Merge branch 'main' into main
This commit is contained in:
@@ -9,7 +9,7 @@
|
||||
# and parameters, see https://github.com/anchore/scan-action. For more
|
||||
# information on Anchore's container image scanning tool Grype, see
|
||||
# https://github.com/anchore/grype
|
||||
name: Anchore Container Scan
|
||||
name: Anchore Grype vulnerability scan
|
||||
|
||||
on:
|
||||
push:
|
||||
@@ -28,20 +28,21 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout the code
|
||||
- name: Check out the code
|
||||
uses: actions/checkout@v3
|
||||
- name: Build the Docker image
|
||||
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
|
||||
- name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
|
||||
uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
|
||||
- name: Run the Anchore Grype scan action
|
||||
uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
|
||||
id: scan
|
||||
with:
|
||||
image: "localbuild/testimage:latest"
|
||||
acs-report-enable: true
|
||||
fail-build: false
|
||||
- name: Upload Anchore Scan Report
|
||||
fail-build: true
|
||||
severity-cutoff: critical
|
||||
- name: Upload vulnerability report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
sarif_file: ${{ steps.scan.outputs.sarif }}
|
||||
|
||||
@@ -46,7 +46,8 @@ permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
Trigger APIsec scan:
|
||||
|
||||
Trigger_APIsec_scan:
|
||||
permissions:
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
@@ -54,7 +55,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: APIsec scan
|
||||
uses: apisec-inc/apisec-run-scan@f62d0c6fae8a80f97b091a323befdb56e6ad9993
|
||||
uses: apisec-inc/apisec-run-scan@f748a240d69ca6cd7e9532fd0a47bec4ccd6a73c
|
||||
with:
|
||||
# The APIsec username with which the scans will be executed
|
||||
apisec-username: ${{ secrets.apisec_username }}
|
||||
|
||||
@@ -0,0 +1,55 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow.
|
||||
# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository
|
||||
# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling
|
||||
# scan customization using the full functionality and flexibility of the CLI tool.
|
||||
|
||||
# This is a basic workflow to help you get started with Using Checkmarx One Action,
|
||||
# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html
|
||||
|
||||
name: Checkmarx Scan
|
||||
|
||||
# Controls when the workflow will run
|
||||
on:
|
||||
pull_request:
|
||||
types: [opened, reopened, synchronize]
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
|
||||
jobs:
|
||||
# This workflow contains a single job called "build"
|
||||
build:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif
|
||||
|
||||
# The type of runner that the job will run on
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
# Steps represent a sequence of tasks that will be executed as part of the job
|
||||
steps:
|
||||
# This step checks out a copy of your repository.
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
# This step creates the Checkmarx One scan
|
||||
- name: Checkmarx One scan
|
||||
uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc
|
||||
with:
|
||||
base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One
|
||||
cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
|
||||
cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
|
||||
cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One
|
||||
additional_params: --report-format sarif --output-path .
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: cx_result.sarif
|
||||
@@ -53,7 +53,7 @@ jobs:
|
||||
# queries: security-extended,security-and-quality
|
||||
|
||||
|
||||
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
||||
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
|
||||
# If this step fails, then you should remove it and run the build manually (see below)
|
||||
- name: Autobuild
|
||||
uses: github/codeql-action/autobuild@v2
|
||||
|
||||
@@ -0,0 +1,69 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# EthicalCheck addresses the critical need to continuously security test APIs in development and in production.
|
||||
|
||||
# EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.
|
||||
# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities.
|
||||
|
||||
# You develop the application and API, we bring complete and continuous security testing to you, accelerating development.
|
||||
|
||||
# Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service.
|
||||
|
||||
# How EthicalCheck works?
|
||||
# EthicalCheck functions in the following simple steps.
|
||||
# 1. Security Testing.
|
||||
# Provide your OpenAPI specification or start with a public Postman collection URL.
|
||||
# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing.
|
||||
# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc.
|
||||
|
||||
# 2. Reporting.
|
||||
# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities.
|
||||
# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging.
