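# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
#
# Pipeline: build jar -> sign build provenance -> generate + attest SBOM ->
# verify both attestations -> dependency / image scans -> deploy.

name: Java CI with Maven

on:
  # push:
  #   branches: [ main ]
  # pull_request:
  #   branches: [ main ]
  workflow_dispatch:

jobs:
  build:
    # Least privilege: `id-token: write` lets attest-build-provenance / attest-sbom
    # obtain the OIDC token used for Sigstore signing, `attestations: write` stores
    # the resulting attestations, `contents: read` is all checkout needs.
    # No active step publishes to a package registry, so `packages: write` is not
    # requested (it was granted before without any step using it).
    permissions:
      id-token: write
      contents: read
      attestations: write
    runs-on: ubuntu-latest
    strategy:
      matrix:
        java: [ '17' ]
    steps:
      # NOTE(review): every action below is pinned to a major tag; pinning to a
      # full commit SHA (tag kept in a trailing comment) protects against the tag
      # being re-pointed at a different revision.
      - uses: actions/checkout@v4

      - name: Set up JDK ${{ matrix.java }}
        uses: actions/setup-java@v4
        with:
          java-version: ${{ matrix.java }}
          distribution: 'adopt'
          cache: maven

      - name: Build with Maven Wrapper
        # Build, then copy the produced jar to the path that is attested below.
        # The earlier form `./mvnw -B package > app.jar` redirected Maven's
        # console output into app.jar, so the provenance attestation covered a
        # build log rather than the artifact.
        run: |
          pwd
          ./mvnw -B package
          # Maven's default output directory; narrow the glob if the build
          # produces more than one jar (cp fails loudly in that case).
          cp target/*.jar app.jar

      # - uses: actions/checkout@v4
      #   with:
      #     fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis

      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v1
        # outputs:
        #   Attestation:
        with:
          subject-path: ./app.jar

      - name: Verify jar attestation
        env:
          # The job's ephemeral token is sufficient for `gh attestation verify`;
          # a stored personal token (secrets.GH_TOKEN) is a long-lived credential
          # this job does not need.
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
        run: |
          # gh attestation download app.jar -o github
          # wget https://github.com/saurav631/spring-petclinic/attestations/1598170/download -o sigstore.json
          # gh attestation verify github --owner saurav631 --bundle sigstore.json
          # gh attestation verify app.jar --owner saurav631 --bundle ./saurav631-spring-petclinic-attestation-1598170.sigstore.json --format=json
          # `--repo` scopes verification to this repository; `--owner` would also
          # accept attestations issued by any other repository of the same owner.
          gh attestation verify app.jar --repo "$REPO" --format=json
          # gh attestation verify app.jar --owner saurv631 --bundle application/vnd.dev.sigstore.bundle.v0.3+json --format=json
          # gh attestation verify sigstore.json --owner saurav631 --format=json

      # - name: Set up JDK 17
      #   uses: actions/setup-java@v1
      #   with:
      #     java-version: 17
      # - name: Cache SonarQube packages
      #   uses: actions/cache@v1
      #   with:
      #     path: ~/.sonar/cache
      #     key: ${{ runner.os }}-sonar
      #     restore-keys: ${{ runner.os }}-sonar
      # - name: Cache Maven packages
      #   uses: actions/cache@v1
      #   with:
      #     path: ~/.m2
      #     key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
      #     restore-keys: ${{ runner.os }}-m2
      # - name: Build and analyze
      #   env:
      #     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      #     SONAR_HOST_URL: http://20.235.200.36:9000/
      #   run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=PetClinic -Dsonar.projectName='PetClinic'
      # - name: Check SonarQube Quality Gate
      #   run: |
      #     sleep 10
      #     STATUS=$(curl -s -u ${{ secrets.SONAR_TOKEN }} "http://20.235.200.36:9000/api/qualitygates/project_status?projectKey=PetClinic" | jq -r '.projectStatus.status')
      #     echo "Quality Gate Status: $STATUS"
      #     if [ "$STATUS" != "OK" ]; then
      #       echo "SonarQube Quality Gate failed"
      #       exit 1
      #     fi
      # - name: Install & Running TruffleHog
      #   run: |
      #     pip install truffleHog
      #     trufflehog git_url https://github.com/saurav631/spring-petclinic/ --repo_path .

      - name: Install Syft
        # The download is version-pinned but not integrity-checked: a tampered
        # archive would be extracted straight onto PATH. Verify the tarball's
        # sha256 against the checksums file published with the release before
        # extracting it.
        run: |
          curl -sSL https://github.com/anchore/syft/releases/download/v0.66.0/syft_0.66.0_linux_amd64.tar.gz | tar xz -C /usr/local/bin syft

      - name: Generate SBOM with Syft
        run: |
          syft dir:. -o cyclonedx-json > sbom.json
          ls

      - name: Generate SBOM attestation
        uses: actions/attest-sbom@v1
        with:
          # The subject is the artifact the SBOM describes. The earlier value
          # `cyclonedx-json` is an output format name, not a file on the runner,
          # so no subject could be resolved.
          subject-path: ./app.jar
          sbom-path: ./sbom.json

      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.json

      - name: Verify SBOM attestation
        env:
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
        run: |
          # gh attestation verify sbom.json --owner saurav631 --bundle ./sbom.json
          # The SBOM attestation is attached to app.jar (the subject above). The
          # default predicate type selects SLSA provenance only, so the CycloneDX
          # predicate must be requested explicitly or this check would pass on
          # the provenance attestation alone.
          gh attestation verify app.jar --repo "$REPO" --predicate-type https://cyclonedx.org/bom --format=json
          # gh attestation verify app.jar --owner saurav631 --format=json
          # gh attestation verify sbom.json --owner saurav631 --bundle ./saurav631-spring-petclinic-attestation-1599265.sigstore.json

      - name: Dependency Scanning with OWASP Dependency-Check
        # NOTE(review): no step in this workflow installs Dependency-Check under
        # /opt/dependency-check and ubuntu-latest does not ship it, so this step
        # fails unless an install precedes it. Consider `--failOnCVSS` so that
        # findings gate the build instead of only producing a report.
        run: |
          /opt/dependency-check/bin/dependency-check.sh --project my_project --out dependency-check-report --scan .

      - name: Upload Dependency Check Report
        # Aligned with the SBOM upload above; upload-artifact@v3 is deprecated.
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: dependency-check-report

      - name: Scan Docker Images for Vulnerabilities
        # NOTE(review): no step builds or pulls `my_microservice:latest`, so the
        # scan has nothing to inspect; the trivy .deb is installed without a
        # checksum check. `--exit-code 1 --severity HIGH,CRITICAL` would make
        # findings fail the job rather than only print them.
        run: |
          sudo apt-get update
          sudo apt-get install -y docker.io
          sudo systemctl start docker
          sudo systemctl enable docker
          curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.36.0/trivy_0.36.0_Linux-64bit.deb -o trivy.deb
          sudo dpkg -i trivy.deb
          trivy image my_microservice:latest

      - name: Deploy Microservices
        # NOTE(review): no kubeconfig or cluster credentials are configured in this
        # job, and the scans above are report-only, so this apply is neither
        # reachable as written nor gated on scan results.
        run: |
          kubectl apply -f k8s/deployment.yaml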