dd-trace-java/.github/workflows/analyze-changes.yaml at master · GoodNotes/dd-trace-java · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: Analyze changes

on:
  schedule:
    - cron: "0 20 * * *"
  workflow_dispatch:

jobs:
  codeql:
    name: Analyze changes with GitHub CodeQL
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write # Required to upload the results to the Security tab

    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
        with:
          submodules: 'recursive'
      - name: Cache Gradle dependencies
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
          restore-keys: |
            ${{ runner.os }}-gradle-

      - name: Initialize CodeQL
        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
        with:
          languages: 'java'
          build-mode: 'manual'

      - name: Build dd-trace-java for creating the CodeQL database
        env:
          ORG_GRADLE_PROJECT_akkaRepositoryToken: ${{ secrets.AKKA_REPO_TOKEN }}
        run: |
          GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx3G -Xms2G'" \
          JAVA_HOME=$JAVA_HOME_8_X64 \
          JAVA_8_HOME=$JAVA_HOME_8_X64 \
          JAVA_11_HOME=$JAVA_HOME_11_X64 \
          JAVA_17_HOME=$JAVA_HOME_17_X64 \
          JAVA_21_HOME=$JAVA_HOME_21_X64 \
          ./gradlew clean :dd-java-agent:shadowJar \
            --build-cache --parallel --stacktrace --no-daemon --max-workers=4

      - name: Perform CodeQL Analysis and upload results to GitHub Security tab
        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3

  trivy:
    name: Analyze changes with Trivy
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write # Required to upload the results to the Security tab

    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
        with:
          submodules: 'recursive'

      - name: Cache Gradle dependencies
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
          restore-keys: |
            ${{ runner.os }}-gradle-

      - name: Remove old artifacts
        run: |
          MVN_LOCAL_REPO=$(./mvnw help:evaluate -Dexpression=settings.localRepository -q -DforceStdout)
          echo "MVN_LOCAL_REPO=${MVN_LOCAL_REPO}" >> "$GITHUB_ENV"
          rm -rf "${MVN_LOCAL_REPO}/com/datadoghq"

      - name: Build and publish artifacts locally
        env:
          ORG_GRADLE_PROJECT_akkaRepositoryToken: ${{ secrets.AKKA_REPO_TOKEN }}
        run: |
          GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx3G -Xms2G'" \
          JAVA_HOME=$JAVA_HOME_8_X64 \
          JAVA_8_HOME=$JAVA_HOME_8_X64 \
          JAVA_11_HOME=$JAVA_HOME_11_X64 \
          JAVA_17_HOME=$JAVA_HOME_17_X64 \
          JAVA_21_HOME=$JAVA_HOME_21_X64 \
          ./gradlew clean publishToMavenLocal \
            --build-cache --parallel --stacktrace --no-daemon --max-workers=4

      - name: Copy published artifacts
        run: |
          mkdir -p ./workspace/.trivy
          cp -RP "${MVN_LOCAL_REPO}/com/datadoghq" ./workspace/.trivy/
          ls -laR "./workspace/.trivy"

      - name: Run Trivy security scanner
        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
        with:
          scan-type: rootfs
          scan-ref: './workspace/.trivy/'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          limit-severities-for-sarif: true
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Upload results to Datadog CI Static Analysis
        run: |
          wget --no-verbose https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64 -O datadog-ci
          chmod +x datadog-ci
          ./datadog-ci sarif upload trivy-results.sarif --service dd-trace-java --env ci
        env:
          DD_API_KEY: ${{ secrets.DATADOG_API_KEY_PROD }}
          DD_SITE: datadoghq.com