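# CI workflow: build the project with Maven, run the dependency and code
# scanners, then publish their SARIF output to the repository's Security tab.
name: Maven Build + Contrast CodeSec
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

# Least-privilege token for the whole run: read-only checkout, plus the
# `security-events: write` scope that the upload-sarif step below needs.
# Without an explicit block the job inherits the repository default, which
# may be read-only and would make the SARIF upload fail.
permissions:
  contents: read
  security-events: write

jobs:
  build_and_test:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` below references a mutable tag or branch
      # (`@v2`, `@v3`, `@main`). Pinning each to a full commit SHA gives
      # reproducible builds and limits exposure if an upstream ref is moved.
      - uses: actions/checkout@v2
        with:
          fetch-depth: '0'
      - uses: actions/setup-java@v2
        with:
          distribution: 'temurin'
          java-version: '8'
          cache: 'maven'
      - name: Build with Maven
        run: mvn -B package -DskipTests --file pom.xml
      # this is borked right now because dep-scan-action has master/5.1 instead of -5.1 in the docker image name. There's a PR.
      - uses: AppThreat/dep-scan-action@v3
        with:
          src: /github/workspace
          report_file: /github/workspace/reports/depscan.json
          profile: generic
          # Must equal "I have sponsored OWASP-dep-scan." for action to run. Required.
          thank_you: "I have sponsored OWASP-dep-scan."
        env:
          VDB_HOME: ${{ github.workspace }}/db
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # - uses: AppThreat/dep-scan-action@master
      #   with:
      #     thank_you: "I have sponsored OWASP-dep-scan."
      #   env:
      #     VDB_HOME: ${{ github.workspace }}/db
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # - uses: actions/upload-artifact@v4
      #   with:
      #     name: reports
      #     path: reports
      # Run Contrast SCA to analyze security open source libraries
      - name: Contrast SCA Action
        # `always()` also runs this step after a failed build or a cancelled
        # run; if SCA should only follow a successful build, `success()` is
        # the narrower condition.
        if: always()
        uses: Contrast-Security-OSS/contrast-sca-action@main
        with:
          apiKey: ${{ secrets.CONTRAST_API_KEY }}
          orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
          authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
          filePath: pom.xml
          severity: medium
          fail: true
      # Run Contrast Scan to analyze security of project code
      - name: Contrast Scan Action
        # Runs even when the Maven build failed; the jar below will then be
        # missing and this step fails on its own, which `fail: true` reports.
        if: always()
        uses: Contrast-Security-OSS/contrastscan-action@main
        with:
          # Locate the jar relative to the workspace rather than hard-coding
          # the runner's /home/runner/work/<owner>/<repo> layout, so the path
          # survives a repository rename or a different runner root.
          artifact: ${{ github.workspace }}/target/spring-petclinic-1.5.1.jar
          apiKey: ${{ secrets.CONTRAST_API_KEY }}
          orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
          authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
          severity: medium
          fail: true
      # Upload vulnerabilities into GitHub Security Tab of the repo
      - name: Upload Contrast Security Results to GitHub Dashboard
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          # NOTE(review): which earlier step writes results.sarif is not
          # visible here — confirm the scan action emits this file name.
          sarif_file: results.sarif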