mirror of
https://github.com/spring-projects/spring-petclinic.git
synced 2025-04-24 19:32:48 +00:00
98 lines
No EOL
2.5 KiB
YAML
98 lines
No EOL
2.5 KiB
YAML
name: Security Scanning
|
|
|
|
on:
|
|
push:
|
|
branches: [ main, dev ]
|
|
pull_request:
|
|
branches: [ main, dev]
|
|
schedule:
|
|
- cron: '0 0 * * 0' # Run weekly on Sundays
|
|
|
|
jobs:
|
|
dependency-check:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
|
|
- name: Set up JDK 17
|
|
uses: actions/setup-java@v3
|
|
with:
|
|
java-version: '17'
|
|
distribution: 'temurin'
|
|
cache: maven
|
|
|
|
- name: Cache OWASP Dependency-Check data
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: ~/.m2/repository/org/owasp/dependency-check-data
|
|
key: ${{ runner.os }}-dependency-check-${{ hashFiles('**/pom.xml') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-dependency-check-
|
|
|
|
- name: Run OWASP Dependency Check
|
|
run: ./mvnw org.owasp:dependency-check-maven:check
|
|
|
|
- name: Archive dependency check results
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: dependency-check-report
|
|
path: target/dependency-check-report.html
|
|
|
|
container-scan:
|
|
needs: dependency-check
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
|
|
- name: Build Docker image
|
|
run: docker build -t petclinic:${{ github.sha }} .
|
|
|
|
- name: Scan Docker image for vulnerabilities
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: petclinic:${{ github.sha }}
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
severity: 'CRITICAL,HIGH'
|
|
|
|
- name: Upload Trivy scan results
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|
|
|
|
zap-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
|
|
- name: Set up JDK 17
|
|
uses: actions/setup-java@v3
|
|
with:
|
|
java-version: '17'
|
|
distribution: 'temurin'
|
|
cache: maven
|
|
|
|
- name: Start application
|
|
run: |
|
|
./mvnw spring-boot:run &
|
|
echo "Waiting for application to start..."
|
|
sleep 30
|
|
|
|
- name: ZAP Scan
|
|
uses: zaproxy/action-baseline@v0.7.0
|
|
with:
|
|
target: 'http://localhost:8080'
|
|
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
|
|
rules_file_name: '.zap/rules.tsv'
|
|
cmd_options: '-a'
|
|
allow_issue_writing: false
|
|
fail_action: false
|
|
docker_options: '-u zap'
|
|
|
|
- name: Archive ZAP results
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: zap-scan-results
|
|
path: |
|
|
zap-baseline-report.html
|
|
zap-baseline-report.md |