diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 752dd99..9b6c10f 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -26,7 +26,7 @@ It is not:
- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests").
- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification.
-- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
+- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
**For _CI_ workflows, the workflow:**
@@ -38,7 +38,7 @@ It is not:
**For _Code Scanning_ workflows, the workflow:**
-- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci).
+- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning).
- [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows:
- [ ] `name`: Name of the Code Scanning integration.
- [ ] `organization`: Name of the organization producing the Code Scanning integration.
diff --git a/automation/greetings.yml b/automation/greetings.yml
index 18ba13f..4677434 100644
--- a/automation/greetings.yml
+++ b/automation/greetings.yml
@@ -12,5 +12,5 @@ jobs:
- uses: actions/first-interaction@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- issue-message: 'Message that will be displayed on users first issue'
- pr-message: 'Message that will be displayed on users first pull request'
+ issue-message: "Message that will be displayed on users' first issue"
+ pr-message: "Message that will be displayed on users' first pull request"
diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
index 6f52d5d..a3d2eed 100644
--- a/code-scanning/anchore.yml
+++ b/code-scanning/anchore.yml
@@ -28,6 +28,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout the code
@@ -39,6 +40,7 @@ jobs:
with:
image: "localbuild/testimage:latest"
acs-report-enable: true
+ fail-build: false
- name: Upload Anchore Scan Report
uses: github/codeql-action/upload-sarif@v2
with:
diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml
index 0e72a00..8966511 100644
--- a/code-scanning/dependency-review.yml
+++ b/code-scanning/dependency-review.yml
@@ -1,6 +1,6 @@
# Dependency Review Action
#
-# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
diff --git a/code-scanning/properties/pyre.properties.json b/code-scanning/properties/pyre.properties.json
new file mode 100644
index 0000000..bc12321
--- /dev/null
+++ b/code-scanning/properties/pyre.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Pyre",
+ "creator": "Meta",
+ "description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providing instantaneous feedback to developers as they write code.",
+ "iconName": "pyre",
+ "categories": ["Code Scanning", "Python"]
+}
diff --git a/code-scanning/properties/soos-dast-scan.properties.json b/code-scanning/properties/soos-dast-scan.properties.json
new file mode 100644
index 0000000..6ef5121
--- /dev/null
+++ b/code-scanning/properties/soos-dast-scan.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SOOS DAST Scan",
+ "creator": "SOOS",
+ "description": "SOOS DAST is the easy-to-integrate no-limit web vulnerability scanner. Integrate SOOS DAST with your CI pipeline to find vulnerabilities by scanning a web app or APIs.",
+ "iconName": "soos",
+ "categories": ["Code Scanning"]
+}
\ No newline at end of file
diff --git a/code-scanning/pyre.yml b/code-scanning/pyre.yml
new file mode 100644
index 0000000..3c32e8b
--- /dev/null
+++ b/code-scanning/pyre.yml
@@ -0,0 +1,46 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Pyre with GitHub's
+# Code Scanning feature.
+#
+# Pyre is a performant type checker for Python compliant with
+# PEP 484. Pyre can analyze codebases with millions of lines
+# of code incrementally – providing instantaneous feedback
+# to developers as they write code.
+#
+# See https://pyre-check.org
+
+name: Pyre
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+
+permissions:
+ contents: read
+
+jobs:
+ pyre:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ submodules: true
+
+ - name: Run Pyre
+ uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d
+ with:
+ # To customize these inputs:
+ # See https://github.com/facebook/pyre-action#inputs
+ repo-directory: './'
+ requirements-path: 'requirements.txt'
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml
index a6bde3a..539794d 100644
--- a/code-scanning/scorecards.yml
+++ b/code-scanning/scorecards.yml
@@ -17,9 +17,12 @@ jobs:
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
- actions: read
+ # Used to receive a badge. (Upcoming feature)
+ id-token: write
+ # Needs for private repositories.
contents: read
-
+ actions: read
+
steps:
- name: "Checkout code"
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
@@ -27,27 +30,31 @@ jobs:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
+ uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.1.1
with:
results_file: results.sarif
results_format: sarif
- # Read-only PAT token. To create it,
- # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
- repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
- # Publish the results to enable scorecard badges. For more details, see
- # https://github.com/ossf/scorecard-action#publishing-results.
