testolvc/gist:e3a4b5124fd9ee0c843cc7bfa0a3f57f

## gistfile1.txt
name: Static Scans

on:
  #push: # not on push for the training (just manual)
  workflow_dispatch: # to allow running manually

permissions:
  contents: read


jobs:

  sast-scans:
    name: SAST Scans
    runs-on: ubuntu-latest

    steps:

      - name: Checkout Sources
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          java-version: 11
          distribution: 'temurin'

      - name: Setup Maven Dependency Cache
        uses: actions/cache@v4
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-

      - name: Build with Maven
        run: mvn clean install


      # ======================================================


      - name: Generate CycloneDX SBOM
        run: mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom # outputs to target/bom.json and/or bom.xml

      - name: Upload SBOM as Artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom-cyclonedx.json
          path: target/bom.json


      # ======================================================


      - name: Grype Dependency Scanner (Report)
        id: scan
        uses: anchore/scan-action@be7a22da4f22dde446c4c4c099887ff5b256526c
        with:
          path: "."
          fail-build: false # to always generate the report, then again a scan that might fail

      - name: Upload Grype SARIF Results
        uses: actions/upload-artifact@v4
        with: # Yep, you can open this file in your IDE: Just drag and drop it into IntelliJ IDEA or Visual Studio Code
          name: grype-scan-results.sarif
          path: ${{ steps.scan.outputs.sarif }}


      # ======================================================


      - name: Download SpotBugs CLI + FindSecBugs Rule Pack
        run: |
          wget -O spotbugs.tgz https://github.com/spotbugs/spotbugs/releases/download/4.9.3/spotbugs-4.9.3.tgz
          tar -xzf spotbugs.tgz
          mv spotbugs-*/ spotbugs/

          wget -O findsecbugs.jar https://search.maven.org/remotecontent?filepath=com/h3xstream/findsecbugs/findsecbugs-plugin/1.12.0/findsecbugs-plugin-1.12.0.jar
          mv findsecbugs.jar spotbugs/plugin/.

      - name: Run SpotBugs CLI (SARIF)
        run: |
          spotbugs/bin/spotbugs -sarif:/tmp/raw-spotbugs-output.txt -effort:max -low -auxclasspath lib:target/classes target/classes > /tmp/raw-spotbugs-output.txt
          grep -A100000 '{"version"' /tmp/raw-spotbugs-output.txt > /tmp/spotbugs-results.sarif

      - name: Upload SpotBugs SARIF Results
        uses: actions/upload-artifact@v4
        with: # Yep, you can open this file in your IDE: Just drag and drop it into IntelliJ IDEA or Visual Studio Code
          name: spotbugs-scan-results.sarif
          path: /tmp/spotbugs-results.sarif


      # ======================================================


      - name: Hadolint Dockerfile Linter
        uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf
        with:
          dockerfile: Dockerfile
          recursive: true
          no-fail: true
          format: sarif

      - name: Write HADOLINT_RESULTS to SARIF file
        run: echo "$HADOLINT_RESULTS" > /tmp/hadolint-results.sarif
        env:
          HADOLINT_RESULTS: ${{ env.HADOLINT_RESULTS }}

      - name: Upload Hadolint SARIF Results
        uses: actions/upload-artifact@v4
        with: # Yep, you can open this file in your IDE: Just drag and drop it into IntelliJ IDEA or Visual Studio Code
          name: hadolint-scan-results.sarif
          path: /tmp/hadolint-results.sarif


      # ======================================================


      - name: Create empty ".truffleignore" in case it doesn't exist
        run: touch .truffleignore

      - name: "Secret Scan with Trufflehog"
        uses: trufflesecurity/trufflehog@ad258d848807ac956c978b391895800cb4237c1a
        continue-on-error: true # adjust on your needs to automatically fail or move to a separate workflow if needed
        with: # exclusions in .truffleignore file
          # Repository path
          path: ./
          # Start scanning from here (usually main branch)
          base: ${{ github.head_ref }}
          # Scan commits until here (usually dev branch)
          #head: # optional
          # Extra args to be passed to the trufflehog CLI
          extra_args: --exclude-paths=.truffleignore --no-verification


  # ======================================================


  semgrep-scan:
    name: Semgrep Scans
    runs-on: ubuntu-latest
    container:
      # Official Docker image with Semgrep installed
      image: returntocorp/semgrep@sha256:8f85dbfb5d38592d0b916caac855cf18facba40674988caf763d52b9fe916694
    permissions:
      # required for all workflows
      security-events: write
      # only required for workflows in private repositories
      actions: read
      contents: read


    steps:

