feat: add quality gate workflow

2026-03-20 17:25:33 +01:00
commit b7e09d4745
1 changed files with 100 additions and 0 deletions
--- a/.github/workflows/quality_gate.yaml
+++ b/.github/workflows/quality_gate.yaml
@@ -0,0 +1,100 @@
+on:
+  workflow_call:
+    secrets:
+      SONARQUBE_HOST:
+        required: true
+      SONARQUBE_TOKEN:
+        required: true
+      DEPENDENCYTRACK_URL:
+        required: true
+      DEPENDENCYTRACK_API_KEY:
+        required: true
+      DEPENDENCYTRACK_PROJECT_UUID:
+        required: true
+
+name: Quality Gate
+jobs:
+  sonarqube:
+    name: SonarQube
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout source code
+      uses: actions/checkout@master
+      with:
+        fetch-depth: 0
+
+    - name: SonarQube Scan
+      uses: sonarsource/sonarqube-scan-action@master
+      env:
+        SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
+        SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
+
+  trivy:
+    name: SBOM & Dependency Track
+    runs-on: ubuntu-latest
+ 
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+ 
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
+            | sh -s -- -b /usr/local/bin
+          trivy --version
+ 
+      - name: Generate SBOM
+        run: |
+          trivy fs . \
+            --format cyclonedx \
+            --output sbom.json \
+            --quiet
+          echo "✅ SBOM generated"
+ 
+      - name: Upload SBOM to Dependency-Track
+        run: |
+          HTTP_STATUS=$(curl --silent \
+            --output /tmp/dt-response.json \
+            --write-out "%{http_code}" \
+            -X POST "${{ secrets.DEPENDENCYTRACK_URL }}/api/v1/bom" \
+            -H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_API_KEY }}" \
+            -H "Content-Type: multipart/form-data" \
+            -F "project=${{ secrets.DEPENDENCYTRACK_PROJECT_UUID }}" \
+            -F "bom=@sbom.json")
+ 
+          echo "Response: $(cat /tmp/dt-response.json)"
+ 
+          if [ "$HTTP_STATUS" -ne 200 ]; then
+            echo "❌ Upload failed – HTTP Status: ${HTTP_STATUS}"
+            exit 1
+          fi
+ 
+          echo "✅ SBOM uploaded"
+ 
+      - name: Check Dependency-Track Results
+        run: |
+          echo "⏳ Wait for results..."
+          sleep 15
+ 
+          curl --silent \
+            "${{ secrets.DEPENDENCYTRACK_URL }}/api/v1/metrics/project/${{ secrets.DEPENDENCYTRACK_PROJECT_UUID }}/current" \
+            -H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_API_KEY }}" \
+            | python3 -c "
+          import sys, json
+          d = json.load(sys.stdin)
+          critical = d.get('critical', 0)
+          high     = d.get('high', 0)
+          medium   = d.get('medium', 0)
+          low      = d.get('low', 0)
+          print(f'┌─ Dependency-Track Results ────')
+          print(f'│  Critical : {critical}')
+          print(f'│  High     : {high}')
+          print(f'│  Medium   : {medium}')
+          print(f'│  Low      : {low}')
+          print(f'└───────────────────────────────')
+          if critical > 0:
+              print('❌ Critical found!')
+              sys.exit(1)
+          print('✅ Passed')
+          "