From 6a69f367db79af78686fc3d2560c28ea29573acc Mon Sep 17 00:00:00 2001 From: eric sciple Date: Tue, 2 Mar 2021 19:59:19 -0600 Subject: [PATCH 1/6] Update starter workflows to specify permissions --- automation/greetings.yml | 3 +++ automation/label.yml | 3 +++ automation/stale.yml | 3 +++ ci/docker-publish.yml | 4 ++++ ci/gem-push.yml | 3 +++ ci/gradle-publish.yml | 3 +++ ci/maven-publish.yml | 3 +++ ci/npm-publish.yml | 3 +++ code-scanning/codeql.yml | 3 +++ code-scanning/kubesec.yml | 3 +++ code-scanning/mayhem-for-api.yml | 3 +++ code-scanning/synopsys-io.yml | 3 +++ code-scanning/tfsec.yml | 3 +++ 13 files changed, 40 insertions(+) diff --git a/automation/greetings.yml b/automation/greetings.yml index ebb00a0..ee1cb11 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -5,6 +5,9 @@ on: [pull_request, issues] jobs: greeting: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions/first-interaction@v1 with: diff --git a/automation/label.yml b/automation/label.yml index 7c724a6..5cdc45e 100644 --- a/automation/label.yml +++ b/automation/label.yml @@ -12,6 +12,9 @@ jobs: label: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - uses: actions/labeler@v2 diff --git a/automation/stale.yml b/automation/stale.yml index b671fc0..30c3dd9 100644 --- a/automation/stale.yml +++ b/automation/stale.yml @@ -8,6 +8,9 @@ jobs: stale: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions/stale@v3 diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 76756db..ba69744 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -44,6 +44,10 @@ jobs: runs-on: ubuntu-latest if: github.event_name == 'push' + permissions: + contents: read + packages: write + steps: - uses: actions/checkout@v2 diff --git a/ci/gem-push.yml b/ci/gem-push.yml index a1edfbc..3dc62be 100644 --- a/ci/gem-push.yml +++ b/ci/gem-push.yml @@ -10,6 +10,9 @@ jobs: build: name: Build + Publish runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index ef99e13..a74a1ce 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -11,6 +11,9 @@ jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index c3f4855..18dd937 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -11,6 +11,9 @@ jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 1b4952d..8462902 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -35,6 +35,9 @@ jobs: publish-gpr: needs: build runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index d88fe52..99299d6 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -24,6 +24,9 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + contents: read + security-events: write strategy: fail-fast: false diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 8d3d0eb..2d528a5 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -18,6 +18,9 @@ jobs: lint: name: Kubesec runs-on: ubuntu-20.04 + permissions: + contents: read + security-events: write steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 1601ff5..d084e3a 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -37,6 +37,9 @@ jobs: name: Mayhem for API # Mayhem for API runs on linux, mac and windows runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - uses: actions/checkout@v2 diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 9b5a080..7e0aa09 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -18,6 +18,9 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Checkout repository diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 05879a1..006c985 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -17,6 +17,9 @@ jobs: tfsec: name: Run tfsec sarif report runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Clone repo From 2678356764ad3e52573c1cbbf702a56dce2715b9 Mon Sep 17 00:00:00 2001 From: A-Katopodis Date: Thu, 22 Apr 2021 01:41:31 +0300 Subject: [PATCH 2/6] Add psscriptanalyzer code scanning --- code-scanning/powershell.yml | 42 +++++++++++++++++++ .../properties/powershell.properties.json | 7 ++++ icons/powershell.svg | 30 +++++++++++++ 3 files changed, 79 insertions(+) create mode 100644 code-scanning/powershell.yml create mode 100644 code-scanning/properties/powershell.properties.json create mode 100644 icons/powershell.svg diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml new file mode 100644 index 0000000..dfbf452 --- /dev/null +++ b/code-scanning/powershell.yml @@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# https://github.com/microsoft/action-psscriptanalyzer +# For more information on PSScriptAnalyzer in general, see +# https://github.com/PowerShell/PSScriptAnalyzer + +name: PSScriptAnalyzer + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + build: + name: PSScriptAnalyzer + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Run PSScriptAnalyzer + uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061 + with: + # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. + # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. + path: .