add wiz scan on create PR to master (SWG-14342)

ewaostrowska · ewaostrowska · commit 7c7097780032 · 2025-07-11T11:36:34.000+02:00
diff --git a/.github/workflows/maven-master-pulls.yml b/.github/workflows/maven-master-pulls.yml
@@ -13,17 +13,13 @@ jobs:
         java: [ 11 ]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Set up Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v1
         with:
           java-version: ${{ matrix.java }}
-          distribution: temurin
-          server-id: central
-          server-username: MAVEN_USERNAME
-          server-password: MAVEN_PASSWORD
       - name: Cache local Maven repository
-        uses: actions/cache@v4
+        uses: actions/cache@v3
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@@ -40,21 +36,58 @@ jobs:
         java: [ 8 ]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Set up Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v1
         with:
           java-version: ${{ matrix.java }}
-          distribution: temurin
-          server-id: central
-          server-username: MAVEN_USERNAME
-          server-password: MAVEN_PASSWORD
       - name: Cache local Maven repository
-        uses: actions/cache@v4
+        uses: actions/cache@v3
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
             ${{ runner.os }}-maven-
       - name: Build with Maven
         run: mvn -B -U clean verify -DskipTests -Dmaven.test.skip=true -Dmaven.site.skip=true -Dmaven.javadoc.skip=true -Psamples-java8 --file pom.xml
+
+  scan-with-wiz:
+    name: Trigger Wiz Scanning
+    runs-on: ubuntu-latest
+
+    needs: [ build ]
+    if: success()
+
+    steps:
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_SB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_SB_PASSWORD }}
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        run: |
+          docker buildx build --load -t swaggerapi/swagger-codegen-cli:latest .
+
+      - name: Download Wiz CLI
+        run: curl -o wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64 && chmod +x wizcli
+
+      - name: Authenticate to Wiz
+        run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
+        env:
+          WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
+          WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
+
+      - name: Run wiz-cli docker image scan
+        run: |
+          ./wizcli docker scan --image $TAG --policy "$POLICY" > /dev/null 2>&1
+          ./wizcli docker tag --image $TAG > /dev/null 2>&1
+        env:
+          TAG: swaggerapi/swagger-codegen-cli:latest
+          POLICY: "SmartBear default vulnerabilities policy"
