js rename to examples/cypress/cypress/support/commands.js 
diff --git a/examples/cypress-test-reports-example/cypress/support/e2e.js b/examples/cypress/cypress/support/e2e.js similarity index 100% rename from examples/cypress-test-reports-example/cypress/support/e2e.js rename to examples/cypress/cypress/support/e2e.js diff --git a/examples/cypress-test-reports-example/package-lock.json b/examples/cypress/package-lock.json similarity index 99% rename from examples/cypress-test-reports-example/package-lock.json rename to examples/cypress/package-lock.json index 5d753f6..095e3d5 100644 --- a/examples/cypress-test-reports-example/package-lock.json +++ b/examples/cypress/package-lock.json @@ -1,11 +1,11 @@ { - "name": "cypress-test-reports-example", + "name": "cypress-example", "version": "1.0.0", "lockfileVersion": 3, "requires": true, "packages": { "": { - "name": "cypress-test-reports-example", + "name": "cypress-example", "version": "1.0.0", "license": "ISC", "dependencies": { diff --git a/examples/cypress-test-reports-example/package.json b/examples/cypress/package.json similarity index 94% rename from examples/cypress-test-reports-example/package.json rename to examples/cypress/package.json index 01a7e8b..9e4e39f 100644 --- a/examples/cypress-test-reports-example/package.json +++ b/examples/cypress/package.json @@ -1,5 +1,5 @@ { - "name": "cypress-test-reports-example", + "name": "cypress", "version": "1.0.0", "description": "", "main": "cypress.config.js", diff --git a/examples/cypress-test-reports-example/scripts/generate-report-md.js b/examples/cypress/scripts/generate-report-md.js similarity index 100% rename from examples/cypress-test-reports-example/scripts/generate-report-md.js rename to examples/cypress/scripts/generate-report-md.js diff --git a/examples/cypress-test-reports-example/src/public/app.html b/examples/cypress/src/public/app.html similarity index 100% rename from examples/cypress-test-reports-example/src/public/app.html rename to examples/cypress/src/public/app.html 
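Review bot: The package.json hunk sets `"name": "cypress"`, which is also the name of the Cypress test runner this project installs; npm refuses to install a dependency whose name equals the root package name, so `npm install` in the renamed Dockerfile would fail if `cypress` is in the dependencies block (that block is outside the hunk). The lockfile hunk in the same commit renames the root to `cypress-example`, as does `projectId` in cypress.config.js, so the three now disagree. Use the same non-colliding name in package.json: `"name": "cypress-example",`.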
diff --git a/examples/cypress-test-reports-example/src/public/server.html b/examples/cypress/src/public/server.html similarity index 100% rename from examples/cypress-test-reports-example/src/public/server.html rename to examples/cypress/src/public/server.html diff --git a/examples/cypress-test-reports-example/src/server.js b/examples/cypress/src/server.js similarity index 100% rename from examples/cypress-test-reports-example/src/server.js rename to examples/cypress/src/server.js diff --git a/examples/dependabot-alerts-example/Dockerfile b/examples/dependabot/Dockerfile similarity index 67% rename from examples/dependabot-alerts-example/Dockerfile rename to examples/dependabot/Dockerfile index 083aa10..fe51350 100644 --- a/examples/dependabot-alerts-example/Dockerfile +++ b/examples/dependabot/Dockerfile @@ -2,7 +2,7 @@ FROM python:3.7-slim-buster WORKDIR /app -COPY ./examples/dependabot-alerts-example/requirements.txt . +COPY ./examples/dependabot/requirements.txt . RUN pip install --no-cache-dir -r requirements.txt diff --git a/examples/dependabot-alerts-example/README.md b/examples/dependabot/README.md similarity index 80% rename from examples/dependabot-alerts-example/README.md rename to examples/dependabot/README.md index a2cfeda..07096ba 100644 --- a/examples/dependabot-alerts-example/README.md +++ b/examples/dependabot/README.md 
@@ -27,22 +27,20 @@ The workflow builds a Docker image, fetches open Dependabot vulnerability alerts - `VERSION` - Image version - `BUILD_NAME` - Name for the build info -## Workflow Steps -1. **Checkout Repository** - - Checks out the source code for the build context. -2. **Setup JFrog CLI** - - Install and Setup the JFrog CLI using the official GitHub Action. -3. **Log in to Artifactory Docker Registry** - - Authenticates Docker with Artifactory for pushing the image. -4. **Set up Docker Buildx** - - Prepares Docker Buildx for advanced build and push operations. -5. **Build and Push Docker Image to Artifactory** - - Builds the Docker image using the provided Dockerfile and tags it for the Artifactory registry. - - Pushes the tagged Docker image to the Artifactory Docker registry using JFrog CLI. -8. **Fetch Dependabot Vulnerability Snapshot** - - Fetchs the snapshot of open Dependabot vulnerability alerts for the repository and outputs the results in JSON format. -9. **Create Dependabot Evidence Using JFrog CLI** - - Attaches the Dependabot vulnerability snapshot as signed evidence to the Docker image package in Artifactory. +## Workflow + +```mermaid +graph TD + A[Workflow Dispatch Trigger] --> B[Setup JFrog CLI] + B --> C[Checkout Code] + C --> D[Build and Push Docker Image to Artifactory] + D --> E[Fetch Dependabot Vulnerability Snapshot] + E --> F{Attach Optional Custom Markdown Report?} + F -->|Yes| G[Generate Custom Markdown Report] + F -->|No| H[Skip Markdown Report] + G --> I[Attach Evidence to Package] + H --> I[Attach Evidence to Package] +``` ## Example Dependabot Vulnerability Alert Data 
@@ -62,7 +60,7 @@ The Fetch Dependabot Vulnerability Snapshot step retrieves Dependabot alerts and - **Build and Push Docker Image to Artifactory** ```bash - docker build -f ./examples/dependabot-alerts-example/Dockerfile . --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION + docker build -f ./examples/dependabot/Dockerfile . --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=$VERSION ``` - **Fetch Dependabot Vulnerability Snapshot** diff --git a/examples/dependabot-alerts-example/markdown_helper.py b/examples/dependabot/markdown_helper.py similarity index 100% rename from examples/dependabot-alerts-example/markdown_helper.py rename to examples/dependabot/markdown_helper.py diff --git a/examples/dependabot-alerts-example/requirements.txt b/examples/dependabot/requirements.txt similarity index 100% rename from examples/dependabot-alerts-example/requirements.txt rename to examples/dependabot/requirements.txt diff --git a/examples/trivy-verify-example/Dockerfile b/examples/trivy/Dockerfile similarity index 100% rename from examples/trivy-verify-example/Dockerfile rename to examples/trivy/Dockerfile diff --git a/examples/trivy-verify-example/README.md b/examples/trivy/README.md similarity index 71% rename from examples/trivy-verify-example/README.md rename to examples/trivy/README.md index 79f1092..52f3d97 100644 --- a/examples/trivy-verify-example/README.md +++ b/examples/trivy/README.md 
@@ -25,25 +25,20 @@ scanning in your CI/CD pipeline. - `REGISTRY_DOMAIN` - Docker registry domain -## Workflow Steps - -1. **Install JFrog CLI** - - Installs the JFrog CLI using the official GitHub Action. -2. **Checkout Repository** - - Checks out the source code for the build context. -3. **Build Docker Image** - - Builds the Docker image using the provided Dockerfile and tags it for the Artifactory registry. -4. **Run Trivy Security Scan** - - Scans the built Docker image for vulnerabilities using Trivy and outputs the results in JSON format. -5. **Generate Custom Markdown For Trivy Results** - - (Optional) Converts the Trivy JSON scan results to markdown format for better readability using a python script - with predefined static markdown template. -6. **Push Docker Image to Artifactory** - - Pushes the tagged Docker image to the Artifactory Docker registry using JFrog CLI. -7. **Publish Build Info** - - Publishes build information to Artifactory for traceability. -8. **Attach Trivy Evidence Using JFrog CLI** - - Attaches the Trivy scan results as signed evidence to the Docker image package in Artifactory. +## Workflow + +```mermaid +graph TD + A[Workflow Dispatch Trigger] --> B[Setup JFrog CLI] + B --> C[Checkout Repository] + C --> D[Build and Publish Docker Image to Artifactory] + D --> E[Run Trivy Vulnerability Scan] + E --> F{Attach Optional Custom Markdown Report?} + F -->|Yes| G[Generate Custom Markdown Report] + F -->|No| H[Skip Markdown Report] + G --> I[Attach Evidence to Package] + H --> I[Attach Evidence to Package] +``` ## Example Usage diff --git a/examples/trivy-verify-example/trivy_json_to_markdown_helper.py b/examples/trivy/trivy_json_to_markdown_helper.py similarity index 100% rename from examples/trivy-verify-example/trivy_json_to_markdown_helper.py rename to examples/trivy/trivy_json_to_markdown_helper.py