From 47a402d9420a80a7142ee0d5013f09fc1f8e3745 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Tue, 7 May 2024 14:15:35 +0530 Subject: [PATCH 01/86] Create docker-publish.yml --- .github/workflows/docker-publish.yml | 98 ++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 .github/workflows/docker-publish.yml diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml new file mode 100644 index 0000000..a3b46b0 --- /dev/null +++ b/.github/workflows/docker-publish.yml 
@@ -0,0 +1,98 @@ +name: Docker + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +on: + schedule: + - cron: '27 0 * * *' + push: + branches: [ "docker-pieline" ] + # Publish semver tags as releases. + tags: [ 'v*.*.*' ] + pull_request: + branches: [ "main" ] + +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + with: + cosign-release: 'v2.1.1' + + # Set up BuildKit Docker container builder to be able to build + # multi-platform images and export cache + # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + with: + 
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} From a0f137a50719cd1746db886db9608691847760fd Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Tue, 7 May 2024 14:17:13 +0530 Subject: [PATCH 02/86] Create Dockerfile --- Dockerfile | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 Dockerfile diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..322a237 --- /dev/null +++ b/Dockerfile 
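Review bot: `actions/checkout@v4` near the top of the hunk is the only step referenced by a mutable tag, while cosign-installer, setup-buildx, login-action, metadata-action and build-push-action are all pinned to commit SHAs with a version comment; pin it the same way (`uses: actions/checkout@<sha> # v4`) so the supply-chain posture of the file is uniform. The `push.branches` entry is spelled `docker-pieline`, so pushes to the intended branch never trigger this workflow. Note also that the nightly `schedule` trigger builds and pushes from the default branch with the same `packages: write` token, so an image is published every night whether or not anything changed; if that is not intended, drop the schedule or gate `push:` on the event type as well.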
@@ -0,0 +1,43 @@
+
+FROM openjdk:17
+
+
+ARG configurationUrl
+ARG serviceId
+ARG build_version_tag
+ARG build_environment_tag
+ARG build_service_url
+
+ARG stardogBaseUrl
+ARG resultDb
+ARG ofgDb
+ARG threadPoolSize
+ARG sdosClientSecret
+ARG stardogClientScope
+ARG zureTenantId
+
+ENV service_url=$build_service_url
+ENV configurationUrlVar=$configurationUrl
+ENV serviceIdVar=$serviceId
+ENV version_tag=$build_version_tag
+ENV environment_tag=$build_environment_tag
+
+ENV stardog_url=$stardogBaseUrl
+ENV resultDbNameVar=$resultDb
+ENV ofgDbName=$ofgDb
+ENV threadPool_Size=$threadPoolSize
+ENV sdosClientSecret=$sdosClientSecret
+ENV stardogClientScope=$stardogClientScope
+ENV azureTenantId=$azureTenantId
+
+
+
+RUN cd /opt && mkdir apps
+
+COPY ./build/libs/sdos.jar /opt/apps/sdos.jar
+
+CMD java -Dlog4j2.formatMsgNoLookups=true -DjvmArgs="-Xms10g -Xmx12g -Xss6g" -jar /opt/apps/sdos.jar -b $stardog_url \
+ -r $resultDbNameVar -ofg $ofgDbName -id $serviceIdVar -tpSize $threadPool_Size \
+ -clientSecret $sdosClientSecret -clientScope $stardogClientScope -tenantId $azureTenantId;
+
+EXPOSE 8080
From 7b56d0bf397b534ba56417464b00b22f885fabec Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Tue, 7 May 2024 14:42:10 +0530 Subject: [PATCH 03/86] Update docker-publish.yml --- .github/workflows/docker-publish.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index a3b46b0..f8f773e 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
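Review bot: `ARG sdosClientSecret` followed by `ENV sdosClientSecret=$sdosClientSecret` bakes the client secret into the image configuration, where anyone who can pull the image reads it with `docker history` or `docker inspect`; build arguments are not a secret channel. Supply it at container start (`-e sdosClientSecret=…` or a mounted secret file) and keep only non-sensitive values as build-time ENV, or use a BuildKit `--mount=type=secret` if it is genuinely needed during the build. Separately, the ARG is declared as `zureTenantId` but the ENV line reads `$azureTenantId`, which is never declared, so `azureTenantId` is always empty and `-tenantId` in the CMD receives no value. The image also runs as root; a dedicated `USER` is the minimal hardening, and `-DjvmArgs="-Xms10g …"` appears to define a system property rather than pass JVM flags, so the heap/stack settings likely have no effect — worth confirming against how the jar reads it.
```dockerfile
FROM openjdk:17

# … unchanged: non-sensitive ARG/ENV declarations (configurationUrl, serviceId, stardog*, …) …
# sdosClientSecret is deliberately NOT an ARG/ENV: provide it at run time, e.g.
#   docker run -e sdosClientSecret=... <image>
ARG azureTenantId
ENV azureTenantId=$azureTenantId

RUN mkdir -p /opt/apps && useradd --system --no-create-home --shell /usr/sbin/nologin sdos
COPY ./build/libs/sdos.jar /opt/apps/sdos.jar
USER sdos

# … unchanged: CMD and EXPOSE …
```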
@@ -6,14 +6,16 @@ name: Docker # documentation. on: - schedule: - - cron: '27 0 * * *' + # schedule: + # - cron: '27 0 * * *' push: branches: [ "docker-pieline" ] - # Publish semver tags as releases. - tags: [ 'v*.*.*' ] - pull_request: - branches: [ "main" ] + # # Publish semver tags as releases. + # tags: [ 'v*.*.*' ] + # pull_request: + # branches: [ "main" ] + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: env: # Use docker.io for Docker Hub if empty From 538866042b7d6599e401e5aeb1fc01ecfe8d935b Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Tue, 7 May 2024 15:07:26 +0530 Subject: [PATCH 04/86] Update main.yml --- .github/workflows/main.yml | 118 +++++++++++++++++++++++++++---------- 1 file changed, 86 insertions(+), 32 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index daf80f7..f8f773e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
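Review bot: With `pull_request` and `tags` commented out, every remaining trigger (push to the branch and manual `workflow_dispatch`) reaches the login and push steps, so the `if: github.event_name != 'pull_request'` guards further down no longer gate anything and each run publishes an image to ghcr.io. If builds on this feature branch are meant to be test-only, gate the publish on the ref instead, e.g. `push: ${{ github.ref == 'refs/heads/docker-pipeline' }}`, or keep `pull_request` for untrusted changes. The branch name is still spelled `docker-pieline`, so pushes to the real branch do not trigger this file at all.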
@@ -1,46 +1,100 @@ -name: CI +name: Docker + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. -# Controls when the workflow will run on: - # Triggers the workflow on push or pull request events but only for the "main" branch + # schedule: + # - cron: '27 0 * * *' push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - - # Allows you to run this workflow manually from the Actions tab + branches: [ "docker-pieline" ] + # # Publish semver tags as releases. + # tags: [ 'v*.*.*' ] + # pull_request: + # branches: [ "main" ] + # Allows you to run this workflow manually from the Actions tab workflow_dispatch: env: - SECURE_LOG_LEVEL: ${{ secrets.LOG_LEVEL_DEBUG }} - CS_REGISTRY_USER: ${{ secrets.SDIP_GITLAB_DEPLOY_USERNAME }} - CS_REGISTRY_PASSWORD: ${{ secrets.SDIP_GITLAB_DEPLOY_TOKEN }} + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + -# A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: - # This workflow contains a single job called "build" build: - # The type of runner that the job will run on + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. 
+ id-token: write - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v4 - - - name: Container Scanning - run: | - export SDIP_IMAGE_TAG=$GITHUB_SHA - export CS_IMAGE=$GITHUB_REPOSITORY:${SDIP_IMAGE_TAG} - gtcs scan - env: - LOG_LEVEL_DEBUG: ${{ secrets.LOG_LEVEL_DEBUG }} - SDIP_GITLAB_DEPLOY_USERNAME: ${{ secrets.SDIP_GITLAB_DEPLOY_USERNAME }} - SDIP_GITLAB_DEPLOY_TOKEN: ${{ secrets.SDIP_GITLAB_DEPLOY_TOKEN }} - SDIP_RUNNER_TAG: ${{ secrets.SDIP_RUNNER_TAG }} + - name: Checkout repository + uses: actions/checkout@v4 + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + with: + cosign-release: 'v2.1.1' - - name: Upload Container Scanning Report - uses: actions/upload-artifact@v2 + # Set up BuildKit Docker container builder to be able to build + # multi-platform images and export cache + # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 with: - name: container_scanning_report - path: gl-container-scanning-report.json + images: ${{ 
env.REGISTRY }}/${{ env.IMAGE_NAME }} + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} From f4b8a8e16182a924009403157be275ae94eada83 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Tue, 7 May 2024 17:32:12 +0530 Subject: [PATCH 05/86] Update main.yml --- .github/workflows/main.yml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f8f773e..95af5b1 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
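Review bot: The removed `Container Scanning` step (`gtcs scan` plus the upload of `gl-container-scanning-report.json`) has no replacement on the new side, so main.yml now builds and pushes an image to ghcr.io with no vulnerability scan anywhere in the path; a Trivy or Grype scan of the built image, run before `push:` and failing on high/critical findings, would restore that control. Dropping the workflow-level `env:` that mapped the `SDIP_GITLAB_DEPLOY_*` secrets into every step is a good cleanup. Unless docker-publish.yml is deleted elsewhere, this file is now a byte-for-byte copy of it, so two workflows publish the same image on the same trigger; keep one.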
@@ -38,6 +38,41 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + + # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. + # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md + - name: Setup Gradle + uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + + - name: Build with Gradle Wrapper + run: ./gradlew build + + # NOTE: The Gradle Wrapper is the default and recommended way to run Gradle (https://docs.gradle.org/current/userguide/gradle_wrapper.html). + # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. + # + # - name: Setup Gradle + # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + # with: + # gradle-version: '8.5' + # + # - name: Build with Gradle 8.5 + # run: gradle build + + + - uses: actions/upload-artifact@master + with: + name: jar-file + path: build/libs/sdos.jar + + - uses: actions/download-artifact@master + with: + name: jar-file + path: build/libs/sdos.jar # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer From d9e27b58bcddb4c095632b8a02352e47ec7ba15a Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 8 May 2024 11:40:43 +0530 Subject: [PATCH 06/86] Update main.yml --- .github/workflows/main.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 95af5b1..4943f46 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
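Review bot: `actions/upload-artifact@master` and `actions/download-artifact@master` reference a moving branch, so whatever is on master at run time executes with this job's `packages: write` and `id-token: write` permissions — the rest of the file pins actions to commit SHAs, and these two should be pinned the same way (or at minimum to a release tag such as `@v4`). The upload immediately followed by a download in the same job is also a no-op: the jar is already on disk, and `download-artifact` treats `path` as a destination directory, so `path: build/libs/sdos.jar` would create a directory of that name rather than a file. `./gradlew build` executes `gradle/wrapper/gradle-wrapper.jar` from the checkout without integrity verification; add a `gradle/actions/wrapper-validation` step before it (or the `validate-wrappers` input of setup-gradle, if the pinned version supports it).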
@@ -64,15 +64,15 @@ jobs: # run: gradle build - - uses: actions/upload-artifact@master - with: - name: jar-file - path: build/libs/sdos.jar + - uses: actions/upload-artifact@master + with: + name: jar-file + path: build/libs/sdos.jar - - uses: actions/download-artifact@master - with: - name: jar-file - path: build/libs/sdos.jar + - uses: actions/download-artifact@master + with: + name: jar-file + path: build/libs/sdos.jar # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer From 3d56b48f39e7af9f4592338a10aeb0f0b381b96c Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 8 May 2024 11:45:26 +0530 Subject: [PATCH 07/86] Update main.yml --- .github/workflows/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4943f46..739ed8a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -50,7 +50,9 @@ jobs: uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - name: Build with Gradle Wrapper - run: ./gradlew build + run: | + chmod +x ./gradlew + ./gradlew build # NOTE: The Gradle Wrapper is the default and recommended way to run Gradle (https://docs.gradle.org/current/userguide/gradle_wrapper.html). # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. From c65ca253ae87247f8123ca7d60abfa641aa12225 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 8 May 2024 13:56:13 +0530 Subject: [PATCH 08/86] Update main.yml --- .github/workflows/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 739ed8a..b35590e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
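Review bot: `chmod +x ./gradlew` makes the wrapper script executable but still runs the committed `gradle-wrapper.jar` with no checksum check, so a tampered jar in the repo or a submodule runs with the job's write permissions; add `- uses: gradle/actions/wrapper-validation@<sha>` ahead of this `run:`. The exec bit is better fixed once in git (`git update-index --chmod=+x gradlew`) than on every run. The `build` job's `steps:` list continues outside the hunk.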
@@ -38,6 +38,9 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + submodules: 'true' + - name: Set up JDK 17 uses: actions/setup-java@v4 with: From e847b6238b137cd1f11240bbe18a7e15d1aad1e0 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 8 May 2024 14:44:29 +0530 Subject: [PATCH 09/86] Update main.yml --- .github/workflows/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b35590e..700a774 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,7 +9,7 @@ on: # schedule: # - cron: '27 0 * * *' push: - branches: [ "docker-pieline" ] + branches: [ "docker-pipeline" ] # # Publish semver tags as releases. # tags: [ 'v*.*.*' ] # pull_request: @@ -40,6 +40,7 @@ jobs: uses: actions/checkout@v4 with: submodules: 'true' + token: ${{ secrets.PAT_TOKEN }} - name: Set up JDK 17 uses: actions/setup-java@v4 From ae650d435ba58fb1df0ea538deeb9c013d9fd78e Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 8 May 2024 15:01:05 +0530 Subject: [PATCH 10/86] Update main.yml --- .github/workflows/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 700a774..5acf5be 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -73,12 +73,11 @@ jobs: - uses: actions/upload-artifact@master with: name: jar-file - path: build/libs/sdos.jar + path: build/libs - uses: actions/download-artifact@master with: name: jar-file - path: build/libs/sdos.jar # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer From 7649db1842fe8efed88d00dbec3ae566292d9742 Mon Sep 17 00:00:00 2001 
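Review bot: `token: ${{ secrets.PAT_TOKEN }}` hands a long-lived personal access token to checkout, which by default writes it into `.git/config` (`persist-credentials: true`), so every later step in this job — the Gradle build scripts from the checked-out tree and any `@master` action — can read it. Add `persist-credentials: false` to this checkout step (the token is still used for the clone and the submodule fetch within the action), scope the PAT to read-only access on the submodule repositories it exists for, and prefer a GitHub App installation token or a deploy key over a user PAT. If `pull_request` is enabled later, this secret is empty for PRs from forks so the checkout fails, while for same-repo PRs the token is exposed to the PR's build scripts.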
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Thu, 9 May 2024 17:54:42 +0530 Subject: [PATCH 11/86] Update main.yml with dependency scan stage --- .github/workflows/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5acf5be..3e45e4d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -41,6 +41,8 @@ jobs: with: submodules: 'true' token: ${{ secrets.PAT_TOKEN }} + - name: 'Dependency Review' + uses: actions/dependency-review-action@v4 - name: Set up JDK 17 uses: actions/setup-java@v4 From 4bb9b86017f9cbeedff39169201450a095f490a9 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 11:08:13 +0530 Subject: [PATCH 12/86] Update main.yml --- .github/workflows/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3e45e4d..074e103 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -12,8 +12,8 @@ on: branches: [ "docker-pipeline" ] # # Publish semver tags as releases. # tags: [ 'v*.*.*' ] - # pull_request: - # branches: [ "main" ] + pull_request: + branches: [ "docker-pipeline" ] # Allows you to run this workflow manually from the Actions tab workflow_dispatch: From ee85d51e8463d358bcfe09365bf7f203ad7256cf Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 11:13:28 +0530 Subject: [PATCH 13/86] Update main.yml with head ref --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 074e103..cd649cb 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
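Review bot: `actions/dependency-review-action@v4` is added without `base-ref`/`head-ref`, and at this point the workflow only runs on `push` and `workflow_dispatch`, where the action has no pull-request base to diff against and errors out; it is designed for the `pull_request` event. Either enable `pull_request` (the `contents: read` it needs is already granted) or give it explicit refs on push, e.g. `base-ref: ${{ github.event.before }}` and `head-ref: ${{ github.sha }}`. Without `fail-on-severity` the step only reports and does not gate the later image push.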
@@ -42,6 +42,7 @@ jobs: submodules: 'true' token: ${{ secrets.PAT_TOKEN }} - name: 'Dependency Review' + if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.ref == 'docker-pipeline' uses: actions/dependency-review-action@v4 - name: Set up JDK 17 From 988bd454495e963ca769ae0dc9126a31ef4e5e03 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 11:22:53 +0530 Subject: [PATCH 14/86] Update main.yml --- .github/workflows/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cd649cb..68dac6f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -12,8 +12,8 @@ on: branches: [ "docker-pipeline" ] # # Publish semver tags as releases. # tags: [ 'v*.*.*' ] - pull_request: - branches: [ "docker-pipeline" ] + # pull_request: + # branches: [ "docker-pipeline" ] # Allows you to run this workflow manually from the Actions tab workflow_dispatch: @@ -42,7 +42,7 @@ jobs: submodules: 'true' token: ${{ secrets.PAT_TOKEN }} - name: 'Dependency Review' - if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.ref == 'docker-pipeline' + if: github.event_name == 'workflow_dispatch' uses: actions/dependency-review-action@v4 - name: Set up JDK 17 From 9e6879d443c51fee6ff6d332cb1b42c20e09d94b Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 12:55:00 +0530 Subject: [PATCH 15/86] Update main.yml --- .github/workflows/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 68dac6f..94649f3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
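Review bot: The new condition `github.event.pull_request.head.ref == 'docker-pipeline'` tests the PR's source branch, but the `pull_request.branches` filter above matches the target branch, so for a normal PR into `docker-pipeline` the head ref is the feature branch and this clause never matches; `github.event_name == 'pull_request'` (or `github.base_ref == 'docker-pipeline'`) expresses the intent. On `workflow_dispatch` the action still has no `base-ref`/`head-ref` to compare, so that branch of the `||` errors rather than reviewing anything.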
@@ -44,6 +44,8 @@ jobs: - name: 'Dependency Review' if: github.event_name == 'workflow_dispatch' uses: actions/dependency-review-action@v4 + with: + base-ref: 'docker-pipeline' - name: Set up JDK 17 uses: actions/setup-java@v4 From 06fc309efeb23e2764c7e07b07f73f9398e08874 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 13:08:56 +0530 Subject: [PATCH 16/86] Update main.yml with code ql --- .github/workflows/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 94649f3..a408f5c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -46,6 +46,14 @@ jobs: uses: actions/dependency-review-action@v4 with: base-ref: 'docker-pipeline' + + - uses: github/codeql-action/init@v3 + with: + languages: java, python + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + - name: Set up JDK 17 uses: actions/setup-java@v4 From 49746a33757e85b0f20e2200cb7f5feaf482287a Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 13:22:58 +0530 Subject: [PATCH 17/86] Update main.yml with auto build code ql --- .github/workflows/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a408f5c..3deef9e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -50,6 +50,9 @@ jobs: - uses: github/codeql-action/init@v3 with: languages: java, python + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 From 3c51b0bb9849139298f2262ca411fcffe26113b8 Mon Sep 17 00:00:00 2001 
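Review bot: `base-ref: 'docker-pipeline'` compares against the very branch a manual run is dispatched from, and with no `head-ref` the action appears to take the current checkout, so it diffs the branch against itself and can never report a vulnerable dependency. Set `base-ref` to the branch this work will merge into (`main`) and `head-ref: ${{ github.sha }}`, or drop the `workflow_dispatch` gating and run the review on `pull_request` where both refs come from the event. The step sits inside the single `build` job whose `steps:` list runs past the hunk.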
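Review bot: `github/codeql-action/autobuild@v3` is inserted before `Set up JDK 17` and `Setup Gradle`, so CodeQL compiles the project with whatever JDK the runner defaults to and Gradle then builds it a second time; move `init` after the JDK/Gradle setup, drop `autobuild`, and place `analyze` right after `./gradlew build` so the traced build is the real one. Autobuild also executes the repository's Gradle wrapper, so the unverified-wrapper concern applies here too. Until `security-events: write` is granted to the job, `analyze` cannot upload its results.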
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 13:29:17 +0530 Subject: [PATCH 18/86] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3deef9e..54dfe94 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -49,7 +49,7 @@ jobs: - uses: github/codeql-action/init@v3 with: - languages: java, python + languages: java - name: Autobuild uses: github/codeql-action/autobuild@v3 From 3c4839df833bbc43ef1450cf8c0b6f93f75e98c3 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 13:41:53 +0530 Subject: [PATCH 19/86] Update main.yml --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 54dfe94..a7c514d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -31,6 +31,7 @@ jobs: permissions: contents: read packages: write + security-events: write # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write From b8ccc4b654bb0df29bc630ee480d5c3ffc041e71 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 13:51:40 +0530 Subject: [PATCH 20/86] Update main.yml --- .github/workflows/main.yml | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a7c514d..e1e9e69 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -42,23 +42,25 @@ jobs: with: submodules: 'true' token: ${{ secrets.PAT_TOKEN }} - - name: 'Dependency Review' - if: github.event_name == 'workflow_dispatch' - uses: actions/dependency-review-action@v4 - with: - base-ref: 'docker-pipeline' + # - name: 'Dependency Review' + # if: github.event_name == 'workflow_dispatch' + # uses: actions/dependency-review-action@v4 + # with: + # base-ref: 'docker-pipeline' - - uses: github/codeql-action/init@v3 - with: - languages: java + # - uses: github/codeql-action/init@v3 + # with: + # languages: java - - name: Autobuild - uses: github/codeql-action/autobuild@v3 + # - name: Autobuild + # uses: github/codeql-action/autobuild@v3 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + # - name: Perform CodeQL Analysis + # uses: github/codeql-action/analyze@v3 - + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@master + - name: Set up JDK 17 uses: actions/setup-java@v4 with: From 76f2d1f9af20c29d963e2535cee728a3e32bbe43 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 14:11:34 +0530 Subject: [PATCH 21/86] Update main.yml without image sign --- .github/workflows/main.yml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e1e9e69..6d8b12d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
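Review bot: `codacy/codacy-analysis-cli-action@master` is a third-party scanner referenced by a moving branch, and it runs inside the job that holds `packages: write`, `security-events: write`, `id-token: write` and a checkout with `PAT_TOKEN` persisted in `.git/config`; pin it to a commit SHA and, better, run static analysis in its own job whose `permissions:` are `contents: read` only. With no `project-token`/`upload` inputs it appears to only print results and not fail the run, so nothing here gates the image push. Commenting out the CodeQL steps also removes the only analysis that reported into code scanning — if Codacy is the replacement, emit SARIF (`format: sarif`, `output: results.sarif`) and upload it with `github/codeql-action/upload-sarif` so findings stay visible.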
@@ -143,17 +143,17 @@ jobs: cache-from: type=gha cache-to: type=gha,mode=max - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + # # Sign the resulting Docker image digest except on PRs. + # # This will only write to the public Rekor transparency log when the Docker + # # repository is public to avoid leaking data. If you would like to publish + # # transparency data even for private images, pass --force to cosign below. + # # https://github.com/sigstore/cosign + # - name: Sign the published Docker image + # if: ${{ github.event_name != 'pull_request' }} + # env: + # # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + # TAGS: ${{ steps.meta.outputs.tags }} + # DIGEST: ${{ steps.build-and-push.outputs.digest }} + # # This step uses the identity token to provision an ephemeral certificate + # # against the sigstore community Fulcio instance. + # run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} From 82bd1022514d3b617f2aabf95f4f7110a5f6963d Mon Sep 17 00:00:00 2001 
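Review bot: Commenting out the `cosign sign` step means images pushed to ghcr.io are now unsigned, while the job keeps `id-token: write` and still runs `Install cosign`; either restore signing (it only needs the digest that `build-and-push` already outputs) or remove the `id-token: write` permission and the cosign install step so the job does not hold an OIDC-minting capability it no longer uses. If signing was disabled because the repository is private and a public Rekor entry was the concern, `cosign sign --yes --tlog-upload=false {}@${DIGEST}` keeps the signature without the transparency-log upload (cosign v2.1.1, pinned above, supports the flag). Consumers of the image lose the ability to verify provenance with `cosign verify` in the meantime.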
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 14:15:40 +0530 Subject: [PATCH 22/86] Update main.yml --- .github/workflows/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6d8b12d..f0c5512 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -12,8 +12,8 @@ on: branches: [ "docker-pipeline" ] # # Publish semver tags as releases. # tags: [ 'v*.*.*' ] - # pull_request: - # branches: [ "docker-pipeline" ] + pull_request: + branches: [ "docker-pipeline" ] # Allows you to run this workflow manually from the Actions tab workflow_dispatch: From 79d32fb8cfa4acf77debd9b1a1112992fa602f85 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 15:14:52 +0530 Subject: [PATCH 23/86] Update main.yml --- .github/workflows/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f0c5512..4bc4ba3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -42,6 +42,15 @@ jobs: with: submodules: 'true' token: ${{ secrets.PAT_TOKEN }} + + - name: 'Dependency Review' + uses: actions/dependency-review-action@v4 + # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. + with: + comment-summary-in-pr: always + # fail-on-severity: moderate + # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later + # retry-on-snapshot-warnings: true # - name: 'Dependency Review' # if: github.event_name == 'workflow_dispatch' # uses: actions/dependency-review-action@v4 From f80c2650682381bf5f0c5cbf8e804e074d476892 Mon Sep 17 00:00:00 2001 
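Review bot: Enabling `pull_request` on `docker-pipeline` means PR builds run `./gradlew build` from the PR head with `PAT_TOKEN` available to the checkout step (and persisted in `.git/config` by default), so a PR author's build script can read that token; for PRs from forks the secret is empty and the checkout fails instead. Keep the PR path free of long-lived secrets — use a separate read-only job for PR validation, or at least `persist-credentials: false` and a read-scoped PAT. The `if: github.event_name != 'pull_request'` guards on login and push do correctly prevent publishing from PRs.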
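Review bot: `comment-summary-in-pr: always` needs `pull-requests: write`, which the job's `permissions:` block (`contents: read`, `packages: write`, `security-events: write`, `id-token: write`) does not grant, so the action will most likely fail with a 403 when it posts the comment; add `pull-requests: write` or drop the input. The step also runs with no `if:`, so on `push` and `workflow_dispatch` it has no base to compare against and errors out — gate it with `if: github.event_name == 'pull_request'`. The commented `fail-on-severity: moderate` is the line that would make this review an actual gate; as added, the step only reports.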
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 19:49:33 +0530 Subject: [PATCH 24/86] Update main.yml with trivy --- .github/workflows/main.yml | 76 +++++++++++++++++++++++++++++--------- 1 file changed, 59 insertions(+), 17 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e1e9e69..4a8bd86 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -12,8 +12,8 @@ on: branches: [ "docker-pipeline" ] # # Publish semver tags as releases. # tags: [ 'v*.*.*' ] - # pull_request: - # branches: [ "docker-pipeline" ] + pull_request: + branches: [ "docker-pipeline" ] # Allows you to run this workflow manually from the Actions tab workflow_dispatch: @@ -22,6 +22,7 @@ env: REGISTRY: ghcr.io # github.repository as / IMAGE_NAME: ${{ github.repository }} + TG: ${{ github.ref#refs/heads/ }} jobs: @@ -42,6 +43,15 @@ jobs: with: submodules: 'true' token: ${{ secrets.PAT_TOKEN }} + + # - name: 'Dependency Review' + # uses: actions/dependency-review-action@v4 + # # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. + # with: + # comment-summary-in-pr: always + # fail-on-severity: moderate + # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later + # retry-on-snapshot-warnings: true # - name: 'Dependency Review' # if: github.event_name == 'workflow_dispatch' # uses: actions/dependency-review-action@v4 @@ -58,6 +68,27 @@ jobs: # - name: Perform CodeQL Analysis # uses: github/codeql-action/analyze@v3 + - name: Run Trivy scanner + uses: aquasecurity/trivy-action@master + with: + scan-type: repo + hide-progress: true + output: trivy.txt + + - name: Publish Trivy Output to Summary + run: | + if [[ -s trivy.txt ]]; then + { + echo "### Security Output" + echo "
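Review bot: `TG: ${{ github.ref#refs/heads/ }}` is not valid GitHub expression syntax — `#` is not an operator inside `${{ }}` — so the workflow file is rejected by the expression parser before any job runs. The branch-derived tag is already computed by `docker/metadata-action` (`steps.meta.outputs.version` / `steps.meta.outputs.tags`) and should be reused rather than recomputed; if a bare branch name is needed, `${{ github.ref_name }}` is the supported form. Because this variable feeds the later `image-ref`, the image scan would point at a nonexistent tag even if the expression parsed.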
Click to expand" + echo "" + echo '```terraform' + cat trivy.txt + echo '```' + echo "
" + } >> $GITHUB_STEP_SUMMARY + fi + - name: Run Codacy Analysis CLI uses: codacy/codacy-analysis-cli-action@master 
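Review bot: `aquasecurity/trivy-action@master` runs with no `exit-code`, so the repository scan is informational only and never blocks the build; set `exit-code: '1'` with a `severity:` threshold if it is meant to gate, and pin the action to a commit SHA like the other third-party actions in this file. The summary step fences the scanner output as `terraform`, which mislabels Trivy's table output (a plain fence is correct), and the `echo` lines around "Click to expand" appear to have lost their HTML `<details>`/`<summary>` markup in this rendering — check the committed file has matching open and close tags. The `build` job's `steps:` list continues outside the hunk.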
@@ -142,18 +173,29 @@ jobs: labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + + - name: Scan image in a private registry + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}" + scan-type: image + format: 'github' + output: 'dependency-results.json' + github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT + severity: "MEDIUM,HIGH,CRITICAL" + scanners: "vuln" + + # # Sign the resulting Docker image digest except on PRs. + # # This will only write to the public Rekor transparency log when the Docker + # # repository is public to avoid leaking data. If you would like to publish + # # transparency data even for private images, pass --force to cosign below. 
+ # # https://github.com/sigstore/cosign + # - name: Sign the published Docker image + # if: ${{ github.event_name != 'pull_request' }} + # env: + # # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + # TAGS: ${{ steps.meta.outputs.tags }} + # DIGEST: ${{ steps.build-and-push.outputs.digest }} + # # This step uses the identity token to provision an ephemeral certificate + # # against the sigstore community Fulcio instance. + # run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} From 6f702592deae068d54c33d49033b089d6f53dddf Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 19:51:33 +0530 Subject: [PATCH 25/86] Update main.yml --- .github/workflows/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4a8bd86..19c6552 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -183,8 +183,7 @@ jobs: output: 'dependency-results.json' github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT severity: "MEDIUM,HIGH,CRITICAL" - scanners: "vuln" - + scanners: "vuln" # # Sign the resulting Docker image digest except on PRs. # # This will only write to the public Rekor transparency log when the Docker # # repository is public to avoid leaking data. If you would like to publish From 08262201906c03b653e79384b82a82a9cb5e0d06 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 19:54:23 +0530 Subject: [PATCH 26/86] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 19c6552..1baa9e2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
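Review bot: the new scan step targets the image by mutable tag, `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}"`, although the removed signing step shows the build step already exposes `steps.build-and-push.outputs.digest`; scanning by tag can pick up whatever the tag currently points at rather than the image this run just pushed, so prefer `image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}"`. That line also ends in a stray `"` which, as a plain scalar, is passed through to Trivy as part of the reference (patch 28 later wraps the value in quotes). With the cosign step removed, the `id-token: write` permission the job keeps (visible as context in later hunks) is no longer used by anything and can be dropped until signing returns. The enclosing job starts outside the hunk.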
@@ -22,7 +22,7 @@ env: REGISTRY: ghcr.io # github.repository as / IMAGE_NAME: ${{ github.repository }} - TG: ${{ github.ref#refs/heads/ }} + TG: ${{ basename(github.ref) }} jobs: From 89361081f66f52aaa31d4489cd313d23d98ff02e Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 19:56:46 +0530 Subject: [PATCH 27/86] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1baa9e2..c4a565c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -22,7 +22,7 @@ env: REGISTRY: ghcr.io # github.repository as / IMAGE_NAME: ${{ github.repository }} - TG: ${{ basename(github.ref) }} + TG: docker-pipeline jobs: From cd8d9da15d1d2a80efabc1acc8bec56013d7c753 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 20:11:11 +0530 Subject: [PATCH 28/86] Update main.yml --- .github/workflows/main.yml | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c4a565c..869c441 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -71,23 +71,23 @@ jobs: - name: Run Trivy scanner uses: aquasecurity/trivy-action@master with: - scan-type: repo - hide-progress: true - output: trivy.txt - - - name: Publish Trivy Output to Summary - run: | - if [[ -s trivy.txt ]]; then - { - echo "### Security Output" - echo "
Click to expand" - echo "" - echo '```terraform' - cat trivy.txt - echo '```' - echo "
" - } >> $GITHUB_STEP_SUMMARY - fi + scan-type: 'repo' + # hide-progress: true + # output: trivy.txt + + # - name: Publish Trivy Output to Summary + # run: | + # if [[ -s trivy.txt ]]; then + # { + # echo "### Security Output" + # echo "
Click to expand" + # echo "" + # echo '```terraform' + # cat trivy.txt + # echo '```' + # echo "
" + # } >> $GITHUB_STEP_SUMMARY + # fi - name: Run Codacy Analysis CLI uses: codacy/codacy-analysis-cli-action@master @@ -177,8 +177,8 @@ jobs: - name: Scan image in a private registry uses: aquasecurity/trivy-action@master with: - image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}" - scan-type: image + image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}" + scan-type: 'image' format: 'github' output: 'dependency-results.json' github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT From c0231c6e71bb4650492968a2d9c086a0e1194c2c Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 10 May 2024 20:22:42 +0530 Subject: [PATCH 29/86] Update main.yml --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 869c441..8d948ac 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -72,6 +72,7 @@ jobs: uses: aquasecurity/trivy-action@master with: scan-type: 'repo' + github-pat: ${{ secrets.GITHUB_TOKEN }} # hide-progress: true # output: trivy.txt From 5d17e370af8b7f8d355bc716290f45b184badb68 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Tue, 14 May 2024 14:10:44 +0530 Subject: [PATCH 30/86] Update main.yml --- .github/workflows/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 8d948ac..04eed7b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -71,8 +71,12 @@ jobs: - name: Run Trivy scanner uses: aquasecurity/trivy-action@master with: - scan-type: 'repo' + scan-type: 'fs' github-pat: ${{ secrets.GITHUB_TOKEN }} + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL' # hide-progress: true # output: trivy.txt 
From 7e9e0e3866ea5fe8df56113ef32b7020849cba02 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 15 May 2024 18:49:41 +0530 Subject: [PATCH 31/86] Update main.yml --- .github/workflows/main.yml | 64 ++++++++++++++++++++++++++------------ 1 file changed, 44 insertions(+), 20 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 04eed7b..6c1344c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -52,11 +52,11 @@ jobs: # fail-on-severity: moderate # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later # retry-on-snapshot-warnings: true - # - name: 'Dependency Review' - # if: github.event_name == 'workflow_dispatch' - # uses: actions/dependency-review-action@v4 - # with: - # base-ref: 'docker-pipeline' + - name: 'Dependency Review' + if: github.event_name == 'workflow_dispatch' + uses: actions/dependency-review-action@v4 + with: + base-ref: 'docker-pipeline' # - uses: github/codeql-action/init@v3 # with: @@ -68,17 +68,17 @@ jobs: # - name: Perform CodeQL Analysis # uses: github/codeql-action/analyze@v3 - - name: Run Trivy scanner - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - github-pat: ${{ secrets.GITHUB_TOKEN }} - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL' - # hide-progress: true - # output: trivy.txt + # - name: Run Trivy scanner + # uses: aquasecurity/trivy-action@master + # with: + # scan-type: 'fs' + # github-pat: ${{ secrets.GITHUB_TOKEN }} + # ignore-unfixed: true + # format: 'sarif' + # output: 'trivy-results.sarif' + # severity: 'CRITICAL' + # # hide-progress: true + # # output: trivy.txt # - name: Publish Trivy Output to Summary # run: | 
@@ -93,7 +93,24 @@ jobs: # echo "" # } >> $GITHUB_STEP_SUMMARY # fi - + +########################################################################## + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + ############################################## + - name: Run Codacy Analysis CLI uses: codacy/codacy-analysis-cli-action@master @@ -184,11 +201,18 @@ jobs: with: image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}" scan-type: 'image' - format: 'github' - output: 'dependency-results.json' + format: 'sarif' + output: 'trivy-results-image.sarif' github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT severity: "MEDIUM,HIGH,CRITICAL" - scanners: "vuln" + scanners: "vuln" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + sarif_file: 'trivy-results-image.sarif' + # # Sign the resulting Docker image digest except on PRs. # # This will only write to the public Rekor transparency log when the Docker # # repository is public to avoid leaking data. If you would like to publish From 517962f8290c577cd04e63a3979e90a11ab13900 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 15 May 2024 19:15:54 +0530 Subject: [PATCH 32/86] Update main.yml --- .github/workflows/main.yml | 35 +++++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6c1344c..4aa5558 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
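Review bot: both new `Upload Trivy scan results to GitHub Security tab` steps appear to run in the same job with no `category:` input; unless I'm mistaken, code scanning treats two SARIF uploads for the same commit and category as one analysis and the later upload replaces the earlier, so the filesystem-scan results would be overwritten by the image-scan results. Give each upload its own category, e.g. `category: trivy-fs` on the first and `category: trivy-image` on the second. The uploads use `github/codeql-action/upload-sarif@v2` while the commented CodeQL steps in the same file are on `@v3`; the two should agree on a major. The `##########` separator comments sit at column 0 inside the `steps:` list, which is legal YAML but breaks the file's indentation convention.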
@@ -195,23 +195,34 @@ jobs: labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - - - name: Scan image in a private registry - uses: aquasecurity/trivy-action@master + + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: - image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}" - scan-type: 'image' - format: 'sarif' - output: 'trivy-results-image.sarif' - github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT - severity: "MEDIUM,HIGH,CRITICAL" - scanners: "vuln" + image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 - if: always() with: - sarif_file: 'trivy-results-image.sarif' + sarif_file: 'trivy-results.sarif' + + # - name: Scan image in a private registry + # uses: aquasecurity/trivy-action@master + # with: + # image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}" + # scan-type: 'image' + # format: 'sarif' + # output: 'trivy-results-image.sarif' + # github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT + # severity: "MEDIUM,HIGH,CRITICAL" + # scanners: "vuln" + + # # Sign the resulting Docker image digest except on PRs. # # This will only write to the public Rekor transparency log when the Docker From 232df73169ba093fa727dd0060933d30dddba2c1 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Thu, 16 May 2024 15:41:51 +0530 Subject: [PATCH 33/86] Update main.yml --- .github/workflows/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4aa5558..c57e0ae 100644 --- a/.github/workflows/main.yml 
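Review bot: `uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe` is the right kind of pin, but it carries no `# vX.Y.Z` comment, unlike the `setup-gradle` pin elsewhere in the file, so a reader cannot tell which release it is or check it against a future bump. The step also goes through `format: 'template'` with `template: '@/contrib/sarif.tpl'` while the repo-scan step earlier in the job uses the native `format: 'sarif'`; the template route is the older mechanism and the two steps should use the same one. Removing `if: always()` from the upload step means a scanner error now also skips the upload, which may be intended but deserves a comment. The enclosing job starts outside the hunk.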
+++ b/.github/workflows/main.yml @@ -33,6 +33,8 @@ jobs: contents: read packages: write security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write From 58968db7092047d5d9fcca3f21b70e87b4699a25 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Thu, 16 May 2024 20:44:16 +0530 Subject: [PATCH 34/86] Update main.yml --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c57e0ae..60482b6 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -207,6 +207,7 @@ jobs: template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' + token: ${{ secrets.PAT_TOKEN }} - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 From a1b39881169fa76b1ff6e6afd313fc76dbcb9251 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Thu, 16 May 2024 20:51:31 +0530 Subject: [PATCH 35/86] Update main.yml --- .github/workflows/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 60482b6..a7ddae0 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -207,7 +207,8 @@ jobs: template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' - token: ${{ secrets.PAT_TOKEN }} + github-pat: ${{ secrets.PAT_TOKEN }} + docker-host: ///var/run/docker.sock - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 From 92e13a51705080661ffcfaf059908bb51e7b3ed9 Mon Sep 17 00:00:00 2001 
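Review bot: `token: ${{ secrets.PAT_TOKEN }}` (patch 34) is not an input the trivy-action step declares, and the next commit on this line renames it to `github-pat` — but that also swaps in `PAT_TOKEN`, a long-lived personal token, for an input the repo-scan step earlier in the file feeds with `${{ secrets.GITHUB_TOKEN }}`; the scoped job token is the better choice unless a specific scope is missing, and that reason belongs in a comment. `docker-host: ///var/run/docker.sock` looks malformed (three leading slashes, no scheme); socket addresses are normally written `unix:///var/run/docker.sock`, so confirm the expected form against the action's input docs. The `actions: read` line from patch 33 carries a useful why-comment, whereas the `id-token: write` two lines below it is now unused because the cosign step is commented out. The enclosing job starts outside these hunks.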
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 13:39:58 +0530 Subject: [PATCH 36/86] Update main.yml --- .github/workflows/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a7ddae0..4f21941 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -46,6 +46,9 @@ jobs: submodules: 'true' token: ${{ secrets.PAT_TOKEN }} + - name: validating gradlle + uses: gradle/actions/wrapper-validation@v3 + # - name: 'Dependency Review' # uses: actions/dependency-review-action@v4 # # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. @@ -122,6 +125,9 @@ jobs: java-version: '17' distribution: 'temurin' + - name: Generate and submit dependency graph + uses: gradle/actions/dependency-submission@v3 + # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle From dda566425971add9a8fb975e500f3552b86a7cab Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 13:48:07 +0530 Subject: [PATCH 37/86] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4f21941..64761fc 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-latest permissions: - contents: read + contents: read,write packages: write security-events: write actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status From 80a6f5cfd37c6b4e744674bb35c61bafc618f5e0 Mon Sep 17 00:00:00 2001 
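Review bot: `contents: read,write` (patch 37) is not a valid permission value — each `permissions` key takes exactly one of `read`, `write` or `none` — so the workflow fails to parse; the next commit settles on `contents: write`, which is what `gradle/actions/dependency-submission` needs for the snapshot API. The step name `validating gradlle` in patch 36 has a typo and should read `Validate Gradle wrapper`, matching the capitalised names of the other steps. The enclosing job starts outside these hunks.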
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 13:51:23 +0530 Subject: [PATCH 38/86] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 64761fc..3f2d6cc 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-latest permissions: - contents: read,write + contents: write packages: write security-events: write actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status From 28ede5dcfc11b3fbe937d9f10ce6391c644c20b7 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 15:09:16 +0530 Subject: [PATCH 39/86] Update main.yml --- .github/workflows/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3f2d6cc..3b64803 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -125,13 +125,13 @@ jobs: java-version: '17' distribution: 'temurin' - - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@v3 - # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + + - name: Generate and submit dependency graph + uses: gradle/actions/dependency-submission@v3 - name: Build with Gradle Wrapper run: | From e5ba3c13d1a7440e0a50ad70ddff22dcbaf39086 Mon Sep 17 00:00:00 2001 
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 15:35:12 +0530 Subject: [PATCH 40/86] Update main.yml --- .github/workflows/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3b64803..73ac165 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -129,9 +129,11 @@ jobs: # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + with: + gradle-version: '8.5' - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@v3 + uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 - name: Build with Gradle Wrapper run: | From 1173cc02273a4ca1c5a6f1c7ab6ed8b5a6a9584b Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 15:43:56 +0530 Subject: [PATCH 41/86] Update main.yml --- .github/workflows/main.yml | 51 +++++++++++++++++++++++++------------- 1 file changed, 34 insertions(+), 17 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 73ac165..4319cf0 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -131,9 +131,6 @@ jobs: uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 with: gradle-version: '8.5' - - - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 - name: Build with Gradle Wrapper run: | 
@@ -207,21 +204,21 @@ jobs: cache-to: type=gha,mode=max - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - with: - image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - github-pat: ${{ secrets.PAT_TOKEN }} - docker-host: ///var/run/docker.sock + # - name: Run Trivy vulnerability scanner + # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + # with: + # image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}' + # format: 'template' + # template: '@/contrib/sarif.tpl' + # output: 'trivy-results.sarif' + # severity: 'CRITICAL,HIGH' + # github-pat: ${{ secrets.PAT_TOKEN }} + # docker-host: ///var/run/docker.sock - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results.sarif' + # - name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: 'trivy-results.sarif' # - name: Scan image in a private registry # uses: aquasecurity/trivy-action@master 
@@ -250,3 +247,23 @@ jobs: # # This step uses the identity token to provision an ephemeral certificate # # against the sigstore community Fulcio instance. # run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + + + dependency-submission: + + runs-on: ubuntu-latest + permissions: + contents: write + + steps: + - uses: actions/checkout@v4 + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + + # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. + # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md + - name: Generate and submit dependency graph + uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 From 7258b52ca61290530e90e52efb0220a3ba35190d Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 16:03:23 +0530 Subject: [PATCH 42/86] Update main.yml --- .github/workflows/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4319cf0..e3fe40d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -267,3 +267,6 @@ jobs: # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - name: Generate and submit dependency graph uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 + with: + # Use a particular Gradle version instead of the configured wrapper. + gradle-version: 8.5 From e3c59b5d746ea1470ef851c21fde29cac4284778 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 16:22:01 +0530 Subject: [PATCH 43/86] Update main.yml --- .github/workflows/main.yml | 87 +++++++++++++++++++++++--------------- 1 file changed, 52 insertions(+), 35 deletions(-) 
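Review bot: `gradle-version: 8.5` in the new `dependency-submission` job is an unquoted YAML float, whereas the `build` job writes `gradle-version: '8.5'`; it round-trips here by luck, but a version such as `8.10` would be read as `8.1`, so quote it: `gradle-version: '8.5'`. The job references `actions/checkout@v4` and `actions/setup-java@v4` by mutable tag while the gradle action in the same job is SHA-pinned; pick one pinning style per file. The pinned SHA `417ae3cc…` would also benefit from the same `# v3.1.0` annotation it carries on the `setup-gradle` use.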
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e3fe40d..1d2bd8b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -158,6 +158,44 @@ jobs: with: name: jar-file + + dependency-submission: + + runs-on: ubuntu-latest + permissions: + contents: write + + steps: + - uses: actions/checkout@v4 + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + + # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. + # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md + - name: Generate and submit dependency graph + uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 + with: + # Use a particular Gradle version instead of the configured wrapper. + gradle-version: 8.5 + + docker-build: + + runs-on: ubuntu-latest + permissions: + contents: write + packages: write + security-events: write + actions: read + steps: + - uses: actions/checkout@v4 + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - name: Install cosign 
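Review bot: the new `docker-build` job asks for `contents: write`, but nothing in the visible part of the job writes to the repository — checkout and setup-java need only `contents: read`, and the artifact download, image push and SARIF upload seen in later hunks are covered by `actions: read`, `packages: write` and `security-events: write` — so `contents: read` is the least-privilege setting. The `dependency-submission` job moved into this hunk still carries the unquoted `gradle-version: 8.5`. The job body continues past the end of the hunk.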
@@ -204,21 +242,21 @@ jobs: cache-to: type=gha,mode=max - # - name: Run Trivy vulnerability scanner - # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - # with: - # image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}' - # format: 'template' - # template: '@/contrib/sarif.tpl' - # output: 'trivy-results.sarif' - # severity: 'CRITICAL,HIGH' - # github-pat: ${{ secrets.PAT_TOKEN }} - # docker-host: ///var/run/docker.sock + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + with: + image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH,MEDIUM' + github-pat: ${{ secrets.PAT_TOKEN }} + docker-host: ///var/run/docker.sock - # - name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: 'trivy-results.sarif' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' # - name: Scan image in a private registry # uses: aquasecurity/trivy-action@master @@ -249,24 +287,3 @@ jobs: # run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} - dependency-submission: - - runs-on: ubuntu-latest - permissions: - contents: write - - steps: - - uses: actions/checkout@v4 - - name: Set up JDK 17 - uses: actions/setup-java@v4 - with: - java-version: '17' - distribution: 'temurin' - - # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. - # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 - with: - # Use a particular Gradle version instead of the configured wrapper. - gradle-version: 8.5 
From 69ddfa26a241583b8bd9481ede127728922564ad Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 16:26:29 +0530 Subject: [PATCH 44/86] Update main.yml --- .github/workflows/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1d2bd8b..e183e3e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -196,6 +196,9 @@ jobs: with: java-version: '17' distribution: 'temurin' + - uses: actions/download-artifact@master + with: + name: jar-file # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - name: Install cosign From 4a67434100aa5c854ace9eea68e332d2eb5daf45 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 16:31:21 +0530 Subject: [PATCH 45/86] Update main.yml --- .github/workflows/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e183e3e..10ccc82 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -190,15 +190,16 @@ jobs: security-events: write actions: read steps: + - uses: actions/download-artifact@master + with: + name: jar-file - uses: actions/checkout@v4 - name: Set up JDK 17 uses: actions/setup-java@v4 with: java-version: '17' distribution: 'temurin' - - uses: actions/download-artifact@master - with: - name: jar-file + # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - name: Install cosign From d28c3383b5ec1dbb7b7003db482f2d1847102ad0 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 16:33:38 +0530 Subject: [PATCH 46/86] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
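Review bot: patch 45 moves `actions/download-artifact@master` ahead of `actions/checkout@v4`, but checkout clears a non-repository workspace before cloning (and with its default `clean: true` removes untracked files in an existing one), so the downloaded `jar-file` is gone before the Docker build that needs it; the download has to come after checkout, which patch 48 eventually restores. `@master` on `download-artifact` is a mutable ref, while `checkout` and `setup-java` beside it use release tags — pin it to a release or commit SHA like the rest of the file. The enclosing job starts outside these hunks.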
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 10ccc82..3a263fd 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -182,7 +182,7 @@ jobs: gradle-version: 8.5 docker-build: - + needs: build runs-on: ubuntu-latest permissions: contents: write From 89d98568720729058cfc2c7fbc42d4eeea7c7a4a Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 16:50:48 +0530 Subject: [PATCH 47/86] Update main.yml --- .github/workflows/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3a263fd..d2f9d82 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -193,6 +193,8 @@ jobs: - uses: actions/download-artifact@master with: name: jar-file + path: build/libs + - uses: actions/checkout@v4 - name: Set up JDK 17 uses: actions/setup-java@v4 From 4a9459bb0799cd2f3bdd680d812050973ddbf4f7 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 17:08:20 +0530 Subject: [PATCH 48/86] Update main.yml --- .github/workflows/main.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d2f9d82..640e903 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -190,10 +190,6 @@ jobs: security-events: write actions: read steps: - - uses: actions/download-artifact@master - with: - name: jar-file - path: build/libs - uses: actions/checkout@v4 - name: Set up JDK 17 @@ -202,6 +198,11 @@ jobs: java-version: '17' distribution: 'temurin' + - uses: actions/download-artifact@master + with: + name: jar-file + path: build/libs + # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - name: Install cosign From 3e6ee20d6302218cdbeedd4c1db8e5cf70ebc20d Mon Sep 17 00:00:00 2001 
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 18:24:26 +0530 Subject: [PATCH 49/86] Update build.gradle --- build.gradle | 1 + 1 file changed, 1 insertion(+) diff --git a/build.gradle b/build.gradle index fb41f13..5616bbe 100644 --- a/build.gradle +++ b/build.gradle @@ -3,6 +3,7 @@ plugins { id 'io.spring.dependency-management' version '1.0.11.RELEASE' id 'java' id 'org.barfuin.gradle.jacocolog' version '3.1.0' + id 'org.gradle.github-dependency-graph-gradle-plugin' version '1.3.0' } group = 'com.scania.sdos' From d81c588ab49eb461dccdf85dae105ef8228e5759 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 18:32:47 +0530 Subject: [PATCH 50/86] Update build.gradle --- build.gradle | 1 - 1 file changed, 1 deletion(-) diff --git a/build.gradle b/build.gradle index 5616bbe..fb41f13 100644 --- a/build.gradle +++ b/build.gradle @@ -3,7 +3,6 @@ plugins { id 'io.spring.dependency-management' version '1.0.11.RELEASE' id 'java' id 'org.barfuin.gradle.jacocolog' version '3.1.0' - id 'org.gradle.github-dependency-graph-gradle-plugin' version '1.3.0' } group = 'com.scania.sdos' From c3efa3e93aa46f60fae3afba9583e39dfde69f39 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 18:34:24 +0530 Subject: [PATCH 51/86] Update main.yml --- .github/workflows/main.yml | 43 +++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 640e903..0d7b6f5 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -131,6 +131,7 @@ jobs: uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 with: gradle-version: '8.5' + dependency-graph: generate-and-submit - name: Build with Gradle Wrapper run: | 
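Review bot: `dependency-graph: generate-and-submit` on the `setup-gradle` step submits on every trigger of this workflow, including the `pull_request` runs enabled in patch 24; as far as I recall, submission from a fork PR fails because its `GITHUB_TOKEN` is read-only, and the setup-gradle README recommends generating on PRs and submitting only from the target branch. Consider gating the value by event, e.g. `dependency-graph: ${{ github.event_name == 'pull_request' && 'generate' || 'generate-and-submit' }}`, after confirming the accepted values in the action's docs. The two `build.gradle` commits just above (49/50) add and then remove the `org.gradle.github-dependency-graph-gradle-plugin` plugin that this input supersedes, so that net-zero pair is consistent with the approach taken here.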
@@ -159,27 +160,27 @@ jobs: name: jar-file - dependency-submission: - - runs-on: ubuntu-latest - permissions: - contents: write - - steps: - - uses: actions/checkout@v4 - - name: Set up JDK 17 - uses: actions/setup-java@v4 - with: - java-version: '17' - distribution: 'temurin' - - # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. - # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 - with: - # Use a particular Gradle version instead of the configured wrapper. - gradle-version: 8.5 + # dependency-submission: + + # runs-on: ubuntu-latest + # permissions: + # contents: write + + # steps: + # - uses: actions/checkout@v4 + # - name: Set up JDK 17 + # uses: actions/setup-java@v4 + # with: + # java-version: '17' + # distribution: 'temurin' + + # # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. + # # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md + # - name: Generate and submit dependency graph + # uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 + # with: + # # Use a particular Gradle version instead of the configured wrapper. + # gradle-version: 8.5 docker-build: needs: build From dd412b2a43d1297651a77244f33e1365e015f909 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 19:06:30 +0530 Subject: [PATCH 52/86] Update main.yml --- .github/workflows/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 0d7b6f5..62d4fa9 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
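Review bot: The dependency-submission job is commented out line by line instead of being removed, and the same block is then toggled back and forth in patches 55, 58 and 60; git history already preserves deleted text, so delete the job rather than carry roughly twenty-five lines of dead YAML. If the block is kept for later, quote the Gradle version as the setup-gradle stanza does (`gradle-version: '8.5'`) so that a future bump such as 8.10 is not parsed as the float 8.1 when it is uncommented. The job that follows (`docker-build`) continues outside the hunk.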
@@ -107,7 +107,7 @@ jobs: ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' - severity: 'CRITICAL' + severity: 'CRITICAL,LOW,MEDIUM,HIGH' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 @@ -257,9 +257,9 @@ jobs: format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH,MEDIUM' + severity: 'CRITICAL,HIGH,MEDIUM,LOW' github-pat: ${{ secrets.PAT_TOKEN }} - docker-host: ///var/run/docker.sock + docker-host: //var/run/docker.sock - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 From cf9ca5362c3842521684e7aad0cf69e59c028f35 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Mon, 20 May 2024 19:40:29 +0530 Subject: [PATCH 53/86] Update main.yml --- .github/workflows/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 62d4fa9..b26b563 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -104,10 +104,12 @@ jobs: uses: aquasecurity/trivy-action@master with: scan-type: 'fs' - ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,LOW,MEDIUM,HIGH' + vuln-type: 'os,library' + scanners: 'vuln,secret' + - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 @@ -260,6 +262,8 @@ jobs: severity: 'CRITICAL,HIGH,MEDIUM,LOW' github-pat: ${{ secrets.PAT_TOKEN }} docker-host: //var/run/docker.sock + vuln-type: 'os,library' + scanners: 'vuln,secret' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 From 2c42454f5d92c0874cda5679af29427d41ace4e1 Mon Sep 17 00:00:00 2001 
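Review bot: `docker-host: //var/run/docker.sock` (second hunk of patch 52) still does not look like a valid Docker host URI; Trivy expects a scheme such as `unix:///var/run/docker.sock`, so the previous `///` form and this `//` form will most likely both fail to connect or fall back to the default host — verify against the trivy-action `docker-host` input documentation. In the same step `github-pat: ${{ secrets.PAT_TOKEN }}` hands a long-lived personal token to a third-party action, whereas `${{ secrets.GITHUB_TOKEN }}` (run-scoped, expires with the job) is what the action documents for fetching its database; use the PAT only if there is a documented need. The enclosing step's `uses:` line is outside the hunk.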
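Review bot: `aquasecurity/trivy-action@master` (context line at the top of the first hunk of patch 53) is resolved from a moving branch on every run, inside a job that holds `security-events: write` and, in the second hunk of the same commit, receives `secrets.PAT_TOKEN`; pin it to a release tag or full commit SHA with a version comment, matching the `docker/*` steps in this file. Dropping `ignore-unfixed: true` while widening `severity` to all four levels is a deliberate trade-off, but it turns every unfixable OS-package finding into a Code Scanning alert; if that is not wanted, keep `ignore-unfixed: true` with a comment saying why. Adding `scanners: 'vuln,secret'` is a useful control, with the caveat that any credential-shaped string in the repository is then reported to the Security tab on every run.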
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Tue, 21 May 2024 12:46:21 +0530 Subject: [PATCH 54/86] Update main.yml --- .github/workflows/main.yml | 153 ++++++++++++++++++++++++++++++++++--- 1 file changed, 142 insertions(+), 11 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4bc4ba3..1973821 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -22,6 +22,7 @@ env: REGISTRY: ghcr.io # github.repository as / IMAGE_NAME: ${{ github.repository }} + TG: docker-pipeline jobs: @@ -29,9 +30,11 @@ jobs: runs-on: ubuntu-latest permissions: - contents: read + contents: write packages: write security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write 
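Review bot: Raising the build job from `contents: read` to `contents: write` gives every step in the job — including third-party actions referenced at mutable refs and the checkout that uses `secrets.PAT_TOKEN` — the ability to push to the repository, when only the dependency-graph submission needs that scope; prefer a separate job holding `contents: write` for submission and keep the build/scan job read-only. The trailing comment on `actions: read` pushes the line well past 120 columns; put it on its own line above the key. The job header and its steps are outside the hunk.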
@@ -43,19 +46,22 @@ jobs: submodules: 'true' token: ${{ secrets.PAT_TOKEN }} - - name: 'Dependency Review' - uses: actions/dependency-review-action@v4 - # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. - with: - comment-summary-in-pr: always - # fail-on-severity: moderate - # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later - # retry-on-snapshot-warnings: true + - name: validating gradlle + uses: gradle/actions/wrapper-validation@v3 + # - name: 'Dependency Review' - # if: github.event_name == 'workflow_dispatch' # uses: actions/dependency-review-action@v4 + # # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. # with: - # base-ref: 'docker-pipeline' + # comment-summary-in-pr: always + # fail-on-severity: moderate + # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later + # retry-on-snapshot-warnings: true + - name: 'Dependency Review' + if: github.event_name == 'workflow_dispatch' + uses: actions/dependency-review-action@v4 + with: + base-ref: 'docker-pipeline' # - uses: github/codeql-action/init@v3 # with: @@ -67,6 +73,51 @@ jobs: # - name: Perform CodeQL Analysis # uses: github/codeql-action/analyze@v3 + # - name: Run Trivy scanner + # uses: aquasecurity/trivy-action@master + # with: + # scan-type: 'fs' + # github-pat: ${{ secrets.GITHUB_TOKEN }} + # ignore-unfixed: true + # format: 'sarif' + # output: 'trivy-results.sarif' + # severity: 'CRITICAL' + # # hide-progress: true + # # output: trivy.txt + + # - name: Publish Trivy Output to Summary + # run: | + # if [[ -s trivy.txt ]]; then + # { + # echo "### Security Output" + # echo "
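Review bot: The re-added 'Dependency Review' step passes `base-ref: 'docker-pipeline'` but no `head-ref`; outside `pull_request` events the action has no PR context and, as far as I recall, requires both refs, so on `workflow_dispatch` it will fail before comparing anything — add `head-ref: ${{ github.ref }}` (or the branch under review) next to `base-ref`. The new step name `validating gradlle` has a typo and does not match the capitalised style of the other steps; `Validate Gradle wrapper` would. `gradle/actions/wrapper-validation@v3` itself is a welcome addition, because it is the check that catches a tampered `gradle-wrapper.jar` before the build executes it. The job's remaining steps are outside the hunk.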
Click to expand" + # echo "" + # echo '```terraform' + # cat trivy.txt + # echo '```' + # echo "
" + # } >> $GITHUB_STEP_SUMMARY + # fi + +########################################################################## + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,LOW,MEDIUM,HIGH' + vuln-type: 'os,library' + scanners: 'vuln,secret' + + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + ############################################## + - name: Run Codacy Analysis CLI uses: codacy/codacy-analysis-cli-action@master @@ -80,6 +131,9 @@ jobs: # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + with: + gradle-version: '8.5' + dependency-graph: generate-and-submit - name: Build with Gradle Wrapper run: | 
@@ -107,6 +161,51 @@ jobs: with: name: jar-file + + # dependency-submission: + + # runs-on: ubuntu-latest + # permissions: + # contents: write + + # steps: + # - uses: actions/checkout@v4 + # - name: Set up JDK 17 + # uses: actions/setup-java@v4 + # with: + # java-version: '17' + # distribution: 'temurin' + + # # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. + # # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md + # - name: Generate and submit dependency graph + # uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 + # with: + # # Use a particular Gradle version instead of the configured wrapper. + # gradle-version: 8.5 + + docker-build: + needs: build + runs-on: ubuntu-latest + permissions: + contents: write + packages: write + security-events: write + actions: read + steps: + + - uses: actions/checkout@v4 + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + + - uses: actions/download-artifact@master + with: + name: jar-file + path: build/libs + # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - name: Install cosign 
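Review bot: The new docker-build job requests `contents: write`, but none of its steps writes to the repository: pushing the image needs `packages: write`, the SARIF upload needs `security-events: write`, and `actions: read` is only for private repositories; drop `contents: write` so a compromised step or action cannot push commits or tags. `actions/download-artifact@master` should be pinned like the other actions in the job, for instance `- uses: actions/download-artifact@v4`. The commented-out dependency-submission job added at the top of the hunk is dead text that git history already keeps; delete it. The job's later steps (cosign, buildx, login, build-push) are outside the hunk.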
@@ -152,6 +251,38 @@ jobs: cache-from: type=gha cache-to: type=gha,mode=max + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + with: + image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH,MEDIUM,LOW' + github-pat: ${{ secrets.PAT_TOKEN }} + docker-host: //var/run/docker.sock + vuln-type: 'os,library' + scanners: 'vuln,secret' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + # - name: Scan image in a private registry + # uses: aquasecurity/trivy-action@master + # with: + # image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}" + # scan-type: 'image' + # format: 'sarif' + # output: 'trivy-results-image.sarif' + # github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT + # severity: "MEDIUM,HIGH,CRITICAL" + # scanners: "vuln" + + + # # Sign the resulting Docker image digest except on PRs. # # This will only write to the public Rekor transparency log when the Docker # # repository is public to avoid leaking data. If you would like to publish From 253adbae4b9cc1ee6031b739c48645c4debac086 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Tue, 21 May 2024 14:39:14 +0530 Subject: [PATCH 55/86] Update main.yml --- .github/workflows/main.yml | 52 +++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1973821..d115122 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
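Review bot: `image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}'` scans a fixed tag (`docker-pipeline`) rather than the image this run just built; the build step has `id: build-and-push` and its digest is already referenced by the commented cosign step, so scan `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}` to guarantee the scanned artifact is the one being published. On `pull_request` runs `push` is false, so the tag is never in the registry and Buildx does not load the image into the local daemon by default; either add `load: true` for PR builds or guard the scan with `if: github.event_name != 'pull_request'`. `github-pat: ${{ secrets.PAT_TOKEN }}` and `docker-host: //var/run/docker.sock` carry the same concerns as the repo-mode scan (run-scoped `GITHUB_TOKEN` suffices; the host value needs a `unix://` scheme). The preceding build-and-push step's `with:` block starts outside the hunk.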
@@ -58,10 +58,10 @@ jobs: # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later # retry-on-snapshot-warnings: true - name: 'Dependency Review' - if: github.event_name == 'workflow_dispatch' + # if: github.event_name == 'workflow_dispatch' uses: actions/dependency-review-action@v4 - with: - base-ref: 'docker-pipeline' + # with: + # base-ref: 'docker-pipeline' # - uses: github/codeql-action/init@v3 # with: @@ -118,8 +118,8 @@ jobs: ############################################## - - name: Run Codacy Analysis CLI - uses: codacy/codacy-analysis-cli-action@master + # - name: Run Codacy Analysis CLI + # uses: codacy/codacy-analysis-cli-action@master - name: Set up JDK 17 uses: actions/setup-java@v4 
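Review bot: Commenting out the `if: github.event_name == 'workflow_dispatch'` guard and the `with:` block leaves `actions/dependency-review-action@v4` running unconditionally, including on `push` to `docker-pipeline`, where it has no pull-request base and head to diff and will fail the build job; if the step must stay, gate it with `if: github.event_name == 'pull_request'` or pass `base-ref`/`head-ref`. The hunk also leaves two commented-out copies of the same step directly above the live one; keep a single configuration and delete the rest. The enclosing job continues outside the hunk.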
@@ -162,27 +162,27 @@ jobs: name: jar-file - # dependency-submission: - - # runs-on: ubuntu-latest - # permissions: - # contents: write - - # steps: - # - uses: actions/checkout@v4 - # - name: Set up JDK 17 - # uses: actions/setup-java@v4 - # with: - # java-version: '17' - # distribution: 'temurin' - - # # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. - # # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - # - name: Generate and submit dependency graph - # uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 - # with: - # # Use a particular Gradle version instead of the configured wrapper. - # gradle-version: 8.5 + dependency-submission: + + runs-on: ubuntu-latest + permissions: + contents: write + + steps: + - uses: actions/checkout@v4 + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + + # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. + # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md + - name: Generate and submit dependency graph + uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 + with: + # Use a particular Gradle version instead of the configured wrapper. + gradle-version: 8.5 docker-build: needs: build From 8ff86bc1033f7d049c8c4c3c43cfd3b36a437608 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Tue, 21 May 2024 14:50:46 +0530 Subject: [PATCH 56/86] Update main.yml --- .github/workflows/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d115122..d9e0af2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
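Review bot: The restored dependency-submission job submits the same dependency graph that the build job already submits through `dependency-graph: generate-and-submit` (added in patch 51), so each run now resolves and submits the graph twice; keep one of the two. In the restored block `gradle-version: 8.5` is an unquoted float — harmless for 8.5, but `8.10` would parse as 8.1; write `gradle-version: '8.5'` as the setup-gradle step does. The `docker-build` job that follows is outside the hunk.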
@@ -183,6 +183,9 @@ jobs: with: # Use a particular Gradle version instead of the configured wrapper. gradle-version: 8.5 + + - name: Perform dependency review + uses: actions/dependency-review-action@v3 docker-build: needs: build From d8d444d72c9b30ccb276dbd171ce013993734518 Mon Sep 17 00:00:00 2001 From: RJAC5D Date: Tue, 21 May 2024 16:19:02 +0200 Subject: [PATCH 57/86] pushing changes for dependency vulnerability and secret scanning --- build.gradle | 10 ++++------ .../com/scania/sdos/orchestration/Rdf4jClient.java | 12 ++++++++++++ 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/build.gradle b/build.gradle index fb41f13..c9fe601 100644 --- a/build.gradle +++ b/build.gradle @@ -40,13 +40,11 @@ ext['log4j2.version'] = '2.22.1' dependencies { implementation 'org.springframework.boot:spring-boot-starter-actuator' - implementation("org.springframework.boot:spring-boot-starter-web") { - exclude group: 'org.springframework', module: 'spring-web' - } + implementation 'org.springframework.boot:spring-boot-starter-web' implementation 'org.springframework.boot:spring-boot-starter-web-services' implementation 'org.springframework.boot:spring-boot-starter-log4j2' runtimeOnly group: 'org.apache.logging.log4j', name: 'log4j-layout-template-json', version: '2.22.1' - implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.4.0' + implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.4.0' implementation 'io.swagger.core.v3:swagger-annotations-jakarta:2.2.20' implementation 'org.springframework:spring-web:6.1.5' 
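Review bot: The new 'Perform dependency review' step uses `actions/dependency-review-action@v3` while the build job's copy uses `@v4`; use one major version across the file, and the current one. Without an event guard the step also runs on `push` and `workflow_dispatch`, where the action has no pull request to compare and fails; add `if: github.event_name == 'pull_request'` (patch 58 does this later) or pass `base-ref`/`head-ref`. The job this step belongs to starts outside the hunk.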
@@ -55,7 +53,7 @@ dependencies { implementation 'com.lmax:disruptor:3.4.1' implementation 'org.apache.httpcomponents:httpclient:4.5.13' implementation group: 'com.predic8', name: 'soa-model-core', version: '2.0.1' - implementation 'org.restlet.jee:org.restlet.ext.json:2.4-M1' + implementation 'org.restlet.jee:org.restlet.ext.json:2.3.12' implementation group: 'com.google.code.gson', name: 'gson', version: '2.8.9' implementation 'org.apache.groovy:groovy-xml:4.0.5' implementation 'org.apache.groovy:groovy-json:4.0.5' @@ -70,7 +68,7 @@ dependencies { implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.14.0' implementation group: 'org.apache.shiro', name: 'shiro-core', version: '2.0.0' implementation group: 'org.json', name: 'json', version: '20240303' - implementation group: 'com.google.guava', name: 'guava', version: '33.0.0-jre' + implementation group: 'com.google.guava', name: 'guava', version: '32.0.0-jre' testImplementation 'org.junit.jupiter:junit-jupiter:5.6.0' testImplementation 'org.junit.jupiter:junit-jupiter-params:5.6.0' diff --git a/src/main/java/com/scania/sdos/orchestration/Rdf4jClient.java b/src/main/java/com/scania/sdos/orchestration/Rdf4jClient.java index c0dd476..2ad38c1 100644 --- a/src/main/java/com/scania/sdos/orchestration/Rdf4jClient.java +++ b/src/main/java/com/scania/sdos/orchestration/Rdf4jClient.java @@ -67,6 +67,18 @@ public class Rdf4jClient { private static String STARDOG_PASS = "password"; + private static String aws_session_token = "gfhvbdfdter547uthgy"; + + private static String aws_temporary_access_key_id = "12345"; + + private static String azure_function_key = "azure_function_key"; + + private static String baiducloud_api_accesskey = "baiducloud_api_accesskey"; + + private static String cratesio_api_token = "cratesio_api_token"; + + + public Rdf4jClient() { //default constructor } From 8df2a4ef402aea012a22430aaac1d0aac41c79ae Mon Sep 17 00:00:00 2001 
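Review bot: Both version changes in build.gradle move backwards — `org.restlet.ext.json` from `2.4-M1` to `2.3.12` here and `guava` from `33.0.0-jre` to `32.0.0-jre` in the next hunk — and the commit message says the purpose is to exercise dependency vulnerability scanning. If these are canaries for the scanner they belong on a throwaway branch and must not be merged, because the downgrades ship older code, and the first hunk additionally removes the `spring-web` exclusion on `spring-boot-starter-web`, letting the starter's own spring-web compete with the explicit `spring-web:6.1.5` pin. If a downgrade is genuinely intended, add a comment on the line stating the reason (`// pinned to 2.3.12: <reason>`) so the next reader does not bump it back. The `dependencies` block continues outside the hunks.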
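Review bot: The five new `private static String` fields (`aws_session_token`, `aws_temporary_access_key_id`, `azure_function_key`, `baiducloud_api_accesskey`, `cratesio_api_token`) are credential-shaped constants in production source, placed right after the existing `STARDOG_PASS = "password"`; even if the values are synthetic, neither a reader nor a scanner can tell, and the Trivy secret scan enabled in the workflow will flag this file in the Security tab on every run. If they exist only to verify the secret scanner, put the sample in a test fixture clearly commented as fake and remove it once the check passes; real credentials belong in runtime-injected configuration, not in the class. The fields are also never read in the visible hunk and use lowercase names unlike the surrounding constants. The enclosing class continues outside the hunk.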
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Tue, 21 May 2024 20:41:51 +0530 Subject: [PATCH 58/86] Update main.yml --- .github/workflows/main.yml | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d9e0af2..a399990 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -57,9 +57,9 @@ jobs: # fail-on-severity: moderate # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later # retry-on-snapshot-warnings: true - - name: 'Dependency Review' - # if: github.event_name == 'workflow_dispatch' - uses: actions/dependency-review-action@v4 + # - name: 'Dependency Review' + # # if: github.event_name == 'workflow_dispatch' + # uses: actions/dependency-review-action@v4 # with: # base-ref: 'docker-pipeline' @@ -134,6 +134,7 @@ jobs: with: gradle-version: '8.5' dependency-graph: generate-and-submit + cache-disabled: true - name: Build with Gradle Wrapper run: | 
@@ -163,28 +164,29 @@ jobs: dependency-submission: - + needs: build runs-on: ubuntu-latest permissions: contents: write steps: - - uses: actions/checkout@v4 - - name: Set up JDK 17 - uses: actions/setup-java@v4 - with: - java-version: '17' - distribution: 'temurin' + # - uses: actions/checkout@v4 + # - name: Set up JDK 17 + # uses: actions/setup-java@v4 + # with: + # java-version: '17' + # distribution: 'temurin' # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 - with: - # Use a particular Gradle version instead of the configured wrapper. - gradle-version: 8.5 + # - name: Generate and submit dependency graph + # uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 + # with: + # # Use a particular Gradle version instead of the configured wrapper. + # gradle-version: 8.5 - name: Perform dependency review + if: github.event_name == 'pull_request' uses: actions/dependency-review-action@v3 docker-build: From 16e9220a3515f878897dd771b46726604a635214 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Tue, 21 May 2024 21:07:28 +0530 Subject: [PATCH 59/86] Update main.yml --- .github/workflows/main.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a399990..c505e1c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
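Review bot: After this hunk the dependency-submission job no longer checks out or submits anything — every step except the dependency review is commented out — yet it keeps `permissions: contents: write` and now `needs: build`; `actions/dependency-review-action` needs only `contents: read`, so lower the permission or remove the job altogether, since the build job already submits the graph. A job named dependency-submission whose only live step is a review is also misleading; rename it or restore its purpose. The job header and the `docker-build` job are outside the hunk.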
@@ -127,14 +127,20 @@ jobs: java-version: '17' distribution: 'temurin' + - name: Set up Gradle Build Action + uses: gradle/gradle-build-action@v3 + with: + dependency-graph: generate-and-submit + cache-disabled: true + # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 with: gradle-version: '8.5' - dependency-graph: generate-and-submit - cache-disabled: true + # dependency-graph: generate-and-submit + # cache-disabled: true - name: Build with Gradle Wrapper run: | From 9e111d2cef2dc4e64288863debc087a41e29f9e9 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 11:42:47 +0530 Subject: [PATCH 60/86] Update main.yml --- .github/workflows/main.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c505e1c..6b1bc4f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
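Review bot: Adding `gradle/gradle-build-action@v3` while the pinned `gradle/actions/setup-gradle` step stays in place sets up Gradle twice in the same job; as far as I know gradle-build-action v3 is the deprecated compatibility wrapper around setup-gradle, so the switch gains nothing and trades the SHA pin with its `# v3.1.0` comment for a mutable `@v3` tag. Keep one setup step — preferably the pinned setup-gradle with `dependency-graph: generate-and-submit` restored — and delete the commented-out inputs instead of leaving both variants. The `Build with Gradle Wrapper` step's `run:` body continues outside the hunk.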
@@ -133,14 +133,14 @@ jobs: dependency-graph: generate-and-submit cache-disabled: true - # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. - # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - - name: Setup Gradle - uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - with: - gradle-version: '8.5' - # dependency-graph: generate-and-submit - # cache-disabled: true + # # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. + # # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md + # - name: Setup Gradle + # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + # with: + # gradle-version: '8.5' + # # dependency-graph: generate-and-submit + # # cache-disabled: true - name: Build with Gradle Wrapper run: | From 8fd7ce0cfac81e750d94b37b2f408b551a2b57b3 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 14:05:49 +0530 Subject: [PATCH 61/86] Update main.yml --- .github/workflows/main.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6b1bc4f..94d3fa7 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -127,11 +127,15 @@ jobs: java-version: '17' distribution: 'temurin' + - name: Run chmod to make gradlew executable + run: chmod +x ./gradlew + - name: Set up Gradle Build Action uses: gradle/gradle-build-action@v3 with: dependency-graph: generate-and-submit cache-disabled: true + - run: ./gradlew build # # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. # # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md 
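Review bot: `run: chmod +x ./gradlew` as a workflow step (first hunk of patch 61) works around a missing executable bit in the repository; set the bit once in git (`git update-index --chmod=+x gradlew`) so local and CI invocations agree and the step can be dropped. The bare `- run: ./gradlew build` step has no `name:`, unlike every other step in the job; give it one, e.g. `- name: Build with Gradle Wrapper`, so the run log and required-checks list stay readable. The commented-out setup-gradle block that follows continues outside the hunk.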
@@ -142,10 +146,8 @@ jobs: # # dependency-graph: generate-and-submit # # cache-disabled: true - - name: Build with Gradle Wrapper - run: | - chmod +x ./gradlew - ./gradlew build + # - name: Build with Gradle Wrapper + # run: ./gradlew build # NOTE: The Gradle Wrapper is the default and recommended way to run Gradle (https://docs.gradle.org/current/userguide/gradle_wrapper.html). # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. From f10040e420dd6359a53ced34d42c48f2c8cd1e2a Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 15:12:31 +0530 Subject: [PATCH 62/86] Update main.yml --- .github/workflows/main.yml | 313 ++----------------------------------- 1 file changed, 13 insertions(+), 300 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 94d3fa7..2396744 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,312 +1,25 @@ -name: Docker - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. +name: Generate and save dependency graph on: - # schedule: - # - cron: '27 0 * * *' - push: - branches: [ "docker-pipeline" ] - # # Publish semver tags as releases. - # tags: [ 'v*.*.*' ] pull_request: branches: [ "docker-pipeline" ] # Allows you to run this workflow manually from the Actions tab workflow_dispatch: -env: - # Use docker.io for Docker Hub if empty - REGISTRY: ghcr.io - # github.repository as / - IMAGE_NAME: ${{ github.repository }} - TG: docker-pipeline - +permissions: + contents: read # 'write' permission is not available jobs: - build: - - runs-on: ubuntu-latest - permissions: - contents: write - packages: write - security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - submodules: 'true' - token: ${{ secrets.PAT_TOKEN }} - - - name: validating gradlle - uses: gradle/actions/wrapper-validation@v3 - - # - name: 'Dependency Review' - # uses: actions/dependency-review-action@v4 - # # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. 
- # with: - # comment-summary-in-pr: always - # fail-on-severity: moderate - # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later - # retry-on-snapshot-warnings: true - # - name: 'Dependency Review' - # # if: github.event_name == 'workflow_dispatch' - # uses: actions/dependency-review-action@v4 - # with: - # base-ref: 'docker-pipeline' - - # - uses: github/codeql-action/init@v3 - # with: - # languages: java - - # - name: Autobuild - # uses: github/codeql-action/autobuild@v3 - - # - name: Perform CodeQL Analysis - # uses: github/codeql-action/analyze@v3 - - # - name: Run Trivy scanner - # uses: aquasecurity/trivy-action@master - # with: - # scan-type: 'fs' - # github-pat: ${{ secrets.GITHUB_TOKEN }} - # ignore-unfixed: true - # format: 'sarif' - # output: 'trivy-results.sarif' - # severity: 'CRITICAL' - # # hide-progress: true - # # output: trivy.txt - - # - name: Publish Trivy Output to Summary - # run: | - # if [[ -s trivy.txt ]]; then - # { - # echo "### Security Output" - # echo "
Click to expand" - # echo "" - # echo '```terraform' - # cat trivy.txt - # echo '```' - # echo "
" - # } >> $GITHUB_STEP_SUMMARY - # fi - -########################################################################## - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,LOW,MEDIUM,HIGH' - vuln-type: 'os,library' - scanners: 'vuln,secret' - - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results.sarif' - - ############################################## - - # - name: Run Codacy Analysis CLI - # uses: codacy/codacy-analysis-cli-action@master - - - name: Set up JDK 17 - uses: actions/setup-java@v4 - with: - java-version: '17' - distribution: 'temurin' - - - name: Run chmod to make gradlew executable - run: chmod +x ./gradlew - - - name: Set up Gradle Build Action - uses: gradle/gradle-build-action@v3 - with: - dependency-graph: generate-and-submit - cache-disabled: true - - run: ./gradlew build - - # # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. - # # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - # - name: Setup Gradle - # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - # with: - # gradle-version: '8.5' - # # dependency-graph: generate-and-submit - # # cache-disabled: true - - # - name: Build with Gradle Wrapper - # run: ./gradlew build - - # NOTE: The Gradle Wrapper is the default and recommended way to run Gradle (https://docs.gradle.org/current/userguide/gradle_wrapper.html). - # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. 
- # - # - name: Setup Gradle - # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - # with: - # gradle-version: '8.5' - # - # - name: Build with Gradle 8.5 - # run: gradle build - - - - uses: actions/upload-artifact@master - with: - name: jar-file - path: build/libs - - - uses: actions/download-artifact@master - with: - name: jar-file - - dependency-submission: - needs: build - runs-on: ubuntu-latest - permissions: - contents: write - - steps: - # - uses: actions/checkout@v4 - # - name: Set up JDK 17 - # uses: actions/setup-java@v4 - # with: - # java-version: '17' - # distribution: 'temurin' - - # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. - # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - # - name: Generate and submit dependency graph - # uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 - # with: - # # Use a particular Gradle version instead of the configured wrapper. 
- # gradle-version: 8.5 - - - name: Perform dependency review - if: github.event_name == 'pull_request' - uses: actions/dependency-review-action@v3 - - docker-build: - needs: build runs-on: ubuntu-latest - permissions: - contents: write - packages: write - security-events: write - actions: read steps: - - - uses: actions/checkout@v4 - - name: Set up JDK 17 - uses: actions/setup-java@v4 - with: - java-version: '17' - distribution: 'temurin' - - - uses: actions/download-artifact@master - with: - name: jar-file - path: build/libs - - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 - with: - cosign-release: 'v2.1.1' - - # Set up BuildKit Docker container builder to be able to build - # multi-platform images and export cache - # https://github.com/docker/setup-buildx-action - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 - 
with: - context: . - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - with: - image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH,MEDIUM,LOW' - github-pat: ${{ secrets.PAT_TOKEN }} - docker-host: //var/run/docker.sock - vuln-type: 'os,library' - scanners: 'vuln,secret' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results.sarif' - - # - name: Scan image in a private registry - # uses: aquasecurity/trivy-action@master - # with: - # image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}" - # scan-type: 'image' - # format: 'sarif' - # output: 'trivy-results-image.sarif' - # github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT - # severity: "MEDIUM,HIGH,CRITICAL" - # scanners: "vuln" - - - - # # Sign the resulting Docker image digest except on PRs. - # # This will only write to the public Rekor transparency log when the Docker - # # repository is public to avoid leaking data. If you would like to publish - # # transparency data even for private images, pass --force to cosign below. 
- # # https://github.com/sigstore/cosign - # - name: Sign the published Docker image - # if: ${{ github.event_name != 'pull_request' }} - # env: - # # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - # TAGS: ${{ steps.meta.outputs.tags }} - # DIGEST: ${{ steps.build-and-push.outputs.digest }} - # # This step uses the identity token to provision an ephemeral certificate - # # against the sigstore community Fulcio instance. - # run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 17 + + - name: Generate and save dependency graph + uses: gradle/actions/dependency-submission@v3 + with: + dependency-graph: generate-and-upload From cc7795fc421833ddf68d91e57a63f8aefbd285a0 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 15:21:30 +0530 Subject: [PATCH 63/86] Create dependent-workflow.yml --- .github/workflows/dependent-workflow.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .github/workflows/dependent-workflow.yml diff --git a/.github/workflows/dependent-workflow.yml b/.github/workflows/dependent-workflow.yml new file mode 100644 index 0000000..a2d3fdd --- /dev/null +++ b/.github/workflows/dependent-workflow.yml @@ -0,0 +1,18 @@ +name: Download and submit dependency graph + +on: + workflow_run: + workflows: ['Generate and save dependency graph'] + types: [completed] + +permissions: + contents: write + +jobs: + submit-dependency-graph: + runs-on: ubuntu-latest + steps: + - name: Download and submit dependency graph + uses: gradle/actions/dependency-submission@v3 + with: + dependency-graph: download-and-submit # Download saved dependency-graph and submit From 0a4ed53b14ad3e97fa8e5cb049d973ab199627fa Mon Sep 17 00:00:00 2001 
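Review bot: The `workflow_run` trigger has no guard on the triggering run's outcome, so `submit-dependency-graph` also runs, with `contents: write`, when the upstream 'Generate and save dependency graph' run failed or was cancelled, and then tries to submit a stale or missing artifact; add `if: ${{ github.event.workflow_run.conclusion == 'success' }}` on the job. `gradle/actions/dependency-submission@v3` is a mutable tag while the Docker workflow in this series pins third-party actions by commit SHA; pinning here keeps the supply-chain posture consistent. Note also that `workflows:` matches on the producing workflow's display name, so renaming that workflow silently disables this one.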
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 15:22:34 +0530 Subject: [PATCH 64/86] Create review.yml --- .github/workflows/review.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/review.yml diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml new file mode 100644 index 0000000..3c215da --- /dev/null +++ b/.github/workflows/review.yml @@ -0,0 +1,20 @@ +name: dependency-review + +on: + pull_request: + branches: [ "docker-pipeline" ] + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Dependency Review' + uses: actions/dependency-review-action@v3 + with: + retry-on-snapshot-warnings: true + retry-on-snapshot-warnings-timeout: 600 From 71d6c394019e5e0731cb8ba86b22fb45ec0835b1 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 15:30:02 +0530 Subject: [PATCH 65/86] Update review.yml --- .github/workflows/review.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml index 3c215da..222be16 100644 --- a/.github/workflows/review.yml +++ b/.github/workflows/review.yml @@ -1,11 +1,12 @@ name: dependency-review on: - pull_request: - branches: [ "docker-pipeline" ] + # pull_request: + # branches: [ "docker-pipeline" ] # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - + workflow_run: + workflows: ['name: Download and submit dependency graph'] + types: [completed] permissions: contents: read From e6e6b1f802a63bc50f1281cce0358580ed672e18 Mon Sep 17 00:00:00 2001 
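Review bot: `workflow_dispatch` is unlikely to work as written, because `actions/dependency-review-action` compares a base and head ref that it takes from the `pull_request` payload; on a manual run those are absent and the action fails unless `base-ref` and `head-ref` are supplied under `with:`. Either drop the manual trigger or add explicit refs, e.g. `base-ref: ${{ github.event.repository.default_branch }}` and `head-ref: ${{ github.ref }}`. The action is also referenced by the mutable `@v3` tag rather than a commit SHA, unlike the Docker workflow's pinned steps.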
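Review bot: The `workflows:` filter on the new `workflow_run` trigger carries a literal `name: ` prefix inside the string, `workflows: ['name: Download and submit dependency graph']`, so it will never match the workflow actually named `Download and submit dependency graph` and this workflow will not fire; the value should be `workflows: ['Download and submit dependency graph']`. Even once it matches, `dependency-review-action` has no pull-request context under `workflow_run` and would still need explicit `base-ref`/`head-ref` inputs to compare anything.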
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 15:40:34 +0530 Subject: [PATCH 66/86] Update review.yml --- .github/workflows/review.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml index 222be16..2ff6805 100644 --- a/.github/workflows/review.yml +++ b/.github/workflows/review.yml @@ -1,12 +1,12 @@ name: dependency-review on: - # pull_request: - # branches: [ "docker-pipeline" ] - # Allows you to run this workflow manually from the Actions tab - workflow_run: - workflows: ['name: Download and submit dependency graph'] - types: [completed] + pull_request: + branches: [ "docker-pipeline" ] + # Allows you to run this workflow manually from the Actions tab + # workflow_run: + # workflows: ['name: Download and submit dependency graph'] + # types: [completed] permissions: contents: read From 80e0a45ec0258e8177b00a01d8db5e91e382e00c Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 15:45:58 +0530 Subject: [PATCH 67/86] Create dependabot.yml --- .github/dependabot.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..3e4a382 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + +version: 2 +updates: + - package-ecosystem: "gradle" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "weekly" 
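Review bot: Only the `gradle` ecosystem is configured, while the workflows added in this series reference actions by mutable tags and branches (`@v3`, `@v2`, `@master`) that nothing will keep current; a second entry for the `github-actions` ecosystem lets Dependabot bump those and also refresh the SHA-pinned `docker/*` and `sigstore/*` steps. Without it the `@master` references float silently and the pinned SHAs go stale.
```yaml
updates:
  # … unchanged: gradle entry …
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```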
From 87199ad058bf24fafff44813d3a9127b611d6346 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 16:01:44 +0530 Subject: [PATCH 68/86] Update main.yml --- .github/workflows/main.yml | 313 +++++++++++++++++++++++++++++++++++-- 1 file changed, 300 insertions(+), 13 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 2396744..59629d5 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,25 +1,312 @@ -name: Generate and save dependency graph +name: Docker + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. on: + # schedule: + # - cron: '27 0 * * *' + push: + branches: [ "docker-pipeline" ] + # # Publish semver tags as releases. + # tags: [ 'v*.*.*' ] pull_request: branches: [ "docker-pipeline" ] # Allows you to run this workflow manually from the Actions tab workflow_dispatch: -permissions: - contents: read # 'write' permission is not available +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + TG: docker-pipeline + jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: write + packages: write + security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + submodules: 'true' + token: ${{ secrets.PAT_TOKEN }} + + - name: validating gradlle + uses: gradle/actions/wrapper-validation@v3 + + # - name: 'Dependency Review' + # uses: actions/dependency-review-action@v4 + # # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. 
+ # with: + # comment-summary-in-pr: always + # fail-on-severity: moderate + # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later + # retry-on-snapshot-warnings: true + # - name: 'Dependency Review' + # # if: github.event_name == 'workflow_dispatch' + # uses: actions/dependency-review-action@v4 + # with: + # base-ref: 'docker-pipeline' + + # - uses: github/codeql-action/init@v3 + # with: + # languages: java + + # - name: Autobuild + # uses: github/codeql-action/autobuild@v3 + + # - name: Perform CodeQL Analysis + # uses: github/codeql-action/analyze@v3 + + # - name: Run Trivy scanner + # uses: aquasecurity/trivy-action@master + # with: + # scan-type: 'fs' + # github-pat: ${{ secrets.GITHUB_TOKEN }} + # ignore-unfixed: true + # format: 'sarif' + # output: 'trivy-results.sarif' + # severity: 'CRITICAL' + # # hide-progress: true + # # output: trivy.txt + + # - name: Publish Trivy Output to Summary + # run: | + # if [[ -s trivy.txt ]]; then + # { + # echo "### Security Output" + # echo "
Click to expand" + # echo "" + # echo '```terraform' + # cat trivy.txt + # echo '```' + # echo "
" + # } >> $GITHUB_STEP_SUMMARY + # fi + +########################################################################## + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,LOW,MEDIUM,HIGH' + vuln-type: 'os,library' + scanners: 'vuln,secret' + + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + ############################################## + + # - name: Run Codacy Analysis CLI + # uses: codacy/codacy-analysis-cli-action@master + + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + + - name: Run chmod to make gradlew executable + run: chmod +x ./gradlew + + - name: Set up Gradle Build Action + uses: gradle/gradle-build-action@v3 + with: + dependency-graph: generate-and-upload + cache-disabled: true + - run: ./gradlew build + + # # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. + # # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md + # - name: Setup Gradle + # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + # with: + # gradle-version: '8.5' + # # dependency-graph: generate-and-submit + # # cache-disabled: true + + # - name: Build with Gradle Wrapper + # run: ./gradlew build + + # NOTE: The Gradle Wrapper is the default and recommended way to run Gradle (https://docs.gradle.org/current/userguide/gradle_wrapper.html). + # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. 
+ # + # - name: Setup Gradle + # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + # with: + # gradle-version: '8.5' + # + # - name: Build with Gradle 8.5 + # run: gradle build + + + - uses: actions/upload-artifact@master + with: + name: jar-file + path: build/libs + + - uses: actions/download-artifact@master + with: + name: jar-file + + dependency-submission: + needs: build + runs-on: ubuntu-latest + permissions: + contents: write + + steps: + # - uses: actions/checkout@v4 + # - name: Set up JDK 17 + # uses: actions/setup-java@v4 + # with: + # java-version: '17' + # distribution: 'temurin' + + # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. + # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md + - name: Generate and submit dependency graph + uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 + # with: + # # Use a particular Gradle version instead of the configured wrapper. 
+ # gradle-version: 8.5 + + - name: Perform dependency review + if: github.event_name == 'pull_request' + uses: actions/dependency-review-action@v3 + + docker-build: + needs: build runs-on: ubuntu-latest + permissions: + contents: write + packages: write + security-events: write + actions: read steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 - with: - distribution: temurin - java-version: 17 - - - name: Generate and save dependency graph - uses: gradle/actions/dependency-submission@v3 - with: - dependency-graph: generate-and-upload + + - uses: actions/checkout@v4 + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + + - uses: actions/download-artifact@master + with: + name: jar-file + path: build/libs + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + with: + cosign-release: 'v2.1.1' + + # Set up BuildKit Docker container builder to be able to build + # multi-platform images and export cache + # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + 
+ # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + with: + image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH,MEDIUM,LOW' + github-pat: ${{ secrets.PAT_TOKEN }} + docker-host: //var/run/docker.sock + vuln-type: 'os,library' + scanners: 'vuln,secret' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + # - name: Scan image in a private registry + # uses: aquasecurity/trivy-action@master + # with: + # image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}" + # scan-type: 'image' + # format: 'sarif' + # output: 'trivy-results-image.sarif' + # github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT + # severity: "MEDIUM,HIGH,CRITICAL" + # scanners: "vuln" + + + + # # Sign the resulting Docker image digest except on PRs. + # # This will only write to the public Rekor transparency log when the Docker + # # repository is public to avoid leaking data. If you would like to publish + # # transparency data even for private images, pass --force to cosign below. 
+ # # https://github.com/sigstore/cosign + # - name: Sign the published Docker image + # if: ${{ github.event_name != 'pull_request' }} + # env: + # # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + # TAGS: ${{ steps.meta.outputs.tags }} + # DIGEST: ${{ steps.build-and-push.outputs.digest }} + # # This step uses the identity token to provision an ephemeral certificate + # # against the sigstore community Fulcio instance. + # run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} From e9dc8fbb20f5252b89e09cdac574851adebc69b9 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 16:35:13 +0530 Subject: [PATCH 69/86] Update main.yml --- .github/workflows/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 59629d5..7492db3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -129,6 +129,16 @@ jobs: - name: Run chmod to make gradlew executable run: chmod +x ./gradlew + + - name: check + run: | + ./gradlew dependencyCheckAnalyze + + - name: upload check + uses: actions/upload-artifact@v2 + with: + name: dependency-check-report + path: ${{ gihub.workspace }}/build/reports/dependency-check-report.html - name: Set up Gradle Build Action uses: gradle/gradle-build-action@v3 From 2fe8e6be0a03ff090836320702021d767a9e6acb Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 16:39:46 +0530 Subject: [PATCH 70/86] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 7492db3..ad3c380 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
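Review bot: The `Checkout repository` step passes `token: ${{ secrets.PAT_TOKEN }}` and leaves `persist-credentials` at its default, so the PAT is written into `.git/config` for the rest of the `build` job, where it is reachable by the unpinned `aquasecurity/trivy-action@master`, `actions/upload-artifact@master` and `actions/download-artifact@master` steps; set `persist-credentials: false` if the PAT is only needed for the submodule fetch, and pin those three actions by commit SHA as the `docker/*` and `sigstore/*` steps already are. The same PAT is handed to Trivy as `github-pat` in `docker-build`, where `secrets.GITHUB_TOKEN` should suffice for advisory-database access. The `build` job also holds `contents: write`, `packages: write` and `id-token: write` although none of its steps pushes, publishes or signs; `security-events: write` for `upload-sarif` is the only write it uses. In `docker-build` the Trivy `image-ref` points at the `${{env.TG}}` (`docker-pipeline`) tag in the registry rather than the image just built, so on `pull_request` runs, where `push` is false, the scan covers a previously pushed image and not this change.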
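Review bot: The `path:` of the new `upload check` step reads `${{ gihub.workspace }}` (missing `t`), which the expression parser rejects as an unrecognized named-value, so the workflow file fails validation before any job runs; it should be `${{ github.workspace }}`. The step uses `actions/upload-artifact@v2`, a Node 12 release that GitHub has deprecated, while the same file already references that action at `@master`; pick one pinned version for both. Since the report matters most when `dependencyCheckAnalyze` finds something, consider `if: always()` on the upload step so a failing analysis still publishes it.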
@@ -138,7 +138,7 @@ jobs: uses: actions/upload-artifact@v2 with: name: dependency-check-report - path: ${{ gihub.workspace }}/build/reports/dependency-check-report.html + path: ${{ github.workspace }}/build/reports/dependency-check-report.html - name: Set up Gradle Build Action uses: gradle/gradle-build-action@v3 From 4360b291bc547bd6dd2fcdc99272a735344c3dac Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 16:50:57 +0530 Subject: [PATCH 71/86] Update build.gradle --- build.gradle | 1 + 1 file changed, 1 insertion(+) diff --git a/build.gradle b/build.gradle index c9fe601..6eb1555 100644 --- a/build.gradle +++ b/build.gradle @@ -3,6 +3,7 @@ plugins { id 'io.spring.dependency-management' version '1.0.11.RELEASE' id 'java' id 'org.barfuin.gradle.jacocolog' version '3.1.0' + id 'org.owasp.dependencycheck' version '6.0.2' } group = 'com.scania.sdos' From 6e7613cdcc4e5afaefa8751366d9f1424b592b7d Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 18:43:17 +0530 Subject: [PATCH 72/86] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ad3c380..33d994c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -132,7 +132,7 @@ jobs: - name: check run: | - ./gradlew dependencyCheckAnalyze + ./gradlew dependencyCheckAnalyze --debug - name: upload check uses: actions/upload-artifact@v2 From 952f45a5b1fa35f967b4b5323b2e43346dd0abd1 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 19:41:38 +0530 Subject: [PATCH 73/86] Update main.yml --- .github/workflows/main.yml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) 
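Review bot: `org.owasp.dependencycheck` is pinned to `6.0.2`, a 2020 release; OWASP has since retired the NVD JSON data feeds that pre-9.x versions download in favour of the NVD API, so this version will most likely be unable to refresh its vulnerability database in CI and will report against stale or empty data. Move to a current plugin release and supply an NVD API key from a secret to avoid rate limiting. The plugin is added without a `dependencyCheck {}` block, so `failBuildOnCVSS` stays at its default and findings will not fail the build; set a threshold if the task is meant to gate merges.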
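Review bot: `--debug` on `./gradlew dependencyCheckAnalyze` switches Gradle to debug log level, which Gradle's own documentation warns may expose sensitive information (credentials, environment values) in the build output, and here that output lands in the Actions log. Prefer `--info` or `--stacktrace` for diagnosing the task, and remove the flag once the investigation is done.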
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 33d994c..a0656aa 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -8,12 +8,12 @@ name: Docker on: # schedule: # - cron: '27 0 * * *' - push: - branches: [ "docker-pipeline" ] + # push: + # branches: [ "check" ] # # Publish semver tags as releases. # tags: [ 'v*.*.*' ] pull_request: - branches: [ "docker-pipeline" ] + branches: [ "main" ] # Allows you to run this workflow manually from the Actions tab workflow_dispatch: @@ -130,15 +130,15 @@ jobs: - name: Run chmod to make gradlew executable run: chmod +x ./gradlew - - name: check - run: | - ./gradlew dependencyCheckAnalyze --debug + # - name: check + # run: | + # ./gradlew dependencyCheckAnalyze --debug - - name: upload check - uses: actions/upload-artifact@v2 - with: - name: dependency-check-report - path: ${{ github.workspace }}/build/reports/dependency-check-report.html + # - name: upload check + # uses: actions/upload-artifact@v2 + # with: + # name: dependency-check-report + # path: ${{ github.workspace }}/build/reports/dependency-check-report.html - name: Set up Gradle Build Action uses: gradle/gradle-build-action@v3 @@ -199,9 +199,9 @@ jobs: # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - name: Generate and submit dependency graph uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 - # with: - # # Use a particular Gradle version instead of the configured wrapper. - # gradle-version: 8.5 + with: + # Use a particular Gradle version instead of the configured wrapper. + gradle-version: 8.5 - name: Perform dependency review if: github.event_name == 'pull_request' From dfad827ee56a33f9ba4f3a9400d6de50ce4df0b1 Mon Sep 17 00:00:00 2001 
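Review bot: `gradle-version: 8.5` is an unquoted scalar that YAML reads as the float 8.5; it happens to stringify back unchanged, but a value such as `8.10` would become `8.1`, so quote it as `gradle-version: '8.5'` (the commented-out `Setup Gradle` block elsewhere in this file already quotes it). Overriding the wrapper here also means the dependency graph is produced with a Gradle version that is not the one the `build` job validates with `wrapper-validation` and runs via `./gradlew`; if the wrapper is fine for the build, dropping `gradle-version` keeps the two consistent.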
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 20:11:03 +0530 Subject: [PATCH 74/86] Update main.yml --- .github/workflows/main.yml | 236 ++++++++++++++++++------------------- 1 file changed, 118 insertions(+), 118 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a0656aa..f88c637 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -188,12 +188,12 @@ jobs: contents: write steps: - # - uses: actions/checkout@v4 - # - name: Set up JDK 17 - # uses: actions/setup-java@v4 - # with: - # java-version: '17' - # distribution: 'temurin' + - uses: actions/checkout@v4 + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md 
@@ -207,116 +207,116 @@ jobs: if: github.event_name == 'pull_request' uses: actions/dependency-review-action@v3 - docker-build: - needs: build - runs-on: ubuntu-latest - permissions: - contents: write - packages: write - security-events: write - actions: read - steps: - - - uses: actions/checkout@v4 - - name: Set up JDK 17 - uses: actions/setup-java@v4 - with: - java-version: '17' - distribution: 'temurin' - - - uses: actions/download-artifact@master - with: - name: jar-file - path: build/libs - - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 - with: - cosign-release: 'v2.1.1' - - # Set up BuildKit Docker container builder to be able to build - # multi-platform images and export cache - # https://github.com/docker/setup-buildx-action - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 - with: - context: . 
- push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - with: - image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH,MEDIUM,LOW' - github-pat: ${{ secrets.PAT_TOKEN }} - docker-host: //var/run/docker.sock - vuln-type: 'os,library' - scanners: 'vuln,secret' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results.sarif' + # docker-build: + # needs: build + # runs-on: ubuntu-latest + # permissions: + # contents: write + # packages: write + # security-events: write + # actions: read + # steps: + + # - uses: actions/checkout@v4 + # - name: Set up JDK 17 + # uses: actions/setup-java@v4 + # with: + # java-version: '17' + # distribution: 'temurin' + + # - uses: actions/download-artifact@master + # with: + # name: jar-file + # path: build/libs + + # # Install the cosign tool except on PR + # # https://github.com/sigstore/cosign-installer + # - name: Install cosign + # if: github.event_name != 'pull_request' + # uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + # with: + # cosign-release: 'v2.1.1' + + # # Set up BuildKit Docker container builder to be able to build + # # multi-platform images and export cache + # # https://github.com/docker/setup-buildx-action + # - name: Set up Docker Buildx + # uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + # # Login against a Docker registry except on PR + # # https://github.com/docker/login-action + # - name: Log into registry ${{ env.REGISTRY }} + # if: github.event_name != 'pull_request' + # uses: 
docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + # with: + # registry: ${{ env.REGISTRY }} + # username: ${{ github.actor }} + # password: ${{ secrets.GITHUB_TOKEN }} + + # # Extract metadata (tags, labels) for Docker + # # https://github.com/docker/metadata-action + # - name: Extract Docker metadata + # id: meta + # uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + # with: + # images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + # # Build and push Docker image with Buildx (don't push on PR) + # # https://github.com/docker/build-push-action + # - name: Build and push Docker image + # id: build-and-push + # uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + # with: + # context: . + # push: ${{ github.event_name != 'pull_request' }} + # tags: ${{ steps.meta.outputs.tags }} + # labels: ${{ steps.meta.outputs.labels }} + # cache-from: type=gha + # cache-to: type=gha,mode=max + + + # - name: Run Trivy vulnerability scanner + # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + # with: + # image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}' + # format: 'template' + # template: '@/contrib/sarif.tpl' + # output: 'trivy-results.sarif' + # severity: 'CRITICAL,HIGH,MEDIUM,LOW' + # github-pat: ${{ secrets.PAT_TOKEN }} + # docker-host: //var/run/docker.sock + # vuln-type: 'os,library' + # scanners: 'vuln,secret' + + # - name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: 'trivy-results.sarif' - # - name: Scan image in a private registry - # uses: aquasecurity/trivy-action@master - # with: - # image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}" - # scan-type: 'image' - # format: 'sarif' - # output: 'trivy-results-image.sarif' - # github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT - # severity: "MEDIUM,HIGH,CRITICAL" - # 
scanners: "vuln" - - - - # # Sign the resulting Docker image digest except on PRs. - # # This will only write to the public Rekor transparency log when the Docker - # # repository is public to avoid leaking data. If you would like to publish - # # transparency data even for private images, pass --force to cosign below. - # # https://github.com/sigstore/cosign - # - name: Sign the published Docker image - # if: ${{ github.event_name != 'pull_request' }} - # env: - # # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - # TAGS: ${{ steps.meta.outputs.tags }} - # DIGEST: ${{ steps.build-and-push.outputs.digest }} - # # This step uses the identity token to provision an ephemeral certificate - # # against the sigstore community Fulcio instance. - # run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + # # - name: Scan image in a private registry + # # uses: aquasecurity/trivy-action@master + # # with: + # # image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}" + # # scan-type: 'image' + # # format: 'sarif' + # # output: 'trivy-results-image.sarif' + # # github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT + # # severity: "MEDIUM,HIGH,CRITICAL" + # # scanners: "vuln" + + + + # # # Sign the resulting Docker image digest except on PRs. + # # # This will only write to the public Rekor transparency log when the Docker + # # # repository is public to avoid leaking data. If you would like to publish + # # # transparency data even for private images, pass --force to cosign below. 
+ # # # https://github.com/sigstore/cosign + # # - name: Sign the published Docker image + # # if: ${{ github.event_name != 'pull_request' }} + # # env: + # # # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + # # TAGS: ${{ steps.meta.outputs.tags }} + # # DIGEST: ${{ steps.build-and-push.outputs.digest }} + # # # This step uses the identity token to provision an ephemeral certificate + # # # against the sigstore community Fulcio instance. + # # run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} From d960e51dac5ee6739e23d282f3fd8780b47dff97 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Wed, 22 May 2024 20:18:22 +0530 Subject: [PATCH 75/86] Update main.yml --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f88c637..00ce6e7 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -202,6 +202,7 @@ jobs: with: # Use a particular Gradle version instead of the configured wrapper. gradle-version: 8.5 + dependency-graph: generate-and-upload - name: Perform dependency review if: github.event_name == 'pull_request' From f445be327da83339b93bc85d0a607a38aebe095b Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Thu, 23 May 2024 12:25:04 +0530 Subject: [PATCH 76/86] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 00ce6e7..045a0d9 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -185,7 +185,7 @@ jobs: needs: build runs-on: ubuntu-latest permissions: - contents: write + contents: read steps: - uses: actions/checkout@v4 From 9ff361776156c72fa3baf2e33d58db89efe34b46 Mon Sep 17 00:00:00 2001 
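Review bot: The entire `docker-build` job (about 116 lines) is kept in the file as commented-out YAML, including references to `secrets.PAT_TOKEN` and the `@master` Trivy reference, rather than deleted; git history preserves it, and a commented block of this size makes the live workflow hard to audit and easy to re-enable by accident. Delete the block, or if it is meant to return, leave a one-line comment pointing at the commit that removed it.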
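Review bot: With `dependency-graph: generate-and-upload` the `dependency-submission` job only stores the graph as an artifact and no longer submits it; submission then depends on `dependent-workflow.yml`, whose `workflow_run` filter names the workflow 'Generate and save dependency graph', while this file is currently named `Docker`, so as far as this series shows nothing will submit the graph. Either let this job use the action's default submit mode, or rename this workflow to match the filter. The `build` job already runs `gradle-build-action` with the same `generate-and-upload` setting, so the graph is produced twice per run.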
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Thu, 23 May 2024 13:41:39 +0530 Subject: [PATCH 77/86] Update main.yml --- .github/workflows/main.yml | 326 ++----------------------------------- 1 file changed, 13 insertions(+), 313 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 045a0d9..9c44750 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,323 +1,23 @@ -name: Docker - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. +name: Generate and save dependency graph on: - # schedule: - # - cron: '27 0 * * *' - # push: - # branches: [ "check" ] - # # Publish semver tags as releases. - # tags: [ 'v*.*.*' ] pull_request: branches: [ "main" ] - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -env: - # Use docker.io for Docker Hub if empty - REGISTRY: ghcr.io - # github.repository as / - IMAGE_NAME: ${{ github.repository }} - TG: docker-pipeline +permissions: + contents: read # 'write' permission is not available jobs: - build: - - runs-on: ubuntu-latest - permissions: - contents: write - packages: write - security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - submodules: 'true' - token: ${{ secrets.PAT_TOKEN }} - - - name: validating gradlle - uses: gradle/actions/wrapper-validation@v3 - - # - name: 'Dependency Review' - # uses: actions/dependency-review-action@v4 - # # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. 
- # with: - # comment-summary-in-pr: always - # fail-on-severity: moderate - # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later - # retry-on-snapshot-warnings: true - # - name: 'Dependency Review' - # # if: github.event_name == 'workflow_dispatch' - # uses: actions/dependency-review-action@v4 - # with: - # base-ref: 'docker-pipeline' - - # - uses: github/codeql-action/init@v3 - # with: - # languages: java - - # - name: Autobuild - # uses: github/codeql-action/autobuild@v3 - - # - name: Perform CodeQL Analysis - # uses: github/codeql-action/analyze@v3 - - # - name: Run Trivy scanner - # uses: aquasecurity/trivy-action@master - # with: - # scan-type: 'fs' - # github-pat: ${{ secrets.GITHUB_TOKEN }} - # ignore-unfixed: true - # format: 'sarif' - # output: 'trivy-results.sarif' - # severity: 'CRITICAL' - # # hide-progress: true - # # output: trivy.txt - - # - name: Publish Trivy Output to Summary - # run: | - # if [[ -s trivy.txt ]]; then - # { - # echo "### Security Output" - # echo "
Click to expand" - # echo "" - # echo '```terraform' - # cat trivy.txt - # echo '```' - # echo "
" - # } >> $GITHUB_STEP_SUMMARY - # fi - -########################################################################## - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,LOW,MEDIUM,HIGH' - vuln-type: 'os,library' - scanners: 'vuln,secret' - - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results.sarif' - - ############################################## - - # - name: Run Codacy Analysis CLI - # uses: codacy/codacy-analysis-cli-action@master - - - name: Set up JDK 17 - uses: actions/setup-java@v4 - with: - java-version: '17' - distribution: 'temurin' - - - name: Run chmod to make gradlew executable - run: chmod +x ./gradlew - - # - name: check - # run: | - # ./gradlew dependencyCheckAnalyze --debug - - # - name: upload check - # uses: actions/upload-artifact@v2 - # with: - # name: dependency-check-report - # path: ${{ github.workspace }}/build/reports/dependency-check-report.html - - - name: Set up Gradle Build Action - uses: gradle/gradle-build-action@v3 - with: - dependency-graph: generate-and-upload - cache-disabled: true - - run: ./gradlew build - - # # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. - # # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - # - name: Setup Gradle - # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - # with: - # gradle-version: '8.5' - # # dependency-graph: generate-and-submit - # # cache-disabled: true - - # - name: Build with Gradle Wrapper - # run: ./gradlew build - - # NOTE: The Gradle Wrapper is the default and recommended way to run Gradle (https://docs.gradle.org/current/userguide/gradle_wrapper.html). 
- # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. - # - # - name: Setup Gradle - # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - # with: - # gradle-version: '8.5' - # - # - name: Build with Gradle 8.5 - # run: gradle build - - - - uses: actions/upload-artifact@master - with: - name: jar-file - path: build/libs - - - uses: actions/download-artifact@master - with: - name: jar-file - - dependency-submission: - needs: build runs-on: ubuntu-latest - permissions: - contents: read - steps: - - uses: actions/checkout@v4 - - name: Set up JDK 17 - uses: actions/setup-java@v4 - with: - java-version: '17' - distribution: 'temurin' - - # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. - # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 - with: - # Use a particular Gradle version instead of the configured wrapper. 
- gradle-version: 8.5 - dependency-graph: generate-and-upload - - - name: Perform dependency review - if: github.event_name == 'pull_request' - uses: actions/dependency-review-action@v3 - - # docker-build: - # needs: build - # runs-on: ubuntu-latest - # permissions: - # contents: write - # packages: write - # security-events: write - # actions: read - # steps: - - # - uses: actions/checkout@v4 - # - name: Set up JDK 17 - # uses: actions/setup-java@v4 - # with: - # java-version: '17' - # distribution: 'temurin' - - # - uses: actions/download-artifact@master - # with: - # name: jar-file - # path: build/libs - - # # Install the cosign tool except on PR - # # https://github.com/sigstore/cosign-installer - # - name: Install cosign - # if: github.event_name != 'pull_request' - # uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 - # with: - # cosign-release: 'v2.1.1' - - # # Set up BuildKit Docker container builder to be able to build - # # multi-platform images and export cache - # # https://github.com/docker/setup-buildx-action - # - name: Set up Docker Buildx - # uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - # # Login against a Docker registry except on PR - # # https://github.com/docker/login-action - # - name: Log into registry ${{ env.REGISTRY }} - # if: github.event_name != 'pull_request' - # uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - # with: - # registry: ${{ env.REGISTRY }} - # username: ${{ github.actor }} - # password: ${{ secrets.GITHUB_TOKEN }} - - # # Extract metadata (tags, labels) for Docker - # # https://github.com/docker/metadata-action - # - name: Extract Docker metadata - # id: meta - # uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 - # with: - # images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - # # Build and push Docker image with Buildx (don't push on PR) - # # https://github.com/docker/build-push-action - # - 
name: Build and push Docker image - # id: build-and-push - # uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 - # with: - # context: . - # push: ${{ github.event_name != 'pull_request' }} - # tags: ${{ steps.meta.outputs.tags }} - # labels: ${{ steps.meta.outputs.labels }} - # cache-from: type=gha - # cache-to: type=gha,mode=max - - - # - name: Run Trivy vulnerability scanner - # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - # with: - # image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}' - # format: 'template' - # template: '@/contrib/sarif.tpl' - # output: 'trivy-results.sarif' - # severity: 'CRITICAL,HIGH,MEDIUM,LOW' - # github-pat: ${{ secrets.PAT_TOKEN }} - # docker-host: //var/run/docker.sock - # vuln-type: 'os,library' - # scanners: 'vuln,secret' - - # - name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: 'trivy-results.sarif' - - # # - name: Scan image in a private registry - # # uses: aquasecurity/trivy-action@master - # # with: - # # image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}" - # # scan-type: 'image' - # # format: 'sarif' - # # output: 'trivy-results-image.sarif' - # # github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT - # # severity: "MEDIUM,HIGH,CRITICAL" - # # scanners: "vuln" - - - - # # # Sign the resulting Docker image digest except on PRs. - # # # This will only write to the public Rekor transparency log when the Docker - # # # repository is public to avoid leaking data. If you would like to publish - # # # transparency data even for private images, pass --force to cosign below. 
- # # # https://github.com/sigstore/cosign - # # - name: Sign the published Docker image - # # if: ${{ github.event_name != 'pull_request' }} - # # env: - # # # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - # # TAGS: ${{ steps.meta.outputs.tags }} - # # DIGEST: ${{ steps.build-and-push.outputs.digest }} - # # # This step uses the identity token to provision an ephemeral certificate - # # # against the sigstore community Fulcio instance. - # # run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 17 + + - name: Generate and save dependency graph + uses: gradle/actions/dependency-submission@v3 + with: + dependency-graph: generate-and-upload From d2fab06160094ae5be6614da7d74403849fb7997 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Thu, 23 May 2024 13:55:11 +0530 Subject: [PATCH 78/86] Update review.yml --- .github/workflows/review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml index 2ff6805..3ef1aef 100644 --- a/.github/workflows/review.yml +++ b/.github/workflows/review.yml @@ -2,7 +2,7 @@ name: dependency-review on: pull_request: - branches: [ "docker-pipeline" ] + branches: [ "main" ] # Allows you to run this workflow manually from the Actions tab # workflow_run: # workflows: ['name: Download and submit dependency graph'] From 32a4efba963026a78e0d7c74edd8f98ead9f2ff0 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Thu, 23 May 2024 18:16:25 +0530 Subject: [PATCH 79/86] Update main.yml From b01791ab38a21a103553615ce413bda20b0de2b0 Mon Sep 17 00:00:00 2001 
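Review bot: The rewritten workflow pins every action by a mutable major tag (`actions/checkout@v4`, `actions/setup-java@v4`, `gradle/actions/dependency-submission@v3`), whereas the docker job this hunk deletes pinned `docker/setup-buildx-action`, `docker/login-action` and the others to full commit SHAs with a version comment; a tag can be moved by the action owner, so the supply-chain guarantee regresses here. Pin the same way, e.g. `uses: gradle/actions/dependency-submission@<commit-sha> # v3.x`. Separately, the workflow now triggers only on `pull_request` and uses `generate-and-upload`, so no graph is ever generated for `main` itself on push and nothing visible submits the uploaded artifact; if the companion `workflow_run` job exists elsewhere, the `# 'write' permission is not available` comment should name it, otherwise a `push: branches: [ "main" ]` trigger with `contents: write` and the action's default submit mode is the simpler path.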
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Thu, 23 May 2024 18:16:49 +0530 Subject: [PATCH 80/86] Update dependent-workflow.yml From 47668604a2dd63c11428cada39ca7161b68ace4a Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Thu, 23 May 2024 18:17:13 +0530 Subject: [PATCH 81/86] Update review.yml --- .github/workflows/review.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml index 3ef1aef..ed2e2d1 100644 --- a/.github/workflows/review.yml +++ b/.github/workflows/review.yml @@ -2,11 +2,7 @@ name: dependency-review on: pull_request: - branches: [ "main" ] - # Allows you to run this workflow manually from the Actions tab - # workflow_run: - # workflows: ['name: Download and submit dependency graph'] - # types: [completed] + permissions: contents: read From 483f530c87f990b38ae91bc7fc75b9078b3e377a Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 24 May 2024 12:42:41 +0530 Subject: [PATCH 82/86] Update main.yml --- .github/workflows/main.yml | 50 ++++++++++++++++++++++++++------------ 1 file changed, 35 insertions(+), 15 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9c44750..f70a78c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,23 +1,43 @@ -name: Generate and save dependency graph +name: Run Gradle Build on: + push: + branches: [ "main" ] pull_request: branches: [ "main" ] -permissions: - contents: read # 'write' permission is not available - jobs: - dependency-submission: + build: + runs-on: ubuntu-latest + steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 - with: - distribution: temurin - java-version: 17 - - - name: Generate and save dependency graph - uses: gradle/actions/dependency-submission@v3 - with: - dependency-graph: generate-and-upload + - name: Checkout + uses: actions/checkout@v3 + - name: Set up JDK 11 + uses: actions/setup-java@v3 + with: + java-version: '11' + distribution: 'temurin' + + + - name: Set up Gradle Build Action + uses: gradle/gradle-build-action@v3 + with: + dependency-graph: generate-and-submit + cache-disabled: true + + - name: Build and test with Gradle + run: ./gradlew build + + + submit-and-review: + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + needs: build + + steps: + + - name: 'Dependency Review' + if: github.event_name == 'pull_request' + uses: actions/dependency-review-action@v3 From 46f9cd8501f8e8168e755f73fc25c21e728dad20 Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 24 May 2024 12:46:12 +0530 Subject: [PATCH 83/86] Update main.yml --- .github/workflows/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f70a78c..c9ee56b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -28,7 +28,9 @@ jobs: cache-disabled: true - name: Build and test with Gradle - run: ./gradlew build + run: | + chmod +x ./gradlew + ./gradlew build submit-and-review: From cce5750926f822b5784651bb66729cada0d93f2f Mon Sep 17 00:00:00 2001 
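Review bot: This revision deletes the top-level `permissions: contents: read` block without replacing it, so the `GITHUB_TOKEN` in both jobs falls back to the repository's default scope, which on many repositories is read/write on every scope; the only write the workflow needs is `contents: write` for `dependency-graph: generate-and-submit` in the `build` job. Put the block back and grant the one scope where it is used: `permissions: contents: read` at the top and `permissions: { contents: write }` on `build`. Note that on a `pull_request` from a fork the token is read-only regardless of this block, so the submit will fail there; guard it with `if: github.event_name == 'push'` or keep the upload/download pattern the previous revision used. The hunk also moves `actions/checkout` and `actions/setup-java` back from `@v4` to `@v3` and the JDK from 17 to 11, which reads like a paste of an older template rather than an intentional downgrade.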
From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 24 May 2024 12:49:32 +0530 Subject: [PATCH 84/86] Update main.yml --- .github/workflows/main.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c9ee56b..bbe8582 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -13,11 +13,15 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 - - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/checkout@v4 with: - java-version: '11' + submodules: 'true' + token: ${{ secrets.PAT_TOKEN }} + + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' distribution: 'temurin' From 0ab2650759c2a619f27f057d56d0a3f8633f880d Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 24 May 2024 13:03:47 +0530 Subject: [PATCH 85/86] Update main.yml --- .github/workflows/main.yml | 42 ++++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bbe8582..b22ebbe 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
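Review bot: `token: ${{ secrets.PAT_TOKEN }}` on the checkout step hands a long-lived personal token to the job, and because `actions/checkout` keeps `persist-credentials: true` by default the token stays in the checkout's `.git/config` for the rest of the job, where `./gradlew build` (and any buildscript or plugin in the repository or its submodules) can read it. If the PAT exists only to fetch private submodules, add `persist-credentials: false` to this step and scope the PAT (or a GitHub App installation token) to read-only contents on just those repositories; otherwise drop `token:` and let the default `GITHUB_TOKEN` be used. This workflow also runs on `pull_request`, and secrets are not passed to runs from forked repositories, so `PAT_TOKEN` will be empty there and the submodule fetch will presumably fail, which is worth a comment on the `submodules: 'true'` line.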
@@ -1,49 +1,51 @@ name: Run Gradle Build - on: push: branches: [ "main" ] pull_request: branches: [ "main" ] - jobs: build: - runs-on: ubuntu-latest - steps: - name: Checkout uses: actions/checkout@v4 with: submodules: 'true' - token: ${{ secrets.PAT_TOKEN }} - + token: ${{ secrets.PAT_TOKEN }} - name: Set up JDK 17 uses: actions/setup-java@v4 with: java-version: '17' distribution: 'temurin' + - name: Setup Gradle + uses: gradle/actions/setup-gradle@v3 + - name: Build with Gradle + run: ./gradlew build - - name: Set up Gradle Build Action - uses: gradle/gradle-build-action@v3 - with: - dependency-graph: generate-and-submit - cache-disabled: true - - - name: Build and test with Gradle - run: | - chmod +x ./gradlew - ./gradlew build - - + dependency-submission: + runs-on: ubuntu-latest + needs: build + steps: + - name: Checkout sources + uses: actions/checkout@v4 + with: + submodules: 'true' + token: ${{ secrets.PAT_TOKEN }} + - name: Setup Java + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: 17 + - name: Generate and submit dependency graph + uses: gradle/actions/dependency-submission@v3 + submit-and-review: runs-on: ubuntu-latest if: github.event_name == 'pull_request' needs: build - steps: - - name: 'Dependency Review' if: github.event_name == 'pull_request' uses: actions/dependency-review-action@v3 From 875dbaf63bcf237bd2ec22852edd5e73b5b1b49a Mon Sep 17 00:00:00 2001 From: iamSrikantheppa <169036673+iamSrikantheppa@users.noreply.github.com> Date: Fri, 24 May 2024 13:14:56 +0530 Subject: [PATCH 86/86] Update main.yml --- .github/workflows/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b22ebbe..02314ae 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
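Review bot: The new `dependency-submission` job runs `gradle/actions/dependency-submission@v3` in its default (submit) mode, yet the file now has no `permissions:` block at all, so the job depends on whatever default `GITHUB_TOKEN` scope the repository has, and on `pull_request` runs from forks it will have only read access and the submission will fail. Declare the scope explicitly and limit the job to pushes, e.g. `permissions: { contents: write }` together with `if: github.event_name == 'push'`, while `submit-and-review` keeps covering pull requests. The job also checks out with `token: ${{ secrets.PAT_TOKEN }}` a second time for a step that only resolves dependencies, duplicating the credential exposure already present in `build`; at minimum add `persist-credentials: false` to both checkout steps.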
@@ -21,8 +21,9 @@ jobs: - name: Setup Gradle uses: gradle/actions/setup-gradle@v3 - name: Build with Gradle - run: ./gradlew build - + run: | + chmod +x ./gradlew + ./gradlew build dependency-submission: runs-on: ubuntu-latest