From 81fe53796f8c719d680381815cbfd359119a8460 Mon Sep 17 00:00:00 2001 From: Azeem Shaikh Date: Wed, 14 Sep 2022 09:37:06 -0400 Subject: [PATCH 1/3] Update to scorecard-action:v2.0.3 Includes bug fixes --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 38db68f..8ca5094 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@13ec8c77e8a5dae7e0a0d47bde3e3004df15d34f # tag=v2.0.0 + uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3 with: results_file: results.sarif results_format: sarif From 568b096f39f842303134c2e9bc694f1298cd2b5f Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Wed, 14 Sep 2022 18:17:28 -0400 Subject: [PATCH 2/3] add actions: read to any job using upload-sarif --- code-scanning/apisec-scan.yml | 1 + code-scanning/brakeman.yml | 1 + code-scanning/checkmarx.yml | 1 + code-scanning/clj-holmes.yml | 1 + code-scanning/clj-watson.yml | 1 + code-scanning/codacy.yml | 1 + code-scanning/codescan.yml | 1 + code-scanning/contrast-scan.yml | 1 + code-scanning/eslint.yml | 1 + code-scanning/hadolint.yml | 2 +- code-scanning/lintr.yml | 1 + code-scanning/mobsf.yml | 1 + code-scanning/msvc.yml | 1 + code-scanning/njsscan.yml | 1 + code-scanning/ossar.yml | 1 + code-scanning/phpmd.yml | 1 + code-scanning/pmd.yml | 1 + code-scanning/powershell.yml | 1 + code-scanning/prisma.yml | 1 + code-scanning/puppet-lint.yml | 1 + code-scanning/rust-clippy.yml | 1 + code-scanning/semgrep.yml | 1 + code-scanning/snyk-container.yml | 1 + code-scanning/snyk-infrastructure.yml | 1 + code-scanning/sobelow.yml | 1 + code-scanning/sysdig-scan.yml | 1 + code-scanning/trivy.yml | 1 + code-scanning/veracode.yml | 1 + code-scanning/xanitizer.yml | 1 + 29 files changed, 29 insertions(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 5a9b751..a2dfbd2 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -49,6 +49,7 @@ jobs: Trigger APIsec scan: permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index b04cabf..957343c 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Brakeman Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index e060654..9bdb136 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,6 +29,7 @@ jobs: issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 3cfde14..4487e23 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -24,6 +24,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml index 2e4ab3c..76903a9 100644 --- a/code-scanning/clj-watson.yml +++ b/code-scanning/clj-watson.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index b74e449..7b705bd 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Codacy Security Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 92707b1..a9f1053 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout repository diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 61ffd7a..4e4deb7 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout security-events: write # for github/codeql-action/upload-sarif + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # check out project steps: diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 9067a7d..54b01c8 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 2f554e4..3153652 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 74a3b21..350df19 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 6d2bfb8..1013749 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -21,6 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 863fbcb..e8dac88 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Analyze runs-on: windows-latest diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8c359b8..d766a6f 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: njsscan code scanning steps: diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index cbef5a2..2bd91dd 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: windows-latest steps: diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 91f4b2d..d10ace1 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -34,6 +34,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index a1e32c4..8115116 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -21,6 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index d78a126..02e5de7 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: PSScriptAnalyzer runs-on: ubuntu-latest steps: diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 6f2031b..1a12b86 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index d41b65b..50b86db 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index e9c426a..c5f10ee 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index fae9885..b10a930 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 0fbbf87..a232c53 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -30,6 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index a685323..3ca1035 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -29,6 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 21cb6e7..7d38c77 100644 --- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f075a80..f9b61b9 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -24,6 +24,7 @@ jobs: checks: write # for sysdiglabs/scan-action to publish the checks contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 63be947..f56d9e5 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -22,6 +22,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build runs-on: "ubuntu-18.04" steps: diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index b8a5b37..89d35df 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 3462eaa..5724a97 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -51,6 +51,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: From cb341b59ed903d36aedd3012de4d5c1f58af194c Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Fri, 16 Sep 2022 09:25:07 +0200 Subject: [PATCH 3/3] Update CodeQL to include category by default Code Scanning can accept multiple uploads for the same tool and uses the concept of category to keep results separated. If not provided explicitly, the category is computed based on a few parameters like workflow path and matrix variables. The implicit computation of the category can create confusion if users change their workflow, as we start considering the new analyses as unrelated to existing results. By making the category explicit in the workflow we hope to make the concept more prominent and reduce accidental changes. --- code-scanning/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index a113b59..00ffcdb 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -70,3 +70,5 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}"