diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
index 4fbc9f0..a3d2eed 100644
--- a/code-scanning/anchore.yml
+++ b/code-scanning/anchore.yml
@@ -40,6 +40,7 @@ jobs:
with:
image: "localbuild/testimage:latest"
acs-report-enable: true
+ fail-build: false
- name: Upload Anchore Scan Report
uses: github/codeql-action/upload-sarif@v2
with:
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
index 297cae0..e060654 100644
--- a/code-scanning/checkmarx.yml
+++ b/code-scanning/checkmarx.yml
@@ -37,7 +37,7 @@ jobs:
- uses: actions/checkout@v3
# Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
- name: Checkmarx CxFlow Action
- uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314
+ uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe
with:
project: ${{ secrets.CHECKMARX_PROJECT }}
team: ${{ secrets.CHECKMARX_TEAMS }}
@@ -46,7 +46,7 @@ jobs:
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
scanners: sast
- params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory
+ params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }}
# Upload the Report for CodeQL/Security Alerts
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml
index 07cd73a..1ac846e 100644
--- a/code-scanning/crunch42.yml
+++ b/code-scanning/crunch42.yml
@@ -46,7 +46,7 @@ jobs:
- uses: actions/checkout@v3
- name: 42Crunch REST API Static Security Testing
- uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1
+ uses: 42Crunch/api-security-audit-action@f3a4f4d44ca6f538fe84361373d7a2a374018fdd
with:
# Please create free account at https://platform.42crunch.com/register
# Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
diff --git a/code-scanning/properties/pyre.properties.json b/code-scanning/properties/pyre.properties.json
new file mode 100644
index 0000000..bc12321
--- /dev/null
+++ b/code-scanning/properties/pyre.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Pyre",
+ "creator": "Meta",
+ "description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providing instantaneous feedback to developers as they write code.",
+ "iconName": "pyre",
+ "categories": ["Code Scanning", "Python"]
+}
diff --git a/code-scanning/properties/pysa.properties.json b/code-scanning/properties/pysa.properties.json
new file mode 100644
index 0000000..1a61c40
--- /dev/null
+++ b/code-scanning/properties/pysa.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Pysa",
+ "creator": "Meta",
+ "description": "Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location.",
+ "iconName": "pysa",
+ "categories": ["Code Scanning", "Python"]
+}
diff --git a/code-scanning/pyre.yml b/code-scanning/pyre.yml
new file mode 100644
index 0000000..3c32e8b
--- /dev/null
+++ b/code-scanning/pyre.yml
@@ -0,0 +1,46 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Pyre with GitHub's
+# Code Scanning feature.
+#
+# Pyre is a performant type checker for Python compliant with
+# PEP 484. Pyre can analyze codebases with millions of lines
+# of code incrementally – providing instantaneous feedback
+# to developers as they write code.
+#
+# See https://pyre-check.org
+
+name: Pyre
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+
+permissions:
+ contents: read
+
+jobs:
+ pyre:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ submodules: true
+
+ - name: Run Pyre
+ uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d
+ with:
+ # To customize these inputs:
+ # See https://github.com/facebook/pyre-action#inputs
+ repo-directory: './'
+ requirements-path: 'requirements.txt'
diff --git a/code-scanning/pysa.yml b/code-scanning/pysa.yml
new file mode 100644
index 0000000..a9e3c81
--- /dev/null
+++ b/code-scanning/pysa.yml
@@ -0,0 +1,50 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Python Static Analyzer (Pysa) with
+# GitHub's Code Scanning feature.
+#
+# Python Static Analyzer (Pysa) is a security-focused static
+# analysis tool that tracks flows of data from where they
+# originate to where they terminate in a dangerous location.
+#
+# See https://pyre-check.org/docs/pysa-basics/
+
+name: Pysa
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ pysa:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ submodules: true
+
+ - name: Run Pysa
+ uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b
+ with:
+ # To customize these inputs:
+ # See https://github.com/facebook/pysa-action#inputs
+ repo-directory: './'
+ requirements-path: 'requirements.txt'
+ infer-types: true
+ include-default-sapp-filters: true
diff --git a/icons/pyre.svg b/icons/pyre.svg
new file mode 100644
index 0000000..2af14c0
--- /dev/null
+++ b/icons/pyre.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/pysa.svg b/icons/pysa.svg
new file mode 100644
index 0000000..ed60fb1
--- /dev/null
+++ b/icons/pysa.svg
@@ -0,0 +1 @@
+
\ No newline at end of file