add wiz scan to the pipeline (SWG-14342)

ewaostrowska · ewaostrowska · commit 32a2236bf59c · 2025-07-08T15:21:39.000+02:00
diff --git a/.github/workflows/maven-master-pulls.yml b/.github/workflows/maven-master-pulls.yml
@@ -58,3 +58,51 @@ jobs:
             ${{ runner.os }}-maven-
       - name: Build with Maven
         run: mvn -B -U clean verify -DskipTests -Dmaven.test.skip=true -Dmaven.site.skip=true -Dmaven.javadoc.skip=true -Psamples-java8 --file pom.xml
+
+  scan-with-lacework:
+      name: Trigger LaceWork Scanning
+      runs-on: ubuntu-latest
+
+      needs: [ build ]
+      if: success()
+
+      steps:
+        - name: Trigger LaceWork Scanning using a different method
+          run: |
+            docker run -e LW_ACCOUNT_NAME=$LW_ACCOUNT_NAME -e LW_ACCESS_TOKEN=$LW_ACCESS_TOKEN -e LW_SCANNER_SAVE_RESULTS=true -e LW_SCANNER_DISABLE_UPDATES=false -v /var/run/docker.sock:/var/run/docker.sock lacework/lacework-inline-scanner:latest image evaluate swaggerapi/swagger-codegen-cli latest --docker-server index.docker.io --docker-username $docker_user --docker-password $docker_password  > /dev/null 2>&1
+          env:
+            LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
+            LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
+            docker_user: ${{ secrets.DOCKERHUB_SB_USERNAME}}
+            docker_password: ${{ secrets.DOCKERHUB_SB_PASSWORD}}
+
+  scan-with-wiz:
+        name: Trigger Wiz Scanning
+        runs-on: ubuntu-latest
+
+        needs: [ build ]
+        if: success()
+
+        steps:
+        - name: Login to Docker Hub
+          uses: docker/login-action@v2
+          with:
+            username: ${{ secrets.DOCKERHUB_SB_USERNAME }}
+            password: ${{ secrets.DOCKERHUB_SB_PASSWORD }}
+
+        - name: Download Wiz CLI
+          run: curl -o wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64 && chmod +x wizcli
+
+        - name: Authenticate to Wiz
+          run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
+          env:
+            WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
+            WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
+
+        - name: Run wiz-cli docker image scan
+          run: |
+            ./wizcli docker scan --image $TAG --policy "$POLICY"
+            ./wizcli docker tag --image $TAG
+            env:
+              TAG: swagger-api/swagger-codegen:${{ needs.build.outputs.CREATED_VERSION }}
+              POLICY: "SmartBear default vulnerabilities policy"
