CloudBees action: Scan with Coverity on Polaris SAST


Use this action to run static application security testing (SAST) on a repository with the Coverity on Polaris scanner from Black Duck. The action reports the number of findings at each severity level, and you can use those counts as a quality gate for a later step or job in your workflow.

All CloudBees action repositories are listed at CloudBees, Inc. on GitHub.

Inputs

Table 1. Input details

Input name   Data type   Required?   Description
server-url   String      Yes         The Coverity on Polaris server URL.
api-token    String      Yes         The Coverity on Polaris API token. Supply it from a workflow secret (as in the examples below), not from a plain variable.
ref          String      Yes         The Git ref (branch, tag, or commit) to be checked out and archived for the scan.

Outputs

Table 2. Output details

Output name       Data type   Description
critical-count    String      The number of Critical security findings discovered during the scan.
very-high-count   String      The number of Very high security findings discovered during the scan.
high-count        String      The number of High security findings discovered during the scan.
medium-count      String      The number of Medium security findings discovered during the scan.
low-count         String      The number of Low security findings discovered during the scan.

Usage examples

Basic example

The following is a basic example of using the action:

    - name: Scan with Coverity on Polaris
      uses: cloudbees-io/coverity-polaris-sast-scan-code@v1
      with:
        server-url: ${{ vars.COVERITY_POLARIS_SERVER_URL }}
        api-token: ${{ secrets.COVERITY_POLARIS_TOKEN }}
        ref: main

Using the action output

Access the output values in downstream steps and jobs using the outputs context.

Use the output in your workflow as follows, where <action_step_ID> is the action step ID, and <severity> is an output parameter name, such as critical-count:

${{steps.<action_step_ID>.outputs.<severity>}}

The following example uses the action output in a downstream step of the same job:

    name: my-workflow
    kind: workflow
    apiVersion: automation.cloudbees.io/v1alpha1

    on:
      push:
        branches:
          - main

    permissions:
      scm-token-own: read
      scm-token-org: read
      id-token: write

    jobs:
      coverity-polaris-scan-job:
        steps:
          - name: check out source code
            uses: cloudbees-io/checkout@v1

          - id: coverity-polaris-step
            name: coverity polaris scan
            uses: cloudbees-io/coverity-polaris-sast-scan-code@v1
            with:
              server-url: ${{ vars.COVERITY_POLARIS_SERVER_URL }}
              api-token: ${{ secrets.COVERITY_POLARIS_TOKEN }}
              ref: main

          - name: source dir examine
            uses: docker://golang:1.20.3-alpine3.17
            shell: sh
            run: |
              ls -latR /cloudbees/workspace

          - id: print-outputs-from-coverity-polaris-step
            name: print outputs from upstream coverity-polaris step
            uses: docker://alpine:latest
            run: |
              # printing all outputs
              echo "Outputs from upstream coverity-polaris step:"
              echo "Critical count: ${{steps.coverity-polaris-step.outputs.critical-count}}"
              echo "Very high count: ${{steps.coverity-polaris-step.outputs.very-high-count}}"
              echo "High count: ${{steps.coverity-polaris-step.outputs.high-count}}"
              echo "Medium count: ${{steps.coverity-polaris-step.outputs.medium-count}}"
              echo "Low count: ${{steps.coverity-polaris-step.outputs.low-count}}"

The following example uses the action output in a downstream job:

    name: my-workflow
    kind: workflow
    apiVersion: automation.cloudbees.io/v1alpha1

    on:
      push:
        branches:
          - main

    permissions:
      scm-token-own: read
      scm-token-org: read
      id-token: write

    jobs:
      job1:
        outputs:
          coverity-polaris-job-output-critical: ${{ steps.coverity-polaris-step.outputs.critical-count }}
          coverity-polaris-job-output-very-high: ${{ steps.coverity-polaris-step.outputs.very-high-count }}
          coverity-polaris-job-output-high: ${{ steps.coverity-polaris-step.outputs.high-count }}
          coverity-polaris-job-output-medium: ${{ steps.coverity-polaris-step.outputs.medium-count }}
          coverity-polaris-job-output-low: ${{ steps.coverity-polaris-step.outputs.low-count }}
        steps:
          - name: check out source code
            uses: cloudbees-io/checkout@v1
            with:
              repository: my-gh-repo-org/my-repo
              ref: main
              token: ${{ secrets.GIT_PAT }}

          - id: coverity-polaris-step
            name: coverity polaris scan
            uses: cloudbees-io/coverity-polaris-sast-scan-code@v1
            with:
              server-url: ${{ vars.COVERITY_POLARIS_SERVER_URL }}
              api-token: ${{ secrets.COVERITY_POLARIS_TOKEN }}
              ref: main

      job2:
        needs: job1
        steps:
          - id: print-outputs-from-job1
            name: print outputs from upstream job1
            uses: docker://alpine:latest
            run: |
              # Printing all outputs
              echo "Outputs from upstream coverity-polaris job:"
              echo "Critical count: ${{ needs.job1.outputs.coverity-polaris-job-output-critical }}"
              echo "Very high count: ${{ needs.job1.outputs.coverity-polaris-job-output-very-high }}"
              echo "High count: ${{ needs.job1.outputs.coverity-polaris-job-output-high }}"
              echo "Medium count: ${{ needs.job1.outputs.coverity-polaris-job-output-medium }}"
              echo "Low count: ${{ needs.job1.outputs.coverity-polaris-job-output-low }}"
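Both examples above only print the counts. The following is an added example, not code from the CloudBees action or its documentation, that turns them into the quality gate the introduction mentions: a POSIX sh script you can paste into a run: step in the docker://alpine:latest container, in the same job (passing steps.<action_step_ID>.outputs.* values) or in a downstream job (passing needs.<job>.outputs.* values). The policy it enforces (block on any Critical or Very high finding, allow at most a configurable number of High findings) and the step ID coverity-polaris-step in the comment are assumptions for illustration. Because the outputs are strings, and an output is empty if the scan step never set it, the gate validates each value as a non-negative integer and fails closed rather than letting an empty value pass a numeric comparison.

```sh
#!/bin/sh
# Added example (not part of the CloudBees action or its documentation):
# a quality gate over the severity counts the action emits. The thresholds
# and the step ID used in the comments are assumptions; substitute your own.

# Fail-closed integer check: an empty or non-numeric count (for example when
# the scan step did not run, or its output was never set) must not pass.
is_count() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# gate CRITICAL VERY_HIGH HIGH [MAX_HIGH]
# Returns 0 when the scan passes the gate, 1 when the workflow should stop.
# Policy (an assumption, not a CloudBees default):
#   - any Critical or Very high finding fails the gate
#   - more than MAX_HIGH (default 0) High findings fails the gate
gate() {
  critical=$1
  very_high=$2
  high=$3
  max_high=${4:-0}

  for v in "$critical" "$very_high" "$high" "$max_high"; do
    if ! is_count "$v"; then
      echo "gate: count '$v' is not a non-negative integer; failing closed" >&2
      return 1
    fi
  done

  if [ "$critical" -gt 0 ] || [ "$very_high" -gt 0 ]; then
    echo "gate: blocked: critical=$critical very_high=$very_high" >&2
    return 1
  fi
  if [ "$high" -gt "$max_high" ]; then
    echo "gate: blocked: high=$high exceeds allowed maximum $max_high" >&2
    return 1
  fi
  echo "gate: passed: critical=$critical very_high=$very_high high=$high (max_high=$max_high)"
  return 0
}

# Stand-alone demo with constructed values. In a workflow step you would
# pass the expression values instead, for example:
#   gate "${{ steps.coverity-polaris-step.outputs.critical-count }}" \
#        "${{ steps.coverity-polaris-step.outputs.very-high-count }}" \
#        "${{ steps.coverity-polaris-step.outputs.high-count }}" 5
if [ "${1:-}" = "--demo" ]; then
  gate 0 0 3 5 && echo "demo 1: passed"
  gate 1 0 0 5 || echo "demo 2: blocked as expected"
  gate "" 0 0 5 || echo "demo 3: blocked as expected (missing count)"
fi
```

A run: step exits with the status of its last command, so ending the step with the gate call is enough to fail the job when the gate returns 1. Keep the echo of the raw counts from the examples above before the call if you want them in the step log for triage.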