From 6d3354241408dfa496048be1c0baeea85b53d915 Mon Sep 17 00:00:00 2001
From: Ewa Ostrowska
Date: Thu, 10 Jul 2025 19:19:50 +0200
Subject: [PATCH] add wiz scan on create PR to 3.0.0 (SWG-14342)
---
.github/workflows/maven-master-pulls.yml | 19 +------------------
.github/workflows/maven-master.yml | 2 +-
.github/workflows/maven-pr-3.0.yml | 22 +++++++++++++++++++++-
3 files changed, 23 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/maven-master-pulls.yml b/.github/workflows/maven-master-pulls.yml
index 104c004f794..e07cd338a50 100644
--- a/.github/workflows/maven-master-pulls.yml
+++ b/.github/workflows/maven-master-pulls.yml
@@ -49,21 +49,4 @@ jobs:
restore-keys: |
${{ runner.os }}-maven-
- name: Build with Maven
- run: mvn -B -U clean verify -DskipTests -Dmaven.test.skip=true -Dmaven.site.skip=true -Dmaven.javadoc.skip=true -Psamples-java8 --file pom.xml
-
- scan-with-lacework:
- name: Trigger LaceWork Scanning
- runs-on: ubuntu-latest
-
- needs: [ build ]
- if: success()
-
- steps:
- - name: Trigger LaceWork Scanning using a different method
- run: |
- docker run -e LW_ACCOUNT_NAME=$LW_ACCOUNT_NAME -e LW_ACCESS_TOKEN=$LW_ACCESS_TOKEN -e LW_SCANNER_SAVE_RESULTS=true -e LW_SCANNER_DISABLE_UPDATES=false -v /var/run/docker.sock:/var/run/docker.sock lacework/lacework-inline-scanner:latest image evaluate swaggerapi/swagger-codegen-cli latest --docker-server index.docker.io --docker-username $docker_user --docker-password $docker_password > /dev/null 2>&1
- env:
- LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
- LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
- docker_user: ${{ secrets.DOCKERHUB_SB_USERNAME}}
- docker_password: ${{ secrets.DOCKERHUB_SB_PASSWORD}}
\ No newline at end of file
+ run: mvn -B -U clean verify -DskipTests -Dmaven.test.skip=true -Dmaven.site.skip=true -Dmaven.javadoc.skip=true -Psamples-java8 --file pom.xml
\ No newline at end of file
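Review bot: After this hunk maven-master-pulls.yml contains no scanning step at all — the `scan-with-lacework` job is dropped and the Wiz steps this commit adds go only into maven-pr-3.0.yml, so pull requests handled by this workflow lose their vulnerability check unless it is covered elsewhere. The removed job also evaluated the published `swaggerapi/swagger-codegen-cli` image, which a `wizcli dir scan` of the source tree does not replace, so this reads as a coverage gap rather than a like-for-like swap. If the gap is intentional (for example scanning moved to a release pipeline), a one-line comment on the job this Build step belongs to, such as `# Image scanning for PRs moved to maven-pr-3.0.yml (SWG-14342)`, would save the next reader the search. The job header for the remaining build steps is outside the hunk.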
diff --git a/.github/workflows/maven-master.yml b/.github/workflows/maven-master.yml
index e42220db45b..666258ca2fa 100644
--- a/.github/workflows/maven-master.yml
+++ b/.github/workflows/maven-master.yml
@@ -88,7 +88,7 @@ jobs:
with:
java-version: ${{ matrix.java }}
- name: Cache local Maven repository
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/maven-pr-3.0.yml b/.github/workflows/maven-pr-3.0.yml
index 7fcaa3467de..3600bffc056 100644
--- a/.github/workflows/maven-pr-3.0.yml
+++ b/.github/workflows/maven-pr-3.0.yml
@@ -75,4 +75,24 @@ jobs:
fi
echo "GENERATORS_VERSION_PROPERTY ${GENERATORS_VERSION_PROPERTY}"
echo "GENERATORS_VERSION_PROPERTY=${GENERATORS_VERSION_PROPERTY}" >> $GITHUB_ENV
- mvn clean verify -U -DJETTY_TEST_HTTP_PORT=8070 -DJETTY_TEST_STOP_PORT=8069 ${GENERATORS_VERSION_PROPERTY}
\ No newline at end of file
+ mvn clean verify -U -DJETTY_TEST_HTTP_PORT=8070 -DJETTY_TEST_STOP_PORT=8069 ${GENERATORS_VERSION_PROPERTY}
+
+ - name: Download Wiz CLI
+ run: curl -o wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64 && chmod +x wizcli
+
+ - name: Authenticate to Wiz
+ run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
+ env:
+ WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
+ WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
+
+ - name: Scan Maven build directory with Wiz
+ run: |
+ ./wizcli dir scan \
+ --path . \
+ --policy "$POLICY" \
+ --tag repo="${{ github.repository }}" \
+ --tag commit="${{ github.sha }}" \
+ --tag java="${{ matrix.java }}" > /dev/null 2>&1
+ env:
+ POLICY: "SmartBear default vulnerabilities policy"
\ No newline at end of file
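Review bot: The `Download Wiz CLI` step fetches an unpinned `latest` binary with a bare `curl -o` and no integrity check, then runs it in the next step with `WIZ_CLIENT_SECRET` in its environment; a swapped or truncated artifact would execute unnoticed, and because `-f` is not set an HTTP error body would be saved and `chmod +x`'d rather than failing the step. Pin a release and verify a published digest before executing it — a sketch follows, with the version, digest and versioned URL path as placeholders to confirm against Wiz's release notes. Separately, the `> /dev/null 2>&1` on the `dir scan` step discards the findings and any auth or CLI error, so a red step has nothing to debug and a green one leaves no record; drop the redirect, or write the output to a file and upload it as an artifact. The enclosing job and its `steps:` list start outside the hunk, so the `matrix.java` tag's source and any job-level `permissions` are not visible here.
```yaml
      - name: Download Wiz CLI
        run: |
          curl -fsSL --retry 3 -o wizcli "https://downloads.wiz.io/wizcli/${WIZCLI_VERSION}/wizcli-linux-amd64"
          echo "${WIZCLI_SHA256}  wizcli" | sha256sum -c -
          chmod +x wizcli
        env:
          WIZCLI_VERSION: "<PINNED_WIZCLI_VERSION>"   # placeholder: the release you vetted
          WIZCLI_SHA256: "<SHA256_OF_THAT_RELEASE>"   # placeholder: digest published for it
      # … unchanged: Authenticate to Wiz and Scan Maven build directory steps …
```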