From 78b4411eaa4582d2c2425a321d16fcedc71b58b1 Mon Sep 17 00:00:00 2001
From: Taofeeqib
Date: Thu, 9 Nov 2023 14:11:23 +0100
Subject: [PATCH] APPSEC-618 Enabling SonarQube Source Code Scanning Capability

---
 .github/assets/sonar-project.properties | 11 +++++++
 .github/workflows/code_scanning.yaml | 44 +++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 .github/assets/sonar-project.properties
 create mode 100644 .github/workflows/code_scanning.yaml

diff --git a/.github/assets/sonar-project.properties b/.github/assets/sonar-project.properties
new file mode 100644
index 0000000..2e37b80
--- /dev/null
+++ b/.github/assets/sonar-project.properties
@@ -0,0 +1,11 @@
+
+sonar.sources=.
+sonar.language=php
+sonar.exclusions=.github/**,**ci/**,**/*.sql,**/*.md,**/*.yml,**/*.xml,**/*.json,**/*.lock,**/*.dist
+sonar.projectKey=com.hellofresh:engine
+sonar.links.homepage=https://github.com/hellofresh/engine
+sonar.links.issue=https://github.com/hellofresh/engine/issues
+sonar.links.ci=https://github.com/hellofresh/engine/actions
+sonar.links.scm=https://github.com/hellofresh/engine.git
+sonar.scm.provider=git
+sonar.sourceEncoding=UTF-8
\ No newline at end of file
diff --git a/.github/workflows/code_scanning.yaml b/.github/workflows/code_scanning.yaml
new file mode 100644
index 0000000..9d2e0a6
--- /dev/null
+++ b/.github/workflows/code_scanning.yaml
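Review bot: The exclusion list on the `sonar.exclusions` line removes every `*.yml`, `*.xml`, `*.json` and `*.dist` file from analysis, which also takes configuration files — the usual home of hard-coded credentials and insecure settings — out of scope for the scanner's secret-detection and configuration rules; narrow the patterns to generated or vendored paths rather than whole file types. The `**ci/**` entry is probably meant as `**/ci/**`; as written the `**` prefix also matches any directory whose name merely ends in `ci`. `sonar.language=php` is, as far as I recall, a deprecated single-language property and could be dropped in favour of the scanner's default multi-language detection (confirm against the SonarQube version in use). The file also starts with a blank line and ends without a trailing newline.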
@@ -0,0 +1,44 @@
+---
+name: "PR: Code Scanning"
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+ schedule:
+ - cron: '30 4 * * 6'
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ analyze:
+ name: scanning
+ runs-on: [ self-hosted, default ]
+ timeout-minutes: 15
+ steps:
+ - name: Import Secrets
+ id: vault-secrets
+ uses: hellofresh/jetstream-ci-scripts/actions/vault@master
+ with:
+ shared-secrets: |
+ common/data/defaults GITHUB_TOKEN | GITHUB_TOKEN;
+ common/data/defaults SONAR_TOKEN | SONAR_TOKEN ;
+
+ - name: Checkout source code
+ uses: actions/checkout@v4
+
+ - name: SonarQube Scan
+ uses: hellofresh/jetstream-ci-scripts/actions/sonar-scanner@master
+ env:
+ SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
+ SONAR_HOST_URL: "https://sonarqube.tools-k8s.hellofresh.io"
+ with:
+ args: >
+ -Dsonar.php.coverage.reportPaths=./coverage.xml
+ -Dproject.settings=./.github/assets/sonar-project.properties
+ -Dsonar.scm.revision=${{ github.event.pull_request.head.sha }}
\ No newline at end of file
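Review bot: The two in-house actions that receive the Vault-sourced tokens are referenced by a mutable branch (`uses: hellofresh/jetstream-ci-scripts/actions/vault@master` and `.../sonar-scanner@master`), so any push to that branch silently changes the code that handles `SONAR_TOKEN` and `GITHUB_TOKEN` inside this job; pin both to a full commit SHA with the tracked ref in a trailing comment, e.g. `uses: hellofresh/jetstream-ci-scripts/actions/vault@<commit-sha-placeholder> # master`, and consider the same for `actions/checkout@v4`. A second, functional point: `-Dsonar.scm.revision=${{ github.event.pull_request.head.sha }}` expands to an empty value on the `push` and `schedule` triggers this workflow also declares, so it should fall back with `-Dsonar.scm.revision=${{ github.event.pull_request.head.sha || github.sha }}`. The `GITHUB_TOKEN` imported from Vault is not referenced by any visible step; if the scanner action does not need it for PR decoration, drop that `shared-secrets` line so the token is not exposed in the job environment unnecessarily. Nothing visible produces `./coverage.xml` before the scan, so the `sonar.php.coverage.reportPaths` setting presumably points at a missing file unless the scanner action generates it.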