Skip to content

chore: Added trufflehog secret scanning tool #1358

chore: Added trufflehog secret scanning tool

chore: Added trufflehog secret scanning tool #1358

Workflow file for this run

name: IRS build
on:
workflow_dispatch: # Trigger manually
pull_request:
paths-ignore:
- '**/*.md'
- '**/*.txt'
- 'charts/**'
- '.config/**'
- 'docs/**'
- '!docs/src/api/**'
- 'local/**'
- 'CHANGELOG.md'
push:
branches:
- main
tags:
- '**'
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Cache maven packages
uses: actions/cache@v4
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Build with Maven
run: |
mvn clean verify --batch-mode
check_sonar_configured:
runs-on: ubuntu-latest
steps:
- name: check_sonar_configured
run: |
echo "Checking if sonar is configured: ${{ env.SONAR_CONFIGURED }}"
env:
SONAR_CONFIGURED: ${{ secrets.SONAR_TOKEN != '' && secrets.SONAR_PROJECT_KEY != '' && secrets.SONAR_ORGANIZATION != '' }}
outputs:
sonar_configured: ${{ env.SONAR_CONFIGURED }}
analyze_with_Sonar:
needs: [check_sonar_configured]
# No need to run if we cannot use the sonar token
if: >-
needs.check_sonar_configured.outputs.sonar_configured == 'true'
&& (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
&& github.actor != 'dependabot[bot]'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of sonar analysis
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Cache maven packages
uses: actions/cache@v4
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Cache SonarCloud packages
uses: actions/cache@v4
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Analyze with Sonar
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: |
mvn --batch-mode --update-snapshots verify \
org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
-Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }} -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }} \
-Dcheckstyle.skip -Dpmd.skip=true
build_images:
env:
IMAGE_NAMESPACE: tractusx
IMAGE_NAME: irs-api
TARGET_PLATFORMS: "linux/amd64" # add 'linux/arm64' once the upgrade to JDK 21 is done
runs-on: ubuntu-latest
outputs:
image-tag: ${{ steps.version.outputs.image_tag }}
steps:
- uses: actions/checkout@v4
# Needed to create multi-platform image
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
# Needed to create multi-platform image
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
# Create SemVer or ref tags dependent of trigger event
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
# Automatically prepare image tags; See action docs for more examples.
# semver patter will generate tags like these for example :1 :1.2 :1.2.3
tags: |
type=ref,event=branch
type=ref,event=pr
type=sha,prefix=,format=long
type=semver,pattern={{version}}
type=semver,pattern={{major}}
type=semver,pattern={{major}}.{{minor}}
- name: DockerHub login
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
# Use existing DockerHub credentials present as secrets
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
# Needed to create multi-platform image
platforms: ${{ env.TARGET_PLATFORMS }}
# Build image for verification purposes on every trigger event. Only push if event is not a PR
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# https://github.com/peter-evans/dockerhub-description
- name: Update Docker Hub description
if: github.event_name != 'pull_request'
uses: peter-evans/dockerhub-description@v4
with:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
readme-filepath: ./DOCKER_NOTICE.md
trigger-trivy-image-scan:
if: github.event_name != 'pull_request'
needs:
- build_images
uses: ./.github/workflows/trivy-docker-hub-scan.yml