Feature/request param validation #1010
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Anchore security scan | |
on: | |
push: | |
branches: | |
- develop | |
pull_request: | |
types: [opened, synchronize, reopened] | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout project | |
uses: actions/checkout@v4 | |
- name: Set up JDK 21 | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: '21' | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@v4 | |
- name: Assemble project | |
run: ./gradlew assemble | |
- name: Upload jars artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: jars | |
path: | | |
api-gateway/build/libs | |
search-service/build/libs | |
subscription-service/build/libs | |
anchore: | |
runs-on: ubuntu-latest | |
needs: build | |
steps: | |
- name: Checkout project | |
uses: actions/checkout@v4 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Download jars artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: jars | |
path: build | |
- name: Build API Gateway local container | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./api-gateway/Dockerfile | |
tags: localbuild/api-gateway:latest-scan | |
push: false | |
load: true | |
build-args: | | |
JAR_FILE=./build/api-gateway/build/libs/api-gateway-latest-dev.jar | |
- name: Build Search Service local container | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./search-service/Dockerfile | |
tags: localbuild/search-service:latest-scan | |
push: false | |
load: true | |
build-args: | | |
JAR_FILE=./build/search-service/build/libs/search-service-latest-dev.jar | |
- name: Build Subscription Service local container | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./subscription-service/Dockerfile | |
tags: localbuild/subscription-service:latest-scan | |
push: false | |
load: true | |
build-args: | | |
JAR_FILE=./build/subscription-service/build/libs/subscription-service-latest-dev.jar | |
- name: Security Scan for API Gateway image | |
id: scan-api-gateway | |
uses: anchore/scan-action@v5 | |
with: | |
image: "localbuild/api-gateway:latest-scan" | |
severity-cutoff: critical | |
- name: Security Scan for Search Service image | |
id: scan-search-service | |
uses: anchore/scan-action@v5 | |
with: | |
image: "localbuild/search-service:latest-scan" | |
severity-cutoff: critical | |
- name: Security Scan for Subscription Service image | |
id: scan-subscription-service | |
uses: anchore/scan-action@v5 | |
with: | |
image: "localbuild/subscription-service:latest-scan" | |
severity-cutoff: critical | |
- name: Upload Anchore scan SARIF report for API Gateway | |
uses: github/codeql-action/upload-sarif@v3 | |
if: always() | |
with: | |
sarif_file: ${{ steps.scan-api-gateway.outputs.sarif }} | |
category: anchore-api-gateway | |
- name: Upload Anchore scan SARIF report for Search Service | |
uses: github/codeql-action/upload-sarif@v3 | |
if: always() | |
with: | |
sarif_file: ${{ steps.scan-search-service.outputs.sarif }} | |
category: anchore-search-service | |
- name: Upload Anchore scan SARIF report for Subscription Service | |
uses: github/codeql-action/upload-sarif@v3 | |
if: always() | |
with: | |
sarif_file: ${{ steps.scan-subscription-service.outputs.sarif }} | |
category: anchore-subscription-service |