Update build.yml #66
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Maven Build + Contrast CodeSec | |
| on: | |
| push: | |
| branches: [ master ] | |
| pull_request: | |
| branches: [ master ] | |
| jobs: | |
| build_and_test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v2 | |
| with: | |
| fetch-depth: '0' | |
| - uses: actions/setup-java@v2 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '8' | |
| cache: 'maven' | |
| - name: Build with Maven | |
| run: mvn -B package -DskipTests --file pom.xml | |
| # this is borked right now because dep-scan-action has master/5.1 instead of -5.1 in the docker image name. There's a PR. | |
| - uses: AppThreat/dep-scan-action@v3 | |
| with: | |
| src: /github/workspace | |
| report_file: /github/workspace/reports/depscan.json | |
| profile: generic | |
| # Must equal "I have sponsored OWASP-dep-scan." for action to run. Required. | |
| thank_you: "I have sponsored OWASP-dep-scan." | |
| env: | |
| VDB_HOME: ${{ github.workspace }}/db | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # - uses: AppThreat/dep-scan-action@master | |
| # with: | |
| # thank_you: "I have sponsored OWASP-dep-scan." | |
| # env: | |
| # VDB_HOME: ${{ github.workspace }}/db | |
| # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # - uses: actions/upload-artifact@v4 | |
| # with: | |
| # name: reports | |
| # path: reports | |
| # Run Contrast SCA to analyze security open source libraries | |
| - name: Contrast SCA Action | |
| if: always() | |
| uses: Contrast-Security-OSS/contrast-sca-action@main | |
| with: | |
| apiKey: ${{ secrets.CONTRAST_API_KEY }} | |
| orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} | |
| authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} | |
| filePath: pom.xml | |
| severity: medium | |
| fail: true | |
| # Run Contrast Scan to analyze security of project code | |
| - name: Contrast Scan Action | |
| if: always() | |
| uses: Contrast-Security-OSS/contrastscan-action@main | |
| with: | |
| artifact: /home/runner/work/spring-petclinic/spring-petclinic/target/spring-petclinic-1.5.1.jar | |
| apiKey: ${{ secrets.CONTRAST_API_KEY }} | |
| orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} | |
| authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} | |
| severity: medium | |
| fail: true | |
| # Upload vulnerabilities into GitHub Security Tab of the repo | |
| - name: Upload Contrast Security Results to GitHub Dashboard | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: results.sarif | |