-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathSecurityCodeScan-example.toml
More file actions
75 lines (64 loc) · 2.57 KB
/
SecurityCodeScan-example.toml
File metadata and controls
75 lines (64 loc) · 2.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
[source-code]
relativeDirectory='' # source code directory specified by relative directory name (overrides projectFileDirectoryPatterns)
projectFileDirectoryPatterns=['*.sln','*.csproj','*.vbproj','*.fsproj'] # patterns (e.g., *.sln,*.csproj) to find source code directory by largest, first file found
[request] # (reserved for Code Dx use)
# The image name contains the Docker image that handles this scan request file.
#
imageName = "codedx/codedx-securitycodescanrunner:v1.57.0"
# The work directory stores k8s secrets, trusted CA certificates,a copy of the scan request
# file, and the exit code file. The user running the Docker image *must* have write access
# to the work directory.
#
# $workDirectory/analysis-exit-code - exit code of the shell command
# $workDirectory/ca-certificates - trusted CA certificates
# $workDirectory/config/request.toml - a copy of the scan request file
# $workDirectory/input - analysis input
# $workDirectory/workflow-secrets - workflow secrets
#
workDirectory = "/opt/codedx/securitycodescan/work"
# The shell cmd to run as the entry point for the tool.
#
shellCmd = '''
source=$(ls /opt/codedx/securitycodescan/work/input)
pwsh /opt/codedx/securitycodescan/script/SecurityCodeScan.ps1 \
"/opt/codedx/securitycodescan/work/input/$source" \
/opt/codedx/securitycodescan/work/output/securitycodescan.output \
/opt/codedx/securitycodescan/work/config/request.toml
'''
# The result file contains the tool output provided to Code Dx.
#
resultFilePath = "/opt/codedx/securitycodescan/work/output/securitycodescan.output"
# The Intelligent Orchestration security activities supported by this tool (e.g., sca, sast, dast)
#
securityActivities = ['sast']
# The list of emptyDir volumes for the tool. The /.cache and /.local are needed when not using uid 1000.
#
ephemeralVolumePaths = ["/tmp","/.cache","/.local","/.dotnet","/.nuget","/home/securitycodescan/.cache","/home/securitycodescan/.local","/home/securitycodescan/.dotnet","/home/securitycodescan/.nuget","/opt/codedx/securitycodescan/work","/opt/codedx/securitycodescan/work/output"]
[request.workflowSecurityContext]
# The pod security context for the tool.
#
podSecurityContext = '''
{
"fsGroup": 1000,
"runAsGroup": 1000,
"runAsUser": 1000,
"runAsNonRoot": true,
"seccompProfile": {
"type": "RuntimeDefault"
},
"supplementalGroups": []
}
'''
# The container security context for the tool.
#
securityContext = '''
{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"readOnlyRootFilesystem": true
}
'''