|
||||
|
||||
|
||||
# This is a starter workflow to help you get started with EthicalCheck Actions
|
||||
|
||||
name: EthicalCheck-Workflow
|
||||
|
||||
# Controls when the workflow will run
|
||||
on:
|
||||
# Triggers the workflow on push or pull request events but only for the $default-branch branch
|
||||
# Customize trigger events based on your DevSecOps processes.
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
# Allows you to run this workflow manually from the Actions tab
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
Trigger_EthicalCheck:
|
||||
permissions:
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: EthicalCheck Free & Automated API Security Testing Service
|
||||
uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641
|
||||
with:
|
||||
# The OpenAPI Specification URL or Swagger Path or Public Postman collection URL.
|
||||
oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs"
|
||||
# The email address to which the penetration test report will be sent.
|
||||
email: "xxx@apisec.ai"
|
||||
sarif-result-file: "ethicalcheck-results.sarif"
|
||||
|
||||
- name: Upload sarif file to repository
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: ./ethicalcheck-results.sarif
|
||||
|
||||
@@ -0,0 +1,55 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
#
|
||||
# NowSecure: The Mobile Security Experts <https://www.nowsecure.com/>.
|
||||
#
|
||||
# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer,
|
||||
# you can find it in NowSecure Platform.
|
||||
#
|
||||
# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access:
|
||||
# <https://bit.ly/ns-git-sbom>.
|
||||
#
|
||||
# Instructions:
|
||||
#
|
||||
# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and
|
||||
# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit
|
||||
# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub".
|
||||
#
|
||||
# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
|
||||
# and review the "Dependency graph" tab in the "Insights" pane once the action has run.
|
||||
|
||||
name: "NowSecure Mobile SBOM"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
nowsecure:
|
||||
name: NowSecure Mobile SBOM
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Build your application
|
||||
run: ./gradlew assembleDebug # Update this to build your Android or iOS application
|
||||
|
||||
- name: NowSecure upload app
|
||||
uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c
|
||||
with:
|
||||
token: ${{ secrets.NS_TOKEN }}
|
||||
app_file: app-debug.apk # Update this to a path to your .ipa or .apk
|
||||
group_id: {{ groupId }} # Update this to your desired Platform group ID
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "Anchore Syft SBOM Scan",
|
||||
"organization": "Anchore",
|
||||
"creator": "Anchore",
|
||||
"description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.",
|
||||
"iconName": "anchore",
|
||||
"categories": ["Code Scanning", "dockerfile", "dependency-management"]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "Anchore Container Scan",
|
||||
"creator": "Indeni Cloudrail",
|
||||
"description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.",
|
||||
"name": "Anchore Grype Vulnerability Scan",
|
||||
"creator": "Anchore",
|
||||
"description": "Produce source and container vulnerability reports based on Anchore's open source Grype tool.",
|
||||
"iconName": "anchore",
|
||||
"categories": ["Code Scanning", "dockerfile"]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Checkmarx",
|
||||
"creator": "Checkmarx",
|
||||
"description": "Beat vulnerabilities with more secure code.Scan your code with Checkmarx One and see results in the GitHub code scanning.",
|
||||
"iconName": "checkmarx",
|
||||
"categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"]
|
||||
}
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"name": "CodeQL Analysis",
|
||||
"creator": "GitHub",
|
||||
"enterprise": true,
|
||||
"description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
|
||||
"iconName": "octicon mark-github",
|
||||
"categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
|
||||
|
||||
@@ -2,10 +2,11 @@
|
||||
"name": "ESLint",
|
||||
"description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.",
|
||||
"iconName": "eslint",
|
||||
"enterprise": false,
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"JavaScript",
|
||||
"EcmaScript",
|
||||
"TypeScript"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
{
|
||||
"name": "EthicalCheck",
|
||||
"creator": "APIsec",
|
||||
"description": "EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.",
|
||||
"iconName": "apisec",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"C",
|
||||
"C#",
|
||||
