From 658980f080dea11eda60ca93a162b99239eebf8e Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Mon, 27 Jun 2022 20:51:38 -0700 Subject: [PATCH 01/44] Add lintr starter workflow --- code-scanning/lintr.yml | 54 ++ .../properties/lintr.properties.json | 6 + icons/lintr.svg | 679 ++++++++++++++++++ 3 files changed, 739 insertions(+) create mode 100644 code-scanning/lintr.yml create mode 100644 code-scanning/properties/lintr.properties.json create mode 100644 icons/lintr.svg diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml new file mode 100644 index 0000000..74a3b21 --- /dev/null +++ b/code-scanning/lintr.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# lintr provides static code analysis for R. +# It checks for adherence to a given style, +# identifying syntax errors and possible semantic issues, +# then reports them to you so you can take action. +# More details at https://lintr.r-lib.org/ + +name: lintr + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + lintr: + name: Run lintr scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup R + uses: r-lib/actions/setup-r@4e1feaf90520ec1215d1882fdddfe3411c08e492 + + - name: Setup lintr + uses: r-lib/actions/setup-r-dependencies@4e1feaf90520ec1215d1882fdddfe3411c08e492 + with: + extra-packages: lintr + + - name: Run lintr + run: lintr::sarif_output(lintr::lint_dir("."), "lintr-results.sarif") + shell: Rscript {0} + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: lintr-results.sarif + wait-for-processing: true diff --git a/code-scanning/properties/lintr.properties.json b/code-scanning/properties/lintr.properties.json new file mode 100644 index 0000000..07e9741 --- /dev/null +++ b/code-scanning/properties/lintr.properties.json @@ -0,0 +1,6 @@ +{ + "name": "lintr", + "description": "lintr provides static code analysis for R.", + "iconName": "lintr", + "categories": [ "Code Scanning", "R" ] +} \ No newline at end of file diff --git a/icons/lintr.svg b/icons/lintr.svg new file mode 100644 index 0000000..cdc40d8 --- /dev/null +++ b/icons/lintr.svg @@ -0,0 +1,679 @@ + + + + + + + + + + From 67805723f0bf3c53f17eaaea77e9cfd44d6a2417 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 00:59:05 +0000 Subject: [PATCH 02/44] update --- ci/generic-generator-ossf-slsa3-publish.yml | 63 +++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 ci/generic-generator-ossf-slsa3-publish.yml diff --git a/ci/generic-generator-ossf-slsa3-publish.yml b/ci/generic-generator-ossf-slsa3-publish.yml new file mode 100644 index 0000000..f843fd1 --- /dev/null +++ b/ci/generic-generator-ossf-slsa3-publish.yml @@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps +# that were performed to generate the final binary. +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA generic generator +on: + workflow_dispatch: + release: + types: [created] + +permissions: read-all + +jobs: + build: + outputs: + digests: ${{ steps.hash.outputs.digests }} + + steps: + # ======================================================== + # + # Step 1: Build your artifacts. + # + # ======================================================== + - name: Build artifacts + run: | + # These are some amazing artifacts. + echo "artifact1" > artifact1 + echo "artifact2" > artifact2 + + # ======================================================== + # + # Step 2: Add a step to generate the provenance subjects + # as shown below. Update the sha256 sum arguments + # to include all binaries that you generate + # provenance for. + # + # ======================================================== + - name: Generate subject + id: hash + run: | + set -euo pipefail + + echo "::set-output name=digests::$(sha256sum artifact1 artifact2 | base64 -w0)" + + provenance: + needs: [build] + permissions: + actions: read + id-token: write + contents: read + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0 + with: + base64-subjects: "${{ needs.build.outputs.digests }}" + upload-assets: true # Optional: Upload to a new release \ No newline at end of file From 0f26631ba6e9900520c570d1153140b812a9e870 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 01:04:52 +0000 Subject: [PATCH 03/44] update --- ...h.yml => generator-generic-ossf-slsa3-publish.yml} | 0 ...nerator-generic-ossf-slsa3-publish.properties.json | 7 +++++++ icons/generator-generic-ossf-slsa3-publish.svg | 11 +++++++++++ 3 files changed, 18 insertions(+) rename ci/{generic-generator-ossf-slsa3-publish.yml => generator-generic-ossf-slsa3-publish.yml} (100%) create mode 100644 ci/properties/generator-generic-ossf-slsa3-publish.properties.json create mode 100644 icons/generator-generic-ossf-slsa3-publish.svg diff --git a/ci/generic-generator-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml similarity index 100% rename from ci/generic-generator-ossf-slsa3-publish.yml rename to ci/generator-generic-ossf-slsa3-publish.yml diff --git a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json new file mode 100644 index 0000000..2861c3f --- /dev/null +++ b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SLSA Generic generator", + "creator": "Open Source Security Foundation (OpenSSF)", + "description": "Generate SLSA3 provenance for your existing release workflows", + "iconName": "go-ossf-slsa3-publish", + "categories": ["Continuous integration"] +} diff --git a/icons/generator-generic-ossf-slsa3-publish.svg b/icons/generator-generic-ossf-slsa3-publish.svg new file mode 100644 index 0000000..ea77468 --- /dev/null +++ b/icons/generator-generic-ossf-slsa3-publish.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + From c81201dd621f7167106925fcbb2db17b6381d430 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 01:06:11 +0000 Subject: [PATCH 04/44] update --- ci/generator-generic-ossf-slsa3-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index f843fd1..e37a3f3 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -60,4 +60,4 @@ jobs: uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0 with: base64-subjects: "${{ needs.build.outputs.digests }}" - upload-assets: true # Optional: Upload to a new release \ No newline at end of file + upload-assets: true # Optional: Upload to a new release From 19e6b35e8432c1d2915cbc9d86b12e4fcb0d1838 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 01:14:33 +0000 Subject: [PATCH 05/44] update --- ci/generator-generic-ossf-slsa3-publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index e37a3f3..eae7431 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -21,6 +21,7 @@ permissions: read-all jobs: build: + runs-on: ubuntu-latest outputs: digests: ${{ steps.hash.outputs.digests }} From 026c540730dd5bafad6c468af4cb2176bd0327cb Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 01:21:35 +0000 Subject: [PATCH 06/44] update --- ci/generator-generic-ossf-slsa3-publish.