diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml new file mode 100644 index 0000000..68e4672 --- /dev/null +++ b/code-scanning/appknox.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support documentation. +# +# Appknox: Leader in Mobile Application Security Testing Solutions +# +# To use this workflow, you must be an existing Appknox customer with GitHub Advanced Security (GHAS) enabled for your +# repository. +# +# If you *are not* an existing customer, click here to contact us for licensing and pricing details: +# . +# +# Instructions: +# +# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the +# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token +# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings +# and create a token labeled GitHub +# +# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. After the +# action executes, check the 'Security' tab for results + +name: Appknox + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] +jobs: + appknox: + runs-on: ubuntu-latest + steps: + - name: Checkout Code + uses: actions/checkout@v2 + + - name: Grant execute permission for gradlew + run: chmod +x gradlew + + - name: Build the app + run: ./gradlew build # Update this to build your Android or iOS application + + - name: Appknox GitHub action + uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4 + with: + appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }} + file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here + risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL] + sarif: Enable + + - name: Upload SARIF to GHAS + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: report.sarif diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 7304e83..b0aaeb3 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -33,9 +33,11 @@ jobs: - name: Install ESLint run: | npm install eslint@8.10.0 - npm install @microsoft/eslint-formatter-sarif@2.1.7 + npm install @microsoft/eslint-formatter-sarif@3.1.0 - name: Run ESLint + env: + SARIF_ESLINT_IGNORE_SUPPRESSED: "true" run: npx eslint . --config .eslintrc.js --ext .js,.jsx,.ts,.tsx @@ -47,4 +49,4 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: eslint-results.sarif - wait-for-processing: true \ No newline at end of file + wait-for-processing: true diff --git a/code-scanning/jfrog-sast.yml b/code-scanning/jfrog-sast.yml new file mode 100644 index 0000000..4ff7ef7 --- /dev/null +++ b/code-scanning/jfrog-sast.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# JFrog SAST performs 1st party source code security analysis +# For more information, see +# https://docs.jfrog-applications.jfrog.io/jfrog-security-features/sast + +name: "JFrog SAST Scan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch, $protected-branches ] + schedule: + - cron: $cron-weekly + +env: + # [Mandatory] + # JFrog platform URL and access token for + # a JFrog platform instance with active + # JFrog Advanced Security subscription + JF_URL: ${{ secrets.JF_URL }} + JF_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + + - name: Install and configure JFrog CLI + run: | + npm install -g jfrog-cli-v2-jf + echo $JF_TOKEN | jf c add --interactive=false --url=$JF_URL --access-token-stdin + + - name: Run JFrog SAST + run: | + jf audit --sast --format=sarif > jfrog_sast.sarif + + + - name: Upload output to generate autofix + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: jfrog_sast.sarif \ No newline at end of file diff --git a/code-scanning/properties/appknox.properties.json b/code-scanning/properties/appknox.properties.json new file mode 100644 index 0000000..8e8b1f2 --- /dev/null +++ b/code-scanning/properties/appknox.properties.json @@ -0,0 +1,21 @@ +{ + "name": "Appknox", + "creator": "Appknox", + "description": "Use Appknox action for faster and precise security assessments of your iOS and Android apps developed using any programming language", + "iconName": "appknox", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C", + "C", + "C++", + "C#", + "Rust", + "JavaScript", + "TypeScript", + "Node" + ] +} diff --git a/code-scanning/properties/jfrog-sast.properties.json b/code-scanning/properties/jfrog-sast.properties.json new file mode 100644 index 0000000..7ffa897 --- /dev/null +++ b/code-scanning/properties/jfrog-sast.properties.json @@ -0,0 +1,16 @@ +{ + "name": "JFrog SAST", + "description": "Scan for security vulnerabilities in source code using JFrog SAST", + "iconName": "frogbot", + "categories": + [ + "Code Scanning", + "security", + "python", + "java", + "javascript", + "typescript", + "go" + ], + "creator": "JFrog" +} \ No newline at end of file diff --git a/icons/appknox.svg b/icons/appknox.svg new file mode 100644 index 0000000..36148e7 --- /dev/null +++ b/icons/appknox.svg @@ -0,0 +1,10 @@ + + + + + + + + + +