add wiz scan on create PR to master (SWG-14342)

ewaostrowska · ewaostrowska · commit 8080e03ef5dd · 2025-07-14T09:20:57.000+02:00
diff --git a/.github/workflows/maven-pr-3.0.yml b/.github/workflows/maven-pr-3.0.yml
@@ -53,14 +53,13 @@ jobs:
           export MY_POM_VERSION=`mvn -Dswagger-codegen-generators-version=1.0.37 -q -Dexec.executable="echo" -Dexec.args='${projects.version}' --non-recursive org.codehaus.mojo:exec-maven-plugin:1.3.1:exec`
           echo "POM VERSION" ${MY_POM_VERSION}
           export GENERATORS_VERSION=`sed -n 's/<swagger\-codegen\-generators\-version>\([^\s]*\)<\/swagger\-codegen\-generators\-version>/\1/p' pom.xml`
-          export GENERATORS_VERSION=`echo ${GENERATORS_VERSION} | tr -d '[:space:]'`          
+          export GENERATORS_VERSION=`echo ${GENERATORS_VERSION} | tr -d '[:space:]'`
           echo "GENERATORS_VERSION" ${GENERATORS_VERSION}
           export GENERATORS_VERSION_PROPERTY=""
           if [[ ! $MY_POM_VERSION =~ ^.*SNAPSHOT$ ]];
           then
             if [[ ! $GENERATORS_VERSION =~ ^.*SNAPSHOT$ ]];
             then
-              # check release version exists
               export GENERATORS_FOUND_JSON=`curl -s --max-time 60 --retry 15 --connect-timeout 20 https://search.maven.org/solrsearch/select?q=g:io.swagger.codegen.v3%20AND%20a:swagger-codegen-generators%20AND%20v:${GENERATORS_VERSION}%20AND%20p:jar`
               export GENERATORS_FOUND=`echo ${GENERATORS_FOUND_JSON} | jq '.response.numFound'`
               echo "GENERATORS_FOUND" ${GENERATORS_FOUND}
@@ -81,33 +80,22 @@ jobs:
           echo "GENERATORS_VERSION_PROPERTY=${GENERATORS_VERSION_PROPERTY}" >> $GITHUB_ENV
           mvn clean verify -U -DJETTY_TEST_HTTP_PORT=8070 -DJETTY_TEST_STOP_PORT=8069 ${GENERATORS_VERSION_PROPERTY}
 
+      - name: Build Docker Image
+        run: |
+          docker build -t swagger-codegen:latest .
+          docker tag swagger-codegen:latest swagger-codegen:${{ github.sha }}
+
+      - name: Set docker tag output
+        id: docker_tag
+        run: echo "tag=swagger-codegen:${{ github.sha }}" >> $GITHUB_OUTPUT
+
   scan-with-wiz:
     name: Trigger Wiz Scanning
     runs-on: ubuntu-latest
-
     needs: [ build_pr_30 ]
     if: success()
 
     steps:
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_SB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_SB_PASSWORD }}
-
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build Docker image
-        run: |
-          docker buildx build --load -t swagger-codegen:latest .
-
-      - name: Download Wiz CLI
-        run: curl -o wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64 && chmod +x wizcli
-
       - name: Authenticate to Wiz
         run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
         env:
@@ -119,5 +107,5 @@ jobs:
           ./wizcli docker scan --image $TAG --policy "$POLICY" 
           ./wizcli docker tag --image $TAG
         env:
-          TAG: swagger-codegen:latest
+          TAG: ${{ needs.build_pr_30.outputs.docker_tag }}
           POLICY: "SmartBear default vulnerabilities policy"
