From e7b6150c5d5e51b08fd12c97dac956e3a2aff175 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Thu, 3 Feb 2022 13:54:14 +0530 Subject: [PATCH 01/22] Added underscore(_) in the name to fix yml errors caused by the empty spaces in the name --- code-scanning/apisec-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 3aa06ca..65a6baf 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -43,7 +43,7 @@ on: jobs: - Trigger APIsec scan: + Trigger_APIsec_scan: runs-on: ubuntu-latest steps: From 2e60d03ab7a47f3c73e7a5a95e75fdc1b2d6893c Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 12:38:39 +0530 Subject: [PATCH 02/22] Zscaler IaC Action Publish --- .../properties/zscaler.properties.json | 7 +++ code-scanning/zscaler.yml | 46 +++++++++++++++++++ icons/zscaler.svg | 3 ++ 3 files changed, 56 insertions(+) create mode 100644 code-scanning/properties/zscaler.properties.json create mode 100644 code-scanning/zscaler.yml create mode 100644 icons/zscaler.svg diff --git a/code-scanning/properties/zscaler.properties.json b/code-scanning/properties/zscaler.properties.json new file mode 100644 index 0000000..784a52b --- /dev/null +++ b/code-scanning/properties/zscaler.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Zscaler IaC Scan", + "creator": "Zscaler CWP Team", + "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", + "iconName": "zscaler", + "categories": ["Code Scanning","HCL"] +} \ No newline at end of file diff --git a/code-scanning/zscaler.yml b/code-scanning/zscaler.yml new file mode 100644 index 0000000..beea601 --- /dev/null +++ b/code-scanning/zscaler.yml @@ -0,0 +1,46 @@ +#This workflow uses actions that are not certified by GitHub. +#They are provided by a third party and are governed by +#separate terms of service, privacy policy, and support +#documentation. + +#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app, +#which detects security misconfigurations in IaC templates and publishes the findings +#under the code scanning alerts section within the repository. + +name: Zscanner IaC Scan +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + zscaler-iac-scan: + runs-on: ubuntu-latest + steps: + - name : Code Checkout + uses: actions/checkout@v2 + - name : Zscaler IAC Scan + uses : ZscalerCWP/Zscaler-IaC-Action@v0.2.0 + id : zscaler-iac-scan + with: + #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. + #Copy the client ID and client secret key generated during the onboarding process and configure. + #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). + client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} + client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} + #This is the user region specified during the onboarding process within the ZWP Admin Portal. + region : 'US' + iac_dir : #Enter the IaC directory path from root. + iac_file : #Enter the IaC file path from root. + output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here. + #To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true. + fail_build : #Enter true/false + #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. + - name: Upload SARIF file + if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file diff --git a/icons/zscaler.svg b/icons/zscaler.svg new file mode 100644 index 0000000..3897442 --- /dev/null +++ b/icons/zscaler.svg @@ -0,0 +1,3 @@ + + + From 5e3bc9a2fd200fc324e4bff09889cc80465d1a08 Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 16:26:19 +0530 Subject: [PATCH 03/22] Update zscaler-iac-scan.yml --- code-scanning/{zscaler.yml => zscaler-iac-scan.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename code-scanning/{zscaler.yml => zscaler-iac-scan.yml} (98%) diff --git a/code-scanning/zscaler.yml b/code-scanning/zscaler-iac-scan.yml similarity index 98% rename from code-scanning/zscaler.yml rename to code-scanning/zscaler-iac-scan.yml index beea601..e23a8d6 100644 --- a/code-scanning/zscaler.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -7,7 +7,7 @@ #which detects security misconfigurations in IaC templates and publishes the findings #under the code scanning alerts section within the repository. -name: Zscanner IaC Scan +name: Zscaler IaC Scan on: push: branches: [ $default-branch, $protected-branches ] From 7a322529a7f2fe483452dad5b1941ca7742216e8 Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 16:29:09 +0530 Subject: [PATCH 04/22] Update zscaler-iac-scan.properties.json --- .../{zscaler.properties.json => zscaler-iac-scan.properties.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename code-scanning/properties/{zscaler.properties.json => zscaler-iac-scan.properties.json} (100%) diff --git a/code-scanning/properties/zscaler.