Update #10
name: SonarCloud Workflow | |
on: | |
push: | |
branches: | |
- feature-jm | |
#- '**' | |
jobs: | |
SAST: | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Checkout Code | |
uses: actions/checkout@v3 | |
- name: Set up JDK 17 | |
uses: actions/setup-java@v2 | |
with: | |
java-version: '17' | |
distribution: 'adopt' | |
- name: Set Environment Variables | |
run: echo "BRANCH_NAME=${{ github.ref_name }}" >> $GITHUB_ENV | |
#Valida y configura archivo build.gradle | |
- name: Validate and Configure build.gradle | |
env: | |
#SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
TK_SONARCLOUD: ${{ secrets.TK_SONARCLOUD }} | |
run: | | |
if [ -f "build.gradle" ]; then | |
echo "Archivo build.gradle encontrado." | |
echo "Verificando configuración del plugin Sonar..." | |
if ! grep -q 'id "org.sonarqube" version "3.3"' build.gradle; then | |
sed -i '/id '\''java'\''/a \ \ \ \ id '\''org.sonarqube'\'' version '\''3.3'\''' build.gradle | |
echo "Plugin de SonarCloud añadido a build.gradle." | |
else | |
echo "Plugin de SonarCloud ya esta configurado en build.gradle." | |
fi | |
else | |
echo "No se encontró archivo build.gradle." | |
exit 1 | |
fi | |
- name: Validate or Create SonarCloud Project | |
id: validate-project | |
env: | |
#SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
TK_SONARCLOUD: ${{ secrets.TK_SONARCLOUD }} | |
REPO_NAME: ${{ github.event.repository.name }} | |
run: | | |
echo "Verificando si el proyecto $REPO_NAME existe en SonarCloud..." | |
response=$(curl -s -o /dev/null -w "%{http_code}" -u "$TK_SONARCLOUD:" \ | |
"https://sonarcloud.io/api/projects/search?projects=$REPO_NAME") | |
if [ "$response" -ne 200 ]; then | |
echo "El proyecto no existe. Creándolo en SonarCloud..." | |
create_response=$(curl -s -w "%{http_code}" -o /dev/null -X POST -u "$TK_SONARCLOUD:" \ | |
"https://sonarcloud.io/api/projects/create" \ | |
-d "name=$REPO_NAME" \ | |
-d "project=$REPO_NAME" \ | |
-d "organization=devsecops-jm" \ | |
-d "visibility=public") | |
if [ "$create_response" -ne 201 ]; then | |
echo "Proyecto creado exitosamente (HTTP $create_response)." | |
fi | |
echo "Estableciendo la rama [feature-jm] [main] como predeterminada..." | |
curl -s -f -X POST -u "$TK_SONARCLOUD:" \ | |
"https://sonarcloud.io/api/project_branches/rename" \ | |
-d "name=feature-jm" \ | |
-d "project=$REPO_NAME" | |
echo "project_created=true" >> $GITHUB_ENV | |
else | |
echo "El proyecto ya existe en SonarCloud." | |
echo "project_created=false" >> $GITHUB_ENV | |
fi | |
- name: Enable execution gradlew | |
run: | | |
chmod 777 gradlew | |
- name: Perform Initial Analysis (if Project Created) | |
if: env.project_created == 'true' | |
env: | |
#SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
TK_SONARCLOUD: ${{ secrets.TK_SONARCLOUD }} | |
REPO_NAME: ${{ github.event.repository.name }} | |
run: | | |
echo "Realizando análisis inicial en la rama main..." | |
./gradlew sonarqube \ | |
-Dsonar.projectKey=$REPO_NAME \ | |
-Dsonar.organization=devsecops-jm \ | |
-Dsonar.host.url=https://sonarcloud.io \ | |
-Dsonar.token=$TK_SONARCLOUD \ | |
-Dsonar.branch.name=feature-jm | |
- name: Perform Branch Analysis | |
if: env.project_created == 'false' | |
env: | |
#SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
TK_SONARCLOUD: ${{ secrets.TK_SONARCLOUD }} | |
REPO_NAME: ${{ github.event.repository.name }} | |
BRANCH_NAME: ${{ github.ref_name }} | |
run: | | |
echo "Realizando análisis en la rama actual: $BRANCH_NAME..." | |
./gradlew sonarqube \ | |
-Dsonar.projectKey=$REPO_NAME \ | |
-Dsonar.organization=devsecops-jm \ | |
-Dsonar.host.url=https://sonarcloud.io \ | |
-Dsonar.token=$TK_SONARCLOUD \ | |
-Dsonar.branch.name=$BRANCH_NAME | |
- name: Validate Quality Gate | |
env: | |
#SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
TK_SONARCLOUD: ${{ secrets.TK_SONARCLOUD }} | |
REPO_NAME: ${{ github.event.repository.name }} | |
run: | | |
echo "Validando el estado del Quality Gate..." | |
analysisId=$(curl -s -u "$TK_SONARCLOUD:" \ | |
"https://sonarcloud.io/api/ce/component?component=$REPO_NAME" | jq -r '.current.analysisId') | |
qualityGateStatus=$(curl -s -u "$TK_SONARCLOUD:" \ | |
"https://sonarcloud.io/api/qualitygates/project_status?analysisId=$analysisId" | jq -r '.projectStatus.status') | |
if [ "$qualityGateStatus" != "OK" ]; then | |
echo "El proyecto no cumple con el Quality Gate: $qualityGateStatus." | |
echo "Verificando vulnerabilidades críticas..." | |
vulnerabilities=$(curl -s -u "$TK_SONARCLOUD:" \ | |
"https://sonarcloud.io/api/issues/search?componentKeys=$REPO_NAME&types=VULNERABILITY&severities=CRITICAL,BLOCKER" | jq -r '.total') | |
if [ "$vulnerabilities" -gt 0 ]; then | |
echo "Se encontraron $vulnerabilities vulnerabilidades críticas. El proyecto no cumple con los estándares de seguridad." | |
#exit 1 | |
fi | |
fi | |
echo "El proyecto cumple con el Quality Gate y no tiene vulnerabilidades críticas. Continuando sin problemas." | |
SCA: | |
needs: SAST | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Dependency Check | |
uses: dependency-check/[email protected] | |
env: | |
JAVA_HOME: /opt/jdk | |
id: Depcheck | |
with: | |
project: '${{ github.event.repository.name }}' | |
path: '.' | |
format: 'HTML' | |
args: > | |
--out ./reports | |
--failOnCVSS 7 | |
--enableRetired | |
- name: Upload Test Result | |
uses: actions/upload-artifact@master | |
with: | |
name: Depcheck Report | |
path: ./reports |
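Review bot: The "Validate Quality Gate" step can never fail: the `#exit 1` after the critical-vulnerability count is commented out and the closing `echo "El proyecto cumple con el Quality Gate..."` runs unconditionally, so a failed gate or BLOCKER/CRITICAL findings only print a message and the dependent SCA job still runs — restore `exit 1` there (and also when `$qualityGateStatus` is not `OK`) and move the success echo into an `else` branch. In "Validate or Create SonarCloud Project" the check `if [ "$create_response" -ne 201 ]` prints the success message precisely when creation did not return 201, which looks inverted; it should fail the step on a non-success code, e.g. `if [ "$create_response" -ne 200 ] && [ "$create_response" -ne 201 ]; then echo "Error creando el proyecto (HTTP $create_response)."; exit 1; fi`, with the create endpoint's actual success code confirmed. The existence test `[ "$response" -ne 200 ]` is probably also unreliable, since a search endpoint typically answers 200 with an empty result for an unknown key (and a network error yields `000`, which would trigger creation); checking `jq -r '.paging.total'` on the body would be more robust. Creating the project with `visibility=public` exposes the analysis results of this repository, so confirm that is intended. Separately, `chmod 777 gradlew` grants far more than needed (`chmod +x gradlew`), and `actions/upload-artifact@master` together with the mixed `checkout@v2`/`checkout@v3` and `setup-java@v2` are mutable refs — pin each action to a release tag or commit SHA.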