feat: codeql (#1309)

bcgov · Sep 7, 2023 · 5e71287 · 5e71287
1 parent 8f37fa0
commit 5e71287
Show file tree

Hide file tree

Showing 7 changed files with 116 additions and 86 deletions.
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -0,0 +1,79 @@
+name: Analysis
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    types: ["opened", "reopened", "synchronize", "ready_for_review"]
+  schedule:
+    - cron: "0 12 * * 0" # 4 AM PST = 12 PM UDT, runs sundays
+  workflow_dispatch:
+
+jobs:
+  CodeQL:
+    name: CodeQL
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        language: ["go", "java", "javascript", "python"]
+        include:
+          - language: "go"
+            working-directory: backend-go
+            build: |
+              sed -i '/^toolchain .*$/d' go.mod
+              go install github.com/swaggo/swag/cmd/swag@latest
+              CGO_ENABLED=0 GOOS=linux go build -v
+          - language: "java"
+            working-directory: backend-java
+            build: ./mvnw package -Pnative -DskipTests
+          - language: "javascript"
+          - language: "python"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        if: ${{ ! matrix.build }}
+        uses: github/codeql-action/autobuild@v2
+
+      - uses: actions/setup-java@v3
+        if: ${{ matrix.build && matrix.language == 'java' }}
+        with:
+          distribution: "temurin"
+          java-version: "17"
+
+      - name: Build
+        if: ${{ matrix.build }}
+        run: ${{ matrix.build }}
+        working-directory: ${{ matrix.working-directory }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{matrix.language}}"
+
+  # https://github.com/marketplace/actions/aqua-security-trivy
+  trivy:
+    name: Trivy Security Scan
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/[email protected]
+        with:
+          format: "sarif"
+          output: "trivy-results.sarif"
+          ignore-unfixed: true
+          scan-type: "fs"
+          scanners: "vuln,secret,config"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"
diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge-main.yml
@@ -2,43 +2,17 @@ name: Merge to Main
 
 on:
   workflow_run:
-    workflows: ["Pull Request Closed"]
-    types:
-      - completed
+    workflows: ["PR Closed"]
+    types: ["completed"]
   workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: true
 
 jobs:
-  codeql:
-    name: Semantic Code Analysis
-    runs-on: ubuntu-22.04
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Initialize
-        uses: github/codeql-action/init@v2
-        with:
-          languages: javascript
-
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
-
   deploys-test:
     name: TEST Deployments
-    needs:
-      - codeql
     environment: test
     runs-on: ubuntu-22.04
     strategy:

diff --git a/.github/workflows/pr-close.yml b/.github/workflows/pr-close.yml
@@ -1,4 +1,4 @@
-name: Pull Request Closed
+name: PR Closed
 
 on:
   pull_request:
@@ -16,7 +16,7 @@ jobs:
   # Clean up OpenShift when PR closed, no conditions
   cleanup-openshift:
     name: Cleanup OpenShift
-    if: '!github.event.pull_request.head.repo.fork'
+    if: "!github.event.pull_request.head.repo.fork"
     runs-on: ubuntu-22.04
     steps:
       - name: Remove OpenShift artifacts
@@ -36,7 +36,18 @@ jobs:
       packages: write
     strategy:
       matrix:
-        package: [backend, database,database-migrations, frontend, database-migrations-py, backend-py, backend-java, backend-go, database-migrations-go]
+        package:
+          [
+            backend,
+            database,
+            database-migrations,
+            frontend,
+            database-migrations-py,
+            backend-py,
+            backend-java,
+            backend-go,
+            database-migrations-go,
+          ]
     steps:
       - uses: shrink/actions-docker-registry-tag@v3
         with:

diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml
@@ -1,9 +1,10 @@
-name: Pull Request
+name: PR
 
 on:
   pull_request:
-    branches:
-      - main
+    branches: ["main"]
+  workflow_dispatch:
+
 concurrency:
   # PR open and close use the same group, allowing only one at a time
   group: pr-${{ github.workflow }}-${{ github.event.number }}

diff --git a/.github/workflows/unit-tests.yml → .github/workflows/tests.yml b/.github/workflows/unit-tests.yml → .github/workflows/tests.yml
@@ -1,24 +1,21 @@
-name: Unit Tests and Analysis
+name: Tests
 
 on:
   pull_request:
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
+    types: ["opened", "reopened", "synchronize", "ready_for_review"]
   push:
-    branches:
-      - main
+    branches: ["main"]
+  schedule:
+    - cron: "0 11 * * 0" # 3 AM PST = 11 PM UDT, runs sundays
   workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
-  tests-java:
-    name: Quarkus API Unit Tests
+  java:
+    name: Java
     if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     runs-on: ubuntu-22.04
     defaults:
@@ -38,29 +35,25 @@ jobs:
           --health-retries 5
         ports:
           - 5432:5432
-    strategy:
-      matrix:
-        distribution: ["temurin"]
-        java-version: ["17"]
     steps:
       - uses: actions/checkout@v4
-
       - uses: actions/setup-java@v3
         with:
-          distribution: ${{ matrix.distribution }}
-          java-version: ${{ matrix.java-version }}
+          distribution: "temurin"
+          java-version: "17"
       - name: Cache local Maven repository
         uses: actions/cache@v3
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
             ${{ runner.os }}-maven-
+
       - name: Run unit tests
         run: mvn -f pom.xml clean package
 
-  tests-python:
-    name: Python API Unit Tests
+  python:
+    name: Python
     if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     runs-on: ubuntu-22.04
     defaults:
@@ -80,17 +73,12 @@ jobs:
           --health-retries 5
         ports:
           - 5432:5432
-    strategy:
-      matrix:
-        python-version: ["3.11"]
-
     steps:
       - uses: actions/checkout@v4
-
-      - name: Set up Python ${{ matrix.python-version }}
+      - name: Set up Python
         uses: actions/setup-python@v4
         with:
-          python-version: ${{ matrix.python-version }}
+          python-version: "3.11"
 
       - name: cache poetry install
         uses: actions/cache@v3
@@ -119,8 +107,8 @@ jobs:
         run: |
           poetry run pytest
 
-  tests:
-    name: Unit Tests
+  javascript:
+    name: JavaScript
     if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     runs-on: ubuntu-22.04
     services:
@@ -167,26 +155,3 @@ jobs:
             -Dsonar.javascript.lcov.reportPaths=./coverage/lcov.info
           sonar_token: ${{ secrets[matrix.token] }}
           triggers: ${{ matrix.triggers }}
-
-  # https://github.com/marketplace/actions/aqua-security-trivy
-  trivy:
-    name: Trivy Security Scan
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/[email protected]
-        with:
-          format: "sarif"
-          output: "trivy-results.sarif"
-          ignore-unfixed: true
-          scan-type: "fs"
-          scanners: "vuln,secret,config"
-          severity: "CRITICAL,HIGH"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: "trivy-results.sarif"
diff --git a/backend-go/Dockerfile b/backend-go/Dockerfile
@@ -8,7 +8,7 @@ RUN go mod download && \
 RUN go install github.com/swaggo/swag/cmd/swag@latest
 COPY . .
 RUN swag init && swag fmt
-RUN mkdir  -p /workspace/app/target/application
+RUN mkdir -p /workspace/app/target/application
 RUN CGO_ENABLED=0 GOOS=linux go build -v -o /workspace/app/target/application ./...
 HEALTHCHECK --interval=3000s --timeout=30s CMD go version || exit 1
 

diff --git a/backend-go/backend-go b/backend-go/backend-go