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json similarity index 100% rename from code-scanning/properties/zscaler.properties.json rename to code-scanning/properties/zscaler-iac-scan.properties.json From 3857754fa1839756e86ec089760bb20c7084c895 Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 17:55:47 +0530 Subject: [PATCH 05/22] Update zscaler-iac-scan.properties.json --- code-scanning/properties/zscaler-iac-scan.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/zscaler-iac-scan.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json index 784a52b..b643037 100644 --- a/code-scanning/properties/zscaler-iac-scan.properties.json +++ b/code-scanning/properties/zscaler-iac-scan.properties.json @@ -1,7 +1,7 @@ { "name": "Zscaler IaC Scan", - "creator": "Zscaler CWP Team", + "creator": "Zscaler CWP", "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", "iconName": "zscaler", - "categories": ["Code Scanning","HCL"] + "categories": ["Code Scanning","Security"] } \ No newline at end of file From 74471dae6f1a513f17bdacfdce6fd69145a5271a Mon Sep 17 00:00:00 2001 From: mvecha Date: Tue, 5 Apr 2022 13:21:24 +0530 Subject: [PATCH 06/22] Update zscaler-iac-scan.yml --- code-scanning/zscaler-iac-scan.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index e23a8d6..a8424b7 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -16,14 +16,20 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: zscaler-iac-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name : Code Checkout uses: actions/checkout@v2 - name : Zscaler IAC Scan - uses : ZscalerCWP/Zscaler-IaC-Action@v0.2.0 + uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc id : zscaler-iac-scan with: #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. From 73afccbbd54778fd08596f3fbe386823dcf15901 Mon Sep 17 00:00:00 2001 From: mvecha Date: Thu, 21 Apr 2022 15:20:01 +0530 Subject: [PATCH 07/22] Addressing PR Comments from Community --- .../properties/zscaler-iac-scan.properties.json | 2 +- code-scanning/zscaler-iac-scan.yml | 15 ++++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/code-scanning/properties/zscaler-iac-scan.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json index b643037..274d17a 100644 --- a/code-scanning/properties/zscaler-iac-scan.properties.json +++ b/code-scanning/properties/zscaler-iac-scan.properties.json @@ -3,5 +3,5 @@ "creator": "Zscaler CWP", "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", "iconName": "zscaler", - "categories": ["Code Scanning","Security"] + "categories": ["Code Scanning"] } \ No newline at end of file diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index a8424b7..195bb57 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -7,6 +7,14 @@ #which detects security misconfigurations in IaC templates and publishes the findings #under the code scanning alerts section within the repository. +#Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. +#Copy the client ID and client secret key generated during the onboarding process and configure. +#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). + +#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. +#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues +#for further investigation. + name: Zscaler IaC Scan on: push: @@ -27,14 +35,11 @@ jobs: runs-on: ubuntu-latest steps: - name : Code Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name : Zscaler IAC Scan uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc id : zscaler-iac-scan with: - #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. - #Copy the client ID and client secret key generated during the onboarding process and configure. - #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} #This is the user region specified during the onboarding process within the ZWP Admin Portal. @@ -47,6 +52,6 @@ jobs: #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. - name: Upload SARIF file if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file From cfa93d0eecf7f1b230986ff509814b1ab1ad0ece Mon Sep 17 00:00:00 2001 From: Jeevan Reddy Ragula <90408178+jragula-zs@users.noreply.github.com> Date: Thu, 21 Apr 2022 15:26:09 +0530 Subject: [PATCH 08/22] Update zscaler-iac-scan.yml --- code-scanning/zscaler-iac-scan.