From 900a0204646df69c0d0d535eab4c8ef5a151abc6 Mon Sep 17 00:00:00 2001 From: fredster33 <64927044+fredster33@users.noreply.github.com> Date: Fri, 13 Aug 2021 17:09:48 -0700 Subject: [PATCH 01/22] Fix typo --- automation/greetings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index ee1cb11..fed28b7 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: 'Message that will be displayed on users first issue' - pr-message: 'Message that will be displayed on users first pull request' + issue-message: 'Message that will be displayed on users' first issue' + pr-message: 'Message that will be displayed on users' first pull request' From 5d03c86e2615ba04a2dcb4ec2ed2cd659eecdb98 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 4 Feb 2022 10:42:13 +0530 Subject: [PATCH 02/22] Added token permission for deployments/azure-staticwebapp.yml --- deployments/azure-staticwebapp.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index 8e1faf7..5430f04 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -28,8 +28,14 @@ env: APP_ARTIFACT_LOCATION: "build" # location of client code build output AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app +permissions: + contents: read + jobs: build_and_deploy_job: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') runs-on: ubuntu-latest name: Build and Deploy Job @@ -52,6 +58,8 @@ jobs: ###### End of Repository/Build Configurations ###### close_pull_request_job: + permissions: + contents: none if: github.event_name == 'pull_request' && github.event.action == 'closed' runs-on: ubuntu-latest name: Close Pull Request Job From 1100f4c7e825065833089b4f25cb045226bf4bbc Mon Sep 17 00:00:00 2001 From: fredster33 Date: Sat, 14 May 2022 07:24:17 -0700 Subject: [PATCH 03/22] Escape to pass tests --- automation/greetings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index 1138ea8..562838f 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: 'Message that will be displayed on users' first issue' - pr-message: 'Message that will be displayed on users' first pull request' + issue-message: 'Message that will be displayed on users\' first issue' + pr-message: 'Message that will be displayed on users\' first pull request' From a3f4ca426faa51fdc07d753951ef8aa85bfb635a Mon Sep 17 00:00:00 2001 From: Federico Builes Date: Mon, 16 May 2022 13:44:34 -0700 Subject: [PATCH 04/22] Fixing typo in dependency-review-action. --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 0e72a00..8966511 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -1,6 +1,6 @@ # Dependency Review Action # -# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement From bed5e488cf5db12055b60ea905d8f90c59ea3c56 Mon Sep 17 00:00:00 2001 From: Edward <14011954+0xedward@users.noreply.github.com> Date: Mon, 16 May 2022 18:28:59 -0400 Subject: [PATCH 05/22] Fix link to `code-scanning` directory Changed https://github.com/actions/starter-workflows/tree/main/ci to https://github.com/actions/starter-workflows/tree/main/code-scanning --- .github/pull_request_template.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 752dd99..9b6c10f 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -26,7 +26,7 @@ It is not: - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. -- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. +- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. **For _CI_ workflows, the workflow:** @@ -38,7 +38,7 @@ It is not: **For _Code Scanning_ workflows, the workflow:** -- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci). +- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning). - [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows: - [ ] `name`: Name of the Code Scanning integration. - [ ] `organization`: Name of the organization producing the Code Scanning integration. From fb28da064123bacb1ab14fe88c947dcf1c20aa82 Mon Sep 17 00:00:00 2001 From: fredster33 Date: Fri, 20 May 2022 16:55:27 -0700 Subject: [PATCH 06/22] Fix escaping --- automation/greetings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index 562838f..4677434 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: 'Message that will be displayed on users\' first issue' - pr-message: 'Message that will be displayed on users\' first pull request' + issue-message: "Message that will be displayed on users' first issue" + pr-message: "Message that will be displayed on users' first pull request" From 9f02725cf7ad47bd29fde61950948648c5abe693 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Sat, 21 May 2022 11:13:24 +0530 Subject: [PATCH 07/22] Fix the missing `on` trigger for AKS Kompose --- deployments/azure-kubernetes-service-kompose.