Skip to content

dockerfile y docker build y push #68

dockerfile y docker build y push

dockerfile y docker build y push #68

Workflow file for this run

name: Workflow
on:
push:
branches:
- feature-clase1
jobs:
SAST:
runs-on: ubuntu-24.04
steps:
- name: Checkout Code
uses: actions/checkout@v3
- name: Set up JDK 17
uses: actions/setup-java@v2
with:
java-version: '17'
distribution: 'adopt'
- name: Set Environment Variables
run: echo "BRANCH_NAME=${{ github.ref_name }}" >> $GITHUB_ENV
- name: Validate and Configure build.gradle
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: |
if [ -f "build.gradle" ]; then
echo "Encontró el archivo"
echo "Verificando configuracion del plugin sonar"
if ! grep -q 'id "org.sonarqube" version "3.3"' build.gradle; then
echo "No se encuentra Plugin configurado"
sed -i '/id '\''java'\''/a \ \ \ \ id '\''org.sonarqube'\'' version '\''3.3'\''' build.gradle
echo "Plugin de Sonarcloud acaba de ser añadido a build.gradle"
cat build.gradle
else
echo "Plugin de sonarcloud ya está configurado en build.gradle"
fi
else
echo "no se encontró archivo build.gradle"
exit 1
fi
- name: Validando existencia de proyecto en SonarCloud
id: validateProjectOnSonar
run: |
#pwd
#ls -R
set +e
echo "Siguiente"
#curl -f -X POST -u '${{ secrets.SONAR_TOKEN }}:' 'https://sonarcloud.io/api/projects/create' -d 'name=${{ github.event.repository.name }}' -d 'project=${{ github.event.repository.name }}' -d 'organization=devsecopsusach' -d 'visibility=public'
#if [ $? -ne 0 ]; then
# echo "Proyecto ya existe en Sonarcloud"
# echo "project_created=false" >> $GITHUB_ENV
#else
# echo "Proyecto ${{ github.event.repository.name }} creado exitosamente en Sonarcloud"
#
# echo "Se establece rama main como rama por defecto"
# curl -X POST -u '${{ secrets.SONAR_TOKEN }}:' 'https://sonarcloud.io/api/project_branches/rename' -d 'name=main' -d 'project=${{ github.event.repository.name }}'
# echo "project_created=true" >> $GITHUB_ENV
#fi
#set -e
# name: Validate or Create SonarCloud Project
# id: validate-project
# env:
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# REPO_NAME: ${{ github.event.repository.name }}
# run: |
# echo "Verificando si el proyecto $REPO_NAME existe en SonarCloud..."
# response=$(curl -s -o /dev/null -w "%{http_code}" -u "$SONAR_TOKEN:" \
# "https://sonarcloud.io/api/projects/search?projects=$REPO_NAME")
# if [ "$response" -ne 200 ]; then
# echo "El proyecto no existe. Creándolo en SonarCloud..."
# create_response=$(curl -s -w "%{http_code}" -o /dev/null -X POST -u "$SONAR_TOKEN:" \
# "https://sonarcloud.io/api/projects/create" \
# -d "name=$REPO_NAME" \
# -d "project=$REPO_NAME" \
# -d "organization=devsecopsusach" \
# -d "visibility=public")
# if [ "$create_response" -ne 201 ]; then
# echo "¨Proyecto creado exitosamente (HTTP $create_response)."
# fi
# echo "Estableciendo la rama main como predeterminada..."
# curl -s -f -X POST -u "$SONAR_TOKEN:" \
# "https://sonarcloud.io/api/project_branches/rename" \
# -d "name=main" \
# -d "project=$REPO_NAME"
# echo "project_created=true" >> $GITHUB_ENV
# else
# echo "El proyecto ya existe en SonarCloud."
# echo "project_created=false" >> $GITHUB_ENV
# fi
- name: Enable execution gradlew
run: |
chmod 777 gradlew
- name: Perform Initial Analysis (if Project Created)
if: env.project_created == 'true'
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
REPO_NAME: ${{ github.event.repository.name }}
run: |
echo "Realizando análisis inicial en la rama main..."
./gradlew sonarqube \
-Dsonar.projectKey=$REPO_NAME \
-Dsonar.organization=devsecopsusach \
-Dsonar.host.url=https://sonarcloud.io \
-Dsonar.token=$SONAR_TOKEN \
-Dsonar.branch.name=main
- name: Perform Branch Analysis
if: env.project_created == 'false'
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
REPO_NAME: ${{ github.event.repository.name }}
BRANCH_NAME: ${{ github.ref_name }}
run: |
echo "Realizando análisis en la rama actual: $BRANCH_NAME..."
./gradlew sonarqube \
-Dsonar.projectKey=$REPO_NAME \
-Dsonar.organization=devsecopsusach \
-Dsonar.host.url=https://sonarcloud.io \
-Dsonar.token=$SONAR_TOKEN \
-Dsonar.branch.name=${{ github.ref_name }}
- name: Validate Quality Gate
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
REPO_NAME: ${{ github.event.repository.name }}
run: |
echo "Validando el estado del Quality Gate..."
analysisId=$(curl -s -u "$SONAR_TOKEN:" \
"https://sonarcloud.io/api/ce/component?component=$REPO_NAME" | jq -r '.current.analysisId')
qualityGateStatus=$(curl -s -u "$SONAR_TOKEN:" \
"https://sonarcloud.io/api/qualitygates/project_status?analysisId=$analysisId" | jq -r '.projectStatus.status')
if [ "$qualityGateStatus" != "OK" ]; then
echo "El proyecto no cumple con el Quality Gate: $qualityGateStatus."
echo "Verificando vulnerabilidades críticas..."
vulnerabilities=$(curl -s -u "$SONAR_TOKEN:" \
"https://sonarcloud.io/api/issues/search?componentKeys=$REPO_NAME&types=VULNERABILITY&severities=CRITICAL,BLOCKER" | jq -r '.total')
if [ "$vulnerabilities" -gt 0 ]; then
echo "Se encontraron $vulnerabilities vulnerabilidades críticas. El proyecto no cumple con los estándares de seguridad."
#exit 1
fi
else
echo "El proyecto cumple con el Quality Gate y no tiene vulnerabilidades críticas. Continuando sin problemas."
fi
SCA:
needs: SAST
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build
run: |
if [ -f "build.gradle" ]; then
echo "Proyecto utiliza archivo build.gradle"
echo "Se habilita permiso de ejecución de archivo gradlew"
chmod 777 gradlew
./gradlew build
ls -R
else
echo "Otro tipo de proyecto"
fi
- name: Dependency Check
uses: dependency-check/[email protected]
env:
JAVA_HOME: /opt/jdk
id: Depcheck
with:
project: '${{ github.event.repository.name }}'
path: '.'
format: 'HTML'
args: >
--out ./reports
--failOnCVSS 7
--enableRetired
- name: Upload Test Result
uses: actions/upload-artifact@master
with:
name: Depcheck Report
path: ./reports
- name: Upload JAR
uses: actions/upload-artifact@master
with:
name: JAR
path: ${{github.workspace}}/build/libs/spring-petclinic-2.6.0.jar
DockerBuild:
needs: SCA
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Docker Login
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Download JAR
uses: actions/download-artifact@master
with:
name: JAR
path: ${{github.workspace}}
- name: Docker Build
run: |
ls -R
docker build --tag b4b4y4g4x/cursodevsecops-test:latest .
- name: Push Docker
run: |
docker push b4b4y4g4x/cursodevsecops-test:latest