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index eae7431..54c110e 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -55,9 +55,9 @@ jobs: provenance: needs: [build] permissions: - actions: read - id-token: write - contents: read + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0 with: base64-subjects: "${{ needs.build.outputs.digests }}" From 30f1eecad156ad2196177709d0d2fe8f20eb8e78 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 19 Jul 2022 15:55:40 +0000 Subject: [PATCH 07/44] update --- ci/generator-generic-ossf-slsa3-publish.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index 54c110e..feadcf2 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -3,10 +3,10 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow lets you compile your Go project using a SLSA3 compliant builder. -# This workflow will generate a so-called "provenance" file describing the steps +# This workflow lets you compile your Go project using a SLSA3 compliant builder +# This workflow will generate a so-called "provenance" file describing the steps # that were performed to generate the final binary. -# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# The project is an initiative of the OpenSSF (openssf.org) and is developed at # https://github.com/slsa-framework/slsa-github-generator. # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. # For more information about SLSA and how it improves the supply-chain, visit slsa.dev. @@ -26,11 +26,13 @@ jobs: digests: ${{ steps.hash.outputs.digests }} steps: + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3 + # ======================================================== # # Step 1: Build your artifacts. # - # ======================================================== + # ======================================================== - name: Build artifacts run: | # These are some amazing artifacts. From aec987bfb55cb1003ba043fdd1a67426eba751e3 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 1 Aug 2022 15:00:08 +0000 Subject: [PATCH 08/44] comments --- ci/generator-generic-ossf-slsa3-publish.yml | 12 +++++++----- ...erator-generic-ossf-slsa3-publish.properties.json | 4 ++-- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index feadcf2..c8a3544 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -3,9 +3,8 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow lets you compile your Go project using a SLSA3 compliant builder -# This workflow will generate a so-called "provenance" file describing the steps -# that were performed to generate the final binary. +# This workflow lets you generate SLSA provenance file for your project. +# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements # The project is an initiative of the OpenSSF (openssf.org) and is developed at # https://github.com/slsa-framework/slsa-github-generator. # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. @@ -26,7 +25,7 @@ jobs: digests: ${{ steps.hash.outputs.digests }} steps: - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3 + uses: actions/checkout@v3 # ======================================================== # @@ -52,7 +51,10 @@ jobs: run: | set -euo pipefail - echo "::set-output name=digests::$(sha256sum artifact1 artifact2 | base64 -w0)" + # List the artifacts the provenance will refer to. + files=$(ls artifact*) + # Generate the subjects (base64 encoded). + echo "::set-output name=digests::$(sha256sum $files | base64 -w0)" provenance: needs: [build] diff --git a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json index 2861c3f..32cf63d 100644 --- a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json +++ b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json @@ -2,6 +2,6 @@ "name": "SLSA Generic generator", "creator": "Open Source Security Foundation (OpenSSF)", "description": "Generate SLSA3 provenance for your existing release workflows", - "iconName": "go-ossf-slsa3-publish", - "categories": ["Continuous integration"] + "iconName": "generator-generic-ossf-slsa3-publish", + "categories": ["Continuous integration", "Go", "Elixir", "Erlang", "PHP", "Haskell", "Rust", "Java", "Scala", "Gradle", "Maven", "Python", "C", "C++", "TypeScript", "JavaScript", "npm", "Ruby", "HTML", "Composer", "Makefile", "Ada"] } From 6f7030b18ad1da672b55b9ca4f6ec1abed29f7ed Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 11 Aug 2022 13:32:01 +0000 Subject: [PATCH 09/44] update --- ci/generator-generic-ossf-slsa3-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml index c8a3544..a249449 100644 --- a/ci/generator-generic-ossf-slsa3-publish.yml +++ b/ci/generator-generic-ossf-slsa3-publish.yml @@ -25,7 +25,7 @@ jobs: digests: ${{ steps.hash.outputs.digests }} steps: - uses: actions/checkout@v3 + - uses: actions/checkout@v3 # ======================================================== # From 2f880ea2a2c40752e91d1e0c645d3e997fef9397 Mon Sep 17 00:00:00 2001 From: omerzi Date: Sun, 28 Aug 2022 16:07:58 +0300 Subject: [PATCH 10/44] Update Frogbot permissions and Tag --- code-scanning/frogbot-scan-and-fix.yml | 3 ++- code-scanning/frogbot-scan-pr.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 56725f5..a4b1c89 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -18,6 +18,7 @@ on: permissions: contents: write pull-requests: write + security-events: write jobs: create-fix-pull-requests: runs-on: ubuntu-latest @@ -40,7 +41,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416 + - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index bdc71b4..ec19d61 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@de3d42bf3a454ddf156632ae520a5ead49048416 + - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) From a4af1b700b74cf840fba5cbc9502a1a3eb6a43c1 Mon Sep 17 00:00:00 2001 From: Austen Stone Date: Tue, 30 Aug 2022 10:13:31 -0400 Subject: [PATCH 11/44] branches --- .github/workflows/sync-ghes.yaml | 3 +-- code-scanning/frogbot-scan-and-fix.yml | 6 +----- deployments/alibabacloud.yml | 3 +-- deployments/aws.yml | 3 +-- deployments/azure-container-webapp.yml | 3 +-- deployments/azure-kubernetes-service-helm.yml | 3 +-- deployments/azure-kubernetes-service-kompose.yml | 3 +-- deployments/azure-kubernetes-service-kustomize.yml | 3 +-- deployments/azure-kubernetes-service.yml | 3 +-- deployments/azure-staticwebapp.yml | 6 ++---- deployments/azure-webapps-dotnet-core.yml | 3 +-- deployments/azure-webapps-java-jar.yml | 3 +-- deployments/azure-webapps-node.yml | 3 +-- deployments/azure-webapps-php.yml | 3 +-- deployments/azure-webapps-python.yml | 3 +-- deployments/google-cloudrun-docker.yml | 3 +-- deployments/google-cloudrun-source.yml | 3 +-- deployments/google.yml | 3 +-- deployments/ibm.yml | 3 +-- deployments/tencent.yml | 3 +-- deployments/terraform.yml | 3 +-- 21 files changed, 22 