spring-vulnerable-app/.github/workflows/build.yaml at main · arvos-dev/spring-vulnerable-app · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
#Workflow name
name: CI Pipeline
on:
  #Manually trigger workflow runs
  workflow_dispatch:
  #Trigger the workflow on push from the main branch
  push:
    branches:
      - main
      - 'feature/**'
  pull_request:
    branches:
      - main

env:
  APP_PORT: 8080

jobs:
  build:
    name: Arvos Dynamic Vulnerability Checker
    #Run on Ubuntu using the latest version
    runs-on: ubuntu-20.04
    #Job's steps
    steps:
      #Check-out your repository under $GITHUB_WORKSPACE, so your workflow can access it
      - uses: actions/checkout@v3
      #Set up JDK 17
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          distribution: 'zulu'
          java-version: '17'
      #Set up Maven cache
      - name: Cache Maven dependencies
        #This action allows caching dependencies and build outputs to improve workflow execution time.
        uses: actions/cache@v1
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2
      #Package the application
      - name: Package Application
        run: mvn -U package

      # Install ARVOS command line tool ( Dynamic vulnerability checking )
      - name: Install ARVOS
        run: pip install arvos

      # Run the application, and scan it with arvos
      - name: Run Arvos Scanner
        run : arvos scan --detach --java 17 --jar target/java-app-0.0.1-SNAPSHOT.jar --pom pom.xml --save-report csv

      # Generate some workload by hitting some endpoints
      - name: Generate Workload
        uses: ./.github/actions/retry
        with:
          retry_wait_seconds: 15
          timeout_minutes: 1
          retry_on: success
          max_attempts: 3
          command: ./workload-generator.sh

      # Stop arvos
      - name: Stop Arvos Scanner
        run : arvos --stop

      #  Print the report on the console
      - name: Produce Report
        run: |
          docker logs -f tracer
          exit $(docker inspect tracer --format "{{.State.ExitCode}}")

      # Archive the report as a csv build artifact
      - name: Archive Report
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: arvos-report
          path: ~/arvos-reports/arvos-report.csv