diff --git a/commands/utils/email.go b/commands/utils/email.go
index 7164cc964..9d1e8b99e 100644
--- a/commands/utils/email.go
+++ b/commands/utils/email.go
@@ -6,14 +6,13 @@ import (
"github.com/jfrog/frogbot/commands/utils/outputwriter"
"github.com/jfrog/froggit-go/vcsclient"
"github.com/jfrog/froggit-go/vcsutils"
- "github.com/jfrog/gofrog/datastructures"
"github.com/jfrog/jfrog-cli-core/v2/xray/formats"
"github.com/jordan-wright/email"
"net/smtp"
"strings"
)
-var excludedEmailAddresses = []string{"no-reply", "no_reply", "noreply", "no.reply", "frogbot"}
+var blacklistedEmailAddresses = []string{"no-reply", "no_reply", "noreply", "no.reply", "frogbot"}
type SecretsEmailDetails struct {
gitClient vcsclient.VcsClient
@@ -98,20 +97,28 @@ func getRelevantEmailReceivers(client vcsclient.VcsClient, repoOwner, repoName,
}
func getEmailReceiversFromCommits(commits []vcsclient.CommitInfo, preConfiguredEmailReceivers []string) ([]string, error) {
- emailReceivers := datastructures.MakeSet[string]()
+ emailReceivers := []string{}
for _, commit := range commits {
- if shouldExcludeEmailAddress(commit.AuthorEmail, excludedEmailAddresses) || shouldExcludeEmailAddress(commit.AuthorEmail, preConfiguredEmailReceivers) {
+ if shouldExcludeEmailAddress(commit.AuthorEmail, preConfiguredEmailReceivers) {
continue
}
- emailReceivers.Add(commit.AuthorEmail)
+ emailReceivers = append(emailReceivers, commit.AuthorEmail)
}
- return emailReceivers.ToSlice(), nil
+ return emailReceivers, nil
}
-func shouldExcludeEmailAddress(emailAddress string, excludes []string) bool {
- for _, excludedEmailAddress := range excludes {
- if strings.Contains(emailAddress, excludedEmailAddress) {
+func shouldExcludeEmailAddress(emailAddress string, preConfiguredEmailReceivers []string) bool {
+ if emailAddress == "" {
+ return true
+ }
+ for _, blackListedEmail := range blacklistedEmailAddresses {
+ if strings.Contains(emailAddress, blackListedEmail) {
+ return true
+ }
+ }
+ for _, preConfiguredEmailAddress := range preConfiguredEmailReceivers {
+ if emailAddress == preConfiguredEmailAddress {
return true
}
}
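Review bot: Replacing the set with a plain slice at `emailReceivers := []string{}` / `emailReceivers = append(emailReceivers, commit.AuthorEmail)` lets the same author appear once per commit, so an author with several commits in the scanned pull request is now listed (and, presumably, notified) several times where the old code notified them once; the slice return can stay, but entries should be deduplicated before they are appended. The new case added in email_test.go covers the empty address but not a repeated AuthorEmail, so a second commit from an already-seen author would be worth asserting there. shouldExcludeEmailAddress continues past the end of the hunk. Separately, AuthorEmail is unverified commit metadata set by whoever authored the commit, so a doc comment on getEmailReceiversFromCommits such as `// Receivers taken from commit authors are unverified identities; the address is whatever the commit records.` would make that property explicit for callers that send notification content to them.
```go
func getEmailReceiversFromCommits(commits []vcsclient.CommitInfo, preConfiguredEmailReceivers []string) ([]string, error) {
	emailReceivers := []string{}
	seen := make(map[string]struct{}, len(commits))
	for _, commit := range commits {
		// … unchanged: shouldExcludeEmailAddress check …
		if _, dup := seen[commit.AuthorEmail]; dup {
			continue
		}
		seen[commit.AuthorEmail] = struct{}{}
		emailReceivers = append(emailReceivers, commit.AuthorEmail)
	}
	return emailReceivers, nil
}
```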
diff --git a/commands/utils/email_test.go b/commands/utils/email_test.go
index 4b01cb9da..378c04ea5 100644
--- a/commands/utils/email_test.go
+++ b/commands/utils/email_test.go
@@ -52,6 +52,7 @@ func TestGetEmailReceiversFromCommits(t *testing.T) {
{AuthorEmail: "test3@jfrog.noreply.com"},
{AuthorEmail: "test3@jfrog.no-reply.com"},
{AuthorEmail: "test3@jfrog.frogbot.com"},
+ {AuthorEmail: ""},
}
preConfiguredEmailReceivers := []string{"receiver1@jfrog.com", "receiver2@jfrog.com"}
finalEmailReceiversList, err := getEmailReceiversFromCommits(commits, preConfiguredEmailReceivers)
diff --git a/commands/utils/params.go b/commands/utils/params.go
index f7942ed9a..89b4562e7 100644
--- a/commands/utils/params.go
+++ b/commands/utils/params.go
@@ -145,8 +145,9 @@ func (s *Scan) SetEmailDetails() error {
return fmt.Errorf("failed while setting your email details. SMTP password is expected, but the %s environment variable is empty", SmtpPasswordEnv)
}
if len(s.EmailReceivers) == 0 {
- emailReceivers := getTrimmedEnv(EmailReceiversEnv)
- s.EmailReceivers = strings.Split(emailReceivers, ",")
+ if emailReceiversEnv := getTrimmedEnv(EmailReceiversEnv); emailReceiversEnv != "" {
+ s.EmailReceivers = strings.Split(emailReceiversEnv, ",")
+ }
}
return nil
}
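Review bot: The new guard only skips the whole variable when it is empty; `strings.Split(emailReceiversEnv, ",")` still keeps whitespace around each address and keeps empty elements from a trailing or doubled comma, so a value like `a@x.com, b@x.com,` yields `" b@x.com"` and `""` as receivers. Because shouldExcludeEmailAddress compares pre-configured receivers with `==`, the untrimmed entry also fails to exclude that author's commit address, and an empty entry is passed on to the mailer (getTrimmedEnv appears to trim only the whole value, not the parts — confirm). Trimming each part and dropping empties at this point keeps the rest of the email code unchanged. SetEmailDetails starts before this hunk.
```go
	if len(s.EmailReceivers) == 0 {
		for _, addr := range strings.Split(getTrimmedEnv(EmailReceiversEnv), ",") {
			if addr = strings.TrimSpace(addr); addr != "" {
				s.EmailReceivers = append(s.EmailReceivers, addr)
			}
		}
	}
```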
diff --git a/docs/install-azure-pipelines.md b/docs/install-azure-pipelines.md
index a55c20999..2e992b2a1 100644
--- a/docs/install-azure-pipelines.md
+++ b/docs/install-azure-pipelines.md
@@ -198,9 +198,10 @@ To install Frogbot on Azure Repos repositories, follow these steps.
# Set the email of the commit author
# JF_GIT_EMAIL_AUTHOR: ""
- # [Mandatory if JF_SMTP_SERVER is set]
- # List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- # The list should be seperated by commas.
+ # [Optional]
+ # List of comma separated email addresses to receive email notifications about secrets
+ # detected during pull request scanning. The notification is also sent to the email set
+ # in the committer git profile regardless of whether this variable is set or not.
# JF_EMAIL_RECEIVERS: ""
displayName: 'Download and Run Frogbot'
diff --git a/docs/install-bitbucket-server.md b/docs/install-bitbucket-server.md
index b36f527bc..f729f0a77 100644
--- a/docs/install-bitbucket-server.md
+++ b/docs/install-bitbucket-server.md
@@ -29,215 +29,216 @@
and **JF_ACCESS_TOKEN** instead of **JF_USER** and **JF_PASSWORD**).
- Save your Bitbucket access token as a Credential in Jenkins with the `FROGBOT_GIT_TOKEN` Credential ID.
- Create a Jenkinsfile with the below template content, and push it to the root of one of your Git repositories.
- - In the Jenkinsfile, set the values of all the mandatory variables.
- - In the Jenkinsfile, modify the code inside the `Download Frogbot` and `Scan Pull Requests` according to the Jenkins agent operating system.
- - Create a Pipeline job in Jenkins pointing to the Jenkinsfile in your Git repository.
+ - In the Jenkinsfile, set the values of all the mandatory variables.
+ - In the Jenkinsfile, modify the code inside the `Download Frogbot` and `Scan Pull Requests` according to the Jenkins agent operating system.
+ - Create a Pipeline job in Jenkins pointing to the Jenkinsfile in your Git repository.
-
- Template
+
+ Template
- ```groovy
- // Run the job once an hour
- CRON_SETTINGS = '''* */1 * * *'''
-
- pipeline {
- agent any
-
- triggers {
- cron(CRON_SETTINGS)
- }
-
- environment {
- // [Mandatory]
- // JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
- JF_URL= credentials("JF_URL")
-
- // [Mandatory if JF_USER and JF_PASSWORD are not provided]
- // JFrog access token with 'read' permissions for Xray
- JF_ACCESS_TOKEN= credentials("JF_ACCESS_TOKEN")
-
- // [Mandatory if JF_ACCESS_TOKEN is not provided]
- // JFrog user and password with 'read' permissions for Xray
- // JF_USER= credentials("JF_USER")
- // JF_PASSWORD= credentials("JF_PASSWORD")
-
- // [Mandatory]
- // Bitbucket access token with the write repository permissions
- JF_GIT_TOKEN= credentials("FROGBOT_GIT_TOKEN")
- JF_GIT_PROVIDER= "bitbucketServer"
-
- // [Mandatory]
- // Username of the account associated with the token
- JF_GIT_USERNAME= ""
-
- // [Mandatory]
- // Bitbucket project namespace
- // Private projects should start with the prefix: "~"
- JF_GIT_OWNER= ""
-
- // [Mandatory]
- // API endpoint to Bitbucket server
- JF_GIT_API_ENDPOINT= ""
-
- // [Optional]
- // By default, the Frogbot workflows download the Frogbot executable as well as other tools
- // needed from https://releases.jfrog.io
- // If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
- // executable to be downloaded from an Artifactory instance, which the machine has access to:
- //
- // 1. Login to the Artifactory UI, with a user who has admin credentials.
- // 2. Create a Remote Repository with the following properties set.
- // Under the 'Basic' tab:
- // Package Type: Generic
- // URL: https://releases.jfrog.io
- // Under the 'Advanced' tab:
- // Uncheck the 'Store Artifacts Locally' option
- // 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
- // JF_RELEASES_REPO= ""
+ ```groovy
+ // Run the job once an hour
+ CRON_SETTINGS = '''* */1 * * *'''
+
+ pipeline {
+ agent any
+
+ triggers {
+ cron(CRON_SETTINGS)
+ }
+
+ environment {
+ // [Mandatory]
+ // JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
+ JF_URL= credentials("JF_URL")
+
+ // [Mandatory if JF_USER and JF_PASSWORD are not provided]
+ // JFrog access token with 'read' permissions for Xray
+ JF_ACCESS_TOKEN= credentials("JF_ACCESS_TOKEN")
+
+ // [Mandatory if JF_ACCESS_TOKEN is not provided]
+ // JFrog user and password with 'read' permissions for Xray
+ // JF_USER= credentials("JF_USER")
+ // JF_PASSWORD= credentials("JF_PASSWORD")
+
+ // [Mandatory]
+ // Bitbucket access token with the write repository permissions
+ JF_GIT_TOKEN= credentials("FROGBOT_GIT_TOKEN")
+ JF_GIT_PROVIDER= "bitbucketServer"
+
+ // [Mandatory]
+ // Username of the account associated with the token
+ JF_GIT_USERNAME= ""
+
+ // [Mandatory]
+ // Bitbucket project namespace
+ // Private projects should start with the prefix: "~"
+ JF_GIT_OWNER= ""
+
+ // [Mandatory]
+ // API endpoint to Bitbucket server
+ JF_GIT_API_ENDPOINT= ""
+
+ // [Optional]
+ // By default, the Frogbot workflows download the Frogbot executable as well as other tools
+ // needed from https://releases.jfrog.io
+ // If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
+ // executable to be downloaded from an Artifactory instance, which the machine has access to:
+ //
+ // 1. Login to the Artifactory UI, with a user who has admin credentials.
+ // 2. Create a Remote Repository with the following properties set.
+ // Under the 'Basic' tab:
+ // Package Type: Generic
+ // URL: https://releases.jfrog.io
+ // Under the 'Advanced' tab:
+ // Uncheck the 'Store Artifacts Locally' option
+ // 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
+ // JF_RELEASES_REPO= ""
+
+ // [Optional]
+ // Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans.
+ // SMTP server URL including should the relevant port: (Example: smtp.server.com:8080)
+ // JF_SMTP_SERVER= ""
+
+ // [Mandatory if JF_SMTP_SERVER is set]
+ // The username required for authenticating with the SMTP server.
+ // JF_SMTP_USER= ""
+
+ // [Mandatory if JF_SMTP_SERVER is set]
+ // The password associated with the username required for authentication with the SMTP server.
+ // JF_SMTP_PASSWORD= ""
+
+ ///////////////////////////////////////////////////////////////////////////
+ // If your project uses a 'frogbot-config.yml' file, you should define //
+ // the following variables inside the file, instead of here. //
+ ///////////////////////////////////////////////////////////////////////////
- // [Optional]
- // Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans.
- // SMTP server URL including should the relevant port: (Example: smtp.server.com:8080)
- // JF_SMTP_SERVER= ""
-
- // [Mandatory if JF_SMTP_SERVER is set]
- // The username required for authenticating with the SMTP server.
- // JF_SMTP_USER= ""
-
- // [Mandatory if JF_SMTP_SERVER is set]
- // The password associated with the username required for authentication with the SMTP server.
- // JF_SMTP_PASSWORD= ""
-
- ///////////////////////////////////////////////////////////////////////////
- // If your project uses a 'frogbot-config.yml' file, you should define //
- // the following variables inside the file, instead of here. //
- ///////////////////////////////////////////////////////////////////////////
-
- // [Mandatory]
- // The name of the repository
- JF_GIT_REPO= ""
-
- // [Mandatory]
- // The name of the branch on which Frogbot will perform the scan
- JF_GIT_BASE_BRANCH= ""
-
- // [Mandatory if the two conditions below are met]
- // 1. The project uses yarn 2, NuGet, or .NET to download its dependencies
- // 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
- //
- // The command that installs the project dependencies (e.g "nuget restore")
- JF_INSTALL_DEPS_CMD= ""
-
- // [Optional, default: "."]
- // Relative path to the root of the project in the Git repository
- // JF_WORKING_DIR= path/to/project/dir
-
- // [Optional]
- // Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
- // JF_WATCHES= ,...
-
- // [Optional]
- // JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
- // JF_PROJECT=
-
- // [Optional, default: "FALSE"]
- // Displays all existing vulnerabilities, including the ones that were added by the pull request.
- // JF_INCLUDE_ALL_VULNERABILITIES= "TRUE"
-
- // [Optional, default: "TRUE"]
- // Fails the Frogbot task if any security issue is found.
- // JF_FAIL= "FALSE"
+ // [Mandatory]
+ // The name of the repository
+ JF_GIT_REPO= ""
- // [Optional, default: "TRUE"]
- // Relative path to a Pip requirements.txt file. If not set, the python project's dependencies are determined and scanned using the project setup.py file.
- // JF_REQUIREMENTS_FILE= ""
-
- // [Optional, Default: "TRUE"]
- // Use Gradle wrapper.
- // JF_USE_WRAPPER= "FALSE"
-
- // [Optional]
- // Frogbot will download the project dependencies if they're not cached locally. To download the
- // dependencies from a virtual repository in Artifactory set the name of the repository. There's no
- // need to set this value, if it is set in the frogbot-config.yml file.
- // JF_DEPS_REPO= ""
-
- // [Optional]
- // Template for the branch name generated by Frogbot when creating pull requests with fixes.
- // The template must include ${BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
- // The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
- // JF_BRANCH_NAME_TEMPLATE= "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}"
-
- // [Optional]
- // Template for the commit message generated by Frogbot when creating pull requests with fixes
- // The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
- // JF_COMMIT_MESSAGE_TEMPLATE= "Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
-
- // [Optional]
- // Template for the pull request title generated by Frogbot when creating pull requests with fixes.
- // The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
- // JF_PULL_REQUEST_TITLE_TEMPLATE= "[🐸 Frogbot] Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
-
- // [Optional, Default: "FALSE"]
- // If TRUE, Frogbot creates a single pull request with all the fixes.
- // If FALSE, Frogbot creates a separate pull request for each fix.
- // JF_GIT_AGGREGATE_FIXES= "FALSE"
-
- // [Optional, Default: "FALSE"]
- // Handle vulnerabilities with fix versions only
- // JF_FIXABLE_ONLY= "TRUE"
-
- // [Optional]
- // Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
- // The following values are accepted: Low, Medium, High, or Critical
- // JF_MIN_SEVERITY= ""
+ // [Mandatory]
+ // The name of the branch on which Frogbot will perform the scan
+ JF_GIT_BASE_BRANCH= ""
+
+ // [Mandatory if the two conditions below are met]
+ // 1. The project uses yarn 2, NuGet, or .NET to download its dependencies
+ // 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
+ //
+ // The command that installs the project dependencies (e.g "nuget restore")
+ JF_INSTALL_DEPS_CMD= ""
+
+ // [Optional, default: "."]
+ // Relative path to the root of the project in the Git repository
+ // JF_WORKING_DIR= path/to/project/dir
+
+ // [Optional]
+ // Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
+ // JF_WATCHES= ,...
+
+ // [Optional]
+ // JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
+ // JF_PROJECT=
+
+ // [Optional, default: "FALSE"]
+ // Displays all existing vulnerabilities, including the ones that were added by the pull request.
+ // JF_INCLUDE_ALL_VULNERABILITIES= "TRUE"
+
+ // [Optional, default: "TRUE"]
+ // Fails the Frogbot task if any security issue is found.
+ // JF_FAIL= "FALSE"
+
+ // [Optional, default: "TRUE"]
+ // Relative path to a Pip requirements.txt file. If not set, the python project's dependencies are determined and scanned using the project setup.py file.
+ // JF_REQUIREMENTS_FILE= ""
- // [Optional, Default: eco-system+frogbot@jfrog.com]
- // Set the email of the commit author
- // JF_GIT_EMAIL_AUTHOR: ""
-
- // [Mandatory if JF_SMTP_SERVER is set]
- // List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- // The list should be seperated by commas.
- // JF_EMAIL_RECEIVERS: ""
- }
-
- stages {
- stage('Download Frogbot') {
- steps {
- if (env.JF_RELEASES_REPO == "") {
- // For Linux / MacOS runner:
- sh """ curl -fLg "https://releases.jfrog.io/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh"""
- // For Windows runner:
- // powershell """iwr https://releases.jfrog.io/artifactory/frogbot/v2/[RELEASE]/frogbot-windows-amd64/frogbot.exe -OutFile .\frogbot.exe"""
- } else {
- // For Linux / MacOS air-gapped environments:
- sh """ curl -fLg "${env.JF_URL}/artifactory/${env.JF_RELEASES_REPO}/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh"""
- // For Windows air-gapped environments:
- // powershell """iwr ${env.JF_URL}/artifactory/${env.JF_RELEASES_REPO}/artifactory/frogbot/v2/[RELEASE]/frogbot-windows-amd64/frogbot.exe -OutFile .\frogbot.exe"""
+ // [Optional, Default: "TRUE"]
+ // Use Gradle wrapper.
+ // JF_USE_WRAPPER= "FALSE"
+
+ // [Optional]
+ // Frogbot will download the project dependencies if they're not cached locally. To download the
+ // dependencies from a virtual repository in Artifactory set the name of the repository. There's no
+ // need to set this value, if it is set in the frogbot-config.yml file.
+ // JF_DEPS_REPO= ""
+
+ // [Optional]
+ // Template for the branch name generated by Frogbot when creating pull requests with fixes.
+ // The template must include ${BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
+ // The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
+ // JF_BRANCH_NAME_TEMPLATE= "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}"
+
+ // [Optional]
+ // Template for the commit message generated by Frogbot when creating pull requests with fixes
+ // The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
+ // JF_COMMIT_MESSAGE_TEMPLATE= "Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
+
+ // [Optional]
+ // Template for the pull request title generated by Frogbot when creating pull requests with fixes.
+ // The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
+ // JF_PULL_REQUEST_TITLE_TEMPLATE= "[🐸 Frogbot] Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
+
+ // [Optional, Default: "FALSE"]
+ // If TRUE, Frogbot creates a single pull request with all the fixes.
+ // If FALSE, Frogbot creates a separate pull request for each fix.
+ // JF_GIT_AGGREGATE_FIXES= "FALSE"
+
+ // [Optional, Default: "FALSE"]
+ // Handle vulnerabilities with fix versions only
+ // JF_FIXABLE_ONLY= "TRUE"
+
+ // [Optional]
+ // Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
+ // The following values are accepted: Low, Medium, High, or Critical
+ // JF_MIN_SEVERITY= ""
+
+ // [Optional, Default: eco-system+frogbot@jfrog.com]
+ // Set the email of the commit author
+ // JF_GIT_EMAIL_AUTHOR: ""
+
+ // [Optional]
+ // List of comma separated email addresses to receive email notifications about secrets
+ // detected during pull request scanning. The notification is also sent to the email set
+ // in the committer git profile regardless of whether this variable is set or not.
+ // JF_EMAIL_RECEIVERS: ""
+ }
+
+ stages {
+ stage('Download Frogbot') {
+ steps {
+ if (env.JF_RELEASES_REPO == "") {
+ // For Linux / MacOS runner:
+ sh """ curl -fLg "https://releases.jfrog.io/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh"""
+ // For Windows runner:
+ // powershell """iwr https://releases.jfrog.io/artifactory/frogbot/v2/[RELEASE]/frogbot-windows-amd64/frogbot.exe -OutFile .\frogbot.exe"""
+ } else {
+ // For Linux / MacOS air-gapped environments:
+ sh """ curl -fLg "${env.JF_URL}/artifactory/${env.JF_RELEASES_REPO}/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh"""
+ // For Windows air-gapped environments:
+ // powershell """iwr ${env.JF_URL}/artifactory/${env.JF_RELEASES_REPO}/artifactory/frogbot/v2/[RELEASE]/frogbot-windows-amd64/frogbot.exe -OutFile .\frogbot.exe"""
+ }
}
- }
- }
-
- stage('Scan Pull Requests') {
- steps {
- sh "./frogbot scan-all-pull-requests"
-
- // For Windows runner:
- // powershell """.\frogbot.exe scan-all-pull-requests"""
}
- }
-
- stage('Scan and Fix Repos') {
- steps {
- sh "./frogbot scan-multiple-repositories"
-
- // For Windows runner:
- // powershell """.\frogbot.exe scan-multiple-repositories"""
+
+ stage('Scan Pull Requests') {
+ steps {
+ sh "./frogbot scan-all-pull-requests"
+
+ // For Windows runner:
+ // powershell """.\frogbot.exe scan-all-pull-requests"""
+ }
+ }
+
+ stage('Scan and Fix Repos') {
+ steps {
+ sh "./frogbot scan-multiple-repositories"
+
+ // For Windows runner:
+ // powershell """.\frogbot.exe scan-multiple-repositories"""
+ }
}
}
}
- }
diff --git a/docs/install-github.md b/docs/install-github.md
index eda3d169e..b037975bd 100644
--- a/docs/install-github.md
+++ b/docs/install-github.md
@@ -27,7 +27,7 @@ Push the workflow files to the `.github/workflows` directory at the root of your
> **IMPORTANT**: The workflow files must be pushed to the target branch before Frogbot is triggered. This means that if, for example, a pull request includes the workflow files and the target branch doesn't, Frogbot will fail to run.
-### 🔎Scan pull requests
+### 🔎 Scan pull requests
Create a file named `frogbot-scan-pull-request.yml` with the content of the following template.
This will allow Frogbot to scan pull requests for security issues when the pull requests are open, and before they are merged.
@@ -91,6 +91,19 @@ jobs:
# Uncheck the 'Store Artifacts Locally' option
# 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
# JF_RELEASES_REPO: ""
+
+ # [Optional]
+ # Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans.
+ # SMTP server URL including should the relevant port: (Example: smtp.server.com:8080)
+ # JF_SMTP_SERVER: ""
+
+ # [Mandatory if JF_SMTP_SERVER is set]
+ # The username required for authenticating with the SMTP server.
+ # JF_SMTP_USER: ""
+
+ # [Mandatory if JF_SMTP_SERVER is set]
+ # The password associated with the username required for authentication with the SMTP server.
+ # JF_SMTP_PASSWORD: ""
##########################################################################
## If your project uses a 'frogbot-config.yml' file, you can define ##
@@ -143,11 +156,18 @@ jobs:
# Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
# The following values are accepted: Low, Medium, High or Critical
# JF_MIN_SEVERITY: ""
+
+ # [Optional]
+ # List of comma separated email addresses to receive email notifications about secrets
+ # detected during pull request scanning. The notification is also sent to the email set
+ # in the committer git profile regardless of whether this variable is set or not.
+ # JF_EMAIL_RECEIVERS: ""
+
```
-### 🛠️Scanning repository branches and fixing issues
+### 🛠️ Scanning repository branches and fixing issues
Create a file named `frogbot-scan-and-fix.yml` with the content of the following template.
This will make Frogbot open pull requests with fixes for security vulnerabilities found in the GitHub repository.
diff --git a/docs/install-gitlab.md b/docs/install-gitlab.md
index 837c862cd..43581a40f 100644
--- a/docs/install-gitlab.md
+++ b/docs/install-gitlab.md
@@ -162,9 +162,10 @@ frogbot-scan:
# Set the email of the commit author
# JF_GIT_EMAIL_AUTHOR: ""
- # [Mandatory if JF_SMTP_SERVER is set]
- # List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- # The list should be seperated by commas.
+ # [Optional]
+ # List of comma separated email addresses to receive email notifications about secrets
+ # detected during pull request scanning. The notification is also sent to the email set
+ # in the committer git profile regardless of whether this variable is set or not.
# JF_EMAIL_RECEIVERS: ""
script:
diff --git a/docs/templates/github-actions/frogbot-scan-pull-request.yml b/docs/templates/github-actions/frogbot-scan-pull-request.yml
deleted file mode 100644
index 7eaba610c..000000000
--- a/docs/templates/github-actions/frogbot-scan-pull-request.yml
+++ /dev/null
@@ -1,118 +0,0 @@
-name: "Frogbot Scan Pull Request"
-on:
- pull_request_target:
- types: [opened, synchronize]
-permissions:
- pull-requests: write
- contents: read
-jobs:
- scan-pull-request:
- runs-on: ubuntu-latest
- # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
- # "frogbot" GitHub environment can approve the pull request to be scanned.
- environment: frogbot
- steps:
- - uses: jfrog/frogbot@v2
- env:
- # [Mandatory]
- # JFrog platform URL
- JF_URL: ${{ secrets.JF_URL }}
-
- # [Mandatory if JF_USER and JF_PASSWORD are not provided]
- # JFrog access token with 'read' permissions on Xray service
- JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
-
- # [Mandatory if JF_ACCESS_TOKEN is not provided]
- # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
- # JF_USER: ${{ secrets.JF_USER }}
-
- # [Mandatory if JF_ACCESS_TOKEN is not provided]
- # JFrog password. Must be provided with JF_USER
- # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
-
- # [Mandatory]
- # The GitHub token automatically generated for the job
- JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- # [Optional, default: https://api.github.com]
- # API endpoint to GitHub
- # JF_GIT_API_ENDPOINT: https://github.example.com
-
- # [Optional]
- # By default, the Frogbot workflows download the Frogbot executable as well as other tools
- # needed from https://releases.jfrog.io
- # If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
- # executable to be downloaded from an Artifactory instance, which the machine has access to:
- #
- # 1. Login to the Artifactory UI, with a user which has admin credentials.
- # 2. Create a Remote Repository with the following properties set.
- # Under the 'Basic' tab:
- # Package Type: Generic
- # URL: https://releases.jfrog.io
- # Under the 'Advanced' tab:
- # Uncheck the 'Store Artifacts Locally' option
- # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
- # JF_RELEASES_REPO: ""
-
- # [Optional]
- # Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans.
- # SMTP server URL including should the relevant port: (Example: smtp.server.com:8080)
- # JF_SMTP_SERVER: ""
-
- # [Mandatory if JF_SMTP_SERVER is set]
- # The username required for authenticating with the SMTP server.
- # JF_SMTP_USER: ""
-
- # [Mandatory if JF_SMTP_SERVER is set]
- # The password associated with the username required for authentication with the SMTP server.
- # JF_SMTP_PASSWORD: ""
-
- ##########################################################################
- ## If your project uses a 'frogbot-config.yml' file, you can define ##
- ## the following variables inside the file, instead of here. ##
- ##########################################################################
-
- # [Optional, default: "."]
- # Relative path to the root of the project in the Git repository
- # JF_WORKING_DIR: path/to/project/dir
-
- # [Optional]
- # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
- # JF_WATCHES: ,...
-
- # [Optional]
- # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
- # JF_PROJECT:
-
- # [Optional, default: "FALSE"]
- # Displays all existing vulnerabilities, including the ones that were added by the pull request.
- # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
-
- # [Optional, default: "TRUE"]
- # Fails the Frogbot task if any security issue is found.
- # JF_FAIL: "FALSE"
-
- # [Optional]
- # Frogbot will download the project dependencies if they're not cached locally. To download the
- # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
- # need to set this value, if it is set in the frogbot-config.yml file.
- # JF_DEPS_REPO: ""
-
- # [Optional, Default: "FALSE"]
- # If TRUE, Frogbot creates a single pull request with all the fixes.
- # If FALSE, Frogbot creates a separate pull request for each fix.
- # JF_GIT_AGGREGATE_FIXES: "FALSE"
-
- # [Optional, Default: "FALSE"]
- # Handle vulnerabilities with fix versions only
- # JF_FIXABLE_ONLY: "TRUE"
-
- # [Optional]
- # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
- # The following values are accepted: Low, Medium, High or Critical
- # JF_MIN_SEVERITY: ""
-
- # [Mandatory if JF_SMTP_SERVER is set]
- # List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- # The list should be seperated by commas.
- # JF_EMAIL_RECEIVERS: ""
\ No newline at end of file
diff --git a/docs/templates/github-actions/frogbot-scan-repository.yml b/docs/templates/github-actions/frogbot-scan-repository.yml
deleted file mode 100644
index ed413c370..000000000
--- a/docs/templates/github-actions/frogbot-scan-repository.yml
+++ /dev/null
@@ -1,124 +0,0 @@
-name: "Frogbot Scan Repository"
-on:
- workflow_dispatch:
- schedule:
- # The repository will be scanned once a day at 00:00 GMT.
- - cron: "0 0 * * *"
-permissions:
- contents: write
- pull-requests: write
- security-events: write
-jobs:
- scan-repository:
- runs-on: ubuntu-latest
- strategy:
- matrix:
- # The repository scanning will be triggered periodically on the following branches.
- branch: [ "dev" ]
- steps:
- - uses: actions/checkout@v3
- with:
- ref: ${{ matrix.branch }}
-
- - uses: jfrog/frogbot@v2
- env:
- # [Mandatory]
- # JFrog platform URL
- JF_URL: ${{ secrets.JF_URL }}
-
- # [Mandatory if JF_USER and JF_PASSWORD are not provided]
- # JFrog access token with 'read' permissions on Xray service
- JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
-
- # [Mandatory if JF_ACCESS_TOKEN is not provided]
- # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
- # JF_USER: ${{ secrets.JF_USER }}
-
- # [Mandatory if JF_ACCESS_TOKEN is not provided]
- # JFrog password. Must be provided with JF_USER
- # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
-
- # [Mandatory]
- # The GitHub token automatically generated for the job
- JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- # [Optional, default: https://api.github.com]
- # API endpoint to GitHub
- # JF_GIT_API_ENDPOINT: https://github.example.com
-
- # [Optional]
- # By default, the Frogbot workflows download the Frogbot executable as well as other tools
- # needed from https://releases.jfrog.io
- # If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
- # executable to be downloaded from an Artifactory instance, which the machine has access to:
- #
- # 1. Login to the Artifactory UI, with a user which has admin credentials.
- # 2. Create a Remote Repository with the following properties set.
- # Under the 'Basic' tab:
- # Package Type: Generic
- # URL: https://releases.jfrog.io
- # Under the 'Advanced' tab:
- # Uncheck the 'Store Artifacts Locally' option
- # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
- # JF_RELEASES_REPO: ""
-
- ##########################################################################
- ## If your project uses a 'frogbot-config.yml' file, you can define ##
- ## the following variables inside the file, instead of here. ##
- ##########################################################################
-
- # [Optional, default: "."]
- # Relative path to the root of the project in the Git repository
- # JF_WORKING_DIR: path/to/project/dir
-
- # [Optional]
- # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
- # JF_WATCHES: ,...
-
- # [Optional]
- # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
- # JF_PROJECT:
-
- # [Optional, default: "TRUE"]
- # Fails the Frogbot task if any security issue is found.
- # JF_FAIL: "FALSE"
-
- # [Optional]
- # Frogbot will download the project dependencies, if they're not cached locally. To download the
- # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
- # need to set this value, if it is set in the frogbot-config.yml file.
- # JF_DEPS_REPO: ""
-
- # [Optional]
- # Template for the branch name generated by Frogbot when creating pull requests with fixes.
- # The template must include ${BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
- # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
- # JF_BRANCH_NAME_TEMPLATE: "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}"
-
- # [Optional]
- # Template for the commit message generated by Frogbot when creating pull requests with fixes
- # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
- # JF_COMMIT_MESSAGE_TEMPLATE: "Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
-
- # [Optional]
- # Template for the pull request title generated by Frogbot when creating pull requests with fixes.
- # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
- # JF_PULL_REQUEST_TITLE_TEMPLATE: "[🐸 Frogbot] Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
-
- # [Optional, Default: "FALSE"]
- # If TRUE, Frogbot creates a single pull request with all the fixes.
- # If FALSE, Frogbot creates a separate pull request for each fix.
- # JF_GIT_AGGREGATE_FIXES: "FALSE"
-
- # [Optional, Default: "FALSE"]
- # Handle vulnerabilities with fix versions only
- # JF_FIXABLE_ONLY: "TRUE"
-
- # [Optional]
- # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
- # The following values are accepted: Low, Medium, High or Critical
- # JF_MIN_SEVERITY: ""
-
- # [Optional, Default: eco-system+frogbot@jfrog.com]
- # Set the email of the commit author
- # JF_GIT_EMAIL_AUTHOR: ""
diff --git a/docs/templates/jenkins/scan-pull-request.jenkinsfile b/docs/templates/jenkins/scan-pull-request.jenkinsfile
index b865518f4..b178fe538 100644
--- a/docs/templates/jenkins/scan-pull-request.jenkinsfile
+++ b/docs/templates/jenkins/scan-pull-request.jenkinsfile
@@ -159,9 +159,10 @@ pipeline {
// Set the email of the commit author
// JF_GIT_EMAIL_AUTHOR= ""
- // [Mandatory if JF_SMTP_SERVER is set]
- // List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- // The list should be seperated by commas.
+ // [Optional]
+ // List of comma separated email addresses to receive email notifications about secrets
+ // detected during pull request scanning. The notification is also sent to the email set
+ // in the committer git profile regardless of whether this variable is set or not.
// JF_EMAIL_RECEIVERS: ""
}
diff --git a/docs/templates/jfrog-pipelines/pipelines-dotnet.yml b/docs/templates/jfrog-pipelines/pipelines-dotnet.yml
index 969f1b8a9..014f94fac 100644
--- a/docs/templates/jfrog-pipelines/pipelines-dotnet.yml
+++ b/docs/templates/jfrog-pipelines/pipelines-dotnet.yml
@@ -173,10 +173,12 @@ pipelines:
# Set the email of the commit author
# JF_GIT_EMAIL_AUTHOR: ""
- # [Mandatory if JF_SMTP_SERVER is set]
- # List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- # The list should be seperated by commas.
+ # [Optional]
+ # List of comma separated email addresses to receive email notifications about secrets
+ # detected during pull request scanning. The notification is also sent to the email set
+ # in the committer git profile regardless of whether this variable is set or not.
# JF_EMAIL_RECEIVERS: ""
+
execution:
onExecute:
- cd $res_frogbotGitRepo_resourcePath
diff --git a/docs/templates/jfrog-pipelines/pipelines-go.yml b/docs/templates/jfrog-pipelines/pipelines-go.yml
index a33c5f693..db7177200 100644
--- a/docs/templates/jfrog-pipelines/pipelines-go.yml
+++ b/docs/templates/jfrog-pipelines/pipelines-go.yml
@@ -174,10 +174,12 @@ pipelines:
# Set the email of the commit author
# JF_GIT_EMAIL_AUTHOR: ""
- # [Mandatory if JF_SMTP_SERVER is set]
- # List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- # The list should be seperated by commas.
+ # [Optional]
+ # List of comma separated email addresses to receive email notifications about secrets
+ # detected during pull request scanning. The notification is also sent to the email set
+ # in the committer git profile regardless of whether this variable is set or not.
# JF_EMAIL_RECEIVERS: ""
+
execution:
onExecute:
- cd $res_frogbotGitRepo_resourcePath
diff --git a/docs/templates/jfrog-pipelines/pipelines-gradle.yml b/docs/templates/jfrog-pipelines/pipelines-gradle.yml
index 3b68d248e..654f99388 100644
--- a/docs/templates/jfrog-pipelines/pipelines-gradle.yml
+++ b/docs/templates/jfrog-pipelines/pipelines-gradle.yml
@@ -178,10 +178,12 @@ pipelines:
# Set the email of the commit author
# JF_GIT_EMAIL_AUTHOR: ""
- # [Mandatory if JF_SMTP_SERVER is set]
- # List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- # The list should be seperated by commas.
+ # [Optional]
+ # List of comma separated email addresses to receive email notifications about secrets
+ # detected during pull request scanning. The notification is also sent to the email set
+ # in the committer git profile regardless of whether this variable is set or not.
# JF_EMAIL_RECEIVERS: ""
+
execution:
onExecute:
- cd $res_frogbotGitRepo_resourcePath
diff --git a/docs/templates/jfrog-pipelines/pipelines-maven.yml b/docs/templates/jfrog-pipelines/pipelines-maven.yml
index 578bb7856..091ee29c4 100644
--- a/docs/templates/jfrog-pipelines/pipelines-maven.yml
+++ b/docs/templates/jfrog-pipelines/pipelines-maven.yml
@@ -166,10 +166,12 @@ pipelines:
# Set the email of the commit author
# JF_GIT_EMAIL_AUTHOR: ""
- # [Mandatory if JF_SMTP_SERVER is set]
- # List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- # The list should be seperated by commas.
+ # [Optional]
+ # List of comma separated email addresses to receive email notifications about secrets
+ # detected during pull request scanning. The notification is also sent to the email set
+ # in the committer git profile regardless of whether this variable is set or not.
# JF_EMAIL_RECEIVERS: ""
+
execution:
onExecute:
- cd $res_frogbotGitRepo_resourcePath
diff --git a/docs/templates/jfrog-pipelines/pipelines-npm.yml b/docs/templates/jfrog-pipelines/pipelines-npm.yml
index 85bf15258..bbaa1cd56 100644
--- a/docs/templates/jfrog-pipelines/pipelines-npm.yml
+++ b/docs/templates/jfrog-pipelines/pipelines-npm.yml
@@ -189,10 +189,12 @@ pipelines:
# Set the email of the commit author
# JF_GIT_EMAIL_AUTHOR: ""
- # [Mandatory if JF_SMTP_SERVER is set]
- # List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- # The list should be seperated by commas.
+ # [Optional]
+ # List of comma separated email addresses to receive email notifications about secrets
+ # detected during pull request scanning. The notification is also sent to the email set
+ # in the committer git profile regardless of whether this variable is set or not.
# JF_EMAIL_RECEIVERS: ""
+
execution:
onExecute:
- cd $res_frogbotGitRepo_resourcePath
diff --git a/docs/templates/jfrog-pipelines/pipelines-pip.yml b/docs/templates/jfrog-pipelines/pipelines-pip.yml
index d864371c0..9ecc538c8 100644
--- a/docs/templates/jfrog-pipelines/pipelines-pip.yml
+++ b/docs/templates/jfrog-pipelines/pipelines-pip.yml
@@ -177,9 +177,10 @@ pipelines:
# Set the email of the commit author
# JF_GIT_EMAIL_AUTHOR: ""
- # [Mandatory if JF_SMTP_SERVER is set]
- # List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- # The list should be seperated by commas.
+ # [Optional]
+ # List of comma separated email addresses to receive email notifications about secrets
+ # detected during pull request scanning. The notification is also sent to the email set
+ # in the committer git profile regardless of whether this variable is set or not.
# JF_EMAIL_RECEIVERS: ""
execution:
diff --git a/docs/templates/jfrog-pipelines/pipelines-pipenv.yml b/docs/templates/jfrog-pipelines/pipelines-pipenv.yml
index ff81d7cd5..f33db9667 100644
--- a/docs/templates/jfrog-pipelines/pipelines-pipenv.yml
+++ b/docs/templates/jfrog-pipelines/pipelines-pipenv.yml
@@ -170,10 +170,12 @@ pipelines:
# Set the email of the commit author
# JF_GIT_EMAIL_AUTHOR: ""
- # [Mandatory if JF_SMTP_SERVER is set]
- # List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- # The list should be seperated by commas.
+ # [Optional]
+ # List of comma separated email addresses to receive email notifications about secrets
+ # detected during pull request scanning. The notification is also sent to the email set
+ # in the committer git profile regardless of whether this variable is set or not.
# JF_EMAIL_RECEIVERS: ""
+
execution:
onExecute:
- cd $res_frogbotGitRepo_resourcePath
diff --git a/docs/templates/jfrog-pipelines/pipelines-poetry.yml b/docs/templates/jfrog-pipelines/pipelines-poetry.yml
index f87a47156..e66a7552f 100644
--- a/docs/templates/jfrog-pipelines/pipelines-poetry.yml
+++ b/docs/templates/jfrog-pipelines/pipelines-poetry.yml
@@ -170,9 +170,10 @@ pipelines:
# Set the email of the commit author
# JF_GIT_EMAIL_AUTHOR: ""
- # [Mandatory if JF_SMTP_SERVER is set]
- # List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- # The list should be seperated by commas.
+ # [Optional]
+ # List of comma separated email addresses to receive email notifications about secrets
+ # detected during pull request scanning. The notification is also sent to the email set
+ # in the committer git profile regardless of whether this variable is set or not.
# JF_EMAIL_RECEIVERS: ""
execution:
diff --git a/docs/templates/jfrog-pipelines/pipelines-yarn2.yml b/docs/templates/jfrog-pipelines/pipelines-yarn2.yml
index 3fe5f9036..a114b175b 100644
--- a/docs/templates/jfrog-pipelines/pipelines-yarn2.yml
+++ b/docs/templates/jfrog-pipelines/pipelines-yarn2.yml
@@ -173,9 +173,10 @@ pipelines:
# Set the email of the commit author
# JF_GIT_EMAIL_AUTHOR: ""
- # [Mandatory if JF_SMTP_SERVER is set]
- # List of email addresses to receive emails about secrets that has been detected in a pull request scan.
- # The list should be seperated by commas.
+ # [Optional]
+ # List of comma separated email addresses to receive email notifications about secrets
+ # detected during pull request scanning. The notification is also sent to the email set
+ # in the committer git profile regardless of whether this variable is set or not.
# JF_EMAIL_RECEIVERS: ""
execution:
diff --git a/starter-workflows/README.md b/starter-workflows/README.md
deleted file mode 100644
index 39c118e34..000000000
--- a/starter-workflows/README.md
+++ /dev/null
@@ -1,14 +0,0 @@
-## GitHub Starter Workflows for Frogbot
-
-This directory includes the code for Frogbot's Code Scanning GitHub templates.
-Currently two templates are supported:
-
-1. Frogbot Scan Pull Request - which allows editing and then adding the frogbot-scan-pr.yml workflow.
-2. Frogbot Scan and Fix - which allows editing and then adding the forgbot-fix.yml workflow.
-
-To start using Starter-Workflows, please refer to
-the [Using starter workflows GitHub documentation.](https://docs.github.com/en/actions/using-workflows/using-starter-workflows)
-
-Whenever you make any changes to files in this directory, you should update them in the following repository as well, so
-that they become public.
-https://github.com/actions/starter-workflows/tree/main/code-scanning
\ No newline at end of file
diff --git a/starter-workflows/code-scanning/frogbot-scan-and-fix.yml b/starter-workflows/code-scanning/frogbot-scan-and-fix.yml
deleted file mode 100644
index dfebe40ab..000000000
--- a/starter-workflows/code-scanning/frogbot-scan-and-fix.yml
+++ /dev/null
@@ -1,140 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-# Frogbot Scan and Fix does the following:
-# Automatically creates pull requests with fixes for vulnerable project dependencies.
-# Uses JFrog Xray to scan the project.
-# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
-
-# The structure of some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
-
-name: "Frogbot Scan and Fix"
-on:
- schedule:
- # The repository will be scanned once a day at 00:00 GMT.
- - cron: "0 0 * * *"
-permissions:
- contents: write
- pull-requests: write
- security-events: write
-jobs:
- scan-repository:
- runs-on: ubuntu-latest
- strategy:
- matrix:
- # The repository scanning will be triggered periodically on the following branches.
- branch: [ "dev" ]
- steps:
- - uses: actions/checkout@v3
- with:
- ref: ${{ matrix.branch }}
-
- # IMPORTANT:
- # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
- # 2. The structure of some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
-
- - uses: jfrog/frogbot@b03f17265a90e238f6c5fa6ab010357d56615381
- env:
- # [Mandatory]
- # JFrog platform URL
- JF_URL: ${{ secrets.JF_URL }}
-
- # [Mandatory if JF_USER and JF_PASSWORD are not provided]
- # JFrog access token with 'read' permissions on Xray service
- JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
-
- # [Mandatory if JF_ACCESS_TOKEN is not provided]
- # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
- # JF_USER: ${{ secrets.JF_USER }}
-
- # [Mandatory if JF_ACCESS_TOKEN is not provided]
- # JFrog password. Must be provided with JF_USER
- # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
-
- # [Mandatory]
- # The GitHub token automatically generated for the job
- JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- # [Optional]
- # By default, the Frogbot workflows download the Frogbot executable as well as other tools
- # needed from https://releases.jfrog.io
- # If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
- # executable to be downloaded from an Artifactory instance, which the machine has access to:
- #
- # 1. Login to the Artifactory UI, with a user which has admin credentials.
- # 2. Create a Remote Repository with the following properties set.
- # Under the 'Basic' tab:
- # Package Type: Generic
- # URL: https://releases.jfrog.io
- # Under the 'Advanced' tab:
- # Uncheck the 'Store Artifacts Locally' option
- # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
- # JF_RELEASES_REPO: ""
-
- ##########################################################################
- ## If you project uses a 'frogbot-config.yml' file, you can define ##
- ## the following variables inside the file, instead of here. ##
- ##########################################################################
-
- # [Mandatory if the two conditions below are met]
- # 1. The project uses yarn 2, NuGet or .NET Core to download its dependencies
- # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
- #
- # The command that installs the project dependencies (e.g "nuget restore")
- # JF_INSTALL_DEPS_CMD: ""
-
- # [Optional, default: "."]
- # Relative path to the root of the project in the Git repository
- # JF_WORKING_DIR: path/to/project/dir
-
- # [Optional]
- # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
- # JF_WATCHES: ,...
-
- # [Optional]
- # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
- # JF_PROJECT:
-
- # [Optional, default: "FALSE"]
- # Displays all existing vulnerabilities, including the ones that were added by the pull request.
- # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
-
- # [Optional, default: "TRUE"]
- # Fails the Frogbot task if any security issue is found.
- # JF_FAIL: "FALSE"
-
- # [Optional]
- # Frogbot will download the project dependencies, if they're not cached locally. To download the
- # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
- # need to set this value, if it is set in the frogbot-config.yml file.
- # JF_DEPS_REPO: ""
-
- # [Optional]
- # Relative path to a Pip requirements.txt file. If not set, the python project's dependencies are determined and scanned using the project setup.py file.
- # JF_REQUIREMENTS_FILE: ""
-
- # [Optional, Default: "TRUE"]
- # Use Gradle wrapper.
- # JF_USE_WRAPPER: "FALSE"
-
- # [Optional]
- # Template for the branch name generated by Frogbot when creating pull requests with fixes.
- # The template must include ${BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
- # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
- # JF_BRANCH_NAME_TEMPLATE: "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}"
-
- # [Optional]
- # Template for the commit message generated by Frogbot when creating pull requests with fixes
- # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
- # JF_COMMIT_MESSAGE_TEMPLATE: "Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
-
- # [Optional]
- # Template for the pull request title generated by Frogbot when creating pull requests with fixes.
- # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
- # JF_PULL_REQUEST_TITLE_TEMPLATE: "[🐸 Frogbot] Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
-
- # [Optional, Default: "FALSE"]
- # If TRUE, Frogbot creates a single pull request with all the fixes.
- # If FALSE, Frogbot creates a separate pull request for each fix.
- # JF_GIT_AGGREGATE_FIXES: "FALSE"
diff --git a/starter-workflows/code-scanning/frogbot-scan-pr.yml b/starter-workflows/code-scanning/frogbot-scan-pr.yml
deleted file mode 100644
index c72c7ded3..000000000
--- a/starter-workflows/code-scanning/frogbot-scan-pr.yml
+++ /dev/null
@@ -1,118 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-# Frogbot Scan Pull Request does the following:
-# Automatically scans new pull requests for security vulnerabilities.
-# Uses JFrog Xray to scan the project.
-# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
-
-# The structure of some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
-
-name: "Frogbot Scan Pull Request"
-on:
- pull_request_target:
- types: [ opened, synchronize ]
-permissions:
- pull-requests: write
- contents: read
-jobs:
- scan-pull-request:
- runs-on: ubuntu-latest
- # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
- # "frogbot" GitHub environment can approve the pull request to be scanned.
- # Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md
- environment: frogbot
- steps:
- # IMPORTANT:
- # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
- # 2. The structure of some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
-
- - uses: jfrog/frogbot@b03f17265a90e238f6c5fa6ab010357d56615381
- env:
- # [Mandatory]
- # JFrog platform URL
- JF_URL: ${{ secrets.JF_URL }}
-
- # [Mandatory if JF_USER and JF_PASSWORD are not provided]
- # JFrog access token with 'read' permissions on Xray service
- JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
-
- # [Mandatory if JF_ACCESS_TOKEN is not provided]
- # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
- # JF_USER: ${{ secrets.JF_USER }}
-
- # [Mandatory if JF_ACCESS_TOKEN is not provided]
- # JFrog password. Must be provided with JF_USER
- # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
-
- # [Mandatory]
- # The GitHub token automatically generated for the job
- JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- # [Optional]
- # By default, the Frogbot workflows download the Frogbot executable as well as other tools
- # needed from https://releases.jfrog.io
- # If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
- # executable to be downloaded from an Artifactory instance, which the machine has access to:
- #
- # 1. Login to the Artifactory UI, with a user which has admin credentials.
- # 2. Create a Remote Repository with the following properties set.
- # Under the 'Basic' tab:
- # Package Type: Generic
- # URL: https://releases.jfrog.io
- # Under the 'Advanced' tab:
- # Uncheck the 'Store Artifacts Locally' option
- # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
- # JF_RELEASES_REPO: ""
-
- #######################################################################
- ## If you project uses a 'frogbot-config.yml' file, you can define ##
- ## the following variables inside the file, instead of here. ##
- #######################################################################
-
- # [Mandatory if the two conditions below are met]
- # 1. The project uses yarn 2, NuGet or .NET to download its dependencies
- # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
- #
- # The command that installs the project dependencies (e.g "nuget restore")
- # JF_INSTALL_DEPS_CMD: ""
-
- # [Optional, default: "."]
- # Relative path to the root of the project in the Git repository
- # JF_WORKING_DIR: path/to/project/dir
-
- # [Optional]
- # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
- # JF_WATCHES: ,...
-
- # [Optional]
- # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
- # JF_PROJECT:
-
- # [Optional, default: "FALSE"]
- # Displays all existing vulnerabilities, including the ones that were added by the pull request.
- # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
-
- # [Optional, default: "TRUE"]
- # Fails the Frogbot task if any security issue is found.
- # JF_FAIL: "FALSE"
-
- # [Optional]
- # Frogbot will download the project dependencies, if they're not cached locally. To download the
- # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
- # need to set this value, if it is set in the frogbot-config.yml file.
- # JF_DEPS_REPO: ""
-
- # [Optional]
- # Relative path to a Pip requirements.txt file. If not set, the python project's dependencies are determined and scanned using the project setup.py file.
- # JF_REQUIREMENTS_FILE: ""
-
- # [Optional, Default: "TRUE"]
- # Use Gradle wrapper.
- # JF_USE_WRAPPER: "FALSE"
-
- # [Optional, Default: "FALSE"]
- # If TRUE, Frogbot creates a single pull request with all the fixes.
- # If FALSE, Frogbot creates a separate pull request for each fix.
- # JF_GIT_AGGREGATE_FIXES: "FALSE"
diff --git a/starter-workflows/code-scanning/properties/frogbot-scan-and-fix.properties.json b/starter-workflows/code-scanning/properties/frogbot-scan-and-fix.properties.json
deleted file mode 100644
index 1898ff35a..000000000
--- a/starter-workflows/code-scanning/properties/frogbot-scan-and-fix.properties.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "Frogbot Scan and Fix",
- "description": "Automatically creates pull requests with fixes for vulnerable project dependencies. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.",
- "iconName": "frogbot",
- "categories": [
- "Code Scanning",
- "Go Module",
- "Maven POM",
- "NPM Config",
- "Gradle",
- "C#",
- "Python"
- ],
- "organization": "JFrog"
-}
diff --git a/starter-workflows/code-scanning/properties/frogbot-scan-pr.properties.json b/starter-workflows/code-scanning/properties/frogbot-scan-pr.properties.json
deleted file mode 100644
index 8fefa01ab..000000000
--- a/starter-workflows/code-scanning/properties/frogbot-scan-pr.properties.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "name": "Frogbot Scan Pull Request",
- "description": "Automatically scans new pull requests for security vulnerabilities. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.",
- "iconName": "frogbot",
- "categories": [
- "Code Scanning",
- "Go Module",
- "Maven POM",
- "NPM Config",
- "Gradle",
- "C#",
- "Python"
- ],
- "organization": "JFrog"
-}
diff --git a/starter-workflows/icons/frogbot.svg b/starter-workflows/icons/frogbot.svg
deleted file mode 100644
index 95de1626f..000000000
--- a/starter-workflows/icons/frogbot.svg
+++ /dev/null
@@ -1,43 +0,0 @@
-