Merge pull request #296 from alma/feature/ecom-2212-sonarcloud-config…

…uration Feature/ecom 2212 sonarcloud configuration
alma · Dec 2, 2024 · 88b66f3 · 88b66f3
2 parents 0ebf80e + ab383bc
commit 88b66f3
Show file tree

Hide file tree

Showing 9 changed files with 308 additions and 239 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,27 @@
+# This file is for unifying the coding style for different editors and IDEs
+# editorconfig.org
+
+# WordPress Coding Standards
+# https://make.wordpress.org/core/handbook/coding-standards/
+
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+tab_width = 4
+indent_style = tab
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.txt]
+trim_trailing_whitespace = false
+
+[*.{md,json,yml}]
+trim_trailing_whitespace = false
+indent_style = space
+indent_size = 2
+
+[*.json]
+indent_style = tab
diff --git a/.github/workflows/aqua.yml b/.github/workflows/aqua.yml
@@ -1,4 +1,5 @@
 name: Aqua
+
 on:
   pull_request:
     branches:
@@ -7,25 +8,43 @@ on:
 
 jobs:
   aqua:
-    name: Aqua scanner
-    runs-on: ubuntu-22.04
+    name: Code scanning
+    runs-on: ubuntu-24.04
+
+    permissions:
+      contents: read
+      id-token: write
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          show-progress: false
+
+      - name: Authenticate to Google Cloud
+        id: gcloud-auth
+        uses: google-github-actions/auth@v2
+        with:
+          token_format: access_token
+          workload_identity_provider: projects/699052769907/locations/global/workloadIdentityPools/github-identity-pool-shared/providers/github-identity-provider-shared  # yamllint disable-line
+          service_account: github-gar-alma-woocommerce-ga@lyrical-carver-335213.iam.gserviceaccount.com
+
+      - name: Authenticate to Artifact Registry
+        uses: docker/login-action@v3
+        with:
+          registry: europe-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.gcloud-auth.outputs.access_token }}
 
       - name: Run Aqua scanner
         uses: docker://aquasec/aqua-scanner
-        with:
-          args: trivy fs --sast --reachability --scanners misconfig,vuln,secret .
-          # To customize which severities add the following flag: --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-          # To enable SAST scanning, add: --sast
-          # To enable reachability scanning, add: --reachability
-          # To enable npm/dotnet non-lock file scanning, add: --package-json / --dotnet-proj
         env:
           AQUA_KEY: ${{ secrets.AQUA_KEY }}
           AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
           GITHUB_TOKEN: ${{ github.token }}
           AQUA_URL: https://api.eu-1.supply-chain.cloud.aquasec.com
           CSPM_URL: https://eu-1.api.cloudsploit.com
-          TRIVY_RUN_AS_PLUGIN: "aqua"
-          # For http/https proxy configuration add env vars: HTTP_PROXY/HTTPS_PROXY, CA-CRET (path to CA certificate)
+          TRIVY_RUN_AS_PLUGIN: aqua
+          TRIVY_DB_REPOSITORY: europe-docker.pkg.dev/lyrical-carver-335213/aquasec/trivy-db:2
+        with:
+          args: trivy fs --sast --reachability --scanners misconfig,vuln,secret .
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,7 +12,18 @@ on:
   workflow_dispatch: ~
 
 jobs:
-
+  sonarcloud:
+    name: SonarQube Cloud
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: SonarQube Cloud Scan
+        uses: SonarSource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
   lint:
     name: Lint code
     runs-on: ubuntu-22.04

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -23,13 +23,13 @@ repos:
         name: PHP and WordPress coding standards Fixer test
         language: system
         entry: ./bin/coding-standard-fixer.sh
-        stages: [commit]
+        stages: [pre-commit]
 
       - id: coding-standard
         name: Check the PHP and WordPress coding standards
         language: system
         entry: ./bin/coding-standard.sh
-        stages: [commit]
+        stages: [pre-commit]
 
   # - repo: https://github.com/returntocorp/semgrep
   #   rev: v1.75.0

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-ARG PHP_VERSION
+ARG PHP_VERSION=latest
 
 FROM composer:2 AS composer
 FROM php:${PHP_VERSION}

diff --git a/Dockerfile.legacy b/Dockerfile.legacy
@@ -12,15 +12,15 @@ ENV DEBIAN_FRONTEND=noninteractive
      sed -i s/stretch-updates/stretch/g /etc/apt/sources.list
 
 # Install dependencies
-RUN apt update && \
-    apt install -y --no-install-recommends \
+RUN apt update \
+    && apt install -y --no-install-recommends \
     git \
-    zip \
-    unzip \
     rsync \
+    unzip \
+    zip \
     && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*
+    apt-get clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*
 
 # Create non-root user
 RUN useradd -u ${UID} -ms /bin/bash phpuser

diff --git a/sonar-project.properties b/sonar-project.properties
@@ -0,0 +1,15 @@
+# General setup
+sonar.projectKey=alma_alma-woocommerce-gateway
+sonar.organization=almapay
+# This is the name and version displayed in the SonarCloud UI.
+sonar.projectName=alma-woocommerce-gateway
+# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
+sonar.sources=src/
+sonar.exclusions=src/.composer/**,src/.subversion/**,src/assets/widget/**,src/bin/**,src/build/**,src/languages/**,src/vendor/**,src/.phpcs.xml.dist,src/.phpunit.result.cache,src/phpcs.xml,src/phpunit.xml.dist,src/phpcs.xml
+# Test folders
+sonar.tests=src/tests/
+sonar.test.inclusions=src/tests/**/*
+# Encoding of the source code. Default is default system encoding
+sonar.sourceEncoding=UTF-8
+# Exclude files from coverage
+sonar.coverage.exclusions=src/tests/**/*