centralized sec workflows (#99)

Co-authored-by: christosservosNCIN <cservos@netcompany.com>
eu-digital-identity-wallet · Feb 28, 2024 · 8e2965a · 8e2965a
1 parent dcde629
commit 8e2965a
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 46 deletions.
diff --git a/.github/workflows/dependencycheck.yml b/.github/workflows/dependencycheck.yml
@@ -1,28 +1,14 @@
-name: SCA - Dependency Check
+name: SCA - Dependency Check Caller
 on:
   push:
+    branches-ignore:
+      - 'dependabot/*'
   workflow_dispatch:
 
 jobs:
- sca-dependency-check-gradle:
-    name: Build
-    runs-on:  ubuntu-latest
-    steps:
-      - name: Checkout project sources
-        uses: actions/checkout@v4
-      - uses: actions/setup-java@v3
-        with:
-          distribution: 'temurin'
-          java-version: '17'
-      - name: Validate Gradle Wrapper
-        uses: gradle/wrapper-validation-action@v1
-      - name: Build with Gradle Wrapper & Run Dependency-Check
-        uses: gradle/gradle-build-action@v2.9.0
-        with:
-          gradle-version: wrapper
-          arguments: dependencyCheckAnalyze 
-      - name: Upload results - SCA
-        uses: actions/upload-artifact@master
-        with:
-           name: Dependency Check Report
-           path: ${{github.workspace}}/build/reports/dependency-check-report.html
+ SCA_caller:
+      uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/sca_bt.yml@main
+      secrets:
+       NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+       DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }}
+       DOJO_URL: ${{ secrets.DOJO_URL }}
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -1,29 +1,13 @@
-name: Secret Scanning - Gitleaks
+name: Secret Scanning - Gitleaks Caller
 on:
   push:
     branches-ignore:
       - 'dependabot/*'
   workflow_dispatch:
 
 jobs:
-  Secret_Scanning:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Run Gitleaks from container
-        run: |
-            docker create --name GL --entrypoint /bin/bash --interactive --volume ${{ github.workspace }}:/src zricethezav/gitleaks 
-            docker start GL
-            docker exec GL git config --global --add safe.directory '/src'
-            docker exec --user $(id -u):$(id -g) GL gitleaks detect --source=/src --verbose -c /src/security/gitleaks/gitleaks.toml --report-path /src/gitleaks-report.json
-        continue-on-error: true
-
-      - name: upload_artifacts   
-        uses: actions/upload-artifact@v3
-        with:
-          name: Gitleaks Artifact Upload
-          path:  ${{ github.workspace }}/gitleaks-report.json
+  Secret_Scanning_caller:
+      uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/secretscanning.yml@main
+      secrets:
+       DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }}
+       DOJO_URL: ${{ secrets.DOJO_URL }}
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
@@ -0,0 +1,16 @@
+name: SAST - SonarCloud (BT) Caller
+on:
+  push:
+    branches-ignore:
+      - 'dependabot/*'
+  pull_request_target:
+  workflow_dispatch:
+
+jobs:
+   SAST_caller:
+      uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/sast_bt.yml@main
+      secrets:
+       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+       DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }}
+       DOJO_URL: ${{ secrets.DOJO_URL }}
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -1,4 +1,5 @@
 import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
+import org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension
 import org.springframework.boot.gradle.tasks.bundling.BootBuildImage
 import java.net.URI
 
@@ -12,6 +13,7 @@ plugins {
     alias(libs.plugins.kotlin.plugin.serialization)
     alias(libs.plugins.spotless)
     alias(libs.plugins.dependency.check)
+    alias(libs.plugins.sonarqube)
 }
 
 group = "eu.europa.ec.eudi"
@@ -132,3 +134,10 @@ spotless {
         ktlint(ktlintVersion)
     }
 }
+
+val nvdApiKey: String? = System.getenv("NVD_API_KEY") ?: properties["nvdApiKey"]?.toString()
+val dependencyCheckExtension = extensions.findByType(DependencyCheckExtension::class.java)
+dependencyCheckExtension?.apply {
+    formats = mutableListOf("XML", "HTML")
+    nvd.apiKey = nvdApiKey ?: ""
+}
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -14,7 +14,8 @@ nimbusJoseJwt = "9.37.3"
 nimbusOAuth2 = "11.9.1"
 eudiSdJwt = "0.2.1-SNAPSHOT"
 bouncyCastle = "1.77"
-dependencyCheck = "8.4.2"
+dependencyCheck = "9.0.9"
+sonarqube = "4.4.1.3373"
 bootstrap = "5.3.2"
 qrgen = "3.0.1"
 
@@ -42,3 +43,4 @@ kotlin-jvm = { id = "org.jetbrains.kotlin.jvm", version.ref = "kotlin" }
 kotlin-plugin-spring = { id = "org.jetbrains.kotlin.plugin.spring", version.ref = "kotlin" }
 kotlin-plugin-serialization = { id = "org.jetbrains.kotlin.plugin.serialization", version.ref = "kotlin" }
 dependency-check = { id = "org.owasp.dependencycheck", version.ref = "dependencyCheck" }
+sonarqube = { id = "org.sonarqube", version.ref = "sonarqube" }