Merge pull request #12 from niscy-eudiw/fix/central_sec_workflows

centralized security workflows
eu-digital-identity-wallet · Feb 26, 2024 · fb4e3f9 · fb4e3f9
2 parents da395b3 + 0bc164e
commit fb4e3f9
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 102 deletions.
diff --git a/.github/workflows/dependencycheck.yml b/.github/workflows/dependencycheck.yml
@@ -1,29 +1,15 @@
-name: SCA - Dependency-Check
+name: SCA - Dependency-Check Caller
 on:
   push:
+    branches-ignore:
+      - 'dependabot/*'
   workflow_dispatch:
-
+  
 jobs:
-  Dependency_check:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Depcheck Action - SCA
-        uses: dependency-check/Dependency-Check_Action@main
-        id: Depcheck
-        with:
-          project: '${{ github.repository }}'
-          path: '.'
-          format: 'HTML'
-          out: 'reports' # this is the default, no need to specify unless you wish to override it
-          args: >
-            --enableRetired
-            --enableExperimental
-      - name: Upload results - SCA
-        uses: actions/upload-artifact@master
-        with:
-           name: Depcheck report
-           path: ${{github.workspace}}/reports
+
+ SCA_caller:
+      uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/sca.yml@main
+      secrets:
+       NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+       DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }}
+       DOJO_URL: ${{ secrets.DOJO_URL }}
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -1,27 +1,14 @@
-name: Secret Scanning - Gitleaks
+name: Secret Scanning - Gitleaks Caller
 on:
   push:
+    branches-ignore:
+      - 'dependabot/*'
   workflow_dispatch:
-    
+
 jobs:
-  Secret-Scanning:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
 
-      - name: Run Gitleaks from container
-        run: |
-            docker create --name GL --entrypoint /bin/bash --interactive --volume ${{ github.workspace }}:/src zricethezav/gitleaks 
-            docker start GL
-            docker exec GL git config --global --add safe.directory '/src'
-            docker exec --user $(id -u):$(id -g) GL gitleaks detect --source=/src --verbose -c /src/security/gitleaks/gitleaks.toml --report-path /src/gitleaks-report.json
-        continue-on-error: true
-
-      - name: upload_artifacts   
-        uses: actions/upload-artifact@v3
-        with:
-          name: Gitleaks Artifact Upload
-          path:  ${{ github.workspace }}/gitleaks-report.json
+  Secret_Scanning_caller:
+      uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/secretscanning.yml@main
+      secrets:
+       DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }}
+       DOJO_URL: ${{ secrets.DOJO_URL }}
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
@@ -1,62 +1,17 @@
-name: SAST - SonarCloud
+name: SAST - SonarCloud Caller
 on:
   push:
+    branches-ignore:
+      - 'dependabot/*'
   pull_request_target:
   workflow_dispatch:
 
 jobs:
-  check_secret:
-    name: Check secret presence
-    runs-on: ubuntu-latest
-    steps:
-    - run: if [[ -z "$SONAR_TOKEN" ]]; then exit 1; else echo "Secret exists. The workflow will be continued"; fi
-    env:
+
+   SAST_caller:
+      uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/sast_action.yml@main
+      secrets:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
-  P_WD_analysis:
-    name: SAST - SonarCloud - Push/WD analysis
-    needs: check_secret
-    runs-on: ubuntu-latest
-    if: (github.event_name == 'push'|| github.event_name == 'workflow_dispatch')
-    steps:
-      - name: Checkout action
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-      - name: setup projectkey
-        run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV
-      - name: SonarCloud Scan - Action
-        uses: SonarSource/sonarcloud-github-action@master
-        with:
-            args: >
-                -Dsonar.organization=${{ github.repository_owner }}
-                -Dsonar.projectKey=${{ env.PROJECTKEY }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}  # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
-  PR_analysis:
-    name: SAST- SonarCloud - PR analysis
-    needs: check_secret
-    runs-on: ubuntu-latest
-    if: (github.event_name == 'pull_request_target')
-    steps:
-      - name: Checkout action
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: setup projectkey
-        run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV
-      - name: SonarCloud Scan - Action
-        uses: SonarSource/sonarcloud-github-action@master
-        with:
-            args: >
-                -Dsonar.organization=${{ github.repository_owner }}
-                -Dsonar.projectKey=${{ env.PROJECTKEY }}
-                -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
-                -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }}
-                -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}  # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+       DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }}
+       DOJO_URL: ${{ secrets.DOJO_URL }}