Skip to content
CICD Pipeline

ci(trivy): #106 temporary only fail CI for CRITICAL vulnerabilities #70

Sign in to view logs

ci(trivy): #106 temporary only fail CI for CRITICAL vulnerabilities

ci(trivy): #106 temporary only fail CI for CRITICAL vulnerabilities #70

Workflow file for this run

.github/workflows/pipeline.yml at a2fee12
name: CICD Pipeline
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
conventional-commit-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Conventional commit check
uses: cocogitto/cocogitto-action@v3
build:
runs-on: ubuntu-latest
needs: conventional-commit-check
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: adopt
java-version: 21
check-latest: true
- name: Cached Gradle packages
uses: actions/cache@v4
with:
key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
path: |
~/.gradle/caches
~/.gradle/wrapper
- run: ( ./gradlew build -x test )
name: "Executing build"
unit-test:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: adopt
java-version: 21
check-latest: true
- name: Cached Gradle packages
uses: actions/cache@v4
with:
key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
path: |
~/.gradle/caches
~/.gradle/wrapper
- run: ( ./gradlew test )
name: "Executing tests"
- run: ( ./gradlew jacocoTestCoverageVerification )
name: "Code coverage"
mutation-test:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: adopt
java-version: 21
check-latest: true
- name: Cached Gradle packages
uses: actions/cache@v4
with:
key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
path: |
~/.gradle/caches
~/.gradle/wrapper
- run: ( ./gradlew pitest )
name: "Executing mutation tests"
dependency-vulnerability-analysis:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: adopt
java-version: 21
check-latest: true
- name: Cached Gradle packages
uses: actions/cache@v4
with:
key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
path: |
~/.gradle/caches
~/.gradle/wrapper
~/.gradle/dependency-check-data/
- run: ( ./gradlew dependencyCheckAnalyze -PUseNVDKey )
name: "Executing dependency vulnerability checks"
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
sast-code-snyk:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@v4
- name: Run Snyk to static code analysis for vulnerabilities
uses: snyk/actions/maven-3-jdk-21@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
sast-iac-trivy-hadolint:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@v4
- uses: hadolint/[email protected]
with:
dockerfile: Dockerfile
failure-threshold: error
- name: Run Trivy vulnerability for Dockerfile
uses: aquasecurity/[email protected]
with:
scan-type: config
scan-ref: './'
exit-code: 1
trivy-config: ./config/trivy/trivy.yaml
docker-build-push:
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
needs:
- unit-test
- mutation-test
- dependency-vulnerability-analysis
- sast-code-snyk
- sast-iac-trivy-hadolint
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: fetch-tags
run: git fetch --tags origin
shell: bash
- id: bump-version
uses: abhisheksr01/github-actions/[email protected]
with:
dry-run: true
- name: check-bump-version-output
run: |
echo "previous-version: ${{ steps.bump-version.outputs.previous-version }}"
echo "bump-version: ${{ steps.bump-version.outputs.bump-version }}"
echo "current-version: ${{ steps.bump-version.outputs.current-version }}"
echo "is-version-bumped: ${{ steps.bump-version.outputs.is-version-bumped }}"
echo "is-dryrun-version-bumped: ${{ steps.bump-version.outputs.is-dryrun-version-bumped }}"
shell: bash
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: abhisheksr01/companieshouse
context: git
tags: |
type=ref,event=pr
type=semver,pattern={{version}},prefix=v,value=${{ steps.bump-version.outputs.bump-version }}
labels: |
"org.opencontainers.image.title": "abhisheksr01/companieshouse",
"org.opencontainers.image.description": "Best practices and integrations available for Spring Boot based Microservice in a single repository with companieshouse API use case.",
"org.opencontainers.image.url": "https://github.com/abhisheksr01/spring-boot-microservice-best-practices",
"org.opencontainers.image.source": "https://github.com/abhisheksr01/spring-boot-microservice-best-practices",
"org.opencontainers.image.version": ${{ steps.bump-version.outputs.bump-version }},
"org.opencontainers.image.created": "2020-01-10T00:30:00.000Z",
"org.opencontainers.image.revision": ${{ github.sha }},
"org.opencontainers.image.licenses": "MIT"
- name: Build and push
uses: docker/build-push-action@v6
with:
push: ${{ github.event_name != 'pull_request' && steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }} # Only push on main branch & when version is bumped with dryrun. We will create tags and creates separately after proper testing
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
sbom: true
provenance: true