.github/workflows/security.yml

name: Security

on:
  pull_request:
    branches: [main, release/**]
  push:
    branches: [main, release/**]
    tags: [v*]

jobs:
  dependencies:
    name: Dependency check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install JDK
        uses: actions/setup-java@v4
        with:
          distribution: "temurin"
          java-version: 21

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3

      - name: Vulnerability check
        run: ./gradlew dependencyCheckAggregate

      - name: Upload report
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: build/reports/dependency-check-report.html

  gosec:
    env:
      GO111MODULE: on
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
        with:
          path: tmp

      - name: Copy hedera-mirror-rosetta to workspace root
        working-directory: .
        run: |
          cp -r tmp/hedera-mirror-rosetta/* .
          rm -fr tmp

      - name: Run Gosec Security Scanner
        uses: securego/gosec@v2.19.0
        with:
          args: ./...

  sonar:
    if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
    name: SonarCloud
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

      - name: Install JDK
        uses: actions/setup-java@v4
        with:
          distribution: "temurin"
          java-version: 21

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3

      - name: Cache SonarCloud dependencies
        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar

      - name: Execute Gradle
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: ./gradlew build sonar -x test

  snyk:
    if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
    name: Snyk Open Source
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install JDK
        uses: actions/setup-java@v4
        with:
          distribution: "temurin"
          java-version: 21

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3

      - name: Setup Snyk
        run: npm install -g snyk-to-html @wcj/html-to-markdown-cli

      - name: Execute Snyk Test
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: ./gradlew snyk-test

      - name: Publish Snyk Results
        continue-on-error: true
        if: ${{ !cancelled() && always() }}
        run: |
          report="build/reports/snyk-test"
          if [[ -f ${report}.json ]]; then
            snyk-to-html -i ${report}.json -o ${report}.html && \
            html-to-markdown ${report}.html -o build/reports && \
            cat ${report}.html.md >> $GITHUB_STEP_SUMMARY
          fi

  snyk-code:
    if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
    name: Snyk Code
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install JDK
        uses: actions/setup-java@v4
        with:
          distribution: "temurin"
          java-version: 21

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3

      - name: Setup Snyk
        run: npm install -g snyk-to-html @wcj/html-to-markdown-cli

      - name: Execute Snyk Code Test
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: ./gradlew snyk-code

      - name: Publish Snyk Results
        continue-on-error: true
        if: ${{ !cancelled() && always() }}
        run: |
          report="build/reports/snyk-code"
          if [[ -f ${report}.json ]]; then
            snyk-to-html -i ${report}.json -o ${report}.html && \
            html-to-markdown ${report}.html -o build/reports && \
            cat ${report}.html.md >> $GITHUB_STEP_SUMMARY
          fi

  snyk-monitor:
    if: github.event_name == 'push' && github.ref_name == 'main'
    name: Snyk Monitor
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install JDK
        uses: actions/setup-java@v4
        with:
          distribution: "temurin"
          java-version: 21

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3

      - name: Execute Snyk Monitor
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: ./gradlew snyk-monitor