insertions(+), 47 deletions(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index aba7780..c8b83c9 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -2,8 +2,7 @@ name: Sync workflows for GHES on: push: - branches: - - main + branches: [ $default-branch ] jobs: sync: diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 56725f5..4829c8f 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -10,11 +10,7 @@ name: "Frogbot Scan and Fix" on: push: - branches: - # The scanning and creation of pull requests with fixes are triggered by pushing code to one of the these branches. - # You can edit the list of branches you wish to open fix pull requests on. - - "main" - - "master" + branches: [ $default-branch ] permissions: contents: write pull-requests: write diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index d7c27d9..9853b75 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -21,8 +21,7 @@ name: Build and Deploy to ACK on: push: - branches: - - $default-branch + branches: [ $default-branch ] # Environment variables available to all jobs and steps in this workflow. env: diff --git a/deployments/aws.yml b/deployments/aws.yml index 47253bf..9585844 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -28,8 +28,7 @@ name: Deploy to Amazon ECS on: push: - branches: - - $default-branch + branches: [ $default-branch ] env: AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 8b69065..cc2e1dd 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -31,8 +31,7 @@ env: on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: permissions: diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index a6a2f4e..83a9163 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -34,8 +34,7 @@ name: Build and deploy an app to AKS with Helm on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 60fe536..0e76365 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -33,8 +33,7 @@ name: Build and deploy an app to AKS with Kompose on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index d46cadb..1a89f3c 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -33,8 +33,7 @@ name: Build and deploy an app to AKS with Kustomize on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index d04a2ac..3e49419 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -29,8 +29,7 @@ name: Build and deploy an app to AKS on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index a40ecc2..8fe07ce 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -14,12 +14,10 @@ name: Deploy web app to Azure Static Web Apps on: push: - branches: - - $default-branch + branches: [ $default-branch ] pull_request: types: [opened, synchronize, reopened, closed] - branches: - - $default-branch + branches: [ $default-branch ] # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 0b59686..9b21895 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -26,8 +26,7 @@ env: on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: permissions: diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 6e3df8d..60fa68c 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -26,8 +26,7 @@ env: on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: permissions: diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 1480c92..98e72c2 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -19,8 +19,7 @@ on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 98e8dc7..4d08dbd 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -21,8 +21,7 @@ name: Build and deploy PHP app to Azure Web App on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: env: diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 50f4823..d7aa802 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -25,8 +25,7 @@ env: on: push: - branches: - - $default-branch + branches: [ $default-branch ] workflow_dispatch: permissions: diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml index b8d0511..bd748f8 100644 --- a/deployments/google-cloudrun-docker.yml +++ b/deployments/google-cloudrun-docker.yml @@ -46,8 +46,7 @@ name: Build and Deploy to Cloud Run on: push: - branches: - - $default-branch + branches: [ $default-branch ] env: PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml index 2916b45..e6fcb52 100644 --- a/deployments/google-cloudrun-source.yml +++ b/deployments/google-cloudrun-source.yml @@ -48,8 +48,7 @@ name: Deploy to Cloud Run from Source on: push: - branches: - - $default-branch + branches: [ $default-branch ] env: PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id diff --git a/deployments/google.yml b/deployments/google.yml index 6150672..846452a 100644 --- a/deployments/google.yml +++ b/deployments/google.yml @@ -14,8 +14,7 @@ name: Build and Deploy to GKE on: push: - branches: - - $default-branch + branches: [ $default-branch ] env: PROJECT_ID: ${{ secrets.GKE_PROJECT }} diff --git a/deployments/ibm.yml b/deployments/ibm.yml index cb3080f..53a58c5 100644 --- a/deployments/ibm.yml +++ b/deployments/ibm.yml @@ -10,8 +10,7 @@ name: Build and Deploy to IKS on: push: - branches: - - $default-branch + branches: [ $default-branch ] # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 4e9e9f6..ba65fe5 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -17,8 +17,7 @@ name: Tencent Kubernetes Engine on: push: - branches: - - $default-branch + branches: [ $default-branch ] # Environment variables available to all jobs and steps in this workflow env: diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 53efe48..c06f685 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -46,8 +46,7 @@ name: 'Terraform' on: push: - branches: - - $default-branch + branches: [ $default-branch ] pull_request: permissions: From 2333616c7db48c45158cb0fa7eb2491a04cb3c59 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Thu, 8 Sep 2022 09:37:44 -0500 Subject: [PATCH 12/44] Upgraded scorecard action to v2.0.0 - Upgraded scorecard action to v2.0.0 https://github.com/ossf/scorecard-action/commit/13ec8c77e8a5dae7e0a0d47bde3e3004df15d34f Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index e4f1d0f..38db68f 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -17,7 +17,7 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write - # Used to receive a badge. (Upcoming feature) + # Used to receive a badge. id-token: write # Needs for private repositories. contents: read @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # tag=v1.1.1 + uses: ossf/scorecard-action@13ec8c77e8a5dae7e0a0d47bde3e3004df15d34f # tag=v2.0.0 with: results_file: results.sarif results_format: sarif From f539d4746910e16daa46883aa5e5c9f1295aa13e Mon Sep 17 00:00:00 2001 From: David Losert Date: Fri, 9 Sep 2022 17:57:59 +0200 Subject: [PATCH 13/44] Adds Node 18 and removes Node 12 --- ci/node.js.yml | 2 +- ci/npm-grunt.yml | 2 +- ci/npm-gulp.yml | 2 +- ci/webpack.