From e7b6150c5d5e51b08fd12c97dac956e3a2aff175 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Thu, 3 Feb 2022 13:54:14 +0530 Subject: [PATCH 01/77] Added underscore(_) in the name to fix yml errors caused by the empty spaces in the name --- code-scanning/apisec-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 3aa06ca..65a6baf 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -43,7 +43,7 @@ on: jobs: - Trigger APIsec scan: + Trigger_APIsec_scan: runs-on: ubuntu-latest steps: From 2e60d03ab7a47f3c73e7a5a95e75fdc1b2d6893c Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 12:38:39 +0530 Subject: [PATCH 02/77] Zscaler IaC Action Publish --- .../properties/zscaler.properties.json | 7 +++ code-scanning/zscaler.yml | 46 +++++++++++++++++++ icons/zscaler.svg | 3 ++ 3 files changed, 56 insertions(+) create mode 100644 code-scanning/properties/zscaler.properties.json create mode 100644 code-scanning/zscaler.yml create mode 100644 icons/zscaler.svg diff --git a/code-scanning/properties/zscaler.properties.json b/code-scanning/properties/zscaler.properties.json new file mode 100644 index 0000000..784a52b --- /dev/null +++ b/code-scanning/properties/zscaler.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Zscaler IaC Scan", + "creator": "Zscaler CWP Team", + "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", + "iconName": "zscaler", + "categories": ["Code Scanning","HCL"] +} \ No newline at end of file diff --git a/code-scanning/zscaler.yml b/code-scanning/zscaler.yml new file mode 100644 index 0000000..beea601 --- /dev/null +++ b/code-scanning/zscaler.yml @@ -0,0 +1,46 @@ +#This workflow uses actions that are not certified by GitHub. +#They are provided by a third party and are governed by +#separate terms of service, privacy policy, and support +#documentation. + +#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app, +#which detects security misconfigurations in IaC templates and publishes the findings +#under the code scanning alerts section within the repository. + +name: Zscanner IaC Scan +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + zscaler-iac-scan: + runs-on: ubuntu-latest + steps: + - name : Code Checkout + uses: actions/checkout@v2 + - name : Zscaler IAC Scan + uses : ZscalerCWP/Zscaler-IaC-Action@v0.2.0 + id : zscaler-iac-scan + with: + #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. + #Copy the client ID and client secret key generated during the onboarding process and configure. + #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). + client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} + client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} + #This is the user region specified during the onboarding process within the ZWP Admin Portal. + region : 'US' + iac_dir : #Enter the IaC directory path from root. + iac_file : #Enter the IaC file path from root. + output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here. + #To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true. + fail_build : #Enter true/false + #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. + - name: Upload SARIF file + if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file diff --git a/icons/zscaler.svg b/icons/zscaler.svg new file mode 100644 index 0000000..3897442 --- /dev/null +++ b/icons/zscaler.svg @@ -0,0 +1,3 @@ + + + From 5e3bc9a2fd200fc324e4bff09889cc80465d1a08 Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 16:26:19 +0530 Subject: [PATCH 03/77] Update zscaler-iac-scan.yml --- code-scanning/{zscaler.yml => zscaler-iac-scan.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename code-scanning/{zscaler.yml => zscaler-iac-scan.yml} (98%) diff --git a/code-scanning/zscaler.yml b/code-scanning/zscaler-iac-scan.yml similarity index 98% rename from code-scanning/zscaler.yml rename to code-scanning/zscaler-iac-scan.yml index beea601..e23a8d6 100644 --- a/code-scanning/zscaler.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -7,7 +7,7 @@ #which detects security misconfigurations in IaC templates and publishes the findings #under the code scanning alerts section within the repository. -name: Zscanner IaC Scan +name: Zscaler IaC Scan on: push: branches: [ $default-branch, $protected-branches ] From 7a322529a7f2fe483452dad5b1941ca7742216e8 Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 16:29:09 +0530 Subject: [PATCH 04/77] Update zscaler-iac-scan.properties.json --- .../{zscaler.properties.json => zscaler-iac-scan.properties.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename code-scanning/properties/{zscaler.properties.json => zscaler-iac-scan.properties.json} (100%) diff --git a/code-scanning/properties/zscaler.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json similarity index 100% rename from code-scanning/properties/zscaler.properties.json rename to code-scanning/properties/zscaler-iac-scan.properties.json From 3857754fa1839756e86ec089760bb20c7084c895 Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 17:55:47 +0530 Subject: [PATCH 05/77] Update zscaler-iac-scan.properties.json --- code-scanning/properties/zscaler-iac-scan.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/zscaler-iac-scan.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json index 784a52b..b643037 100644 --- a/code-scanning/properties/zscaler-iac-scan.properties.json +++ b/code-scanning/properties/zscaler-iac-scan.properties.json @@ -1,7 +1,7 @@ { "name": "Zscaler IaC Scan", - "creator": "Zscaler CWP Team", + "creator": "Zscaler CWP", "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", "iconName": "zscaler", - "categories": ["Code Scanning","HCL"] + "categories": ["Code Scanning","Security"] } \ No newline at end of file From 74471dae6f1a513f17bdacfdce6fd69145a5271a Mon Sep 17 00:00:00 2001 From: mvecha Date: Tue, 5 Apr 2022 13:21:24 +0530 Subject: [PATCH 06/77] Update zscaler-iac-scan.yml --- code-scanning/zscaler-iac-scan.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index e23a8d6..a8424b7 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -16,14 +16,20 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: zscaler-iac-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name : Code Checkout uses: actions/checkout@v2 - name : Zscaler IAC Scan - uses : ZscalerCWP/Zscaler-IaC-Action@v0.2.0 + uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc id : zscaler-iac-scan with: #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. From 73afccbbd54778fd08596f3fbe386823dcf15901 Mon Sep 17 00:00:00 2001 From: mvecha Date: Thu, 21 Apr 2022 15:20:01 +0530 Subject: [PATCH 07/77] Addressing PR Comments from Community --- .../properties/zscaler-iac-scan.properties.json | 2 +- code-scanning/zscaler-iac-scan.yml | 15 ++++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/code-scanning/properties/zscaler-iac-scan.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json index b643037..274d17a 100644 --- a/code-scanning/properties/zscaler-iac-scan.properties.json +++ b/code-scanning/properties/zscaler-iac-scan.properties.json @@ -3,5 +3,5 @@ "creator": "Zscaler CWP", "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", "iconName": "zscaler", - "categories": ["Code Scanning","Security"] + "categories": ["Code Scanning"] } \ No newline at end of file diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index a8424b7..195bb57 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -7,6 +7,14 @@ #which detects security misconfigurations in IaC templates and publishes the findings #under the code scanning alerts section within the repository. +#Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. +#Copy the client ID and client secret key generated during the onboarding process and configure. +#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). + +#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. +#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues +#for further investigation. + name: Zscaler IaC Scan on: push: @@ -27,14 +35,11 @@ jobs: runs-on: ubuntu-latest steps: - name : Code Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name : Zscaler IAC Scan uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc id : zscaler-iac-scan with: - #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. - #Copy the client ID and client secret key generated during the onboarding process and configure. - #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} #This is the user region specified during the onboarding process within the ZWP Admin Portal. @@ -47,6 +52,6 @@ jobs: #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. - name: Upload SARIF file if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file From cfa93d0eecf7f1b230986ff509814b1ab1ad0ece Mon Sep 17 00:00:00 2001 From: Jeevan Reddy Ragula <90408178+jragula-zs@users.noreply.github.com> Date: Thu, 21 Apr 2022 15:26:09 +0530 Subject: [PATCH 08/77] Update zscaler-iac-scan.yml --- code-scanning/zscaler-iac-scan.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index 195bb57..c6020a5 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -12,8 +12,7 @@ #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). #Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. -#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues -#for further investigation. +#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation. name: Zscaler IaC Scan on: @@ -54,4 +53,4 @@ jobs: if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file + sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} From 1c5c0f7c8a10324929bd35cc2fb63302ca57baef Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Fri, 22 Apr 2022 19:37:39 +0000 Subject: [PATCH 09/77] fix: upgrade @actions/core from 1.2.6 to 1.6.0 Snyk has created this PR to upgrade @actions/core from 1.2.6 to 1.6.0. See this package in npm: https://www.npmjs.com/package/@actions/core See this project in Snyk: https://app.snyk.io/org/cwp-2/project/fd2218da-0d06-448b-be57-a7d3e69b0389?utm_source=github-enterprise&utm_medium=referral&page=upgrade-pr --- script/validate-data/package-lock.json | 24 ++++++++++++++++++++---- script/validate-data/package.json | 2 +- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json index 8839d6a..cf7c70a 100644 --- a/script/validate-data/package-lock.json +++ b/script/validate-data/package-lock.json @@ -1,13 +1,24 @@ { - "name": "sync-ghes-actions", + "name": "validate-data", "version": "1.0.0", "lockfileVersion": 1, "requires": true, "dependencies": { "@actions/core": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", - "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz", + "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==", + "requires": { + "@actions/http-client": "^1.0.11" + } + }, + "@actions/http-client": { + "version": "1.0.11", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz", + "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==", + "requires": { + "tunnel": "0.0.6" + } }, "@types/js-yaml": { "version": "3.12.4", @@ -106,6 +117,11 @@ "yn": "3.1.1" } }, + "tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" + }, "typescript": { "version": "3.9.2", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", diff --git a/script/validate-data/package.json b/script/validate-data/package.json index e6403ee..7936f4e 100644 --- a/script/validate-data/package.json +++ b/script/validate-data/package.json @@ -14,7 +14,7 @@ "typescript": "^3.9.2" }, "dependencies": { - "@actions/core": "^1.2.6", + "@actions/core": "^1.6.0", "js-yaml": "^3.13.1", "jsonschema": "^1.2.6" } From d14e8af6e3b15be640c45ec39df46968b03267a2 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Tue, 30 Aug 2022 21:45:04 +0530 Subject: [PATCH 10/77] Added EthicalCheck Action --- code-scanning/ethicalcheck.yml | 57 +++++++++++++++++++ .../properties/ethicalcheck.properties.json | 24 ++++++++ 2 files changed, 81 insertions(+) create mode 100644 code-scanning/ethicalcheck.yml create mode 100644 code-scanning/properties/ethicalcheck.properties.json diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml new file mode 100644 index 0000000..c089015 --- /dev/null +++ b/code-scanning/ethicalcheck.yml @@ -0,0 +1,57 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# EthicalCheck addresses the critical need to continuously security test APIs in development and in production. + +# EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list. +# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities. + +# You develop the application and API, we bring complete and continuous security testing to you, accelerating development. + +# Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service. + +# How EthicalCheck works? +# EthicalCheck functions in the following simple steps. +# 1. Security Testing. +# Provide your OpenAPI specification or start with a public Postman collection URL. +# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing. +# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc. + +# 2. Reporting. +# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities. +# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging. + + +# This is a starter workflow to help you get started with EthicalCheck Actions + +name: EthicalCheck-Workflow + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the $default-branch branch + # Customize trigger events based on your DevSecOps processes. + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + + +jobs: + Trigger_EthicalCheck: + runs-on: ubuntu-latest + + steps: + - name: EthicalCheck Free & Automated API Security Testing Service + uses: apisec-inc/ethicalcheck-action@latest + with: + # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL. + oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs" + # The email address to which the penetration test report will be sent. + email: "xxx@apisec.ai" \ No newline at end of file diff --git a/code-scanning/properties/ethicalcheck.properties.json b/code-scanning/properties/ethicalcheck.properties.json new file mode 100644 index 0000000..c0949be --- /dev/null +++ b/code-scanning/properties/ethicalcheck.properties.json @@ -0,0 +1,24 @@ +{ + "name": "EthicalCheck", + "creator": "APIsec", + "description": "EthicalCheck addresses the critical need to continuously security test APIs in development and in production. EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list. Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities. You develop the application and API, we bring complete and continuous security testing to you, accelerating development.Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service.", + "iconName": "apisec", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} From 2426779103b940fa2d7d571c75be0c06171f04e6 Mon Sep 17 00:00:00 2001 From: Eric Allard <106756852+SOOS-EAllard@users.noreply.github.com> Date: Fri, 9 Sep 2022 15:00:01 -0400 Subject: [PATCH 11/77] Updated old instructions to add more detail --- code-scanning/soos-dast-scan.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index cf3b1b7..9b58e90 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -3,13 +3,18 @@ # separate terms of service, privacy policy, and support # documentation. # -# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/ +# SOOS is the easy-to-integrate and affordable software security solution for your whole team. +# Learn more at https://soos.io/ # -# To use this action you need to fill the following requirements: +# To use this action, perform the following steps: # -# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product). +# 1. Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA and DAST products. # -# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload) +# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here. +# +# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. +# +# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token. # name: "SOOS DAST Scan" From 723f3e411d8038c90af3237d9fa76a4aad305ee5 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 12:18:02 +0530 Subject: [PATCH 12/77] Revert "Adding manual trigger to sync ghes script" --- .github/workflows/sync-ghes.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index 5e949bb..c8b83c9 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -3,7 +3,6 @@ name: Sync workflows for GHES on: push: branches: [ $default-branch ] - workflow_dispatch: jobs: sync: From 3bc0ad0b1d779b51875217d1f1c70bcdadff9bc3 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Fri, 16 Sep 2022 10:51:50 +0000 Subject: [PATCH 13/77] Add pages templates to validate script --- script/validate-data/settings.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 852f575..23c4790 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -3,7 +3,8 @@ "../../ci", "../../automation", "../../deployments", - "../../code-scanning" + "../../code-scanning", + "../../pages" ], "allowed_categories": [ { @@ -21,6 +22,10 @@ { "path": "../../code-scanning", "categories": ["Code Scanning", "Dependency review"] + }, + { + "path": "../../pages", + "categories": ["Pages"] } ] } From 95057f2418925de42fda9e1fe02c8a3a0f5f5755 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Mon, 19 Sep 2022 11:45:31 +0000 Subject: [PATCH 14/77] Update logic from unique template name to filename --- script/validate-data/index.ts | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 4bd260d..b903c3f 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -7,7 +7,6 @@ import { endGroup, error, info, setFailed, startGroup } from '@actions/core'; interface WorkflowWithErrors { id: string; - name: string; errors: string[]; } @@ -43,7 +42,7 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] - const workflow_template_names = new Set() + const workflow_template_paths = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { withFileTypes: true, @@ -57,8 +56,8 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); - if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { - workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) + if(workflow_template_paths.size == workflow_template_paths.add(e.name).size) { + workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { result.push(workflowWithErrors) @@ -73,7 +72,6 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, - name: null, errors: [] } try { @@ -82,9 +80,6 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow const propertiesFileContent = await fs.readFile(propertiesPath, "utf8") const properties: WorkflowProperties = JSON.parse(propertiesFileContent) - if(properties.name && properties.name.trim().length > 0) { - workflowErrors.name = properties.name - } let v = new validator(); const res = v.validate(properties, propertiesSchema) workflowErrors.errors = res.errors.map(e => e.toString()) From 1a46538eaab360b6ee9226283a9a03cc4c1b73a9 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 20 Sep 2022 11:43:05 +0000 Subject: [PATCH 15/77] Keep both unique template name and filename logic --- ci/properties/jekyll-docker.properties.json | 2 +- script/validate-data/index.ts | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ci/properties/jekyll-docker.properties.json b/ci/properties/jekyll-docker.properties.json index bbe279c..7c66dba 100644 --- a/ci/properties/jekyll-docker.properties.json +++ b/ci/properties/jekyll-docker.properties.json @@ -1,5 +1,5 @@ { - "name": "Jekyll", + "name": "Jekyll using Docker image", "description": "Package a Jekyll site using the jekyll/builder Docker image.", "iconName": "jekyll", "categories": ["Continuous integration", "HTML"] diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index b903c3f..90f1760 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -7,6 +7,7 @@ import { endGroup, error, info, setFailed, startGroup } from '@actions/core'; interface WorkflowWithErrors { id: string; + name: string; errors: string[]; } @@ -42,6 +43,7 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] + const workflow_template_names = new Set() const workflow_template_paths = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { @@ -56,8 +58,11 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); + if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { + workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) + } if(workflow_template_paths.size == workflow_template_paths.add(e.name).size) { - workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) + workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { result.push(workflowWithErrors) @@ -72,6 +77,7 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, + name: null, errors: [] } try { @@ -80,6 +86,9 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow const propertiesFileContent = await fs.readFile(propertiesPath, "utf8") const properties: WorkflowProperties = JSON.parse(propertiesFileContent) + if(properties.name && properties.name.trim().length > 0) { + workflowErrors.name = properties.name + } let v = new validator(); const res = v.validate(properties, propertiesSchema) workflowErrors.errors = res.errors.map(e => e.toString()) From af733fded0b315861e891f5aa54cb6ec54fa8d2b Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 20 Sep 2022 12:51:33 +0000 Subject: [PATCH 16/77] Address comments --- script/validate-data/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 90f1760..abbdfbe 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -44,7 +44,7 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() - const workflow_template_paths = new Set() + const workflow_template_file_names = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { withFileTypes: true, @@ -61,7 +61,7 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } - if(workflow_template_paths.size == workflow_template_paths.add(e.name).size) { + if(workflow_template_file_names.size == workflow_template_file_names.add(e.name).size) { workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { From a50f9361bc1283eb5191ada8a0878319ecd8919e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Tue, 20 Sep 2022 20:02:09 +0300 Subject: [PATCH 17/77] chore: upgrade cosign-installer version to latest MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index e88539d..d07a3f8 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 + uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 with: - cosign-release: 'v1.9.0' + cosign-release: 'v1.11.0' # Workaround: https://github.com/docker/build-push-action/issues/461 From 6b52b98767046e01d8c0543b30767b8214b85be4 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 12:46:14 +0100 Subject: [PATCH 18/77] Hide ESLint on GHES --- code-scanning/properties/eslint.properties.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json index a84646a..2a1271f 100644 --- a/code-scanning/properties/eslint.properties.json +++ b/code-scanning/properties/eslint.properties.json @@ -2,10 +2,11 @@ "name": "ESLint", "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.", "iconName": "eslint", + "enterprise": false, "categories": [ "Code Scanning", "JavaScript", "EcmaScript", "TypeScript" ] -} \ No newline at end of file +} From 23737db30608c6a9c4175971df3a2d451278b955 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 15:45:41 +0100 Subject: [PATCH 19/77] Make enterprise opt-in instead of opt-out --- code-scanning/properties/codeql.properties.json | 1 + script/sync-ghes/index.ts | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index ddb4627..8ee80b4 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,6 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", + "enterprise": true, "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 608e73d..a816109 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - workflowProperties.enterprise !