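name: SonarCloud Workflow

on:
  push:
    branches:
      - main
      - '**'

# Least privilege for the job's GITHUB_TOKEN: nothing in this workflow writes
# back to the repository; SonarCloud and Dependency-Check use their own
# credentials (SONAR_TOKEN, none), so read access to the checkout is enough.
permissions:
  contents: read

jobs:
  SAST:
    runs-on: ubuntu-24.04
    steps:
      # NOTE(review): third-party actions are pinned to a major tag here (the
      # original mixed @v2/@v3 and a mutable @master). Pin each to a full commit
      # SHA to make the supply chain tamper-evident.
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'adopt'

      # The ref name is passed through `env:` instead of being interpolated into
      # the script with ${{ }}: git allows `;`, `$`, quotes and backticks in a
      # branch name, so inline expansion is a shell-injection vector.
      - name: Set Environment Variables
        env:
          REF_NAME: ${{ github.ref_name }}
        run: echo "BRANCH_NAME=$REF_NAME" >> "$GITHUB_ENV"

      # Ensures the Sonar Gradle plugin is declared. The presence check accepts
      # either quote style: the original grep looked for `id "org.sonarqube"`
      # while the sed inserted `id 'org.sonarqube'`, so a repository that already
      # declared the plugin with single quotes received a duplicate entry and a
      # broken Gradle build. SONAR_TOKEN is not exposed to this step because it
      # does not need it.
      - name: Validate and Configure build.gradle
        run: |
          set -euo pipefail
          if [ ! -f "build.gradle" ]; then
            echo "No se encontró archivo build.gradle."
            exit 1
          fi
          echo "Archivo build.gradle encontrado."
          echo "Verificando configuración del plugin Sonar..."
          if grep -Eq "id +[\"']org\.sonarqube[\"']" build.gradle; then
            echo "Plugin de SonarCloud ya esta configurado en build.gradle."
          else
            # NOTE(review): plugin 3.3 predates the `sonar.token` property used
            # by the analysis steps below (it knew `sonar.login`); confirm the
            # token is honoured or move to a 4.x plugin version together with
            # this line. Leading spaces of the inserted line are kept via `\ `.
            sed -i "/id ['\"]java['\"]/a \ \ \ \ id 'org.sonarqube' version '3.3'" build.gradle
            echo "Plugin de SonarCloud añadido a build.gradle."
          fi

      # SonarCloud's projects/search answers HTTP 200 for an unknown key (it just
      # returns an empty list), so the original status-code check never detected
      # a missing project. Existence is decided from `paging.total`; the
      # endpoint also requires `organization`.
      - name: Validate or Create SonarCloud Project
        id: validate-project
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_ORG: devsecopsusach
          REPO_NAME: ${{ github.event.repository.name }}
          REPO_PRIVATE: ${{ github.event.repository.private }}
        run: |
          set -euo pipefail
          echo "Verificando si el proyecto $REPO_NAME existe en SonarCloud..."
          total=$(curl -sSf -u "$SONAR_TOKEN:" \
            "https://sonarcloud.io/api/projects/search?organization=$SONAR_ORG&projects=$REPO_NAME" \
            | jq -r '.paging.total')
          if [ "$total" -eq 0 ]; then
            echo "El proyecto no existe. Creándolo en SonarCloud..."
            # A private repository must not become a public SonarCloud project:
            # the analysis publishes file paths, issue locations and code
            # snippets. Mirror the repository's visibility instead of
            # hard-coding `public`. If the organization's plan cannot host a
            # private project the create call fails and the job stops, which is
            # preferable to silently publishing.
            if [ "$REPO_PRIVATE" = "true" ]; then
              visibility=private
            else
              visibility=public
            fi
            create_response=$(curl -s -w "%{http_code}" -o /dev/null -X POST -u "$SONAR_TOKEN:" \
              "https://sonarcloud.io/api/projects/create" \
              -d "name=$REPO_NAME" \
              -d "project=$REPO_NAME" \
              -d "organization=$SONAR_ORG" \
              -d "visibility=$visibility")
            # Any 2xx is success. The original test (`-ne 201`) was inverted:
            # it printed the success message exactly when creation had failed
            # and carried on.
            case "$create_response" in
              2??) echo "Proyecto creado exitosamente (HTTP $create_response)." ;;
              *)   echo "No se pudo crear el proyecto (HTTP $create_response)."; exit 1 ;;
            esac
            echo "Estableciendo la rama main como predeterminada..."
            curl -sSf -X POST -u "$SONAR_TOKEN:" \
              "https://sonarcloud.io/api/project_branches/rename" \
              -d "name=main" \
              -d "project=$REPO_NAME"
            echo "project_created=true" >> "$GITHUB_ENV"
          else
            echo "El proyecto ya existe en SonarCloud."
            echo "project_created=false" >> "$GITHUB_ENV"
          fi

      # Execute bit only. `chmod 777` made the wrapper world-writable, a
      # needless tamper surface for a script this job runs next.
      - name: Enable execution gradlew
        run: chmod +x gradlew

      # First analysis of a new project is recorded as `main` so SonarCloud gets
      # a main-branch baseline. NOTE(review): if that first push is on another
      # branch, that branch's code becomes the `main` baseline — confirm this is
      # acceptable or restrict project creation to pushes on main.
      - name: Perform Initial Analysis (if Project Created)
        if: env.project_created == 'true'
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          REPO_NAME: ${{ github.event.repository.name }}
        run: |
          echo "Realizando análisis inicial en la rama main..."
          ./gradlew sonarqube \
            -Dsonar.projectKey="$REPO_NAME" \
            -Dsonar.organization=devsecopsusach \
            -Dsonar.host.url=https://sonarcloud.io \
            -Dsonar.token="$SONAR_TOKEN" \
            -Dsonar.branch.name=main

      - name: Perform Branch Analysis
        if: env.project_created == 'false'
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          REPO_NAME: ${{ github.event.repository.name }}
          BRANCH_NAME: ${{ github.ref_name }}
        run: |
          echo "Realizando análisis en la rama actual: $BRANCH_NAME..."
          ./gradlew sonarqube \
            -Dsonar.projectKey="$REPO_NAME" \
            -Dsonar.organization=devsecopsusach \
            -Dsonar.host.url=https://sonarcloud.io \
            -Dsonar.token="$SONAR_TOKEN" \
            -Dsonar.branch.name="$BRANCH_NAME"

      # Blocks the pipeline on security findings. The scanner hands the report
      # to SonarCloud asynchronously, so ce/component is polled until its queue
      # is empty before `current.analysisId` is trusted — read immediately it
      # may describe the previous analysis or be null. `branch` scopes every
      # query to the branch that was just analysed (main for a new project,
      # the pushed ref otherwise); `resolved=false` keeps closed issues out of
      # the count.
      - name: Validate Quality Gate
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          REPO_NAME: ${{ github.event.repository.name }}
          BRANCH_NAME: ${{ env.project_created == 'true' && 'main' || github.ref_name }}
        run: |
          set -euo pipefail
          echo "Validando el estado del Quality Gate..."
          api="https://sonarcloud.io/api"
          pending=1
          for _ in $(seq 1 30); do
            pending=$(curl -sSf -u "$SONAR_TOKEN:" \
              "$api/ce/component?component=$REPO_NAME&branch=$BRANCH_NAME" | jq -r '.queue | length')
            if [ "$pending" -eq 0 ]; then
              break
            fi
            sleep 10
          done
          if [ "$pending" -ne 0 ]; then
            echo "El análisis de $REPO_NAME ($BRANCH_NAME) sigue en cola tras 5 minutos."
            exit 1
          fi
          analysisId=$(curl -sSf -u "$SONAR_TOKEN:" \
            "$api/ce/component?component=$REPO_NAME&branch=$BRANCH_NAME" | jq -r '.current.analysisId // empty')
          if [ -z "$analysisId" ]; then
            echo "No se encontró un análisis terminado para $REPO_NAME ($BRANCH_NAME)."
            exit 1
          fi
          qualityGateStatus=$(curl -sSf -u "$SONAR_TOKEN:" \
            "$api/qualitygates/project_status?analysisId=$analysisId" | jq -r '.projectStatus.status')
          vulnerabilities=$(curl -sSf -u "$SONAR_TOKEN:" \
            "$api/issues/search?componentKeys=$REPO_NAME&branch=$BRANCH_NAME&resolved=false&types=VULNERABILITY&severities=CRITICAL,BLOCKER" \
            | jq -r '.total')
          if [ "$qualityGateStatus" != "OK" ]; then
            echo "El proyecto no cumple con el Quality Gate: $qualityGateStatus."
          fi
          # The original had this `exit 1` commented out, which reduced the gate
          # to a log line: a SAST stage that cannot fail enforces nothing, and
          # `needs: SAST` in the SCA job then never gates anything either.
          if [ "$vulnerabilities" -gt 0 ]; then
            echo "Se encontraron $vulnerabilities vulnerabilidades críticas. El proyecto no cumple con los estándares de seguridad."
            exit 1
          fi
          if [ "$qualityGateStatus" != "OK" ]; then
            echo "Sin vulnerabilidades críticas; el Quality Gate se reporta pero no bloquea."
          else
            echo "El proyecto cumple con el Quality Gate y no tiene vulnerabilidades críticas. Continuando sin problemas."
          fi

  SCA:
    needs: SAST
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # NOTE(review): the action ref was garbled on the source page
      # ("dependency-check/[email protected]"); the inputs below match
      # dependency-check/Dependency-Check_Action. Restore the intended ref and
      # pin it to a commit SHA rather than a branch.
      - name: Dependency Check
        uses: dependency-check/Dependency-Check_Action@main
        env:
          JAVA_HOME: /opt/jdk
        id: Depcheck
        with:
          project: '${{ github.event.repository.name }}'
          path: '.'
          format: 'HTML'
          # --failOnCVSS 7 fails this step on any High/Critical finding;
          # --enableRetired also consults retired analyzers.
          args: >
            --out ./reports
            --failOnCVSS 7
            --enableRetired

      # Runs even when the previous step failed on --failOnCVSS: that is exactly
      # when the report is needed, and the default `success()` condition would
      # have skipped the upload.
      - name: Upload Test Result
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: Depcheck Report
          path: ./reports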