-
Notifications
You must be signed in to change notification settings - Fork 112
159 lines (137 loc) · 4.53 KB
/
security.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
name: Security
on:
pull_request:
branches: [ main, release/** ]
push:
branches: [ main, release/** ]
tags: [ v* ]
jobs:
dependencies:
name: Dependency check
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install JDK
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: 17
- name: Vulnerability check
uses: gradle/gradle-build-action@v2
with:
arguments: dependencyCheckAggregate
- name: Upload report
if: failure()
uses: actions/upload-artifact@v3
with:
name: dependency-check-report
path: build/reports/dependency-check-report.html
sonar:
if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
name: SonarCloud
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Install JDK
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: 17
- name: Cache SonarCloud dependencies
uses: actions/cache@v3
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Execute Gradle
uses: gradle/gradle-build-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
arguments: sonar -x test
snyk:
if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
name: Snyk Open Source
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install JDK
uses: actions/setup-java@v3
with:
distribution: "temurin"
java-version: 17
- name: Setup Snyk
run: npm install -g snyk-to-html @wcj/html-to-markdown-cli
- name: Execute Gradle Snyk Test
uses: gradle/gradle-build-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
arguments: snyk-test
- name: Publish Snyk Results
continue-on-error: true
if: ${{ !cancelled() && always() }}
run: |
report="build/reports/snyk-test"
if [[ -f ${report}.json ]]; then
snyk-to-html -i ${report}.json -o ${report}.html && \
html-to-markdown ${report}.html -o build/reports && \
cat ${report}.html.md >> $GITHUB_STEP_SUMMARY
fi
snyk-code:
if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
name: Snyk Code
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install JDK
uses: actions/setup-java@v3
with:
distribution: "temurin"
java-version: 17
- name: Setup Snyk
run: npm install -g snyk-to-html @wcj/html-to-markdown-cli
- name: Execute Gradle Snyk Code Test
uses: gradle/gradle-build-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
arguments: snyk-code
- name: Publish Snyk Results
continue-on-error: true
if: ${{ !cancelled() && always() }}
run: |
report="build/reports/snyk-code"
if [[ -f ${report}.json ]]; then
snyk-to-html -i ${report}.json -o ${report}.html && \
html-to-markdown ${report}.html -o build/reports && \
cat ${report}.html.md >> $GITHUB_STEP_SUMMARY
fi
snyk-monitor:
if: github.event_name == 'push' && github.ref_name == 'main'
name: Snyk Monitor
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install JDK
uses: actions/setup-java@v3
with:
distribution: "temurin"
java-version: 17
- name: Execute Gradle Snyk Monitor
uses: gradle/gradle-build-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
arguments: snyk-monitor