"C++",
|
||||
"Go",
|
||||
"Java",
|
||||
"JavaScript",
|
||||
"Kotlin",
|
||||
"Objective C",
|
||||
"PHP",
|
||||
"Python",
|
||||
"Ruby",
|
||||
"Rust",
|
||||
"Scala",
|
||||
"Swift",
|
||||
"TypeScript"
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,21 @@
|
||||
{
|
||||
"name": "NowSecure Mobile SBOM",
|
||||
"creator": "NowSecure",
|
||||
"description": "Generate a Mobile SBOM for an application and submit to Dependency Graph",
|
||||
"iconName": "nowsecure",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"Java",
|
||||
"Kotlin",
|
||||
"Scala",
|
||||
"Swift",
|
||||
"Objective C",
|
||||
"C",
|
||||
"C++",
|
||||
"C#",
|
||||
"Rust",
|
||||
"JavaScript",
|
||||
"TypeScript",
|
||||
"Node"
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Zscaler IaC Scan",
|
||||
"creator": "Zscaler CWP",
|
||||
"description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app",
|
||||
"iconName": "zscaler",
|
||||
"categories": ["Code Scanning"]
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
{
|
||||
"name": "zScan",
|
||||
"creator": "Zimperium",
|
||||
"description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ",
|
||||
"iconName": "zscan",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"Java",
|
||||
"Kotlin",
|
||||
"Scala",
|
||||
"Swift",
|
||||
"Objective C"
|
||||
]
|
||||
}
|
||||
@@ -1,7 +1,14 @@
|
||||
# This workflow uses actions that are not certified by GitHub. They are provided
|
||||
# by a third-party and are governed by separate terms of service, privacy
|
||||
# policy, and support documentation.
|
||||
|
||||
name: Scorecards supply-chain security
|
||||
on:
|
||||
# Only the default branch is supported.
|
||||
# For Branch-Protection check. Only the default branch is supported. See
|
||||
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
|
||||
branch_protection_rule:
|
||||
# To guarantee Maintained check is occasionally updated. See
|
||||
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
push:
|
||||
@@ -17,20 +24,20 @@ jobs:
|
||||
permissions:
|
||||
# Needed to upload the results to code-scanning dashboard.
|
||||
security-events: write
|
||||
# Used to receive a badge.
|
||||
# Needed to publish results and get a badge (see publish_results below).
|
||||
id-token: write
|
||||
# Needs for private repositories.
|
||||
contents: read
|
||||
actions: read
|
||||
|
||||
# Uncomment the permissions below if installing in a private repository.
|
||||
# contents: read
|
||||
# actions: read
|
||||
|
||||
steps:
|
||||
- name: "Checkout code"
|
||||
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
|
||||
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
- name: "Run analysis"
|
||||
uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3
|
||||
uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
@@ -40,23 +47,26 @@ jobs:
|
||||
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
|
||||
# repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
|
||||
|
||||
# Publish the results for public repositories to enable scorecard badges. For more details, see
|
||||
# https://github.com/ossf/scorecard-action#publishing-results.
|
||||
# For private repositories, `publish_results` will automatically be set to `false`, regardless
|
||||
# of the value entered here.
|
||||
# Public repositories:
|
||||
# - Publish results to OpenSSF REST API for easy access by consumers
|
||||
# - Allows the repository to include the Scorecard badge.
|
||||
# - See https://github.com/ossf/scorecard-action#publishing-results.
|
||||
# For private repositories:
|
||||
# - `publish_results` will always be set to `false`, regardless
|
||||
# of the value entered here.
|
||||
publish_results: true
|
||||
|
||||
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
|
||||
# format to the repository Actions tab.
|
||||
- name: "Upload artifact"
|
||||
uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
|
||||
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
retention-days: 5
|
||||
|
||||
|
||||
# Upload the results to GitHub's code scanning dashboard.
|
||||
- name: "Upload to code-scanning"
|
||||
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
|
||||
uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -3,13 +3,18 @@
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
#
|
||||
# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/
|
||||
# SOOS is the easy-to-integrate and affordable software security solution for your whole team.
|
||||
# Learn more at https://soos.io/
|
||||
#
|
||||
# To use this action you need to fill the following requirements:
|
||||
# To use this action, perform the following steps:
|
||||
#
|
||||
# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product).