== false && + workflowProperties.enterprise === true && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From d75ca7ac2e1a53eb04fc809ac8affdf2cded060d Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Wed, 21 Sep 2022 16:04:36 +0100 Subject: [PATCH 20/77] fix trigger for ghes sync --- .github/workflows/sync-ghes.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index 5e949bb..26d2665 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -2,7 +2,7 @@ name: Sync workflows for GHES on: push: - branches: [ $default-branch ] + branches: [ main ] workflow_dispatch: jobs: From da2e9558af199abdd3140a07fde272cfdd257831 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 16:00:40 +0100 Subject: [PATCH 21/77] Only use enterprise check for code-scanning folder --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index a816109..a320d36 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - workflowProperties.enterprise === true && + (workflowProperties.enterprise === true || folder !== 'code-scanning') && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From e1512d3916167a26724d2861a9953390eb1ae2f7 Mon Sep 17 00:00:00 2001 From: mthibeau73 Date: Wed, 21 Sep 2022 14:04:45 -0500 Subject: [PATCH 22/77] Add Zimperium zScan starter workflow --- .../properties/zscan.properties.json | 14 +++++ code-scanning/zscan.yml | 61 +++++++++++++++++++ icons/zscan.svg | 11 ++++ 3 files changed, 86 insertions(+) create mode 100644 code-scanning/properties/zscan.properties.json create mode 100644 code-scanning/zscan.yml create mode 100644 icons/zscan.svg diff --git a/code-scanning/properties/zscan.properties.json b/code-scanning/properties/zscan.properties.json new file mode 100644 index 0000000..18c96d7 --- /dev/null +++ b/code-scanning/properties/zscan.properties.json @@ -0,0 +1,14 @@ +{ + "name": "zScan", + "creator": "Zimperium", + "description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ​", + "iconName": "zScan", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C" + ] +} diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml new file mode 100644 index 0000000..1ac6bbd --- /dev/null +++ b/code-scanning/zscan.yml @@ -0,0 +1,61 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) +# and identifies security, privacy, and compliance-related vulnerabilities. ​ +# +# Prerequisites: ​ +# * An active Zimperium zScan account is required. If you are not an existing Zimperium +# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us. +# * Either GitHub Advanced Security (GHAS) or a public repository is required to display +# issues and view the remediation information inside of GitHub code scanning alerts. ​ +# +# For additional information and setup instructions +# please visit: https://github.com/Zimperium/zScanMarketplace#readme + +name: "Zimperium zScan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + zscan: + name: zScan + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Execute gradle build + run: ./gradlew build # Change this to build your mobile application + + - name: Run Zimperium zScan + uses: zimperium/zscanmarketplace@bfc6670f6648d796098c251ccefcfdb98983174d + timeout-minutes: 60 + with: + # REPLACE: Zimperium Client Environment Name + client_env: env_string + # REPLACE: Zimperium Client ID + client_id: id_string + # REPLACE: Zimperium Client Secret + client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }} + # REPLACE: The path to an .ipa or .apk + app_file: app-release-unsigned.apk + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: Zimperium.sarif + \ No newline at end of file diff --git a/icons/zscan.svg b/icons/zscan.svg new file mode 100644 index 0000000..1dff416 --- /dev/null +++ b/icons/zscan.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + From 6a3b2bbd2ec26fd76e5e1eca8365eedddf483835 Mon Sep 17 00:00:00 2001 From: Nick McCurdy Date: Thu, 22 Sep 2022 10:46:38 -0400 Subject: [PATCH 23/77] Add pages directory to readme --- README.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f39892f..9cf6833 100644 --- a/README.md +++ b/README.md @@ -12,10 +12,11 @@ These are the workflow files for helping people get started with GitHub Actions. ### Directory structure -* [ci](ci): solutions for Continuous Integration workflows. -* [deployments](deployments): solutions for Deployment workflows. -* [automation](automation): solutions for automating workflows. -* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security) +* [ci](ci): solutions for Continuous Integration workflows +* [deployments](deployments): solutions for Deployment workflows +* [automation](automation): solutions for automating workflows +* [code-scanning](code-scanning): solutions for [Code Scanning](https://github.com/features/security) +* [pages](pages): solutions for Pages workflows * [icons](icons): svg icons for the relevant template Each workflow must be written in YAML and have a `.yml` extension. They also need a corresponding `.properties.json` file that contains extra metadata about the workflow (this is displayed in the GitHub.com UI). @@ -40,6 +41,14 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * monitoring * Automation * utilities +* Pages +* Hugo +* Gatsby +* Next +* Nuxt +* HTML +* JavaScript +* CSS ### Variables These variables can be placed in the starter workflow and will be substituted as detailed below: From 13ad0bf0aef432c6577fcff3afcf10a492f2e907 Mon Sep 17 00:00:00 2001 From: mthibeau73 Date: Fri, 23 Sep 2022 10:32:47 -0500 Subject: [PATCH 24/77] lowercase iconName in properties file --- code-scanning/properties/zscan.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/zscan.properties.json b/code-scanning/properties/zscan.properties.json index 18c96d7..6b55756 100644 --- a/code-scanning/properties/zscan.properties.json +++ b/code-scanning/properties/zscan.properties.json @@ -2,7 +2,7 @@ "name": "zScan", "creator": "Zimperium", "description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ​", - "iconName": "zScan", + "iconName": "zscan", "categories": [ "Code Scanning", "Java", From 3f6632a2aee5450e054cc12323ff30695875d46b Mon Sep 17 00:00:00 2001 From: Nick McCurdy Date: Fri, 23 Sep 2022 11:42:07 -0400 Subject: [PATCH 25/77] Remove redundant languages --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index 9cf6833..fa8d351 100644 --- a/README.md +++ b/README.md @@ -46,9 +46,6 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * Gatsby * Next * Nuxt -* HTML -* JavaScript -* CSS ### Variables These variables can be placed in the starter workflow and will be substituted as detailed below: From aa0375afbf5108c17eb280bc8e9045aa57c2e78c Mon Sep 17 00:00:00 2001 From: Gabriela Gutierrez Date: Fri, 23 Sep 2022 18:04:56 -0300 Subject: [PATCH 26/77] Remove trailing whitespaces --- code-scanning/scorecards.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 8ca5094..31a4fa1 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -22,7 +22,7 @@ jobs: # Needs for private repositories. contents: read actions: read - + steps: - name: "Checkout code" uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 @@ -41,8 +41,8 @@ jobs: # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results for public repositories to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, regardless + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless # of the value entered here. publish_results: true @@ -54,7 +54,7 @@ jobs: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 From 5f2c1d104d691cc446a7c525b53476b9c4d5b333 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Sep 2022 13:32:49 +0000 Subject: [PATCH 27/77] Bump actions/stale from 5 to 6 Bumps [actions/stale](https://github.com/actions/stale) from 5 to 6. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index c319ce1..002f30d 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v5 + - uses: actions/stale@v6 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' From 022ac9babb7d92b4ea5775cb0385fcc4101d2ad4 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Fri, 23 Sep 2022 08:51:24 -0400 Subject: [PATCH 28/77] Update Anchore Grype scan action workflow --- code-scanning/anchore.yml | 19 ++++++++++--------- .../properties/anchore-syft.properties.json | 2 +- .../properties/anchore.properties.json | 8 ++++---- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index a3d2eed..818fb70 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -9,7 +9,7 @@ # and parameters, see https://github.com/anchore/scan-action. For more # information on Anchore's container image scanning tool Grype, see # https://github.com/anchore/grype -name: Anchore Container Scan +name: Anchore Grype vulnerability scan on: push: @@ -28,20 +28,21 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - name: Checkout the code + - name: Check out the code uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled - uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd + - name: Run the Anchore Grype scan action + uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 + id: scan with: image: "localbuild/testimage:latest" - acs-report-enable: true - fail-build: false - - name: Upload Anchore Scan Report + fail-build: true + severity-cutoff: critical + - name: Upload vulnerability report uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: results.sarif + sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/code-scanning/properties/anchore-syft.properties.json b/code-scanning/properties/anchore-syft.properties.json index 815f8b2..aa4cb1e 100644 --- a/code-scanning/properties/anchore-syft.properties.json +++ b/code-scanning/properties/anchore-syft.properties.json @@ -1,6 +1,6 @@ { "name": "Anchore Syft SBOM Scan", - "organization": "Anchore", + "creator": "Anchore", "description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.", "iconName": "anchore", "categories": ["Code Scanning", "dockerfile", "dependency-management"] diff --git a/code-scanning/properties/anchore.properties.json b/code-scanning/properties/anchore.properties.json index d997da4..94634dd 100644 --- a/code-scanning/properties/anchore.properties.json +++ b/code-scanning/properties/anchore.properties.json @@ -1,7 +1,7 @@ { - "name": "Anchore Container Scan", - "creator": "Indeni Cloudrail", - "description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.", + "name": "Anchore Grype Vulnerability Scan", + "creator": "Anchore", + "description": "Produce source and container vulnerability reports based on Anchore's open source Grype tool.", "iconName": "anchore", "categories": ["Code Scanning", "dockerfile"] -} \ No newline at end of file +} From 10798e7d81930be332a078bedadfb4d44a644016 Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Tue, 27 Sep 2022 21:19:54 -0700 Subject: [PATCH 29/77] Add: Astro to starter workflows --- pages/astro.yml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 pages/astro.yml diff --git a/pages/astro.yml b/pages/astro.yml new file mode 100644 index 0000000..01873b7 --- /dev/null +++ b/pages/astro.yml @@ -0,0 +1,51 @@ +# Sample workflow for building and deploying an Astro site to GitHub Pages +# +# To get started with Astro see: https://docs.astro.build/en/getting-started/ +# + +name: Deploy Roadmap to Pages + +on: + push: + branches: [main] + paths: # only needed when project in subfolder + - "roadmap-priorities" + - ".github/workflows/deploy-roadmap.yml" + workflow_dispatch: + +permissions: + contents: read + pages: write + id-token: write + +env: + PAT: '.' # default value when not using subfolders + # PAT: subfolder + +jobs: + build: + name: Build & Deploy + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 16 + cache-dependency-path: ${{ env.PAT }}/package-lock.json + - run: npm install && npm run build + working-directory: ${{ env.PAT }} + - uses: actions/upload-pages-artifact@v1 + with: + path: ${{ env.PAT }}/dist + + deploy: + needs: build + name: Deploy + runs-on: ubuntu-latest + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 From 61aa8be81622eae19e5c240fb5e4bc9321265ce3 Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Tue, 27 Sep 2022 21:22:38 -0700 Subject: [PATCH 30/77] Paths not enabled by default --- pages/astro.