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index 195bb57..c6020a5 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -12,8 +12,7 @@ #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). #Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. -#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues -#for further investigation. +#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation. name: Zscaler IaC Scan on: @@ -54,4 +53,4 @@ jobs: if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file + sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} From 1c5c0f7c8a10324929bd35cc2fb63302ca57baef Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Fri, 22 Apr 2022 19:37:39 +0000 Subject: [PATCH 09/22] fix: upgrade @actions/core from 1.2.6 to 1.6.0 Snyk has created this PR to upgrade @actions/core from 1.2.6 to 1.6.0. See this package in npm: https://www.npmjs.com/package/@actions/core See this project in Snyk: https://app.snyk.io/org/cwp-2/project/fd2218da-0d06-448b-be57-a7d3e69b0389?utm_source=github-enterprise&utm_medium=referral&page=upgrade-pr --- script/validate-data/package-lock.json | 24 ++++++++++++++++++++---- script/validate-data/package.json | 2 +- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json index 8839d6a..cf7c70a 100644 --- a/script/validate-data/package-lock.json +++ b/script/validate-data/package-lock.json @@ -1,13 +1,24 @@ { - "name": "sync-ghes-actions", + "name": "validate-data", "version": "1.0.0", "lockfileVersion": 1, "requires": true, "dependencies": { "@actions/core": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", - "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz", + "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==", + "requires": { + "@actions/http-client": "^1.0.11" + } + }, + "@actions/http-client": { + "version": "1.0.11", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz", + "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==", + "requires": { + "tunnel": "0.0.6" + } }, "@types/js-yaml": { "version": "3.12.4", @@ -106,6 +117,11 @@ "yn": "3.1.1" } }, + "tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" + }, "typescript": { "version": "3.9.2", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", diff --git a/script/validate-data/package.json b/script/validate-data/package.json index e6403ee..7936f4e 100644 --- a/script/validate-data/package.json +++ b/script/validate-data/package.json @@ -14,7 +14,7 @@ "typescript": "^3.9.2" }, "dependencies": { - "@actions/core": "^1.2.6", + "@actions/core": "^1.6.0", "js-yaml": "^3.13.1", "jsonschema": "^1.2.6" } From d14e8af6e3b15be640c45ec39df46968b03267a2 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Tue, 30 Aug 2022 21:45:04 +0530 Subject: [PATCH 10/22] Added EthicalCheck Action --- code-scanning/ethicalcheck.yml | 57 +++++++++++++++++++ .../properties/ethicalcheck.properties.json | 24 ++++++++ 2 files changed, 81 insertions(+) create mode 100644 code-scanning/ethicalcheck.yml create mode 100644 code-scanning/properties/ethicalcheck.properties.json diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml new file mode 100644 index 0000000..c089015 --- /dev/null +++ b/code-scanning/ethicalcheck.yml @@ -0,0 +1,57 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# EthicalCheck addresses the critical need to continuously security test APIs in development and in production. + +# EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list. +# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities. + +# You develop the application and API, we bring complete and continuous security testing to you, accelerating development. + +# Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service. + +# How EthicalCheck works? +# EthicalCheck functions in the following simple steps. +# 1. Security Testing. +# Provide your OpenAPI specification or start with a public Postman collection URL. +# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing. +# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc. + +# 2. Reporting. +# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities. +# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging. + + +# This is a starter workflow to help you get started with EthicalCheck Actions + +name: EthicalCheck-Workflow + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the $default-branch branch + # Customize trigger events based on your DevSecOps processes. + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + + +jobs: + Trigger_EthicalCheck: + runs-on: ubuntu-latest + + steps: + - name: EthicalCheck Free & Automated API Security Testing Service + uses: apisec-inc/ethicalcheck-action@latest + with: + # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL. + oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs" + # The email address to which the penetration test report will be sent. + email: "xxx@apisec.ai" \ No newline at end of file diff --git a/code-scanning/properties/ethicalcheck.properties.json b/code-scanning/properties/ethicalcheck.properties.json new file mode 100644 index 0000000..c0949be --- /dev/null +++ b/code-scanning/properties/ethicalcheck.properties.json @@ -0,0 +1,24 @@ +{ + "name": "EthicalCheck", + "creator": "APIsec", + "description": "EthicalCheck addresses the critical need to continuously security test APIs in development and in production. EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list. Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities. You develop the application and API, we bring complete and continuous security testing to you, accelerating development.Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service.", + "iconName": "apisec", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} From 3bc0ad0b1d779b51875217d1f1c70bcdadff9bc3 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Fri, 16 Sep 2022 10:51:50 +0000 Subject: [PATCH 11/22] Add pages templates to validate script --- script/validate-data/settings.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index 852f575..23c4790 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -3,7 +3,8 @@ "../../ci", "../../automation", "../../deployments", - "../../code-scanning" + "../../code-scanning", + "../../pages" ], "allowed_categories": [ { @@ -21,6 +22,10 @@ { "path": "../../code-scanning", "categories": ["Code Scanning", "Dependency review"] + }, + { + "path": "../../pages", + "categories": ["Pages"] } ] } From 95057f2418925de42fda9e1fe02c8a3a0f5f5755 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Mon, 19 Sep 2022 11:45:31 +0000 Subject: [PATCH 12/22] Update logic from unique template name to filename --- script/validate-data/index.ts | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 4bd260d..b903c3f 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -7,7 +7,6 @@ import { endGroup, error, info, setFailed, startGroup } from '@actions/core'; interface WorkflowWithErrors { id: string; - name: string; errors: string[]; } @@ -43,7 +42,7 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] - const workflow_template_names = new Set() + const workflow_template_paths = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { withFileTypes: true, @@ -57,8 +56,8 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); - if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { - workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) + if(workflow_template_paths.size == workflow_template_paths.add(e.name).size) { + workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { result.push(workflowWithErrors) @@ -73,7 +72,6 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, - name: null, errors: [] } try { @@ -82,9 +80,6 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow const propertiesFileContent = await fs.readFile(propertiesPath, "utf8") const properties: WorkflowProperties = JSON.parse(propertiesFileContent) - if(properties.name && properties.name.trim().length > 0) { - workflowErrors.name = properties.name - } let v = new validator(); const res = v.validate(properties, propertiesSchema) workflowErrors.errors = res.errors.map(e => e.toString()) From 1a46538eaab360b6ee9226283a9a03cc4c1b73a9 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 20 Sep 2022 11:43:05 +0000 Subject: [PATCH 13/22] Keep both unique template name and filename logic --- ci/properties/jekyll-docker.properties.json | 2 +- script/validate-data/index.ts | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ci/properties/jekyll-docker.properties.json b/ci/properties/jekyll-docker.properties.json index bbe279c..7c66dba 100644 --- a/ci/properties/jekyll-docker.properties.json +++ b/ci/properties/jekyll-docker.properties.json @@ -1,5 +1,5 @@ { - "name": "Jekyll", + "name": "Jekyll using Docker image", "description": "Package a Jekyll site using the jekyll/builder Docker image.", "iconName": "jekyll", "categories": ["Continuous integration", "HTML"] diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index b903c3f..90f1760 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -7,6 +7,7 @@ import { endGroup, error, info, setFailed, startGroup } from '@actions/core'; interface WorkflowWithErrors { id: string; + name: string; errors: string[]; } @@ -42,6 +43,7 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] + const workflow_template_names = new Set() const workflow_template_paths = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { @@ -56,8 +58,11 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): const propertiesFilePath = join(folder, "properties", `${fileType}.properties.json`) const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); + if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { + workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) + } if(workflow_template_paths.size == workflow_template_paths.add(e.name).size) { - workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) + workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { result.push(workflowWithErrors) @@ -72,6 +77,7 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise { let workflowErrors: WorkflowWithErrors = { id: workflowPath, + name: null, errors: [] } try { @@ -80,6 +86,9 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow const propertiesFileContent = await fs.readFile(propertiesPath, "utf8") const properties: WorkflowProperties = JSON.parse(propertiesFileContent) + if(properties.name && properties.name.trim().length > 0) { + workflowErrors.name = properties.name + } let v = new validator(); const res = v.validate(properties, propertiesSchema) workflowErrors.errors = res.errors.map(e => e.toString()) From af733fded0b315861e891f5aa54cb6ec54fa8d2b Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 20 Sep 2022 12:51:33 +0000 Subject: [PATCH 14/22] Address comments --- script/validate-data/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index 90f1760..abbdfbe 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -44,7 +44,7 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() - const workflow_template_paths = new Set() + const workflow_template_file_names = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { withFileTypes: true, @@ -61,7 +61,7 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } - if(workflow_template_paths.size == workflow_template_paths.add(e.name).size) { + if(workflow_template_file_names.size == workflow_template_file_names.add(e.name).size) { workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { From 6a3b2bbd2ec26fd76e5e1eca8365eedddf483835 Mon Sep 17 00:00:00 2001 From: Nick McCurdy Date: Thu, 22 Sep 2022 10:46:38 -0400 Subject: [PATCH 15/22] Add pages directory to readme --- README.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f39892f..9cf6833 100644 --- a/README.md +++ b/README.md @@ -12,10 +12,11 @@ These are the workflow files for helping people get started with GitHub Actions. ### Directory structure -* [ci](ci): solutions for Continuous Integration workflows. -* [deployments](deployments): solutions for Deployment workflows. -* [automation](automation): solutions for automating workflows. -* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security) +* [ci](ci): solutions for Continuous Integration workflows +* [deployments](deployments): solutions for Deployment workflows +* [automation](automation): solutions for automating workflows +* [code-scanning](code-scanning): solutions for [Code Scanning](https://github.com/features/security) +* [pages](pages): solutions for Pages workflows * [icons](icons): svg icons for the relevant template Each workflow must be written in YAML and have a `.yml` extension. They also need a corresponding `.properties.json` file that contains extra metadata about the workflow (this is displayed in the GitHub.com UI). @@ -40,6 +41,14 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * monitoring * Automation * utilities +* Pages +* Hugo +* Gatsby +* Next +* Nuxt +* HTML +* JavaScript +* CSS ### Variables These variables can be placed in the starter workflow and will be substituted as detailed below: From 3f6632a2aee5450e054cc12323ff30695875d46b Mon Sep 17 00:00:00 2001 From: Nick McCurdy Date: Fri, 23 Sep 2022 11:42:07 -0400 Subject: [PATCH 16/22] Remove redundant languages --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index 9cf6833..fa8d351 100644 --- a/README.md +++ b/README.md @@ -46,9 +46,6 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * Gatsby * Next * Nuxt -* HTML -* JavaScript -* CSS ### Variables These variables can be placed in the starter workflow and will be substituted as detailed below: From eaf0ed4a08ebf0cf7b2ef7ac29c1f18f0d5bf084 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Oct 2022 14:19:44 +0000 Subject: [PATCH 17/22] Bump pozil/auto-assign-issue from 1.10.0 to 1.10.1 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.10.0 to 1.10.1. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.10.0...v1.10.1) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index 0cb9345..98f071a 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.10.0 + uses: pozil/auto-assign-issue@v1.10.1 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1 From 9a9cef713d58450916333470a1bd233e97c2f83e Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec <83706991+abdul-hai-apisec@users.noreply.github.com> Date: Wed, 12 Oct 2022 14:21:47 +0530 Subject: [PATCH 18/22] Update ethicalcheck.yml --- code-scanning/ethicalcheck.