add image scan for test and publish workflows

Author: sebdebros

.github/workflows/publish.yaml

@@ -46,7 +46,25 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # Build and push the Docker image
+      # Build the Docker image locally
+      - name: Build local image for scanning
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          load: true
+          tags: ghcr.io/kleis-technology/cloud-assess/cloud-assess-app:scan-tmp
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'ghcr.io/kleis-technology/cloud-assess/cloud-assess-app:scan-tmp'
+          format: 'table'
+          exit-code: '1' # Fail the pipeline if vulnerabilities are found
+          ignore-unfixed: true
+          vuln-type: 'library'
+          severity: 'CRITICAL,HIGH'
+
+      # If scan passes, Build and push the actual multi-platform images
       - name: Build and push Docker image
         uses: docker/build-push-action@v6
         with:

.github/workflows/test.yaml

@@ -42,3 +42,13 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: ./gradlew test
 
+      - name: Run Trivy vulnerability scanner (Repo scan)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs' # 'fs'
+          scan-ref: '.'
+          vuln-type: 'library'
+          ignore-unfixed: true
+          format: 'table'
+          exit-code: '1' # Fail the pipeline if vulnerabilities are found
+          severity: 'CRITICAL,HIGH'

README.md

@@ -72,6 +72,12 @@ From the root of the git repository, run
 ./gradlew build
 ```
 
+To update a library and update the gradle.lockfile
+
+```bash
+./gradlew dependencies --write-locks
+```
+
 To run the server locally
 
 ```bash

build.gradle.kts

@@ -2,7 +2,7 @@ import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
 
 plugins {
     id("maven-publish")
-    id("org.springframework.boot") version "3.2.4"
+    id("org.springframework.boot") version "3.5.10"
     id("io.spring.dependency-management") version "1.1.3"
     kotlin("jvm") version "1.8.22"
     kotlin("plugin.spring") version "1.8.22"
@@ -34,7 +34,6 @@ dependencies {
     implementation("ch.kleis.lcaac:core:$lcaacVersion")
     implementation("ch.kleis.lcaac:grammar:$lcaacVersion")
 
-
     implementation("org.springframework.boot:spring-boot-starter")
     implementation("org.jetbrains.kotlin:kotlin-reflect")
     implementation("org.springframework.boot:spring-boot-starter-web")
@@ -95,9 +94,19 @@ openApiGenerate {
         "EntryValueDto" to " org.cloud_assess.dto.EntryValueDto",
         "ParameterValueDto" to "org.cloud_assess.dto.ParameterValueDto",
     ))
+    // generate only the API and the DTO (and not the supporting files such as the pom.xml that has no usage and outdated libraries)
+    globalProperties.set(mapOf(
+        "apis" to "",
+        "models" to "",
+        "supportingFiles" to "ApiUtil.kt"
+    ))
 }
 
 openApiValidate {
     inputSpec.set("$rootDir/openapi/api.yaml")
     recommend.set(true)
 }
+
+dependencyLocking {
+    lockAllConfigurations()
+}