Scanning (#630)

## Objective Introduces a new GitHub Actions workflow named `Scan` in the `.github/workflows/scan.yml` file. The workflow is triggered on manual dispatch, push to the `main`, `rc`, and `hotfix-rc` branches, and when a pull request is opened or synchronized. The workflow includes two jobs: `sast` and `quality`. The `sast` job runs a Static Application Security Testing (SAST) scan using Checkmarx and uploads the results to GitHub. The `quality` job runs a quality scan using SonarCloud. * [`.github/workflows/scan.yml`](diffhunk://#diff-246cd0c2f7db532638dd80a92ac011f49b3d26038983a4c0169ea8f8a5c39280R1-R71): Added a new GitHub Actions workflow named `Scan`. This workflow is triggered on manual dispatch, push to the `main`, `rc`, and `hotfix-rc` branches, and when a pull request is opened or synchronized. The workflow includes two jobs: `sast` and `quality`. The `sast` job runs a Static Application Security Testing (SAST) scan using Checkmarx and uploads the results to GitHub. The `quality` job runs a quality scan using SonarCloud. ## Before you submit - Please add **unit tests** where it makes sense to do so
bitwarden · Mar 18, 2024 · 240c434 · 240c434
1 parent 8522822
commit 240c434
Showing 1 changed file with 71 additions and 0 deletions.
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -0,0 +1,71 @@
+name: Scan
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+      - "rc"
+      - "hotfix-rc"
+  pull_request_target:
+    types: [opened, synchronize]
+
+permissions: read-all
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
+  sast:
+    name: SAST scan
+    runs-on: ubuntu-22.04
+    needs: check-run
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{  github.event.pull_request.head.sha }}
+
+      - name: Scan with Checkmarx
+        uses: checkmarx/ast-github-action@749fec53e0db0f6404a97e2e0807c3e80e3583a7 #2.0.23
+        env:
+          INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
+        with:
+          project_name: ${{ github.repository }}
+          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          base_uri: https://ast.checkmarx.net/
+          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          additional_params: --report-format sarif --output-path . ${{ env.INCREMENTAL }}
+
+      - name: Upload Checkmarx results to GitHub
+        uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
+        with:
+          sarif_file: cx_result.sarif
+
+  quality:
+    name: Quality scan
+    runs-on: ubuntu-22.04
+    needs: check-run
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          ref: ${{  github.event.pull_request.head.sha }}
+
+      - name: Scan with SonarCloud
+        uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          args: >
+            -Dsonar.organization=${{ github.repository_owner }}
+            -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
+            -Dsonar.exclusions=languages/**