      - name: Checkout Sources
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Run Semgrep using selected rules (metrics off)
        run: |
          semgrep scan --sarif --config auto . --output /tmp/semgrep-results.sarif || true

      - name: Upload Semgrep SARIF Results
        uses: actions/upload-artifact@v4
        with: # Yep, you can open this file in your IDE: Just drag and drop it into IntelliJ IDEA or Visual Studio Code
          name: semgrep-scan-results.sarif
          path: /tmp/semgrep-results.sarif


  # ======================================================


  collect-sarif-results: # Use github/codeql-action/upload-sarif action instead (when either public repo or CodeQL enabled in enterprise commercial repo)
    name: Collect Results
    runs-on: ubuntu-latest
    needs:
      - sast-scans
      - semgrep-scan

    steps:

      - name: Download all SARIF artifacts
        uses: actions/download-artifact@v4
        with:
          path: sarif-input

      - name: List downloaded SARIFs
        if: false # Just used for debugging
        run: |
          pwd
          find sarif-input -type f

      - name: Install sarif-tools and convert SARIF to HTML
        run: | # Bonus idea: use "sarif trend" or "sarif diff" to compare results
          pip install sarif-tools
          sarif summary sarif-input
          sarif html -o /tmp/summary.html sarif-input

      - name: Upload SARIF HTML Report
        uses: actions/upload-artifact@v4
        with:
          name: summary.html
          path: /tmp/summary.html


      # ======================================================


      - name: Write SBOM Summary to GitHub Step Summary
        run: | # Bonus idea: use "curl" to post to you local Dependency-Track instance
          echo "### 📦 SBOM Summary" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          jq -r '.components[] | "- \(.name) \(.version) → \(.licenses[0].license.id // "Unknown")"' sarif-input/sbom-cyclonedx.json/bom.json >> $GITHUB_STEP_SUMMARY
	name: Static Scans

	on:
	#push: # not on push for the training (just manual)
	workflow_dispatch: # to allow running manually

	permissions:
	contents: read


	jobs:

	sast-scans:
	name: SAST Scans
	runs-on: ubuntu-latest

	steps:

	- name: Checkout Sources
	uses: actions/checkout@v4
	with:
	persist-credentials: false

	- name: Set up JDK
	uses: actions/setup-java@v4
	with:
	java-version: 11
	distribution: 'temurin'

	- name: Setup Maven Dependency Cache
	uses: actions/cache@v4
	with:
	path: ~/.m2/repository
	key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
	restore-keys: \|
	${{ runner.os }}-maven-

	- name: Build with Maven
	run: mvn clean install




	# ======================================================


	- name: Generate CycloneDX SBOM
	run: mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom # outputs to target/bom.json and/or bom.xml

	- name: Upload SBOM as Artifact
	uses: actions/upload-artifact@v4
	with:
	name: sbom-cyclonedx.json
	path: target/bom.json




	# ======================================================


	- name: Grype Dependency Scanner (Report)
	id: scan
	uses: anchore/scan-action@be7a22da4f22dde446c4c4c099887ff5b256526c
	with:
	path: "."
	fail-build: false # to always generate the report, then again a scan that might fail

	- name: Upload Grype SARIF Results
	uses: actions/upload-artifact@v4
	with: # Yep, you can open this file in your IDE: Just drag and drop it into IntelliJ IDEA or Visual Studio Code
	name: grype-scan-results.sarif
	path: ${{ steps.scan.outputs.sarif }}



	# ======================================================



	- name: Download SpotBugs CLI + FindSecBugs Rule Pack
	run: \|
	wget -O spotbugs.tgz https://github.com/spotbugs/spotbugs/releases/download/4.9.3/spotbugs-4.9.3.tgz
	tar -xzf spotbugs.tgz
	mv spotbugs-*/ spotbugs/

	wget -O findsecbugs.jar https://search.maven.org/remotecontent?filepath=com/h3xstream/findsecbugs/findsecbugs-plugin/1.12.0/findsecbugs-plugin-1.12.0.jar
	mv findsecbugs.jar spotbugs/plugin/.

