feat: split sonarqube and trivy in 2 workflows

2026-03-20 18:00:19 +01:00
parent b7e09d4745
commit e5fa2269f3
2 changed files with 26 additions and 21 deletions
--- a/.github/workflows/trivy_fs.yaml
+++ b/.github/workflows/trivy_fs.yaml
@@ -0,0 +1,80 @@
+on:
+  workflow_call:
+    secrets:
+      DEPENDENCYTRACK_URL:
+        required: true
+      DEPENDENCYTRACK_API_KEY:
+        required: true
+      DEPENDENCYTRACK_PROJECT_UUID:
+        required: true
+
+name: Trivy
+jobs:
+  trivy:
+    name: SBOM & Dependency Track
+    runs-on: ubuntu-latest
+ 
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+ 
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
+            | sh -s -- -b /usr/local/bin
+          trivy --version
+ 
+      - name: Generate SBOM
+        run: |
+          trivy fs . \
+            --format cyclonedx \
+            --output sbom.json \
+            --quiet
+          echo "✅ SBOM generated"
+ 
+      - name: Upload SBOM to Dependency-Track
+        run: |
+          HTTP_STATUS=$(curl --silent \
+            --output /tmp/dt-response.json \
+            --write-out "%{http_code}" \
+            -X POST "${{ secrets.DEPENDENCYTRACK_URL }}/api/v1/bom" \
+            -H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_API_KEY }}" \
+            -H "Content-Type: multipart/form-data" \
+            -F "project=${{ secrets.DEPENDENCYTRACK_PROJECT_UUID }}" \
+            -F "bom=@sbom.json")
+ 
+          echo "Response: $(cat /tmp/dt-response.json)"
+ 
+          if [ "$HTTP_STATUS" -ne 200 ]; then
+            echo "❌ Upload failed – HTTP Status: ${HTTP_STATUS}"
+            exit 1
+          fi
+ 
+          echo "✅ SBOM uploaded"
+ 
+      - name: Check Dependency-Track Results
+        run: |
+          echo "⏳ Wait for results..."
+          sleep 15
+ 
+          curl --silent \
+            "${{ secrets.DEPENDENCYTRACK_URL }}/api/v1/metrics/project/${{ secrets.DEPENDENCYTRACK_PROJECT_UUID }}/current" \
+            -H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_API_KEY }}" \
+            | python3 -c "
+          import sys, json
+          d = json.load(sys.stdin)
+          critical = d.get('critical', 0)
+          high     = d.get('high', 0)
+          medium   = d.get('medium', 0)
+          low      = d.get('low', 0)
+          print(f'┌─ Dependency-Track Results ────')
+          print(f'│  Critical : {critical}')
+          print(f'│  High     : {high}')
+          print(f'│  Medium   : {medium}')
+          print(f'│  Low      : {low}')
+          print(f'└───────────────────────────────')
+          if critical > 0:
+              print('❌ Critical found!')
+              sys.exit(1)
+          print('✅ Passed')
+          "