Merge branch 'main' into main

This commit is contained in:
Omer Zidkoni
2022-11-08 16:07:00 +02:00
committed by GitHub
54 changed files with 929 additions and 455 deletions
+10 -9
View File
@@ -9,7 +9,7 @@
# and parameters, see https://github.com/anchore/scan-action. For more
# information on Anchore's container image scanning tool Grype, see
# https://github.com/anchore/grype
name: Anchore Container Scan
name: Anchore Grype vulnerability scan
on:
push:
@@ -28,20 +28,21 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout the code
- name: Check out the code
uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
- name: Run the Anchore Grype scan action
uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
id: scan
with:
image: "localbuild/testimage:latest"
acs-report-enable: true
fail-build: false
- name: Upload Anchore Scan Report
fail-build: true
severity-cutoff: critical
- name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
sarif_file: ${{ steps.scan.outputs.sarif }}
+3 -2
View File
@@ -46,7 +46,8 @@ permissions:
contents: read
jobs:
Trigger APIsec scan:
Trigger_APIsec_scan:
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
@@ -54,7 +55,7 @@ jobs:
steps:
- name: APIsec scan
uses: apisec-inc/apisec-run-scan@f62d0c6fae8a80f97b091a323befdb56e6ad9993
uses: apisec-inc/apisec-run-scan@f748a240d69ca6cd7e9532fd0a47bec4ccd6a73c
with:
# The APIsec username with which the scans will be executed
apisec-username: ${{ secrets.apisec_username }}
+55
View File
@@ -0,0 +1,55 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow.
# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository
# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling
# scan customization using the full functionality and flexibility of the CLI tool.
# This is a basic workflow to help you get started with Using Checkmarx One Action,
# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html
name: Checkmarx Scan
# Controls when the workflow will run
on:
pull_request:
types: [opened, reopened, synchronize]
branches: [ $default-branch, $protected-branches ]
permissions:
contents: read
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# This step checks out a copy of your repository.
- name: Checkout repository
uses: actions/checkout@v3
# This step creates the Checkmarx One scan
- name: Checkmarx One scan
uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc
with:
base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One
cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One
additional_params: --report-format sarif --output-path .
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: cx_result.sarif
+1 -1
View File
@@ -53,7 +53,7 @@ jobs:
# queries: security-extended,security-and-quality
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
+69
View File
@@ -0,0 +1,69 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# EthicalCheck addresses the critical need to continuously security test APIs in development and in production.
# EthicalCheck provides the industrys only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.
# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities.
# You develop the application and API, we bring complete and continuous security testing to you, accelerating development.
# Know your API and Applications are secure with EthicalCheck our free & automated API security testing service.
# How EthicalCheck works?
# EthicalCheck functions in the following simple steps.
# 1. Security Testing.
# Provide your OpenAPI specification or start with a public Postman collection URL.
# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing.
# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc.
# 2. Reporting.
# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities.
# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging.
# This is a starter workflow to help you get started with EthicalCheck Actions
name: EthicalCheck-Workflow
# Controls when the workflow will run
on:
# Triggers the workflow on push or pull request events but only for the $default-branch branch
# Customize trigger events based on your DevSecOps processes.
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
permissions:
contents: read
jobs:
Trigger_EthicalCheck:
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: EthicalCheck Free & Automated API Security Testing Service
uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641
with:
# The OpenAPI Specification URL or Swagger Path or Public Postman collection URL.
oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs"
# The email address to which the penetration test report will be sent.
email: "xxx@apisec.ai"
sarif-result-file: "ethicalcheck-results.sarif"
- name: Upload sarif file to repository
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./ethicalcheck-results.sarif
+55
View File
@@ -0,0 +1,55 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# NowSecure: The Mobile Security Experts <https://www.nowsecure.com/>.
