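# CI pipeline for the course repository:
#   1. SAST  – SonarCloud analysis through the Gradle plugin, then a Quality Gate check.
#   2. SCA   – OWASP Dependency-Check over the project dependencies.
# Triggered only by pushes to the feature-clase1 branch.
name: Workflow

on:
  push:
    branches:
      - feature-clase1

# Least privilege: nothing in this workflow writes back to the repository, so the
# GITHUB_TOKEN only needs read access to the contents. Artifact upload does not
# depend on this permission (it uses the runner's own token).
permissions:
  contents: read

jobs:
  SAST:
    runs-on: ubuntu-24.04
    defaults:
      run:
        # An explicit bash shell runs with `-o pipefail`, so a failing curl inside
        # a `curl | jq` pipeline fails the step instead of silently yielding "null".
        shell: bash
    steps:
      # NOTE(review): every third-party action below is referenced by a mutable
      # tag. For supply-chain hardening pin each `uses:` to a full commit SHA
      # (keep the tag in a trailing comment) and let Dependabot bump them.
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          # Nothing pushes back, so do not leave the token in .git/config where
          # the Gradle build (and any plugin it pulls in) could read it.
          persist-credentials: false

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          # 'adopt' was the legacy alias; AdoptOpenJDK builds are now Eclipse Temurin.
          distribution: 'temurin'

      - name: Set Environment Variables
        # The expression is passed through `env:` instead of being interpolated
        # into the script, so a crafted ref name cannot inject shell.
        env:
          REF_NAME: ${{ github.ref_name }}
        run: echo "BRANCH_NAME=$REF_NAME" >> "$GITHUB_ENV"

      - name: Validate and Configure build.gradle
        # No SonarCloud call happens here, so SONAR_TOKEN is deliberately not
        # exposed to this step.
        run: |
          set -euo pipefail
          if [ ! -f "build.gradle" ]; then
            echo "no se encontró archivo build.gradle"
            exit 1
          fi
          echo "Encontró el archivo"
          echo "Verificando configuracion del plugin sonar"
          # Accept either quote style. The previous grep required double quotes
          # while the sed insert wrote single quotes, so a committed single-quoted
          # plugin line was never recognised and the plugin was added twice.
          plugin_re="id[[:space:]]+[\"']org\.sonarqube[\"'][[:space:]]+version"
          if grep -Eq "$plugin_re" build.gradle; then
            echo "Plugin de sonarcloud ya está configurado en build.gradle"
          else
            echo "No se encuentra Plugin configurado"
            # Append the plugin right after the java plugin line (either quote style).
            sed -i -E "/id[[:space:]]+['\"]java['\"]/a \ \ \ \ id 'org.sonarqube' version '3.3'" build.gradle
            # `sed ... a` is a no-op when no java plugin line matched; fail loudly
            # instead of claiming success and then running a Gradle build that has
            # no `sonarqube` task.
            if ! grep -Eq "$plugin_re" build.gradle; then
              echo "::error::No se pudo añadir el plugin org.sonarqube a build.gradle (no se encontró la línea 'id java')"
              exit 1
            fi
            echo "Plugin de Sonarcloud acaba de ser añadido a build.gradle"
            cat build.gradle
          fi

      - name: Validate or Create SonarCloud Project
        id: validate-project
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          REPO_NAME: ${{ github.event.repository.name }}
          SONAR_ORG: devsecopsusach
        run: |
          set -euo pipefail
          api="https://sonarcloud.io/api"
          echo "Verificando si el proyecto $REPO_NAME existe en SonarCloud..."
          # /api/projects/search answers HTTP 200 even when nothing matches, so
          # the status code is not an existence test; count the results instead.
          # SonarCloud also requires `organization` on this endpoint. `-f` turns an
          # auth/permission error into a step failure rather than a bogus "create".
          total=$(curl -fsS -G -u "$SONAR_TOKEN:" \
            --data-urlencode "organization=$SONAR_ORG" \
            --data-urlencode "projects=$REPO_NAME" \
            "$api/projects/search" | jq -r '.paging.total // 0')
          if [ "$total" -eq 0 ]; then
            echo "El proyecto no existe. Creándolo en SonarCloud..."
            # NOTE(review): visibility=public exposes issues and code snippets to
            # anyone; use `private` unless the repository itself is public.
            create_response=$(curl -sS -w "%{http_code}" -o /dev/null -X POST -u "$SONAR_TOKEN:" \
              "$api/projects/create" \
              -d "name=$REPO_NAME" \
              -d "project=$REPO_NAME" \
              -d "organization=$SONAR_ORG" \
              -d "visibility=public")
            # Any 2xx is success. The old test (`-ne 201`) printed "creado" for
            # every non-201 status — including 400/401/403 — and never failed.
            case "$create_response" in
              2??)
                echo "Proyecto creado exitosamente (HTTP $create_response)."
                ;;
              *)
                echo "::error::No se pudo crear el proyecto en SonarCloud (HTTP $create_response)."
                exit 1
                ;;
            esac
            echo "Estableciendo la rama main como predeterminada..."
            curl -fsS -X POST -u "$SONAR_TOKEN:" \
              "$api/project_branches/rename" \
              -d "name=main" \
              -d "project=$REPO_NAME"
            echo "project_created=true" >> "$GITHUB_ENV"
          else
            echo "El proyecto ya existe en SonarCloud."
            echo "project_created=false" >> "$GITHUB_ENV"
          fi

      - name: Enable execution gradlew
        # Only the execute bit is needed; `chmod 777` made the wrapper world-writable.
        run: chmod +x gradlew

      # NOTE(review): org.sonarqube plugin 3.3 predates the `sonar.token` property
      # (it expected `sonar.login`). If authentication fails, pass
      # `-Dsonar.login="$SONAR_TOKEN"` or upgrade the plugin (and the task name).
      - name: Perform Initial Analysis (if Project Created)
        if: env.project_created == 'true'
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          REPO_NAME: ${{ github.event.repository.name }}
        run: |
          echo "Realizando análisis inicial en la rama main..."
          ./gradlew sonarqube \
            -Dsonar.projectKey="$REPO_NAME" \
            -Dsonar.organization=devsecopsusach \
            -Dsonar.host.url=https://sonarcloud.io \
            -Dsonar.token="$SONAR_TOKEN" \
            -Dsonar.branch.name=main

      - name: Perform Branch Analysis
        if: env.project_created == 'false'
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          REPO_NAME: ${{ github.event.repository.name }}
          BRANCH_NAME: ${{ github.ref_name }}
        run: |
          echo "Realizando análisis en la rama actual: $BRANCH_NAME..."
          ./gradlew sonarqube \
            -Dsonar.projectKey="$REPO_NAME" \
            -Dsonar.organization=devsecopsusach \
            -Dsonar.host.url=https://sonarcloud.io \
            -Dsonar.token="$SONAR_TOKEN" \
            -Dsonar.branch.name="$BRANCH_NAME"

      - name: Validate Quality Gate
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          REPO_NAME: ${{ github.event.repository.name }}
          # The branch that was just analysed — same choice the two steps above make.
          SONAR_BRANCH: "${{ env.project_created == 'true' && 'main' || github.ref_name }}"
        run: |
          set -euo pipefail
          api="https://sonarcloud.io/api"
          echo "Validando el estado del Quality Gate..."
          # Analysis is processed asynchronously: right after `gradlew sonarqube`
          # returns, `.current` can still point at the *previous* analysis (or be
          # absent). Wait, bounded, for this branch's compute-engine queue to drain.
          ce=""
          for attempt in $(seq 1 30); do
            ce=$(curl -fsS -G -u "$SONAR_TOKEN:" \
              --data-urlencode "component=$REPO_NAME" \
              --data-urlencode "branch=$SONAR_BRANCH" \
              "$api/ce/component")
            if [ "$(printf '%s' "$ce" | jq -r '.queue | length')" -eq 0 ]; then
              break
            fi
            echo "Análisis en curso (intento $attempt); esperando..."
            sleep 5
          done
          analysisId=$(printf '%s' "$ce" | jq -r '.current.analysisId // empty')
          if [ -z "$analysisId" ]; then
            echo "::error::No se encontró un análisis completado para $REPO_NAME (rama $SONAR_BRANCH)."
            exit 1
          fi
          qualityGateStatus=$(curl -fsS -G -u "$SONAR_TOKEN:" \
            --data-urlencode "analysisId=$analysisId" \
            "$api/qualitygates/project_status" | jq -r '.projectStatus.status')
          if [ "$qualityGateStatus" != "OK" ]; then
            echo "El proyecto no cumple con el Quality Gate: $qualityGateStatus."
            echo "Verificando vulnerabilidades críticas..."
            # Scope the search to the analysed branch; without `branch` the API
            # reports the main branch no matter which branch was scanned.
            # `ps=1` keeps the payload small — only `.total` is used.
            vulnerabilities=$(curl -fsS -G -u "$SONAR_TOKEN:" \
              --data-urlencode "componentKeys=$REPO_NAME" \
              --data-urlencode "branch=$SONAR_BRANCH" \
              --data-urlencode "types=VULNERABILITY" \
              --data-urlencode "severities=CRITICAL,BLOCKER" \
              --data-urlencode "ps=1" \
              "$api/issues/search" | jq -r '.total // 0')
            if [ "$vulnerabilities" -gt 0 ]; then
              echo "Se encontraron $vulnerabilities vulnerabilidades críticas. El proyecto no cumple con los estándares de seguridad."
              exit 1
            fi
            # Policy kept from the original pipeline: a failed gate with no
            # CRITICAL/BLOCKER vulnerabilities is reported but does not fail the job.
            echo "::warning::Quality Gate en estado $qualityGateStatus sin vulnerabilidades críticas; continuando."
          else
            echo "El proyecto cumple con el Quality Gate y no tiene vulnerabilidades críticas. Continuando sin problemas."
          fi

  SCA:
    needs: SAST
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      # NOTE(review): the action reference was mangled in the copy this was
      # reviewed from; the name below is reconstructed from the input schema
      # (project/path/format/args). Confirm it and pin it to a commit SHA.
      # NOTE(review): Dependency-Check needs an NVD API key (CLI flag
      # `--nvdApiKey`) to avoid the unauthenticated feed rate limit; supply it
      # from a secret, never inline in `args`.
      - name: Dependency Check
        id: Depcheck
        uses: dependency-check/Dependency-Check_Action@main
        env:
          # The action's container ships its JDK at /opt/jdk.
          JAVA_HOME: /opt/jdk
        with:
          project: '${{ github.event.repository.name }}'
          path: '.'
          format: 'HTML'
          args: >
            --out ./reports
            --failOnCVSS 7
            --enableRetired

      - name: Upload Test Result
        # always(): the report matters most precisely when the step above fails on
        # a CVSS >= 7 finding; before, it was never uploaded in that case.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: Depcheck Report
          path: ./reports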