cfpb · PatrickGoRaft · Nov 13, 2024 · Oct 29, 2024 · Oct 29, 2024 · Oct 29, 2024
diff --git a/.github/workflows/cve-scan-pr.yml b/.github/workflows/cve-scan-pr.yml
@@ -0,0 +1,51 @@
+name: HMDA PR CVE Scan
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  hmda-platform-cve-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@v4
+
+      - name: Build Docker image of HMDA platform
+        run: |
+          env JAVA_OPTS="-Xss256m -Xmx4096m" sbt "project hmda-platform" dockerPublishLocalSkipTests
+        continue-on-error: false
+
+      - name: Tag and name Docker image
+        run: docker tag hmda/hmda-platform:latest pr-cve-scan:latest
+
+      - name: Set up Homebrew
+        uses: Homebrew/actions/setup-homebrew@master
+
+      - name: Install Grype
+        run: |
+          brew install grype
+
+      - name: Run Grype scan
+        run: |
+          grype pr-cve-scan:latest > grype-report.txt
+
+      - name: Upload Grype report to artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: cve-report
+          path: |
+            grype-report.txt
+
+      - name: Post comment with report link
+        uses: thollander/actions-comment-pull-request@v3
+        with:
+          message: CVE scan report generated by Grype are available. Check the Actions tab to download the reports.
+
+      - name: Remove Docker image
+        run: |
+          docker rmi pr-cve-scan:latest
diff --git a/.github/workflows/unit-test.yml → .github/workflows/unit-test.yaml b/.github/workflows/unit-test.yml → .github/workflows/unit-test.yaml
@@ -63,64 +63,64 @@ jobs:
           fi
 
   common_tests:
-      runs-on: ubuntu-latest
-
-      steps:
-        - name: Checkout
-          uses: actions/checkout@v4
-
-        - name: Setup JDK
-          uses: actions/setup-java@v4
-          with:
-            java-version: '11'
-            distribution: 'adopt'
-
-        - name: Run common Tests
-          run: |
-            sbt "project common" "testOnly -- -l actions-ignore" 2>&1 | tee -a log-file
-          continue-on-error: true
-
-        - name: Check Test Results
-          run: |
-            if [ $(grep 'All tests passed.' log-file | wc -l) -ne 1 ]; then
-              echo "One or more projects had failures. Please review the logs."
-              exit 1
-            else
-              echo "All tests passed."
-              exit 0
-            fi
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup JDK
+        uses: actions/setup-java@v4
+        with:
+          java-version: '11'
+          distribution: 'adopt'
+
+      - name: Run common Tests
+        run: |
+          sbt "project common" "testOnly -- -l actions-ignore" 2>&1 | tee -a log-file
+        continue-on-error: true
+
+      - name: Check Test Results
+        run: |
+          if [ $(grep 'All tests passed.' log-file | wc -l) -ne 1 ]; then
+            echo "One or more projects had failures. Please review the logs."
+            exit 1
+          else
+            echo "All tests passed."
+            exit 0
+          fi
 
   data_browser_tests:
-        runs-on: ubuntu-latest
-
-        steps:
-          - name: Checkout
-            uses: actions/checkout@v4
-
-          - name: Setup JDK
-            uses: actions/setup-java@v4
-            with:
-              java-version: '11'
-              distribution: 'adopt'
-
-          - name: Run data-browser Tests
-            run: |
-              sbt "project data-browser" "testOnly -- -l actions-ignore" 2>&1 | tee -a log-file
-            continue-on-error: true
-
-          - name: Check Test Results
-            run: |
-              if [ $(grep 'All tests passed.' log-file | wc -l) -ne 1 ]; then
-                echo "One or more projects had failures. Please review the logs."
-                exit 1
-              else
-                echo "All tests passed."
-                exit 0
-              fi
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup JDK
+        uses: actions/setup-java@v4
+        with:
+          java-version: '11'
+          distribution: 'adopt'
+
+      - name: Run data-browser Tests
+        run: |
+          sbt "project data-browser" "testOnly -- -l actions-ignore" 2>&1 | tee -a log-file
+        continue-on-error: true
+
+      - name: Check Test Results
+        run: |
+          if [ $(grep 'All tests passed.' log-file | wc -l) -ne 1 ]; then
+            echo "One or more projects had failures. Please review the logs."
+            exit 1
+          else
+            echo "All tests passed."
+            exit 0
+          fi
 
   hmda_analytics_tests:
     runs-on: ubuntu-latest
-    
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -367,4 +367,4 @@ jobs:
           else
             echo "All tests passed."
             exit 0
-          fi
+          fi