test-conf-added

.github/workflows/maven-library-build.yml

@@ -43,7 +43,13 @@ jobs:
           mvn \
             --no-transfer-progress \
             --batch-mode ${{ inputs.mvn-options }} \
-            clean compile ${{ inputs.mvn-args }}
+            clean compile site ${{ inputs.mvn-args }}
+
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v3
+        with:
+          name: bom.json
+          path: 'target/bom.json'
 
   test-coverage:
     runs-on: ubuntu-20.04
@@ -67,3 +73,19 @@ jobs:
 
       - name: Upload code coverage
         uses: codecov/codecov-action@v3
+
+  scan:
+    name: Scan with Trivy
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install Trivy CLI
+        run: |
+          wget https://github.com/aquasecurity/trivy/releases/download/v0.39.1/trivy_0.39.1_Linux-64bit.deb
+          sudo dpkg -i trivy_0.39.1_Linux-64bit.deb
+      - uses: actions/download-artifact@v3
+        with:
+          name: bom.json
+      - name: Run Trivy with SBOM
+        run: trivy sbom --exit-code 1 --severity CRITICAL,HIGH ./bom.json

.github/workflows/maven-service-build.yml

@@ -54,3 +54,18 @@ jobs:
       - name: Upload code coverage
         uses: codecov/codecov-action@v3
 
+  scan:
+    name: Scan with Trivy
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install Trivy CLI
+        run: |
+          wget https://github.com/aquasecurity/trivy/releases/download/v0.39.1/trivy_0.39.1_Linux-64bit.deb
+          sudo dpkg -i trivy_0.39.1_Linux-64bit.deb
+      - uses: actions/download-artifact@v3
+        with:
+          name: bom.json
+      - name: Run Trivy with SBOM
+        run: trivy sbom --exit-code 1 --severity CRITICAL,HIGH ./bom.json

.github/workflows/maven-swag-build.yml

@@ -48,8 +48,23 @@ jobs:
         run: npm run validate
 
       - name: Build server jar
-        run: mvn --batch-mode clean package -f pom.xml -P="server"
+        run: mvn --batch-mode clean package site -f pom.xml -P="server"
 
       - name: Build client jar
-        run: mvn --batch-mode clean package -f pom.xml -P="client"
+        run: mvn --batch-mode clean package site -f pom.xml -P="client"
 
+  scan:
+    name: Scan with Trivy
+    needs: bundle
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install Trivy CLI
+        run: |
+          wget https://github.com/aquasecurity/trivy/releases/download/v0.39.1/trivy_0.39.1_Linux-64bit.deb
+          sudo dpkg -i trivy_0.39.1_Linux-64bit.deb
+      - uses: actions/download-artifact@v3
+        with:
+          name: bom.json
+      - name: Run Trivy with SBOM
+        run: trivy sbom --exit-code 1 --severity CRITICAL,HIGH ./bom.json

.github/workflows/maven-thrift-build.yml

@@ -36,5 +36,26 @@ jobs:
           echo "::set-output name=SHA_7::${GITHUB_SHA::7}"
         id: commit_info
       - name: Build package
-        run: mvn --batch-mode -Dcommit.number=${{ steps.commit_info.outputs.COMMIT_NUMBER }} -Drevision="1.${{ steps.commit_info.outputs.COMMIT_NUMBER }}-${{ steps.commit_info.outputs.SHA_7 }}" clean compile -f pom.xml
+        run: mvn --batch-mode -Dcommit.number=${{ steps.commit_info.outputs.COMMIT_NUMBER }} -Drevision="1.${{ steps.commit_info.outputs.COMMIT_NUMBER }}-${{ steps.commit_info.outputs.SHA_7 }}" clean compile site -f pom.xml
 
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v3
+        with:
+          name: bom.json
+          path: 'target/bom.json'
+
+  scan:
+    name: Scan with Trivy
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install Trivy CLI
+        run: |
+          wget https://github.com/aquasecurity/trivy/releases/download/v0.39.1/trivy_0.39.1_Linux-64bit.deb
+          sudo dpkg -i trivy_0.39.1_Linux-64bit.deb
+      - uses: actions/download-artifact@v3
+        with:
+          name: bom.json
+      - name: Run Trivy with SBOM
+        run: trivy sbom --exit-code 1 --severity CRITICAL,HIGH ./bom.json