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 01873b7..3deef31 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -8,9 +8,10 @@ name: Deploy Roadmap to Pages on: push: branches: [main] - paths: # only needed when project in subfolder - - "roadmap-priorities" - - ".github/workflows/deploy-roadmap.yml" + # paths: + # only needed when project in subfolder + # - "subfolder" + # - ".github/workflows/astro.yml" workflow_dispatch: permissions: From 13ccf721fe833f11f32c6602733406915a5ed7f6 Mon Sep 17 00:00:00 2001 From: Keegan Saunders Date: Tue, 28 Jun 2022 22:02:19 -0400 Subject: [PATCH 31/77] Add NowSecure Mobile SBOM starter workflow --- code-scanning/nowsecure-mobile-sbom.yml | 55 +++++++++++++++++++ .../nowsecure-mobile-sbom.properties.json | 21 +++++++ 2 files changed, 76 insertions(+) create mode 100644 code-scanning/nowsecure-mobile-sbom.yml create mode 100644 code-scanning/properties/nowsecure-mobile-sbom.properties.json diff --git a/code-scanning/nowsecure-mobile-sbom.yml b/code-scanning/nowsecure-mobile-sbom.yml new file mode 100644 index 0000000..b9cf039 --- /dev/null +++ b/code-scanning/nowsecure-mobile-sbom.yml @@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# NowSecure: The Mobile Security Experts . +# +# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer, +# you can find it in NowSecure Platform. +# +# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access: +# . +# +# Instructions: +# +# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and +# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit +# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub". +# +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Dependency graph" tab in the "Insights" pane once the action has run. + +name: "NowSecure Mobile SBOM" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + nowsecure: + name: NowSecure Mobile SBOM + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build your application + run: ./gradlew assembleDebug # Update this to build your Android or iOS application + + - name: NowSecure upload app + uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c + with: + token: ${{ secrets.NS_TOKEN }} + app_file: app-debug.apk # Update this to a path to your .ipa or .apk + group_id: {{ groupId }} # Update this to your desired Platform group ID diff --git a/code-scanning/properties/nowsecure-mobile-sbom.properties.json b/code-scanning/properties/nowsecure-mobile-sbom.properties.json new file mode 100644 index 0000000..32a7964 --- /dev/null +++ b/code-scanning/properties/nowsecure-mobile-sbom.properties.json @@ -0,0 +1,21 @@ +{ + "name": "NowSecure Mobile SBOM", + "creator": "NowSecure", + "description": "Generate a Mobile SBOM for an application and submit to Dependency Graph", + "iconName": "nowsecure", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C", + "C", + "C++", + "C#", + "Rust", + "JavaScript", + "TypeScript", + "Node" + ] +} From 4193b3bdfdd9c76feecfd076d8404783221a3be2 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:32:20 +0100 Subject: [PATCH 32/77] Adding new yaml file with action example --- code-scanning/checkmarx-one.yml | 40 +++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 code-scanning/checkmarx-one.yml diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml new file mode 100644 index 0000000..89dcdd6 --- /dev/null +++ b/code-scanning/checkmarx-one.yml @@ -0,0 +1,40 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This is a basic workflow to help you get started with Using Checkmarx One Action + +name: Checkmarx Scan + +# Controls when the workflow will run +on: + pull_request: + types: [opened, reopened, synchronize] + branches: [ $default-branch, $protected-branches ] + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # This step checks out a copy of your repository. + - name: Checkout repository + uses: actions/checkout@v2 + - name: Checkmarx scan + uses: checkmarx/ast-github-action@main + with: + base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx + cx_client_id: ${{ secrets.CX_CLIENT_ID }} + cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} + cx_tenant: ${{ secrets.CX_TENANT }} + additional_params: --report-format sarif --output-path . + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: cx_result.sarif \ No newline at end of file From b2113622be8e2b2dbf9b32aa12af30faa65e5362 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:32:56 +0100 Subject: [PATCH 33/77] Add new properties file for Checkmarx --- code-scanning/properties/checkmarx-one.properties.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 code-scanning/properties/checkmarx-one.properties.json diff --git a/code-scanning/properties/checkmarx-one.properties.json b/code-scanning/properties/checkmarx-one.properties.json new file mode 100644 index 0000000..f5ebef8 --- /dev/null +++ b/code-scanning/properties/checkmarx-one.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Checkmarx", + "creator": "Checkmarx", + "description": "Beat vulnerabilities with more secure code.Scan your code with Checkmarx One and see results in the GitHub code scanning.", + "iconName": "checkmarx", + "categories": ["Code Scanning","code-quality", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"] +} \ No newline at end of file From 4d24769f48db2cc2d8ae87ceb69c9f5a51b32e1e Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:33:34 +0100 Subject: [PATCH 34/77] Update checkmarx.svg --- icons/checkmarx.svg | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg index 6bf5ad3..ab11dad 100644 --- a/icons/checkmarx.svg +++ b/icons/checkmarx.svg @@ -1,14 +1 @@ - - - - - - + From 3031cebead8b924c888e3d7b36340bdf4f9db1df Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:35:25 +0100 Subject: [PATCH 35/77] Update checkmarx.svg --- icons/checkmarx.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg index ab11dad..899b3bc 100644 --- a/icons/checkmarx.svg +++ b/icons/checkmarx.svg @@ -1 +1 @@ - + From 61b58c843faaf321af8150f75a667eae24e0e458 Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Thu, 29 Sep 2022 15:22:03 -0700 Subject: [PATCH 36/77] Update pages/astro.yml Co-authored-by: Yoann Chaudet --- pages/astro.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/astro.yml b/pages/astro.yml index 3deef31..544b93d 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -3,7 +3,7 @@ # To get started with Astro see: https://docs.astro.build/en/getting-started/ # -name: Deploy Roadmap to Pages +name: Deploy Astro site to Pages on: push: From 3c68ea5b08cbdafc0df46651c977b6d07b94d2e8 Mon Sep 17 00:00:00 2001 From: Ivan <98037481+IvanZosimov@users.noreply.github.com> Date: Fri, 30 Sep 2022 10:32:25 +0200 Subject: [PATCH 37/77] Update dotnet-desktop.yml to use setup-dotnet@v3 --- ci/dotnet-desktop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index bd2cb2e..fd82a39 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -69,7 +69,7 @@ jobs: # Install the .NET Core workload - name: Install .NET Core - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@v3 with: dotnet-version: 6.0.x From 94301453103b54c82be6c73f03dbbb377e95241d Mon Sep 17 00:00:00 2001 From: Ivan <98037481+IvanZosimov@users.noreply.github.com> Date: Fri, 30 Sep 2022 10:33:07 +0200 Subject: [PATCH 38/77] Update dotnet.yml to use setup-dotnet@v3 --- ci/dotnet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet.yml b/ci/dotnet.yml index a8eccab..7465e23 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Setup .NET - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@v3 with: dotnet-version: 6.0.x - name: Restore dependencies From c4a90daee92b84b29c81d86edf855a258363f5d3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 30 Sep 2022 12:29:54 +0000 Subject: [PATCH 39/77] Bump @actions/core from 1.2.6 to 1.9.1 in /script/validate-data Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.2.6 to 1.9.1. - [Release notes](https://github.com/actions/toolkit/releases) - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) --- updated-dependencies: - dependency-name: "@actions/core" dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- script/validate-data/package-lock.json | 64 +++++++++++++++++++++++--- script/validate-data/package.json | 2 +- 2 files changed, 58 insertions(+), 8 deletions(-) diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json index e660b6a..358c661 100644 --- a/script/validate-data/package-lock.json +++ b/script/validate-data/package-lock.json @@ -9,7 +9,7 @@ "version": "1.0.0", "license": "MIT", "dependencies": { - "@actions/core": "^1.2.6", + "@actions/core": "^1.9.1", "js-yaml": "^3.13.1", "jsonschema": "^1.2.6" }, @@ -21,9 +21,21 @@ } }, "node_modules/@actions/core": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", - "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz", + "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==", + "dependencies": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "node_modules/@actions/http-client": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz", + "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==", + "dependencies": { + "tunnel": "^0.0.6" + } }, "node_modules/@types/js-yaml": { "version": "3.12.4", @@ -153,6 +165,14 @@ "typescript": ">=2.7" } }, + "node_modules/tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==", + "engines": { + "node": ">=0.6.11 <=0.7.0 || >=0.7.3" + } + }, "node_modules/typescript": { "version": "3.9.2", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", @@ -166,6 +186,14 @@ "node": ">=4.2.0" } }, + "node_modules/uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", + "bin": { + "uuid": "dist/bin/uuid" + } + }, "node_modules/yn": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", @@ -178,9 +206,21 @@ }, "dependencies": { "@actions/core": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", - "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz", + "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==", + "requires": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "@actions/http-client": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz", + "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==", + "requires": { + "tunnel": "^0.0.6" + } }, "@types/js-yaml": { "version": "3.12.4", @@ -279,12 +319,22 @@ "yn": "3.1.1" } }, + "tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" + }, "typescript": { "version": "3.9.2", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==", "dev": true }, + "uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==" + }, "yn": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", diff --git a/script/validate-data/package.json b/script/validate-data/package.json index e6403ee..6811f19 100644 --- a/script/validate-data/package.json +++ b/script/validate-data/package.json @@ -14,7 +14,7 @@ "typescript": "^3.9.2" }, "dependencies": { - "@actions/core": "^1.2.6", + "@actions/core": "^1.9.1", "js-yaml": "^3.13.1", "jsonschema": "^1.2.6" } From d668c4cb8b5f3382c65ebcf1624bab95329b274c Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht <15221358+pnacht@users.noreply.github.com> Date: Fri, 7 Oct 2022 14:25:58 +0000 Subject: [PATCH 40/77] Clarify comments in scorecard.yml --- code-scanning/scorecards.yml | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 31a4fa1..1a9119f 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -1,7 +1,10 @@ name: Scorecards supply-chain security on: - # Only the default branch is supported. + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: $cron-weekly push: @@ -17,11 +20,11 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write - # Used to receive a badge. + # Needed to publish results and get a badge (see publish_results below). id-token: write - # Needs for private repositories. - contents: read - actions: read + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read steps: - name: "Checkout code" @@ -40,10 +43,13 @@ jobs: # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results for public repositories to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, regardless - # of the value entered here. + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. publish_results: true # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF From 493117b7055b853103d64a04bfe76998714e047f Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht <15221358+pnacht@users.noreply.github.com> Date: Fri, 7 Oct 2022 18:22:49 +0000 Subject: [PATCH 41/77] Add disclaimer requested in PR template --- code-scanning/scorecards.