From 2f2dfd3581332e1a6232e21df2a45b6cb3853ce5 Mon Sep 17 00:00:00 2001
From: Steven Xu <103658932+steven-xu-lf@users.noreply.github.com>
Date: Wed, 2 Aug 2023 13:57:02 -0400
Subject: [PATCH] added initial veracode scan pipeline (#66)
* added initial veracode scan pipeline
* changed indentation
* remove erroneous uses key
* changed pipeline steps
* changed pipeline steps back
* removed PR/push trigger, and added 3pm schedule trigger
---
.github/workflows/veracode-scan.yml | 41 +++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 .github/workflows/veracode-scan.yml
diff --git a/.github/workflows/veracode-scan.yml b/.github/workflows/veracode-scan.yml
new file mode 100644
index 0000000..13066e3
--- /dev/null
+++ b/.github/workflows/veracode-scan.yml
@@ -0,0 +1,41 @@
+name: Veracode scan
+
+on:
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+ schedule:
+ - cron: '0 15 * * 6'
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Set up JDK 8
+ uses: actions/setup-java@v3
+ with:
+ java-version: '8'
+ distribution: 'temurin'
+
+ - name: Build with Maven
+ run: mvn -B package -Dmaven.test.skip=true --file pom.xml
+
+ - name: Veracode Upload And Scan (Static Application Security Testing)
+ uses: veracode/veracode-uploadandscan-action@0.2.6
+ with:
+ appname: 'lf-api-client-core-java'
+ createprofile: true
+ filepath: 'target'
+ vid: '${{ secrets.VERACODE_API_ID }}'
+ vkey: '${{ secrets.VERACODE_API_KEY }}'
+
+ - name: Run Veracode Software Composition Analysis (SCA)
+ env:
+ SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
+ uses: veracode/veracode-sca@v2.1.6
+ with:
+ create-issues: false
+ allow-dirty: true
+ recursive: true
\ No newline at end of file
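Review bot: The new workflow declares no `permissions:` block, so every step — including the two third-party Veracode actions that receive the `VERACODE_*` and `SRCCLR_API_TOKEN` secrets — runs with the repository's default GITHUB_TOKEN grant, which depending on repository settings may be read/write; nothing in the hunk pushes, comments or opens issues (`create-issues` is `false`), so a top-level `permissions:` / `  contents: read` is sufficient and should be added. Relatedly, all four `uses:` references are mutable tags (`actions/checkout@v3`, `actions/setup-java@v3`, `veracode/veracode-uploadandscan-action@0.2.6`, `veracode/veracode-sca@v2.1.6`); pinning each to a full-length commit SHA with the tag kept in a trailing comment prevents a moved or compromised tag from silently changing the code that runs with those secrets. The `cron` entry would also read better with a comment such as `# Weekly: Saturdays at 15:00 UTC (GitHub cron is evaluated in UTC)`, since the commit message describes it as a "3pm" trigger without a timezone. Minor: the file ends without a trailing newline.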