Skip to content

Vulnerability scans Workflow #287

Vulnerability scans Workflow

Vulnerability scans Workflow #287

name: Vulnerability scans Workflow
on:
# WARN: secrets not available from pull_request forks
#
# same as snyk action
# we can't run this on PRs from forks as snyk token can't be used from forks
# for security reasons, prs from forks are not allowed to use/read secrets
#
# Another note: the generated sarif can be uploaded to the GitHub Code Scanning dashboard
# but we don't want to upload security vulns for code that is not merged yet
#
# pull_request:
# branches: ["dev"]
push:
branches:
# - "app-start-test"
- "dev"
- "next"
schedule:
# - cron: "0 0 * * 0" # every Sunday at midnight
- cron: "0 0 * * *" # every day at midnight
workflow_dispatch: {}
jobs:
vulnerability-scans:
concurrency:
# use case: for example, when someone pushes a commit to a PR, the workflow will be triggered again
# we want to cancel previous jobs and only run the latest one
# TODO: check if this is the correct group to do this
# github.ref is the branch name
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
# required for local testing without risking pulling the wrong image
TEST_TAG: gipo999/tomcat-webapp-boilerplate:test-${{ github.run_number }}
SHOULD_RUN: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
permissions:
security-events: write
packages: read
issues: write
actions: read
contents: write
if: github.event.pull_request.draft == false
name: Vulnerability scans Job
runs-on: ubuntu-latest
steps:
- name: Checkout sources Step
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
# setup the CI environment using a private composite action
- name: Setup CI environment
uses: ./.github/actions/ci-setup
# run the gradle check and build tasks
- name: Build with Gradle Wrapper Step
# buildWar runs check, test, war tasks
# at this point we won't know if the app will run in a container
# we don't check and test here.
# The job is delegated to check build action which runs on PR too
# Saves minutes, fails fast
run: ./gradlew war
- name: Upload coverage to Codecov
uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
with:
token: ${{ secrets.CODECOV_TOKEN }}
# gets cache
- name: Setup DOCKER environment
uses: ./.github/actions/docker-setup
# test the docker container health, must be up
- name: Build, run and health check container
uses: ./.github/actions/build-run-testcontainer
with:
docker_tag: ${{ env.TEST_TAG }}
port_maps: "8080:8080"
load: true
push: false
# attack with private composite action
# uses zap, wapiti, nmap, snyk-container
- name: Attack container CI
uses: ./.github/actions/attack
id: attack
if: ${{ env.SHOULD_RUN && github.ref == 'refs/heads/dev' }}
with:
docker_tag: ${{ env.TEST_TAG }}
pat: ${{ secrets.PAT }}
snyk_token: ${{ secrets.SNYK_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
run_nmap: false
run_snyk: true
run_wapiti: true
run_zap: true
- name: Publish reports to GitHub Pages
if: ${{ env.SHOULD_RUN && github.ref == 'refs/heads/dev' }}
uses: ./.github/actions/gh-pages-reports
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
gh_pages_dir: "./docs/gh-pages"
nmap: ${{ steps.attack.outputs.nmap == 'true' }}
snyk: ${{ steps.attack.outputs.snyk == 'true' }}
wapiti: ${{ steps.attack.outputs.wapiti == 'true' }}
zap: ${{ steps.attack.outputs.zap == 'true' }}