From ecb9cf8ad82305a1d14bf137e9dc9359f2bb7abe Mon Sep 17 00:00:00 2001
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Tue, 25 Mar 2025 17:14:16 +0530
Subject: [PATCH 01/14] Update frogbot-scan-pull-request.yml

---
 .github/workflows/frogbot-scan-pull-request.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/frogbot-scan-pull-request.yml b/.github/workflows/frogbot-scan-pull-request.yml
index 771a71d7..305f1f79 100644
--- a/.github/workflows/frogbot-scan-pull-request.yml
+++ b/.github/workflows/frogbot-scan-pull-request.yml
@@ -42,3 +42,18 @@ jobs:
 # Insert to oidc-provider-name the 'Provider Name' defined in the OIDC integration configured in the JPD
 # with:
 # oidc-provider-name: ""
+ # [Optional]
+ # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
+ JF_WATCHES: srs
+
+ # [Optional]
+ # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
+ #JF_PROJECT: genai
+
+ # [Optional, default: "TRUE"]
+ # Fails the Frogbot task if any security issue is found.
+ JF_FAIL: "FALSE"
+
+ # [Optional, default: "FALSE"]
+ # Displays all existing vulnerabilities, including the ones that were added by the pull request.
+ JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"

From 467ecd77097c11fbe2c9d8c2b1edb9f3159701f3 Mon Sep 17 00:00:00 2001
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Sat, 3 May 2025 19:02:43 +0530
Subject: [PATCH 02/14] Set up CI with Azure Pipelines [skip ci]

---
 azure-pipelines.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index e53f129e..a6a12183 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
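Review bot: `JF_FAIL: "FALSE"` turns the pull-request scan into an advisory check: a pull request that introduces a vulnerability no longer fails this job, so nothing in the workflow blocks the merge. If that is intended, say why in the comment above it, e.g. `# Set to "FALSE" so findings are reported without blocking merges; revisit once the backlog is triaged`, otherwise delete the line and keep the default. Combined with `JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"`, every pre-existing finding is re-reported on each pull request as well, which buries the ones the pull request actually adds.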
@@ -5,7 +5,19 @@
 
 trigger:
 - master
-
+- task: ArtifactoryMaven@2
+ inputs:
+ mavenPomFile: 'pom.xml'
+ goals: 'install'
+ artifactoryResolverService: 'adoption Artifactory'
+ targetResolveReleaseRepo: 'pepsico-libs-release'
+ targetResolveSnapshotRepo: 'pepsico-libs-snapshot'
+ artifactoryDeployService: 'adoption Artifactory'
+ targetDeployReleaseRepo: 'pepsico-libs-release'
+ targetDeploySnapshotRepo: 'pepsico-libs-snapshot'
+ collectBuildInfo: true
+ buildName: '$(Build.DefinitionName)'
+ buildNumber: '$(Build.BuildNumber)'
 pool:
 name: davidka
 

From 9745e78db5a49995352d32096abbb4778d6dda49 Mon Sep 17 00:00:00 2001
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Sat, 3 May 2025 19:06:22 +0530
Subject: [PATCH 03/14] Update azure-pipelines.yml

---
 azure-pipelines.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index a6a12183..3e9eb8be 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -5,6 +5,11 @@
 
 trigger:
 - master
+
+pool:
+ name: davidka
+
+steps:
 - task: ArtifactoryMaven@2
 inputs:
 mavenPomFile: 'pom.xml'
@@ -18,10 +23,7 @@ trigger:
 collectBuildInfo: true
 buildName: '$(Build.DefinitionName)'
 buildNumber: '$(Build.BuildNumber)'
-pool:
- name: davidka
 
-steps:
 - script: echo Hello, world!
 displayName: 'Run a one-line script'
 

From 29f15d61384fe73a561cf12b13816c5300f1ae91 Mon Sep 17 00:00:00 2001
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Sat, 3 May 2025 19:09:05 +0530
Subject: [PATCH 04/14] Delete azure-pipelines.yml

---
 azure-pipelines.yml | 33 ---------------------------------
 1 file changed, 33 deletions(-)
 delete mode 100644 azure-pipelines.yml

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
deleted file mode 100644
index 3e9eb8be..00000000
--- a/azure-pipelines.yml
+++ /dev/null
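Review bot: The new `- task: ArtifactoryMaven@2` item is inserted directly after `- master` under `trigger:`, so in this revision it parses as a second trigger entry rather than as a pipeline step; the `steps:` key it belongs under is still further down the file. PATCH 03 moves `pool:` and `steps:` above the task, which fixes this, so the two commits should be squashed so that no intermediate revision carries an invalid pipeline. If the pipeline is kept, the repository names and the `adoption Artifactory` service connection are each spelled out twice (resolve and deploy); pulling them into `variables:` keeps resolver and deployer from drifting apart.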
@@ -1,33 +0,0 @@
-# Starter pipeline
-# Start with a minimal pipeline that you can customize to build and deploy your code.
-# Add steps that build, run tests, deploy, and more:
-# https://aka.ms/yaml
-
-trigger:
-- master
-
-pool:
- name: davidka
-
-steps:
-- task: ArtifactoryMaven@2
- inputs:
- mavenPomFile: 'pom.xml'
- goals: 'install'
- artifactoryResolverService: 'adoption Artifactory'
- targetResolveReleaseRepo: 'pepsico-libs-release'
- targetResolveSnapshotRepo: 'pepsico-libs-snapshot'
- artifactoryDeployService: 'adoption Artifactory'
- targetDeployReleaseRepo: 'pepsico-libs-release'
- targetDeploySnapshotRepo: 'pepsico-libs-snapshot'
- collectBuildInfo: true
- buildName: '$(Build.DefinitionName)'
- buildNumber: '$(Build.BuildNumber)'
-
-- script: echo Hello, world!
- displayName: 'Run a one-line script'
-
-- script: |
- echo Add other tasks to build, test, and deploy your project.
- echo See https://aka.ms/yaml
- displayName: 'Run a multi-line script'

From 4f4c57a4fb69b75dd05c9730a1a6e522cdb9ff57 Mon Sep 17 00:00:00 2001
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Fri, 5 Sep 2025 21:49:26 +0530
Subject: [PATCH 05/14] Update frogbot-scan-repository.yml

---
 .github/workflows/frogbot-scan-repository.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/frogbot-scan-repository.yml b/.github/workflows/frogbot-scan-repository.yml
index 6d4906d4..e4768f56 100644
--- a/.github/workflows/frogbot-scan-repository.yml
+++ b/.github/workflows/frogbot-scan-repository.yml
@@ -35,6 +35,7 @@ jobs:
 # [Mandatory if JF_ACCESS_TOKEN is not provided]
 # JFrog password. Must be provided with JF_USER
 # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+ JFROG_CLI_CA_CERT_PATH: "/builds/$CI_PROJECT_PATH/xray-root-ca.pem"
 
 # [Mandatory]
 # The GitHub token is automatically generated for the job

From ee33677984a70226215afd1a2767c7f54656c05b Mon Sep 17 00:00:00 2001
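Review bot: `JFROG_CLI_CA_CERT_PATH: "/builds/$CI_PROJECT_PATH/xray-root-ca.pem"` carries a GitLab CI variable and a GitLab runner path into a GitHub Actions workflow; `env:` values are not shell-expanded there, so the tool receives the literal string `/builds/$CI_PROJECT_PATH/xray-root-ca.pem`, which does not exist on a GitHub runner. If a private CA must be trusted, point at a file that is actually present on the runner, e.g. `JFROG_CLI_CA_CERT_PATH: ${{ github.workspace }}/xray-root-ca.pem`, and make sure the step that provides that file runs before the Frogbot step (the hunk shows only the env block, so this cannot be confirmed here). The line is also dropped into the `# [Mandatory if JF_ACCESS_TOKEN is not provided]` password block without a comment; give it its own `# [Optional]` header stating which server's CA it trusts and why, in the style of the surrounding settings.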
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Mon, 8 Sep 2025 21:38:27 +0530
Subject: [PATCH 06/14] Update frogbot-scan-repository.yml

---
 .github/workflows/frogbot-scan-repository.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/frogbot-scan-repository.yml b/.github/workflows/frogbot-scan-repository.yml
index e4768f56..47e1e237 100644
--- a/.github/workflows/frogbot-scan-repository.yml
+++ b/.github/workflows/frogbot-scan-repository.yml
@@ -26,7 +26,7 @@ jobs:
 
 # [Mandatory if JF_USER and JF_PASSWORD are not provided]
 # JFrog access token with 'read' permissions on Xray service
- JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+ #JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
 
 # [Mandatory if JF_ACCESS_TOKEN is not provided]
 # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
@@ -49,3 +49,5 @@ jobs:
 # Insert to oidc-provider-name the 'Provider Name' defined in the OIDC integration configured in the JPD
 # with:
 # oidc-provider-name: ""
+ with:
+ oidc-provider-name: "shashwathr"

From 54a2c4b3bea2762276b8cbcbbad72d07281b4e58 Mon Sep 17 00:00:00 2001
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Mon, 8 Sep 2025 21:43:24 +0530
Subject: [PATCH 07/14] Update frogbot-scan-repository.yml

---
 .github/workflows/frogbot-scan-repository.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/frogbot-scan-repository.yml b/.github/workflows/frogbot-scan-repository.yml
index 47e1e237..2b76ffe1 100644
--- a/.github/workflows/frogbot-scan-repository.yml
+++ b/.github/workflows/frogbot-scan-repository.yml
@@ -8,6 +8,7 @@ permissions:
 contents: write
 pull-requests: write
 security-events: write
+ id-token: write
 # [Mandatory If using OIDC authentication protocol instead of JF_ACCESS_TOKEN]
 # id-token: write
 jobs:

From d5f36cc696c1064dfb0f3eb02a7dedc5b44ccbee Mon Sep 17 00:00:00 2001
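Review bot: This commit disables the stored token (`#JF_ACCESS_TOKEN`) and switches the Frogbot step to OIDC via `oidc-provider-name: "shashwathr"`, but the permission the file's own comment marks as mandatory for that mode (`# [Mandatory If using OIDC authentication protocol instead of JF_ACCESS_TOKEN]` / `# id-token: write`, visible in PATCH 07's context) is not granted until PATCH 07, so this revision can authenticate neither way; squash the two. The added `with:` block follows the commented `# oidc-provider-name: ""` hint that sits inside the `env:` mapping, and since indentation is not recoverable from this diff it is worth confirming that `with:` lands at the step level, as a sibling of `uses:`/`env:`, rather than inside `env:`, where a mapping is not a valid variable value. Prefer replacing the template's commented example with the live lines over keeping both copies.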
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Fri, 24 Oct 2025 11:03:22 +0530
Subject: [PATCH 08/14] Comment out JF_WATCHES in frogbot workflow

Comment out JF_WATCHES variable in workflow file
---
 .github/workflows/frogbot-scan-pull-request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/frogbot-scan-pull-request.yml b/.github/workflows/frogbot-scan-pull-request.yml
index 305f1f79..bf84791a 100644
--- a/.github/workflows/frogbot-scan-pull-request.yml
+++ b/.github/workflows/frogbot-scan-pull-request.yml
@@ -44,7 +44,7 @@ jobs:
 # oidc-provider-name: ""
 # [Optional]
 # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
- JF_WATCHES: srs
+ #JF_WATCHES: srs
 
 # [Optional]
 # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects

From c008af9950eddf4152e24a18817f7fcbb5ebf612 Mon Sep 17 00:00:00 2001
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Tue, 28 Oct 2025 11:27:54 +0530
Subject: [PATCH 09/14] Update frogbot-scan-repository.yml

---
 .github/workflows/frogbot-scan-repository.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/frogbot-scan-repository.yml b/.github/workflows/frogbot-scan-repository.yml
index 2b76ffe1..d303128d 100644
--- a/.github/workflows/frogbot-scan-repository.yml
+++ b/.github/workflows/frogbot-scan-repository.yml
@@ -50,5 +50,5 @@ jobs:
 # Insert to oidc-provider-name the 'Provider Name' defined in the OIDC integration configured in the JPD
 # with:
 # oidc-provider-name: ""
- with:
- oidc-provider-name: "shashwathr"
+ #with:
+ # oidc-provider-name: "shashwathr"

From 29767ebf5ea8870a9ebf2f456932f6225f4ef335 Mon Sep 17 00:00:00 2001
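Review bot: After this change the repository-scan workflow has no active credential left: `JF_ACCESS_TOKEN` was commented out in PATCH 06, `# JF_PASSWORD` is still commented in the context shown in PATCH 05, and the OIDC `with:` block is now commented too, so the Frogbot step presumably cannot authenticate and the scheduled scan fails until PATCH 13 restores the token. A scan that fails quietly for months is worse than no scan, so re-enable one method in the same commit or squash this with PATCH 13. Delete the `#with:` / `# oidc-provider-name: "shashwathr"` lines instead of keeping them next to the template's own commented example, which already documents the option.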
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Wed, 18 Feb 2026 21:47:04 +0530
Subject: [PATCH 10/14] Uncomment JF_WATCHES in frogbot-scan workflow

---
 .github/workflows/frogbot-scan-pull-request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/frogbot-scan-pull-request.yml b/.github/workflows/frogbot-scan-pull-request.yml
index bf84791a..305f1f79 100644
--- a/.github/workflows/frogbot-scan-pull-request.yml
+++ b/.github/workflows/frogbot-scan-pull-request.yml
@@ -44,7 +44,7 @@ jobs:
 # oidc-provider-name: ""
 # [Optional]
 # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
- #JF_WATCHES: srs
+ JF_WATCHES: srs
 
 # [Optional]
 # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects

From 500010a5063876d8263eba615a4c227196833bd3 Mon Sep 17 00:00:00 2001
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Wed, 18 Feb 2026 22:02:06 +0530
Subject: [PATCH 11/14] Update comment in frogbot-scan-pull-request.yml

Added a note indicating that any GitHub user associated with the 'frogbot' environment can approve the pull request for scanning.
---
 .github/workflows/frogbot-scan-pull-request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/frogbot-scan-pull-request.yml b/.github/workflows/frogbot-scan-pull-request.yml
index 305f1f79..49eacf5f 100644
--- a/.github/workflows/frogbot-scan-pull-request.yml
+++ b/.github/workflows/frogbot-scan-pull-request.yml
@@ -11,7 +11,7 @@ jobs:
 scan-pull-request:
 runs-on: ubuntu-latest
 # A pull request needs to be approved before Frogbot scans it. Any GitHub user who is associated with the
- # "frogbot" GitHub environment can approve the pull request to be scanned.
+ # "frogbot" GitHub environment can approve the pull request to be scanned. Dummy
 environment: frogbot
 steps:
 - uses: jfrog/frogbot@v2
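Review bot: The appended word `Dummy` is ambiguous on a line whose sentence describes the `frogbot` GitHub environment as the approval gate for scanning pull requests with this job's credentials; read literally it says the gate is a placeholder. If the environment really has no protection rules, the approval the comment describes is not enforced and the comment should say so plainly, e.g. `# NOTE: the "frogbot" environment currently has no required reviewers, so this approval gate is not enforced.`; if it is protected, drop the word. The commit message says a note about who can approve was added, but that sentence was already present on the removed line — the only new text is `Dummy`, so the message should describe that instead.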
From ea8a01ef224d8d31ca45e060b5f5d60fe74dd005 Mon Sep 17 00:00:00 2001
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Tue, 24 Feb 2026 21:38:21 +0530
Subject: [PATCH 12/14] Update frogbot-scan-repository.yml

---
 .github/workflows/frogbot-scan-repository.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/frogbot-scan-repository.yml b/.github/workflows/frogbot-scan-repository.yml
index d303128d..cb796b47 100644
--- a/.github/workflows/frogbot-scan-repository.yml
+++ b/.github/workflows/frogbot-scan-repository.yml
@@ -45,6 +45,7 @@ jobs:
 # [Mandatory]
 # The name of the branch on which Frogbot will perform the scan
 JF_GIT_BASE_BRANCH: ${{ matrix.branch }}
+ JF_WATCHES: srs
 
 # [Mandatory if using OIDC authentication protocol instead of JF_ACCESS_TOKEN]
 # Insert to oidc-provider-name the 'Provider Name' defined in the OIDC integration configured in the JPD

From a2e9c120cb497e394249f6df53ca09705b9dce97 Mon Sep 17 00:00:00 2001
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Tue, 24 Feb 2026 21:42:09 +0530
Subject: [PATCH 13/14] Update frogbot-scan-repository.yml

---
 .github/workflows/frogbot-scan-repository.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/frogbot-scan-repository.yml b/.github/workflows/frogbot-scan-repository.yml
index cb796b47..716b0bcd 100644
--- a/.github/workflows/frogbot-scan-repository.yml
+++ b/.github/workflows/frogbot-scan-repository.yml
@@ -8,7 +8,7 @@ permissions:
 contents: write
 pull-requests: write
 security-events: write
- id-token: write
+ #id-token: write
 # [Mandatory If using OIDC authentication protocol instead of JF_ACCESS_TOKEN]
 # id-token: write
 jobs:
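Review bot: `JF_WATCHES: srs` is dropped into the `# [Mandatory]` block directly under `JF_GIT_BASE_BRANCH` with no comment of its own, while every other setting in this file sits under a `# [Mandatory]`/`# [Optional]` header that explains it; a reader will take the watch for a required git setting. Move it below the git settings with the same two-line header the pull-request workflow uses (PATCH 01): `# [Optional]` / `# Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches` / `JF_WATCHES: srs`. Because the watch name decides which policies the scan enforces, that comment should also say whether reusing the pull-request workflow's `srs` watch here is deliberate.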
@@ -27,7 +27,7 @@ jobs:
 
 # [Mandatory if JF_USER and JF_PASSWORD are not provided]
 # JFrog access token with 'read' permissions on Xray service
- #JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+ JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
 
 # [Mandatory if JF_ACCESS_TOKEN is not provided]
 # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
@@ -36,7 +36,7 @@ jobs:
 # [Mandatory if JF_ACCESS_TOKEN is not provided]
 # JFrog password. Must be provided with JF_USER
 # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
- JFROG_CLI_CA_CERT_PATH: "/builds/$CI_PROJECT_PATH/xray-root-ca.pem"
+ #JFROG_CLI_CA_CERT_PATH: "/builds/$CI_PROJECT_PATH/xray-root-ca.pem"
 
 # [Mandatory]
 # The GitHub token is automatically generated for the job

From f88b960f6d2556d8ce987e2b5a469d5c30f0f068 Mon Sep 17 00:00:00 2001
From: shashwathrai <113433596+shashwathrai@users.noreply.github.com>
Date: Tue, 24 Feb 2026 21:47:21 +0530
Subject: [PATCH 14/14] Update frogbot-scan-repository.yml

---
 .github/workflows/frogbot-scan-repository.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/frogbot-scan-repository.yml b/.github/workflows/frogbot-scan-repository.yml
index 716b0bcd..50ef1f77 100644
--- a/.github/workflows/frogbot-scan-repository.yml
+++ b/.github/workflows/frogbot-scan-repository.yml
@@ -8,9 +8,6 @@ permissions:
 contents: write
 pull-requests: write
 security-events: write
- #id-token: write
- # [Mandatory If using OIDC authentication protocol instead of JF_ACCESS_TOKEN]
- # id-token: write
 jobs:
 scan-repository:
 runs-on: ubuntu-latest
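Review bot: The first and third hunks of PATCH 13 disable settings by commenting them out (`#id-token: write`, `#JFROG_CLI_CA_CERT_PATH: "/builds/$CI_PROJECT_PATH/xray-root-ca.pem"`) rather than deleting them, leaving dead configuration whose status nobody can tell from the text; PATCH 14 removes the `id-token` lines but the CA-path line stays, still pointing at a GitLab path that never applied to this runner. The second hunk moves authentication from OIDC back to the stored `JF_ACCESS_TOKEN`, a step from short-lived federated credentials to a long-lived secret in repository settings, and the commit message ("Update frogbot-scan-repository.yml") gives no reason. Record why OIDC was abandoned next to the token, e.g. `# OIDC integration not available yet; using a stored token scoped to 'read' on Xray (revisit)`, and delete the commented CA-path line outright.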