Added GitHub security tab in createfixpullrequests #107

Merged 28 commits, Aug 22, 2022

Commits (28):
863c82f
Update test.yml
omerzi Jun 28, 2022
1ce8079
Merge remote-tracking branch 'fork/dev' into dev
omerzi Jun 29, 2022
6d77eb2
Merge pull request #9 from jfrog/dev
omerzi Jul 5, 2022
d2c64d6
Added support for SARIF format as audit output
omerzi Jul 6, 2022
ee978a4
Added support for SARIF format as audit output
omerzi Jul 6, 2022
43c9ef2
Merge remote-tracking branch 'fork/security-tab' into security-tab
omerzi Jul 17, 2022
4ab1cd1
Merge remote-tracking branch 'fork/security-tab' into security-tab
omerzi Jul 17, 2022
a2e4627
Merge remote-tracking branch 'fork/security-tab' into security-tab
omerzi Jul 17, 2022
b4ce434
Merge remote-tracking branch 'fork/security-tab' into security-tab
omerzi Jul 17, 2022
dcaa944
Merge remote-tracking branch 'fork/security-tab' into security-tab
omerzi Jul 17, 2022
9733180
Merge remote-tracking branch 'fork/security-tab' into security-tab
omerzi Jul 17, 2022
90ccf7a
Update package.json
omerzi Jul 17, 2022
3c66b8c
Merge remote-tracking branch 'fork/security-tab' into security-tab
omerzi Jul 17, 2022
04ca4e3
Merge remote-tracking branch 'fork/security-tab' into security-tab
omerzi Jul 17, 2022
b4504fb
Update createfixpullrequests_test.go
omerzi Jul 25, 2022
05ab091
Merge branch 'dev' of https://github.com/jfrog/frogbot into security-tab
omerzi Jul 25, 2022
bcf4ef5
Merge branch 'dev' of https://github.com/jfrog/frogbot into security-tab
omerzi Aug 2, 2022
4e12321
Merge branch 'dev' of https://github.com/jfrog/frogbot into security-tab
omerzi Aug 2, 2022
8c02893
Merge branch 'dev' of https://github.com/omerzi/frogbot into security…
omerzi Aug 3, 2022
76a4641
Merge remote-tracking branch 'fork/security-tab' into security-tab
omerzi Aug 3, 2022
17ee470
Merge branch 'dev' of https://github.com/jfrog/frogbot into security-tab
omerzi Aug 17, 2022
9216152
Code review changes
omerzi Aug 17, 2022
1dafcd6
Code review changes
omerzi Aug 17, 2022
fd59886
Code review changes
omerzi Aug 17, 2022
e76f530
Merge remote-tracking branch 'fork/security-tab' into security-tab
omerzi Aug 17, 2022
c479882
Merge branch 'dev' of https://github.com/jfrog/frogbot into security-tab
omerzi Aug 22, 2022
989501b
Merge branch 'dev' of https://github.com/jfrog/frogbot into security-tab
omerzi Aug 22, 2022
fdf065b
Merge remote-tracking branch 'fork/security-tab' into security-tab
omerzi Aug 22, 2022
Merge branch 'dev' of https://github.com/jfrog/frogbot into security-tab
omerzi committed Aug 22, 2022
commit c479882fb2c46f4b8c834f3f199a12194ab37518
30 changes: 26 additions & 4 deletions README.md
Expand Up @@ -98,8 +98,24 @@ If new vulnerabilities are found, Frogbot adds them as a comment on the pull req
| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/mediumSeverity.png) Medium | github.com/nats-io/nats-streaming-server | v0.21.0 | [0.24.3] | github.com/nats-io/nats-streaming-server | v0.21.0 | CVE-2022-26652 |

## Pull requests opening
Frogbot scans your Git repository and automatically opens pull requests for upgrading vulnerable dependencies to a version with a fix.
Frogbot uses [JFrog Xray](https://jfrog.com/xray/) for the scanning. The scanning is triggered following commits that are pushed to the repository. For pull requests opening, please note that GitHub and GitLab are currently supported and Bitbucket will be supported soon. Projects that use one of the following tools to download their dependencies are currently supported.

Frogbot scans your Git repository and automatically opens pull requests for upgrading vulnerable dependencies to a
version with a fix.
Frogbot uses [JFrog Xray](https://jfrog.com/xray/) for the scanning.

Frogbot uploads the scanning results under the 'Code scanning alerts' section of the repository's Security tab:

![img.png](img.png)

You can see all the vulnerable packages that Frogbot identified here:

![img_1.png](img_1.png)

**NOTE that the code scanning alerts must be enabled.**

The scanning is triggered following commits that are pushed to the repository. For pull requests opening, please note
that GitHub and GitLab are currently supported and Bitbucket will be supported soon. Projects that use one of the
following tools to download their dependencies are currently supported.

- npm
- Maven
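Review bot: the new paragraph `Frogbot uploads the scanning results under the 'Code scanning alerts' section of the repository's Security tab:` should state that this applies to GitHub only; the same section lists GitLab as supported for pull-request opening, and the PR title itself scopes the feature to the GitHub Security tab, so a GitLab reader will look for a tab that does not exist. The two screenshots are also added with empty alt text and generic names at the repository root (`![img.png](img.png)`, `![img_1.png](img_1.png)`); consider descriptive alt text and filenames, and placing them under the existing `resources/` directory that the severity icons above are served from. The bold note that code scanning alerts must be enabled would be more useful with a pointer to where in the repository settings that is done, since the command fails without it.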
Expand All @@ -108,16 +124,22 @@ Frogbot uses [JFrog Xray](https://jfrog.com/xray/) for the scanning. The scannin
<div id="installing-and-using-frogbot"></div>

## 🖥️ Installing and using Frogbot

### General
1. Frogbot requires a JFrog environment to scan pull requests. Don't have a JFrog environment? No problem - [Set Up a FREE JFrog Environment in the Cloud](#set-up-a-free-jfrog-environment-in-the-cloud). You'll later save the connection details (URL, username, and password) as secrets in Git.

1. Frogbot requires a JFrog environment to scan pull requests. Don't have a JFrog environment? No problem
- [Set Up a FREE JFrog Environment in the Cloud](#set-up-a-free-jfrog-environment-in-the-cloud). You'll later save
the connection details (URL, username, and password) as secrets in Git.
2. [Setting up Frogbot on GitHub repositories](#setting-up-frogbot-on-github-repositories)
3. [Setting up Frogbot on GitLab repositories](#setting-up-frogbot-on-gitlab-repositories)
4. [Setting up Frogbot on Bitbucket Server repositories](#setting-up-frogbot-on-bitbucket-server-repositories)

### Set up a FREE JFrog Environment in the cloud

Need a FREE JFrog environment in the cloud, so Frogbot can scan your pull requests?

Just run one of the following commands in your terminal, to set up an environment in less than a minute. The commands will do the following:
Just run one of the following commands in your terminal, to set up an environment in less than a minute. The commands
will do the following:

1. Install [JFrog CLI](https://www.jfrog.com/confluence/display/CLI/JFrog+CLI) on your machine.
2. Create a FREE JFrog environment in the cloud for you.
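Review bot: the reflow of step 1 breaks the sentence so that `- [Set Up a FREE JFrog Environment in the Cloud](#set-up-a-free-jfrog-environment-in-the-cloud). You'll later save` starts a line of its own; inside a numbered list, a line beginning with `- ` is parsed by Markdown as a nested bullet, so the rendered step will show "No problem" followed by a bullet point instead of the original inline dash. Keep the dash on the same line as "No problem" (wrap after the link instead) or use a colon as the separator. The remaining changes in this hunk are line wrapping only and read the same as before.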
Expand Down
4 changes: 2 additions & 2 deletions commands/createfixpullrequests.go
Expand Up @@ -21,13 +21,13 @@ type CreateFixPullRequestsCmd struct {
}

func (cfp CreateFixPullRequestsCmd) Run(params *utils.FrogbotParams, client vcsclient.VcsClient) error {
//Scan the current Branch
// Scan the current Branch
scanResults, err := cfp.scan(params)
if err != nil {
return err
}

//Upload scan results to the relevant Git provider code scanning UI
// Upload scan results to the relevant Git provider code scanning UI
err = utils.UploadScanToGitProvider(scanResults, params, client)
if err != nil {
return err
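Review bot: the only change in this hunk is comment spacing, but the flow it touches deserves a second look: `err = utils.UploadScanToGitProvider(scanResults, params, client)` followed by `return err` aborts `Run` on any upload failure, before the collapsed remainder of the function (presumably the fix pull request creation this command exists for) executes. The README in this same commit states that code scanning alerts must be enabled, so on a repository where they are not, or where the token lacks the permission to upload results, the command will fail without opening any fix pull requests. Either log the upload error and continue to the fix-PR step, or document that a working code scanning upload is a hard requirement of `createfixpullrequests`.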
Expand Down
Binary file added img.png
Binary file added img_1.png