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ci/node.js.yml b/ci/node.js.yml index 87ef0d8..a89108d 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -16,7 +16,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index eda97e1..e39ddbf 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] steps: - uses: actions/checkout@v3 diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index 504f22e..7606dea 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] steps: - uses: actions/checkout@v3 diff --git a/ci/webpack.yml b/ci/webpack.yml index 6449fe7..0bc6406 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: - node-version: [12.x, 14.x, 16.x] + node-version: [14.x, 16.x, 18.x] steps: - uses: actions/checkout@v3 From 2426779103b940fa2d7d571c75be0c06171f04e6 Mon Sep 17 00:00:00 2001 From: Eric Allard <106756852+SOOS-EAllard@users.noreply.github.com> Date: Fri, 9 Sep 2022 15:00:01 -0400 Subject: [PATCH 14/44] Updated old instructions to add more detail --- code-scanning/soos-dast-scan.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index cf3b1b7..9b58e90 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -3,13 +3,18 @@ # separate terms of service, privacy policy, and support # documentation. # -# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/ +# SOOS is the easy-to-integrate and affordable software security solution for your whole team. +# Learn more at https://soos.io/ # -# To use this action you need to fill the following requirements: +# To use this action, perform the following steps: # -# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product). +# 1. Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA and DAST products. # -# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload) +# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here. +# +# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. +# +# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token. # name: "SOOS DAST Scan" From 1a784af20d0eddd7900eb9f63678660cc7e546b8 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 13 Sep 2022 17:54:12 +0530 Subject: [PATCH 15/44] Update settings.json --- script/sync-ghes/settings.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 9648ab4..31574dc 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,13 +2,17 @@ "folders": [ "../../ci", "../../automation", - "../../code-scanning" + "../../code-scanning", + "../../pages" ], "enabledActions": [ "actions/checkout", + "actions/configure-pages", "actions/create-release", "actions/delete-package-versions", + "actions/deploy-pages", "actions/download-artifact", + "actions/jekyll-build-pages", "actions/setup-dotnet", "actions/setup-go", "actions/setup-java", @@ -16,6 +20,7 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", + "actions/upload-pages-artifact". "actions/upload-release-asset", "github/codeql-action" ], From e5cdae6f10e23d66ee6189deeb636921904ae535 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 13 Sep 2022 17:56:10 +0530 Subject: [PATCH 16/44] Update settings.json --- script/sync-ghes/settings.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 31574dc..ff4857b 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -20,7 +20,7 @@ "actions/stale", "actions/starter-workflows", "actions/upload-artifact", - "actions/upload-pages-artifact". + "actions/upload-pages-artifact", "actions/upload-release-asset", "github/codeql-action" ], From cf9b6844331ef5bb238a1103f9f9d8c0434d6eb3 Mon Sep 17 00:00:00 2001 From: A-Katopodis Date: Tue, 13 Sep 2022 13:14:35 -0500 Subject: [PATCH 17/44] Updated powershell to v1.1 commit --- code-scanning/powershell.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index 1d72a9b..d78a126 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -31,7 +31,7 @@ jobs: - uses: actions/checkout@v3 - name: Run PSScriptAnalyzer - uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061 + uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f with: # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. From 6763818232c8e655fbd26b92701537c5e6ecd9a5 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 11:52:08 +0530 Subject: [PATCH 18/44] Update sync-ghes.yaml --- .github/workflows/sync-ghes.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index c8b83c9..5e949bb 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -3,6 +3,7 @@ name: Sync workflows for GHES on: push: branches: [ $default-branch ] + workflow_dispatch: jobs: sync: From 864be6fc0f793382b5679b75a7b1f3ac7aaf7193 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 12:16:25 +0530 Subject: [PATCH 19/44] Add actions/cache to list of enabledActions --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index ff4857b..fe80c8a 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -6,6 +6,7 @@ "../../pages" ], "enabledActions": [ + "actions/cache", "actions/checkout", "actions/configure-pages", "actions/create-release", From 723f3e411d8038c90af3237d9fa76a4aad305ee5 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 12:18:02 +0530 Subject: [PATCH 20/44] Revert "Adding manual trigger to sync ghes script" --- .github/workflows/sync-ghes.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index 5e949bb..c8b83c9 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -3,7 +3,6 @@ name: Sync workflows for GHES on: push: branches: [ $default-branch ] - workflow_dispatch: jobs: sync: From 94ce275060ff31c5184c38b15269be673cb9deb0 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 15:55:59 +0530 Subject: [PATCH 21/44] Add setup-python to list of enabledActions for ghes --- script/sync-ghes/settings.json | 1 + 1 file changed, 1 insertion(+) diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index fe80c8a..41d6bcd 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -18,6 +18,7 @@ "actions/setup-go", "actions/setup-java", "actions/setup-node", + "actions/setup-python", "actions/stale", "actions/starter-workflows", "actions/upload-artifact", From 96389955e3b06980ccd373faec93c7e88bafe10c Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 14 Sep 2022 16:53:35 +0530 Subject: [PATCH 22/44] Update pull_request_template.md --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 9b6c10f..0a98861 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -41,7 +41,7 @@ It is not: - [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning). - [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows: - [ ] `name`: Name of the Code Scanning integration. - - [ ] `organization`: Name of the organization producing the Code Scanning integration. + - [ ] `creator`: Name of the organization/user producing the Code Scanning integration. - [ ] `description`: Short description of the Code Scanning integration. - [ ] `categories`: Array of languages supported by the Code Scanning