Run security tests #1027
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Run security tests | |
| on: | |
| schedule: | |
| - cron: "0 0 * * *" | |
| workflow_dispatch: | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| jobs: | |
| run_owasp_and_snyk: | |
| name: Run owasp and snyk | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set up Java 11 | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: "11" | |
| architecture: "x64" | |
| distribution: "zulu" | |
| - name: Setup Node 16 | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: "18.18.0" | |
| - name: Cache Maven packages | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.m2/repository | |
| key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven- | |
| - name: Restore NVD database from cache | |
| uses: actions/cache/restore@v3 | |
| with: | |
| path: ~/.m2/repository/org/owasp/dependency-check-data | |
| key: ${{ runner.os }}-owasp-db | |
| - name: Cache Node modules | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| - name: Run owasp | |
| id: owasp | |
| uses: nick-fields/retry@v2 | |
| with: | |
| max_attempts: 5 | |
| timeout_minutes: 10 | |
| retry_wait_seconds: 1800 | |
| retry_on_exit_code: 99 | |
| command: | | |
| make owasp | tee owasp-output.log | |
| STATUS="${PIPESTATUS[0]}" | |
| if [ "$STATUS" != "0" ]; then | |
| EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
| echo "errors<<$EOF" >> $GITHUB_OUTPUT | |
| grep -i error owasp-output.log >> $GITHUB_OUTPUT | |
| echo "$EOF" >> $GITHUB_OUTPUT | |
| if grep -q "One or more dependencies were identified with vulnerabilities" owasp-output.log; then | |
| exit $STATUS | |
| else | |
| exit 99 | |
| fi | |
| fi | |
| - name: Archive OWASP results | |
| if: always() | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: owasp-report | |
| path: target/dependency-check-report.html | |
| - name: Save NVD database to cache | |
| uses: actions/cache/save@v3 | |
| if: always() | |
| with: | |
| path: ~/.m2/repository/org/owasp/dependency-check-data | |
| key: ${{ runner.os }}-owasp-db | |
| - name: Run snyk | |
| id: snyk | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: | | |
| make snyk | |
| - name: Report failure | |
| uses: ravsamhq/notify-slack-action@95a35215cdf7ab510d2cdd20ae94f342d212a1a1 | |
| if: ${{ failure() }} | |
| with: | |
| status: ${{ job.status }} | |
| message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}@{branch}> on <{commit_url}|{commit_sha}>\n\n${{ steps.owasp.outputs.errors }}" | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |