[PM-19821] Consolidate scan.yml and scan-ci.yml (#4969)

Co-authored-by: Matt Andreko <mandreko@bitwarden.com>
2025-12-10 20:07:59 -06:00 · 2025-04-07 21:19:29 +01:00 · 2025-04-07 21:19:29 +01:00 · acf222d151
commit acf222d151
parent 1df96fdb62
2 changed files with 11 additions and 80 deletions
--- a/.github/workflows/scan-ci.yml
+++ b/.github/workflows/scan-ci.yml
@ -1,60 +0,0 @@
-name: Scan Protected Branches On Push
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - "main"
-
-jobs:
-  sast:
-    name: SAST scan
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-      security-events: write
-
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - name: Scan with Checkmarx
-        uses: checkmarx/ast-github-action@184bf2f64f55d1c93fd6636d539edf274703e434 # 2.0.41
-        with:
-          project_name: ${{ github.repository }}
-          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
-          base_uri: https://ast.checkmarx.net/
-          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
-          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
-          additional_params: |
-            --report-format sarif \
-            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
-            --output-path .
-
-      - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
-        with:
-          sarif_file: cx_result.sarif
-
-  quality:
-    name: Quality scan
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - name: Scan with SonarCloud
-        uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        with:
-          args: >
-            -Dsonar.organization=${{ github.repository_owner }}
-            -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@ -1,7 +1,13 @@
-name: Scan Pull Requests
+name: Scan

 on:
  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+      - "release/**"
+      - "rc"
+      - "hotfix-rc"
  pull_request_target:
    types: [opened, synchronize]

@ -23,7 +29,7 @@ jobs:
      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{  github.event.pull_request.head.sha }}
+          ref: ${{ github.event.pull_request.head.sha }}

      - name: Scan with Checkmarx
        uses: checkmarx/ast-github-action@184bf2f64f55d1c93fd6636d539edf274703e434 # 2.0.41
@ -40,27 +46,12 @@ jobs:
            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
            --output-path . ${{ env.INCREMENTAL }}

-      - name: Get branch refs
-        id: get-branch-refs
-        env:
-          GH_TOKEN: ${{ github.token }}
-          _PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          if [[ $GITHUB_EVENT_NAME == "pull_request_target" ]]; then
-            MERGE_SHA=$(gh api /repos/$GITHUB_REPOSITORY/pulls/$_PR_NUMBER --jq .merge_commit_sha)
-            echo "SHA=$MERGE_SHA" >> $GITHUB_OUTPUT
-            echo "REF=refs/pull/$_PR_NUMBER/merge" >> $GITHUB_OUTPUT
-          else
-            echo "SHA=$GITHUB_SHA" >> $GITHUB_OUTPUT
-            echo "REF=$GITHUB_REF" >> $GITHUB_OUTPUT
-          fi
-
      - name: Upload Checkmarx results to GitHub
        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
        with:
          sarif_file: cx_result.sarif
-          sha: ${{ steps.get-branch-refs.outputs.SHA }}
-          ref: ${{ steps.get-branch-refs.outputs.REF }}
+          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}

  quality:
    name: Quality scan
@ -75,7 +66,7 @@ jobs:
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
-          ref: ${{  github.event.pull_request.head.sha }}
+          ref: ${{ github.event.pull_request.head.sha }}

      - name: Scan with SonarCloud
        uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1