#
# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer,
# you can find it in NowSecure Platform.
#
# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access:
# <https://bit.ly/ns-git-sbom>.
#
# Instructions:
#
# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and
# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit
# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub".
#
# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
# and review the "Dependency graph" tab in the "Insights" pane once the action has run.
name: "NowSecure Mobile SBOM"
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
nowsecure:
name: NowSecure Mobile SBOM
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Build your application
run: ./gradlew assembleDebug # Update this to build your Android or iOS application
- name: NowSecure upload app
uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c
with:
token: ${{ secrets.NS_TOKEN }}
app_file: app-debug.apk # Update this to a path to your .ipa or .apk
group_id: {{ groupId }} # Update this to your desired Platform group ID
@@ -1,6 +1,6 @@
{
"name": "Anchore Syft SBOM Scan",
"organization": "Anchore",
"creator": "Anchore",
"description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.",
"iconName": "anchore",
"categories": ["Code Scanning", "dockerfile", "dependency-management"]
@@ -1,7 +1,7 @@
{
"name": "Anchore Container Scan",
"creator": "Indeni Cloudrail",
"description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.",
"name": "Anchore Grype Vulnerability Scan",
"creator": "Anchore",
"description": "Produce source and container vulnerability reports based on Anchore's open source Grype tool.",
"iconName": "anchore",
"categories": ["Code Scanning", "dockerfile"]
}
}
@@ -0,0 +1,7 @@
{
"name": "Checkmarx",
"creator": "Checkmarx",
"description": "Beat vulnerabilities with more secure code.Scan your code with Checkmarx One and see results in the GitHub code scanning.",
"iconName": "checkmarx",
"categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"]
}
@@ -1,6 +1,7 @@
{
"name": "CodeQL Analysis",
"creator": "GitHub",
"enterprise": true,
"description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
"iconName": "octicon mark-github",
"categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
@@ -2,10 +2,11 @@
"name": "ESLint",
"description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.",
"iconName": "eslint",
"enterprise": false,
"categories": [
"Code Scanning",
"JavaScript",
"EcmaScript",
"TypeScript"
]
}
}
@@ -0,0 +1,24 @@
{
"name": "EthicalCheck",
"creator": "APIsec",
"description": "EthicalCheck provides the industrys only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.",
"iconName": "apisec",
"categories": [
"Code Scanning",
"C",
"C#",
"C++",
"Go",
"Java",
"JavaScript",
"Kotlin",
"Objective C",
"PHP",
"Python",
"Ruby",
"Rust",
"Scala",
"Swift",
"TypeScript"
]
}
@@ -0,0 +1,21 @@
{
"name": "NowSecure Mobile SBOM",
"creator": "NowSecure",
"description": "Generate a Mobile SBOM for an application and submit to Dependency Graph",
"iconName": "nowsecure",
"categories": [
"Code Scanning",
"Java",
"Kotlin",
"Scala",
"Swift",
"Objective C",
"C",
"C++",
"C#",
"Rust",
"JavaScript",
"TypeScript",
"Node"
]
}
@@ -0,0 +1,7 @@
{
"name": "Zscaler IaC Scan",
"creator": "Zscaler CWP",
"description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app",
"iconName": "zscaler",
"categories": ["Code Scanning"]
}
@@ -0,0 +1,14 @@
{
"name": "zScan",
"creator": "Zimperium",
"description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ",
"iconName": "zscan",
"categories": [
"Code Scanning",
"Java",
"Kotlin",
"Scala",
"Swift",
"Objective C"
]
}
+25 -15
View File
@@ -1,7 +1,14 @@
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.
name: Scorecards supply-chain security
on:
# Only the default branch is supported.
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
# To guarantee Maintained check is occasionally updated. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: $cron-weekly
push:
@@ -17,20 +24,20 @@ jobs:
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Used to receive a badge.
