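name: Analyze changes

on:
  push:
    branches: [ master ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ master ]

# Cancel long-running jobs when a new commit is pushed
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# No top-level `permissions:` block is needed: every job below declares its own
# least-privilege token scopes (read-only plus security-events: write).
jobs:
  codeql:
    name: Analyze changes with GitHub CodeQL
    # Don’t run on PR, only when pushing to master
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write # Required to upload the results to the Security tab
    steps:
      # All third-party actions are pinned to a full commit SHA (tag in the trailing
      # comment is informational only) so a moved tag cannot swap the action's code.
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: 'recursive'
      - name: Cache Gradle dependencies
        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
          # Prefix fallback restores a cache from an older lockfile state; acceptable here
          # because this job only runs on master, so caches are never written by PR code.
          restore-keys: |
            ${{ runner.os }}-gradle-
      - name: Initialize CodeQL
        uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
        with:
          languages: 'java'
          build-mode: 'manual'
      - name: Build dd-trace-java for creating the CodeQL database
        run: |
          GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx2G -Xms2G'" \
          JAVA_HOME=$JAVA_HOME_8_X64 \
          JAVA_8_HOME=$JAVA_HOME_8_X64 \
          JAVA_11_HOME=$JAVA_HOME_11_X64 \
          JAVA_17_HOME=$JAVA_HOME_17_X64 \
          JAVA_21_HOME=$JAVA_HOME_21_X64 \
          ./gradlew clean :dd-java-agent:shadowJar \
          --build-cache --parallel --stacktrace --no-daemon --max-workers=4
      - name: Perform CodeQL Analysis and upload results to GitHub Security tab
        uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0

  trivy:
    name: Analyze changes with Trivy
    # Don’t run on PR, only when pushing to master
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write # Required to upload the results to the Security tab
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: 'recursive'
      - name: Cache Gradle dependencies
        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
          restore-keys: |
            ${{ runner.os }}-gradle-
      # Clear previously published com.datadoghq artifacts from the local Maven repo so
      # the scan below only sees what this build publishes.
      - name: Remove old artifacts
        run: |
          MVN_LOCAL_REPO=$(./mvnw help:evaluate -Dexpression=settings.localRepository -q -DforceStdout)
          echo "MVN_LOCAL_REPO=${MVN_LOCAL_REPO}" >> "$GITHUB_ENV"
          rm -rf "${MVN_LOCAL_REPO}/com/datadoghq"
      - name: Build and publish artifacts locally
        run: |
          GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx2G -Xms2G'" \
          JAVA_HOME=$JAVA_HOME_8_X64 \
          JAVA_8_HOME=$JAVA_HOME_8_X64 \
          JAVA_11_HOME=$JAVA_HOME_11_X64 \
          JAVA_17_HOME=$JAVA_HOME_17_X64 \
          JAVA_21_HOME=$JAVA_HOME_21_X64 \
          ./gradlew clean publishToMavenLocal \
          --build-cache --parallel --stacktrace --no-daemon --max-workers=4
      - name: Copy published artifacts
        run: |
          mkdir -p ./workspace/.trivy
          cp -RP "${MVN_LOCAL_REPO}/com/datadoghq" ./workspace/.trivy/
          ls -laR "./workspace/.trivy"
      - name: Run Trivy security scanner
        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.31.0
        with:
          scan-type: rootfs
          scan-ref: './workspace/.trivy/'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          limit-severities-for-sarif: true
        env:
          # Comma-separated fallbacks: the second registry is used if the first is unavailable
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
      # SECURITY(review): this step downloads a binary from GitHub Releases and runs it
      # with a production API key in its environment. The job is gated to pushes on
      # master (never PRs), which limits who can reach it, but a tampered or
      # compromised release asset would still execute with that secret. The hooks
      # below keep the current behaviour by default (unpinned "latest", no checksum)
      # while making it a one-line change to pin a release tag and verify the
      # asset's SHA-256 before execution; set both once a version is chosen.
      - name: Upload results to Datadog CI Static Analysis
        run: |
          set -euo pipefail
          if [ "${DATADOG_CI_VERSION}" = "latest" ]; then
            DOWNLOAD_URL="https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64"
          else
            DOWNLOAD_URL="https://github.com/DataDog/datadog-ci/releases/download/${DATADOG_CI_VERSION}/datadog-ci_linux-x64"
          fi
          wget --no-verbose --https-only "${DOWNLOAD_URL}" -O datadog-ci
          # Verify the download when an expected digest is configured; an empty value skips the check.
          if [ -n "${DATADOG_CI_SHA256}" ]; then
            echo "${DATADOG_CI_SHA256}  datadog-ci" | sha256sum --check --strict
          fi
          chmod +x datadog-ci
          ./datadog-ci sarif upload trivy-results.sarif --service dd-trace-java --env ci
        env:
          # Release tag of datadog-ci to download; 'latest' resolves to the newest release (unpinned).
          DATADOG_CI_VERSION: 'latest'
          # Expected SHA-256 (hex) of datadog-ci_linux-x64 for the pinned tag; leave empty to skip verification.
          DATADOG_CI_SHA256: ''
          DD_API_KEY: ${{ secrets.DATADOG_API_KEY_PROD }}
          DD_SITE: datadoghq.com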