Map JSP stack traces to file names #6200
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Trivy Security Analysis" | |
| on: | |
| push: | |
| branches: [ master ] | |
| pull_request: | |
| # The branches below must be a subset of the branches above | |
| branches: [ master ] | |
| permissions: | |
| contents: read | |
| jobs: | |
| analyze: | |
| name: Analyze | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # 3.6.0 | |
| - name: Remove old artifacts | |
| run: | | |
| MVN_LOCAL_REPO=$(./mvnw help:evaluate -Dexpression=settings.localRepository -q -DforceStdout) | |
| echo "MVN_LOCAL_REPO=${MVN_LOCAL_REPO}" >> "$GITHUB_ENV" | |
| rm -rf "${MVN_LOCAL_REPO}/com/datadoghq" | |
| - name: Build and publish artifacts locally | |
| run: | | |
| GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx2G -Xms2G'" JAVA_HOME=$JAVA_HOME_8_X64 JAVA_8_HOME=$JAVA_HOME_8_X64 JAVA_11_HOME=$JAVA_HOME_11_X64 JAVA_17_HOME=$JAVA_HOME_17_X64 JAVA_21_HOME=$JAVA_HOME_21_X64 ./gradlew clean publishToMavenLocal --build-cache --parallel --stacktrace --no-daemon --max-workers=4 | |
| - name: Copy published artifacts | |
| run: | | |
| mkdir -p ./workspace/.trivy | |
| cp -RP "${MVN_LOCAL_REPO}/com/datadoghq" ./workspace/.trivy/ | |
| - name: List copied artifacts | |
| run: | | |
| ls -laR "./workspace/.trivy" | |
| - name: Run Trivy security scanner | |
| uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2 | |
| with: | |
| scan-type: rootfs | |
| scan-ref: './workspace/.trivy/' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| limit-severities-for-sarif: true | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # 2.15 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' |