Bump securego/gosec from 417a44c73be12f54ac1732daaca952f3d3a0ba9d to 40f29c8d4abf59af475a79f6aa0268c296319501 #17035
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| pull_request: | |
| branches: | |
| - 'main' | |
| - 'release/**' | |
| push: | |
| branches: | |
| - 'main' | |
| - 'release/**' | |
| tags: | |
| - 'v*' | |
| defaults: | |
| run: | |
| shell: bash | |
| permissions: | |
| contents: read | |
| env: | |
| LC_ALL: C.UTF-8 | |
| jobs: | |
| dependencies: | |
| name: Dependency Check | |
| runs-on: [self-hosted, Linux, large, ephemeral] | |
| if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Code | |
| uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
| - name: Setup Node | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
| with: | |
| node-version: 21 | |
| - name: Install JDK | |
| uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 | |
| with: | |
| distribution: temurin | |
| java-version: 21 | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2 | |
| with: | |
| gradle-home-cache-includes: | | |
| caches | |
| notifications | |
| jdks | |
| dependency-check-data | |
| # write a cache on all executions to ensure the NVD data stays up-to-date | |
| cache-read-only: false | |
| - name: Vulnerability check | |
| env: | |
| NVD_API_KEY: ${{ secrets.NVD_API_KEY }} | |
| run: ./gradlew dependencyCheckAggregate | |
| - name: Upload report | |
| uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
| if: failure() | |
| with: | |
| name: dependency-check-report | |
| path: build/reports/dependency-check-report.html | |
| gosec: | |
| name: GoSec Code Scan | |
| env: | |
| GO111MODULE: on | |
| runs-on: [self-hosted, Linux, large, ephemeral] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Code | |
| uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
| with: | |
| path: tmp | |
| - name: Copy hedera-mirror-rosetta to workspace root | |
| working-directory: . | |
| run: | | |
| cp -r tmp/hedera-mirror-rosetta/* . | |
| rm -fr tmp | |
| - name: Setup Node | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
| with: | |
| node-version: 21 | |
| - name: Setup GoLang | |
| uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
| with: | |
| go-version: 1.22 | |
| - name: Run Gosec Security Scanner | |
| uses: securego/gosec@40f29c8d4abf59af475a79f6aa0268c296319501 # master | |
| with: | |
| args: ./... | |
| sonar: | |
| if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') | |
| name: SonarCloud | |
| runs-on: [self-hosted, Linux, large, ephemeral] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Code | |
| uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
| with: | |
| fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
| - name: Setup Node | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
| with: | |
| node-version: 21 | |
| - name: Install JDK | |
| uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 | |
| with: | |
| distribution: temurin | |
| java-version: 21 | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2 | |
| - name: Cache SonarCloud dependencies | |
| uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
| with: | |
| path: ~/.sonar/cache | |
| key: ${{ runner.os }}-sonar | |
| restore-keys: ${{ runner.os }}-sonar | |
| - name: Execute Gradle | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| run: ./gradlew build sonar -x test | |
| snyk: | |
| if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') | |
| name: Snyk Open Source | |
| runs-on: [self-hosted, Linux, large, ephemeral] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Code | |
| uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
| - name: Setup Node | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
| with: | |
| node-version: 21 | |
| - name: Install JDK | |
| uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 | |
| with: | |
| distribution: temurin | |
| java-version: 21 | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2 | |
| - name: Setup Snyk | |
| run: npm install -g snyk-to-html @wcj/html-to-markdown-cli | |
| - name: Execute Snyk Test | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: ./gradlew snyk-test | |
| - name: Publish Snyk Results | |
| continue-on-error: true | |
| if: ${{ !cancelled() && always() }} | |
| run: | | |
| report="build/reports/snyk-test" | |
| if [[ -f ${report}.json ]]; then | |
| snyk-to-html -i ${report}.json -o ${report}.html && \ | |
| html-to-markdown ${report}.html -o build/reports && \ | |
| cat ${report}.html.md >> $GITHUB_STEP_SUMMARY | |
| fi | |
| snyk-code: | |
| if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') | |
| name: Snyk Code | |
| runs-on: [self-hosted, Linux, large, ephemeral] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Code | |
| uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
| - name: Setup Node | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
| with: | |
| node-version: 21 | |
| - name: Install JDK | |
| uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 | |
| with: | |
| distribution: temurin | |
| java-version: 21 | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2 | |
| - name: Setup Snyk | |
| run: npm install -g snyk-to-html @wcj/html-to-markdown-cli | |
| - name: Execute Snyk Code Test | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: ./gradlew snyk-code | |
| - name: Publish Snyk Results | |
| continue-on-error: true | |
| if: ${{ !cancelled() && always() }} | |
| run: | | |
| report="build/reports/snyk-code" | |
| if [[ -f ${report}.json ]]; then | |
| snyk-to-html -i ${report}.json -o ${report}.html && \ | |
| html-to-markdown ${report}.html -o build/reports && \ | |
| cat ${report}.html.md >> $GITHUB_STEP_SUMMARY | |
| fi |