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 1a9119f..afd2b93 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -1,3 +1,7 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + name: Scorecards supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See From 988cccd442c473a2a89d6793baf896c191a10002 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Mon, 10 Oct 2022 11:12:22 +0000 Subject: [PATCH 42/77] Update old documentation links --- ci/ant.yml | 2 +- ci/dotnet.yml | 3 +++ ci/go.yml | 3 +++ ci/gradle.yml | 2 +- ci/maven.yml | 2 +- ci/node.js.yml | 2 +- ci/npm-publish-github-packages.yml | 2 +- ci/npm-publish.yml | 2 +- ci/python-app.yml | 2 +- ci/python-package.yml | 2 +- ci/python-publish.yml | 2 +- ci/swift.yml | 3 +++ 12 files changed, 18 insertions(+), 9 deletions(-) diff --git a/ci/ant.yml b/ci/ant.yml index 1614664..e9dba01 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -1,5 +1,5 @@ # This workflow will build a Java project with Ant -# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-ant +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-ant name: Java CI diff --git a/ci/dotnet.yml b/ci/dotnet.yml index 7465e23..f11f050 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -1,3 +1,6 @@ +# This workflow will build a .NET project +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net + name: .NET on: diff --git a/ci/go.yml b/ci/go.yml index bb3ec96..4d95674 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -1,3 +1,6 @@ +# This workflow will build a golang project +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go + name: Go on: diff --git a/ci/gradle.yml b/ci/gradle.yml index 0c0f12c..2be0b58 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. # This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time -# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-gradle name: Java CI with Gradle diff --git a/ci/maven.yml b/ci/maven.yml index 65e0dff..26bfc73 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -1,5 +1,5 @@ # This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time -# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven name: Java CI with Maven diff --git a/ci/node.js.yml b/ci/node.js.yml index a89108d..f230593 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -1,5 +1,5 @@ # This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node -# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs name: Node.js CI diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml index 638ccf8..e790f4d 100644 --- a/ci/npm-publish-github-packages.yml +++ b/ci/npm-publish-github-packages.yml @@ -1,5 +1,5 @@ # This workflow will run tests using node and then publish a package to GitHub Packages when a release is created -# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages +# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages name: Node.js Package diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index c461c85..6cdebaf 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -1,5 +1,5 @@ # This workflow will run tests using node and then publish a package to GitHub Packages when a release is created -# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages +# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages name: Node.js Package diff --git a/ci/python-app.yml b/ci/python-app.yml index 4b7fa5f..9945382 100644 --- a/ci/python-app.yml +++ b/ci/python-app.yml @@ -1,5 +1,5 @@ # This workflow will install Python dependencies, run tests and lint with a single version of Python -# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python name: Python application diff --git a/ci/python-package.yml b/ci/python-package.yml index 583a366..de579a3 100644 --- a/ci/python-package.yml +++ b/ci/python-package.yml @@ -1,5 +1,5 @@ # This workflow will install Python dependencies, run tests and lint with a variety of Python versions -# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python name: Python package diff --git a/ci/python-publish.yml b/ci/python-publish.yml index ec70354..bdaab28 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -1,5 +1,5 @@ # This workflow will upload a Python Package using Twine when a release is created -# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries # This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by diff --git a/ci/swift.yml b/ci/swift.yml index 3668fc0..9d84f86 100644 --- a/ci/swift.yml +++ b/ci/swift.yml @@ -1,3 +1,6 @@ +# This workflow will build a golang project +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-swift + name: Swift on: From eaf0ed4a08ebf0cf7b2ef7ac29c1f18f0d5bf084 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Oct 2022 14:19:44 +0000 Subject: [PATCH 43/77] Bump pozil/auto-assign-issue from 1.10.0 to 1.10.1 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.10.0 to 1.10.1. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.10.0...v1.10.1) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index 0cb9345..98f071a 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.10.0 + uses: pozil/auto-assign-issue@v1.10.1 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1 From e9fd3bc4fbab5eb36f309948b4f2b1319ceb35a6 Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht Date: Mon, 10 Oct 2022 15:48:40 +0000 Subject: [PATCH 44/77] Update versions/hashes --- code-scanning/scorecards.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index afd2b93..0e159aa 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -32,12 +32,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3 + uses: ossf/scorecard-action@e363bfca00e752f91de7b7d2a77340e2e523cb18 # v2.0.4 with: results_file: results.sarif results_format: sarif @@ -51,7 +51,7 @@ jobs: # - Publish results to OpenSSF REST API for easy access by consumers # - Allows the repository to include the Scorecard badge. # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: + # For private repositories: # - `publish_results` will always be set to `false`, regardless # of the value entered here. publish_results: true @@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0 + uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 with: name: SARIF file path: results.sarif @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 + uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27 with: sarif_file: results.sarif From 9a9cef713d58450916333470a1bd233e97c2f83e Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec <83706991+abdul-hai-apisec@users.noreply.github.com> Date: Wed, 12 Oct 2022 14:21:47 +0530 Subject: [PATCH 45/77] Update ethicalcheck.yml --- code-scanning/ethicalcheck.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index c089015..4a8ad3c 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml @@ -49,9 +49,16 @@ jobs: steps: - name: EthicalCheck Free & Automated API Security Testing Service - uses: apisec-inc/ethicalcheck-action@latest + uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641 with: # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL. oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs" # The email address to which the penetration test report will be sent. - email: "xxx@apisec.ai" \ No newline at end of file + email: "xxx@apisec.ai" + sarif-result-file: "ethicalcheck-results.sarif" + + - name: Upload sarif file to repository + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ./ethicalcheck-results.sarif + From d1768edd6c32f2b7ed1b94b93e98390da3e4e3d4 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 12 Oct 2022 13:05:05 +0000 Subject: [PATCH 46/77] Remove filename check --- script/validate-data/index.ts | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index abbdfbe..4bd260d 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -44,7 +44,6 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() - const workflow_template_file_names = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { withFileTypes: true, @@ -59,10 +58,7 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { - workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) - } - if(workflow_template_file_names.size == workflow_template_file_names.add(e.name).size) { - workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) + workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { result.push(workflowWithErrors) From 90fcb3f10e2f67fb9e90e866901f7e9173317ea3 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Wed, 12 Oct 2022 20:30:11 +0530 Subject: [PATCH 47/77] Added permissions --- code-scanning/ethicalcheck.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index 4a8ad3c..2818bc6 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml @@ -42,9 +42,14 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: - +permissions: + contents: read + jobs: Trigger_EthicalCheck: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: @@ -57,8 +62,8 @@ jobs: email: "xxx@apisec.ai" sarif-result-file: "ethicalcheck-results.sarif" - - name: Upload sarif file to repository - uses: github/codeql-action/upload-sarif@v2 - with: + - name: Upload sarif file to repository + uses: github/codeql-action/upload-sarif@v2 + with: sarif_file: ./ethicalcheck-results.sarif From a66a1979359eb8f01c0b728469a7c62868fa9b30 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Wed, 12 Oct 2022 16:05:01 +0100 Subject: [PATCH 48/77] Update checkmarx-one.yml --- code-scanning/checkmarx-one.