spring-petclinic/.github/workflows/security.yml

name: Security Scanning

on:
  push:
    branches: [ main, dev ]
  pull_request:
    branches: [ main, dev]
  schedule:
    - cron: '0 0 * * 0'  # Run weekly on Sundays

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    
    - name: Set up JDK 17
      uses: actions/setup-java@v3
      with:
        java-version: '17'
        distribution: 'temurin'
        cache: maven
    
    - name: Run OWASP Dependency Check
      run: ./mvnw org.owasp:dependency-check-maven:check
    
    - name: Archive dependency check results
      uses: actions/upload-artifact@v4
      with:
        name: dependency-check-report
        path: target/dependency-check-report.html

  container-scan:
    needs: dependency-check
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    
    - name: Build Docker image
      run: docker build -t petclinic:${{ github.sha }} .
    
    - name: Scan Docker image for vulnerabilities
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: petclinic:${{ github.sha }}
        format: 'sarif'
        output: 'trivy-results.sarif'
        severity: 'CRITICAL,HIGH'
    
    - name: Upload Trivy scan results
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: 'trivy-results.sarif'

  zap-scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    
    - name: Set up JDK 17
      uses: actions/setup-java@v3
      with:
        java-version: '17'
        distribution: 'temurin'
        cache: maven
    
    - name: Start application
      run: |
        ./mvnw spring-boot:run &
        echo "Waiting for application to start..."
        sleep 30        
    
    - name: ZAP Scan
      uses: zaproxy/action-baseline@v0.7.0
      with:
        target: 'http://localhost:8080'
        rules_file_name: '.zap/rules.tsv'
        cmd_options: '-a'
    
    - name: Archive ZAP results
      uses: actions/upload-artifact@v4
      with:
        name: zap-scan-results
        path: |
          zap-baseline-report.html
          zap-baseline-report.md