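---
# CodeQL static analysis plus an OWASP ZAP baseline dynamic scan.
# Runs on pull requests to the main branches and on a weekly schedule.
name: CodeQL

on:
  pull_request:
    branches:
      - master
      - main
  schedule:
    # Weekly (Thursdays 05:36 UTC) so code-scanning results stay current
    # even when no pull request is opened.
    - cron: '36 5 * * 4'

# Least-privilege default for the workflow token; each job widens it
# explicitly below, so a job added without its own block inherits read-only.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # needed to upload SARIF results to code scanning
    strategy:
      fail-fast: false
      matrix:
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
        language: ['java']
    steps:
      # NOTE(review): every `uses:` in this workflow references a mutable
      # major-version tag. Pinning each action to a full commit SHA (tag kept in
      # a trailing comment) removes the tag-rewrite supply-chain exposure; the
      # SHAs are deliberately not guessed here.
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      - name: Set up Java
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'  # quoted so the version is read as a string, never retyped

      - name: Set up Gradle
        uses: gradle/actions/setup-gradle@v5
        with:
          gradle-version: current
          gradle-home-cache-includes: |
            caches
            configuration-cache

      # NOTE(review): the build below excludes the `integration` task, so these
      # pulls may be unused in this job — confirm with the Gradle tasks before
      # removing them.
      - name: Pre-pull integration images
        run: |
          docker pull postgres:16-alpine
          docker pull wiremock/wiremock:3.9.1
          docker pull mcr.microsoft.com/azure-storage/azurite:3.33.0
          docker pull eclipse-temurin:21-jdk
          docker pull testcontainers/ryuk:0.12.0

      # CodeQL for Java observes the compilation, so the build must run between
      # the init and analyze steps. Tests are skipped because only compiled
      # sources are needed; cyclonedxBom produces the SBOM archived further down.
      - name: Gradle Build
        run: |
          gradle build cyclonedxBom -x test -x integration

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{matrix.language}}"

      # Presumably logged so a downloaded SBOM artifact can be compared against
      # the run log; `|| true` keeps a missing file from failing the job.
      - name: Log generated SBOM Hash
        run: sha256sum build/resources/main/META-INF/sbom/application.cdx.json || true

      # This ensures:
      # - The SBOM is archived with the CodeQL scan output
      # - It's available to download and inspect from the GitHub Actions UI
      - name: Upload SBOM
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: sbom
          path: build/resources/main/META-INF/sbom/application.cdx.json

  DAST:
    runs-on: ubuntu-latest
    # Explicit scope instead of the repository default token permissions. The
    # ZAP baseline action files/updates a GitHub issue with its findings unless
    # allow_issue_writing is disabled, so it needs issues: write; nothing else
    # in this job writes to the repository.
    permissions:
      contents: read
      issues: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Set up Java
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'

      - name: Set up Gradle
        uses: gradle/actions/setup-gradle@v5
        with:
          gradle-version: current
          gradle-home-cache-includes: |
            caches
            configuration-cache

      - name: Pre-pull integration images
        run: |
          docker pull postgres:16-alpine
          docker pull wiremock/wiremock:3.9.1
          docker pull mcr.microsoft.com/azure-storage/azurite:3.33.0
          docker pull eclipse-temurin:21-jdk
          docker pull testcontainers/ryuk:0.12.0

      # Builds the application that docker compose packages below (assumed from
      # the step order — confirm against docker/docker-compose.integration.yml).
      - name: Gradle Build
        run: gradle build -x test -x integration

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # The job fails here if the app never reports healthy, instead of letting
      # ZAP scan a dead endpoint and report a clean result.
      - name: DAST - Build and run containerised app
        run: |
          docker compose -f docker/docker-compose.integration.yml up -d
          echo "Waiting for health endpoint..."
          healthy=0
          for i in {1..30}; do
            # -f: an HTTP error (e.g. 503 while starting) is "not yet healthy"
            if curl -sf http://localhost:8082/health > /dev/null; then
              echo "App is healthy"
              healthy=1
              break
            fi
            echo "Waiting for app to be healthy ($i)..."
            sleep 2
          done
          if [ "$healthy" -ne 1 ]; then
            echo "App did not become healthy within the timeout; container logs follow" >&2
            docker compose -f docker/docker-compose.integration.yml logs
            exit 1
          fi

      - name: Run OWASP ZAP DAST Scan
        uses: zaproxy/action-baseline@v0.15.0
        with:
          target: "http://localhost:8082"
          cmd_options: "-a -J zap_report.json -r zap_report.html"

      # always(): the report is most useful when the scan step itself fails.
      # The JSON report requested via -J above is archived alongside the HTML.
      - name: Upload ZAP Reports
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: zap-html-report
          path: |
            zap_report.html
            zap_report.json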