diff --git a/.github/actions/scan-with-blackduck/action.yml b/.github/actions/scan-with-blackduck/action.yml new file mode 100644 index 0000000..6543555 --- /dev/null +++ b/.github/actions/scan-with-blackduck/action.yml 
@@ -0,0 +1,62 @@ +name: Scan with BlackDuck +description: Scans the project with BlackDuck + +inputs: + blackduck_token: + description: The token to use for BlackDuck authentication + required: true + github_token: + description: The token to use for GitHub authentication + required: true + java-version: + description: The version of Java to use + default: '17' + required: false + maven-version: + description: The Maven version the build shall run with. + required: true + scan_mode: + description: The scan mode to use (FULL or RAPID) + default: 'RAPID' + required: false + +runs: + using: composite + steps: + - name: Set up Java ${{ inputs.java-version }} + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 + with: + java-version: ${{ inputs.java-version }} + distribution: sapmachine + cache: maven + + - name: Set up Maven ${{ inputs.maven-version }} + uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 + with: + maven-version: ${{ inputs.maven-version }} + + - name: Get Revision + id: get-revision + run: | + echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT + shell: bash + + - name: BlackDuck Security Scan + uses: blackduck-inc/black-duck-security-scan@659a0742e793a093377fab3117b0d90f23b04bfa # v2.9.0 + with: + blackducksca_url: https://sap.blackducksoftware.com/ + blackducksca_token: ${{ inputs.blackduck_token }} + blackducksca_scan_full: ${{ inputs.scan_mode == 'FULL' }} + github_token: ${{ inputs.github_token }} + detect_args: > + --detect.project.name=sap.capire.plugin-template-emoji + --detect.project.version.name=${{ steps.get-revision.outputs.REVISION }} + --detect.included.detector.types=MAVEN + --detect.excluded.directories=**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar,**/samples/** + --detect.tools=DETECTOR,BINARY_SCAN + --detect.risk.report.pdf=false + --logging.level.detect=INFO + env: + BLACKDUCKSCA_TOKEN: ${{ inputs.blackduck_token }} + 
BLACKDUCKSCA_URL: https://sap.blackducksoftware.com/ + BLACKDUCK_API_TOKEN: ${{ inputs.blackduck_token }} diff --git a/.github/actions/scan-with-codeql/action.yml b/.github/actions/scan-with-codeql/action.yml new file mode 100644 index 0000000..88e7f91 --- /dev/null +++ b/.github/actions/scan-with-codeql/action.yml @@ -0,0 +1,45 @@ +name: Scan with CodeQL +description: Scans the project with CodeQL + +inputs: + java-version: + description: The Java version to use for the build. + required: true + maven-version: + description: The Maven version to use for the build. + required: true + +runs: + using: composite + steps: + - name: Set up Java ${{ inputs.java-version }} + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 + with: + java-version: ${{ inputs.java-version }} + distribution: sapmachine + cache: maven + + - name: Set up Maven ${{ inputs.maven-version }} + uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 + with: + maven-version: ${{ inputs.maven-version }} + + - name: Initialize CodeQL + uses: github/codeql-action/init@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4 + with: + languages: java-kotlin + build-mode: manual + queries: security-extended + + - name: Install @sap/cds-dk + run: npm i -g @sap/cds-dk + shell: bash + + - name: Build Java code + run: mvn clean compile -B -ntp -Dcds.install-node.skip + shell: bash + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4 + with: + category: "/language:java-kotlin"
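Review bot: The `Get Revision` step passes even when `mvn help:evaluate` fails, because the command substitution sits inside the `echo` argument and only `echo`'s exit status reaches `set -e`, so whatever Maven printed (possibly nothing) becomes `REVISION` and is handed to Black Duck as `--detect.project.version.name`. Assign first so a Maven failure stops the step, then reject an empty value: `REVISION=$(mvn -B -ntp help:evaluate -Dexpression=revision -q -DforceStdout)`, `[ -n "$REVISION" ] || { echo "::error::could not resolve project revision"; exit 1; }`, `echo "REVISION=$REVISION" >> "$GITHUB_OUTPUT"` (quoting `$GITHUB_OUTPUT` as well). The project name `sap.capire.plugin-template-emoji` is hard-coded in `detect_args` while every other value is an input, so a copy of this template action reports findings under the wrong Black Duck project unless `--detect.project.name` is also made an input. The Black Duck token is passed three ways (`blackducksca_token` input plus the `BLACKDUCKSCA_TOKEN` and `BLACKDUCK_API_TOKEN` env vars) and the URL twice; keeping a single path, the documented `with:` inputs, makes it clear where the secret flows. Finally `scan_mode` accepts any string and anything other than exactly `FULL` silently runs a rapid scan, so the input description should state that the value is case-sensitive, or a step should fail on unknown values.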
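Review bot: `npm i -g @sap/cds-dk` in the `Install @sap/cds-dk` step installs whatever version is current on the npm registry at run time, while every `uses:` in the same file is pinned to a commit SHA, so the one unpinned component is a tool that takes part in the build CodeQL analyzes. Pin it, e.g. `npm i -g @sap/cds-dk@<pinned-version>`, or expose the version as an input alongside `java-version` and `maven-version`, so a registry-side change cannot alter the analyzed build silently. The action also relies on the calling workflow having already run `actions/checkout`; neither this action nor the sibling `scan-with-codeql`/`scan-with-blackduck` pair says so, so the `description` should add something like `Expects the repository to be checked out by the calling workflow.`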