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index c089015..4a8ad3c 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml @@ -49,9 +49,16 @@ jobs: steps: - name: EthicalCheck Free & Automated API Security Testing Service - uses: apisec-inc/ethicalcheck-action@latest + uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641 with: # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL. oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs" # The email address to which the penetration test report will be sent. - email: "xxx@apisec.ai" \ No newline at end of file + email: "xxx@apisec.ai" + sarif-result-file: "ethicalcheck-results.sarif" + + - name: Upload sarif file to repository + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ./ethicalcheck-results.sarif + From d1768edd6c32f2b7ed1b94b93e98390da3e4e3d4 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Wed, 12 Oct 2022 13:05:05 +0000 Subject: [PATCH 19/22] Remove filename check --- script/validate-data/index.ts | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts index abbdfbe..4bd260d 100755 --- a/script/validate-data/index.ts +++ b/script/validate-data/index.ts @@ -44,7 +44,6 @@ const propertiesSchema = { async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise { const result: WorkflowWithErrors[] = [] const workflow_template_names = new Set() - const workflow_template_file_names = new Set() for (const folder of folders) { const dir = await fs.readdir(folder, { withFileTypes: true, @@ -59,10 +58,7 @@ async function checkWorkflows(folders: string[], allowed_categories: object[]): const workflowWithErrors = await checkWorkflow(workflowFilePath, propertiesFilePath, allowed_categories); if(workflowWithErrors.name && workflow_template_names.size == workflow_template_names.add(workflowWithErrors.name).size) { - workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) - } - if(workflow_template_file_names.size == workflow_template_file_names.add(e.name).size) { - workflowWithErrors.errors.push(`Workflow template with filename "${e.name}" already exists`) + workflowWithErrors.errors.push(`Workflow template name "${workflowWithErrors.name}" already exists`) } if (workflowWithErrors.errors.length > 0) { result.push(workflowWithErrors) From 90fcb3f10e2f67fb9e90e866901f7e9173317ea3 Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Wed, 12 Oct 2022 20:30:11 +0530 Subject: [PATCH 20/22] Added permissions --- code-scanning/ethicalcheck.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index 4a8ad3c..2818bc6 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml @@ -42,9 +42,14 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: - +permissions: + contents: read + jobs: Trigger_EthicalCheck: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: @@ -57,8 +62,8 @@ jobs: email: "xxx@apisec.ai" sarif-result-file: "ethicalcheck-results.sarif" - - name: Upload sarif file to repository - uses: github/codeql-action/upload-sarif@v2 - with: + - name: Upload sarif file to repository + uses: github/codeql-action/upload-sarif@v2 + with: sarif_file: ./ethicalcheck-results.sarif From 9c49b9d11c5dd12f3732b4707fde87d4753c3873 Mon Sep 17 00:00:00 2001 From: Nick McCurdy Date: Mon, 17 Oct 2022 08:31:16 -0400 Subject: [PATCH 21/22] Delete Gatsby, Next, and Nuxt categories https://github.com/actions/starter-workflows/pull/1762#discussion_r996963757 --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index fa8d351..7ff406f 100644 --- a/README.md +++ b/README.md @@ -43,9 +43,6 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`. * utilities * Pages * Hugo -* Gatsby -* Next -* Nuxt ### Variables These variables can be placed in the starter workflow and will be substituted as detailed below: From e5b363612e747c2961857eef5c4d66d2824a1efc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Oct 2022 13:53:14 +0000 Subject: [PATCH 22/22] Bump pozil/auto-assign-issue from 1.10.1 to 1.11.0 Bumps [pozil/auto-assign-issue](https://github.com/pozil/auto-assign-issue) from 1.10.1 to 1.11.0. - [Release notes](https://github.com/pozil/auto-assign-issue/releases) - [Commits](https://github.com/pozil/auto-assign-issue/compare/v1.10.1...v1.11.0) --- updated-dependencies: - dependency-name: pozil/auto-assign-issue dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-assign-issues.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index 98f071a..adaa8d6 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Auto-assign issue' - uses: pozil/auto-assign-issue@v1.10.1 + uses: pozil/auto-assign-issue@v1.11.0 with: assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft numOfAssignee: 1