android/.github/workflows/scan-ci.yml

name: Scan Protected Branches On Push

on:
  workflow_dispatch:
  push:
    branches:
      - "main"

jobs:
  sast:
    name: SAST scan
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      security-events: write
      id-token: write

    steps:
      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Log in to Azure
        uses: bitwarden/gh-actions/azure-login@main
        with:
          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Get Azure Key Vault secrets
        id: get-kv-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: gh-org-bitwarden
          secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"

      - name: Log out from Azure
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Scan with Checkmarx
        uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # 2.3.19
        with:
          project_name: ${{ github.repository }}
          cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }}
          base_uri: https://ast.checkmarx.net/
          cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }}
          cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }}
          additional_params: |
            --report-format sarif \
            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
            --output-path .

      - name: Upload Checkmarx results to GitHub
        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
        with:
          sarif_file: cx_result.sarif

  quality:
    name: Quality scan
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      id-token: write

    steps:

      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Log in to Azure
        uses: bitwarden/gh-actions/azure-login@main
        with:
          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Get Azure Key Vault secrets
        id: get-kv-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: gh-org-bitwarden
          secrets: "SONAR-TOKEN"

      - name: Log out from Azure
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Scan with SonarCloud
        uses: sonarsource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # v5.1.0
        env:
          SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
        with:
          args: >
            -Dsonar.organization=${{ github.repository_owner }}
            -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}