Merge pull request #1199 from acpcreation/main

feat: Added Sonatype SCA Scan to project
finos · Dec 3, 2024 · 87cf242 · 87cf242
2 parents 3e61205 + c7131ca
commit 87cf242
Showing 1 changed file with 53 additions and 16 deletions.
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -6,6 +6,13 @@ on:
     branches: [main]
   pull_request:
     branches: [main]
+
+env:
+  SonatypeUrl: "https://finos.sonatype.app/platform/"
+  SonatypeAppId: "morphir-elm"
+  SonatypeScanTarget: "."
+  ExcludeDirectory: "**/docs/ **/.*'"
+
 jobs:
   # building project
   build:
@@ -48,28 +55,58 @@ jobs:
       - name: Running Test
         run: npm test
 
-  # CVE scanning
-  cvescan:
-    name: CVE Scanning
-    runs-on: ubuntu-latest
-    needs: [build]
-    strategy:
-      matrix:
-        node-version: [18.x]
-    steps:
-      - uses: actions/checkout@v4
-      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+      ###########################
+      ## Sonatype SCA Scanning ##
+      ###########################
+      - name: Sonatype Lifecycle SCA Scan
+        if: github.repository_owner == 'finos'
+        id: evaluate
+        uses: sonatype/actions/evaluate@v1
         with:
-          node-version: ${{ matrix.node-version }}
-      - run: npm ci
-      - run: npx --yes auditjs ossi --whitelist allow-list.json
+          iq-server-url: ${{ env.SonatypeUrl }}
+          username: ${{ secrets.SONATYPE_SCANNER_USERNAME }}
+          password: ${{ secrets.SONATYPE_SCANNER_PASSWORD }}
+          application-id: ${{ env.SonatypeAppId }}
+          stage: "build"
+          scan-targets: ${{ env.SonatypeScanTarget }}
+          module-exclude: ${{ env.ExcludeDirectory }}
+
+      - name: Save Sonatype SBOM
+        uses: sonatype/actions/fetch-sbom@v1
+        if: always() && steps.evaluate.outputs.scan-id
+        with:
+          iq-server-url: ${{ env.SonatypeUrl }}
+          username: ${{ secrets.SONATYPE_SCANNER_USERNAME }}
+          password: ${{ secrets.SONATYPE_SCANNER_PASSWORD }}
+          application-id: ${{ env.SonatypeAppId }}
+          scan-id: ${{ steps.evaluate.outputs.scan-id }}
+          sbom-standard: spdx
+          sbom-version: 2.3
+          artifact-name: ${{ env.SonatypeAppId }}-bom
+
+  # CVE scanning
+  # cvescan:
+  #   name: CVE Scanning
+  #   runs-on: ubuntu-latest
+  #   needs: [build]
+  #   strategy:
+  #     matrix:
+  #       node-version: [18.x]
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #     - name: Use Node.js ${{ matrix.node-version }}
+  #       uses: actions/setup-node@v4
+  #       with:
+  #         node-version: ${{ matrix.node-version }}
+  #     - run: npm ci
+  #     - run: npx --yes auditjs ossi --whitelist allow-list.json
 
   # Semgrep static code analysis
   semgrep:
     name: Semgrep
     runs-on: ubuntu-latest
-    needs: [cvescan]
+    # needs: [cvescan]
+    needs: [build]
     container:
       # A Docker image with Semgrep installed. Don't change this.
       image: returntocorp/semgrep