centralized sec workflows (#158)

Co-authored-by: christosservosNCIN <[email protected]>
eu-digital-identity-wallet · Feb 27, 2024 · 2d38c1f · 2d38c1f
1 parent 25225b7
commit 2d38c1f
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 121 deletions.
diff --git a/.github/workflows/dependencycheck.yml b/.github/workflows/dependencycheck.yml
@@ -1,28 +1,14 @@
-name: SCA - Dependency Check
+name: SCA - Dependency Check Caller
 on:
   push:
+    branches-ignore:
+      - 'dependabot/*'
   workflow_dispatch:
 
 jobs:
- sca-dependency-check-gradle:
-    name: Build
-    runs-on:  ubuntu-latest
-    steps:
-      - name: Checkout project sources
-        uses: actions/checkout@v4
-      - uses: actions/setup-java@v4
-        with:
-          distribution: 'temurin'
-          java-version: '17'
-      - name: Validate Gradle Wrapper
-        uses: gradle/wrapper-validation-action@v2
-      - name: Build with Gradle Wrapper & Run Dependency-Check
-        uses: gradle/[email protected]
-        with:
-          gradle-version: wrapper
-          arguments: dependencyCheckAnalyze 
-      - name: Upload results - SCA
-        uses: actions/upload-artifact@master
-        with:
-           name: Dependency Check Report
-           path: ${{github.workspace}}/build/reports/dependency-check-report.html
+ SCA_caller:
+      uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/sca_bt.yml@main
+      secrets:
+       NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+       DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }}
+       DOJO_URL: ${{ secrets.DOJO_URL }}
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -1,26 +1,13 @@
-name: Secret Scanning - Gitleaks
+name: Secret Scanning - Gitleaks Caller
 on:
   push:
+    branches-ignore:
+      - 'dependabot/*'
   workflow_dispatch:
-jobs:
-  Secret_Scanning:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Run Gitleaks from container
-        run: |
-            docker create --name GL --entrypoint /bin/bash --interactive --volume ${{ github.workspace }}:/src zricethezav/gitleaks 
-            docker start GL
-            docker exec GL git config --global --add safe.directory '/src'
-            docker exec --user $(id -u):$(id -g) GL gitleaks detect --source=/src --verbose -c /src/security/gitleaks/gitleaks.toml --report-path /src/gitleaks-report.json
-        continue-on-error: true
 
-      - name: upload_artifacts   
-        uses: actions/upload-artifact@v4
-        with:
-          name: Gitleaks Artifact Upload
-          path:  ${{ github.workspace }}/gitleaks-report.json
+jobs:
+  Secret_Scanning_caller:
+      uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/secretscanning.yml@main
+      secrets:
+       DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }}
+       DOJO_URL: ${{ secrets.DOJO_URL }}
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
@@ -1,4 +1,4 @@
-name: SAST - SonarCloud
+name: SAST - SonarCloud (BT) Caller
 on:
   push:
     branches-ignore:
@@ -7,78 +7,10 @@ on:
   workflow_dispatch:
 
 jobs:
-  check_secret:
-    name: Check secret presence
-    runs-on: ubuntu-latest
-    steps:
-    - run: if [[ -z "$SONAR_TOKEN" ]]; then exit 1; else echo "Secret exists. The workflow will be continued"; fi
-    env:
+   SAST_caller:
+      uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/sast_bt.yml@main
+      secrets:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
-  P_WD_analysis:
-    name: SAST - SonarCloud - Push/WD analysis
-    needs: check_secret
-    runs-on:  ubuntu-latest
-    if: (github.event_name == 'push'|| github.event_name == 'workflow_dispatch')
-    steps:
-      - name: Checkout project sources
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 #Shallow clones should be disabled for a better relevancy of SonarCloud analysis
-      - uses: actions/setup-java@v4
-        with:
-          distribution: 'temurin'
-          java-version: '17'
-      - name: Cache SonarCloud packages
-        uses: actions/cache@v4
-        with:
-          path: ~/.sonar/cache
-          key: ${{ runner.os }}-sonar
-          restore-keys: ${{ runner.os }}-sonar
-      - name: Validate Gradle Wrapper
-        uses: gradle/wrapper-validation-action@v2
-      - name: setup projectkey
-        run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV
-      - name: Build with Gradle Wrapper & Run Sonar
-        uses: gradle/[email protected]
-        with:
-          gradle-version: wrapper
-          arguments: test jacocoTestReport sonar --info --full-stacktrace -Dsonar.organization=${{ github.repository_owner }} -Dsonar.projectKey=${{ env.PROJECTKEY }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          CI: true
-
-  PR_analysis:
-    name: SAST - SonarCloud - PR analysis
-    needs: check_secret
-    runs-on:  ubuntu-latest
-    if: (github.event_name == 'pull_request_target')
-    steps:
-      - name: Checkout project sources
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 #Shallow clones should be disabled for a better relevancy of SonarCloud analysis
-      - uses: actions/setup-java@v4
-        with:
-          distribution: 'temurin'
-          java-version: '17'
-      - name: Cache SonarCloud packages
-        uses: actions/cache@v4
-        with:
-          path: ~/.sonar/cache
-          key: ${{ runner.os }}-sonar
-          restore-keys: ${{ runner.os }}-sonar
-      - name: Validate Gradle Wrapper
-        uses: gradle/wrapper-validation-action@v2
-      - name: setup projectkey
-        run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV
-      - name: Build with Gradle Wrapper & Run Sonar
-        uses: gradle/[email protected]
-        with:
-          gradle-version: wrapper
-          arguments: sonar --info --full-stacktrace -Dsonar.organization=${{ github.repository_owner }} -Dsonar.projectKey=${{ env.PROJECTKEY }} -Dsonar.pullrequest.key=${{ github.event.pull_request.number }} -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }} -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          CI: true
+       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+       DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }}
+       DOJO_URL: ${{ secrets.DOJO_URL }}
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -1,5 +1,6 @@
 import org.jetbrains.dokka.DokkaConfiguration
 import org.jetbrains.dokka.gradle.DokkaTask
+import org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension
 import java.net.URL
 
 object Meta {
@@ -123,3 +124,10 @@ mavenPublishing {
         }
     }
 }
+
+val nvdApiKey: String? = System.getenv("NVD_API_KEY") ?: properties["nvdApiKey"]?.toString()
+val dependencyCheckExtension = extensions.findByType(DependencyCheckExtension::class.java)
+dependencyCheckExtension?.apply {
+    formats = mutableListOf("XML", "HTML")
+    nvd.apiKey = nvdApiKey ?: ""
+}
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -1,6 +1,6 @@
 [versions]
 coroutines = "1.7.3"
-dependency-check = "8.4.2"
+dependency-check = "9.0.9"
 sonarqube = "4.4.1.3373"
 kotlin = "1.9.21"
 spotless = "6.25.0"