This commit is contained in:
Noah Irwin
2022-06-20 13:03:41 +01:00
7 changed files with 718 additions and 4 deletions
+56
View File
@@ -0,0 +1,56 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# PHPMD is a spin-off project of PHP Depend and
# aims to be a PHP equivalent of the well known Java tool PMD.
# What PHPMD does is: It takes a given PHP source code base
# and look for several potential problems within that source.
# These problems can be things like:
# Possible bugs
# Suboptimal code
# Overcomplicated expressions
# Unused parameters, methods, properties
# More details at https://phpmd.org/
name: PHPMD
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
PHPMD:
name: Run PHPMD scanning
runs-on: ubuntu-latest
permissions:
contents: read # for checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup PHP
uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161
with:
coverage: none
tools: phpmd
- name: Run PHPMD
run: phpmd . sarif codesize --reportfile phpmd-results.sarif
continue-on-error: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: phpmd-results.sarif
wait-for-processing: true
@@ -0,0 +1,6 @@
{
"name": "PHPMD",
"description": "A spin-off project of PHP Depend and aims to be a PHP equivalent of the well known Java tool PMD.",
"iconName": "phpmd",
"categories": [ "Code Scanning", "PHP" ]
}
+8 -4
View File
@@ -24,18 +24,22 @@ jobs:
soos:
permissions:
security-events: write # for uploading code scanning alert info
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: SOOS DAST Scan
runs-on: ubuntu-latest
steps:
- name: Run SOOS DAST Scan
uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6
uses: soos-io/soos-dast-github-action@b524e2cfbc4f4a5733153a7e624f569913f6c6e9
with:
client_id: ${{ secrets.SOOS_CLIENT_ID }}
api_key: ${{ secrets.SOOS_API_KEY }}
project_name: ${{ github.repository }} # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository
project_name: "<YOUR-PROJECT-NAME>"
scan_mode: "baseline"
target_url: "https://www.example.com/"
sarif: true # Only set to true if you want to upload the SARIF report to Github
gpat: ${{ secrets.SOOS_GITHUB_PAT }}
output_format: "sarif"
- name: Upload SOOS DAST SARIF Report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif