From a52cd5a16a7422970cf0d09ddd7489c0abcd1cf3 Mon Sep 17 00:00:00 2001 From: Tristram Oaten Date: Mon, 25 Apr 2022 15:02:37 +0100 Subject: [PATCH 1/4] Update setup-ruby to the latest release The default github action ruby template references this old commit which doesn't have any modern rubies https://github.com/ruby/setup-ruby/commit/473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e The fix is to update the pinned version to the latest release https://github.com/alphagov/forms-api/pull/3/commits/e3c8ad2759088a12ba9f3040d2c47c23799c8455 --- ci/ruby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index 256aa14..7daf2cc 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e + uses: ruby/setup-ruby@e3c8ad2759088a12ba9f3040d2c47c23799c8455 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically From 0ae51b0d1063d99894068034e0f6e7de60e6ec5b Mon Sep 17 00:00:00 2001 From: Tristram Oaten Date: Thu, 28 Apr 2022 10:58:56 +0100 Subject: [PATCH 2/4] fix sha --- ci/ruby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index 7daf2cc..81ea363 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@e3c8ad2759088a12ba9f3040d2c47c23799c8455 + uses: ruby/setup-ruby@2b019609e2b0f1ea1a2bc8ca11cb82ab46ada124 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically From 662e915c0fe85c4d078b6de037bce62ebc69fe96 Mon Sep 17 00:00:00 2001 From: Bar Hofesh Date: Thu, 28 Apr 2022 22:01:20 +0300 Subject: [PATCH 3/4] Add NeuraLegion to starter workflows (#1203) * Added Neuralegion to starter workflows * Using an action * Fixed Indentation :) * Update neuralegion.yml Co-authored-by: Bishal Prasad --- code-scanning/neuralegion.yml | 175 ++++++++++++++++++ .../properties/neuralegion.properties.json | 24 +++ icons/neuralegion.svg | 57 ++++++ 3 files changed, 256 insertions(+) create mode 100644 code-scanning/neuralegion.yml create mode 100644 code-scanning/properties/neuralegion.properties.json create mode 100644 icons/neuralegion.svg diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml new file mode 100644 index 0000000..e24e14a --- /dev/null +++ b/code-scanning/neuralegion.yml @@ -0,0 +1,175 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Run a Nexploit Scan +# This action runs a new security scan in Nexploit, or reruns an existing one. +# Build Secure Apps & APIs. Fast. +# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love. +# Automatically Tests Every Aspect of Your Apps & APIs +# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports +# Seamlessly integrates with the Tools and Workflows You Already Use +# +# NeuraLegion works with your existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing. +# Spin-Up, Configure and Control Scans with Code +# One file. One command. One scan. No UI needed. +# +# Super-Fast Scans +# +# Interacts with applications and APIs, instead of just crawling them and guessing. +# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks. +# +# No False Positives +# +# Stop chasing ghosts and wasting time. NeuraLegion doesn’t return false positives, so you can focus on releasing code. +# +# Comprehensive Security Testing +# +# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities. +# +# More information is available on NeuraLegion’s: +# * [Website](https://www.neuralegion.com/) +# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart) +# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw) +# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+) +# +# Inputs +# +# `name` +# +# **Required**. Scan name. +# +# _Example:_ `name: GitHub scan ${{ github.sha }}` +# +# `api_token` +# +# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens). +# +# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}` +# +# `restart_scan` +# +# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. +# +# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)` +# +# `discovery_types` +# +# **Required**. Array of discovery types. The following types are available: +# * `archive` - uses an uploaded HAR-file for a scan +# * `crawler` - uses a crawler to define the attack surface for a scan +# * `oas` - uses an uploaded OpenAPI schema for a scan
+# If no discovery type is specified, `crawler` is applied by default. +# +# _Example:_ +# +# ```yml +# discovery_types: | +# [ "crawler", "archive" ] +# ``` +# +# `file_id` +# +# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login). +# +# _Example:_ +# +# ``` +# FILE_ID=$(nexploit-cli archive:upload \ +# --token ${{ secrets.NEXPLOIT_TOKEN }} \ +# --discard true \ +# ./example.har) +# ``` +# +# `crawler_urls` +# +# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface. +# +# _Example:_ +# +# ``` +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# ``` +# +# `hosts_filter` +# +# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. +# +# Outputs +# +# `url` +# +# Url of the resulting scan +# +# `id` +# +# ID of the created scan. This ID could then be used to restart the scan, or for the following GitHub actions: +# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues) +# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan) +# +# Example usage +# +# Start a new scan with parameters +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# discovery_types: | +# [ "crawler", "archive" ] +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# file_id: LiYknMYSdbSZbqgMaC9Sj +# hosts_filter: | +# [ ] +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" +# ``` +# +# Restart an existing scan +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" + + +name: "NeuraLegion" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + neuralegion_scan: + runs-on: ubuntu-18.04 + name: A job to run a Nexploit scan + steps: + - uses: actions/checkout@v2 + - name: Start Nexploit Scan 🏁 + id: start + uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe + with: + api_token: ${{ secrets.NEURALEGION_TOKEN }} + name: GitHub scan ${{ github.sha }} + discovery_types: | + [ "crawler" ] + crawler_urls: | + [ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan diff --git a/code-scanning/properties/neuralegion.properties.json b/code-scanning/properties/neuralegion.properties.json new file mode 100644 index 0000000..ee64a52 --- /dev/null +++ b/code-scanning/properties/neuralegion.properties.json @@ -0,0 +1,24 @@ +{ + "name": "NeuraLegion", + "creator": "NeuraLegion", + "description": "Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports", + "iconName": "neuralegion", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} diff --git a/icons/neuralegion.svg b/icons/neuralegion.svg new file mode 100644 index 0000000..0534225 --- /dev/null +++ b/icons/neuralegion.svg @@ -0,0 +1,57 @@ + + + + + + + + + NeuraLegion Logo + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From d09e57c7a386f2c92c1d0d5af960c03c79b02eb0 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Thu, 28 Apr 2022 15:22:57 -0400 Subject: [PATCH 4/4] Adding workflow for sobelow (static analysis tool for the Phoenix framework) (#1528) * Adding sobelow workflow * Removing setup-beam dependency * Updating instructions --- .../properties/sobelow.properties.json | 11 +++++ code-scanning/sobelow.yml | 40 +++++++++++++++++++ icons/sobelow.svg | 20 ++++++++++ 3 files changed, 71 insertions(+) create mode 100644 code-scanning/properties/sobelow.properties.json create mode 100644 code-scanning/sobelow.yml create mode 100644 icons/sobelow.svg diff --git a/code-scanning/properties/sobelow.properties.json b/code-scanning/properties/sobelow.properties.json new file mode 100644 index 0000000..163e866 --- /dev/null +++ b/code-scanning/properties/sobelow.properties.json @@ -0,0 +1,11 @@ +{ + "name": "Sobelow", + "creator": "nccgroup", + "description": "Sobelow is a security-focused static analysis tool for the Phoenix framework.", + "iconName": "sobelow", + "categories": [ + "Code Scanning", + "Elixir" + ] + } + \ No newline at end of file diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml new file mode 100644 index 0000000..21cb6e7 --- /dev/null +++ b/code-scanning/sobelow.yml @@ -0,0 +1,40 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/ +# +# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. +# +# Instructions: +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. +name: Sobelow + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - id: run-action + uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 + - name: Upload report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif diff --git a/icons/sobelow.svg b/icons/sobelow.svg new file mode 100644 index 0000000..4d243ea --- /dev/null +++ b/icons/sobelow.svg @@ -0,0 +1,20 @@ + + + + + + + +