From a095ebf48f9ddf280c691c62df8d9e329082dc66 Mon Sep 17 00:00:00 2001
From: Derek Roberts
Date: Tue, 12 Mar 2024 22:01:07 -0700
Subject: [PATCH] fix(ci): analysis conditionals
---
 .github/workflows/analysis.yml | 70 ++++++++++++++++++++++++++++------
 1 file changed, 58 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
index 3c8ff7f8ce..527183244e 100644
--- a/.github/workflows/analysis.yml
+++ b/.github/workflows/analysis.yml
@@ -14,23 +14,69 @@ concurrency:
 cancel-in-progress: true
 jobs:
- tests-java:
- name: Backend Tests
- if: github.event_name != 'pull_request' || !github.event.pull_request.draft
- uses: ./.github/workflows/reusable-tests-be.yml
+ tests:
+ name: Tests
+ if: ${{ ! github.event.pull_request.draft }}
+ uses: ./.github/workflows/.tests.yml
- tests-frontend:
- name: Frontend Unit Tests
- if: github.event_name != 'pull_request' || !github.event.pull_request.draft
- uses: ./.github/workflows/reusable-tests-fe.yml
+ codeql:
+ name: CodeQL Code Analysis
+ if: ${{ ! github.event.pull_request.draft }}
+ runs-on: ubuntu-22.04
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: github/codeql-action/init@v3
+ with:
+ languages: javascript,java
+
+ # Autobuild failed for Java, so building manually
+ - name: Set up JDK 17 and Caching maven dependencies
+ uses: actions/setup-java@v4
+ with:
+ distribution: "temurin"
+ java-version: "17"
+ cache: "maven"
+
+ # Java builds
+ - name: Build Backend
+ working-directory: backend
+ run: ./mvnw clean package
+
+ - name: Build Legacy
+ working-directory: legacy
+ run: ./mvnw clean package
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+
+ trivy:
+ name: Trivy Vulnerability Scanner
+ if: ${{ ! github.event.pull_request.draft }}
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@0.18.0
+ with:
+ format: "sarif"
+ output: "trivy-results.sarif"
+ ignore-unfixed: true
+ scan-type: "fs"
+ scanners: "vuln,secret,config"
+ severity: "CRITICAL,HIGH"
- repo-reports:
- name: Repository Reports
- uses: ./.github/workflows/reusable-tests-repo.yml
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: "trivy-results.sarif"
 results:
 name: Analysis Results
- needs: [tests-java, tests-frontend, repo-reports]
+ needs: [tests, codeql, trivy]
 runs-on: ubuntu-22.04
 steps:
 - run: echo "Workflow completed successfully!"
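Review bot: The new `trivy` job uploads SARIF via `github/codeql-action/upload-sarif@v3` but declares no `permissions:` block, so it inherits whatever the repository's default `GITHUB_TOKEN` scope is — on a read-only default the upload step fails, and on a write-all default the job runs with far more token scope than a scan-and-upload needs. The `codeql` job in the same hunk already scopes its token explicitly, so mirror that on `trivy`: `permissions:` / `contents: read` / `security-events: write` (add `actions: read` only if the repository is private). Be aware that `upload-sarif` cannot write security events on `pull_request` runs from forks, where the token is read-only regardless of this block — presumably acceptable for this repo, but a one-line comment above the step would save the next person a debugging session. Separately, the Trivy step sets no `exit-code`, so it is report-only and `results` succeeds whatever the scan finds; add `exit-code: "1"` under `with:` if CRITICAL/HIGH findings are meant to block. Every action here is pinned to a mutable tag rather than a commit SHA; the third-party `aquasecurity/trivy-action@0.18.0` is the one most worth SHA-pinning.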