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index 89dcdd6..ffa8d85 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -3,7 +3,8 @@ # separate terms of service, privacy policy, and support # documentation. -# This is a basic workflow to help you get started with Using Checkmarx One Action +# This is a basic workflow to help you get started with Using Checkmarx One Action, +# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html name: Checkmarx Scan @@ -24,17 +25,17 @@ jobs: steps: # This step checks out a copy of your repository. - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Checkmarx scan uses: checkmarx/ast-github-action@main with: - base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx - cx_client_id: ${{ secrets.CX_CLIENT_ID }} - cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} - cx_tenant: ${{ secrets.CX_TENANT }} + base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One + cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e + cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e + cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One additional_params: --report-format sarif --output-path . - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository - sarif_file: cx_result.sarif \ No newline at end of file + sarif_file: cx_result.sarif From 4076f8b8dab71a2b12de6816f8f16f2f508dcdac Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Wed, 12 Oct 2022 16:20:46 +0100 Subject: [PATCH 49/77] Update checkmarx-one.yml --- code-scanning/checkmarx-one.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index ffa8d85..262ed55 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -14,10 +14,18 @@ on: types: [opened, reopened, synchronize] branches: [ $default-branch, $protected-branches ] +permissions: + contents: read + # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "build" build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif + # The type of runner that the job will run on runs-on: ubuntu-latest @@ -26,7 +34,8 @@ jobs: # This step checks out a copy of your repository. - name: Checkout repository uses: actions/checkout@v3 - - name: Checkmarx scan + # This step creates the Checkmarx One scan + - name: Checkmarx One scan uses: checkmarx/ast-github-action@main with: base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One From 0376d797710c37d032bd06418de4a56775c03882 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Wed, 12 Oct 2022 16:48:51 +0100 Subject: [PATCH 50/77] Update checkmarx.svg --- icons/checkmarx.svg | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg index 899b3bc..fbdc9f3 100644 --- a/icons/checkmarx.svg +++ b/icons/checkmarx.svg @@ -1 +1,12 @@ - + + + + + + + + + + + + From 8048d62634872e937bf37f33028e4b4448a4d7d4 Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 13 Oct 2022 13:01:48 -0700 Subject: [PATCH 51/77] Add dependency graph Scala builds do not automatically get support for the dependency graph. This addition will upload dependency information to the dependency graph so users get Dependabot alerts. --- ci/scala.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/ci/scala.yml b/ci/scala.yml index 4a3c112..a88374f 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -6,17 +6,24 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: java-version: '11' - distribution: 'adopt' + distribution: 'temurin' + cache: 'sbt' - name: Run tests run: sbt test + # This step uploads information to the GitHub dependency graph and unblocking Dependabot alerts for the repository + - name: Upload dependency graph + uses: scalacenter/sbt-dependency-submission@v2 From 6686f7461a5ea356163d37ef11e325ab03a534bb Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 13 Oct 2022 13:08:31 -0700 Subject: [PATCH 52/77] Add disclaimer --- ci/scala.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ci/scala.yml b/ci/scala.yml index a88374f..9e78672 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Scala CI on: From 1be22cecc3906449c5014d187ad9c1e3bb1159cb Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 13 Oct 2022 13:24:08 -0700 Subject: [PATCH 53/77] Add dependency graph to Maven workflows --- ci/maven.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ci/maven.yml b/ci/maven.yml index 65e0dff..d762ee9 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -1,6 +1,11 @@ # This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: Java CI with Maven on: @@ -24,3 +29,7 @@ jobs: cache: maven - name: Build with Maven run: mvn -B package --file pom.xml + + # Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive + - name: Update dependency graph + uses: advanced-security/maven-dependency-submission-action@v1 From 9c49b9d11c5dd12f3732b4707fde87d4753c3873 Mon Sep 17 00:00:00 2001 From: Nick McCurdy Date: Mon, 17 Oct 2022 08:31:16 -0400 Subject: [PATCH 54/77] Delete Gatsby, Next, and Nuxt categories https://github.com/actions/starter-workflows/pull/1762#discussion_r996963757 --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index fa8d351..7ff406f 100644 --- a/README.md +++ b/README.md @@ -43,9 +43,6 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * utilities * Pages * Hugo -* Gatsby -* Next -* Nuxt ### Variables These variables can be placed in the starter workflow and will be substituted as detailed below: From b646c9c97cd4a2e9ed23bc609e2cae25e04effb9 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Mon, 17 Oct 2022 14:24:31 +0100 Subject: [PATCH 55/77] Update checkmarx-one.yml --- code-scanning/checkmarx-one.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index 262ed55..e666ddd 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -3,6 +3,11 @@ # separate terms of service, privacy policy, and support # documentation. +# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow. +# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository +# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling +# scan customization using the full functionality and flexibility of the CLI tool. + # This is a basic workflow to help you get started with Using Checkmarx One Action, # documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html From e5b363612e747c2961857eef5c4d66d2824a1efc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Oct 2022 13:53:14 +0000 Subject: [PATCH 56/77] Bump pozil/auto-assign-issue from 1.10.1 to 1.11.0 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.10.1 to 1.11.0. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.10.1...v1.11.0) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index 98f071a..adaa8d6 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.10.1 + uses: pozil/auto-assign-issue@v1.11.0 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1 From 94ce36310999d6d76d8a1b23bdc1f09f5b38f6fe Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 18 Oct 2022 18:19:20 +0530 Subject: [PATCH 57/77] Update ci/swift.yml Co-authored-by: Scott Brenner --- ci/swift.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/swift.yml b/ci/swift.yml index 9d84f86..91276e3 100644 --- a/ci/swift.yml +++ b/ci/swift.yml @@ -1,4 +1,4 @@ -# This workflow will build a golang project +# This workflow will build a Swift project # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-swift name: Swift From 7482e30dc1cfa91d8f20b52fc6416d6dec435652 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Thu, 20 Oct 2022 11:11:54 +0530 Subject: [PATCH 58/77] Updated the description --- code-scanning/properties/ethicalcheck.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/ethicalcheck.properties.json b/code-scanning/properties/ethicalcheck.properties.json index c0949be..8728ca7 100644 --- a/code-scanning/properties/ethicalcheck.properties.json +++ b/code-scanning/properties/ethicalcheck.properties.json @@ -1,7 +1,7 @@ { "name": "EthicalCheck", "creator": "APIsec", - "description": "EthicalCheck addresses the critical need to continuously security test APIs in development and in production. EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list. Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities. You develop the application and API, we bring complete and continuous security testing to you, accelerating development.Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service.", + "description": "EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.", "iconName": "apisec", "categories": [ "Code Scanning", From cef3397932c8d0fa8bf0b0d10b0e662d6d3208a9 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 20 Oct 2022 15:14:03 +0100 Subject: [PATCH 59/77] Update checkmarx-one.yml --- code-scanning/checkmarx-one.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index e666ddd..d85c0c5 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -41,7 +41,7 @@ jobs: uses: actions/checkout@v3 # This step creates the Checkmarx One scan - name: Checkmarx One scan - uses: checkmarx/ast-github-action@main + uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc with: base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e From a95c4f68c84a608cd51d3e85b7516945d61cc69a Mon Sep 17 00:00:00 2001 From: Oliver King Date: Thu, 20 Oct 2022 15:06:21 -0400 Subject: [PATCH 60/77] update aks workflows to latest versions --- deployments/azure-kubernetes-service-helm.yml | 151 +++++++----------- .../azure-kubernetes-service-kompose.yml | 145 ++++++----------- .../azure-kubernetes-service-kustomize.yml | 141 ++++++---------- deployments/azure-kubernetes-service.yml | 129 +++++---------- 4 files changed, 197 insertions(+), 369 deletions(-) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 83a9163..86582e7 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -1,14 +1,16 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# The ACR should be attached to the AKS cluster # For instructions see: # - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters # - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these +# 1. Set the following secrets in your repository (instructions for getting these # https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID @@ -34,7 +36,7 @@ name: Build and deploy an app to AKS with Helm on: push: - branches: [ $default-branch ] + branches: [$default-branch] workflow_dispatch: env: @@ -42,7 +44,6 @@ env: CONTAINER_NAME: "your-container-name" RESOURCE_GROUP: "your-resource-group" CLUSTER_NAME: "your-cluster-name" - IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" CHART_PATH: "your-chart-path" CHART_OVERRIDE_PATH: "your-chart-override-path" @@ -53,63 +54,21 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Builds and pushes an image up to your Azure Container Registry - - name: Build and push image to ACR - run: | - az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + # Checks out the repository this file is in + - uses: actions/checkout@v3 - createSecret: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - - # Retrieves the credentials for pulling images from your Azure Container Registry - - name: Get ACR credentials - run: | - az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true - ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) - ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) - echo "::add-mask::${ACR_USERNAME}" - echo "::set-output name=username::${ACR_USERNAME}" - echo "::add-mask::${ACR_PASSWORD}" - echo "::set-output name=password::${ACR_PASSWORD}" - id: get-acr-creds - - # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step - - name: Create K8s secret for pulling image from ACR - uses: Azure/k8s-create-secret@v1.1 - with: - container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io - container-registry-username: ${{ steps.get-acr-creds.outputs.username }} - container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . deploy: permissions: @@ -117,45 +76,43 @@ jobs: contents: read id-token: write runs-on: ubuntu-latest - needs: [buildImage, createSecret] + needs: [buildImage] steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Runs Helm to create manifest files - - name: Bake deployment - uses: azure/k8s-bake@v2.1 - with: - renderEngine: 'helm' - helmChart: ${{ env.CHART_PATH }} - overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} - overrides: | - replicas:2 - helm-version: 'latest' - id: bake + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Deploys application based