security #229

Workflow file for this run

.github/workflows/security.yml at aa70266

	name: Security Scans

	on:
	repository_dispatch:
	types: [security]
	workflow_dispatch:
	workflow_call:

	env:
	RUN_URL: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}

	jobs:
	codedx-scans:
	name: Run CodeDx Scans
	runs-on: [self-hosted, Linux]

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Run Dependency Check Scans
	uses: dependency-check/Dependency-Check_Action@1.1.0
	with:
	project: "uikit"
	path: "."
	format: "XML"

	- name: Upload Reports to CodeDX
	run: .github/scripts/codedx-upload.sh
	env:
	CODE_DX_URL: "${{ secrets.CODE_DX_URL }}"
	CODE_DX_API_KEY: ${{ secrets.CODE_DX_API_KEY }}
	CODE_DX_PROJECT_ID: 120

	citadel-scan:
	name: Request Citadel Scan
	runs-on: [self-hosted, Linux]

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Install Node.js
	uses: actions/setup-node@v4
	with:
	node-version: 18

	- name: Request Citadel scan
	run: .github/scripts/citadel-request.mjs

	black-duck-scans:
	name: Run Black Duck Scans
	runs-on: [self-hosted, Linux]
	strategy:
	fail-fast: false
	matrix:
	PACKAGE:
	- "cli"
	- "code-editor"
	- "core"
	- "icons"
	- "lab"
	- "shared"
	- "styles"
	- "uno-preset"
	- "viz"

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Install Node.js
	uses: actions/setup-node@v4
	with:
	node-version: 18

	# ==========================
	# code-editor (npm package)
	# ==========================

	# Install dependencies inside each package so blackduck can scan them
	# To do this we need to remove the package.json and package-lock.json from the root
	- name: Prepare packages for Blackduck scan
	uses: lumada-common-services/gh-composite-actions@1.9.0
	with:
	command: \|
	rm -rf node_modules package.json package-lock.json && \
	cd packages/${{ matrix.PACKAGE }} && npm i

	- name: Load BlackDuck variables
	working-directory: packages/${{ matrix.PACKAGE }}
	run: \|
	echo "PROJECT_NAME=$(npm pkg get name --workspaces=false \| tr -d '""')" >> $GITHUB_ENV
	echo "PROJECT_VERSION=$(npm pkg get version --workspaces=false \| tr -d '"')" >> $GITHUB_ENV

	- name: Load blackduck project properties
	run: echo "BLACKDUCK_ARGS=$(.github/scripts/getBlackduckArgs.mjs ${{ matrix.PACKAGE }})" >> $GITHUB_ENV

	- name: Blackduck Scan
	uses: lumada-common-services/gh-composite-actions@1.9.0
	env:
	BLACKDUCK_DOCKER_USERNAME: hvservices-service-cicd
	BLACKDUCK_DOCKER_PASSWORD: ${{ secrets.ARTIFACTORY_HVSERVICES_CICD_TOKEN }}
	BlackDuck_Project_Name: "${{ env.PROJECT_NAME }}"
	BlackDuck_Source_Path: /workdir/packages
	BlackDuck_Project_Version: "${{ env.PROJECT_VERSION }}"
	BlackDuck_Api_Token: "${{ secrets.BLACKDUCK_TOKEN }}"
	BlackDuck_Url: "${{ secrets.BLACKDUCK_URL }}"
	ADDITIONAL_ARGS: "${{ env.BLACKDUCK_ARGS }}"

	notify-fail:
	name: Notify Fail
	needs: [codedx-scans, citadel-scan, black-duck-scans]
	if: failure()
	runs-on: ubuntu-latest

	steps:
	- uses: technote-space/workflow-conclusion-action@v1

	- name: Notify Fail
	uses: hbfernandes/slack-action@1.0
	env:
	SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
	CONCLUSION: ${{ env.WORKFLOW_CONCLUSION }}
	COLOR: "#C62828"
	with:
	args: \|
	{
	"channel": "ui-kit-internal",
	"attachments": [
	{
	"mrkdwn_in": ["text"],
	"color": "${{env.COLOR}}",
	"title": "Security Scans failed",
	"title_link": "${{ env.RUN_URL }}"
	}
	]
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

security #229

Workflow file

security #229

Jobs

Run details

Workflow file for this run