Run security tests #1067
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Run security tests | |
| on: | |
| schedule: | |
| - cron: "0 0 * * *" | |
| workflow_dispatch: | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| jobs: | |
| run_owasp_and_snyk: | |
| name: Run owasp and snyk | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set up Java 11 | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: "11" | |
| architecture: "x64" | |
| distribution: "zulu" | |
| - name: Setup Node 16 | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: "18.18.0" | |
| - name: Cache Maven packages | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.m2/repository | |
| key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven- | |
| - name: Restore NVD database from cache | |
| uses: actions/cache/restore@v3 | |
| with: | |
| path: ~/.m2/repository/org/owasp/dependency-check-data | |
| key: ${{ runner.os }}-owasp-db | |
| - name: Cache Node modules | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| - name: Run owasp | |
| id: owasp | |
| uses: nick-fields/retry@v2 | |
| with: | |
| max_attempts: 2 | |
| # max_attempts: 5 | |
| timeout_minutes: 10 | |
| retry_wait_seconds: 1800 | |
| retry_on_exit_code: 99 | |
| command: | | |
| make owasp > >(tee owasp-output.log) 2> >(tee owasp-errors.log >&2) | |
| STATUS="${PIPESTATUS[0]}" | |
| if [ "$STATUS" != "0" ]; then | |
| EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
| echo "errors<<$EOF" >> $GITHUB_OUTPUT | |
| grep "Error:" owasp-output.log >> $GITHUB_OUTPUT | |
| cat owasp-errors.log >> $GITHUB_OUTPUT | |
| echo "$EOF" >> $GITHUB_OUTPUT | |
| if grep -q "One or more dependencies were identified with vulnerabilities" owasp-output.log; then | |
| exit $STATUS | |
| else | |
| exit 99 | |
| fi | |
| fi | |
| - name: Archive OWASP results | |
| if: always() | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: owasp-report | |
| path: target/dependency-check-report.html | |
| - name: Save NVD database to cache | |
| uses: actions/cache/save@v3 | |
| if: always() | |
| with: | |
| path: ~/.m2/repository/org/owasp/dependency-check-data | |
| key: ${{ runner.os }}-owasp-db | |
| - name: Run snyk | |
| id: snyk | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: | | |
| make snyk | |
| - name: Report failure | |
| uses: ravsamhq/notify-slack-action@95a35215cdf7ab510d2cdd20ae94f342d212a1a1 | |
| if: ${{ failure() }} | |
| with: | |
| status: ${{ job.status }} | |
| message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}@{branch}> on <{commit_url}|{commit_sha}>\n\n${{ steps.owasp.outputs.errors }}" | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |