diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a6aa51f..bf4771f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,4 +24,25 @@ jobs: with: sonar-org: ahincho sonar-project-key: ahincho_nova-api-standard + secrets: inherit + + matrix: + if: github.event_name == 'pull_request' + uses: ahincho/nova-devops/.github/workflows/reusable-build-matrix.yml@main + with: + build-tool: gradle + secrets: inherit + + owasp: + if: github.event_name == 'pull_request' + uses: ahincho/nova-devops/.github/workflows/reusable-owasp-check.yml@main + with: + build-tool: gradle + secrets: inherit + + sbom: + if: github.event_name == 'pull_request' + uses: ahincho/nova-devops/.github/workflows/reusable-sbom.yml@main + with: + build-tool: gradle secrets: inherit \ No newline at end of file diff --git a/build.gradle.kts b/build.gradle.kts index a4317d1..8b7ca80 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -6,6 +6,8 @@ plugins { checkstyle id("net.nemerosa.versioning") version "4.0.1" id("signing") + id("org.owasp.dependencycheck") version "12.2.2" + id("org.cyclonedx.bom") version "3.2.4" } versioning { @@ -65,6 +67,14 @@ checkstyle { sourceSets = listOf(project.sourceSets.main.get()) } +dependencyCheck { + // NVD_API_KEY / NOVA_OWASP_FAIL_ON_CVSS are injected by reusable-owasp-check.yml. + // Locally (no env vars set) this defaults to "never fail" (11.0, matches plugin default) + // and an empty NVD key (slower updates, acceptable for local dev). + failBuildOnCVSS = (System.getenv("NOVA_OWASP_FAIL_ON_CVSS") ?: "11").toFloat() + nvd.apiKey = System.getenv("NVD_API_KEY") ?: "" +} + pitest { junit5PluginVersion.set("1.2.1") targetClasses.set(setOf("pe.edu.nova.java.libs.api.standard.*"))