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 0cf23ba..60fe536 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -31,6 +31,12 @@ name: Build and deploy an app to AKS with Kompose +on: + push: + branches: + - $default-branch + workflow_dispatch: + env: AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" CONTAINER_NAME: "your-container-name" @@ -148,4 +154,4 @@ jobs: images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + ${{ env.IMAGE_PULL_SECRET_NAME }} From ea7d7777b6893c6401b777663973a51be35b74c4 Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya Date: Mon, 23 May 2022 14:47:39 -0400 Subject: [PATCH 08/22] added checkout step to helm starter workflow --- deployments/azure-kubernetes-service-helm.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 510abcd..a6a2f4e 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -120,6 +120,9 @@ jobs: runs-on: ubuntu-latest needs: [buildImage, createSecret] steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + # Logs in with your Azure credentials - name: Azure login uses: azure/login@v1.4.3 From 2be3a09ccb9a825bd8bfed4d2e67a00fadf21648 Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya Date: Mon, 23 May 2022 14:59:13 -0400 Subject: [PATCH 09/22] removed unnecessary checkout from kustomize create-secret step --- deployments/azure-kubernetes-service-kustomize.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 14469db..d46cadb 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -74,9 +74,6 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - # Logs in with your Azure credentials - name: Azure login uses: azure/login@v1.4.3 From a4fc6b086e1052d83b7b3a6bae14aca6c055d20a Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Tue, 24 May 2022 16:52:04 -0300 Subject: [PATCH 10/22] SOOS DAST starter action submission --- .../properties/soos-dast-scan.properties.json | 8 ++++ code-scanning/soos-dast-scan.yml | 41 +++++++++++++++++++ icons/soos.svg | 17 ++++++++ 3 files changed, 66 insertions(+) create mode 100644 code-scanning/properties/soos-dast-scan.properties.json create mode 100644 code-scanning/soos-dast-scan.yml create mode 100644 icons/soos.svg diff --git a/code-scanning/properties/soos-dast-scan.properties.json b/code-scanning/properties/soos-dast-scan.properties.json new file mode 100644 index 0000000..b2834df --- /dev/null +++ b/code-scanning/properties/soos-dast-scan.properties.json @@ -0,0 +1,8 @@ +{ + "name": "SOOS DAST Scan", + "creator": "SOOS", + "description": "Integrate dynamic application security testing (DAST) and API security testing into your CI pipeline with StackHawk", + "iconName": "soos", + "categories": ["Code Scanning"] + } + \ No newline at end of file diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml new file mode 100644 index 0000000..a16ed9e --- /dev/null +++ b/code-scanning/soos-dast-scan.yml @@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# SOOS is the easy-to-integrate software security solution for your whole team we currently, learn more at https://soos.io/ +# +# To use this action you need to fill the following requirements: +# +# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product). +# +# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload) +# + +name: "SOOS DAST Scan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +jobs: + soos: + permissions: + security-events: write # for uploading code scanning alert info + name: SOOS DAST Scan + runs-on: ubuntu-latest + steps: + - name: Run SOOS DAST Scan + uses: soos-io/soos-dast-github-action@c32a9d22e9af91ccace86aa7e76673b89c6256fd + with: + client_id: ${{ secrets.SOOS_CLIENT_ID }} + api_key: ${{ secrets.SOOS_API_KEY }} + project_name: "DAST-GitHub-Action-Test" # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository + scan_mode: "baseline" + target_url: "https://www.example.com/" + sarif: true # Only set to true if you want to upload the SARIF report to Github + gpat: ${{ secrets.SOOS_GITHUB_PAT }} + + diff --git a/icons/soos.svg b/icons/soos.svg new file mode 100644 index 0000000..17a31fc --- /dev/null +++ b/icons/soos.svg @@ -0,0 +1,17 @@ + + + + + + + + + + + From a80536a617f6eb6cf9f1c398f5f163c24ec03e21 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 May 2022 14:46:58 +0000 Subject: [PATCH 11/22] Scorecard v1.1.0 hash bump --- code-scanning/scorecards.yml | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index a6bde3a..846988e 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -17,37 +17,43 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write + # Used to receive a badge. (Upcoming feature) + id-token: write actions: read contents: read - + steps: - name: "Checkout code" - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4 + uses: ossf/scorecard-action@5c8bc69dc88b65c66584e07611df79d3579b0377 # v1.1.0 with: results_file: results.sarif results_format: sarif - # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, - # regardless of the value entered here. + # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + + # Publish the results for public repositories to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless + # of the value entered here. publish_results: true - # Upload the results as artifacts (optional). + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 From 866ad3b83c8b7a0f0730c2a7ce908c46784c8a74 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 26 May 2022 14:50:13 +0000 Subject: [PATCH 12/22] updates --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 846988e..28fb7f3 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -24,7 +24,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0 with: persist-credentials: false @@ -48,7 +48,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 with: name: SARIF file path: results.sarif From e2e966c9107306a40bf07c880a1259514ccfab66 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Fri, 27 May 2022 09:36:07 -0300 Subject: [PATCH 13/22] couple fixes from review --- code-scanning/properties/soos-dast-scan.properties.json | 5 ++--- code-scanning/soos-dast-scan.yml | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/code-scanning/properties/soos-dast-scan.properties.json b/code-scanning/properties/soos-dast-scan.properties.json index b2834df..6ef5121 100644 --- a/code-scanning/properties/soos-dast-scan.properties.json +++ b/code-scanning/properties/soos-dast-scan.properties.json @@ -1,8 +1,7 @@ { "name": "SOOS DAST Scan", "creator": "SOOS", - "description": "Integrate dynamic application security testing (DAST) and API security testing into your CI pipeline with StackHawk", + "description": "SOOS DAST is the easy-to-integrate no-limit web vulnerability scanner. Integrate SOOS DAST with your CI pipeline to find vulnerabilities by scanning a web app or APIs.", "iconName": "soos", "categories": ["Code Scanning"] - } - \ No newline at end of file +} \ No newline at end of file diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index a16ed9e..75fe9ed 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. # -# SOOS is the easy-to-integrate software security solution for your whole team we currently, learn more at https://soos.io/ +# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/ # # To use this action you need to fill the following requirements: # @@ -32,7 +32,7 @@ jobs: with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} - project_name: "DAST-GitHub-Action-Test" # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository + project_name: ${{ github.repository }} # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository scan_mode: "baseline" target_url: "https://www.example.com/" sarif: true # Only set to true if you want to upload the SARIF report to Github From b9fbda1e7dcc2e8bc9899b02573484620eea0325 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 30 May 2022 14:11:28 +0200 Subject: [PATCH 14/22] Add actions read permission The CodeQL Action requires this permission to collect information of the workflow run. --- code-scanning/anchore.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 6f52d5d..5c19cc3 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # for github/codeql-action/upload-sarif to get Action run status runs-on: ubuntu-latest steps: - name: Checkout the code From 77df908268e8577f2b7955bbc9d27b46a316aae8 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 30 May 2022 14:16:42 +0200 Subject: [PATCH 15/22] Set `fail-build` property to false Whenever a security issue is found the `scan action` fails the build and the step, which causes the workflow to fail before uploading the results to Code Scanning. This change turns the error into a warning. --- code-scanning/anchore.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 6f52d5d..b0e542e 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -39,6 +39,7 @@ jobs: with: image: "localbuild/testimage:latest" acs-report-enable: true + fail-build: false - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v2 with: From 27f5b1e9fdf42fe0686ccb89a2926a08c5ca9abe Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Tue, 31 May 2022 12:28:16 +0200 Subject: [PATCH 16/22] Add descriptive comment The `actions: read` permission is only required when the workflow is executed in a private repository. --- code-scanning/anchore.