100 lines
3.0 KiB
YAML
100 lines
3.0 KiB
YAML
on:
|
||
workflow_call:
|
||
secrets:
|
||
SONARQUBE_HOST:
|
||
required: true
|
||
SONARQUBE_TOKEN:
|
||
required: true
|
||
DEPENDENCYTRACK_URL:
|
||
required: true
|
||
DEPENDENCYTRACK_API_KEY:
|
||
required: true
|
||
DEPENDENCYTRACK_PROJECT_UUID:
|
||
required: true
|
||
|
||
name: Quality Gate
|
||
jobs:
|
||
sonarqube:
|
||
name: SonarQube
|
||
runs-on: ubuntu-latest
|
||
|
||
steps:
|
||
- name: Checkout source code
|
||
uses: actions/checkout@master
|
||
with:
|
||
fetch-depth: 0
|
||
|
||
- name: SonarQube Scan
|
||
uses: sonarsource/sonarqube-scan-action@master
|
||
env:
|
||
SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
|
||
SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
|
||
|
||
trivy:
|
||
name: SBOM & Dependency Track
|
||
runs-on: ubuntu-latest
|
||
|
||
steps:
|
||
- name: Checkout
|
||
uses: actions/checkout@v4
|
||
|
||
- name: Install Trivy
|
||
run: |
|
||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
|
||
| sh -s -- -b /usr/local/bin
|
||
trivy --version
|
||
|
||
- name: Generate SBOM
|
||
run: |
|
||
trivy fs . \
|
||
--format cyclonedx \
|
||
--output sbom.json \
|
||
--quiet
|
||
echo "✅ SBOM generated"
|
||
|
||
- name: Upload SBOM to Dependency-Track
|
||
run: |
|
||
HTTP_STATUS=$(curl --silent \
|
||
--output /tmp/dt-response.json \
|
||
--write-out "%{http_code}" \
|
||
-X POST "${{ secrets.DEPENDENCYTRACK_URL }}/api/v1/bom" \
|
||
-H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_API_KEY }}" \
|
||
-H "Content-Type: multipart/form-data" \
|
||
-F "project=${{ secrets.DEPENDENCYTRACK_PROJECT_UUID }}" \
|
||
-F "bom=@sbom.json")
|
||
|
||
echo "Response: $(cat /tmp/dt-response.json)"
|
||
|
||
if [ "$HTTP_STATUS" -ne 200 ]; then
|
||
echo "❌ Upload failed – HTTP Status: ${HTTP_STATUS}"
|
||
exit 1
|
||
fi
|
||
|
||
echo "✅ SBOM uploaded"
|
||
|
||
- name: Check Dependency-Track Results
|
||
run: |
|
||
echo "⏳ Wait for results..."
|
||
sleep 15
|
||
|
||
curl --silent \
|
||
"${{ secrets.DEPENDENCYTRACK_URL }}/api/v1/metrics/project/${{ secrets.DEPENDENCYTRACK_PROJECT_UUID }}/current" \
|
||
-H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_API_KEY }}" \
|
||
| python3 -c "
|
||
import sys, json
|
||
d = json.load(sys.stdin)
|
||
critical = d.get('critical', 0)
|
||
high = d.get('high', 0)
|
||
medium = d.get('medium', 0)
|
||
low = d.get('low', 0)
|
||
print(f'┌─ Dependency-Track Results ────')
|
||
print(f'│ Critical : {critical}')
|
||
print(f'│ High : {high}')
|
||
print(f'│ Medium : {medium}')
|
||
print(f'│ Low : {low}')
|
||
print(f'└───────────────────────────────')
|
||
if critical > 0:
|
||
print('❌ Critical found!')
|
||
sys.exit(1)
|
||
print('✅ Passed')
|
||
" |