	- name: Run SpotBugs CLI (SARIF)
	run: \|
	spotbugs/bin/spotbugs -sarif:/tmp/raw-spotbugs-output.txt -effort:max -low -auxclasspath lib:target/classes target/classes > /tmp/raw-spotbugs-output.txt
	grep -A100000 '{"version"' /tmp/raw-spotbugs-output.txt > /tmp/spotbugs-results.sarif

	- name: Upload SpotBugs SARIF Results
	uses: actions/upload-artifact@v4
	with: # Yep, you can open this file in your IDE: Just drag and drop it into IntelliJ IDEA or Visual Studio Code
	name: spotbugs-scan-results.sarif
	path: /tmp/spotbugs-results.sarif




	# ======================================================



	- name: Hadolint Dockerfile Linter
	uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf
	with:
	dockerfile: Dockerfile
	recursive: true
	no-fail: true
	format: sarif

	- name: Write HADOLINT_RESULTS to SARIF file
	run: echo "$HADOLINT_RESULTS" > /tmp/hadolint-results.sarif
	env:
	HADOLINT_RESULTS: ${{ env.HADOLINT_RESULTS }}

	- name: Upload Hadolint SARIF Results
	uses: actions/upload-artifact@v4
	with: # Yep, you can open this file in your IDE: Just drag and drop it into IntelliJ IDEA or Visual Studio Code
	name: hadolint-scan-results.sarif
	path: /tmp/hadolint-results.sarif




	# ======================================================


	- name: Create empty ".truffleignore" in case it doesn't exist
	run: touch .truffleignore

	- name: "Secret Scan with Trufflehog"
	uses: trufflesecurity/trufflehog@ad258d848807ac956c978b391895800cb4237c1a
	continue-on-error: true # adjust on your needs to automatically fail or move to a separate workflow if needed
	with: # exclusions in .truffleignore file
	# Repository path
	path: ./
	# Start scanning from here (usually main branch)
	base: ${{ github.head_ref }}
	# Scan commits until here (usually dev branch)
	#head: # optional
	# Extra args to be passed to the trufflehog CLI
	extra_args: --exclude-paths=.truffleignore --no-verification




	# ======================================================


	semgrep-scan:
	name: Semgrep Scans
	runs-on: ubuntu-latest
	container:
	# Official Docker image with Semgrep installed
	image: returntocorp/semgrep@sha256:8f85dbfb5d38592d0b916caac855cf18facba40674988caf763d52b9fe916694
	permissions:
	# required for all workflows
	security-events: write
	# only required for workflows in private repositories
	actions: read
	contents: read


	steps:

	- name: Checkout Sources
	uses: actions/checkout@v4
	with:
	persist-credentials: false

	- name: Run Semgrep using selected rules (metrics off)
	run: \|
	semgrep scan --sarif --config auto . --output /tmp/semgrep-results.sarif \|\| true

	- name: Upload Semgrep SARIF Results
	uses: actions/upload-artifact@v4
	with: # Yep, you can open this file in your IDE: Just drag and drop it into IntelliJ IDEA or Visual Studio Code
	name: semgrep-scan-results.sarif
	path: /tmp/semgrep-results.sarif





	# ======================================================


	collect-sarif-results: # Use github/codeql-action/upload-sarif action instead (when either public repo or CodeQL enabled in enterprise commercial repo)
	name: Collect Results
	runs-on: ubuntu-latest
	needs:
	- sast-scans
	- semgrep-scan

	steps:

	- name: Download all SARIF artifacts
	uses: actions/download-artifact@v4
	with:
	path: sarif-input

	- name: List downloaded SARIFs
	if: false # Just used for debugging
	run: \|
	pwd
	find sarif-input -type f

	- name: Install sarif-tools and convert SARIF to HTML
	run: \| # Bonus idea: use "sarif trend" or "sarif diff" to compare results
	pip install sarif-tools
	sarif summary sarif-input
	sarif html -o /tmp/summary.html sarif-input

	- name: Upload SARIF HTML Report
	uses: actions/upload-artifact@v4
	with:
	name: summary.html
	path: /tmp/summary.html




	# ======================================================


	- name: Write SBOM Summary to GitHub Step Summary
	run: \| # Bonus idea: use "curl" to post to you local Dependency-Track instance
	echo "### 📦 SBOM Summary" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY
	jq -r '.components[] \| "- \(.name) \(.version) → \(.licenses[0].license.id // "Unknown")"' sarif-input/sbom-cyclonedx.json/bom.json >> $GITHUB_STEP_SUMMARY
No results found