\ + recurse: true + # Include your own basic security rules. Removing this option will run all the rules + includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"' + output: results.sarif + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif diff --git a/code-scanning/properties/powershell.properties.json b/code-scanning/properties/powershell.properties.json new file mode 100644 index 0000000..98a5a78 --- /dev/null +++ b/code-scanning/properties/powershell.properties.json @@ -0,0 +1,7 @@ +{ + "name": "PSScriptAnalyzer", + "creator": "Microsoft", + "description": "A static code checker for PowerShell modules and scripts. PSScriptAnalyzer checks the quality of PowerShell code by running a set of rules.", + "iconName": "powershell", + "categories": ["Code Scanning", "PowerShell"] +} \ No newline at end of file diff --git a/icons/powershell.svg b/icons/powershell.svg new file mode 100644 index 0000000..54c4d89 --- /dev/null +++ b/icons/powershell.svg @@ -0,0 +1,30 @@ + + + Artboard 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From ccfd55f9c81f7a10066689e83526d0a2ddcde722 Mon Sep 17 00:00:00 2001 From: A-Katopodis Date: Thu, 22 Apr 2021 01:51:14 +0300 Subject: [PATCH 3/6] Updated creator field --- code-scanning/properties/powershell.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/powershell.properties.json b/code-scanning/properties/powershell.properties.json index 98a5a78..95420ae 100644 --- a/code-scanning/properties/powershell.properties.json +++ b/code-scanning/properties/powershell.properties.json @@ -1,6 +1,6 @@ { "name": "PSScriptAnalyzer", - "creator": "Microsoft", + "creator": "Microsoft Corporation", "description": "A static code checker for PowerShell modules and scripts. PSScriptAnalyzer checks the quality of PowerShell code by running a set of rules.", "iconName": "powershell", "categories": ["Code Scanning", "PowerShell"] From a0512d36da4f7d2155aaeea8c59a19399a18dbbe Mon Sep 17 00:00:00 2001 From: eric sciple Date: Fri, 23 Apr 2021 14:06:00 -0500 Subject: [PATCH 4/6] include actions:read for all code scanning workflows --- code-scanning/codeql.yml | 1 + code-scanning/kubesec.yml | 1 + code-scanning/mayhem-for-api.yml | 1 + code-scanning/synopsys-io.yml | 1 + code-scanning/tfsec.yml | 1 + 5 files changed, 5 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 99299d6..b32675e 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -25,6 +25,7 @@ jobs: name: Analyze runs-on: ubuntu-latest permissions: + actions: read contents: read security-events: write diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 2d528a5..1cad70c 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -19,6 +19,7 @@ jobs: name: Kubesec runs-on: ubuntu-20.04 permissions: + actions: read contents: read security-events: write steps: diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index d084e3a..0aab0b4 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -38,6 +38,7 @@ jobs: # Mayhem for API runs on linux, mac and windows runs-on: ubuntu-latest permissions: + actions: read contents: read security-events: write steps: diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 7e0aa09..0c1ff16 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -19,6 +19,7 @@ jobs: name: Analyze runs-on: ubuntu-latest permissions: + actions: read contents: read security-events: write diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 006c985..51c5639 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -18,6 +18,7 @@ jobs: name: Run tfsec sarif report runs-on: ubuntu-latest permissions: + actions: read contents: read security-events: write From 120036944ad5188becaf77cd54042838d290aeb2 Mon Sep 17 00:00:00 2001 From: A-Katopodis Date: Mon, 26 Apr 2021 11:04:15 +0300 Subject: [PATCH 5/6] Updated Powershell Icon --- icons/powershell.svg | 57 ++++++++++++++++++++++---------------------- 1 file changed, 28 insertions(+), 29 deletions(-) diff --git a/icons/powershell.svg b/icons/powershell.svg index 54c4d89..ec01c8c 100644 --- a/icons/powershell.svg +++ b/icons/powershell.svg @@ -1,30 +1,29 @@ - - - Artboard 1 - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + \ No newline at end of file From 8ce9196a32834dd16d8b00084d96103aa3a41150 Mon Sep 17 00:00:00 2001 From: Shivam Mathur Date: Tue, 27 Apr 2021 22:42:11 +0530 Subject: [PATCH 6/6] Update shivammathur/setup-php in laravel.yml (#886) --- ci/laravel.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/laravel.yml b/ci/laravel.yml index d54921e..5f4e6c9 100644 --- a/ci/laravel.yml +++ b/ci/laravel.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: shivammathur/setup-php@b7d1d9c9a92d8d8463ce36d7f60da34d461724f8 + - uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e with: php-version: '8.0' - uses: actions/checkout@v2