- # For private repositories, `publish_results` will automatically be set to `false`,
- # regardless of the value entered here.
+ # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+ # Publish the results for public repositories to enable scorecard badges. For more details, see
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # of the value entered here.
publish_results: true
- # Upload the results as artifacts (optional).
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
with:
name: SARIF file
path: results.sarif
retention-days: 5
-
+
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml
new file mode 100644
index 0000000..47f6c48
--- /dev/null
+++ b/code-scanning/soos-dast-scan.yml
@@ -0,0 +1,41 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/
+#
+# To use this action you need to fill the following requirements:
+#
+# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product).
+#
+# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload)
+#
+
+name: "SOOS DAST Scan"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+
+jobs:
+ soos:
+ permissions:
+ security-events: write # for uploading code scanning alert info
+ name: SOOS DAST Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Run SOOS DAST Scan
+ uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6
+ with:
+ client_id: ${{ secrets.SOOS_CLIENT_ID }}
+ api_key: ${{ secrets.SOOS_API_KEY }}
+ project_name: ${{ github.repository }} # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository
+ scan_mode: "baseline"
+ target_url: "https://www.example.com/"
+ sarif: true # Only set to true if you want to upload the SARIF report to Github
+ gpat: ${{ secrets.SOOS_GITHUB_PAT }}
+
+
diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml
index 510abcd..a6a2f4e 100644
--- a/deployments/azure-kubernetes-service-helm.yml
+++ b/deployments/azure-kubernetes-service-helm.yml
@@ -120,6 +120,9 @@ jobs:
runs-on: ubuntu-latest
needs: [buildImage, createSecret]
steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
# Logs in with your Azure credentials
- name: Azure login
uses: azure/login@v1.4.3
diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml
index 0cf23ba..60fe536 100644
--- a/deployments/azure-kubernetes-service-kompose.yml
+++ b/deployments/azure-kubernetes-service-kompose.yml
@@ -31,6 +31,12 @@
name: Build and deploy an app to AKS with Kompose
+on:
+ push:
+ branches:
+ - $default-branch
+ workflow_dispatch:
+
env:
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
CONTAINER_NAME: "your-container-name"
@@ -148,4 +154,4 @@ jobs:
images: |
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
\ No newline at end of file
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml
index 14469db..d46cadb 100644
--- a/deployments/azure-kubernetes-service-kustomize.yml
+++ b/deployments/azure-kubernetes-service-kustomize.yml
@@ -74,9 +74,6 @@ jobs:
id-token: write
runs-on: ubuntu-latest
steps:
- # Checks out the repository this file is in
- - uses: actions/checkout@v3
-
# Logs in with your Azure credentials
- name: Azure login
uses: azure/login@v1.4.3
diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml
index becfede..a40ecc2 100644
--- a/deployments/azure-staticwebapp.yml
+++ b/deployments/azure-staticwebapp.yml
@@ -28,8 +28,14 @@ env:
APP_ARTIFACT_LOCATION: "build" # location of client code build output
AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app
+permissions:
+ contents: read
+
jobs:
build_and_deploy_job:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs
if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
runs-on: ubuntu-latest
name: Build and Deploy Job
@@ -52,6 +58,8 @@ jobs:
###### End of Repository/Build Configurations ######
close_pull_request_job:
+ permissions:
+ contents: none
if: github.event_name == 'pull_request' && github.event.action == 'closed'
runs-on: ubuntu-latest
name: Close Pull Request Job
diff --git a/icons/pyre.svg b/icons/pyre.svg
new file mode 100644
index 0000000..2af14c0
--- /dev/null
+++ b/icons/pyre.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/soos.svg b/icons/soos.svg
new file mode 100644
index 0000000..17a31fc
--- /dev/null
+++ b/icons/soos.svg
@@ -0,0 +1,17 @@
+
+
+