chore: [SRTP-114] create pipeline ci (#22)

pagopa · Nov 25, 2024 · 351d5da · 351d5da
1 parent 7467729
commit 351d5da
Show file tree

Hide file tree

Showing 4 changed files with 191 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,54 @@
+name: Continuous Integration
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    types:
+      - opened
+      - edited
+      - synchronize
+#    paths:
+#      - 'src/*'
+
+jobs:
+  scan-sonar:
+    runs-on: ubuntu-22.04
+    environment: ci
+
+    steps:
+      - name: "Checkout the source code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: "Set up JDK 21"
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
+        with:
+          java-version: 21
+          distribution: temurin
+
+      - name: "Cache Gradle packages"
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        with:
+          path: ~/.gradle/caches
+          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
+          restore-keys: ${{ runner.os }}-gradle
+
+      - name: "Cache SonarCloud packages"
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+
+      - name: "Build and analyze"
+        run: ./gradlew build jacocoTestReport sonar --info
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  scan-cve:
+    uses: ./.github/workflows/scan-cve.yml
+    secrets: inherit
diff --git a/.github/workflows/scan-cve.yml b/.github/workflows/scan-cve.yml
@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Trivy tool, and integrates the results with GitHub Advanced Security
+# code scanning feature.
+name: Container Scan
+
+on:
+  workflow_call:
+  schedule:
+    - cron: '00 07 * * *'
+
+permissions:
+  contents: read
+
+env:
+  DOCKERFILE: src/main/docker/Dockerfile
+
+jobs:
+  BuildAndScan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    outputs:
+        CVE_CRITICAL: ${{env.CVE_CRITICAL}}
+        CVE_HIGH: ${{env.CVE_HIGH}}
+        CVE_MEDIUM: ${{env.CVE_MEDIUM}}
+    steps:
+      - name: "Checkout the code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+
+      - name: "Build the Docker image"
+        run: docker build . --file ${{ env.DOCKERFILE }} --target cve --tag localbuild/testimage:latest
+
+      - name: "Run the Trivy scan action itself with GitHub Advanced Security code scanning integration enabled"
+        id: scan
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        with:
+          image-ref: "localbuild/testimage:latest"
+          format: 'sarif'
+          output: 'results.sarif'
+
+      - name: "Upload Anchore Scan Report"
+        uses: github/codeql-action/upload-sarif@cbe18979603527f12c7871a6eb04833ecf1548c7 # CodeQL Bundle v2.19.3
+        with:
+          sarif_file: 'results.sarif'
+
+      - name: "CVE Description escaped extraction and print"
+        run: |
+          SCAN_RESULTS=$(jq -r 'try .runs[0].tool.driver.rules | map(.help.text) | join("\\n")' results.sarif)
+          echo "CVE_CRITICAL=$(echo $SCAN_RESULTS | grep -o CRITICAL | wc -l)" >> $GITHUB_ENV
+          echo "CVE_HIGH=$(echo $SCAN_RESULTS | grep -o HIGH | wc -l)" >> $GITHUB_ENV
+          echo "CVE_MEDIUM=$(echo $SCAN_RESULTS | grep -o MEDIUM | wc -l)" >> $GITHUB_ENV
+          
+          echo $SCAN_RESULTS
+
+      - name: "Fails if CVE HIGH or CRITICAL are detected"
+        id: cve-threshold
+        if: env.CVE_HIGH > 0 || env.CVE_CRITICAL > 0
+        run: exit 1
+
+  SendSlackNotification:
+    needs: BuildAndScan
+    uses: ./.github/workflows/send-notification.yml
+    if: github.event_name == 'schedule' && needs.BuildAndScan.steps.cve-threshold.outcome == 'failure'
+    with:
+      CVE_CRITICAL: ${{needs.BuildAndScan.outputs.CVE_CRITICAL}}
+      CVE_HIGH: ${{needs.BuildAndScan.outputs.CVE_HIGH}}
+      CVE_MEDIUM: ${{needs.BuildAndScan.outputs.CVE_MEDIUM}}
+    secrets: inherit
+
diff --git a/.github/workflows/send-notification.yml b/.github/workflows/send-notification.yml
@@ -0,0 +1,40 @@
+name: "Send notification"
+
+on:
+  workflow_call:
+    inputs:
+      CVE_CRITICAL:
+        required: true
+        type: string
+      CVE_HIGH:
+        required: true
+        type: string
+      CVE_MEDIUM:
+        required: true
+        type: string
+    secrets:
+      CVE_SCAN_SLACK_WEBHOOK:
+        required: true
+
+jobs:
+  Notify:
+    name: Notify Slack
+    runs-on: ubuntu-latest
+    environment: cstar-d-weu-rtp
+    steps:
+      - name: Send notification to Slack
+        id: slack
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02dz #v2.0.0
+        with:
+          webhook: ${{ secrets.CVE_SCAN_SLACK_WEBHOOK }}
+          webhook-type: incoming-webhook
+          payload: |
+            blocks:
+              - type: "header"
+                text:
+                  type: "plain_text"
+                  text: "[ ${{ github.event.repository.name }} ]"
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: " `CRITICAL` : *${{ inputs.CVE_CRITICAL }}*\n\n`HIGH` : *${{ inputs.CVE_HIGH }}*\n\n`MEDIUM` : *${{ inputs.CVE_MEDIUM }}*\n\n<https://github.com/${{ github.repository }}/security/code-scanning |See details on GitHub>"
diff --git a/build.gradle b/build.gradle
@@ -4,6 +4,8 @@ plugins {
 	id 'io.spring.dependency-management' version '1.1.6'
 	id 'org.graalvm.buildtools.native' version '0.10.3'
 	id("org.openapi.generator") version "7.5.0"
+	id "org.sonarqube" version "6.0.0.5145"
+	id 'jacoco'
 }
 
 group = 'it.gov.pagopa'
@@ -96,3 +98,22 @@ openApiGenerate {
         "zoned-date-time" : "java.time.ZonedDateTime"
     ])
 }
+
+test {
+	finalizedBy jacocoTestReport // report is always generated after tests run
+}
+
+jacocoTestReport {
+	dependsOn test
+	reports {
+		xml.required = true
+	}
+}
+
+sonarqube {
+	properties {
+		property 'sonar.host.url', 'https://sonarcloud.io'
+		property 'sonar.organization', 'pagopa'
+		property 'sonar.projectKey', 'pagopa_rtp-activator'
+	}
+}