add wiz scan on create PR to master (SWG-14342)

ewaostrowska · ewaostrowska · commit d7f5eb25bc0f · 2025-07-14T09:26:16.000+02:00
diff --git a/.github/workflows/maven-pr-3.0.yml b/.github/workflows/maven-pr-3.0.yml
@@ -53,13 +53,14 @@ jobs:
           export MY_POM_VERSION=`mvn -Dswagger-codegen-generators-version=1.0.37 -q -Dexec.executable="echo" -Dexec.args='${projects.version}' --non-recursive org.codehaus.mojo:exec-maven-plugin:1.3.1:exec`
           echo "POM VERSION" ${MY_POM_VERSION}
           export GENERATORS_VERSION=`sed -n 's/<swagger\-codegen\-generators\-version>\([^\s]*\)<\/swagger\-codegen\-generators\-version>/\1/p' pom.xml`
-          export GENERATORS_VERSION=`echo ${GENERATORS_VERSION} | tr -d '[:space:]'`
+          export GENERATORS_VERSION=`echo ${GENERATORS_VERSION} | tr -d '[:space:]'`          
           echo "GENERATORS_VERSION" ${GENERATORS_VERSION}
           export GENERATORS_VERSION_PROPERTY=""
           if [[ ! $MY_POM_VERSION =~ ^.*SNAPSHOT$ ]];
           then
             if [[ ! $GENERATORS_VERSION =~ ^.*SNAPSHOT$ ]];
             then
+              # check release version exists
               export GENERATORS_FOUND_JSON=`curl -s --max-time 60 --retry 15 --connect-timeout 20 https://search.maven.org/solrsearch/select?q=g:io.swagger.codegen.v3%20AND%20a:swagger-codegen-generators%20AND%20v:${GENERATORS_VERSION}%20AND%20p:jar`
               export GENERATORS_FOUND=`echo ${GENERATORS_FOUND_JSON} | jq '.response.numFound'`
               echo "GENERATORS_FOUND" ${GENERATORS_FOUND}
@@ -80,22 +81,33 @@ jobs:
           echo "GENERATORS_VERSION_PROPERTY=${GENERATORS_VERSION_PROPERTY}" >> $GITHUB_ENV
           mvn clean verify -U -DJETTY_TEST_HTTP_PORT=8070 -DJETTY_TEST_STOP_PORT=8069 ${GENERATORS_VERSION_PROPERTY}
 
-      - name: Build Docker Image
-        run: |
-          docker build -t swagger-codegen:latest .
-          docker tag swagger-codegen:latest swagger-codegen:${{ github.sha }}
-
-      - name: Set docker tag output
-        id: docker_tag
-        run: echo "tag=swagger-codegen:${{ github.sha }}" >> $GITHUB_OUTPUT
-
   scan-with-wiz:
     name: Trigger Wiz Scanning
     runs-on: ubuntu-latest
+
     needs: [ build_pr_30 ]
     if: success()
 
     steps:
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_SB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_SB_PASSWORD }}
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        run: |
+          docker buildx build --load -t swagger-codegen:latest .
+
+      - name: Download Wiz CLI
+        run: curl -o wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64 && chmod +x wizcli
+
       - name: Authenticate to Wiz
         run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
         env:
@@ -104,8 +116,8 @@ jobs:
 
       - name: Run wiz-cli docker image scan
         run: |
-          ./wizcli docker scan --image $TAG --policy "$POLICY" 
+          ./wizcli docker scan --image $TAG --policy "$POLICY" >
           ./wizcli docker tag --image $TAG
         env:
-          TAG: ${{ needs.build_pr_30.outputs.docker_tag }}
+          TAG: swagger-codegen:latest
           POLICY: "SmartBear default vulnerabilities policy"
