This document provides step-by-step instructions to configure GitGuardian, Snyk, and SonarCloud for the Apache Commons CSV project.
Three security tools have been integrated:
- GitGuardian - Secrets detection (API keys, tokens, passwords)
- Snyk - Dependency vulnerability scanning (CVEs in Maven dependencies)
- SonarCloud - Code quality and security analysis (vulnerabilities, code smells, security hotspots)
GitGuardian:
- Scans commits for exposed secrets (API keys, tokens, credentials)
- Prevents accidental secret leaks
- Free for public repositories

Option A: Install the GitHub App:
- Go to https://www.gitguardian.com/
- Click "Sign up" and select "Continue with GitHub"
- Install the GitGuardian GitHub App on your repository
- Grant permissions to `mahdiabirez/commons-csv`
- Done! GitGuardian will automatically scan new commits

Option B: Use an API key in GitHub Actions:
- Go to https://dashboard.gitguardian.com/
- Sign up or log in
- Navigate to: Settings → API → Personal Access Token
- Click "Create Token" with "Scan" permission
- Copy the token
- Go to your GitHub repo: https://github.com/mahdiabirez/commons-csv/settings/secrets/actions
- Click "New repository secret"
- Name: `GITGUARDIAN_API_KEY`
- Value: Paste your token
- Click "Add secret"

Verify:
- Push a commit and check: https://github.com/mahdiabirez/commons-csv/actions
- Look for "GitGuardian Secrets Scan" workflow
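The `.github/workflows/gitguardian.yml` file this guide refers to is not reproduced on the page. The following is an added example of that workflow for the API key method (Option B), written here and not taken from the project. It follows the usage documented for the `GitGuardian/ggshield-action` action; the file name and the workflow name are assumed to match what this guide tells you to look for. The full-history checkout (`fetch-depth: 0`) matters: with a shallow clone only the tip commit is scanned, so a secret committed and then removed within the same push would be missed.

```yaml
# .github/workflows/gitguardian.yml  (added example; file name assumed to match the guide)
name: GitGuardian Secrets Scan

on: [push, pull_request]

jobs:
  scanning:
    name: GitGuardian scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history: ggshield scans every commit in the push, not only HEAD

      - name: GitGuardian scan
        uses: GitGuardian/ggshield-action@v1
        env:
          # Commit range boundaries ggshield uses to decide which commits to scan
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          # The API key is only ever referenced through the repository secret created above
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
```

With the GitHub App method (Option A) this workflow is not needed; the app scans pushes on GitGuardian's side and no repository secret is involved. If the job fails with an authentication error, the first thing to check is that the secret name in the repository settings is exactly `GITGUARDIAN_API_KEY`.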
Snyk:
- Scans Maven dependencies for known vulnerabilities (CVEs)
- Provides upgrade recommendations
- Free for open source projects

Get your Snyk token:
- Go to https://app.snyk.io/
- Log in to your Snyk account
- Navigate to: Account Settings (click your name → Account settings)
- Scroll to "API Token" section
- Click "Show" and copy your token (starts with "snyk-...")

Add token to GitHub:
- Go to: https://github.com/mahdiabirez/commons-csv/settings/secrets/actions
- Click "New repository secret"
- Name: `SNYK_TOKEN`
- Value: Paste your Snyk token
- Click "Add secret"

Connect Snyk to GitHub (Optional - for dashboard):
- In Snyk dashboard: https://app.snyk.io/
- Click "Add project"
- Select "GitHub"
- Find and import `mahdiabirez/commons-csv`
- This enables the Snyk web dashboard

Verify:
- Push a commit and check: https://github.com/mahdiabirez/commons-csv/actions
- Look for "Snyk Security Scan" workflow
- Check results in: https://github.com/mahdiabirez/commons-csv/security/code-scanning
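The `.github/workflows/snyk.yml` file is likewise not shown on the page. Here is an added example of it, written for this guide and not the project's own file. It installs the Snyk CLI with the `snyk/actions/setup` action and runs `snyk test` directly, so the same JDK the build uses (Java 21, as this guide states) is available when Snyk resolves the Maven dependency tree. The point a practitioner should notice: results only appear under the repository's Security → Code scanning tab (the link in the verify step above) if the workflow uploads a SARIF file, which needs the `security-events: write` permission. The file name, the `--severity-threshold=high` policy and the action versions are assumptions.

```yaml
# .github/workflows/snyk.yml  (added example; file name assumed to match the guide)
name: Snyk Security Scan

on: [push, pull_request]

permissions:
  contents: read
  security-events: write   # required for the SARIF upload to the Security tab

jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Snyk runs the Maven dependency resolution, so it needs the build's JDK
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 21

      # Installs the Snyk CLI; the token is read from the SNYK_TOKEN secret, never hard-coded
      - uses: snyk/actions/setup@master

      - name: Snyk dependency test
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        # --sarif-file-output writes findings in the format GitHub code scanning ingests;
        # --severity-threshold=high is an assumed policy: only high/critical fail the step
        run: snyk test --all-projects --severity-threshold=high --sarif-file-output=snyk.sarif
        # Findings make this step fail; the upload below must still run
        continue-on-error: true

      - name: Upload results to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif
```

Because of `continue-on-error: true`, a vulnerable dependency does not turn the workflow red by itself; the findings live in the code scanning tab instead. If you want pushes blocked on high-severity CVEs, drop that line, at the cost of the SARIF upload being skipped on failure.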
SonarCloud:
- Analyzes code quality and security
- Detects bugs, vulnerabilities, code smells
- Tracks technical debt
- Free for public repositories

Import project to SonarCloud:
- Go to https://sonarcloud.io/
- Log in with GitHub
- Click "+" (top right) → "Analyze new project"
- Select `mahdiabirez/commons-csv`
- Click "Set Up"
- Choose "With GitHub Actions"

Get SonarCloud token:
- In SonarCloud setup wizard, copy the token provided
- OR go to: Account → Security → Generate Tokens
- Generate a token with name "GitHub Actions"

Add token to GitHub:
- Go to: https://github.com/mahdiabirez/commons-csv/settings/secrets/actions
- Click "New repository secret"
- Name: `SONAR_TOKEN`
- Value: Paste your SonarCloud token
- Click "Add secret"

Verify Organization and Project Key:
- In `pom.xml`, these properties are configured:

```xml
<!-- inside the <properties> block of pom.xml -->
<properties>
  <sonar.organization>mahdiabirez</sonar.organization>
  <sonar.projectKey>mahdiabirez_commons-csv</sonar.projectKey>
</properties>
```

- If your SonarCloud organization is different, update these values
- To check: Look at the URL in SonarCloud (e.g., sonarcloud.io/organizations/YOUR-ORG)

Verify:
- Push a commit and check: https://github.com/mahdiabirez/commons-csv/actions
- Look for "SonarCloud Analysis" workflow
- View results at: https://sonarcloud.io/project/overview?id=mahdiabirez_commons-csv
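The `.github/workflows/sonarcloud.yml` file is the third workflow this guide lists without showing. The following is an added example of it, modelled on the Maven workflow the SonarCloud "With GitHub Actions" wizard produces, written here and not copied from the project. It relies on the `sonar.organization` and `sonar.projectKey` properties being in `pom.xml` as described above, so neither is repeated on the command line, and it passes the token through the `SONAR_TOKEN` environment variable, which the scanner reads on its own. The file name, the `master` default branch, the Temurin distribution and the action versions are assumptions.

```yaml
# .github/workflows/sonarcloud.yml  (added example; file name assumed to match the guide)
name: SonarCloud Analysis

on:
  push:
    branches: [master]          # assumed default branch; change if yours differs
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  build:
    name: Build and analyze
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # shallow clones break SonarCloud's new-code and blame detection

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 21
          cache: maven     # caches ~/.m2 keyed on pom.xml

      - name: Cache SonarCloud packages
        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar

      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # lets SonarCloud annotate pull requests
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}     # picked up by the scanner; no token on the command line
        # sonar.organization and sonar.projectKey come from pom.xml
        run: >
          mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.host.url=https://sonarcloud.io
```

Keeping the token out of the `run:` line (the local command later in this guide passes it as `-Dsonar.login=$SONAR_TOKEN`) avoids it showing up in the step's command echo; the scanner reads `SONAR_TOKEN` from the environment. If the analysis fails with an organization or project-key error, the values in `pom.xml` do not match the SonarCloud project you imported.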
Secrets summary:

| Secret Name | Source | Required For |
|---|---|---|
| `GITGUARDIAN_API_KEY` | https://dashboard.gitguardian.com/api | GitGuardian workflow |
| `SNYK_TOKEN` | https://app.snyk.io/account | Snyk workflow |
| `SONAR_TOKEN` | https://sonarcloud.io/account/security | SonarCloud workflow |

Files added or changed:
- `.github/workflows/gitguardian.yml` - GitGuardian secrets scanning
- `.github/workflows/snyk.yml` - Snyk dependency scanning
- `.github/workflows/sonarcloud.yml` - SonarCloud code analysis
- `pom.xml` - Updated with SonarCloud properties
Running the scans locally:

```bash
# Install Snyk CLI
npm install -g snyk
# Authenticate (opens the browser and stores the token in the Snyk config)
snyk auth
# Scan dependencies of the project in the current directory
snyk test
# Scan every manifest found in the repository (snyk test reports; it does not fix)
snyk test --all-projects
```

```bash
# Run analysis locally (requires SONAR_TOKEN environment variable)
mvn clean verify sonar:sonar \
  -Dsonar.projectKey=mahdiabirez_commons-csv \
  -Dsonar.organization=mahdiabirez \
  -Dsonar.host.url=https://sonarcloud.io \
  -Dsonar.login=$SONAR_TOKEN
```

Where to find results:
- GitHub Actions: https://github.com/mahdiabirez/commons-csv/actions
- GitGuardian Dashboard: https://dashboard.gitguardian.com/
- GitHub Security Tab: https://github.com/mahdiabirez/commons-csv/security/code-scanning
- Snyk Dashboard: https://app.snyk.io/
  - Results show CVE IDs, severity, and fix recommendations
- SonarCloud Dashboard: https://sonarcloud.io/project/overview?id=mahdiabirez_commons-csv
  - Shows:
    - Bugs
    - Vulnerabilities
    - Security Hotspots
    - Code Smells
    - Code Coverage
    - Duplication
Troubleshooting:

SonarCloud:
- Update `<sonar.organization>` in `pom.xml` with your actual SonarCloud organization name
- Check: https://sonarcloud.io/account/organizations

Snyk:
- Verify `SNYK_TOKEN` secret is correctly set
- Token must start with `snyk-`
- Generate a new token if needed: https://app.snyk.io/account

GitGuardian:
- If using GitHub App method, no secret is needed
- If using API key method, verify `GITGUARDIAN_API_KEY` secret is set
- Check workflow permissions in: https://github.com/mahdiabirez/commons-csv/settings/actions

Build failures:
- Ensure Java 21 is being used (configured in workflows)
- Check if dependencies resolve correctly
- Run `mvn clean install` locally to verify
Next steps:
- Push this commit to trigger all workflows
- Wait for workflows to complete (5-10 minutes)
- Review security findings:
  - GitGuardian: Check for any exposed secrets
  - Snyk: Review CVEs in dependencies
  - SonarCloud: Analyze security hotspots and vulnerabilities
- Document findings in `PROJECT_PROGRESS.md`
- Create remediation plan for high-severity issues
For your dependability analysis report, include:
- Number of vulnerabilities found by each tool
- Severity breakdown (Critical/High/Medium/Low)
- Top 5 security issues and remediation strategies
- Code quality metrics from SonarCloud
- Screenshots of dashboard results
- Comparison with industry standards
All three tools provide comprehensive reports suitable for academic documentation.