Skip to content

upload, download y docker login #11

upload, download y docker login

upload, download y docker login #11

Workflow file for this run

name: Workflow
on:
push:
branches:
- main
jobs:
SAST:
runs-on: ubuntu-24.04
steps:
- name: Checkout Code
uses: actions/checkout@v3
- name: Set up JDK 17
uses: actions/setup-java@v2
with:
java-version: '17'
distribution: 'adopt'
- name: Set Environment Variables
run: echo "BRANCH_NAME=${{ github.ref_name }}" >> $GITHUB_ENV
- name: Validate and Configure build.gradle
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: |
if [ -f "build.gradle" ]; then
echo "Encontró el archivo"
echo "Verificando configuracion del plugin sonar"
if ! grep -q 'id "org.sonarqube" version "3.3"' build.gradle; then
echo "No se encuentra Plugin configurado"
sed -i '/id '\''java'\''/a \ \ \ \ id '\''org.sonarqube'\'' version '\''3.3'\''' build.gradle
echo "Plugin de Sonarcloud acaba de ser añadido a build.gradle"
cat build.gradle
else
echo "Plugin de sonarcloud ya está configurado en build.gradle"
fi
else
echo "no se encontró archivo build.gradle"
exit 1
fi
- name: Validando existencia de proyecto en SonarCloud
id: validateProjectOnSonar
run: |
#pwd
#ls -R
set +e
curl -f -X POST -u '${{ secrets.SONAR_TOKEN }}:' 'https://sonarcloud.io/api/projects/create' -d 'name=${{ github.event.repository.name }}' -d 'project=${{ github.event.repository.name }}' -d 'organization=devsecopsusach' -d 'visibility=public'
if [ $? -ne 0 ]; then
echo "Proyecto ya existe en Sonarcloud"
echo "project_created=false" >> $GITHUB_ENV
else
echo "Proyecto ${{ github.event.repository.name }} creado exitosamente en Sonarcloud"
echo "Se establece rama main como rama por defecto"
curl -X POST -u '${{ secrets.SONAR_TOKEN }}:' 'https://sonarcloud.io/api/project_branches/rename' -d 'name=main' -d 'project=${{ github.event.repository.name }}'
echo "project_created=true" >> $GITHUB_ENV
fi
set -e
# name: Validate or Create SonarCloud Project
# id: validate-project
# env:
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# REPO_NAME: ${{ github.event.repository.name }}
# run: |
# echo "Verificando si el proyecto $REPO_NAME existe en SonarCloud..."
# response=$(curl -s -o /dev/null -w "%{http_code}" -u "$SONAR_TOKEN:" \
# "https://sonarcloud.io/api/projects/search?projects=$REPO_NAME")
# if [ "$response" -ne 200 ]; then
# echo "El proyecto no existe. Creándolo en SonarCloud..."
# create_response=$(curl -s -w "%{http_code}" -o /dev/null -X POST -u "$SONAR_TOKEN:" \
# "https://sonarcloud.io/api/projects/create" \
# -d "name=$REPO_NAME" \
# -d "project=$REPO_NAME" \
# -d "organization=devsecopsusach" \
# -d "visibility=public")
# if [ "$create_response" -ne 201 ]; then
# echo "¨Proyecto creado exitosamente (HTTP $create_response)."
# fi
# echo "Estableciendo la rama main como predeterminada..."
# curl -s -f -X POST -u "$SONAR_TOKEN:" \
# "https://sonarcloud.io/api/project_branches/rename" \
# -d "name=main" \
# -d "project=$REPO_NAME"
# echo "project_created=true" >> $GITHUB_ENV
# else
# echo "El proyecto ya existe en SonarCloud."
# echo "project_created=false" >> $GITHUB_ENV
# fi
- name: Enable execution gradlew
run: |
chmod 777 gradlew
- name: Perform Initial Analysis (if Project Created)
if: env.project_created == 'true'
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
REPO_NAME: ${{ github.event.repository.name }}
run: |
echo "Realizando análisis inicial en la rama main..."
./gradlew sonarqube \
-Dsonar.projectKey=$REPO_NAME \
-Dsonar.organization=devsecopsusach \
-Dsonar.host.url=https://sonarcloud.io \
-Dsonar.token=$SONAR_TOKEN \
-Dsonar.branch.name=main
- name: Perform Branch Analysis
if: env.project_created == 'false'
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
REPO_NAME: ${{ github.event.repository.name }}
BRANCH_NAME: ${{ github.ref_name }}
run: |
echo "Realizando análisis en la rama actual: $BRANCH_NAME..."
./gradlew sonarqube \
-Dsonar.projectKey=$REPO_NAME \
-Dsonar.organization=devsecopsusach \
-Dsonar.host.url=https://sonarcloud.io \
-Dsonar.token=$SONAR_TOKEN \
-Dsonar.branch.name=$BRANCH_NAME
- name: Validate Quality Gate
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
REPO_NAME: ${{ github.event.repository.name }}
run: |
echo "Validando el estado del Quality Gate..."
analysisId=$(curl -s -u "$SONAR_TOKEN:" \
"https://sonarcloud.io/api/ce/component?component=$REPO_NAME" | jq -r '.current.analysisId')
qualityGateStatus=$(curl -s -u "$SONAR_TOKEN:" \
"https://sonarcloud.io/api/qualitygates/project_status?analysisId=$analysisId" | jq -r '.projectStatus.status')
if [ "$qualityGateStatus" != "OK" ]; then
echo "El proyecto no cumple con el Quality Gate: $qualityGateStatus."
echo "Verificando vulnerabilidades críticas..."
vulnerabilities=$(curl -s -u "$SONAR_TOKEN:" \
"https://sonarcloud.io/api/issues/search?componentKeys=$REPO_NAME&types=VULNERABILITY&severities=CRITICAL,BLOCKER" | jq -r '.total')
if [ "$vulnerabilities" -gt 0 ]; then
echo "Se encontraron $vulnerabilities vulnerabilidades críticas. El proyecto no cumple con los estándares de seguridad."
#exit 1
fi
else
echo "El proyecto cumple con el Quality Gate y no tiene vulnerabilidades críticas. Continuando sin problemas."
fi
SCA:
needs: SAST
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Dependency Check
uses: dependency-check/[email protected]
env:
JAVA_HOME: /opt/jdk
id: Depcheck
with:
project: '${{ github.event.repository.name }}'
path: '.'
format: 'HTML'
args: >
--out ./reports
--failOnCVSS 7
--enableRetired
- name: Upload Test Result
uses: actions/upload-artifact@master
with:
name: Depcheck Report
path: ./reports