diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml
new file mode 100644
index 0000000..696b4f8
--- /dev/null
+++ b/.github/auto_assign.yml
@@ -0,0 +1,17 @@
+# Set to true to add reviewers to pull requests
+addReviewers: true
+
+# Set to true to add assignees to pull requests
+addAssignees: false
+
+# A list of reviewers to be added to pull requests (GitHub user name)
+reviewers:
+ - phantsure
+ - anuragc617
+ - tiwarishub
+ - vsvipul
+ - bishal-pdmsft
+
+# A number of reviewers added to the pull request
+# Set 0 to add all the reviewers (default: 0)
+numberOfReviewers: 1
diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml
new file mode 100644
index 0000000..b8406e9
--- /dev/null
+++ b/.github/workflows/auto-assign-issues.yml
@@ -0,0 +1,15 @@
+name: Issue assignment
+
+on:
+ issues:
+ types: [opened]
+
+jobs:
+ auto-assign:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Auto-assign issue'
+ uses: pozil/auto-assign-issue@v1.4.0
+ with:
+ assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft
+ numOfAssignee: 1
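Review bot: `pozil/auto-assign-issue@v1.4.0` is a third-party action pinned to a mutable tag, and the same applies to `kentaro-m/auto-assign-action@v1.2.1` in .github/workflows/auto-assign.yml; the repository's own templates (ci/ruby.yml, ci/docker-publish.yml, ci/rubyonrails.yml) pin third-party actions to a full commit SHA with the version in a trailing comment, so these two workflows should follow that convention. Both workflows also omit a `permissions:` block, so the job runs with whatever default GITHUB_TOKEN scope the repository grants. Assigning issues needs only `permissions:` / `issues: write`, and the reviewer-assignment workflow presumably needs only `pull-requests: write`; those are the minimal scopes I would add to each job.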
diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml
new file mode 100644
index 0000000..4dcc612
--- /dev/null
+++ b/.github/workflows/auto-assign.yml
@@ -0,0 +1,10 @@
+name: 'Auto Assign'
+on:
+ pull_request:
+ types: [opened, ready_for_review]
+
+jobs:
+ add-reviews:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: kentaro-m/auto-assign-action@v1.2.1
diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml
index eba05f0..99fdbc5 100644
--- a/.github/workflows/labeler-triage.yml
+++ b/.github/workflows/labeler-triage.yml
@@ -11,6 +11,6 @@ jobs:
triage:
runs-on: ubuntu-latest
steps:
- - uses: actions/labeler@v3
+ - uses: actions/labeler@v4
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
\ No newline at end of file
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 217078a..c319ce1 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/stale@v3
+ - uses: actions/stale@v5
with:
stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.'
stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.'
diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync-ghes.yaml
similarity index 92%
rename from .github/workflows/sync_ghes.yaml
rename to .github/workflows/sync-ghes.yaml
index 946218f..fb9c623 100644
--- a/.github/workflows/sync_ghes.yaml
+++ b/.github/workflows/sync-ghes.yaml
@@ -11,12 +11,12 @@ jobs:
contents: write
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- run: |
git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
git config user.email "cschleiden@github.com"
git config user.name "GitHub Actions"
- - uses: actions/setup-node@v2
+ - uses: actions/setup-node@v3
with:
node-version: '12'
- name: Check starter workflows for GHES compat
diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml
index 7d5c1ee..d2ac9a5 100644
--- a/.github/workflows/validate-data.yaml
+++ b/.github/workflows/validate-data.yaml
@@ -10,9 +10,9 @@ jobs:
contents: read
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- - uses: actions/setup-node@v2
+ - uses: actions/setup-node@v3
with:
node-version: "12"
diff --git a/CODEOWNERS b/CODEOWNERS
index 8866d17..91153de 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,3 +1,3 @@
* @actions/starter-workflows
-/code-scanning/ @actions/advanced-security-code-scanning
+/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows
diff --git a/automation/greetings.yml b/automation/greetings.yml
index ee1cb11..18ba13f 100644
--- a/automation/greetings.yml
+++ b/automation/greetings.yml
@@ -1,6 +1,6 @@
name: Greetings
-on: [pull_request, issues]
+on: [pull_request_target, issues]
jobs:
greeting:
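Review bot: `pull_request_target` runs the greeting job in the base-repository context with a write-capable GITHUB_TOKEN and access to repository secrets even for pull requests from forks, which is why it is needed to comment on fork PRs but also why the job must never check out or execute the PR head. The job body lies outside this hunk, so I cannot confirm it is limited to the greeting action; I would add a comment on the trigger line, `# pull_request_target: runs with a write token so it can comment on fork PRs — never check out or run PR head code in this job`, and make sure the job's `permissions:` grants only `issues: write` and `pull-requests: write`. The `issues` half of the trigger is unaffected by the change.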
diff --git a/automation/label.yml b/automation/label.yml
index 5cdc45e..a8a1bd7 100644
--- a/automation/label.yml
+++ b/automation/label.yml
@@ -17,6 +17,6 @@ jobs:
pull-requests: write
steps:
- - uses: actions/labeler@v2
+ - uses: actions/labeler@v4
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/automation/stale.yml b/automation/stale.yml
index ff88dc0..1322eaf 100644
--- a/automation/stale.yml
+++ b/automation/stale.yml
@@ -18,7 +18,7 @@ jobs:
pull-requests: write
steps:
- - uses: actions/stale@v3
+ - uses: actions/stale@v5
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'Stale issue message'
diff --git a/ci/ada.yml b/ci/ada.yml
index a27902a..7e94b38 100644
--- a/ci/ada.yml
+++ b/ci/ada.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Set up GNAT toolchain
run: >
diff --git a/ci/android.yml b/ci/android.yml
index f289bd5..221fca5 100644
--- a/ci/android.yml
+++ b/ci/android.yml
@@ -12,9 +12,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/ant.yml b/ci/ant.yml
index 0205d40..1614664 100644
--- a/ci/ant.yml
+++ b/ci/ant.yml
@@ -15,9 +15,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/blank.yml b/ci/blank.yml
index 895e5d1..607e2cf 100644
--- a/ci/blank.yml
+++ b/ci/blank.yml
@@ -23,7 +23,7 @@ jobs:
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Runs a single command using the runners shell
- name: Run a one-line script
diff --git a/ci/c-cpp.yml b/ci/c-cpp.yml
index 88d1497..14d2eb9 100644
--- a/ci/c-cpp.yml
+++ b/ci/c-cpp.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: configure
run: ./configure
- name: make
diff --git a/ci/clojure.yml b/ci/clojure.yml
index 098918a..a76631a 100644
--- a/ci/clojure.yml
+++ b/ci/clojure.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Install dependencies
run: lein deps
- name: Run tests
diff --git a/ci/cmake.yml b/ci/cmake.yml
index 6c858b9..6f06f75 100644
--- a/ci/cmake.yml
+++ b/ci/cmake.yml
@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Configure CMake
# Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
diff --git a/ci/crystal.yml b/ci/crystal.yml
index 6552afa..18cc825 100644
--- a/ci/crystal.yml
+++ b/ci/crystal.yml
@@ -15,7 +15,7 @@ jobs:
image: crystallang/crystal
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Install dependencies
run: shards install
- name: Run tests
diff --git a/ci/d.yml b/ci/d.yml
index 6086681..350eeee 100644
--- a/ci/d.yml
+++ b/ci/d.yml
@@ -10,13 +10,16 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- uses: dlang-community/setup-dlang@4c99aa991ce7d19dd3064de0a4f2f6b2f152e2d7
- name: 'Build & Test'
diff --git a/ci/dart.yml b/ci/dart.yml
index 7486577..7bf352f 100644
--- a/ci/dart.yml
+++ b/ci/dart.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Note: This workflow uses the latest stable version of the Dart SDK.
# You can specify other versions if desired, see documentation here:
diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml
new file mode 100644
index 0000000..7056f87
--- /dev/null
+++ b/ci/datadog-synthetics.yml
@@ -0,0 +1,38 @@
+# This workflow will trigger Datadog Synthetic tests within your Datadog organisation
+# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# To get started:
+
+# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/.
+# 2. Start using the action within your workflow
+
+name: Run Datadog Synthetic tests
+
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ # Run Synthetic tests within your GitHub workflow.
+ # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
+ - name: Run Datadog Synthetic tests
+ uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e
+ with:
+ api_key: ${{secrets.DD_API_KEY}}
+ app_key: ${{secrets.DD_APP_KEY}}
+ test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy
+
+
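Review bot: This new template still uses `actions/checkout@v2` while every other template in this commit moves to `actions/checkout@v3`, and it lacks the top-level `permissions:` / `contents: read` block the commit adds to the other CI templates, so the job gets the default token scope. Both should be aligned before the template ships: `- uses: actions/checkout@v3` and a top-level `permissions:` block containing `contents: read`. Because secrets are not exposed to `pull_request` runs from forks, the synthetics step will fail on fork PRs; a one-line comment saying so would save users a support question. Minor style: the file ends with two blank lines, the secret expressions are written `${{secrets.DD_API_KEY}}` rather than `${{ secrets.DD_API_KEY }}` as elsewhere in the repo, and the inline comment `#Modify this tag` needs a space after `#`.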
diff --git a/ci/deno.yml b/ci/deno.yml
index 25e9e2a..2234bf6 100644
--- a/ci/deno.yml
+++ b/ci/deno.yml
@@ -14,13 +14,16 @@ on:
pull_request:
branches: [$default-branch]
+permissions:
+ contents: read
+
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Setup repo
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Setup Deno
# uses: denoland/setup-deno@v1
diff --git a/ci/django.yml b/ci/django.yml
index dbde266..79550cc 100644
--- a/ci/django.yml
+++ b/ci/django.yml
@@ -16,9 +16,9 @@ jobs:
python-version: [3.7, 3.8, 3.9]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- name: Install Dependencies
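Review bot: The matrix `python-version: [3.7, 3.8, 3.9]` is left as unquoted floats; harmless for these values, but the same pattern in ci/python-package-conda.yml (`python-version: 3.10`) parses as the float 3.1 and so requests a Python version that does not exist, and ci/go.yml's `go-version: 1.18` will break as soon as it is bumped to 1.20. The sibling templates in this commit (ci/pylint.yml, ci/python-package.yml, ci/python-app.yml) already quote them; for consistency I'd write `python-version: ["3.7", "3.8", "3.9"]` here, `python-version: "3.10"` in the conda template and `go-version: '1.18'` in the Go template.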
diff --git a/ci/docker-image.yml b/ci/docker-image.yml
index 78532a3..cc9cd6e 100644
--- a/ci/docker-image.yml
+++ b/ci/docker-image.yml
@@ -13,6 +13,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)
diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
index 977635a..2f68e66 100644
--- a/ci/docker-publish.yml
+++ b/ci/docker-publish.yml
@@ -35,15 +35,15 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
+ uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605
with:
- cosign-release: 'v1.4.0'
+ cosign-release: 'v1.7.1'
# Workaround: https://github.com/docker/build-push-action/issues/461
@@ -72,7 +72,7 @@ jobs:
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
- uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+ uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
@@ -90,4 +90,4 @@ jobs:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
- run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+ run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }}
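Review bot: `steps.meta.outputs.tags` from docker/metadata-action is a newline-separated list when more than one tag is produced, so splicing it straight into `cosign sign <tags>@<digest>` renders a multi-line script in which only the last tag carries the `@digest` suffix and the earlier ones are signed bare (or the trailing line is run as a bogus command); the `meta` step is outside this hunk, so whether this template emits several tags is inferred from the action's documented behaviour. A per-tag loop handles both the single- and multi-tag cases: `run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}`. Signing `tag@digest` is the right choice, since it binds each signature to the immutable image digest.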
diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml
index 06ce344..00a78c7 100644
--- a/ci/dotnet-desktop.yml
+++ b/ci/dotnet-desktop.yml
@@ -63,13 +63,13 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
with:
fetch-depth: 0
# Install the .NET Core workload
- name: Install .NET Core
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@v2
with:
dotnet-version: 5.0.x
@@ -105,7 +105,7 @@ jobs:
# Remove the pfx
- name: Remove the pfx
- run: Remove-Item -path $env:Wap_Project_Directory\$env:Signing_Certificate
+ run: Remove-Item -path $env:Wap_Project_Directory\GitHubActionsWorkflow.pfx
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
- name: Upload build artifacts
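Review bot: The `Remove the pfx` step runs only when every earlier step succeeded, so a failed build or package step leaves the decoded signing certificate on the runner's disk; on GitHub-hosted runners the VM is discarded, but on self-hosted runners it persists into the next job. I would add `if: always()` to the step and tolerate an absent file, `run: Remove-Item -path $env:Wap_Project_Directory\GitHubActionsWorkflow.pfx -ErrorAction SilentlyContinue`. The file name is now hardcoded here, so it must match whatever name the decode step (outside this hunk) writes; a short comment pointing at that step would make the coupling visible.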
diff --git a/ci/dotnet.yml b/ci/dotnet.yml
index c31cf68..5974d4a 100644
--- a/ci/dotnet.yml
+++ b/ci/dotnet.yml
@@ -12,9 +12,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Setup .NET
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@v2
with:
dotnet-version: 5.0.x
- name: Restore dependencies
diff --git a/ci/elixir.yml b/ci/elixir.yml
index afe01be..6c76f54 100644
--- a/ci/elixir.yml
+++ b/ci/elixir.yml
@@ -1,31 +1,34 @@
-name: Elixir CI
-
-on:
- push:
- branches: [ $default-branch ]
- pull_request:
- branches: [ $default-branch ]
-
-jobs:
- build:
-
- name: Build and test
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v2
- - name: Set up Elixir
- uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
- with:
- elixir-version: '1.12.3' # Define the elixir version [required]
- otp-version: '24.1' # Define the OTP version [required]
- - name: Restore dependencies cache
- uses: actions/cache@v2
- with:
- path: deps
- key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }}
- restore-keys: ${{ runner.os }}-mix-
- - name: Install dependencies
- run: mix deps.get
- - name: Run tests
- run: mix test
+name: Elixir CI
+
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+
+ name: Build and test
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Elixir
+ uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
+ with:
+ elixir-version: '1.12.3' # Define the elixir version [required]
+ otp-version: '24.1' # Define the OTP version [required]
+ - name: Restore dependencies cache
+ uses: actions/cache@v3
+ with:
+ path: deps
+ key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }}
+ restore-keys: ${{ runner.os }}-mix-
+ - name: Install dependencies
+ run: mix deps.get
+ - name: Run tests
+ run: mix test
diff --git a/ci/erlang.yml b/ci/erlang.yml
index 25cb893..984b83a 100644
--- a/ci/erlang.yml
+++ b/ci/erlang.yml
@@ -6,6 +6,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
@@ -16,7 +19,7 @@ jobs:
image: erlang:22.0.7
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Compile
run: rebar3 compile
- name: Run tests
diff --git a/ci/gem-push.yml b/ci/gem-push.yml
index 3dc62be..8905272 100644
--- a/ci/gem-push.yml
+++ b/ci/gem-push.yml
@@ -15,7 +15,7 @@ jobs:
packages: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Ruby 2.6
uses: actions/setup-ruby@v1
with:
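Review bot: The checkout bump leaves `actions/setup-ruby@v1` in place, which is the archived action whose own README redirects users to `ruby/setup-ruby`, and the repository's other Ruby templates (ci/ruby.yml, ci/rubyonrails.yml) already use `ruby/setup-ruby` pinned to a commit SHA; this template should be moved to the same action in the same style, `uses: ruby/setup-ruby@<sha-placeholder> # <version-placeholder>`, with the pin taken from ci/rubyonrails.yml. The same applies to `actions/setup-haskell@v1` in ci/haskell.yml, whose repository points users to haskell/actions/setup. The step's `with:` block continues outside the hunk.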
diff --git a/ci/go.yml b/ci/go.yml
index afff652..bb3ec96 100644
--- a/ci/go.yml
+++ b/ci/go.yml
@@ -11,12 +11,12 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@v3
with:
- go-version: 1.17
+ go-version: 1.18
- name: Build
run: go build -v ./...
diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml
index 9fdc851..9aeb2b8 100644
--- a/ci/gradle-publish.yml
+++ b/ci/gradle-publish.yml
@@ -20,9 +20,9 @@ jobs:
packages: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
@@ -30,14 +30,14 @@ jobs:
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Build with Gradle
- uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
+ uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
with:
arguments: build
# The USERNAME and TOKEN need to correspond to the credentials environment variables used in
# the publishing section of your build.gradle
- name: Publish to GitHub Packages
- uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
+ uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
with:
arguments: publish
env:
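Review bot: The new `gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee` pins carry no version comment, so a reader (or a tool that resolves SHA pins) cannot tell which release the SHA corresponds to; ci/rubyonrails.yml already uses the form `uses: owner/action@<sha> # v1.92`, and that convention should be applied here and to the same pin in ci/gradle.yml, to `ruby/setup-ruby@2b019609e2b0f1ea1a2bc8ca11cb82ab46ada124` in ci/ruby.yml, and to the cosign-installer and build-push-action pins in ci/docker-publish.yml. Pinning by SHA is the right call; the comment is what keeps it auditable. Suggested form: `uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee # <version-placeholder>`. The hunk ends mid-step (`env:` continues outside it).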
diff --git a/ci/gradle.yml b/ci/gradle.yml
index fc8cf2f..4642c75 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -13,19 +13,22 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
- name: Build with Gradle
- uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
+ uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
with:
arguments: build
diff --git a/ci/haskell.yml b/ci/haskell.yml
index c1d7dc7..5693f90 100644
--- a/ci/haskell.yml
+++ b/ci/haskell.yml
@@ -6,20 +6,23 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- uses: actions/setup-haskell@v1
with:
ghc-version: '8.10.3'
cabal-version: '3.2'
- name: Cache
- uses: actions/cache@v1
+ uses: actions/cache@v3
env:
cache-name: cache-cabal
with:
diff --git a/ci/ios.yml b/ci/ios.yml
index ab92d32..693a7d5 100644
--- a/ci/ios.yml
+++ b/ci/ios.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Set Default Scheme
run: |
scheme_list=$(xcodebuild -list -json | tr -d "\n")
@@ -26,7 +26,7 @@ jobs:
platform: ${{ 'iOS Simulator' }}
run: |
# xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
- device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'`
+ device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
@@ -37,7 +37,7 @@ jobs:
platform: ${{ 'iOS Simulator' }}
run: |
# xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
- device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'`
+ device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
diff --git a/ci/jekyll.yml b/ci/jekyll.yml
index 71920c1..6a98dea 100644
--- a/ci/jekyll.yml
+++ b/ci/jekyll.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build the site in the jekyll/builder container
run: |
docker run \
diff --git a/ci/laravel.yml b/ci/laravel.yml
index 5f4e6c9..e778d7b 100644
--- a/ci/laravel.yml
+++ b/ci/laravel.yml
@@ -15,7 +15,7 @@ jobs:
- uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e
with:
php-version: '8.0'
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Copy .env
run: php -r "file_exists('.env') || copy('.env.example', '.env');"
- name: Install Dependencies
diff --git a/ci/makefile.yml b/ci/makefile.yml
index eafe622..0156944 100644
--- a/ci/makefile.yml
+++ b/ci/makefile.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: configure
run: ./configure
diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml
index 319f9a1..dab69fe 100644
--- a/ci/maven-publish.yml
+++ b/ci/maven-publish.yml
@@ -16,9 +16,9 @@ jobs:
packages: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/maven.yml b/ci/maven.yml
index f301fe0..65e0dff 100644
--- a/ci/maven.yml
+++ b/ci/maven.yml
@@ -15,9 +15,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/msbuild.yml b/ci/msbuild.yml
index e650e2a..c50354e 100644
--- a/ci/msbuild.yml
+++ b/ci/msbuild.yml
@@ -15,12 +15,15 @@ env:
# https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
BUILD_CONFIGURATION: Release
+permissions:
+ contents: read
+
jobs:
build:
runs-on: windows-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Add MSBuild to PATH
uses: microsoft/setup-msbuild@v1.0.2
diff --git a/ci/node.js.yml b/ci/node.js.yml
index 8d1b9c7..87ef0d8 100644
--- a/ci/node.js.yml
+++ b/ci/node.js.yml
@@ -20,9 +20,9 @@ jobs:
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v2
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml
index 8c83cb6..eda97e1 100644
--- a/ci/npm-grunt.yml
+++ b/ci/npm-grunt.yml
@@ -15,10 +15,10 @@ jobs:
node-version: [12.x, 14.x, 16.x]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml
index cc5da13..504f22e 100644
--- a/ci/npm-gulp.yml
+++ b/ci/npm-gulp.yml
@@ -15,10 +15,10 @@ jobs:
node-version: [12.x, 14.x, 16.x]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml
index 09ff0b3..638ccf8 100644
--- a/ci/npm-publish-github-packages.yml
+++ b/ci/npm-publish-github-packages.yml
@@ -11,8 +11,8 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
node-version: 16
- run: npm ci
@@ -25,8 +25,8 @@ jobs:
contents: read
packages: write
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
node-version: 16
registry-url: $registry-url(npm)
diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml
index ef8c690..c461c85 100644
--- a/ci/npm-publish.yml
+++ b/ci/npm-publish.yml
@@ -11,8 +11,8 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
node-version: 16
- run: npm ci
@@ -22,8 +22,8 @@ jobs:
needs: build
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
with:
node-version: 16
registry-url: https://registry.npmjs.org/
diff --git a/ci/objective-c-xcode.yml b/ci/objective-c-xcode.yml
index db009b0..1373878 100644
--- a/ci/objective-c-xcode.yml
+++ b/ci/objective-c-xcode.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Set Default Scheme
run: |
scheme_list=$(xcodebuild -list -json | tr -d "\n")
diff --git a/ci/php.yml b/ci/php.yml
index 6acfdd1..a3bdfd7 100644
--- a/ci/php.yml
+++ b/ci/php.yml
@@ -6,20 +6,23 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Validate composer.json and composer.lock
run: composer validate --strict
- name: Cache Composer packages
id: composer-cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: vendor
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json
new file mode 100644
index 0000000..edbb086
--- /dev/null
+++ b/ci/properties/datadog-synthetics.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Datadog Synthetics",
+ "description": "Run Datadog Synthetic tests within your GitHub Actions workflow",
+ "creator": "Datadog",
+ "iconName": "datadog",
+ "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"]
+}
diff --git a/ci/properties/rubyonrails.properties.json b/ci/properties/rubyonrails.properties.json
index 49b29a4..7a2c18a 100644
--- a/ci/properties/rubyonrails.properties.json
+++ b/ci/properties/rubyonrails.properties.json
@@ -1,5 +1,5 @@
{
- "name": "Ruby on Rails continuous integration",
+ "name": "Ruby on Rails",
"description": "Build, lint, and test a Rails application",
"iconName": "rails",
"categories": ["Continuous integration", "Ruby", "Rails"]
diff --git a/ci/pylint.yml b/ci/pylint.yml
index 7b555fe..383e65c 100644
--- a/ci/pylint.yml
+++ b/ci/pylint.yml
@@ -9,9 +9,9 @@ jobs:
matrix:
python-version: ["3.8", "3.9", "3.10"]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
diff --git a/ci/python-app.yml b/ci/python-app.yml
index 2cfc2a3..4b7fa5f 100644
--- a/ci/python-app.yml
+++ b/ci/python-app.yml
@@ -9,15 +9,18 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python 3.10
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: "3.10"
- name: Install dependencies
diff --git a/ci/python-package-conda.yml b/ci/python-package-conda.yml
index 9bd6d2b..57940bd 100644
--- a/ci/python-package-conda.yml
+++ b/ci/python-package-conda.yml
@@ -9,9 +9,9 @@ jobs:
max-parallel: 5
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python 3.10
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: 3.10
- name: Add conda to system path
diff --git a/ci/python-package.yml b/ci/python-package.yml
index b0a63cf..583a366 100644
--- a/ci/python-package.yml
+++ b/ci/python-package.yml
@@ -19,9 +19,9 @@ jobs:
python-version: ["3.8", "3.9", "3.10"]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
diff --git a/ci/python-publish.yml b/ci/python-publish.yml
index 3bfabfc..ec70354 100644
--- a/ci/python-publish.yml
+++ b/ci/python-publish.yml
@@ -12,15 +12,18 @@ on:
release:
types: [published]
+permissions:
+ contents: read
+
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: '3.x'
- name: Install dependencies
diff --git a/ci/r.yml b/ci/r.yml
index 305c2cf..68f02d7 100644
--- a/ci/r.yml
+++ b/ci/r.yml
@@ -14,6 +14,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: macos-latest
@@ -22,7 +25,7 @@ jobs:
r-version: ['3.6.3', '4.1.1']
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up R ${{ matrix.r-version }}
uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a
with:
diff --git a/ci/ruby.yml b/ci/ruby.yml
index f6ae1e3..81ea363 100644
--- a/ci/ruby.yml
+++ b/ci/ruby.yml
@@ -13,6 +13,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
test:
@@ -22,12 +25,12 @@ jobs:
ruby-version: ['2.6', '2.7', '3.0']
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Ruby
# To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
# change this to (see https://github.com/ruby/setup-ruby#versioning):
# uses: ruby/setup-ruby@v1
- uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
+ uses: ruby/setup-ruby@2b019609e2b0f1ea1a2bc8ca11cb82ab46ada124
with:
ruby-version: ${{ matrix.ruby-version }}
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml
index b7b3624..2ad891f 100644
--- a/ci/rubyonrails.yml
+++ b/ci/rubyonrails.yml
@@ -27,7 +27,7 @@ jobs:
DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test"
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Add or replace dependency steps here
- name: Install Ruby and gems
uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
@@ -44,7 +44,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Install Ruby and gems
uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
with:
diff --git a/ci/rust.yml b/ci/rust.yml
index 6c82c61..d51f1af 100644
--- a/ci/rust.yml
+++ b/ci/rust.yml
@@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build
run: cargo build --verbose
- name: Run tests
diff --git a/ci/scala.yml b/ci/scala.yml
index af6b2ed..c985f74 100644
--- a/ci/scala.yml
+++ b/ci/scala.yml
@@ -6,15 +6,18 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/super-linter.yml b/ci/super-linter.yml
index bebd82d..275b34f 100644
--- a/ci/super-linter.yml
+++ b/ci/super-linter.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
with:
# Full git history is needed to get a proper list of changed files within `super-linter`
fetch-depth: 0
diff --git a/ci/swift.yml b/ci/swift.yml
index df062b5..3668fc0 100644
--- a/ci/swift.yml
+++ b/ci/swift.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: macos-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build
run: swift build -v
- name: Run tests
diff --git a/ci/symfony.yml b/ci/symfony.yml
index 7d1ca74..d1ac71a 100644
--- a/ci/symfony.yml
+++ b/ci/symfony.yml
@@ -6,6 +6,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
symfony-tests:
runs-on: ubuntu-latest
@@ -16,12 +19,12 @@ jobs:
- uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28
with:
php-version: '8.0'
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Copy .env.test.local
run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');"
- name: Cache Composer packages
id: composer-cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: vendor
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
diff --git a/ci/webpack.yml b/ci/webpack.yml
index 8edb34f..6449fe7 100644
--- a/ci/webpack.yml
+++ b/ci/webpack.yml
@@ -15,10 +15,10 @@ jobs:
node-version: [12.x, 14.x, 16.x]
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
index fcca708..6f52d5d 100644
--- a/code-scanning/anchore.yml
+++ b/code-scanning/anchore.yml
@@ -31,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout the code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
@@ -40,6 +40,6 @@ jobs:
image: "localbuild/testimage:latest"
acs-report-enable: true
- name: Upload Anchore Scan Report
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml
index 4737d06..5a9b751 100644
--- a/code-scanning/apisec-scan.yml
+++ b/code-scanning/apisec-scan.yml
@@ -64,6 +64,6 @@ jobs:
# The name of the sarif format result file The file is written only if this property is provided.
sarif-result-file: "apisec-results.sarif"
- name: Import results
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./apisec-results.sarif
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml
index d0b25ac..155208f 100644
--- a/code-scanning/brakeman.yml
+++ b/code-scanning/brakeman.yml
@@ -30,7 +30,7 @@ jobs:
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Customize the ruby version depending on your needs
- name: Setup Ruby
@@ -52,6 +52,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: output.sarif.json
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
index d012bce..297cae0 100644
--- a/code-scanning/checkmarx.yml
+++ b/code-scanning/checkmarx.yml
@@ -34,7 +34,7 @@ jobs:
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
- name: Checkmarx CxFlow Action
uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314
@@ -49,6 +49,6 @@ jobs:
params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory
# Upload the Report for CodeQL/Security Alerts
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: cx.sarif
diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml
new file mode 100644
index 0000000..4150cbb
--- /dev/null
+++ b/code-scanning/clj-holmes.yml
@@ -0,0 +1,43 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: clj-holmes
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ clj-holmes:
+ name: Run clj-holmes scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Scan code
+ uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
+ with:
+ rules-repository: 'git://org/private-rules-repo#main'
+ output-type: 'sarif'
+ output-file: 'clj-holmes-results.sarif'
+ fail-on-result: 'false'
+
+ - name: Upload analysis results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
+ ait-for-processing: true
\ No newline at end of file
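Review bot: `ait-for-processing: true` on the upload step is a typo for `wait-for-processing: true` (clj-watson.yml in this same commit spells it correctly); as written the input is unknown to the action, Actions only warns about it, and the job will not wait for SARIF processing as the author intended. The new file also pins `actions/checkout@v2` and `github/codeql-action/upload-sarif@v1` while every other hunk in this commit moves to `actions/checkout@v3` and `upload-sarif@v2`; the same `checkout@v2` appears in the new clj-watson.yml and neuralegion.yml. `rules-repository: 'git://org/private-rules-repo#main'` fetches the scanning rules over the unauthenticated, unencrypted git protocol, so the rules cannot be verified in transit and major forges, GitHub included, no longer serve `git://`; an `https://` or `ssh://` URL is the better placeholder for a template. The file also lacks a trailing newline.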
diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml
new file mode 100644
index 0000000..2e4ab3c
--- /dev/null
+++ b/code-scanning/clj-watson.yml
@@ -0,0 +1,53 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# clj-watson scans dependencies in a clojure deps.edn
+# seeking for vulnerable direct/transitive dependencies and
+# build a report with all the information needed to help you
+# understand how the vulnerability manifest in your software.
+# More details at https://github.com/clj-holmes/clj-watson
+
+name: clj-watson
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ clj-holmes:
+ name: Run clj-watson scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Dependency scan
+ uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c
+ with:
+ clj-watson-sha: "65d928c"
+ clj-watson-tag: "v4.0.1"
+ database-strategy: github-advisory
+ aliases: clojure-lsp,test
+ deps-edn-path: deps.edn
+ suggest-fix: true
+ output-type: sarif
+ output-file: clj-watson-results.sarif
+ fail-on-result: false
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{github.workspace}}/clj-watson-results.sarif
+ wait-for-processing: true
\ No newline at end of file
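Review bot: The job id is `clj-holmes:` inside the clj-watson workflow — evidently carried over from clj-holmes.yml — and should be `clj-watson:` so run names and required-check entries identify the right scanner. `clj-watson-sha: "65d928c"` pins the tool to an abbreviated 7-character commit; an abbreviated hash is a weak pin (it can become ambiguous and is easy to mistype), so, assuming the input accepts it, the full 40-character SHA of that commit is preferable, with `clj-watson-tag` kept as the human-readable label. `actions/checkout@v2` here should follow the rest of the commit to `@v3`. The file lacks a trailing newline.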
diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml
index 00e270a..4a0cd73 100644
--- a/code-scanning/cloudrail.yml
+++ b/code-scanning/cloudrail.yml
@@ -24,7 +24,7 @@ jobs:
steps:
- name: Clone repo
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# For Terraform, Cloudrail requires the plan as input. So we generate it using
# the Terraform core binary.
@@ -50,7 +50,7 @@ jobs:
cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
# is needed to ensure the SARIF file is uploaded
if: always()
diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml
index 4892930..b74e449 100644
--- a/code-scanning/codacy.yml
+++ b/code-scanning/codacy.yml
@@ -35,7 +35,7 @@ jobs:
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
- name: Run Codacy Analysis CLI
@@ -55,6 +55,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 57b4b69..a113b59 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -34,37 +34,39 @@ jobs:
matrix:
language: [ $detected-codeql-languages ]
# CodeQL supports [ $supported-codeql-languages ]
- # Learn more about CodeQL language support at https://git.io/codeql-language-support
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v1
+ uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
- # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
- uses: github/codeql-action/autobuild@v1
+ uses: github/codeql-action/autobuild@v2
# ℹ️ Command-line programs to run using the OS shell.
- # 📚 https://git.io/JvXDl
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
- #- run: |
- # make bootstrap
- # make release
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
+ uses: github/codeql-action/analyze@v2
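Review bot: The rewritten comment `# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.` is a sentence fragment — the old text's trailing "uses a compiled language" was dropped, leaving two clauses spliced together. Suggest `# Modify them (or add more) to build your code if your project uses a compiled language; see the EXAMPLE below for guidance.`, and end the preceding line with a comma, `# If the Autobuild fails above, remove it and uncomment the following three lines,`, so the two lines read as one sentence. The hunk starts mid-job; the enclosing job and its `steps:` list begin above it.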
diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml
index 5886843..92707b1 100644
--- a/code-scanning/codescan.yml
+++ b/code-scanning/codescan.yml
@@ -17,14 +17,20 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
CodeScan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Cache files
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: |
~/.sonar
@@ -37,6 +43,6 @@ jobs:
organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: codescan.sarif
diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml
index e8e2447..07cd73a 100644
--- a/code-scanning/crunch42.yml
+++ b/code-scanning/crunch42.yml
@@ -43,7 +43,7 @@ jobs:
security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: 42Crunch REST API Static Security Testing
uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1
diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml
new file mode 100644
index 0000000..0e72a00
--- /dev/null
+++ b/code-scanning/dependency-review.yml
@@ -0,0 +1,20 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v3
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v1
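Review bot: The header comment on the third line misspells `Pull Reqest`; it should read `Pull Request`. That line also runs to well over 200 characters, so wrapping it across two or three `#` lines would keep the template readable alongside the other headers in this directory. The top-level `permissions: contents: read` and `actions/checkout@v3` match the rest of the commit.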
diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml
index a8610c3..0c65813 100644
--- a/code-scanning/detekt.yml
+++ b/code-scanning/detekt.yml
@@ -45,7 +45,7 @@ jobs:
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Gets the download URL associated with the $DETEKT_RELEASE_TAG
- name: Get Detekt download URL
@@ -111,7 +111,7 @@ jobs:
)" > ${{ github.workspace }}/detekt.sarif.json
# Uploads results to GitHub repository using the upload-sarif action
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: ${{ github.workspace }}/detekt.sarif.json
diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml
index 3a5c45f..bf11261 100644
--- a/code-scanning/devskim.yml
+++ b/code-scanning/devskim.yml
@@ -23,12 +23,12 @@ jobs:
security-events: write
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Run DevSkim scanner
uses: microsoft/DevSkim-Action@v1
- name: Upload DevSkim scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: devskim-results.sarif
diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml
new file mode 100644
index 0000000..9067a7d
--- /dev/null
+++ b/code-scanning/eslint.yml
@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# ESLint is a tool for identifying and reporting on patterns
+# found in ECMAScript/JavaScript code.
+# More details at https://github.com/eslint/eslint
+# and https://eslint.org
+
+name: ESLint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ eslint:
+ name: Run eslint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Install ESLint
+ run: |
+ npm install eslint@8.10.0
+ npm install @microsoft/eslint-formatter-sarif@2.1.7
+
+ - name: Run ESLint
+ run: npx eslint .
+ --config .eslintrc.js
+ --ext .js,.jsx,.ts,.tsx
+ --format @microsoft/eslint-formatter-sarif
+ --output-file eslint-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: eslint-results.sarif
+ wait-for-processing: true
\ No newline at end of file
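Review bot: Unlike the sibling templates added in this commit (clj-holmes.yml, hadolint.yml), this workflow has no top-level `permissions:` block; the job-level grant covers the `eslint` job, but a top-level `permissions:` with `contents: read` keeps the default token read-only for any job added later and matches the rest of the set. The `run: npx eslint .` step continues its arguments on the following lines as a multi-line plain scalar, which YAML folds into one command but which breaks silently if a continuation line is re-indented or gains a ` #`; a folded block scalar, `run: >-` followed by the same lines, states the intent explicitly. The file lacks a trailing newline.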
diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml
index 080953e..4ed8792 100644
--- a/code-scanning/flawfinder.yml
+++ b/code-scanning/flawfinder.yml
@@ -24,7 +24,7 @@ jobs:
security-events: write
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: flawfinder_scan
uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
@@ -33,6 +33,6 @@ jobs:
output: 'flawfinder_results.sarif'
- name: Upload analysis results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{github.workspace}}/flawfinder_results.sarif
\ No newline at end of file
diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml
index d67d194..5e7c422 100644
--- a/code-scanning/fortify.yml
+++ b/code-scanning/fortify.yml
@@ -39,14 +39,15 @@ jobs:
steps:
# Check out source code
- name: Check Out Source Code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Java is required to run the various Fortify utilities.
# When scanning a Java application, please use the appropriate Java version for building your application.
- name: Setup Java
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v3
with:
- java-version: 1.8
+ java-version: 8
+ distribution: 'temurin'
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
@@ -92,6 +93,6 @@ jobs:
# Import Fortify on Demand results to GitHub Security Code Scanning
- name: Import Results
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./gh-fortify-sast.sarif
diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml
new file mode 100644
index 0000000..2f554e4
--- /dev/null
+++ b/code-scanning/hadolint.yml
@@ -0,0 +1,47 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# hadoint is a Dockerfile linter written in Haskell
+# that helps you build best practice Docker images.
+# More details at https://github.com/hadolint/hadolint
+
+name: Hadolint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ hadolint:
+ name: Run hadolint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run hadolint
+ uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183
+ with:
+ dockerfile: ./Dockerfile
+ format: sarif
+ output-file: hadolint-results.sarif
+ no-fail: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: hadolint-results.sarif
+ wait-for-processing: true
\ No newline at end of file
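Review bot: The header comment misspells the tool as `hadoint`; it should read `# hadolint is a Dockerfile linter written in Haskell`. Otherwise the template is consistent with the others in this commit — top-level `permissions: contents: read`, job-level `security-events: write`, `actions/checkout@v3`, and a SHA-pinned third-party action. The file lacks a trailing newline.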
diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml
index 1cad70c..c432673 100644
--- a/code-scanning/kubesec.yml
+++ b/code-scanning/kubesec.yml
@@ -24,7 +24,7 @@ jobs:
security-events: write
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Run kubesec scanner
uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14
@@ -36,6 +36,6 @@ jobs:
exit-code: "0"
- name: Upload Kubesec scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: kubesec-results.sarif
\ No newline at end of file
diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml
index 59d66a0..64fe71a 100644
--- a/code-scanning/mayhem-for-api.yml
+++ b/code-scanning/mayhem-for-api.yml
@@ -42,7 +42,7 @@ jobs:
contents: read
security-events: write
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Run your API in the background. Ideally, the API would run in debug
# mode & send stacktraces back on "500 Internal Server Error" responses
@@ -61,6 +61,6 @@ jobs:
sarif-report: mapi.sarif
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: mapi.sarif
diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml
index d8eaa92..6d2bfb8 100644
--- a/code-scanning/mobsf.yml
+++ b/code-scanning/mobsf.yml
@@ -24,10 +24,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Setup python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v3
with:
python-version: 3.8
@@ -37,6 +37,6 @@ jobs:
args: . --sarif --output results.sarif || true
- name: Upload mobsfscan report
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml
index 0abb409..863fbcb 100644
--- a/code-scanning/msvc.yml
+++ b/code-scanning/msvc.yml
@@ -33,7 +33,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Configure CMake
run: cmake -B ${{ env.build }}
@@ -53,7 +53,7 @@ jobs:
# Upload SARIF file to GitHub Code Scanning Alerts
- name: Upload SARIF to GitHub
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml
new file mode 100644
index 0000000..e24e14a
--- /dev/null
+++ b/code-scanning/neuralegion.yml
@@ -0,0 +1,175 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Run a Nexploit Scan
+# This action runs a new security scan in Nexploit, or reruns an existing one.
+# Build Secure Apps & APIs. Fast.
+# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love.
+# Automatically Tests Every Aspect of Your Apps & APIs
+# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports
+# Seamlessly integrates with the Tools and Workflows You Already Use
+#
+# NeuraLegion works with your existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing.
+# Spin-Up, Configure and Control Scans with Code
+# One file. One command. One scan. No UI needed.
+#
+# Super-Fast Scans
+#
+# Interacts with applications and APIs, instead of just crawling them and guessing.
+# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks.
+#
+# No False Positives
+#
+# Stop chasing ghosts and wasting time. NeuraLegion doesn’t return false positives, so you can focus on releasing code.
+#
+# Comprehensive Security Testing
+#
+# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities.
+#
+# More information is available on NeuraLegion’s:
+# * [Website](https://www.neuralegion.com/)
+# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart)
+# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw)
+# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+)
+#
+# Inputs
+#
+# `name`
+#
+# **Required**. Scan name.
+#
+# _Example:_ `name: GitHub scan ${{ github.sha }}`
+#
+# `api_token`
+#
+# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens).
+#
+# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}`
+#
+# `restart_scan`
+#
+# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements.
+#
+# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)`
+#
+# `discovery_types`
+#
+# **Required**. Array of discovery types. The following types are available:
+# * `archive` - uses an uploaded HAR-file for a scan
+# * `crawler` - uses a crawler to define the attack surface for a scan
+# * `oas` - uses an uploaded OpenAPI schema for a scan
+# If no discovery type is specified, `crawler` is applied by default.
+#
+# _Example:_
+#
+# ```yml
+# discovery_types: |
+# [ "crawler", "archive" ]
+# ```
+#
+# `file_id`
+#
+# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login).
+#
+# _Example:_
+#
+# ```
+# FILE_ID=$(nexploit-cli archive:upload \
+# --token ${{ secrets.NEXPLOIT_TOKEN }} \
+# --discard true \
+# ./example.har)
+# ```
+#
+# `crawler_urls`
+#
+# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface.
+#
+# _Example:_
+#
+# ```
+# crawler_urls: |
+# [ "http://vulnerable-bank.com" ]
+# ```
+#
+# `hosts_filter`
+#
+# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan.
+#
+# Outputs
+#
+# `url`
+#
+# Url of the resulting scan
+#
+# `id`
+#
+# ID of the created scan. This ID could then be used to restart the scan, or for the following GitHub actions:
+# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues)
+# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan)
+#
+# Example usage
+#
+# Start a new scan with parameters
+#
+# ```yml
+# steps:
+# - name: Start Nexploit Scan
+# id: start
+# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+# with:
+# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
+# name: GitHub scan ${{ github.sha }}
+# discovery_types: |
+# [ "crawler", "archive" ]
+# crawler_urls: |
+# [ "http://vulnerable-bank.com" ]
+# file_id: LiYknMYSdbSZbqgMaC9Sj
+# hosts_filter: |
+# [ ]
+# - name: Get the output scan url
+# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
+# ```
+#
+# Restart an existing scan
+#
+# ```yml
+# steps:
+# - name: Start Nexploit Scan
+# id: start
+# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+# with:
+# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
+# name: GitHub scan ${{ github.sha }}
+# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ
+# - name: Get the output scan url
+# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
+
+
+name: "NeuraLegion"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ neuralegion_scan:
+ runs-on: ubuntu-18.04
+ name: A job to run a Nexploit scan
+ steps:
+ - uses: actions/checkout@v2
+ - name: Start Nexploit Scan 🏁
+ id: start
+ uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+ with:
+ api_token: ${{ secrets.NEURALEGION_TOKEN }}
+ name: GitHub scan ${{ github.sha }}
+ discovery_types: |
+ [ "crawler" ]
+ crawler_urls: |
+ [ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan
diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml
index a6da087..8c359b8 100644
--- a/code-scanning/njsscan.yml
+++ b/code-scanning/njsscan.yml
@@ -29,13 +29,13 @@ jobs:
name: njsscan code scanning
steps:
- name: Checkout the code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711
with:
args: '. --sarif --output results.sarif || true'
- name: Upload njsscan report
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml
index 92126bd..7b5ba8f 100644
--- a/code-scanning/nowsecure.yml
+++ b/code-scanning/nowsecure.yml
@@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Build your application
run: ./gradlew assembleDebug # Update this to build your Android or iOS application
@@ -47,6 +47,6 @@ jobs:
group_id: {{ groupId }} # Update this to your desired Platform group ID
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: NowSecure.sarif
diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml
index b5aefa4..cbef5a2 100644
--- a/code-scanning/ossar.yml
+++ b/code-scanning/ossar.yml
@@ -17,15 +17,21 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
OSSAR-Scan:
# OSSAR runs on windows-latest.
# ubuntu-latest and macos-latest support coming soon
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: windows-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Ensure a compatible version of dotnet is installed.
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
@@ -33,7 +39,7 @@ jobs:
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
# - name: Install .NET
- # uses: actions/setup-dotnet@v1
+ # uses: actions/setup-dotnet@v2
# with:
# dotnet-version: '3.1.x'
@@ -44,6 +50,6 @@ jobs:
# Upload results to the Security tab
- name: Upload OSSAR results
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml
index 0604734..a1e32c4 100644
--- a/code-scanning/pmd.yml
+++ b/code-scanning/pmd.yml
@@ -13,13 +13,19 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
pmd-code-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
@@ -31,6 +37,6 @@ jobs:
sourcePath: 'src/main/java'
analyzeModifiedFilesOnly: false
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: pmd-report.sarif
diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml
index dfbf452..1d72a9b 100644
--- a/code-scanning/powershell.yml
+++ b/code-scanning/powershell.yml
@@ -17,12 +17,18 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: PSScriptAnalyzer
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Run PSScriptAnalyzer
uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061
@@ -37,6 +43,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml
index 5b11482..6f2031b 100644
--- a/code-scanning/prisma.yml
+++ b/code-scanning/prisma.yml
@@ -33,7 +33,7 @@ jobs:
name: Run Prisma Cloud IaC Scan to check
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- id: iac-scan
name: Run Scan on CFT files in the repository
uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3
@@ -48,7 +48,7 @@ jobs:
# The service need to know the type of IaC being scanned
template_type: 'CFT'
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed.
diff --git a/code-scanning/properties/clj-holmes.properties.json b/code-scanning/properties/clj-holmes.properties.json
new file mode 100644
index 0000000..71f29c0
--- /dev/null
+++ b/code-scanning/properties/clj-holmes.properties.json
@@ -0,0 +1,10 @@
+{
+ "name": "clj-holmes",
+ "creator": "Matheus Bernardes",
+ "description": "A Static Application Security Testing tool to find vulnerable Clojure code via rules that use a simple pattern language.",
+ "iconName": "clj-holmes",
+ "categories": [
+ "Code Scanning",
+ "clojure"
+ ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/clj-watson.properties.json b/code-scanning/properties/clj-watson.properties.json
new file mode 100644
index 0000000..966314a
--- /dev/null
+++ b/code-scanning/properties/clj-watson.properties.json
@@ -0,0 +1,9 @@
+{
+ "name": "clj-watson",
+ "description": "Scan Clojure/Clojurescript projects for vulnerable direct/transitive dependencies.",
+ "iconName": "clj-watson",
+ "categories": [
+ "Code Scanning",
+ "Clojure"
+ ]
+}
diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json
new file mode 100644
index 0000000..c195c73
--- /dev/null
+++ b/code-scanning/properties/dependency-review.properties.json
@@ -0,0 +1,16 @@
+{
+ "name": "Dependency Review",
+ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository",
+ "iconName": "octicon mark-github",
+ "categories": [
+ "Dependency review",
+ "Dependency graph",
+ "Go",
+ "Java",
+ "JavaScript",
+ "TypeScript",
+ "Python",
+ "Ruby",
+ "Actions",
+ "PHP"]
+}
diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json
new file mode 100644
index 0000000..a84646a
--- /dev/null
+++ b/code-scanning/properties/eslint.properties.json
@@ -0,0 +1,11 @@
+{
+ "name": "ESLint",
+ "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.",
+ "iconName": "eslint",
+ "categories": [
+ "Code Scanning",
+ "JavaScript",
+ "EcmaScript",
+ "TypeScript"
+ ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/hadolint.properties.json b/code-scanning/properties/hadolint.properties.json
new file mode 100644
index 0000000..b4f7141
--- /dev/null
+++ b/code-scanning/properties/hadolint.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Haskell Dockerfile Linter",
+ "description": "A smarter Dockerfile linter that helps you build best practice Docker images.",
+ "iconName": "hadolint",
+ "categories": ["Code Scanning", "Dockerfile"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/neuralegion.properties.json b/code-scanning/properties/neuralegion.properties.json
new file mode 100644
index 0000000..ee64a52
--- /dev/null
+++ b/code-scanning/properties/neuralegion.properties.json
@@ -0,0 +1,24 @@
+{
+ "name": "NeuraLegion",
+ "creator": "NeuraLegion",
+ "description": "Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports",
+ "iconName": "neuralegion",
+ "categories": [
+ "Code Scanning",
+ "C",
+ "C#",
+ "C++",
+ "Go",
+ "Java",
+ "JavaScript",
+ "Kotlin",
+ "Objective C",
+ "PHP",
+ "Python",
+ "Ruby",
+ "Rust",
+ "Scala",
+ "Swift",
+ "TypeScript"
+ ]
+}
diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json
new file mode 100644
index 0000000..4737786
--- /dev/null
+++ b/code-scanning/properties/rust-clippy.properties.json
@@ -0,0 +1,9 @@
+{
+ "name": "rust-clippy",
+ "description": "A collection of lints to catch common mistakes and improve your Rust code.",
+ "iconName": "rust",
+ "categories": [
+ "Code Scanning",
+ "rust"
+ ]
+}
diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json
deleted file mode 100644
index 1cb36c9..0000000
--- a/code-scanning/properties/shiftleft.properties.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "name": "Scan",
- "creator": "ShiftLeft",
- "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.",
- "iconName": "shiftleft",
- "categories": ["Code Scanning"]
-}
\ No newline at end of file
diff --git a/code-scanning/properties/sobelow.properties.json b/code-scanning/properties/sobelow.properties.json
new file mode 100644
index 0000000..163e866
--- /dev/null
+++ b/code-scanning/properties/sobelow.properties.json
@@ -0,0 +1,11 @@
+{
+ "name": "Sobelow",
+ "creator": "nccgroup",
+ "description": "Sobelow is a security-focused static analysis tool for the Phoenix framework.",
+ "iconName": "sobelow",
+ "categories": [
+ "Code Scanning",
+ "Elixir"
+ ]
+ }
+
\ No newline at end of file
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
new file mode 100644
index 0000000..9b88a78
--- /dev/null
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SonarCloud",
+ "creator": "Sonar",
+ "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!",
+ "iconName": "sonarcloud",
+ "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
+}
diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml
index 373d5b6..ed458b2 100644
--- a/code-scanning/rubocop.yml
+++ b/code-scanning/rubocop.yml
@@ -23,7 +23,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# If running on a self-hosted runner, check it meets the requirements
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
@@ -47,6 +47,6 @@ jobs:
"
- name: Upload Sarif output
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: rubocop.sarif
diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml
new file mode 100644
index 0000000..e9c426a
--- /dev/null
+++ b/code-scanning/rust-clippy.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# rust-clippy is a tool that runs a bunch of lints to catch common
+# mistakes in your Rust code and help improve your Rust code.
+# More details at https://github.com/rust-lang/rust-clippy
+# and https://rust-lang.github.io/rust-clippy/
+
+name: rust-clippy analyze
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ rust-clippy-analyze:
+ name: Run rust-clippy analyzing
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Install Rust toolchain
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1
+ with:
+ profile: minimal
+ toolchain: stable
+ components: clippy
+ override: true
+
+ - name: Install required cargo
+ run: cargo install clippy-sarif sarif-fmt
+
+ - name: Run rust-clippy
+ run:
+ cargo clippy
+ --all-features
+ --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: rust-clippy-results.sarif
+ wait-for-processing: true
\ No newline at end of file
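Review bot: The new workflow ships with `actions/checkout@v2` and `github/codeql-action/upload-sarif@v1` while every other file in this same change is moved to `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2`; bump both lines here so the file does not start out behind the convention the commit itself establishes. The `cargo install clippy-sarif sarif-fmt` step also resolves to whatever crates.io serves at run time, with neither a version nor `--locked`, so the SARIF conversion is an unpinned build-time dependency in a security workflow; pin it as `cargo install --locked clippy-sarif@<version> sarif-fmt@<version>` with versions chosen when the template is adopted. Unlike the sibling workflows in this change there is no workflow-level `permissions: contents: read` block; the job-level block covers this job, but adding the top-level default keeps the file consistent with the rest of the directory. The file is also missing its trailing newline.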
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml
index d63b462..a6bde3a 100644
--- a/code-scanning/scorecards.yml
+++ b/code-scanning/scorecards.yml
@@ -22,7 +22,7 @@ jobs:
steps:
- name: "Checkout code"
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+ uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
with:
persist-credentials: false
@@ -42,7 +42,7 @@ jobs:
# Upload the results as artifacts (optional).
- name: "Upload artifact"
- uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
+ uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
with:
name: SARIF file
path: results.sarif
diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml
index 3063c7a..b6ee5ad 100644
--- a/code-scanning/securitycodescan.yml
+++ b/code-scanning/securitycodescan.yml
@@ -21,7 +21,7 @@ jobs:
SCS:
runs-on: windows-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1
- uses: microsoft/setup-msbuild@v1.0.2
@@ -38,4 +38,4 @@ jobs:
uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
- name: Upload sarif
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml
index f99d441..fae9885 100644
--- a/code-scanning/semgrep.yml
+++ b/code-scanning/semgrep.yml
@@ -31,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
steps:
# Checkout project source
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
# Scan code using project's configuration on https://semgrep.dev/manage
- uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735
@@ -42,7 +42,7 @@ jobs:
# Upload SARIF file generated in previous step
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: semgrep.sarif
if: always()
diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml
deleted file mode 100644
index 48b86d3..0000000
--- a/code-scanning/shiftleft.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow integrates Scan with GitHub's code scanning feature
-# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
-# Visit https://slscan.io/en/latest/integrations/code-scan for help
-name: SL Scan
-
-on:
- push:
- branches: [ $default-branch, $protected-branches ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ $default-branch ]
- schedule:
- - cron: $cron-weekly
-
-jobs:
- Scan-Build:
- # Scan runs on ubuntu, mac and windows
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- # Instructions
- # 1. Setup JDK, Node.js, Python etc depending on your project type
- # 2. Compile or build the project before invoking scan
- # Example: mvn compile, or npm install or pip install goes here
- # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
-
- - name: Perform Scan
- uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64
- env:
- WORKSPACE: ""
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SCAN_AUTO_BUILD: true
- with:
- output: reports
- # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
- # type: credscan,java
- # type: python
-
- - name: Upload report
- uses: github/codeql-action/upload-sarif@v1
- with:
- sarif_file: reports
diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml
index 8ff2c9a..0fbbf87 100644
--- a/code-scanning/snyk-container.yml
+++ b/code-scanning/snyk-container.yml
@@ -22,11 +22,17 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
snyk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build a Docker image
run: docker build -t your/image-to-test .
- name: Run Snyk to check Docker image for vulnerabilities
@@ -43,6 +49,6 @@ jobs:
image: your/image-to-test
args: --file=Dockerfile
- name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml
index b79bf34..a685323 100644
--- a/code-scanning/snyk-infrastructure.yml
+++ b/code-scanning/snyk-infrastructure.yml
@@ -21,11 +21,17 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
snyk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Run Snyk to check configuration files for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the issues to GitHub Code Scanning
@@ -42,6 +48,6 @@ jobs:
# or `main.tf` for a Terraform configuration file
file: your-file-to-test.yaml
- name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml
new file mode 100644
index 0000000..21cb6e7
--- /dev/null
+++ b/code-scanning/sobelow.yml
@@ -0,0 +1,40 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/
+#
+# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository.
+#
+# Instructions:
+# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
+# and review the "Security" tab once the action has run.
+name: Sobelow
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ security-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - id: run-action
+ uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912
+ - name: Upload report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
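Review bot: The "Instructions:" comment starts at step 2 with no step 1, so either the numbering should start at 1 or the missing first step (presumably enabling code scanning, given the GHAS line just above it) should be restored. The `id: run-action` on the sobelow step is never referenced by a later step and can be dropped. The hard-coded `sarif_file: results.sarif` assumes the pinned action writes its report to that path; once confirmed against the action's documentation, a comment such as `# sobelow/action writes its SARIF report to results.sarif` would make the coupling explicit.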
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
new file mode 100644
index 0000000..ff388c8
--- /dev/null
+++ b/code-scanning/sonarcloud.yml
@@ -0,0 +1,68 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow helps you trigger a SonarCloud analysis of your code and populates
+# GitHub Code Scanning alerts with the vulnerabilities found.
+# Free for open source project.
+
+# 1. Login to SonarCloud.io using your GitHub account
+
+# 2. Import your project on SonarCloud
+# * Add your GitHub organization first, then add your repository as a new project.
+# * Please note that many languages are eligible for automatic analysis,
+# which means that the analysis will start automatically without the need to set up GitHub Actions.
+# * This behavior can be changed in Administration > Analysis Method.
+#
+# 3. Follow the SonarCloud in-product tutorial
+# * a. Copy/paste the Project Key and the Organization Key into the args parameter below
+# (You'll find this information in SonarCloud. Click on "Information" at the bottom left)
+#
+# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
+# (On SonarCloud, click on your avatar on top-right > My account > Security
+# or go directly to https://sonarcloud.io/account/security/)
+
+# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
+# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
+
+name: SonarCloud analysis
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ workflow_dispatch:
+
+permissions:
+ pull-requests: read # allows SonarCloud to decorate PRs with analysis results
+
+jobs:
+ Analysis:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Analyze with SonarCloud
+
+ # You can pin the exact commit or the version.
+ # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
+ with:
+ # Additional arguments for the sonarcloud scanner
+ args:
+ # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
+ # mandatory
+ -Dsonar.projectKey=
+ -Dsonar.organization=
+ # Comma-separated paths to directories containing main source files.
+ #-Dsonar.sources= # optional, default is project base directory
+ # When you need the analysis to take place in a directory other than the one from which it was launched
+ #-Dsonar.projectBaseDir= # optional, default is .
+ # Comma-separated paths to directories containing test source files.
+ #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+ #-Dsonar.verbose= # optional, default is false
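Review bot: The `Analysis` job has no `actions/checkout` step, so unless the SonarSource action fetches the repository itself (nothing in the hunk suggests it does) the scanner runs against an empty workspace and uploads nothing useful; add a checkout before "Analyze with SonarCloud", and since the workflow declares a `permissions` block, grant `contents: read` alongside `pull-requests: read` or the checkout will be denied. A full-history checkout (`fetch-depth: 0`) is what SonarCloud's own setup guidance recommends for relevant new-code analysis, so it is worth including in the template. Separately, the commented "You can pin the exact commit or the version" alternative is byte-identical to the live `uses:` line, so it documents no alternative; either drop the duplicate or show the tag form there.
```yaml
permissions:
  contents: read        # actions/checkout needs to read the repository
  pull-requests: read   # allows SonarCloud to decorate PRs with analysis results

# … unchanged: jobs.Analysis header …
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # shallow clones reduce the relevancy of SonarCloud analysis
      - name: Analyze with SonarCloud
# … unchanged: uses / env / with …
```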
diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml
index af220c0..64e9b9b 100644
--- a/code-scanning/stackhawk.yml
+++ b/code-scanning/stackhawk.yml
@@ -49,7 +49,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Start your service
run: ./your-service.sh & # ✏️ Update this to run your own service to be scanned
diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml
index 0c1ff16..c32334c 100644
--- a/code-scanning/synopsys-io.yml
+++ b/code-scanning/synopsys-io.yml
@@ -25,7 +25,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Synopsys Intelligent Security Scan
id: prescription
@@ -71,7 +71,7 @@ jobs:
- name: Upload SARIF file
if: ${{steps.prescription.outputs.sastScan == 'true' }}
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: workflowengine-results.sarif.json
diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml
index f9b29fc..f075a80 100644
--- a/code-scanning/sysdig-scan.yml
+++ b/code-scanning/sysdig-scan.yml
@@ -27,7 +27,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Build the Docker image
# Tag image to be built
@@ -54,7 +54,7 @@ jobs:
# Sysdig inline scanner requires privileged rights
run-as-user: root
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
#Upload SARIF file
if: always()
with:
diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml
index 479f713..6536fbe 100644
--- a/code-scanning/tfsec.yml
+++ b/code-scanning/tfsec.yml
@@ -24,7 +24,7 @@ jobs:
steps:
- name: Clone repo
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Run tfsec
uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
@@ -32,7 +32,7 @@ jobs:
sarif_file: tfsec.sarif
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: tfsec.sarif
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index 3d5373f..06b5cae 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -26,7 +26,7 @@ jobs:
runs-on: "ubuntu-18.04"
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
@@ -42,6 +42,6 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml
index 073d1b6..b8a5b37 100644
--- a/code-scanning/veracode.yml
+++ b/code-scanning/veracode.yml
@@ -31,7 +31,7 @@ jobs:
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
with:
repository: ''
@@ -41,9 +41,10 @@ jobs:
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- run: unzip -o pipeline-scan-LATEST.zip
- - uses: actions/setup-java@v1
+ - uses: actions/setup-java@v3
with:
- java-version: 1.8
+ java-version: 8
+ distribution: 'temurin'
- run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip
continue-on-error: true
- name: Convert pipeline scan output to SARIF format
@@ -51,7 +52,7 @@ jobs:
uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
with:
pipeline-results-json: results.json
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: veracode-results.sarif
diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml
index dc3c9ce..3462eaa 100644
--- a/code-scanning/xanitizer.yml
+++ b/code-scanning/xanitizer.yml
@@ -42,22 +42,29 @@ on:
- cron: $cron-weekly
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
xanitizer-security-analysis:
# Xanitizer runs on ubuntu-latest and windows-latest.
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
# Check out the repository
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Set up the correct Java version for your project
# Please comment out, if your project does not contain Java source code.
- name: Set up JDK 11
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v3
with:
java-version: 11
+ distribution: 'temurin'
# Compile the code for Java projects and get all libraries, e.g. via Maven
# Please adapt, if your project uses another build system to compile Java source code.
@@ -87,6 +94,6 @@ jobs:
*-Findings-List.sarif
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: Xanitizer-Findings-List.sarif
diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml
index ded9178..d7c27d9 100644
--- a/deployments/alibabacloud.yml
+++ b/deployments/alibabacloud.yml
@@ -40,6 +40,9 @@ env:
ACR_EE_IMAGE: repo
ACR_EE_TAG: ${{ github.sha }}
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -47,7 +50,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# 1.1 Login to ACR
- name: Login to ACR with the AccessKey pair
@@ -74,7 +77,7 @@ jobs:
tag: "${{ env.TAG }}"
# 2.1 (Optional) Login to ACR EE
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Login to ACR EE with the AccessKey pair
uses: aliyun/acr-login@v1
with:
diff --git a/deployments/aws.yml b/deployments/aws.yml
index dab851f..47253bf 100644
--- a/deployments/aws.yml
+++ b/deployments/aws.yml
@@ -41,6 +41,9 @@ env:
CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the
# containerDefinitions section of your task definition
+permissions:
+ contents: read
+
jobs:
deploy:
name: Deploy
@@ -49,7 +52,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml
index 57fe362..8b69065 100644
--- a/deployments/azure-container-webapp.yml
+++ b/deployments/azure-container-webapp.yml
@@ -35,12 +35,15 @@ on:
- $default-branch
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
@@ -63,6 +66,8 @@ jobs:
file: ./Dockerfile
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml
index 506819d..510abcd 100644
--- a/deployments/azure-kubernetes-service-helm.yml
+++ b/deployments/azure-kubernetes-service-helm.yml
@@ -9,17 +9,17 @@
# To configure this workflow:
#
# 1. Set the following secrets in your repository (instructions for getting these
-# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
-# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
#
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm.
# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration.
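Review bot: The rewritten documentation link ends with a stray extra parenthesis, `%2Clinux)):`, whereas the same line in the kompose template reads `%2Clinux):`; drop the duplicate so the closing bracket of the parenthetical is not copied into the URL by readers. The rest of the comment block reads correctly.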
@@ -48,16 +48,14 @@ env:
CHART_OVERRIDE_PATH: "your-chart-override-path"
jobs:
- build:
+ buildImage:
permissions:
- actions: read
contents: read
id-token: write
-
runs-on: ubuntu-latest
steps:
# Checks out the repository this file is in
- - uses: actions/checkout@master
+ - uses: actions/checkout@v3
# Logs in with your Azure credentials
- name: Azure login
@@ -72,6 +70,20 @@ jobs:
run: |
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- name: Get K8s context
uses: azure/aks-set-context@v2.0
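Review bot: The new `createSecret` job is granted `contents: read` although no visible step in it checks out or reads the repository—only `id-token: write` is exercised, by the OIDC `azure/login` step. Once a job-level `permissions` block exists, unspecified scopes default to none, so removing the `contents: read` line keeps the job at least privilege; the job's remaining steps lie outside this hunk, so confirm none of them needs repository access before dropping it.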
@@ -85,7 +97,9 @@ jobs:
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
echo "::set-output name=password::${ACR_PASSWORD}"
id: get-acr-creds
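Review bot: The step still runs `az acr update ... --admin-enabled true` on every workflow run and then exports the admin username/password; the added `::add-mask::` lines only keep those values out of the job log, they do not change that a shared, non-rotating registry credential is being enabled and persisted into the cluster as an ImagePullSecret. Consider replacing this with a managed-identity pull by attaching the registry to the cluster (`az aks update --attach-acr`) and dropping the credential export, or at minimum add a comment above the step stating the trade-off, e.g. `# NOTE: enabling the ACR admin user creates a long-lived shared credential; prefer attaching the ACR to AKS where possible.` The `::set-output` commands are the older output mechanism; if the target runner version supports it, `echo "username=${ACR_USERNAME}" >> "$GITHUB_OUTPUT"` is the current form. The `run:` block this belongs to begins outside the hunk.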
@@ -96,7 +110,30 @@ jobs:
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
# Runs Helm to create manifest files
- name: Bake deployment
@@ -112,11 +149,11 @@ jobs:
# Deploys application based on manifest files from previous step
- name: Deploy application
- uses: Azure/k8s-deploy@v3.0
+ uses: Azure/k8s-deploy@v3.1
with:
action: deploy
manifests: ${{ steps.bake.outputs.manifestsBundle }}
images: |
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
\ No newline at end of file
diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml
index 1d33fe3..0cf23ba 100644
--- a/deployments/azure-kubernetes-service-kompose.yml
+++ b/deployments/azure-kubernetes-service-kompose.yml
@@ -9,17 +9,17 @@
# To configure this workflow:
#
# 1. Set the following secrets in your repository (instructions for getting these
-# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
-# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
#
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose.
# Set your dockerComposeFile and kompose-version to suit your configuration.
@@ -40,16 +40,14 @@ env:
DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path"
jobs:
- build:
+ buildImage:
permissions:
- actions: read
contents: read
id-token: write
-
runs-on: ubuntu-latest
steps:
# Checks out the repository this file is in
- - uses: actions/checkout@master
+ - uses: actions/checkout@v3
# Logs in with your Azure credentials
- name: Azure login
@@ -63,7 +61,21 @@ jobs:
- name: Build and push image to ACR
run: |
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
-
+
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- name: Get K8s context
uses: azure/aks-set-context@v2.0
@@ -77,7 +89,9 @@ jobs:
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
echo "::set-output name=password::${ACR_PASSWORD}"
id: get-acr-creds
@@ -88,7 +102,33 @@ jobs:
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
# Runs Kompose to create manifest files
- name: Bake deployment
@@ -101,11 +141,11 @@ jobs:
# Deploys application based on manifest files from previous step
- name: Deploy application
- uses: Azure/k8s-deploy@v3.0
+ uses: Azure/k8s-deploy@v3.1
with:
action: deploy
manifests: ${{ steps.bake.outputs.manifestsBundle }}
images: |
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
\ No newline at end of file
diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml
index 51b7d69..14469db 100644
--- a/deployments/azure-kubernetes-service-kustomize.yml
+++ b/deployments/azure-kubernetes-service-kustomize.yml
@@ -9,17 +9,17 @@
# To configure this workflow:
#
# 1. Set the following secrets in your repository (instructions for getting these
-# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
-# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
#
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize.
# Set your kustomizationPath and kubectl-version to suit your configuration.
@@ -46,16 +46,14 @@ env:
KUSTOMIZE_PATH: "your-kustomize-path"
jobs:
- build:
+ buildImage:
permissions:
- actions: read
contents: read
id-token: write
-
runs-on: ubuntu-latest
steps:
# Checks out the repository this file is in
- - uses: actions/checkout@master
+ - uses: actions/checkout@v3
# Logs in with your Azure credentials
- name: Azure login
@@ -69,6 +67,23 @@ jobs:
- name: Build and push image to ACR
run: |
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
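Review bot: The `actions/checkout@v3` step at L3215 in `createSecret` is not used by anything in this job — it only logs in, fetches the kubeconfig and creates the pull secret — and the equivalent jobs added to the kompose and azure-kubernetes-service workflows (L3087, L3326) omit it. Dropping it keeps the job minimal and the three templates consistent. This hunk also lacks the blank line before the `Get K8s context` comment that the other two files add (L3100, L3339).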
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- name: Get K8s context
@@ -83,7 +98,9 @@ jobs:
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
echo "::set-output name=password::${ACR_PASSWORD}"
id: get-acr-creds
@@ -94,7 +111,33 @@ jobs:
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
# Runs Kustomize to create manifest files
- name: Bake deployment
@@ -107,11 +150,11 @@ jobs:
# Deploys application based on manifest files from previous step
- name: Deploy application
- uses: Azure/k8s-deploy@v3.0
+ uses: Azure/k8s-deploy@v3.1
with:
action: deploy
manifests: ${{ steps.bake.outputs.manifestsBundle }}
images: |
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
\ No newline at end of file
diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml
index e61e64e..d04a2ac 100644
--- a/deployments/azure-kubernetes-service.yml
+++ b/deployments/azure-kubernetes-service.yml
@@ -8,8 +8,7 @@
#
# To configure this workflow:
#
-# 1. Set the following secrets in your repository (instructions for getting these
-# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
@@ -19,7 +18,7 @@
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment)
#
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
@@ -43,16 +42,14 @@ env:
DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path'
jobs:
- build:
+ buildImage:
permissions:
- actions: read
contents: read
id-token: write
-
runs-on: ubuntu-latest
steps:
# Checks out the repository this file is in
- - uses: actions/checkout@master
+ - uses: actions/checkout@v3
# Logs in with your Azure credentials
- name: Azure login
@@ -67,6 +64,20 @@ jobs:
run: |
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- name: Get K8s context
uses: azure/aks-set-context@v2.0
@@ -80,7 +91,9 @@ jobs:
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
echo "::set-output name=password::${ACR_PASSWORD}"
id: get-acr-creds
@@ -93,13 +106,39 @@ jobs:
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
# Deploys application based on given manifest file
- name: Deploys application
- uses: Azure/k8s-deploy@v3.0
+ uses: Azure/k8s-deploy@v3.1
with:
action: deploy
manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
images: |
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
\ No newline at end of file
diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml
index 8e1faf7..becfede 100644
--- a/deployments/azure-staticwebapp.yml
+++ b/deployments/azure-staticwebapp.yml
@@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
name: Build and Deploy Job
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
with:
submodules: true
- name: Build And Deploy
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml
index ed45e22..3357dc8 100644
--- a/deployments/azure-webapps-dotnet-core.yml
+++ b/deployments/azure-webapps-dotnet-core.yml
@@ -35,15 +35,15 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up .NET Core
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@v2
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Set up dependency caching for faster builds
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: ~/.nuget/packages
key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml
index 210fd90..d29b0c9 100644
--- a/deployments/azure-webapps-java-jar.yml
+++ b/deployments/azure-webapps-java-jar.yml
@@ -22,6 +22,7 @@ name: Build and deploy JAR app to Azure Web App
env:
AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
JAVA_VERSION: '11' # set this to the Java version to use
+ DISTRIBUTION: zulu # set this to the Java distribution
on:
push:
@@ -34,12 +35,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Java version
- uses: actions/setup-java@v2.3.1
+ uses: actions/setup-java@v3.0.0
with:
java-version: ${{ env.JAVA_VERSION }}
+ distribution: ${{ env.DISTRIBUTION }}
cache: 'maven'
- name: Build with Maven
diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml
index b6089d4..c967bdb 100644
--- a/deployments/azure-webapps-node.yml
+++ b/deployments/azure-webapps-node.yml
@@ -32,10 +32,10 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Node.js
- uses: actions/setup-node@v2
+ uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml
index a4442cf..98e8dc7 100644
--- a/deployments/azure-webapps-php.yml
+++ b/deployments/azure-webapps-php.yml
@@ -38,7 +38,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Setup PHP
uses: shivammathur/setup-php@7c0b4c8c8ebed23eca9ec2802474895d105b11bc
@@ -58,7 +58,7 @@ jobs:
echo "::set-output name=dir::$(composer config cache-files-dir)"
- name: Set up dependency caching for faster installs
- uses: actions/cache@v2
+ uses: actions/cache@v3
if: steps.check_files.outputs.files_exists == 'true'
with:
path: ${{ steps.composer-cache.outputs.dir }}
diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml
index 8605e0a..50f4823 100644
--- a/deployments/azure-webapps-python.yml
+++ b/deployments/azure-webapps-python.yml
@@ -29,15 +29,18 @@ on:
- $default-branch
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Set up Python version
- uses: actions/setup-python@v2.2.2
+ uses: actions/setup-python@v3.0.0
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
@@ -61,6 +64,8 @@ jobs:
!venv/
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml
new file mode 100644
index 0000000..b8d0511
--- /dev/null
+++ b/deployments/google-cloudrun-docker.yml
@@ -0,0 +1,114 @@
+# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch
+#
+# Overview:
+#
+# 1. Authenticate to Google Cloud
+# 2. Authenticate Docker to Artifact Registry
+# 3. Build a docker container
+# 4. Publish it to Google Artifact Registry
+# 5. Deploy it to Cloud Run
+#
+# To configure this workflow:
+#
+# 1. Ensure the required Google Cloud APIs are enabled:
+#
+# Cloud Run run.googleapis.com
+# Artifact Registry artifactregistry.googleapis.com
+#
+# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
+#
+# 3. Ensure the required IAM permissions are granted
+#
+# Cloud Run
+# roles/run.admin
+# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
+#
+# Artifact Registry
+# roles/artifactregistry.admin (project or repository level)
+#
+# NOTE: You should always follow the principle of least privilege when assigning IAM roles
+#
+# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
+#
+# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below).
+#
+# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io
+#
+# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
+#
+# Further reading:
+# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying
+# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles
+# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
+# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+
+name: Build and Deploy to Cloud Run
+
+on:
+ push:
+ branches:
+ - $default-branch
+
+env:
+ PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
+ GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location
+ SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
+ REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
+
+jobs:
+ deploy:
+ # Add 'id-token' with the intended permissions for workload identity federation
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Google Auth
+ id: auth
+ uses: 'google-github-actions/auth@v0'
+ with:
+ token_format: 'access_token'
+ workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
+ service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
+
+ # NOTE: Alternative option - authentication via credentials json
+ # - name: Google Auth
+ # id: auth
+ # uses: 'google-github-actions/auth@v0'
+ # with:
+ # credentials_json: '${{ secrets.GCP_CREDENTIALS }}''
+
+ # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted)
+
+ # Authenticate Docker to Google Cloud Artifact Registry
+ - name: Docker Auth
+ id: docker-auth
+ uses: 'docker/login-action@v1'
+ with:
+ username: 'oauth2accesstoken'
+ password: '${{ steps.auth.outputs.access_token }}'
+ registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'
+
+ - name: Build and Push Container
+ run: |-
+ docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./
+ docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"
+
+ # END - Docker auth and build
+
+ - name: Deploy to Cloud Run
+ id: deploy
+ uses: google-github-actions/deploy-cloudrun@v0
+ with:
+ service: ${{ env.SERVICE }}
+ region: ${{ env.REGION }}
+ # NOTE: If using a pre-built image, update the image name here
+ image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
+
+ # If required, use the Cloud Run url output in later steps
+ - name: Show Output
+ run: echo ${{ steps.deploy.outputs.url }}
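Review bot: The commented-out `credentials_json` example at L3604 ends with a doubled quote (`'${{ secrets.GCP_CREDENTIALS }}''`), which is a YAML parse error for anyone who uncomments it; the same example in google-cloudrun-source.yml (L3724) has the correct single closing quote. The `Checkout` step at L3589 still uses `actions/checkout@v2` (also L3710 in google-cloudrun-source.yml) while every other workflow in this commit moves to `@v3`. The `Show Output` step interpolates `${{ steps.deploy.outputs.url }}` directly into the shell line; the conventional form is `env: { URL: "${{ steps.deploy.outputs.url }}" }` with `run: echo "$URL"`, so the value is never parsed as shell syntax.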
diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml
new file mode 100644
index 0000000..2916b45
--- /dev/null
+++ b/deployments/google-cloudrun-source.yml
@@ -0,0 +1,96 @@
+# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch
+#
+# Overview:
+#
+# 1. Authenticate to Google Cloud
+# 2. Deploy it to Cloud Run
+#
+# To configure this workflow:
+#
+# 1. Ensure the required Google Cloud APIs are enabled:
+#
+# Cloud Run run.googleapis.com
+# Cloud Build cloudbuild.googleapis.com
+# Artifact Registry artifactregistry.googleapis.com
+#
+# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
+#
+# 3. Ensure the required IAM permissions are granted
+#
+# Cloud Run
+# roles/run.admin
+# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
+#
+# Cloud Build
+# roles/cloudbuild.builds.editor
+#
+# Cloud Storage
+# roles/storage.objectAdmin
+#
+# Artifact Registry
+# roles/artifactregistry.admin (project or repository level)
+#
+# NOTE: You should always follow the principle of least privilege when assigning IAM roles
+#
+# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
+#
+# 5. Change the values for the SERVICE and REGION environment variables (below).
+#
+# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
+#
+# Further reading:
+# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity
+# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy
+# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code
+# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+
+name: Deploy to Cloud Run from Source
+
+on:
+ push:
+ branches:
+ - $default-branch
+
+env:
+ PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
+ SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
+ REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
+
+jobs:
+ deploy:
+ # Add 'id-token' with the intended permissions for workload identity federation
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Google Auth
+ id: auth
+ uses: 'google-github-actions/auth@v0'
+ with:
+ workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
+ service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
+
+ # NOTE: Alternative option - authentication via credentials json
+ # - name: Google Auth
+ # id: auth
+ # uses: 'google-github-actions/auth@v0'
+ # with:
+ # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+
+ - name: Deploy to Cloud Run
+ id: deploy
+ uses: google-github-actions/deploy-cloudrun@v0
+ with:
+ service: ${{ env.SERVICE }}
+ region: ${{ env.REGION }}
+ # NOTE: If required, update to the appropriate source folder
+ source: ./
+
+ # If required, use the Cloud Run url output in later steps
+ - name: Show Output
+ run: echo ${{ steps.deploy.outputs.url }}
diff --git a/deployments/google.yml b/deployments/google.yml
index 003e53b..6150672 100644
--- a/deployments/google.yml
+++ b/deployments/google.yml
@@ -38,7 +38,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Configure Workload Identity Federation and generate an access token.
- id: 'auth'
diff --git a/deployments/ibm.yml b/deployments/ibm.yml
index 216b04d..cb3080f 100644
--- a/deployments/ibm.yml
+++ b/deployments/ibm.yml
@@ -33,7 +33,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Download and Install IBM Cloud CLI
- name: Install IBM Cloud CLI
diff --git a/deployments/openshift.yml b/deployments/openshift.yml
index 46ff961..5775cb0 100644
--- a/deployments/openshift.yml
+++ b/deployments/openshift.yml
@@ -71,7 +71,7 @@ jobs:
steps:
- name: Check for required secrets
- uses: actions/github-script@v4
+ uses: actions/github-script@v6
with:
script: |
const secrets = {
@@ -109,7 +109,7 @@ jobs:
}
- name: Check out repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: Determine app name
if: env.APP_NAME == ''
diff --git a/deployments/properties/google-cloudrun-docker.properties.json b/deployments/properties/google-cloudrun-docker.properties.json
new file mode 100644
index 0000000..b1a2b2b
--- /dev/null
+++ b/deployments/properties/google-cloudrun-docker.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Build and Deploy to Cloud Run",
+ "description": "Build a Docker container, publish it to Google Artifact Registry, and deploy to Google Cloud Run.",
+ "creator": "Google Cloud",
+ "iconName": "google-cloud",
+ "categories": ["Deployment", "Containers", "Dockerfile", "Cloud Run", "Serverless"]
+}
diff --git a/deployments/properties/google-cloudrun-source.properties.json b/deployments/properties/google-cloudrun-source.properties.json
new file mode 100644
index 0000000..2735d80
--- /dev/null
+++ b/deployments/properties/google-cloudrun-source.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Deploy to Cloud Run from Source",
+ "description": "Deploy to Google Cloud Run directly from source.",
+ "creator": "Google Cloud",
+ "iconName": "google-cloud",
+ "categories": ["Deployment", "Containers", "Cloud Run", "Serverless", "Buildpacks"]
+}
diff --git a/deployments/properties/google.properties.json b/deployments/properties/google.properties.json
index f1bd883..e226385 100644
--- a/deployments/properties/google.properties.json
+++ b/deployments/properties/google.properties.json
@@ -2,6 +2,6 @@
"name": "Build and Deploy to GKE",
"description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
"creator": "Google Cloud",
- "iconName": "googlegke",
+ "iconName": "google-cloud",
"categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"]
}
\ No newline at end of file
diff --git a/deployments/tencent.yml b/deployments/tencent.yml
index 83bde94..4e9e9f6 100644
--- a/deployments/tencent.yml
+++ b/deployments/tencent.yml
@@ -27,6 +27,9 @@ env:
TKE_CLUSTER_ID: cls-mywebapp
DEPLOYMENT_NAME: tke-test
+permissions:
+ contents: read
+
jobs:
setup-build-publish-deploy:
name: Setup, Build, Publish, and Deploy
@@ -35,7 +38,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Build
- name: Build Docker image
diff --git a/deployments/terraform.yml b/deployments/terraform.yml
index 589f1f3..53efe48 100644
--- a/deployments/terraform.yml
+++ b/deployments/terraform.yml
@@ -50,6 +50,9 @@ on:
- $default-branch
pull_request:
+permissions:
+ contents: read
+
jobs:
terraform:
name: 'Terraform'
@@ -64,7 +67,7 @@ jobs:
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- name: Setup Terraform
@@ -82,10 +85,10 @@ jobs:
# Generates an execution plan for Terraform
- name: Terraform Plan
- run: terraform plan
+ run: terraform plan -input=false
# On push to $default-branch, build or change infrastructure according to Terraform configuration files
# Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
- name: Terraform Apply
if: github.ref == 'refs/heads/$default-branch' && github.event_name == 'push'
- run: terraform apply -auto-approve
+ run: terraform apply -auto-approve -input=false
diff --git a/icons/clj-holmes.svg b/icons/clj-holmes.svg
new file mode 100644
index 0000000..74459e5
--- /dev/null
+++ b/icons/clj-holmes.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/clj-watson.svg b/icons/clj-watson.svg
new file mode 100644
index 0000000..74459e5
--- /dev/null
+++ b/icons/clj-watson.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/datadog.svg b/icons/datadog.svg
new file mode 100644
index 0000000..91cb3b6
--- /dev/null
+++ b/icons/datadog.svg
@@ -0,0 +1,4 @@
+
diff --git a/icons/eslint.svg b/icons/eslint.svg
new file mode 100644
index 0000000..23964aa
--- /dev/null
+++ b/icons/eslint.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/googlegke.svg b/icons/google-cloud.svg
similarity index 100%
rename from icons/googlegke.svg
rename to icons/google-cloud.svg
diff --git a/icons/hadolint.svg b/icons/hadolint.svg
new file mode 100644
index 0000000..048b86c
--- /dev/null
+++ b/icons/hadolint.svg
@@ -0,0 +1,131 @@
+
+
+
diff --git a/icons/neuralegion.svg b/icons/neuralegion.svg
new file mode 100644
index 0000000..0534225
--- /dev/null
+++ b/icons/neuralegion.svg
@@ -0,0 +1,57 @@
+
+
+
diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg
deleted file mode 100644
index f8e944a..0000000
--- a/icons/shiftleft.svg
+++ /dev/null
@@ -1,6 +0,0 @@
-
diff --git a/icons/sobelow.svg b/icons/sobelow.svg
new file mode 100644
index 0000000..4d243ea
--- /dev/null
+++ b/icons/sobelow.svg
@@ -0,0 +1,20 @@
+
+
+
diff --git a/icons/sonarcloud.svg b/icons/sonarcloud.svg
new file mode 100644
index 0000000..5f946d2
--- /dev/null
+++ b/icons/sonarcloud.svg
@@ -0,0 +1,20 @@
+
+
+
diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts
index 7dce3d1..4bd260d 100755
--- a/script/validate-data/index.ts
+++ b/script/validate-data/index.ts
@@ -1,7 +1,7 @@
#!/usr/bin/env npx ts-node
import { promises as fs } from "fs";
import { safeLoad } from "js-yaml";
-import { basename, extname, join } from "path";
+import { basename, extname, join, dirname } from "path";
import { Validator as validator } from "jsonschema";
import { endGroup, error, info, setFailed, startGroup } from '@actions/core';
@@ -14,6 +14,7 @@ interface WorkflowWithErrors {
interface WorkflowProperties {
name: string;
description: string;
+ creator: string;
iconName: string;
categories: string[];
}
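Review bot: `creator: string` is declared as a required property on WorkflowProperties, but the only enforcement visible in this file (the `!properties.creator` check in the later hunk) applies to workflows under the `deployments` folder, so every other properties.json may legitimately omit it. Typing it optional, `creator?: string`, would make the interface match the check and keep `properties.creator` reads honest for the non-deployment folders. If the jsonschema `propertiesSchema` (cut off at the edge of the next hunk) was also updated to list `creator` as required, then the type is right and the deployments-only check is the inconsistency instead; I cannot tell from the diff which was intended.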
@@ -40,7 +41,7 @@ const propertiesSchema = {
}
}
-async function checkWorkflows(folders: string[], allowed_categories: string[]): Promise {
+async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise {
const result: WorkflowWithErrors[] = []
const workflow_template_names = new Set()
for (const folder of folders) {
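Review bot: Widening `allowed_categories` to `object[]` drops the shape the new code depends on: later in this file the entries are indexed as `category["path"]` and `["categories"]`, and `object` neither documents nor checks that those keys exist (under `noImplicitAny` the string index on `object` is itself a compile error; whether this ts-node setup enables it is not visible here). A small named type keeps the contract explicit and is the same change for both signatures in this diff: `interface FolderCategories { path: string; categories: string[] }` and `allowed_categories: FolderCategories[]`. checkWorkflows' body continues past the end of this hunk.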
@@ -69,7 +70,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[]):
return result;
}
-async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[]): Promise {
+async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise {
let workflowErrors: WorkflowWithErrors = {
id: workflowPath,
name: null,
@@ -104,9 +105,19 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow
}
}
- if (!workflowPath.endsWith("blank.yml") && (!properties.categories ||
- !properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) {
- workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`)
+ var path = dirname(workflowPath)
+ var folder_categories = allowed_categories.find( category => category["path"] == path)["categories"]
+ if (!workflowPath.endsWith("blank.yml")) {
+ if(!properties.categories || properties.categories.length == 0) {
+ workflowErrors.errors.push(`Workflow categories cannot be null or empty`)
+ }
+ else if(!folder_categories.some(category => properties.categories[0].toLowerCase() == category.toLowerCase())) {
+ workflowErrors.errors.push(`The first category in properties.json categories for workflow in ${basename(path)} folder must be one of "${folder_categories}. Either move the workflow to an appropriate directory or change the category."`)
+ }
+ }
+
+ if(basename(path).toLowerCase() == 'deployments' && !properties.creator) {
+ workflowErrors.errors.push(`The "creator" in properties.json must be present.`)
}
} catch (e) {
workflowErrors.errors.push(e.toString())
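Review bot: `allowed_categories.find(category => category["path"] == path)["categories"]` throws a TypeError whenever `dirname(workflowPath)` has no matching `path` entry in settings.json, so a workflow in any folder that is listed under `folders` but not under `allowed_categories` (or whose path string differs by as little as a trailing slash) is reported only as the opaque `TypeError: Cannot read property 'categories' of undefined` via the catch below, rather than as a validation message. Guard the lookup before indexing: `const folder_entry = allowed_categories.find(category => category["path"] == path)`, `if (!folder_entry) { workflowErrors.errors.push(\`No allowed_categories entry in settings.json for folder ${basename(path)}\`) }`, `const folder_categories = folder_entry ? folder_entry["categories"] : []`. Note also that the replaced check validated that at least one listed category was allowed, whereas the new one only validates `properties.categories[0]`, so any additional categories are now accepted unchecked; if that is intended, a one-line comment saying the first category is the folder-determining one would save the next reader the question. checkWorkflow starts before this hunk and its body continues after it.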
diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json
index ce89e36..852f575 100644
--- a/script/validate-data/settings.json
+++ b/script/validate-data/settings.json
@@ -5,10 +5,22 @@
"../../deployments",
"../../code-scanning"
],
- "allowed_categories" : [
- "Continuous integration",
- "Deployment",
- "Code Scanning",
- "Automation"
+ "allowed_categories": [
+ {
+ "path": "../../ci",
+ "categories": ["Continuous integration"]
+ },
+ {
+ "path": "../../automation",
+ "categories": ["Automation"]
+ },
+ {
+ "path": "../../deployments",
+ "categories": ["Deployment"]
+ },
+ {
+ "path": "../../code-scanning",
+ "categories": ["Code Scanning", "Dependency review"]
+ }
]
-}
\ No newline at end of file
+}
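Review bot: The `path` values in `allowed_categories` duplicate the `folders` list above them and are matched by exact string comparison in script/validate-data/index.ts (`category["path"] == path`), so a folder added to one list but not the other, or spelled differently (`../../ci` vs `../../ci/`), is not caught by this file and surfaces only as a runtime failure in the validator. JSON offers no place for a comment, so the cross-check belongs in the script: at startup, assert that every entry of `folders` has an `allowed_categories` entry with an identical `path`, and fail with a message naming the missing folder.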