Skip to content
Back to pull request #210

[ 2º ] - Hotfix/trg-7-02: license and copyright header #596

Sign in to view logs

[ 2º ] - Hotfix/trg-7-02: license and copyright header

[ 2º ] - Hotfix/trg-7-02: license and copyright header #596

Workflow file for this run

.github/workflows/veracode-pipeline.yml at 7119cac
#################################################################################
# Catena-X - Digital Product Passport Application
#
# Copyright (c) 2022, 2024 BASF SE, BMW AG, Henkel AG & Co. KGaA
# Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
# either express or implied. See the
# License for the specific language govern in permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
#################################################################################
name: Veracode Static Analysis Pipeline Scan
on:
push:
branches: [ "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main", "develop"]
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
permissions:
contents: read
env:
VID: '${{ secrets.VERACODE_API_ID || secrets.ORG_VERACODE_API_ID }}'
VKEY: '${{ secrets.VERACODE_API_KEY || secrets.ORG_VERACODE_API_KEY }}'
jobs:
check-secrets:
runs-on: ubuntu-latest
outputs:
secrets-available: ${{ steps.secrets-exists.outputs.available }}
steps:
- name: Check for Secrets availability
id: secrets-exists
shell: bash
## Check if the secrets are available in the environment
## Check if the secrets are available in the environment
run: |
if [ "${{ env.VID }}" != '' ] && [ "${{ env.VKEY }}" != '' ]; then
echo "available=true" >> $GITHUB_OUTPUT;
echo "Secrets are available at this environment!"
else
echo "available=false" >> $GITHUB_OUTPUT;
echo "No secrets are available at this environment!"
fi
# This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
build-and-pipeline-scan:
needs: [ check-secrets ]
if: needs.check-secrets.outputs.secrets-available == 'true' ## Require that the secrets are available
permissions:
contents: read
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
repository: ''
- uses: actions/setup-java@v3
with:
java-version: 19
distribution: 'adopt'
- name: build
run: |
cd dpp-backend/digitalproductpass
mvn dependency:purge-local-repository clean verify
- run: zip -r veracode-scan-target.zip ./
# download the Veracode Static Analysis Pipeline scan jar
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- run: unzip -o pipeline-scan-LATEST.zip
- uses: actions/setup-java@v3
with:
java-version: 8
distribution: 'temurin'
- run: java -Dpipeline.debug=true -jar pipeline-scan.jar -p "Product-Passport-Consumer-App" --veracode_api_id "${{ env.VID }}" --veracode_api_key "${{ env.VKEY }}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip
continue-on-error: true
- name: Convert pipeline scan output to SARIF format
id: convert
uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
with:
pipeline-results-json: results.json
- uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: veracode-results.sarif