ACS-6305 Implement SAST Pipeline Scan (#893)

ACS-6305 Implement SAST Pipeline Scan

.github/workflows/ci.yml

@@ -35,7 +35,7 @@ env:
   GITHUB_ACTIONS_DEPLOY_TIMEOUT: 60
 
 jobs:
-  veracode:
+  veracode_sca:
     name: "Veracode - Source Clear Scan (SCA)"
     runs-on: ubuntu-latest
     if: >
@@ -52,6 +52,61 @@ jobs:
         with:
           srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}
 
+  veracode_sast:
+    name: "Pipeline SAST Scan"
+    runs-on: ubuntu-latest
+    if: >
+      (github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/') || github.event_name == 'pull_request') &&
+      !contains(github.event.head_commit.message, '[skip tests]')
+    steps:
+      - uses: actions/checkout@v3
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.34.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v1.34.0
+      - name: "Login to Docker Hub"
+        uses: docker/login-action@v2.1.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: "Login to Quay.io"
+        uses: docker/login-action@v2.1.0
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+      - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v5.6.0
+        with:
+          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          repository: "Alfresco/veracode-baseline-archive"
+          file-path: "alfresco-transform-core/alfresco-transform-core-baseline.json"
+          target: "baseline.json"
+      - name: "Build"
+        run: mvn -B -U install -DskipTests
+      - name: "Create zip"
+        run: zip -r to-scan.zip engines/aio/target/alfresco-transform-core-aio-*.jar engines/base/target/alfresco-base-t-engine-*.jar model/target/alfresco-transform-model-*.jar
+      - name: "Run SAST Scan"
+        uses: veracode/Veracode-pipeline-scan-action@v1.0.10
+        with:
+          vid: ${{ secrets.VERACODE_API_ID }}
+          vkey: ${{ secrets.VERACODE_API_KEY }}
+          file: "to-scan.zip"
+          fail_build: true
+          project_name: alfresco-transform-core
+          issue_details: true
+          veracode_policy_name: Alfresco Default
+          summary_output: true
+          summary_output_file: results.json
+          summary_display: true
+          baseline_file: baseline.json
+      - name: Upload scan result
+        if: success() || failure()
+        run: zip readable_output.zip results.json
+      - name: Upload Artifact
+        if: success() || failure()
+        uses: actions/upload-artifact@v3
+        with:
+          name: Veracode Pipeline-Scan Results (Human Readable)
+          path: readable_output.zip
+
   build_and_test:
     name: "Core & Base Snapshot deployment"
     runs-on: ubuntu-latest
@@ -146,7 +201,7 @@ jobs:
   release:
     name: "Release"
     runs-on: ubuntu-latest
-    needs: [veracode, build_and_test, all_tests_matrix]
+    needs: [veracode_sca, build_and_test, all_tests_matrix]
     if: >
       !(failure() || cancelled()) &&
       contains(github.event.head_commit.message, '[release]') &&