on manifest files from previous step - - name: Deploy application - uses: Azure/k8s-deploy@v3.1 - with: - action: deploy - manifests: ${{ steps.bake.outputs.manifestsBundle }} - images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} - imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Runs Helm to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2 + with: + renderEngine: "helm" + helmChart: ${{ env.CHART_PATH }} + overrideFiles: ${{ env.CHART_OVERRIDE_PATH }} + overrides: | + replicas:2 + helm-version: "latest" + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 0e76365..a0e6bdd 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -1,14 +1,16 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# The ACR should be attached to the AKS cluster # For instructions see: # - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters # - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these +# 1. Set the following secrets in your repository (instructions for getting these # https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID @@ -33,7 +35,7 @@ name: Build and deploy an app to AKS with Kompose on: push: - branches: [ $default-branch ] + branches: [$default-branch] workflow_dispatch: env: @@ -41,7 +43,6 @@ env: CONTAINER_NAME: "your-container-name" RESOURCE_GROUP: "your-resource-group" CLUSTER_NAME: "your-cluster-name" - IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path" jobs: @@ -51,106 +52,62 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Builds and pushes an image up to your Azure Container Registry - - name: Build and push image to ACR - run: | - az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - - createSecret: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Retrieves the credentials for pulling images from your Azure Container Registry - - name: Get ACR credentials - run: | - az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true - ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) - ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) - echo "::add-mask::${ACR_USERNAME}" - echo "::set-output name=username::${ACR_USERNAME}" - echo "::add-mask::${ACR_PASSWORD}" - echo "::set-output name=password::${ACR_PASSWORD}" - id: get-acr-creds + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step - - name: Create K8s secret for pulling image from ACR - uses: Azure/k8s-create-secret@v1.1 - with: - container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io - container-registry-username: ${{ steps.get-acr-creds.outputs.username }} - container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} - deploy: permissions: actions: read contents: read id-token: write runs-on: ubuntu-latest - needs: [buildImage, createSecret] + needs: [buildImage] steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Runs Kompose to create manifest files - - name: Bake deployment - uses: azure/k8s-bake@v2.1 - with: - renderEngine: 'kompose' - dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }} - kompose-version: 'latest' - id: bake + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} - # Deploys application based on manifest files from previous step - - name: Deploy application - uses: Azure/k8s-deploy@v3.1 - with: - action: deploy - manifests: ${{ steps.bake.outputs.manifestsBundle }} - images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} - imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + # Runs Kompose to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2 + with: + renderEngine: "kompose" + dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }} + kompose-version: "latest" + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 1a89f3c..6c87057 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -1,14 +1,16 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# The ACR should be attached to the AKS cluster # For instructions see: # - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters # - https://github.com/Azure/aks-create-action # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these +# 1. Set the following secrets in your repository (instructions for getting these # https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID @@ -33,7 +35,7 @@ name: Build and deploy an app to AKS with Kustomize on: push: - branches: [ $default-branch ] + branches: [$default-branch] workflow_dispatch: env: @@ -41,7 +43,6 @@ env: CONTAINER_NAME: "your-container-name" RESOURCE_GROUP: "your-resource-group" CLUSTER_NAME: "your-cluster-name" - IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" KUSTOMIZE_PATH: "your-kustomize-path" jobs: @@ -51,106 +52,62 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Builds and pushes an image up to your Azure Container Registry - - name: Build and push image to ACR - run: | - az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - - createSecret: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - # Retrieves the credentials for pulling images from your Azure Container Registry - - name: Get ACR credentials - run: | - az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true - ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) - ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) - echo "::add-mask::${ACR_USERNAME}" - echo "::set-output name=username::${ACR_USERNAME}" - echo "::add-mask::${ACR_PASSWORD}" - echo "::set-output name=password::${ACR_PASSWORD}" - id: get-acr-creds - - # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step - - name: Create K8s secret for pulling image from ACR - uses: Azure/k8s-create-secret@v1.1 - with: - container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io - container-registry-username: ${{ steps.get-acr-creds.outputs.username }} - container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} - deploy: permissions: actions: read contents: read id-token: write runs-on: ubuntu-latest - needs: [buildImage, createSecret] + needs: [buildImage] steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} - # Runs Kustomize to create manifest files - - name: Bake deployment - uses: azure/k8s-bake@v2.1 - with: - renderEngine: 'kustomize' - kustomizationPath: ${{ env.KUSTOMIZE_PATH }} - kubectl-version: latest - id: bake + # Runs Kustomize to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2 + with: + renderEngine: "kustomize" + kustomizationPath: ${{ env.KUSTOMIZE_PATH }} + kubectl-version: latest + id: bake - # Deploys application based on manifest files from previous step - - name: Deploy application - uses: Azure/k8s-deploy@v3.1 - with: - action: deploy - manifests: ${{ steps.bake.outputs.manifestsBundle }} - images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} - imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index 3e49419..f0b2b38 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -1,9 +1,11 @@ # This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code # # This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# The ACR should be attached to the AKS cluster # For instructions see: # - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal # - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters # - https://github.com/Azure/aks-create-action # # To configure this workflow: @@ -29,7 +31,7 @@ name: Build and deploy an app to AKS on: push: - branches: [ $default-branch ] + branches: [$default-branch] workflow_dispatch: env: @@ -37,8 +39,7 @@ env: CONTAINER_NAME: "your-container-name" RESOURCE_GROUP: "your-resource-group" CLUSTER_NAME: "your-cluster-name" - IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name" - DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path' + DEPLOYMENT_MANIFEST_PATH: "your-deployment-manifest-path" jobs: buildImage: @@ -47,63 +48,21 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Builds and pushes an image up to your Azure Container Registry - - name: Build and push image to ACR - run: | - az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + # Checks out the repository this file is in + - uses: actions/checkout@v3 - createSecret: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # Retrieves the credentials for pulling images from your Azure Container Registry - - name: Get ACR credentials - run: | - az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true - ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) - ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) - echo "::add-mask::${ACR_USERNAME}" - echo "::set-output name=username::${ACR_USERNAME}" - echo "::add-mask::${ACR_PASSWORD}" - echo "::set-output name=password::${ACR_PASSWORD}" - id: get-acr-creds - - # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step - - name: Create K8s secret for pulling image from ACR - uses: Azure/k8s-create-secret@v1.1 - with: - container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io - container-registry-username: ${{ steps.get-acr-creds.outputs.username }} - container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . deploy: permissions: @@ -111,33 +70,31 @@ jobs: contents: read id-token: write runs-on: ubuntu-latest - needs: [buildImage, createSecret] + needs: [buildImage] steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} + # Checks out the repository this file is in + - uses: actions/checkout@v3 - # Deploys application based on given manifest file - - name: Deploys application - uses: Azure/k8s-deploy@v3.1 - with: - action: deploy - manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} - images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} - imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + + # Deploys application based on given manifest file + - name: Deploys application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} From 4367f77de0ebfc8e0bfd31a369320d5d57610c51 Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Thu, 20 Oct 2022 16:06:10 -0700 Subject: [PATCH 61/77] add: concurrency and default branch ref --- pages/astro.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 544b93d..b3ef351 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -2,25 +2,29 @@ # # To get started with Astro see: https://docs.astro.build/en/getting-started/ # - name: Deploy Astro site to Pages on: + # Runs on pushes targeting the default branch push: - branches: [main] - # paths: - # only needed when project in subfolder - # - "subfolder" - # - ".github/workflows/astro.yml" + branches: [$default-branch] + + # Allows you to run this workflow manually from the Actions tab workflow_dispatch: +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages permissions: contents: read pages: write id-token: write +# Allow one concurrent deployment +concurrency: + group: "pages" + cancel-in-progress: true + env: - PAT: '.' # default value when not using subfolders + PAT: "." # default value when not using subfolders # PAT: subfolder jobs: From a2272ea794367d19ee4866bc1620fc318693778a Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Thu, 20 Oct 2022 16:10:14 -0700 Subject: [PATCH 62/77] update: rename subfolder path to avoid confusion --- pages/astro.