diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml new file mode 100644 index 000000000..4e91b8459 --- /dev/null +++ b/.github/workflows/security-scan.yml @@ -0,0 +1,52 @@ +name: Security Scan + +on: + workflow_dispatch: + push: + branches: + - java-security + +jobs: + build-and-scan: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + + - name: Set up JDK 8 + uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 + with: + java-version: 8 + + - name: Cache Maven packages + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + with: + path: ~/.m2 + key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} + restore-keys: ${{ runner.os }}-m2 + + - name: Build JAR + run: mvn --errors package -DskipTests -pl databricks-sdk-java + + - name: Checkout scanner + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + with: + repository: databricks-eng/gh-action-scan + path: .scan + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Run security scan + run: | + chmod +x .scan/scan.sh + .scan/scan.sh \ + --artifact-path databricks-sdk-java/target/ \ + --artifact-name databricks-sdk-java \ + --output-dir ./scan-results + + - name: Upload scan results + if: ${{ !cancelled() }} + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 + with: + name: security-scan-results + path: ./scan-results/ + if-no-files-found: warn