bitwarden-server/.github/workflows/scan.yml

name: Scan

on:
  workflow_dispatch:
  push:
    branches:
      - "main"
      - "rc"
      - "hotfix-rc"
  pull_request_target:
    types: [opened, synchronize]

jobs:
  check-run:
    name: Check PR run
    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main

  sast:
    name: SAST scan
    runs-on: ubuntu-22.04
    needs: check-run
    permissions:
      contents: read
      pull-requests: write
      security-events: write

    steps:
      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}

      - name: Scan with Checkmarx
        uses: checkmarx/ast-github-action@f0869bd1a37fddc06499a096101e6c900e815d81 # 2.0.36
        env:
          INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
        with:
          project_name: ${{ github.repository }}
          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
          base_uri: https://ast.checkmarx.net/
          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
          additional_params: |
            --report-format sarif \
            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
            --output-path . ${{ env.INCREMENTAL }}

      - name: Upload Checkmarx results to GitHub
        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
        with:
          sarif_file: cx_result.sarif

  quality:
    name: Quality scan
    runs-on: ubuntu-22.04
    needs: check-run
    permissions:
      contents: read
      pull-requests: write

    steps:
      - name: Set up JDK 17
        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
        with:
          java-version: 17
          distribution: "zulu"

      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{  github.event.pull_request.head.sha }}

      - name: Set up .NET
        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0

      - name: Install SonarCloud scanner
        run: dotnet tool install dotnet-sonarscanner -g

      - name: Scan with SonarCloud
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          dotnet-sonarscanner begin /k:"${{ github.repository_owner }}_${{ github.event.repository.name }}" \
          /d:sonar.test.inclusions=test/,bitwarden_license/test/ \
          /d:sonar.exclusions=test/,bitwarden_license/test/ \
          /o:"${{ github.repository_owner }}" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" \
          /d:sonar.host.url="https://sonarcloud.io"
          dotnet build
          dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"
Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00			`name: Scan`

			`on:`
			`workflow_dispatch:`
			`push:`
			`branches:`
			`- "main"`
			`- "rc"`
			`- "hotfix-rc"`
Protected scanner runs (#3900) 2024-03-18 17:42:06 +01:00			`pull_request_target:`
			`types: [opened, synchronize]`
Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00
			`jobs:`
Protected scanner runs (#3900) 2024-03-18 17:42:06 +01:00			`check-run:`
			`name: Check PR run`
			`uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main`

Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00			`sast:`
			`name: SAST scan`
			`runs-on: ubuntu-22.04`
Protected scanner runs (#3900) 2024-03-18 17:42:06 +01:00			`needs: check-run`
Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00			`permissions:`
Adjust scan permissions (#3931) 2024-03-27 17:35:24 +01:00			`contents: read`
			`pull-requests: write`
Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00			`security-events: write`

			`steps:`
			`- name: Check out repo`
[deps] DevOps: Update gh minor (#4945) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> 2024-10-30 16:23:50 +01:00			`uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`
Protected scanner runs (#3900) 2024-03-18 17:42:06 +01:00			`with:`
			`ref: ${{ github.event.pull_request.head.sha }}`
Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00
			`- name: Scan with Checkmarx`
[deps] DevOps: Update gh minor (#4885) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> 2024-10-17 16:42:44 +02:00			`uses: checkmarx/ast-github-action@f0869bd1a37fddc06499a096101e6c900e815d81 # 2.0.36`
Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00			`env:`
Protected scanner runs (#3900) 2024-03-18 17:42:06 +01:00			`INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' \|\| '' }}"`
Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00			`with:`
			`project_name: ${{ github.repository }}`
			`cx_tenant: ${{ secrets.CHECKMARX_TENANT }}`
			`base_uri: https://ast.checkmarx.net/`
			`cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}`
			`cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}`
Keep scan parameters as piped 2024-04-03 20:13:49 +02:00			`additional_params: \|`
			`--report-format sarif \`
			`--filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \`
			`--output-path . ${{ env.INCREMENTAL }}`
Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00
			`- name: Upload Checkmarx results to GitHub`
[deps] DevOps: Update gh minor (#4945) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> 2024-10-30 16:23:50 +01:00			`uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0`
Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00			`with:`
			`sarif_file: cx_result.sarif`

			`quality:`
			`name: Quality scan`
			`runs-on: ubuntu-22.04`
Protected scanner runs (#3900) 2024-03-18 17:42:06 +01:00			`needs: check-run`
Adjust scan permissions (#3931) 2024-03-27 17:35:24 +01:00			`permissions:`
			`contents: read`
			`pull-requests: write`
Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00
			`steps:`
Optimize Sonar scans (#4488) * Optimize Sonar scans * Cache 2024-07-10 19:08:28 +02:00			`- name: Set up JDK 17`
[deps] DevOps: Update gh minor (#4945) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> 2024-10-30 16:23:50 +01:00			`uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0`
Optimize Sonar scans (#4488) * Optimize Sonar scans * Cache 2024-07-10 19:08:28 +02:00			`with:`
			`java-version: 17`
			`distribution: "zulu"`

Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00			`- name: Check out repo`
[deps] DevOps: Update gh minor (#4945) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> 2024-10-30 16:23:50 +01:00			`uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`
Provide full depth for Sonar scans (#3860) 2024-02-29 21:40:14 +01:00			`with:`
			`fetch-depth: 0`
Protected scanner runs (#3900) 2024-03-18 17:42:06 +01:00			`ref: ${{ github.event.pull_request.head.sha }}`
Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00
Optimize Sonar scans (#4488) * Optimize Sonar scans * Cache 2024-07-10 19:08:28 +02:00			`- name: Set up .NET`
[deps] DevOps: Update gh minor (#4945) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> 2024-10-30 16:23:50 +01:00			`uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0`
Optimize Sonar scans (#4488) * Optimize Sonar scans * Cache 2024-07-10 19:08:28 +02:00
			`- name: Install SonarCloud scanner`
			`run: dotnet tool install dotnet-sonarscanner -g`

Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management 2024-02-23 19:47:23 +01:00			`- name: Scan with SonarCloud`
			`env:`
			`SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}`
			`GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`
Optimize Sonar scans (#4488) * Optimize Sonar scans * Cache 2024-07-10 19:08:28 +02:00			`run: \|`
			`dotnet-sonarscanner begin /k:"${{ github.repository_owner }}_${{ github.event.repository.name }}" \`
Explicitly specify Sonar source paths (#4516) 2024-07-16 18:01:12 +02:00			`/d:sonar.test.inclusions=test/,bitwarden_license/test/ \`
			`/d:sonar.exclusions=test/,bitwarden_license/test/ \`
Optimize Sonar scans (#4488) * Optimize Sonar scans * Cache 2024-07-10 19:08:28 +02:00			`/o:"${{ github.repository_owner }}" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" \`
			`/d:sonar.host.url="https://sonarcloud.io"`
			`dotnet build`
			`dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"`