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index b3ef351..13d209b 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -24,24 +24,24 @@ concurrency: cancel-in-progress: true env: - PAT: "." # default value when not using subfolders - # PAT: subfolder + BUILD_PATH: "." # default value when not using subfolders + # BUILD_PATH: subfolder jobs: build: - name: Build & Deploy + name: Build runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: node-version: 16 - cache-dependency-path: ${{ env.PAT }}/package-lock.json + cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json - run: npm install && npm run build - working-directory: ${{ env.PAT }} + working-directory: ${{ env.BUILD_PATH }} - uses: actions/upload-pages-artifact@v1 with: - path: ${{ env.PAT }}/dist + path: ${{ env.BUILD_PATH }}/dist deploy: needs: build From e05fb5453707149f64da79b7755479a06dd6137a Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Thu, 20 Oct 2022 16:30:54 -0700 Subject: [PATCH 63/77] minor tweaks for consistency with other templates --- pages/astro.yml | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 13d209b..1d4ec5f 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -32,10 +32,30 @@ jobs: name: Build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - name: Checkout + uses: actions/checkout@v3 + - name: Detect package manager + id: detect-package-manager + run: | + if [ -f "${{ github.workspace }}/yarn.lock" ]; then + echo "::set-output name=manager::yarn" + echo "::set-output name=command::install" + echo "::set-output name=runner::yarn" + exit 0 + elif [ -f "${{ github.workspace }}/package.json" ]; then + echo "::set-output name=manager::npm" + echo "::set-output name=command::ci" + echo "::set-output name=runner::npx --no-install" + exit 0 + else + echo "Unable to determine packager manager" + exit 1 + fi + - name: Setup Node + uses: actions/setup-node@v3 with: - node-version: 16 + node-version: "16" + cache: ${{ steps.detect-package-manager.outputs.manager }} cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json - run: npm install && npm run build working-directory: ${{ env.BUILD_PATH }} @@ -44,12 +64,12 @@ jobs: path: ${{ env.BUILD_PATH }}/dist deploy: - needs: build - name: Deploy - runs-on: ubuntu-latest environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} + needs: build + runs-on: ubuntu-latest + name: Deploy steps: - name: Deploy to GitHub Pages id: deployment From 03afd8292058dd5860870efad5c27295dd1fc67d Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Mon, 24 Oct 2022 15:22:18 -0700 Subject: [PATCH 64/77] Update to latest commit sha --- ci/maven.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/maven.yml b/ci/maven.yml index d762ee9..4a8d107 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -32,4 +32,4 @@ jobs: # Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive - name: Update dependency graph - uses: advanced-security/maven-dependency-submission-action@v1 + uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6 From cf8803940451b743087390d37a4bd1db62503efb Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Mon, 24 Oct 2022 15:22:49 -0700 Subject: [PATCH 65/77] Add optional marking --- ci/maven.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/maven.yml b/ci/maven.yml index 4a8d107..31fb19f 100644 --- a/ci/maven.yml +++ b/ci/maven.yml @@ -29,7 +29,7 @@ jobs: cache: maven - name: Build with Maven run: mvn -B package --file pom.xml - - # Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive + + # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive - name: Update dependency graph uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6 From c1444385ea259d1d65245650e32286eb22ea1341 Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Mon, 24 Oct 2022 15:24:40 -0700 Subject: [PATCH 66/77] Mark optional and use commit SHA --- ci/scala.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/scala.yml b/ci/scala.yml index 9e78672..14ba966 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -29,6 +29,6 @@ jobs: cache: 'sbt' - name: Run tests run: sbt test - # This step uploads information to the GitHub dependency graph and unblocking Dependabot alerts for the repository + # Optional: This step uploads information to the GitHub dependency graph and unblocking Dependabot alerts for the repository - name: Upload dependency graph - uses: scalacenter/sbt-dependency-submission@v2 + uses: scalacenter/sbt-dependency-submission@ab086b50c947c9774b70f39fc7f6e20ca2706c91 From ee5b05445ac5bdd8c014232489d3215d22e0ddf8 Mon Sep 17 00:00:00 2001 From: Jeevan Reddy Ragula Date: Tue, 25 Oct 2022 16:32:52 +0530 Subject: [PATCH 67/77] update zscaler iac scan version --- code-scanning/zscaler-iac-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index c6020a5..e880bdf 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -7,7 +7,7 @@ #which detects security misconfigurations in IaC templates and publishes the findings #under the code scanning alerts section within the repository. -#Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. +#Log into the Zscaler Posture Control(ZPC) Portal to begin the onboarding process. #Copy the client ID and client secret key generated during the onboarding process and configure. #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). @@ -36,12 +36,12 @@ jobs: - name : Code Checkout uses: actions/checkout@v3 - name : Zscaler IAC Scan - uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc + uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087 id : zscaler-iac-scan with: client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} - #This is the user region specified during the onboarding process within the ZWP Admin Portal. + #This is the user region specified during the onboarding process within the ZPC Admin Portal. region : 'US' iac_dir : #Enter the IaC directory path from root. iac_file : #Enter the IaC file path from root. From 65cfd09f0d556e4bcaf18ed7555c5af1cdce91d3 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Wed, 26 Oct 2022 16:05:53 -0300 Subject: [PATCH 68/77] update soos dast to latest version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 47f6c48..0b982d3 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 + uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From 81a4ed37489870ca8016e5d64aaee8aa1c0c2f03 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Wed, 26 Oct 2022 16:10:52 -0300 Subject: [PATCH 69/77] comment about latest version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 0b982d3..825f573 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db + uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db # Use latest version from https://github.com/marketplace/actions/soos-dast with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From c36348cbc69edcc1766b7c5927c5ceaa3a9d902c Mon Sep 17 00:00:00 2001 From: Angela P Wen Date: Wed, 26 Oct 2022 23:28:17 +0000 Subject: [PATCH 70/77] Add Go to code scanning autobuild comment --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 00ffcdb..34c5de7 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -53,7 +53,7 @@ jobs: # queries: security-extended,security-and-quality - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild uses: github/codeql-action/autobuild@v2 From ae7e197e30022cb4359c3d686798ca03f042a42b Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Wed, 26 Oct 2022 19:19:46 -0700 Subject: [PATCH 71/77] add: astro icon --- icons/astro.svg | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 icons/astro.svg diff --git a/icons/astro.svg b/icons/astro.svg new file mode 100644 index 0000000..ff9dd54 --- /dev/null +++ b/icons/astro.svg @@ -0,0 +1,20 @@ + + + + + + + + + + + + + + + + + + + + From 57f76cbb16a75bd7c17ce270e67a667e0d083676 Mon Sep 17 00:00:00 2001 From: Adrian Mato Date: Wed, 26 Oct 2022 19:21:14 -0700 Subject: [PATCH 72/77] add: astro properties --- pages/properties/astro.properties.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 pages/properties/astro.properties.json diff --git a/pages/properties/astro.properties.json b/pages/properties/astro.properties.json new file mode 100644 index 0000000..bc7db05 --- /dev/null +++ b/pages/properties/astro.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Astro", + "description": "Deploy an Astro site.", + "iconName": "astro", + "categories": ["Pages", "Astro"] +} From b56cd5718e3a1f4ab9c35471b8a7fd4db9569fbf Mon Sep 17 00:00:00 2001 From: Mohammed Asif <87167426+asifadn9@users.noreply.github.com> Date: Thu, 27 Oct 2022 16:59:58 +0530 Subject: [PATCH 73/77] Update apisec-scan.yml --- code-scanning/apisec-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 5a9b751..fc09be3 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -53,7 +53,7 @@ jobs: steps: - name: APIsec scan - uses: apisec-inc/apisec-run-scan@f62d0c6fae8a80f97b091a323befdb56e6ad9993 + uses: apisec-inc/apisec-run-scan@f748a240d69ca6cd7e9532fd0a47bec4ccd6a73c with: # The APIsec username with which the scans will be executed apisec-username: ${{ secrets.apisec_username }} From 21885a7e846d33a4d2393c8916620a383e20a189 Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht Date: Thu, 27 Oct 2022 13:22:19 +0000 Subject: [PATCH 74/77] Update scorecard-action to 2.0.6 --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 0e159aa..11e305f 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -37,7 +37,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@e363bfca00e752f91de7b7d2a77340e2e523cb18 # v2.0.4 + uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 with: results_file: results.sarif results_format: sarif From 7714a42d7a7f9901b9ea6589b98c906a544beb13 Mon Sep 17 00:00:00 2001 From: Luca Casonato Date: Mon, 31 Oct 2022 14:15:11 +0100 Subject: [PATCH 75/77] Update denoland/setup-deno workflow This updates the version of the denoland/setup-deno action used in ci/deno.yml starter workflow to a version that uses node16, to remove the warning about node12 workflows being deprecated. The version updated to is the latest released version, v1.1.1: https://github.com/denoland/setup-deno/releases/tag/v1.1.1 --- ci/deno.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/deno.yml b/ci/deno.yml index 2234bf6..5ee940d 100644 --- a/ci/deno.yml +++ b/ci/deno.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow will install Deno then run Deno lint and test. +# This workflow will install Deno then run `deno lint` and `deno test`. # For more information see: https://github.com/denoland/setup-deno name: Deno @@ -27,7 +27,7 @@ jobs: - name: Setup Deno # uses: denoland/setup-deno@v1 - uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e983317366 + uses: denoland/setup-deno@9db7f66e8e16b5699a514448ce994936c63f0d54 with: deno-version: v1.x @@ -39,4 +39,4 @@ jobs: run: deno lint - name: Run tests - run: deno test -A --unstable + run: deno test -A From 84381b5f5ca76d70f5041ab1b484b4e8bf267c7b Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 3 Nov 2022 17:29:01 +0000 Subject: [PATCH 76/77] Update checkmarx-one.properties.json --- code-scanning/properties/checkmarx-one.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/checkmarx-one.properties.json b/code-scanning/properties/checkmarx-one.properties.json index f5ebef8..c1b2eea 100644 --- a/code-scanning/properties/checkmarx-one.properties.json +++ b/code-scanning/properties/checkmarx-one.properties.json @@ -3,5 +3,5 @@ "creator": "Checkmarx", "description": "Beat vulnerabilities with more secure code.Scan your code with Checkmarx One and see results in the GitHub code scanning.", "iconName": "checkmarx", - "categories": ["Code Scanning","code-quality", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"] -} \ No newline at end of file + "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"] +} From ad25137ca3ada5e5c710879bb33862cb3f6c9edd Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Mon, 7 Nov 2022 10:21:52 -0600 Subject: [PATCH 77/77] Update checkmarx.svg --- icons/checkmarx.svg | 81 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 71 insertions(+), 10 deletions(-) diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg index fbdc9f3..7c5b4d9 100644 --- a/icons/checkmarx.svg +++ b/icons/checkmarx.svg @@ -1,12 +1,73 @@ - - - + + - - - - - - - + + + + + + + + + + + + + +