Run security tests #1468
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Run security tests | |
| on: | |
| schedule: | |
| - cron: "0 0 * * *" | |
| workflow_dispatch: | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| jobs: | |
| run_owasp_and_snyk: | |
| name: Run owasp and snyk | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Java 11 | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: "11" | |
| architecture: "x64" | |
| distribution: "zulu" | |
| - name: Setup Node 16 | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: "20.17.0" | |
| - name: Cache Maven packages | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.m2/repository | |
| key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven- | |
| - name: Restore NVD database from cache | |
| uses: actions/cache/restore@v3 | |
| with: | |
| path: ~/.m2/repository/org/owasp/dependency-check-data | |
| key: ${{ runner.os }}-owasp-db | |
| - name: Cache Node modules | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| - name: Run owasp | |
| id: owasp | |
| uses: nick-fields/retry@v3 | |
| with: | |
| max_attempts: 5 | |
| # max_attempts: 5 | |
| timeout_minutes: 10 | |
| retry_wait_seconds: 1800 | |
| retry_on_exit_code: 99 | |
| command: | | |
| mvn dependency-check:check -P owasp --batch-mode | tee owasp-output.log | |
| STATUS="${PIPESTATUS[0]}" | |
| if [ "$STATUS" != "0" ]; then | |
| EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
| echo "errors<<$EOF" >> $GITHUB_OUTPUT | |
| grep "\[ERROR\]" owasp-output.log >> $GITHUB_OUTPUT | |
| echo "$EOF" >> $GITHUB_OUTPUT | |
| if grep -q "One or more dependencies were identified with vulnerabilities" owasp-output.log; then | |
| exit $STATUS | |
| else | |
| exit 99 | |
| fi | |
| fi | |
| - name: Archive OWASP results | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: owasp-report | |
| path: target/dependency-check-report.html | |
| - name: Save NVD database to cache | |
| uses: actions/cache/save@v3 | |
| if: always() | |
| with: | |
| path: ~/.m2/repository/org/owasp/dependency-check-data | |
| key: ${{ runner.os }}-owasp-db | |
| - name: Run snyk | |
| id: snyk | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: | | |
| make snyk | |
| - name: Report failure | |
| uses: ravsamhq/notify-slack-action@95a35215cdf7ab510d2cdd20ae94f342d212a1a1 | |
| if: ${{ failure() }} | |
| with: | |
| status: ${{ job.status }} | |
| message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}@{branch}> on <{commit_url}|{commit_sha}>\n\n${{ steps.owasp.outputs.errors }}" | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |