From 8e2965a20e9b50cb1599987bcb7166e928be78ba Mon Sep 17 00:00:00 2001 From: christosservosNCIN <132549511+christosservosNCIN@users.noreply.github.com> Date: Wed, 28 Feb 2024 15:23:30 +0200 Subject: [PATCH] centralized sec workflows (#99) Co-authored-by: christosservosNCIN --- .github/workflows/dependencycheck.yml | 32 ++++++++------------------- .github/workflows/gitleaks.yml | 28 +++++------------------ .github/workflows/sonar.yml | 16 ++++++++++++++ build.gradle.kts | 9 ++++++++ gradle/libs.versions.toml | 4 +++- 5 files changed, 43 insertions(+), 46 deletions(-) create mode 100644 .github/workflows/sonar.yml diff --git a/.github/workflows/dependencycheck.yml b/.github/workflows/dependencycheck.yml index db90f665..863345af 100644 --- a/.github/workflows/dependencycheck.yml +++ b/.github/workflows/dependencycheck.yml @@ -1,28 +1,14 @@ -name: SCA - Dependency Check +name: SCA - Dependency Check Caller on: push: + branches-ignore: + - 'dependabot/*' workflow_dispatch: jobs: - sca-dependency-check-gradle: - name: Build - runs-on: ubuntu-latest - steps: - - name: Checkout project sources - uses: actions/checkout@v4 - - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: '17' - - name: Validate Gradle Wrapper - uses: gradle/wrapper-validation-action@v1 - - name: Build with Gradle Wrapper & Run Dependency-Check - uses: gradle/gradle-build-action@v2.9.0 - with: - gradle-version: wrapper - arguments: dependencyCheckAnalyze - - name: Upload results - SCA - uses: actions/upload-artifact@master - with: - name: Dependency Check Report - path: ${{github.workspace}}/build/reports/dependency-check-report.html \ No newline at end of file + SCA_caller: + uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/sca_bt.yml@main + secrets: + NVD_API_KEY: ${{ secrets.NVD_API_KEY }} + DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }} + DOJO_URL: ${{ secrets.DOJO_URL }} \ No newline at end of file 
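Review bot: The reusable workflow is referenced by a mutable branch, `uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/sca_bt.yml@main`, so any push to that branch in the other repository runs here with this repository's `NVD_API_KEY`, `DOJO_TOKEN` and `DOJO_URL` secrets without passing through this repository's review. Pinning to a full commit SHA and bumping it deliberately keeps that under control, e.g. `uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/sca_bt.yml@<pinned-commit-sha>`; the same applies to the gitleaks.yml and sonar.yml callers in this commit. The removed job also uploaded `build/reports/dependency-check-report.html` as an artifact; whether the called workflow still publishes a report for this repository is not visible here and is worth confirming before the old job is relied on no longer.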
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 823d3120..1becf875 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -1,4 +1,4 @@ -name: Secret Scanning - Gitleaks +name: Secret Scanning - Gitleaks Caller on: push: branches-ignore: @@ -6,24 +6,8 @@ on: workflow_dispatch: jobs: - Secret_Scanning: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Run Gitleaks from container - run: | - docker create --name GL --entrypoint /bin/bash --interactive --volume ${{ github.workspace }}:/src zricethezav/gitleaks - docker start GL - docker exec GL git config --global --add safe.directory '/src' - docker exec --user $(id -u):$(id -g) GL gitleaks detect --source=/src --verbose -c /src/security/gitleaks/gitleaks.toml --report-path /src/gitleaks-report.json - continue-on-error: true - - - name: upload_artifacts - uses: actions/upload-artifact@v3 - with: - name: Gitleaks Artifact Upload - path: ${{ github.workspace }}/gitleaks-report.json \ No newline at end of file + Secret_Scanning_caller: + uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/secretscanning.yml@main + secrets: + DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }} + DOJO_URL: ${{ secrets.DOJO_URL }} \ No newline at end of file diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml new file mode 100644 index 00000000..15f3c12e --- /dev/null +++ b/.github/workflows/sonar.yml @@ -0,0 +1,16 @@ +name: SAST - SonarCloud (BT) Caller +on: + push: + branches-ignore: + - 'dependabot/*' + pull_request_target: + workflow_dispatch: + +jobs: + SAST_caller: + uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/sast_bt.yml@main + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }} + DOJO_URL: ${{ secrets.DOJO_URL }} 
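Review bot: The removed job passed a repository-local rule set, `-c /src/security/gitleaks/gitleaks.toml`, and checked out with `fetch-depth: 0` so the full history was scanned; the new `Secret_Scanning_caller` passes only `secrets:` and no `with:` inputs, so neither the custom configuration nor the scan depth is controlled from this repository any more. If `secretscanning.yml` does not read that file or scans only the latest commit, findings the previous job reported will silently disappear; confirm against the called workflow and, if it exposes inputs for the config path or checkout depth, pass them here. If the file is no longer read, remove it or document that it is unused so the next maintainer does not assume its allow-list and rules are still in effect.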
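Review bot: The new sonar.yml triggers on `pull_request_target` and forwards `SONAR_TOKEN`, `GITHUB_TOKEN`, `DOJO_TOKEN` and `DOJO_URL` to the called workflow; with that trigger the run carries the base repository's secrets even for a pull request from a fork, so if `sast_bt.yml` checks out the pull request head and runs the Gradle build (which a SonarCloud scan normally does), build scripts from the fork execute with those secrets available. Unless the called workflow is known to check out only the base ref, `pull_request` is the safer trigger here; if `pull_request_target` is required for PR decoration, gate the job (for example on a label or the author's association) so untrusted code does not run with secrets. The caller also sets no `permissions:` block, so the forwarded `GITHUB_TOKEN` has the repository's default scope; a top-level `permissions:` limited to what the called workflow needs (at minimum `contents: read`) bounds the blast radius. Note that `branches-ignore` under `pull_request_target` filters the base branch, not the head, so it does not exclude fork branches.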
diff --git a/build.gradle.kts b/build.gradle.kts index c97c7b99..1943c0e3 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -1,4 +1,5 @@ import org.jetbrains.kotlin.gradle.tasks.KotlinCompile +import org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension import org.springframework.boot.gradle.tasks.bundling.BootBuildImage import java.net.URI @@ -12,6 +13,7 @@ plugins { alias(libs.plugins.kotlin.plugin.serialization) alias(libs.plugins.spotless) alias(libs.plugins.dependency.check) + alias(libs.plugins.sonarqube) } group = "eu.europa.ec.eudi" @@ -132,3 +134,10 @@ spotless { ktlint(ktlintVersion) } } + +val nvdApiKey: String? = System.getenv("NVD_API_KEY") ?: properties["nvdApiKey"]?.toString() +val dependencyCheckExtension = extensions.findByType(DependencyCheckExtension::class.java) +dependencyCheckExtension?.apply { + formats = mutableListOf("XML", "HTML") + nvd.apiKey = nvdApiKey ?: "" +} diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index c90152d6..b046c0bf 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -14,7 +14,8 @@ nimbusJoseJwt = "9.37.3" nimbusOAuth2 = "11.9.1" eudiSdJwt = "0.2.1-SNAPSHOT" bouncyCastle = "1.77" -dependencyCheck = "8.4.2" +dependencyCheck = "9.0.9" +sonarqube = "4.4.1.3373" bootstrap = "5.3.2" qrgen = "3.0.1" @@ -42,3 +43,4 @@ kotlin-jvm = { id = "org.jetbrains.kotlin.jvm", version.ref = "kotlin" } kotlin-plugin-spring = { id = "org.jetbrains.kotlin.plugin.spring", version.ref = "kotlin" } kotlin-plugin-serialization = { id = "org.jetbrains.kotlin.plugin.serialization", version.ref = "kotlin" } dependency-check = { id = "org.owasp.dependencycheck", version.ref = "dependencyCheck" } +sonarqube = { id = "org.sonarqube", version.ref = "sonarqube" }
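Review bot: `extensions.findByType(DependencyCheckExtension::class.java)` followed by `?.apply` silently skips the whole configuration when the extension is absent, so a mis-applied plugin would leave `formats` and `nvd.apiKey` unset with no error; since `alias(libs.plugins.dependency.check)` is applied unconditionally in the `plugins {}` hunk above, `configure<DependencyCheckExtension> { ... }` (or the plugin's `dependencyCheck { ... }` accessor) states the intent and fails loudly instead. `nvd.apiKey = nvdApiKey ?: ""` turns an absent key into an empty string; whether the plugin treats `""` as "no key" or as an invalid credential is not visible here, so `nvdApiKey?.let { nvd.apiKey = it }` keeps the plugin default when nothing is configured. The `properties["nvdApiKey"]` fallback means the key can also arrive via `-PnvdApiKey=` on the command line or a committed `gradle.properties`; a comment on that declaration such as `// NVD API key for dependency-check; supplied as NVD_API_KEY in CI — never commit it in gradle.properties` makes the intended source explicit.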