integration. - [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons). From 81fe53796f8c719d680381815cbfd359119a8460 Mon Sep 17 00:00:00 2001 From: Azeem Shaikh Date: Wed, 14 Sep 2022 09:37:06 -0400 Subject: [PATCH 23/44] Update to scorecard-action:v2.0.3 Includes bug fixes --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 38db68f..8ca5094 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@13ec8c77e8a5dae7e0a0d47bde3e3004df15d34f # tag=v2.0.0 + uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3 with: results_file: results.sarif results_format: sarif From 568b096f39f842303134c2e9bc694f1298cd2b5f Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Wed, 14 Sep 2022 18:17:28 -0400 Subject: [PATCH 24/44] add actions: read to any job using upload-sarif --- code-scanning/apisec-scan.yml | 1 + code-scanning/brakeman.yml | 1 + code-scanning/checkmarx.yml | 1 + code-scanning/clj-holmes.yml | 1 + code-scanning/clj-watson.yml | 1 + code-scanning/codacy.yml | 1 + code-scanning/codescan.yml | 1 + code-scanning/contrast-scan.yml | 1 + code-scanning/eslint.yml | 1 + code-scanning/hadolint.yml | 2 +- code-scanning/lintr.yml | 1 + code-scanning/mobsf.yml | 1 + code-scanning/msvc.yml | 1 + code-scanning/njsscan.yml | 1 + code-scanning/ossar.yml | 1 + code-scanning/phpmd.yml | 1 + code-scanning/pmd.yml | 1 + code-scanning/powershell.yml | 1 + code-scanning/prisma.yml | 1 + code-scanning/puppet-lint.yml | 1 + code-scanning/rust-clippy.yml | 1 + code-scanning/semgrep.yml | 1 + code-scanning/snyk-container.yml | 1 + code-scanning/snyk-infrastructure.yml | 1 + code-scanning/sobelow.yml | 1 + code-scanning/sysdig-scan.yml | 1 + code-scanning/trivy.yml | 1 + code-scanning/veracode.yml | 1 + code-scanning/xanitizer.yml | 1 + 29 files changed, 29 insertions(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 5a9b751..a2dfbd2 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -49,6 +49,7 @@ jobs: Trigger APIsec scan: permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index b04cabf..957343c 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Brakeman Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index e060654..9bdb136 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,6 +29,7 @@ jobs: issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 3cfde14..4487e23 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -24,6 +24,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml index 2e4ab3c..76903a9 100644 --- a/code-scanning/clj-watson.yml +++ b/code-scanning/clj-watson.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index b74e449..7b705bd 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Codacy Security Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 92707b1..a9f1053 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout repository diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 61ffd7a..4e4deb7 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout security-events: write # for github/codeql-action/upload-sarif + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # check out project steps: diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 9067a7d..54b01c8 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 2f554e4..3153652 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 74a3b21..350df19 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 6d2bfb8..1013749 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -21,6 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 863fbcb..e8dac88 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Analyze runs-on: windows-latest diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8c359b8..d766a6f 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: njsscan code scanning steps: diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index cbef5a2..2bd91dd 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: windows-latest steps: diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 91f4b2d..d10ace1 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -34,6 +34,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index a1e32c4..8115116 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -21,6 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index d78a126..02e5de7 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: PSScriptAnalyzer runs-on: ubuntu-latest steps: diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 6f2031b..1a12b86 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index d41b65b..50b86db 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index e9c426a..c5f10ee 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index fae9885..b10a930 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 0fbbf87..a232c53 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index a685323..3ca1035 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 21cb6e7..7d38c77 100644 --- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f075a80..f9b61b9 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -24,6 +24,7 @@ jobs: checks: write # for sysdiglabs/scan-action to publish the checks contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 63be947..f56d9e5 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -22,6 +22,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build runs-on: "ubuntu-18.04" steps: diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index b8a5b37..89d35df 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 3462eaa..5724a97 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -51,6 +51,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: From cb341b59ed903d36aedd3012de4d5c1f58af194c Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Fri, 16 Sep 2022 09:25:07 +0200 Subject: [PATCH 25/44] Update CodeQL to include category by default Code Scanning can accept multiple uploads for the same tool and uses the concept of category to keep results separated. If not provided explicitly, the category is computed based on a few parameters like workflow path and matrix variables. The implicit computation of the category can create confusion if users change their workflow, as we start considering the new analyses as unrelated to existing results. By making the category explicit in the workflow we hope to make the concept more prominent and reduce accidental changes. --- code-scanning/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index a113b59..00ffcdb 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -70,3 +70,5 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" From cd26daf9c2098b73c9c0640acd9b27c3e34e1d44 Mon Sep 17 00:00:00 2001 From: Yoann Chaudet Date: Fri, 16 Sep 2022 15:05:57 -0700 Subject: [PATCH 26/44] Clear name conflict --- ci/{jekyll.yml => jekyll-docker.yml} | 0 .../{jekyll.properties.json => jekyll-docker.properties.