VMware Cloud Community
sundaranandhan
Contributor

Secure coding Scans for Workflows Written in VMware vRealize Orchestrator.

Hello All,

Has anyone ever run secure code scanning tools against a bunch of vRO workflows before? We need the JavaScript code to be vetted by scanning software like Coverity or Veracode. I have tried a few open-source ones from https://owasp.org/www-community/Source_Code_Analysis_Tools# , but they don't seem to work. Some of them expect a git repo and some of them need to be linked to GitHub/Bitbucket projects. In our case, it's just a plain vRO, no vRA, so no GitLab integration. I could export the workflows as a package, but they seem to hide the workflow JavaScript code in "data" files. So I am wondering if anyone has had to do this before and how you ended up solving it.

Thank you in advance,

Regards,

Sundar

4 Replies
dtimbrohq
Contributor

I have the same need right now. Did you find a solution? Thanks in advance.

sundaranandhan
Contributor

Hello,

We didn't find any workable solution for scanning the workflow code itself. Instead, we ended up scanning ONLY the underlying vRO plugin Java code.

Regards

Sundar.

imtrinity94
Enthusiast

I don't know how much this will be of help, but try using vRODoc to convert your vRO actions (not WFs) to pure JS code and scan it afterwards. No vRA or Git required. Code gets saved locally. A tutorial is available here (https://bit.ly/vRODoc) and the code is available here: https://github.com/imtrinity94/vRODoc.

The challenge is definitely to move your code from WFs to Actions.

Mayank Goyal
vRO Engineer
https://www.linkedin.com/in/mayankgoyal1994/
https://cloudblogger.co.in/
imtrinity94
Enthusiast

Did it work for you?
