added initial veracode scan pipeline (#66)

* added initial veracode scan pipeline

* changed indentation

* remove erroneous uses key

* changed pipeline steps

* changed pipeline steps back

* removed PR/push trigger, and added 3pm schedule trigger

.github/workflows/veracode-scan.yml

@@ -0,0 +1,41 @@
+name: Veracode scan
+
+on:
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+  schedule:
+    - cron: '0 15 * * 6'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Set up JDK 8
+      uses: actions/setup-java@v3
+      with:
+        java-version: '8'
+        distribution: 'temurin'
+
+    - name: Build with Maven
+      run: mvn -B package -Dmaven.test.skip=true --file pom.xml
+
+    - name: Veracode Upload And Scan (Static Application Security Testing)
+      uses: veracode/[email protected]
+      with:
+        appname: 'lf-api-client-core-java'
+        createprofile: true
+        filepath: 'target'
+        vid: '${{ secrets.VERACODE_API_ID }}'
+        vkey: '${{ secrets.VERACODE_API_KEY }}'
+
+    - name: Run Veracode Software Composition Analysis (SCA)
+      env:
+        SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
+      uses: veracode/[email protected]
+      with:
+        create-issues: false
+        allow-dirty: true
+        recursive: true