# Needed to publish results and get a badge (see publish_results below).
id-token: write
# Needs for private repositories.
contents: read
actions: read
# Uncomment the permissions below if installing in a private repository.
# contents: read
# actions: read
steps:
- name: "Checkout code"
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3
uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
with:
results_file: results.sarif
results_format: sarif
@@ -40,23 +47,26 @@ jobs:
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
# repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
# Publish the results for public repositories to enable scorecard badges. For more details, see
# https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories, `publish_results` will automatically be set to `false`, regardless
# of the value entered here.
# Public repositories:
# - Publish results to OpenSSF REST API for easy access by consumers
# - Allows the repository to include the Scorecard badge.
# - See https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories:
# - `publish_results` will always be set to `false`, regardless
# of the value entered here.
publish_results: true
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
with:
sarif_file: results.sarif
+10 -5
View File
@@ -3,13 +3,18 @@
# separate terms of service, privacy policy, and support
# documentation.
#
# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/
# SOOS is the easy-to-integrate and affordable software security solution for your whole team.
# Learn more at https://soos.io/
#
# To use this action you need to fill the following requirements:
# To use this action, perform the following steps:
#
# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product).
# 1. Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA and DAST products.
#
# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload)
# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here.
#
# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID.
#
# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token.
#
name: "SOOS DAST Scan"
@@ -29,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Run SOOS DAST Scan
uses: soos-io/soos-dast-github-action@b524e2cfbc4f4a5733153a7e624f569913f6c6e9
uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db # Use latest version from https://github.com/marketplace/actions/soos-dast
with:
client_id: ${{ secrets.SOOS_CLIENT_ID }}
api_key: ${{ secrets.SOOS_API_KEY }}
+56
View File
@@ -0,0 +1,56 @@
#This workflow uses actions that are not certified by GitHub.
#They are provided by a third party and are governed by
#separate terms of service, privacy policy, and support
#documentation.
#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app,
#which detects security misconfigurations in IaC templates and publishes the findings
#under the code scanning alerts section within the repository.
#Log into the Zscaler Posture Control(ZPC) Portal to begin the onboarding process.
#Copy the client ID and client secret key generated during the onboarding process and configure.
#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET).
#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow.
#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation.
name: Zscaler IaC Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
zscaler-iac-scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- name : Code Checkout
uses: actions/checkout@v3
- name : Zscaler IAC Scan
uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087
id : zscaler-iac-scan
with:
client_id : ${{ secrets.ZSCANNER_CLIENT_ID }}
client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }}
#This is the user region specified during the onboarding process within the ZPC Admin Portal.
region : 'US'
iac_dir : #Enter the IaC directory path from root.
iac_file : #Enter the IaC file path from root.
output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here.
#To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true.
fail_build : #Enter true/false
#Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
- name: Upload SARIF file
if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}
+61
View File
@@ -0,0 +1,61 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android)
# and identifies security, privacy, and compliance-related vulnerabilities.
#
# Prerequisites:
# * An active Zimperium zScan account is required. If you are not an existing Zimperium
# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us.
# * Either GitHub Advanced Security (GHAS) or a public repository is required to display
# issues and view the remediation information inside of GitHub code scanning alerts.
#
# For additional information and setup instructions
# please visit: https://github.com/Zimperium/zScanMarketplace#readme
name: "Zimperium zScan"
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
permissions:
contents: read
jobs:
zscan:
name: zScan
runs-on: ubuntu-latest
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Execute gradle build
run: ./gradlew build # Change this to build your mobile application
- name: Run Zimperium zScan
uses: zimperium/zscanmarketplace@bfc6670f6648d796098c251ccefcfdb98983174d
timeout-minutes: 60
with:
# REPLACE: Zimperium Client Environment Name
client_env: env_string
# REPLACE: Zimperium Client ID
client_id: id_string
# REPLACE: Zimperium Client Secret
client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }}
# REPLACE: The path to an .ipa or .apk
app_file: app-release-unsigned.apk
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: Zimperium.sarif