From 7a584505f5655db11a8c6f01d1913bc7ab3b0a50 Mon Sep 17 00:00:00 2001 From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com> Date: Thu, 8 Dec 2022 14:41:48 +1300 Subject: [PATCH 01/10] Fixed misspelling of "privileged" --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 0a98861..05cb4b1 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -26,7 +26,7 @@ It is not: - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. -- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. +- [ ] Should specify least privileged [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. **For _CI_ workflows, the workflow:** From 384d799f2c7135d7c1a8c2de7c45c7b829b37c84 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 23 Nov 2022 16:19:36 +0200 Subject: [PATCH 02/10] add Datree --- code-scanning/datree.yml | 44 +++++++++++++++++++ .../properties/datree.properties.json | 7 +++ icons/datree.svg | 1 + 3 files changed, 52 insertions(+) create mode 100644 code-scanning/datree.yml create mode 100644 code-scanning/properties/datree.properties.json create mode 100644 icons/datree.svg diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml new file mode 100644 index 0000000..682ab5d --- /dev/null +++ b/code-scanning/datree.yml @@ -0,0 +1,44 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out your code and scans your desired k8s config files for misconfigurations using the Datree CLI. +# The results are then uploaded to GitHub Security Code Scanning. +# +# For more information and configurations options, see https://github.com/datreeio/action-datree/ + +name: Datree + +on: + push: + branches: [ main ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ main ] + +jobs: + datree: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Run Datree policy check + continue-on-error: true + uses: hadar-co/action-datree@main + env: + # In order to use the Datree action you will need to have a Datree token. + # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. + DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} + with: + # Add the path to the configuration file/s that you would like to test. + # See https://github.com/datreeio/action-datree#usage for all available options. + path: test-file.yaml + # Setting a SARIF output will generate a file named "datree.sarif" containing your test results + cliArguments: "-o sarif" + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: datree.sarif \ No newline at end of file diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json new file mode 100644 index 0000000..99e07a5 --- /dev/null +++ b/code-scanning/properties/datree.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Datree", + "creator": "Datree", + "description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning", + "iconName": "datree", + "categories": ["Code Scanning", "YAML"] +} \ No newline at end of file diff --git a/icons/datree.svg b/icons/datree.svg new file mode 100644 index 0000000..ca986c6 --- /dev/null +++ b/icons/datree.svg @@ -0,0 +1 @@ + \ No newline at end of file From b79ff384b92634dae9948e7acda99c752827710a Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 23 Nov 2022 16:37:43 +0200 Subject: [PATCH 03/10] add Datree --- code-scanning/datree.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index 682ab5d..df301c7 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -12,10 +12,10 @@ name: Datree on: push: - branches: [ main ] + branches: [ $default-branch, $protected-branches ] pull_request: # The branches below must be a subset of the branches above - branches: [ main ] + branches: [ $default-branch ] jobs: datree: From 2fe9028318a16ee399cbb6fc832b30e3486f93b6 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 7 Dec 2022 16:23:25 +0200 Subject: [PATCH 04/10] fix workflow --- code-scanning/datree.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index df301c7..44afd69 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -17,6 +17,9 @@ on: # The branches below must be a subset of the branches above branches: [ $default-branch ] +permissions: + contents: read + jobs: datree: permissions: @@ -27,7 +30,7 @@ jobs: - uses: actions/checkout@v3 - name: Run Datree policy check continue-on-error: true - uses: hadar-co/action-datree@main + uses: datreeio/action-datree@de67ae7a5133d719dc794e1b75682cd4c5f94d8a env: # In order to use the Datree action you will need to have a Datree token. # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. @@ -41,4 +44,4 @@ jobs: - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: datree.sarif \ No newline at end of file + sarif_file: datree.sarif From eaef38b7d53821181be4769ca49cd73b29a1dc95 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 7 Dec 2022 16:24:28 +0200 Subject: [PATCH 05/10] fix workflow --- code-scanning/properties/datree.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json index 99e07a5..b7c695c 100644 --- a/code-scanning/properties/datree.properties.json +++ b/code-scanning/properties/datree.properties.json @@ -4,4 +4,4 @@ "description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning", "iconName": "datree", "categories": ["Code Scanning", "YAML"] -} \ No newline at end of file +} From bf83018c61c4c637421536d74854c789df696c20 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Thu, 8 Dec 2022 09:57:36 +0200 Subject: [PATCH 06/10] Update code-scanning/datree.yml Co-authored-by: Sampark Sharma --- code-scanning/datree.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index 44afd69..2e44682 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -34,7 +34,7 @@ jobs: env: # In order to use the Datree action you will need to have a Datree token. # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. - DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} + DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} with: # Add the path to the configuration file/s that you would like to test. # See https://github.com/datreeio/action-datree#usage for all available options. From 9e27144d52a9ebe6f2660accc372e55385044204 Mon Sep 17 00:00:00 2001 From: Florin Coada Date: Fri, 9 Dec 2022 15:35:44 +0000 Subject: [PATCH 07/10] Add explanation on which value to use to scan Kotlin and TypeScript Added comments explaining which values should be used if the user would like to scan Kotlin or TypeScript. --- code-scanning/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 3f0ecfb..002e424 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -34,6 +34,8 @@ jobs: matrix: language: [ $detected-codeql-languages ] # CodeQL supports [ $supported-codeql-languages ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: From 5f790e392edb9bda28c53cb73e24c08e22aac844 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Mon, 12 Dec 2022 16:44:33 -0300 Subject: [PATCH 08/10] update soos dast to latest version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 95dfd67..6a5a047 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db # Use latest version from https://github.com/marketplace/actions/soos-dast + uses: soos-io/soos-dast-github-action@3e71b27756f4ed77d7ad3c0ad92afddb47a40e4d # Use latest version from https://github.com/marketplace/actions/soos-dast with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From 89d867e0d8e0e6a099005135a107deee089c5a32 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Tue, 13 Dec 2022 10:30:16 +0000 Subject: [PATCH 09/10] Fix code-scanning filtering for relative paths --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index a320d36..f53d220 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - (workflowProperties.enterprise === true || folder !== 'code-scanning') && + (workflowProperties.enterprise === true || basename(folder) !== 'code-scanning') && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From 1006a379d3e0ef603884037fa614bb831b9387f6 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Tue, 13 Dec 2022 08:40:14 -0300 Subject: [PATCH 10/10] linter --- code-scanning/soos-dast-scan.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 9b4f470..99b9027 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -45,6 +45,4 @@ jobs: - name: Upload SOOS DAST SARIF Report uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: results.sarif - - + sarif_file: results.sarif \ No newline at end of file