Vulnerability scans Workflow #247
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Vulnerability scans Workflow | |
on: | |
# WARN: secrets not available from pull_request forks | |
# | |
# same as snyk action | |
# we can't run this on PRs from forks as snyk token can't be used from forks | |
# for security reasons, prs from forks are not allowed to use/read secrets | |
# | |
# Another note: the generated sarif can be uploaded to the GitHub Code Scanning dashboard | |
# but we don't want to upload security vulns for code that is not merged yet | |
# | |
# pull_request: | |
# branches: ["dev"] | |
push: | |
branches: | |
# - "app-start-test" | |
- "dev" | |
- "next" | |
schedule: | |
# - cron: "0 0 * * 0" # every Sunday at midnight | |
- cron: "0 0 * * *" # every day at midnight | |
workflow_dispatch: {} | |
jobs: | |
vulnerability-scans: | |
concurrency: | |
# use case: for example, when someone pushes a commit to a PR, the workflow will be triggered again | |
# we want to cancel previous jobs and only run the latest one | |
# TODO: check if this is the correct group to do this | |
# github.ref is the branch name | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
env: | |
# required for local testing without risking pulling the wrong image | |
TEST_TAG: gipo999/tomcat-webapp-boilerplate:test-${{ github.run_number }} | |
SHOULD_RUN: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }} | |
permissions: | |
security-events: write | |
packages: read | |
issues: write | |
actions: read | |
contents: write | |
if: github.event.pull_request.draft == false | |
name: Vulnerability scans Job | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources Step | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
# setup the CI environment using a private composite action | |
- name: Setup CI environment | |
uses: ./.github/actions/ci-setup | |
# run the gradle check and build tasks | |
- name: Build with Gradle Wrapper Step | |
# buildWar runs check, test, war tasks | |
# at this point we won't know if the app will run in a container | |
# we don't check and test here. | |
# The job is delegated to check build action which runs on PR too | |
# Saves minutes, fails fast | |
run: ./gradlew war | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
# gets cache | |
- name: Setup DOCKER environment | |
uses: ./.github/actions/docker-setup | |
# test the docker container health, must be up | |
- name: Build, run and health check container | |
uses: ./.github/actions/build-run-testcontainer | |
with: | |
docker_tag: ${{ env.TEST_TAG }} | |
port_maps: "8080:8080" | |
load: true | |
push: false | |
# attack with private composite action | |
# uses zap, wapiti, nmap, snyk-container | |
- name: Attack container CI | |
uses: ./.github/actions/attack | |
id: attack | |
if: ${{ env.SHOULD_RUN && github.ref == 'refs/heads/dev' }} | |
with: | |
docker_tag: ${{ env.TEST_TAG }} | |
pat: ${{ secrets.PAT }} | |
snyk_token: ${{ secrets.SNYK_TOKEN }} | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
run_nmap: false | |
run_snyk: true | |
run_wapiti: true | |
run_zap: true | |
- name: Publish reports to GitHub Pages | |
if: ${{ env.SHOULD_RUN && github.ref == 'refs/heads/dev' }} | |
uses: ./.github/actions/gh-pages-reports | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
gh_pages_dir: "./docs/gh-pages" | |
nmap: ${{ steps.attack.outputs.nmap == 'true' }} | |
snyk: ${{ steps.attack.outputs.snyk == 'true' }} | |
wapiti: ${{ steps.attack.outputs.wapiti == 'true' }} | |
zap: ${{ steps.attack.outputs.zap == 'true' }} |