Merge branch 'main' into pysa
This commit is contained in:
@@ -26,7 +26,7 @@ It is not:
|
||||
- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests").
|
||||
- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
|
||||
- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification.
|
||||
- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
|
||||
- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
|
||||
|
||||
**For _CI_ workflows, the workflow:**
|
||||
|
||||
@@ -38,7 +38,7 @@ It is not:
|
||||
|
||||
**For _Code Scanning_ workflows, the workflow:**
|
||||
|
||||
- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci).
|
||||
- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning).
|
||||
- [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows:
|
||||
- [ ] `name`: Name of the Code Scanning integration.
|
||||
- [ ] `organization`: Name of the organization producing the Code Scanning integration.
|
||||
|
||||
@@ -12,5 +12,5 @@ jobs:
|
||||
- uses: actions/first-interaction@v1
|
||||
with:
|
||||
repo-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
issue-message: 'Message that will be displayed on users first issue'
|
||||
pr-message: 'Message that will be displayed on users first pull request'
|
||||
issue-message: "Message that will be displayed on users' first issue"
|
||||
pr-message: "Message that will be displayed on users' first pull request"
|
||||
|
||||
@@ -28,6 +28,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout the code
|
||||
@@ -39,6 +40,7 @@ jobs:
|
||||
with:
|
||||
image: "localbuild/testimage:latest"
|
||||
acs-report-enable: true
|
||||
fail-build: false
|
||||
- name: Upload Anchore Scan Report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Dependency Review Action
|
||||
#
|
||||
# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
|
||||
# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
|
||||
#
|
||||
# Source repository: https://github.com/actions/dependency-review-action
|
||||
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Pyre",
|
||||
"creator": "Meta",
|
||||
"description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providing instantaneous feedback to developers as they write code.",
|
||||
"iconName": "pyre",
|
||||
"categories": ["Code Scanning", "Python"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "SOOS DAST Scan",
|
||||
"creator": "SOOS",
|
||||
"description": "SOOS DAST is the easy-to-integrate no-limit web vulnerability scanner. Integrate SOOS DAST with your CI pipeline to find vulnerabilities by scanning a web app or APIs.",
|
||||
"iconName": "soos",
|
||||
"categories": ["Code Scanning"]
|
||||
}
|
||||
@@ -0,0 +1,46 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow integrates Pyre with GitHub's
|
||||
# Code Scanning feature.
|
||||
#
|
||||
# Pyre is a performant type checker for Python compliant with
|
||||
# PEP 484. Pyre can analyze codebases with millions of lines
|
||||
# of code incrementally – providing instantaneous feedback
|
||||
# to developers as they write code.
|
||||
#
|
||||
# See https://pyre-check.org
|
||||
|
||||
name: Pyre
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
pyre:
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
submodules: true
|
||||
|
||||
- name: Run Pyre
|
||||
uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d
|
||||
with:
|
||||
# To customize these inputs:
|
||||
# See https://github.com/facebook/pyre-action#inputs
|
||||
repo-directory: './'
|
||||
requirements-path: 'requirements.txt'
|
||||
@@ -17,9 +17,12 @@ jobs:
|
||||
permissions:
|
||||
# Needed to upload the results to code-scanning dashboard.
|
||||
security-events: write
|
||||
actions: read
|
||||
# Used to receive a badge. (Upcoming feature)
|
||||
id-token: write
|
||||
# Needs for private repositories.
|
||||
contents: read
|
||||
|
||||
actions: read
|
||||
|
||||
steps:
|
||||
- name: "Checkout code"
|
||||
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
|
||||
@@ -27,27 +30,31 @@ jobs:
|
||||
persist-credentials: false
|
||||
|
||||
- name: "Run analysis"
|
||||
uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
|
||||
uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.1.1
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
# Read-only PAT token. To create it,
|
||||
# follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
|
||||
repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
|
||||
# Publish the results to enable scorecard badges. For more details, see
|
||||
# https://github.com/ossf/scorecard-action#publishing-results.
|
||||
# For private repositories, `publish_results` will automatically be set to `false`,
|
||||
# regardless of the value entered here.
|
||||
# (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
|
||||
# - you want to enable the Branch-Protection check on a *public* repository, or
|
||||
# - you are installing Scorecards on a *private* repository
|
||||
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
|
||||
# repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
|
||||
|
||||
# Publish the results for public repositories to enable scorecard badges. For more details, see
|
||||
# https://github.com/ossf/scorecard-action#publishing-results.
|
||||
# For private repositories, `publish_results` will automatically be set to `false`, regardless
|
||||
# of the value entered here.
|
||||
publish_results: true
|
||||
|
||||
# Upload the results as artifacts (optional).
|
||||
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
|
||||
# format to the repository Actions tab.
|
||||
- name: "Upload artifact"
|
||||
uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
retention-days: 5
|
||||
|
||||
|
||||
# Upload the results to GitHub's code scanning dashboard.
|
||||
- name: "Upload to code-scanning"
|
||||
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
|
||||
|
||||
@@ -0,0 +1,41 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
#
|
||||
# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/
|
||||
#
|
||||
# To use this action you need to fill the following requirements:
|
||||
#
|
||||
# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product).