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename ci/{jekyll.yml => jekyll-docker.yml} (100%) rename ci/properties/{jekyll.properties.json => jekyll-docker.properties.json} (100%) diff --git a/ci/jekyll.yml b/ci/jekyll-docker.yml similarity index 100% rename from ci/jekyll.yml rename to ci/jekyll-docker.yml diff --git a/ci/properties/jekyll.properties.json b/ci/properties/jekyll-docker.properties.json similarity index 100% rename from ci/properties/jekyll.properties.json rename to ci/properties/jekyll-docker.properties.json From 4bb0cbfc9e46a125e1b0b39b77dd808cfee89fba Mon Sep 17 00:00:00 2001 From: Chris Patterson Date: Tue, 20 Sep 2022 10:25:45 +0530 Subject: [PATCH 27/44] Enable caching by default for docker builds. --- ci/docker-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index e88539d..41253c1 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -78,6 +78,9 @@ jobs: push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker From e7e1dc203701c85e902a1122ed62af132af1c7bf Mon Sep 17 00:00:00 2001 From: omerzi Date: Tue, 20 Sep 2022 16:36:24 +0300 Subject: [PATCH 28/44] Update Frogbot's version --- code-scanning/frogbot-scan-and-fix.yml | 2 +- code-scanning/frogbot-scan-pr.yml | 2 +- starter-workflows.iml | 9 +++++++++ 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 starter-workflows.iml diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 6dd4b0e..0089f10 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -37,7 +37,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab + - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index ec19d61..bd1a9c2 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab + - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) diff --git a/starter-workflows.iml b/starter-workflows.iml new file mode 100644 index 0000000..8021953 --- /dev/null +++ b/starter-workflows.iml @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file From bdee68f5716734c91c3783c2d70bd246abb23cc2 Mon Sep 17 00:00:00 2001 From: omerzi Date: Tue, 20 Sep 2022 16:39:01 +0300 Subject: [PATCH 29/44] Update JFrog Frogbot's Version --- starter-workflows.iml | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 starter-workflows.iml diff --git a/starter-workflows.iml b/starter-workflows.iml deleted file mode 100644 index 8021953..0000000 --- a/starter-workflows.iml +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - \ No newline at end of file From a50f9361bc1283eb5191ada8a0878319ecd8919e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Tue, 20 Sep 2022 20:02:09 +0300 Subject: [PATCH 30/44] chore: upgrade cosign-installer version to latest MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index e88539d..d07a3f8 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 + uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 with: - cosign-release: 'v1.9.0' + cosign-release: 'v1.11.0' # Workaround: https://github.com/docker/build-push-action/issues/461 From 6b52b98767046e01d8c0543b30767b8214b85be4 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 12:46:14 +0100 Subject: [PATCH 31/44] Hide ESLint on GHES --- code-scanning/properties/eslint.properties.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json index a84646a..2a1271f 100644 --- a/code-scanning/properties/eslint.properties.json +++ b/code-scanning/properties/eslint.properties.json @@ -2,10 +2,11 @@ "name": "ESLint", "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.", "iconName": "eslint", + "enterprise": false, "categories": [ "Code Scanning", "JavaScript", "EcmaScript", "TypeScript" ] -} \ No newline at end of file +} From 23737db30608c6a9c4175971df3a2d451278b955 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 15:45:41 +0100 Subject: [PATCH 32/44] Make enterprise opt-in instead of opt-out --- code-scanning/properties/codeql.properties.json | 1 + script/sync-ghes/index.ts | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index ddb4627..8ee80b4 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,6 +1,7 @@ { "name": "CodeQL Analysis", "creator": "GitHub", + "enterprise": true, "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"] diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 608e73d..a816109 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - workflowProperties.enterprise !== false && + workflowProperties.enterprise === true && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From d75ca7ac2e1a53eb04fc809ac8affdf2cded060d Mon Sep 17 00:00:00 2001 From: Nick Fyson Date: Wed, 21 Sep 2022 16:04:36 +0100 Subject: [PATCH 33/44] fix trigger for ghes sync --- .github/workflows/sync-ghes.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index 5e949bb..26d2665 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -2,7 +2,7 @@ name: Sync workflows for GHES on: push: - branches: [ $default-branch ] + branches: [ main ] workflow_dispatch: jobs: From da2e9558af199abdd3140a07fde272cfdd257831 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Wed, 21 Sep 2022 16:00:40 +0100 Subject: [PATCH 34/44] Only use enterprise check for code-scanning folder --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index a816109..a320d36 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - workflowProperties.enterprise === true && + (workflowProperties.enterprise === true || folder !== 'code-scanning') && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From e1512d3916167a26724d2861a9953390eb1ae2f7 Mon Sep 17 00:00:00 2001 From: mthibeau73 Date: Wed, 21 Sep 2022 14:04:45 -0500 Subject: [PATCH 35/44] Add Zimperium zScan starter workflow --- .../properties/zscan.properties.json | 14 +++++ code-scanning/zscan.yml | 61 +++++++++++++++++++ icons/zscan.svg | 11 ++++ 3 files changed, 86 insertions(+) create mode 100644 code-scanning/properties/zscan.properties.json create mode 100644 code-scanning/zscan.yml create mode 100644 icons/zscan.svg diff --git a/code-scanning/properties/zscan.properties.json b/code-scanning/properties/zscan.properties.json new file mode 100644 index 0000000..18c96d7 --- /dev/null +++ b/code-scanning/properties/zscan.properties.json @@ -0,0 +1,14 @@ +{ + "name": "zScan", + "creator": "Zimperium", + "description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ​", + "iconName": "zScan", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C" + ] +} diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml new file mode 100644 index 0000000..1ac6bbd --- /dev/null +++ b/code-scanning/zscan.yml @@ -0,0 +1,61 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) +# and identifies security, privacy, and compliance-related vulnerabilities. ​ +# +# Prerequisites: ​ +# * An active Zimperium zScan account is required. If you are not an existing Zimperium +# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us. +# * Either GitHub Advanced Security (GHAS) or a public repository is required to display +# issues and view the remediation information inside of GitHub code scanning alerts. ​ +# +# For additional information and setup instructions +# please visit: https://github.com/Zimperium/zScanMarketplace#readme + +name: "Zimperium zScan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + zscan: + name: zScan + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Execute gradle build + run: ./gradlew build # Change this to build your mobile application + + - name: Run Zimperium zScan + uses: zimperium/zscanmarketplace@bfc6670f6648d796098c251ccefcfdb98983174d + timeout-minutes: 60 + with: + # REPLACE: Zimperium Client Environment Name + client_env: env_string + # REPLACE: Zimperium Client ID + client_id: id_string + # REPLACE: Zimperium Client Secret + client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }} + # REPLACE: The path to an .ipa or .apk + app_file: app-release-unsigned.apk + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: Zimperium.sarif + \ No newline at end of file diff --git a/icons/zscan.svg b/icons/zscan.svg new file mode 100644 index 0000000..1dff416 --- /dev/null +++ b/icons/zscan.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + From 13ad0bf0aef432c6577fcff3afcf10a492f2e907 Mon Sep 17 00:00:00 2001 From: mthibeau73 Date: Fri, 23 Sep 2022 10:32:47 -0500 Subject: [PATCH 36/44] lowercase iconName in properties file --- code-scanning/properties/zscan.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/zscan.properties.json b/code-scanning/properties/zscan.properties.json index 18c96d7..6b55756 100644 --- a/code-scanning/properties/zscan.properties.json +++ b/code-scanning/properties/zscan.properties.json @@ -2,7 +2,7 @@ "name": "zScan", "creator": "Zimperium", "description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ​", - "iconName": "zScan", + "iconName": "zscan", "categories": [ "Code Scanning", "Java", From aa0375afbf5108c17eb280bc8e9045aa57c2e78c Mon Sep 17 00:00:00 2001 From: Gabriela Gutierrez Date: Fri, 23 Sep 2022 18:04:56 -0300 Subject: [PATCH 37/44] Remove trailing whitespaces --- code-scanning/scorecards.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 8ca5094..31a4fa1 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -22,7 +22,7 @@ jobs: # Needs for private repositories. contents: read actions: read - + steps: - name: "Checkout code" uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 @@ -41,8 +41,8 @@ jobs: # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Publish the results for public repositories to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, regardless + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless # of the value entered here. publish_results: true @@ -54,7 +54,7 @@ jobs: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 From 5f2c1d104d691cc446a7c525b53476b9c4d5b333 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Sep 2022 13:32:49 +0000 Subject: [PATCH 38/44] Bump actions/stale from 5 to 6 Bumps [actions/stale](https://github.com/actions/stale) from 5 to 6. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index c319ce1..002f30d 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v5 + - uses: actions/stale@v6 with: stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.' stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.' From 022ac9babb7d92b4ea5775cb0385fcc4101d2ad4 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Fri, 23 Sep 2022 08:51:24 -0400 Subject: [PATCH 39/44] Update Anchore Grype scan action workflow --- code-scanning/anchore.yml | 19 ++++++++++--------- .../properties/anchore-syft.properties.json | 2 +- .../properties/anchore.properties.json | 8 ++++---- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index a3d2eed..818fb70 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -9,7 +9,7 @@ # and parameters, see https://github.com/anchore/scan-action. For more # information on Anchore's container image scanning tool Grype, see # https://github.com/anchore/grype -name: Anchore Container Scan +name: Anchore Grype vulnerability scan on: push: @@ -28,20 +28,21 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - name: Checkout the code + - name: Check out the code uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled - uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd + - name: Run the Anchore Grype scan action + uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 + id: scan with: image: "localbuild/testimage:latest" - acs-report-enable: true - fail-build: false - - name: Upload Anchore Scan Report + fail-build: true + severity-cutoff: critical + - name: Upload vulnerability report uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: results.sarif + sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/code-scanning/properties/anchore-syft.properties.json b/code-scanning/properties/anchore-syft.properties.json index 815f8b2..aa4cb1e 100644 --- a/code-scanning/properties/anchore-syft.properties.json +++ b/code-scanning/properties/anchore-syft.properties.json @@ -1,6 +1,6 @@ { "name": "Anchore Syft SBOM Scan", - "organization": "Anchore", + "creator": "Anchore", "description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.", "iconName": "anchore", "categories": ["Code Scanning", "dockerfile", "dependency-management"] diff --git a/code-scanning/properties/anchore.properties.json b/code-scanning/properties/anchore.properties.json index d997da4..94634dd 100644 --- a/code-scanning/properties/anchore.properties.json +++ b/code-scanning/properties/anchore.properties.json @@ -1,7 +1,7 @@ { - "name": "Anchore Container Scan", - "creator": "Indeni Cloudrail", - "description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.", + "name": "Anchore Grype Vulnerability Scan", + "creator": "Anchore", + "description": "Produce source and container vulnerability reports based on Anchore's open source Grype tool.", "iconName": "anchore", "categories": ["Code Scanning", "dockerfile"] -} \ No newline at end of file +} From 13ccf721fe833f11f32c6602733406915a5ed7f6 Mon Sep 17 00:00:00 2001 From: Keegan Saunders Date: Tue, 28 Jun 2022 22:02:19 -0400 Subject: [PATCH 40/44] Add NowSecure Mobile SBOM starter workflow --- code-scanning/nowsecure-mobile-sbom.yml | 55 +++++++++++++++++++ .../nowsecure-mobile-sbom.properties.json | 21 +++++++ 2 files changed, 76 insertions(+) create mode 100644 code-scanning/nowsecure-mobile-sbom.yml create mode 100644 code-scanning/properties/nowsecure-mobile-sbom.properties.json diff --git a/code-scanning/nowsecure-mobile-sbom.yml b/code-scanning/nowsecure-mobile-sbom.yml new file mode 100644 index 0000000..b9cf039 --- /dev/null +++ b/code-scanning/nowsecure-mobile-sbom.yml @@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# NowSecure: The Mobile Security Experts . +# +# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer, +# you can find it in NowSecure Platform. +# +# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access: +# . +# +# Instructions: +# +# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and +# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit +# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub". +# +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Dependency graph" tab in the "Insights" pane once the action has run. + +name: "NowSecure Mobile SBOM" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + nowsecure: + name: NowSecure Mobile SBOM + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build your application + run: ./gradlew assembleDebug # Update this to build your Android or iOS application + + - name: NowSecure upload app + uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c + with: + token: ${{ secrets.NS_TOKEN }} + app_file: app-debug.apk # Update this to a path to your .ipa or .apk + group_id: {{ groupId }} # Update this to your desired Platform group ID diff --git a/code-scanning/properties/nowsecure-mobile-sbom.properties.json b/code-scanning/properties/nowsecure-mobile-sbom.properties.json new file mode 100644 index 0000000..32a7964 --- /dev/null +++ b/code-scanning/properties/nowsecure-mobile-sbom.properties.json @@ -0,0 +1,21 @@ +{ + "name": "NowSecure Mobile SBOM", + "creator": "NowSecure", + "description": "Generate a Mobile SBOM for an application and submit to Dependency Graph", + "iconName": "nowsecure", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C", + "C", + "C++", + "C#", + "Rust", + "JavaScript", + "TypeScript", + "Node" + ] +} From 3c68ea5b08cbdafc0df46651c977b6d07b94d2e8 Mon Sep 17 00:00:00 2001 From: Ivan <98037481+IvanZosimov@users.noreply.github.com> Date: Fri, 30 Sep 2022 10:32:25 +0200 Subject: [PATCH 41/44] Update dotnet-desktop.yml to use setup-dotnet@v3 --- ci/dotnet-desktop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index bd2cb2e..fd82a39 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -69,7 +69,7 @@ jobs: # Install the .NET Core workload - name: Install .NET Core - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@v3 with: dotnet-version: 6.0.x From 94301453103b54c82be6c73f03dbbb377e95241d Mon Sep 17 00:00:00 2001 From: Ivan <98037481+IvanZosimov@users.noreply.github.com> Date: Fri, 30 Sep 2022 10:33:07 +0200 Subject: [PATCH 42/44] Update dotnet.yml to use setup-dotnet@v3 --- ci/dotnet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/dotnet.yml b/ci/dotnet.yml index a8eccab..7465e23 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Setup .NET - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@v3 with: dotnet-version: 6.0.x - name: Restore dependencies From c4a90daee92b84b29c81d86edf855a258363f5d3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 30 Sep 2022 12:29:54 +0000 Subject: [PATCH 43/44] Bump @actions/core from 1.2.6 to 1.9.1 in /script/validate-data Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.2.6 to 1.9.1. - [Release notes](https://github.com/actions/toolkit/releases) - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) --- updated-dependencies: - dependency-name: "@actions/core" dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- script/validate-data/package-lock.json | 64 +++++++++++++++++++++++--- script/validate-data/package.json | 2 +- 2 files changed, 58 insertions(+), 8 deletions(-) diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json index e660b6a..358c661 100644 --- a/script/validate-data/package-lock.json +++ b/script/validate-data/package-lock.json @@ -9,7 +9,7 @@ "version": "1.0.0", "license": "MIT", "dependencies": { - "@actions/core": "^1.2.6", + "@actions/core": "^1.9.1", "js-yaml": "^3.13.1", "jsonschema": "^1.2.6" }, @@ -21,9 +21,21 @@ } }, "node_modules/@actions/core": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", - "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz", + "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==", + "dependencies": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "node_modules/@actions/http-client": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz", + "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==", + "dependencies": { + "tunnel": "^0.0.6" + } }, "node_modules/@types/js-yaml": { "version": "3.12.4", @@ -153,6 +165,14 @@ "typescript": ">=2.7" } }, + "node_modules/tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==", + "engines": { + "node": ">=0.6.11 <=0.7.0 || >=0.7.3" + } + }, "node_modules/typescript": { "version": "3.9.2", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", @@ -166,6 +186,14 @@ "node": ">=4.2.0" } }, + "node_modules/uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", + "bin": { + "uuid": "dist/bin/uuid" + } + }, "node_modules/yn": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", @@ -178,9 +206,21 @@ }, "dependencies": { "@actions/core": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", - "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz", + "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==", + "requires": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "@actions/http-client": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz", + "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==", + "requires": { + "tunnel": "^0.0.6" + } }, "@types/js-yaml": { "version": "3.12.4", @@ -279,12 +319,22 @@ "yn": "3.1.1" } }, + "tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" + }, "typescript": { "version": "3.9.2", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==", "dev": true }, + "uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==" + }, "yn": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", diff --git a/script/validate-data/package.json b/script/validate-data/package.json index e6403ee..6811f19 100644 --- a/script/validate-data/package.json +++ b/script/validate-data/package.json @@ -14,7 +14,7 @@ "typescript": "^3.9.2" }, "dependencies": { - "@actions/core": "^1.2.6", + "@actions/core": "^1.9.1", "js-yaml": "^3.13.1", "jsonschema": "^1.2.6" } From eaf0ed4a08ebf0cf7b2ef7ac29c1f18f0d5bf084 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Oct 2022 14:19:44 +0000 Subject: [PATCH 44/44] Bump pozil/auto-assign-issue from 1.10.0 to 1.10.1 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.10.0 to 1.10.1. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.10.0...v1.10.1) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index 0cb9345..98f071a 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.10.0 + uses: pozil/auto-assign-issue@v1.10.1 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1