.github/workflows/grype-scan.yml

#############################################################################
# Workflow for using Grype to scan for security issues in IRIDA dependencies
#############################################################################

name: Grype WAR security scan

on:
  pull_request: # Run on all pull requests
  push:
    branches: # Run on any push to development or main
      - development
      - main
  schedule: # Run daily on development and weekly on main
    - cron: 0 1 * * *
      branches: development
    - cron: 0 2 * * 0
      branches: main

jobs:
  war-build: # Gradle integration tests
    runs-on: ubuntu-20.04 #See pre-installed software at https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-Readme.md

    steps:
      - uses: actions/checkout@v3 #Checkout the project from git
      - name: Get pnpm store directory
        id: pnpm-cache
        run: |
          echo "::set-output name=pnpm_cache_dir::$(./gradlew pnpmCacheDir -q)"
      - name: Setup pnpm cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.pnpm-cache.outputs.pnpm_cache_dir }}
          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-store-
      - name: Set up JDK 11 # Installs java 11
        uses: actions/setup-java@v1
        with:
          java-version: 11
      - name: Validate Gradle wrapper
        uses: gradle/wrapper-validation-action@v1
      - name: Setup Gradle
        uses: gradle/gradle-build-action@v2
      - name: Build WAR file # Build the WAR file
        id: package
        run: |
          ./gradlew clean build -xtest
      - name: Link WAR file
        run: |
          ln -s build/dist/irida-*.war irida.war
          ls -l irida.war
      - name: Scan image
        id: scan
        uses: anchore/scan-action@v3
        with:
          image: irida.war
          fail-build: false
          acs-report-enable: true
      - name: Inspect action SARIF report
        run: cat ${{ steps.scan.outputs.sarif }}
      - name: upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}