
Bump docker/setup-buildx-action from 3 to 4 #328


Workflow file for this run

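# CodeQL static analysis (job "analyze") plus an OWASP ZAP baseline DAST scan
# (job "DAST") of the containerised app. Runs on pull requests targeting
# master/main and on a weekly cron schedule.
name: CodeQL
on:
  pull_request:
    branches:
      - master
      - main
  schedule:
    - cron: '36 5 * * 4'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Least-privilege token: read the checkout, upload SARIF to code scanning.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
        language: [ 'java' ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      - uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          # Quoted so the version reaches setup-java as a string, not a YAML int.
          java-version: '21'

      - name: Set up Gradle
        uses: gradle/actions/setup-gradle@v5
        with:
          gradle-version: current
          gradle-home-cache-includes: |
            caches
            configuration-cache

      # Pulled up front so image fetch time is not attributed to the build step.
      - name: Pre-pull integration images
        run: |
          docker pull postgres:16-alpine
          docker pull wiremock/wiremock:3.9.1
          docker pull mcr.microsoft.com/azure-storage/azurite:3.33.0
          docker pull eclipse-temurin:21-jdk
          docker pull testcontainers/ryuk:0.12.0

      # Custom build instead of CodeQL autobuild: compiles the sources CodeQL
      # traces and generates the CycloneDX SBOM; unit and integration tests are
      # excluded (-x test -x integration).
      # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
      - name: Gradle Build
        run: |
          gradle build cyclonedxBom -x test -x integration

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{matrix.language}}"

      # Best effort (|| true): the hash is informational and must not fail the job.
      - name: Log generated SBOM Hash
        run: sha256sum build/resources/main/META-INF/sbom/application.cdx.json || true

      # This ensures:
      # - The SBOM is archived with the CodeQL scan output
      # - It's available to download and inspect from the GitHub Actions UI
      - name: Upload SBOM
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: sbom
          path: build/resources/main/META-INF/sbom/application.cdx.json

  DAST:
    runs-on: ubuntu-latest
    # Least-privilege token, matching the analyze job. issues: write is kept
    # because zaproxy/action-baseline files its findings as a tracking issue
    # unless allow_issue_writing is set to false.
    permissions:
      contents: read
      issues: write
    env:
      AZURE_STORAGE_CONNECTION_STRING: ${{ vars.AZURE_STORAGE_CONNECTION_STRING }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          # Quoted so the version reaches setup-java as a string, not a YAML int.
          java-version: '21'

      - name: Set up Gradle
        uses: gradle/actions/setup-gradle@v5
        with:
          gradle-version: current
          gradle-home-cache-includes: |
            caches
            configuration-cache

      - name: Pre-pull integration images
        run: |
          docker pull postgres:16-alpine
          docker pull wiremock/wiremock:3.9.1
          docker pull mcr.microsoft.com/azure-storage/azurite:3.33.0
          docker pull eclipse-temurin:21-jdk
          docker pull testcontainers/ryuk:0.12.0

      - name: Gradle Build
        run: gradle build -x test -x integration

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      # Brings the stack up and waits (up to 30 x 2 s) for the health endpoint.
      # The job fails if the app never becomes healthy, so ZAP is not run
      # against a dead target and the compose logs are printed for diagnosis.
      # curl -f treats a non-2xx/3xx /health response as "not yet healthy".
      - name: DAST - Build and run containerised app
        run: |
          docker compose -f docker/docker-compose.integration.yml up -d
          echo "Waiting for health endpoint..."
          healthy=0
          for i in {1..30}; do
            if curl -fs http://localhost:8082/health > /dev/null; then
              echo "App is healthy"
              healthy=1
              break
            fi
            echo "Waiting for app to be healthy ($i)..."
            sleep 2
          done
          if [ "$healthy" -ne 1 ]; then
            echo "App did not become healthy within the timeout; container logs follow"
            docker compose -f docker/docker-compose.integration.yml logs
            exit 1
          fi

      - name: Run OWASP ZAP DAST Scan
        uses: zaproxy/action-baseline@v0.15.0
        with:
          target: "http://localhost:8082"
          cmd_options: "-a -J zap_report.json -r zap_report.html"

      # if: always() mirrors the SBOM upload above so the report is still
      # archived when the scan step itself fails.
      - name: Upload ZAP HTML Report
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: zap-html-report
          path: zap_report.html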