Update pipeline -jm #3

Summary
Jobs
- SAST
- SCA
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/pipelineIC.yml at 9147789

	name: SonarCloud Workflow

	on:
	push:
	branches:
	- feature-jm
	- '**'

	jobs:
	SAST:
	runs-on: ubuntu-24.04

	steps:
	- name: Checkout Code
	uses: actions/checkout@v3

	- name: Set up JDK 17
	uses: actions/setup-java@v2
	with:
	java-version: '17'
	distribution: 'adopt'

	- name: Set Environment Variables
	run: echo "BRANCH_NAME=${{ github.ref_name }}" >> $GITHUB_ENV

	#Valida y configura archivo build.gradle
	- name: Validate and Configure build.gradle
	env:
	#SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	TK_SONARCLOUD: ${{ secrets.TK_SONARCLOUD }}
	run: \|
	if [ -f "build.gradle" ]; then
	echo "Archivo build.gradle encontrado."
	echo "Verificando configuración del plugin Sonar..."
	if ! grep -q 'id "org.sonarqube" version "3.3"' build.gradle; then
	sed -i '/id '\''java'\''/a \ \ \ \ id '\''org.sonarqube'\'' version '\''3.3'\''' build.gradle
	echo "Plugin de SonarCloud añadido a build.gradle."
	else
	echo "Plugin de SonarCloud ya esta configurado en build.gradle."
	fi
	else
	echo "No se encontró archivo build.gradle."
	exit 1
	fi

	- name: Validate or Create SonarCloud Project
	id: validate-project
	env:
	#SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	TK_SONARCLOUD: ${{ secrets.TK_SONARCLOUD }}
	REPO_NAME: ${{ github.event.repository.name }}
	run: \|
	echo "Verificando si el proyecto $REPO_NAME existe en SonarCloud..."
	response=$(curl -s -o /dev/null -w "%{http_code}" -u "$SONAR_TOKEN:" \
	"https://sonarcloud.io/api/projects/search?projects=$REPO_NAME")

	if [ "$response" -ne 200 ]; then
	echo "El proyecto no existe. Creándolo en SonarCloud..."
	create_response=$(curl -s -w "%{http_code}" -o /dev/null -X POST -u "$SONAR_TOKEN:" \
	"https://sonarcloud.io/api/projects/create" \
	-d "name=$REPO_NAME" \
	-d "project=$REPO_NAME" \
	-d "organization=devsecopsusach" \
	-d "visibility=public")

	if [ "$create_response" -ne 201 ]; then
	echo "¨Proyecto creado exitosamente (HTTP $create_response)."
	fi

	echo "Estableciendo la rama main como predeterminada..."
	curl -s -f -X POST -u "$SONAR_TOKEN:" \
	"https://sonarcloud.io/api/project_branches/rename" \
	-d "name=main" \
	-d "project=$REPO_NAME"

	echo "project_created=true" >> $GITHUB_ENV
	else
	echo "El proyecto ya existe en SonarCloud."
	echo "project_created=false" >> $GITHUB_ENV
	fi

	- name: Enable execution gradlew
	run: \|
	chmod 777 gradlew

	- name: Perform Initial Analysis (if Project Created)
	if: env.project_created == 'true'
	env:
	#SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	TK_SONARCLOUD: ${{ secrets.TK_SONARCLOUD }}
	REPO_NAME: ${{ github.event.repository.name }}
	run: \|
	echo "Realizando análisis inicial en la rama main..."
	./gradlew sonarqube \
	-Dsonar.projectKey=$REPO_NAME \
	-Dsonar.organization=devsecopsusach \
	-Dsonar.host.url=https://sonarcloud.io \
	-Dsonar.token=$SONAR_TOKEN \
	-Dsonar.branch.name=main

	- name: Perform Branch Analysis
	if: env.project_created == 'false'
	env:
	#SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	TK_SONARCLOUD: ${{ secrets.TK_SONARCLOUD }}
	REPO_NAME: ${{ github.event.repository.name }}
	BRANCH_NAME: ${{ github.ref_name }}
	run: \|
	echo "Realizando análisis en la rama actual: $BRANCH_NAME..."
	./gradlew sonarqube \
	-Dsonar.projectKey=$REPO_NAME \
	-Dsonar.organization=devsecopsusach \
	-Dsonar.host.url=https://sonarcloud.io \
	-Dsonar.token=$SONAR_TOKEN \
	-Dsonar.branch.name=$BRANCH_NAME

	- name: Validate Quality Gate
	env:
	#SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	TK_SONARCLOUD: ${{ secrets.TK_SONARCLOUD }}
	REPO_NAME: ${{ github.event.repository.name }}
	run: \|
	echo "Validando el estado del Quality Gate..."
	analysisId=$(curl -s -u "$SONAR_TOKEN:" \
	"https://sonarcloud.io/api/ce/component?component=$REPO_NAME" \| jq -r '.current.analysisId')

	qualityGateStatus=$(curl -s -u "$SONAR_TOKEN:" \
	"https://sonarcloud.io/api/qualitygates/project_status?analysisId=$analysisId" \| jq -r '.projectStatus.status')

	if [ "$qualityGateStatus" != "OK" ]; then
	echo "El proyecto no cumple con el Quality Gate: $qualityGateStatus."
	echo "Verificando vulnerabilidades críticas..."
	vulnerabilities=$(curl -s -u "$SONAR_TOKEN:" \
	"https://sonarcloud.io/api/issues/search?componentKeys=$REPO_NAME&types=VULNERABILITY&severities=CRITICAL,BLOCKER" \| jq -r '.total')

	if [ "$vulnerabilities" -gt 0 ]; then
	echo "Se encontraron $vulnerabilities vulnerabilidades críticas. El proyecto no cumple con los estándares de seguridad."
	#exit 1
	fi
	fi

	echo "El proyecto cumple con el Quality Gate y no tiene vulnerabilidades críticas. Continuando sin problemas."

	SCA:
	needs: SAST
	runs-on: ubuntu-24.04
	steps:

	- name: Checkout code
	uses: actions/checkout@v2

	- name: Dependency Check
	uses: dependency-check/[email protected]
	env:
	JAVA_HOME: /opt/jdk
	id: Depcheck
	with:
	project: '${{ github.event.repository.name }}'
	path: '.'
	format: 'HTML'
	args: >
	--out ./reports
	--failOnCVSS 7
	--enableRetired

	- name: Upload Test Result
	uses: actions/upload-artifact@master
	with:
	name: Depcheck Report
	path: ./reports

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update pipeline -jm #3

Workflow file

Update pipeline -jm #3

Jobs

Run details

Workflow file for this run