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 5c19cc3..2753147 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # for github/codeql-action/upload-sarif to get Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository runs-on: ubuntu-latest steps: - name: Checkout the code From 477f6af84e7a702f1832787f81445d0c2bc33010 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Tue, 31 May 2022 14:19:53 +0200 Subject: [PATCH 17/22] Shorten the comment The comment is shortened by removing the URL to the documentation. Co-authored-by: Sampark Sharma --- code-scanning/anchore.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 2753147..4fbc9f0 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout the code From 978c3bbb41242ad164fb5c43b4fdd3353056addc Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 1 Jun 2022 09:15:10 -0700 Subject: [PATCH 18/22] Update scorecards.yml --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 28fb7f3..6135414 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -29,7 +29,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@5c8bc69dc88b65c66584e07611df79d3579b0377 # v1.1.0 + uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.1.1 with: results_file: results.sarif results_format: sarif From 74b6f422559f3c58f4adee47ffbefc98d22548e1 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 1 Jun 2022 10:50:44 -0700 Subject: [PATCH 19/22] Update scorecards.yml --- code-scanning/scorecards.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 6135414..eed834b 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -19,7 +19,6 @@ jobs: security-events: write # Used to receive a badge. (Upcoming feature) id-token: write - actions: read contents: read steps: From 74408a5287eb771031d02d73dbe14ed23ec90a41 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 1 Jun 2022 11:00:27 -0700 Subject: [PATCH 20/22] Update scorecards.yml --- code-scanning/scorecards.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index eed834b..539794d 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -19,7 +19,9 @@ jobs: security-events: write # Used to receive a badge. (Upcoming feature) id-token: write + # Needs for private repositories. contents: read + actions: read steps: - name: "Checkout code" From d33aefde62c5125d69e76f4dfc04aed7a0b28a12 Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez <92373106+SOOS-JAlvarez@users.noreply.github.com> Date: Thu, 2 Jun 2022 12:12:22 -0300 Subject: [PATCH 21/22] updated action version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 75fe9ed..47f6c48 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@c32a9d22e9af91ccace86aa7e76673b89c6256fd + uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From eda5a46a9546396c96ef0e05ad1840c0fbe2e060 Mon Sep 17 00:00:00 2001 From: Edward <14011954+0xedward@users.noreply.github.com> Date: Tue, 17 May 2022 19:00:28 -0400 Subject: [PATCH 22/22] Add Pyre starter workflow --- code-scanning/properties/pyre.properties.json | 7 +++ code-scanning/pyre.yml | 46 +++++++++++++++++++ icons/pyre.svg | 1 + 3 files changed, 54 insertions(+) create mode 100644 code-scanning/properties/pyre.properties.json create mode 100644 code-scanning/pyre.yml create mode 100644 icons/pyre.svg diff --git a/code-scanning/properties/pyre.properties.json b/code-scanning/properties/pyre.properties.json new file mode 100644 index 0000000..bc12321 --- /dev/null +++ b/code-scanning/properties/pyre.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Pyre", + "creator": "Meta", + "description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providing instantaneous feedback to developers as they write code.", + "iconName": "pyre", + "categories": ["Code Scanning", "Python"] +} diff --git a/code-scanning/pyre.yml b/code-scanning/pyre.yml new file mode 100644 index 0000000..3c32e8b --- /dev/null +++ b/code-scanning/pyre.yml @@ -0,0 +1,46 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Pyre with GitHub's +# Code Scanning feature. +# +# Pyre is a performant type checker for Python compliant with +# PEP 484. Pyre can analyze codebases with millions of lines +# of code incrementally – providing instantaneous feedback +# to developers as they write code. +# +# See https://pyre-check.org + +name: Pyre + +on: + workflow_dispatch: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + pyre: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: true + + - name: Run Pyre + uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d + with: + # To customize these inputs: + # See https://github.com/facebook/pyre-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' diff --git a/icons/pyre.svg b/icons/pyre.svg new file mode 100644 index 0000000..2af14c0 --- /dev/null +++ b/icons/pyre.svg @@ -0,0 +1 @@ +Asset 1 \ No newline at end of file