Skip to content

fix: pom.xml to reduce vulnerabilities #277

fix: pom.xml to reduce vulnerabilities

fix: pom.xml to reduce vulnerabilities #277

Workflow file for this run

name: ScaleUp Application CI workflow
on:
push:
branches:
- '**' # Trigger on any branch push
jobs:
set-env:
name: Setup Environment
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20.15.0
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 17
- name: Install Node.js packages
run: npm install
- name: Cache Node Modules
uses: actions/cache@v3
with:
path: node_modules
key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
package:
name: Package App
runs-on: ubuntu-latest
needs: set-env
if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]') && !contains(github.event.pull_request.title, '[skip ci]') && !contains(github.event.pull_request.title, '[ci skip]')"
timeout-minutes: 10
env:
NODE_VERSION: 20.15.0
SPRING_OUTPUT_ANSI_ENABLED: DETECT
SPRING_JPA_SHOW_SQL: false
JHI_DISABLE_WEBPACK_LOGS: true
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20.15.0
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 17
- name: Package application
run: npm run java:jar:prod
- name: Upload Build Artifact
uses: actions/upload-artifact@v4
with:
name: packaged-application
path: |
target/*.jar
target/classes
retention-days: 1 # Retain the build artifacts for 1 day
# Push to Docker
jib-build:
name: containerize
runs-on: ubuntu-latest
needs: package
env:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 17
- name: Push to Docker registry w/o IT
run: ./mvnw package -Pprod verify jib:build -Djib.to.image=shenanquek97/scaleup -Djib.to.auth.username=${DOCKER_USERNAME} -Djib.to.auth.password=${DOCKER_PASSWORD} -DskipTests
if: github.ref != 'refs/heads/main' || github.ref != 'refs/heads/testing-uat'
- name: Push to Docker registry w IT
run: ./mvnw package -Pprod verify jib:build -Djib.to.image=shenanquek97/scaleup -Djib.to.auth.username=${DOCKER_USERNAME} -Djib.to.auth.password=${DOCKER_PASSWORD}
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/testing-uat'
backend-test:
name: Backend Test Stage
runs-on: ubuntu-latest
needs: package
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 17
- name: Run backend test
run: |
chmod +x mvnw
npm run ci:backend:test
- name: Upload Backend Test Report
uses: actions/upload-artifact@v4
with:
name: backend-test-report
path: target/surefire-reports/*.xml
retention-days: 1
frontend-test:
name: Frontend Test Stage
runs-on: ubuntu-latest
needs: package
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20.15.0
- name: Install Node.js Packages
run: npm install
- name: Run frontend test
run: npm run ci:frontend:test
- name: Upload Frontend Test Report
uses: actions/upload-artifact@v4
with:
name: jest-test-reports
path: ./target/test-results/TESTS-results-jest.xml # Adjusted to match your Jest output configuration
retention-days: 1
sonar:
name: Sonar SAST Scan
runs-on: ubuntu-latest
needs: [backend-test, frontend-test]
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 1 # Shallow clones should be disabled for a better relevancy of analysis
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
java-version: 17
distribution: 'zulu' # Alternative distribution options are available.
- name: Cache SonarCloud packages
uses: actions/cache@v3
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Cache Maven packages
uses: actions/cache@v3
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Build and analyze
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
if: github.ref != 'refs/heads/main'
run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=sayoungestguy_scaleup
- name: Build and analyze for main
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
if: github.ref == 'refs/heads/main'
run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=sayoungestguy_scaleup #-Dsonar.qualitygate.wait=true
snyk:
name: Vulnerability Scanning with Synk
needs: [backend-test, frontend-test]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/maven@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --sarif-file-output=snyk.sarif
# - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v3
# with:
# sarif_file: snyk.sarif
dast-scan:
name: DAST OWASP ZAP Scans
runs-on: ubuntu-latest
needs: [backend-test, frontend-test]
steps:
- uses: actions/checkout@v4
- name: Change script permission
run: |
chmod +x script/zap-script.sh
- name: ZAP scan
run: script/zap-script.sh
- name: Archive production artifacts
uses: actions/upload-artifact@v4
with:
name: zap report
path: |
./zap_baseline_report.html
retention-days: 1
deploy-to-sit:
name: Deploy to SIT
needs: jib-build
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/testing-sit' # Only apply changes on sit branch
env:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
steps:
- name: Deploy to EC2
uses: appleboy/ssh-action@master
with:
host: ec2-52-77-34-58.ap-southeast-1.compute.amazonaws.com # Change this to SIT host
username: ubuntu
key: ${{ secrets.EC2_PRIVATE_KEY }}
port: 22
script: |
sudo docker pull ${{ secrets.DOCKER_USERNAME }}/scaleup:latest
if [ "$(sudo docker ps -q -f name=scaleUp)" ]; then
sudo docker stop scaleUp
sudo docker rm scaleUp
elif [ "$(sudo docker ps -a -q -f name=scaleUp)" ]; then
sudo docker rm scaleUp
fi
sudo docker run -d -p 80:80 --name scaleUp ${{ secrets.DOCKER_USERNAME }}/scaleup:latest
deploy-to-main:
name: Deploy to Production
needs: [jib-build, dast-scan, snyk, sonar]
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' # Only apply changes on main branch
env:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
steps:
- name: Deploy to EC2
uses: appleboy/ssh-action@master
with:
host: ec2-54-255-11-22.ap-southeast-1.compute.amazonaws.com # Change to Prod host
username: ubuntu
key: ${{ secrets.EC2_PRIVATE_KEY_PROD }}
port: 22
script: |
sudo docker pull ${{ secrets.DOCKER_USERNAME }}/scaleup:latest
if [ "$(sudo docker ps -q -f name=scaleUp)" ]; then
sudo docker stop scaleUp
sudo docker rm scaleUp
elif [ "$(sudo docker ps -a -q -f name=scaleUp)" ]; then
sudo docker rm scaleUp
fi
sudo docker run -d -p 80:80 --name scaleUp ${{ secrets.DOCKER_USERNAME }}/scaleup:latest