Update pom.xml

.github/dependabot.yml

@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: "maven"
+    directory: "/" # Location of your pom.xml file
+    schedule:
+      interval: "weekly" # Check for updates weekly
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    target-branch: "main"
+    rebase-strategy: "auto"
+    assignees:
+      - "Prakash-Poatan"
+    reviewers:
+      - "Prakash-Poatan"
+    labels:
+      - "dependencies"
+      - "automated"
+    ignore:
+      - dependency-name: "guava"

.github/workflows/depecheck_test.yml

@@ -0,0 +1,28 @@
+
+on: [push]
+
+jobs:
+  depchecktest:
+    runs-on: ubuntu-latest
+    name: depecheck_test
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Build project with Maven
+        run: mvn clean install
+      - name: Depcheck
+        uses: dependency-check/Dependency-Check_Action@main
+        id: Depcheck
+        with:
+          project: 'test'
+          path: '.'
+          format: 'HTML'
+          out: 'reports' # this is the default, no need to specify unless you wish to override it
+          args: >
+            --failOnCVSS 7
+            --enableRetired
+      - name: Upload Test results
+        uses: actions/upload-artifact@master
+        with:
+           name: Depcheck report
+           path: ${{github.workspace}}/reports

.github/workflows/docker-image3.yml

@@ -0,0 +1,18 @@
+name: Docker Image CI 3
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Build the Docker image
+      run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)

.gitignore

@@ -15,6 +15,7 @@
 *.iws
 *.iml
 *.ipr
+*.txt
 
 ### NetBeans ###
 /nbproject/private/
@@ -23,3 +24,4 @@
 /dist/
 /nbdist/
 /.nb-gradle/
+/assets/

Dockerfile

@@ -1,5 +1,5 @@
 FROM openjdk:13-alpine
-
+# do build volumes
 VOLUME /tmp
 COPY target/*.jar app.jar
 

LICENSE

@@ -186,13 +186,10 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
-
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
 
-       http://www.apache.org/licenses/LICENSE-2.0
 
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,

README.md

@@ -1,17 +1,4 @@
-# How to build a DevSecOps Pipeline in GitHub
+# DevSecOps Pipeline in GitHub Actions
 This repository shows you how to build up an enterprise-ready DevSecOps Pipeline with GitHub. 
-It is part of your video series on how to build a DevSecOps Pipeline with GitHub and GitLab.
+It utilises the SCA, SAST, DAST scans with different open source tools such as snyk, dependency check, trivy and Github advanced security configurations such as Dependabot with specific and general rules, CodeQL analysis , Secrets scan, secret protection, push protection and othersfor creating a secure CI and CD workflow during build into main branch on every change.
 
-Here is the link to the blog-post: https://www.romanoroth.com/post/gitlab-vs-github-devsecops
-
-- GitHub: DevSecOps: Part 1/12: What is GitHub? The fundamental concepts of a DevSecOps pipeline. https://youtu.be/_m5KYEi1ThA
-- GitHub: DevSecOps: Part 2/12: Introduction to GitHub https://youtu.be/6ZdxXDu8ZDA 
-- GitHub: DevSecOps: Part 3/12: Learn How to use SCA (Software Composition Analysis) https://youtu.be/xM3elerxjYo
-- GitHub: DevSecOps: Part 4/12: How to ensure License Compliance? https://youtu.be/l7IBh2xkDcQ
-- GitHub: DevSecOps: Part 5/12: Protect your Apps with Static Application Security Testing (SAST) https://youtu.be/p4xS2X5KsNk
-- GitHub: DevSecOps: Part 6/12: How to use Container Scanning https://youtu.be/_ZeKh3GcbgU
-- GitHub: DevSecOps: Part 7/12: How to find secrets in your own code with Secret Scanning https://youtu.be/k-uuPTLNXGM 
-- Coming Soon
-
-
-Link to the GitLab repository: https://gitlab.com/romano_roth/gitlabdevsecopspipeline

mvnw

@@ -9,7 +9,6 @@
 # with the License.  You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
-#
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

pom.xml

@@ -35,7 +35,24 @@
 			<artifactId>spring-boot-starter-test</artifactId>
 			<scope>test</scope>
 		</dependency>
+		<dependency>
+			<groupId>org.apache.logging.log4j</groupId>
+			<artifactId>log4j-core</artifactId>
+			<version>2.14.1</version>
+		</dependency>
+        <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api -->
+		<dependency>
+			<groupId>org.apache.logging.log4j</groupId>
+			<artifactId>log4j-api</artifactId>
+			<version>2.14.1</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.velocity</groupId>
+			<artifactId>velocity</artifactId>
+			<version>1.7</version>
+		</dependency>
 	</dependencies>
+
 
 	<build>
 		<plugins>

src/main/java/com/example/demo/controller/Controller.java

@@ -19,7 +19,7 @@ public class Controller {
     // these are for secret detection
     private final static String username="User1";
     private final static String password="password";
-    private final static String pwd="password2";
+    private final static String pwd="password@2";
 
     private final static String pwdtest="pwd_Test22";
     //use pwd pwd_BlaTest24
@@ -32,7 +32,7 @@ public class Controller {
 	//use pwd pwd_BlaTest25
 
     private final String idForCloud = "AKIAIOSFODNN7EXAMPLE";
-    private final String valueForCloud = "wJalrXUtnFEMI/K7MDENG/bPxRfiCY78ZWn/7";
+    private final String valueForCloud = "wJalrXUtnFEMI/K7MDENG/bPxRfiCY78ZWn/72";
 
     private final static String pwdPropertyName="prop.password";