ci: add CodeQL + OWASP Dependency-Check, attach SBOM and attestations to releases#7
… to releases

- codeql.yml runs the security-and-quality query suite on push, PR, and weekly cron, uploading findings to the GitHub Security tab.
- dependency-check.yml runs the OWASP SCA scan on push, PR, and weekly cron. Wired via a new "security" Maven profile that fails the build on CVSS >= 7 in runtime/compile scopes; SARIF goes to the Security tab.
- release.yml now collects per-module CycloneDX SBOMs from the release:perform checkout, mints actions/attest-build-provenance for the JARs and actions/attest-sbom attestations linking each SBOM to its JAR, and attaches the SBOM JSON+XML to the GitHub Release.
Pull request overview
This PR strengthens the project’s supply-chain/security posture by adding automated static analysis (CodeQL), software composition analysis (OWASP Dependency-Check), and by publishing SBOMs plus provenance/SBOM attestations as part of the release process.
Changes:

- Add a security Maven profile that runs OWASP Dependency-Check (including SARIF output) and fails the build on CVSS ≥ 7.
- Add new GitHub Actions workflows for CodeQL and Dependency-Check, publishing findings to the GitHub Security tab.
- Enhance the release workflow to collect per-module CycloneDX SBOMs, mint provenance/SBOM attestations, and attach SBOMs to GitHub Releases.
Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| pom.xml | Adds a security profile configuring OWASP Dependency-Check with SARIF/JSON/HTML output and CVSS gating. |
| CHANGELOG.md | Documents the new security workflows and release SBOM/attestation enhancements. |
| .github/workflows/release.yml | Collects SBOMs/JARs, generates attestations, and attaches SBOM assets to the GitHub Release. |
| .github/workflows/dependency-check.yml | New workflow to run Dependency-Check on push/PR/cron, upload SARIF, and publish reports as artifacts. |
| .github/workflows/codeql.yml | New workflow to run CodeQL (security-and-quality) on push/PR/cron and upload results. |
…expansion

Previously the collect step emitted only ::warning:: when an expected SBOM or JAR was absent, then `gh release create release-assets/*-cyclonedx.{json,xml}` would receive an unexpanded glob and fail with a confusing "no such file" error several steps later.

Now any missing artifact is an ::error:: with a path-precise message and the step exits non-zero before attestation/release creation runs.
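The fail-fast collect step described in the commit above, as an added shell example rather than the project's own release.yml step. It assumes a hypothetical layout of `<checkout>/<module>/target/<module>-<version>.jar` with the CycloneDX JSON and XML SBOMs beside it; the module names and version used in the fixture are constructed. Every missing artifact is reported with its exact path via a `::error::` annotation and the function returns non-zero, so the job stops before attestation instead of handing an unexpanded glob to `gh release create`.

```shell
#!/usr/bin/env bash
# Added example (not the project's workflow): collect per-module JARs and
# CycloneDX SBOMs into a release-assets directory, failing hard on any gap.
# Assumed layout (hypothetical): <checkout>/<module>/target/<module>-<version>.jar
# plus <module>-<version>-cyclonedx.{json,xml} next to it.
set -u

# collect_release_assets <checkout_dir> <version> <dest_dir> <module>...
# Copies each module's JAR and SBOMs into <dest_dir>. Each missing file is
# emitted as a GitHub Actions ::error:: with file= pointing at the path; the
# function returns 1 if anything was missing so the step exits non-zero here.
collect_release_assets() {
  local checkout="$1" version="$2" dest="$3"
  shift 3
  local missing=0 module path
  mkdir -p "$dest"
  for module in "$@"; do
    for path in \
      "$checkout/$module/target/$module-$version.jar" \
      "$checkout/$module/target/$module-$version-cyclonedx.json" \
      "$checkout/$module/target/$module-$version-cyclonedx.xml"; do
      if [ -f "$path" ]; then
        cp "$path" "$dest/"
      else
        printf '::error file=%s::missing release artifact %s\n' "$path" "$path"
        missing=$((missing + 1))
      fi
    done
  done
  if [ "$missing" -gt 0 ]; then
    printf '::error::%d release artifact(s) missing; aborting before attestation\n' "$missing"
    return 1
  fi
  return 0
}

# count_sboms <dest_dir> - number of CycloneDX JSON/XML files actually present,
# i.e. what `gh release create <dest>/*-cyclonedx.{json,xml}` would receive.
# Without nullglob an unmatched pattern stays literal, so only real files count.
count_sboms() {
  local dest="$1" n=0 f
  for f in "$dest"/*-cyclonedx.json "$dest"/*-cyclonedx.xml; do
    [ -f "$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# make_fixture <checkout_dir> <version> <module>... - constructed sample tree
# standing in for the release:perform checkout (empty JARs, minimal SBOMs).
make_fixture() {
  local checkout="$1" version="$2" m
  shift 2
  for m in "$@"; do
    mkdir -p "$checkout/$m/target"
    : > "$checkout/$m/target/$m-$version.jar"
    printf '{"bomFormat":"CycloneDX"}\n' > "$checkout/$m/target/$m-$version-cyclonedx.json"
    printf '<bom/>\n' > "$checkout/$m/target/$m-$version-cyclonedx.xml"
  done
}
```

In a workflow the function would run in the same step that stages `release-assets/`, so the attestation and `gh release create` steps only ever see a complete set; the `::error file=...::` form also surfaces the missing path as an annotation on the run rather than burying it in the log.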
`github.run_id` made every workflow run create a brand-new cache entry, causing storage churn and eventual eviction of older entries. The restore-keys prefix still pulled in the prior cache, so functionally it worked, but it wasted GitHub Actions cache quota. Switch to a stable per-OS key bucketed by ISO year-week (`%G-%V`): PR/push runs within the same week share one cache entry, and the weekly cron run naturally rolls to a fresh key — refreshing the NVD feed without manual cache-busting.
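The weekly-bucketed cache key from the commit above, as an added shell example rather than the project's workflow. It assumes GNU `date` (for `-d`), as on ubuntu-latest runners; the `dependency-check-<os>-` key prefix is an assumption, not the PR's literal key. The comparison function shows why the key must use `%G` (ISO week-based year) and not `%Y`: the last days of December can belong to week 01 of the next ISO year, and a `%Y-%V` key would collide with the first week of the previous January.

```shell
#!/usr/bin/env bash
# Added example (not the project's workflow): a stable, weekly-rolling cache
# key for the Dependency-Check NVD data directory.
# Assumes GNU date (`-d`), as on ubuntu-latest runners.

# iso_week <YYYY-MM-DD> - ISO 8601 year-week, e.g. 2025-01.
# %G is the ISO week-based year, %V the ISO week number (01..53).
iso_week() {
  date -u -d "$1" +%G-%V
}

# naive_week <YYYY-MM-DD> - the tempting but wrong %Y-%V, kept for comparison:
# around New Year the calendar year and the ISO week-year differ.
naive_week() {
  date -u -d "$1" +%Y-%V
}

# cache_key <os> <YYYY-MM-DD> - full cache key for the NVD data directory.
# Runs within the same ISO week on the same OS share one entry; the weekly
# cron lands in a new week and therefore a new key (assumed prefix).
cache_key() {
  printf 'dependency-check-%s-%s\n' "$1" "$(iso_week "$2")"
}

# cache_restore_prefix <os> - restore-keys prefix that still hits last week's
# entry on a miss, so the NVD feed is updated incrementally, not redownloaded.
cache_restore_prefix() {
  printf 'dependency-check-%s-\n' "$1"
}

# same_bucket <os> <date1> <date2> - true if two runs share a cache entry.
same_bucket() {
  [ "$(cache_key "$1" "$2")" = "$(cache_key "$1" "$3")" ]
}
```

Wired into a workflow (assumed, not the PR's exact YAML), `iso_week` runs once in a step whose output feeds `actions/cache`'s `key:`, with `cache_restore_prefix` as `restore-keys:`. Note the failure mode the naive form hides: `naive_week 2024-12-30` and `naive_week 2024-01-01` both yield `2024-01`, so a December-30 run would restore a year-old NVD snapshot, while `iso_week` gives `2025-01` and `2024-01` respectively.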
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Two issues with the previous configuration:

1. The dependency-check execution sat in a profile under `<build><plugins>` in the parent pom, which means children inherited it. Each child would invoke the `aggregate` goal during its own verify phase — redundant at best, and `aggregate` is a reactor-root goal that can fail in non-aggregator contexts. Marking the plugin `<inherited>false</inherited>` keeps it scoped to the parent reactor.

2. The workflow cached ~/.m2/repository AND ~/.m2/repository/org/owasp/dependency-check-data — overlapping paths, causing redundant storage and unpredictable restore semantics. Relocate the plugin's dataDirectory to ~/.cache/dependency-check-data so the NVD cache path is disjoint from the maven dependency cache.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.
…elease create

Agent-Logs-Url: https://github.com/jcputney/magika-java/sessions/8abf5120-a490-4829-8695-8a57d7bcf491
Co-authored-by: jcputney <[email protected]>