|
||||
# 1. Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA and DAST products.
|
||||
#
|
||||
# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload)
|
||||
# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here.
|
||||
#
|
||||
# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID.
|
||||
#
|
||||
# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token.
|
||||
#
|
||||
|
||||
name: "SOOS DAST Scan"
|
||||
@@ -29,7 +34,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Run SOOS DAST Scan
|
||||
uses: soos-io/soos-dast-github-action@b524e2cfbc4f4a5733153a7e624f569913f6c6e9
|
||||
uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db # Use latest version from https://github.com/marketplace/actions/soos-dast
|
||||
with:
|
||||
client_id: ${{ secrets.SOOS_CLIENT_ID }}
|
||||
api_key: ${{ secrets.SOOS_API_KEY }}
|
||||
|
||||
@@ -0,0 +1,56 @@
|
||||
#This workflow uses actions that are not certified by GitHub.
|
||||
#They are provided by a third party and are governed by
|
||||
#separate terms of service, privacy policy, and support
|
||||
#documentation.
|
||||
|
||||
#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app,
|
||||
#which detects security misconfigurations in IaC templates and publishes the findings
|
||||
#under the code scanning alerts section within the repository.
|
||||
|
||||
#Log into the Zscaler Posture Control(ZPC) Portal to begin the onboarding process.
|
||||
#Copy the client ID and client secret key generated during the onboarding process and configure.
|
||||
#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET).
|
||||
|
||||
#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow.
|
||||
#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation.
|
||||
|
||||
name: Zscaler IaC Scan
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
zscaler-iac-scan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name : Code Checkout
|
||||
uses: actions/checkout@v3
|
||||
- name : Zscaler IAC Scan
|
||||
uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087
|
||||
id : zscaler-iac-scan
|
||||
with:
|
||||
client_id : ${{ secrets.ZSCANNER_CLIENT_ID }}
|
||||
client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }}
|
||||
#This is the user region specified during the onboarding process within the ZPC Admin Portal.
|
||||
region : 'US'
|
||||
iac_dir : #Enter the IaC directory path from root.
|
||||
iac_file : #Enter the IaC file path from root.
|
||||
output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here.
|
||||
#To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true.
|
||||
fail_build : #Enter true/false
|
||||
#Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
|
||||
- name: Upload SARIF file
|
||||
if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}
|
||||
@@ -0,0 +1,61 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
#
|
||||
# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android)
|
||||
# and identifies security, privacy, and compliance-related vulnerabilities.
|
||||
#
|
||||
# Prerequisites:
|
||||
# * An active Zimperium zScan account is required. If you are not an existing Zimperium
|
||||
# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us.
|
||||
# * Either GitHub Advanced Security (GHAS) or a public repository is required to display
|
||||
# issues and view the remediation information inside of GitHub code scanning alerts.
|
||||
#
|
||||
# For additional information and setup instructions
|
||||
# please visit: https://github.com/Zimperium/zScanMarketplace#readme
|
||||
|
||||
name: "Zimperium zScan"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
zscan:
|
||||
name: zScan
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Execute gradle build
|
||||
run: ./gradlew build # Change this to build your mobile application
|
||||
|
||||
- name: Run Zimperium zScan
|
||||
uses: zimperium/zscanmarketplace@bfc6670f6648d796098c251ccefcfdb98983174d
|
||||
timeout-minutes: 60
|
||||
with:
|
||||
# REPLACE: Zimperium Client Environment Name
|
||||
client_env: env_string
|
||||
# REPLACE: Zimperium Client ID
|
||||
client_id: id_string
|
||||
# REPLACE: Zimperium Client Secret
|
||||
client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }}
|
||||
# REPLACE: The path to an .ipa or .apk
|
||||
app_file: app-release-unsigned.apk
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: Zimperium.sarif
|
||||
|
||||
Reference in New Issue
Block a user