KxSystems · cterry45 · Jan 23, 2024 · Jan 22, 2024 · Jan 22, 2024 · Jan 22, 2024
diff --git a/.github/workflows/app-sec-template.yml b/.github/workflows/app-sec-template.yml
@@ -0,0 +1,74 @@
+name: Application Security
+
+on:
+  workflow_call:
+    inputs:
+      github_ref:
+        required: true
+        type: string
+
+jobs:
+  app-sec:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Install Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16.x
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: get-npm-version
+        id: package-version
+        uses: martinbeentjes/[email protected]
+
+      - name: Download lcov result from test job
+        uses: actions/download-artifact@v3
+        with:
+          name: lcov
+
+      - name: SonarCloud Scan
+        uses: sonarsource/sonarqube-scan-action@master
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        with:
+          args: >
+            -Dsonar.projectVersion=${{ steps.package-version.outputs.current-version}}
+
+      - name: Sonarqube Quality Gate Check
+        id: sonarqube-quality-gate-check
+        uses: sonarsource/sonarqube-quality-gate-action@master
+        # Force to fail step after specific time
+        timeout-minutes: 5
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+
+      - name: Snyk scan for all vulnerabilities
+        uses: snyk/actions/node@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.pink_snyk_api_key }}
+
+      - name: Snyk scan for high or critical vulnerabilities
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.pink_snyk_api_key }}
+        with:
+          args: --severity-threshold=high
+
+      - name: Snyk Monitor
+        uses: snyk/actions/node@master
+        if: ${{ (inputs.github_ref == 'ref/head/dev') || (inputs.github_ref == 'ref/head/main') }}
+        env:
+          SNYK_TOKEN: ${{ secrets.pink_snyk_api_key }}
+        with:
+          command: monitor
+          args: --target-reference=${{ inputs.github_ref }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -54,50 +54,7 @@ jobs:
 
   app-sec:
     needs: test
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout source code
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Install Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: 16.x
-
-      - name: Download lcov result from test job
-        uses: actions/download-artifact@v3
-        with:
-          name: lcov
-
-      - name: Install dependencies
-        run: npm install
-
-      - name: SonarCloud Scan
-        uses: sonarsource/sonarqube-scan-action@master
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
-
-      - name: Sonarqube Quality Gate Check
-        id: sonarqube-quality-gate-check
-        uses: sonarsource/sonarqube-quality-gate-action@master
-        # Force to fail step after specific time
-        timeout-minutes: 5
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
-
-      - name: Snyk scan for all vulnerabilities
-        uses: snyk/actions/node@master
-        continue-on-error: true
-        env:
-          SNYK_TOKEN: ${{ secrets.pink_snyk_api_key }}
-
-      - name: Snyk scan for high or critical vulnerabilities
-        uses: snyk/actions/node@master
-        env:
-          SNYK_TOKEN: ${{ secrets.pink_snyk_api_key }}
-        with:
-          args: --severity-threshold=high
+    uses: ./.github/workflows/app-sec-template.yml
+    with:
+      github_ref: ${{ github.ref_name }}
+    secrets: inherit
diff --git a/.github/workflows/prod_release.yml b/.github/workflows/prod_release.yml
@@ -36,49 +36,11 @@ jobs:
           retention_days: 1
 
   app-sec:
-    runs-on: ubuntu-latest
     needs: build
-    steps:
-      - name: Checkout source code
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-
-      - name: Install Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: 16.x
-
-      - name: Install dependencies
-        run: npm install
-
-      - name: SonarCloud Scan
-        uses: sonarsource/sonarqube-scan-action@master
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
-
-      - name: Sonarqube Quality Gate Check
-        id: sonarqube-quality-gate-check
-        uses: sonarsource/sonarqube-quality-gate-action@master
-        # Force to fail step after specific time
-        timeout-minutes: 5
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
-
-      - name: Snyk scan for all vulnerabilities
-        uses: snyk/actions/node@master
-        continue-on-error: true
-        env:
-          SNYK_TOKEN: ${{ secrets.pink_snyk_api_key }}
-
-      - name: Snyk scan for high or critical vulnerabilities
-        uses: snyk/actions/node@master
-        env:
-          SNYK_TOKEN: ${{ secrets.pink_snyk_api_key }}
-        with:
-          args: --severity-threshold=high
+    uses: ./.github/workflows/app-sec-template.yml
+    with:
+      github_ref: ${{ github.ref_name }}
+    secrets: inherit
 
   release:
     needs: app-sec

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -43,69 +43,11 @@ jobs:
           retention-days: 1
 
   app-sec:
-    runs-on: ubuntu-latest
     needs: build
-    steps:
-      - name: Checkout source code
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-
-      - name: Install Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: 16.x
-
-      - name: Install dependencies
-        run: npm install
-
-      - name: get-npm-version
-        id: package-version
-        uses: martinbeentjes/[email protected]
-
-      - name: Download lcov result from test job
-        uses: actions/download-artifact@v3
-        with:
-          name: lcov
-
-      - name: SonarCloud Scan
-        uses: sonarsource/sonarqube-scan-action@master
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
-        with:
-          args: >
-            -Dsonar.projectVersion=${{ steps.package-version.outputs.current-version}}
-
-      - name: Sonarqube Quality Gate Check
-        id: sonarqube-quality-gate-check
-        uses: sonarsource/sonarqube-quality-gate-action@master
-        # Force to fail step after specific time
-        timeout-minutes: 5
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
-
-      - name: Snyk scan for all vulnerabilities
-        uses: snyk/actions/node@master
-        continue-on-error: true
-        env:
-          SNYK_TOKEN: ${{ secrets.pink_snyk_api_key }}
-
-      - name: Snyk scan for high or critical vulnerabilities
-        uses: snyk/actions/node@master
-        env:
-          SNYK_TOKEN: ${{ secrets.pink_snyk_api_key }}
-        with:
-          args: --severity-threshold=high
-
-      - name: Snyk Monitor
-        uses: snyk/actions/node@master
-        env:
-          SNYK_TOKEN: ${{ secrets.pink_snyk_api_key }}
-        with:
-          command: monitor
-          args: --target-reference=${{ github.ref_name }}
+    uses: ./.github/workflows/app-sec-template.yml
+    with:
+      github_ref: ${{ github.ref_name }}
+    secrets: inherit
 
   release:
     runs-on: ubuntu-latest