|
||||
#
|
||||
# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload)
|
||||
#
|
||||
|
||||
name: "SOOS DAST Scan"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
|
||||
jobs:
|
||||
soos:
|
||||
permissions:
|
||||
security-events: write # for uploading code scanning alert info
|
||||
name: SOOS DAST Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Run SOOS DAST Scan
|
||||
uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6
|
||||
with:
|
||||
client_id: ${{ secrets.SOOS_CLIENT_ID }}
|
||||
api_key: ${{ secrets.SOOS_API_KEY }}
|
||||
project_name: ${{ github.repository }} # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository
|
||||
scan_mode: "baseline"
|
||||
target_url: "https://www.example.com/"
|
||||
sarif: true # Only set to true if you want to upload the SARIF report to Github
|
||||
gpat: ${{ secrets.SOOS_GITHUB_PAT }}
|
||||
|
||||
|
||||
@@ -120,6 +120,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [buildImage, createSecret]
|
||||
steps:
|
||||
# Checks out the repository this file is in
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
# Logs in with your Azure credentials
|
||||
- name: Azure login
|
||||
uses: azure/login@v1.4.3
|
||||
|
||||
@@ -31,6 +31,12 @@
|
||||
|
||||
name: Build and deploy an app to AKS with Kompose
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
|
||||
CONTAINER_NAME: "your-container-name"
|
||||
@@ -148,4 +154,4 @@ jobs:
|
||||
images: |
|
||||
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
|
||||
imagepullsecrets: |
|
||||
${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
|
||||
@@ -74,9 +74,6 @@ jobs:
|
||||
id-token: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checks out the repository this file is in
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
# Logs in with your Azure credentials
|
||||
- name: Azure login
|
||||
uses: azure/login@v1.4.3
|
||||
|
||||
@@ -28,8 +28,14 @@ env:
|
||||
APP_ARTIFACT_LOCATION: "build" # location of client code build output
|
||||
AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
build_and_deploy_job:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs
|
||||
if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
|
||||
runs-on: ubuntu-latest
|
||||
name: Build and Deploy Job
|
||||
@@ -52,6 +58,8 @@ jobs:
|
||||
###### End of Repository/Build Configurations ######
|
||||
|
||||
close_pull_request_job:
|
||||
permissions:
|
||||
contents: none
|
||||
if: github.event_name == 'pull_request' && github.event.action == 'closed'
|
||||
runs-on: ubuntu-latest
|
||||
name: Close Pull Request Job
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 82.43 136.01"><defs><style>.cls-1{fill:#543d3b;}.cls-2{fill:url(#linear-gradient);}.cls-3{fill:url(#linear-gradient-2);}</style><linearGradient id="linear-gradient" x1="37.48" y1="110.89" x2="67.2" y2="6.42" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#feb800"/><stop offset="1" stop-color="#ff4300"/></linearGradient><linearGradient id="linear-gradient-2" x1="-4.59" y1="95.33" x2="24.09" y2="-5.5" xlink:href="#linear-gradient"/></defs><title>Asset 1</title><g id="Layer_2" data-name="Layer 2"><g id="Layer_1-2" data-name="Layer 1"><polygon class="cls-1" points="25.77 58.16 0.58 58.16 29.52 97.91 1.79 136.01 26.97 136.01 42.11 115.21 57.24 136.01 82.43 136.01 25.77 58.16"/><path class="cls-2" d="M66,21.63a24.17,24.17,0,0,1-6.82,17.5A5.94,5.94,0,0,1,57.6,38c-9.18-9.8-5.53-38-5.53-38C33.71,21.13,32.63,41,32.63,45.41c-.11,2.7.25,12.19,9.11,24L56.8,90.25l.12-.09C59.34,88.33,97,58.94,66,21.63Z"/><path class="cls-3" d="M22.41,38.65l0-.08a11.26,11.26,0,0,0-2.13-3.73l-.06-.07h0C9.46,21.85,18,9,18,9,4.52,15.63.84,27.17.07,35.51h0C-.72,47.25,3.81,51.38,7.44,52.83a11.92,11.92,0,0,0,4.21.76c5.13-.15,8.26-2.61,9.81-5.24a12.09,12.09,0,0,0,1.11-9.15C22.52,39,22.47,38.83,22.41,38.65Z"/></g></g></svg>
|
||||
|
After Width: | Height: | Size: 1.3 KiB |
@@ -0,0 +1,17 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!-- Generator: Adobe Illustrator 25.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
|
||||
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
|
||||
viewBox="0 0 600 600" style="enable-background:new 0 0 600 600;" xml:space="preserve">
|
||||
<style type="text/css">
|
||||
.st0{fill:#FF2B55;}
|
||||
.st1{fill:#001267;}
|
||||
</style>
|
||||
<g id="Layer_2_1_">
|
||||
<g id="Layer_1-2">
|
||||
<path class="st0" d="M231.4,411.4H48v-34.6h183.4c21.2,0.1,41.2-9.6,54.4-26.1l98.6-123c19.7-24.8,49.7-39.2,81.4-39.1H552v34.6
|
||||
h-86.3c-21.2,0-41.2,9.6-54.4,26.1l-98.6,123C293,397.1,263,411.5,231.4,411.4z"/>
|
||||
<path class="st1" d="M134.3,411.4H48v-34.6h86.3c21.2,0,41.2-9.6,54.4-26.1l98.6-123c19.7-24.8,49.7-39.2,81.4-39.1H552v34.6
|
||||
H368.6c-21.2-0.1-41.2,9.6-54.4,26.1l-98.6,123C195.9,397.1,165.9,411.5,134.3,411.4z"/>
|
||||
</g>
|
||||
</g>
|
||||
</svg>
|
||||
|
After Width: | Height: | Size: 905 B |
Reference in New Issue
Block a user