devops-automation/.github/workflows/maven.yml at 8ef50f68d99e422605c0153fa2f90c69e1fc07cd · Java-Techie-jt/devops-automation · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: Maven and SCA_SAST scan with DC and FindSecBug

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  BuildWithGitHubActions:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v3
    - name: Set up JDK 17
      uses: actions/setup-java@v3
      with:
        java-version: '17'
        distribution: 'temurin'
        cache: maven
    - name: Build with Maven
      run: mvn -B package --file pom.xml

    - name: Download OWASP Dependency-Check
      run: |
       wget -q -O dependency-check-8.4.0-release.zip  https://github.com/jeremylong/DependencyCheck/releases/download/v8.4.0/dependency-check-8.4.0-release.zip
       ls -l
       unzip -qq dependency-check-8.4.0-release.zip

    - name: Run OWASP Dependency-Check
      run: ./dependency-check/bin/dependency-check.sh --scan ./ --format HTML --project "Dependencychecker_DevOpsTest" --out ./report

    - name: Upload OWASP Dependency-Check Report
      uses: actions/upload-artifact@v2
      with:
        name: dependency-check-report
        path: ./report

    - name: Download FindSecBugs
      run: |
       wget -q -O findsecbugs-cli-1.12.0.zip https://github.com/find-sec-bugs/find-sec-bugs/releases/download/version-1.12.0/findsecbugs-cli-1.12.0.zip
       unzip -qq findsecbugs-cli-1.12.0.zip
       chmod 755 findsecbugs.sh
       chmod +x findsecbugs.sh
       ls -l


    - name: Run FindSecBugs
      run: ./findsecbugs.sh -progress -output findsecbugs-results.html -html target/*.jar

    - name: Upload FindSecBugs Report
      uses: actions/upload-artifact@v2
      with:
        name: findsecbugs-report
        path: findsecbugs-results.html

    # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
    #- name: Update dependency graph
    #  uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6