# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github.
# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action.
# Contrast Scan currently supports Java, JavaScript and .NET artifacts.
# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action

# Pre-requisites:
# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action.
# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER.

on:
  push:
    branches: [ "main" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "main" ]
  schedule:
    - cron: '34 1 * * 5'

permissions:
  contents: read

name: Scan analyze workflow
jobs:
  build-and-scan:
    permissions:
        contents: read # for actions/checkout
        security-events: write # for github/codeql-action/upload-sarif
        actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    # check out project
    steps:
    - uses: actions/checkout@v4
    # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here.
    # -name: Build Project
    # ...
    # Scan Artifact
    - name: Contrast Scan Action
      uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1
      with:
        artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact
        apiKey: ${{ secrets.CONTRAST_API_KEY }}
        orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
        authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
    #Upload the results to GitHub
    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output