-
Notifications
You must be signed in to change notification settings - Fork 293
181 lines (160 loc) · 6.99 KB
/
analyze-changes.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
name: Analyze changes
on:
push:
branches: [ master ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ master ]
# Cancel long-running jobs when a new commit is pushed
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
datadog-static-analyzer:
name: Analyze changes with DataDog Static Analyzer
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # 4.1.6
with:
submodules: 'recursive'
# Run the static analysis on the staging environment to benefit from the new features not yet released
- name: Check code meets quality standards (staging)
id: datadog-static-analysis-staging
uses: DataDog/datadog-static-analyzer-github-action@c74aff158c8cc1c3e285660713bcaa5f9c6d696e # v1
with:
dd_app_key: ${{ secrets.DATADOG_APP_KEY_STAGING }}
dd_api_key: ${{ secrets.DATADOG_API_KEY_STAGING }}
dd_site: "datad0g.com"
dd_service: "dd-trace-java"
dd_env: "ci"
cpu_count: 2
enable_performance_statistics: false
codeql:
name: Analyze changes with GitHub CodeQL
# Don’t run on PR, only when pushing to master
if: github.event_name == 'push' && github.ref == 'refs/heads/master'
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write # Required to upload the results to the Security tab
steps:
- name: Checkout repository
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # 4.1.6
with:
submodules: 'recursive'
- name: Cache Gradle dependencies
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
restore-keys: |
${{ runner.os }}-gradle-
- name: Initialize CodeQL
uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
with:
languages: 'java'
build-mode: 'manual'
- name: Build dd-trace-java for creating the CodeQL database
run: |
GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx2G -Xms2G'" \
JAVA_HOME=$JAVA_HOME_8_X64 \
JAVA_8_HOME=$JAVA_HOME_8_X64 \
JAVA_11_HOME=$JAVA_HOME_11_X64 \
JAVA_17_HOME=$JAVA_HOME_17_X64 \
JAVA_21_HOME=$JAVA_HOME_21_X64 \
./gradlew clean :dd-java-agent:shadowJar \
--build-cache --parallel --stacktrace --no-daemon --max-workers=4
- name: Perform CodeQL Analysis and upload results to GitHub Security tab
uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
# For now, CodeQL SARIF results are not supported by Datadog CI
# - name: Upload results to Datadog CI Static Analysis
# run: |
# wget --no-verbose https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64 -O datadog-ci
# chmod +x datadog-ci
# ./datadog-ci sarif upload /home/runner/work/dd-trace-java/results/java.sarif --service dd-trace-java --env ci
# env:
# DD_API_KEY: ${{ secrets.DATADOG_APP_KEY_PROD }}
# DD_SITE: datadoghq.com
# For now, CodeQL SARIF results are not supported by Datadog CI
# - name: Upload results to Datadog Staging CI Static Analysis
# run: |
# ./datadog-ci sarif upload /home/runner/work/dd-trace-java/results/java.sarif --service dd-trace-java --env ci
# env:
# DD_API_KEY: ${{ secrets.DATADOG_API_KEY_STAGING }}
# DD_SITE: datad0g.com
trivy:
name: Analyze changes with Trivy
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write # Required to upload the results to the Security tab
steps:
- name: Checkout repository
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # 4.1.6
with:
submodules: 'recursive'
- name: Cache Gradle dependencies
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
restore-keys: |
${{ runner.os }}-gradle-
- name: Remove old artifacts
run: |
MVN_LOCAL_REPO=$(./mvnw help:evaluate -Dexpression=settings.localRepository -q -DforceStdout)
echo "MVN_LOCAL_REPO=${MVN_LOCAL_REPO}" >> "$GITHUB_ENV"
rm -rf "${MVN_LOCAL_REPO}/com/datadoghq"
- name: Build and publish artifacts locally
run: |
GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx2G -Xms2G'" \
JAVA_HOME=$JAVA_HOME_8_X64 \
JAVA_8_HOME=$JAVA_HOME_8_X64 \
JAVA_11_HOME=$JAVA_HOME_11_X64 \
JAVA_17_HOME=$JAVA_HOME_17_X64 \
JAVA_21_HOME=$JAVA_HOME_21_X64 \
./gradlew clean publishToMavenLocal \
--build-cache --parallel --stacktrace --no-daemon --max-workers=4
- name: Copy published artifacts
run: |
mkdir -p ./workspace/.trivy
cp -RP "${MVN_LOCAL_REPO}/com/datadoghq" ./workspace/.trivy/
ls -laR "./workspace/.trivy"
- name: Run Trivy security scanner
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
scan-type: rootfs
scan-ref: './workspace/.trivy/'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
limit-severities-for-sarif: true
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
if: always()
with:
sarif_file: 'trivy-results.sarif'
- name: Upload results to Datadog CI Static Analysis
run: |
wget --no-verbose https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64 -O datadog-ci
chmod +x datadog-ci
./datadog-ci sarif upload trivy-results.sarif --service dd-trace-java --env ci
env:
DD_API_KEY: ${{ secrets.DATADOG_API_KEY_PROD }}
DD_SITE: datadoghq.com
- name: Upload results to Datadog Staging CI Static Analysis
run: |
./datadog-ci sarif upload trivy-results.sarif --service dd-trace-java --env ci
env:
DD_API_KEY: ${{ secrets.DATADOG_API_KEY_STAGING }}
DD_SITE: datad0g.com