From 308401f5246098792d1a773569cb339141141361 Mon Sep 17 00:00:00 2001 From: DhavalPatelPersistent <93903969+DhavalPatelPersistent@users.noreply.github.com> Date: Mon, 25 Apr 2022 15:30:28 +0530 Subject: [PATCH 1/7] Update checkmarx.yml --- code-scanning/checkmarx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 297cae0..ed13389 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -46,7 +46,7 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 From 77df908268e8577f2b7955bbc9d27b46a316aae8 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 30 May 2022 14:16:42 +0200 Subject: [PATCH 2/7] Set `fail-build` property to false Whenever a security issue is found the `scan action` fails the build and the step, which causes the workflow to fail before uploading the results to Code Scanning. This change turns the error into a warning. --- code-scanning/anchore.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 6f52d5d..b0e542e 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -39,6 +39,7 @@ jobs: with: image: "localbuild/testimage:latest" acs-report-enable: true + fail-build: false - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v2 with: From ab9d895e8dfdfcc309424b079d074d637b744367 Mon Sep 17 00:00:00 2001 From: satyamchaurasiapersistent <102941840+satyamchaurasiapersistent@users.noreply.github.com> Date: Mon, 6 Jun 2022 11:45:21 +0530 Subject: [PATCH 3/7] Repo Url and SHA value updated. --- code-scanning/checkmarx.yml | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index ed13389..1c57150 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -17,27 +17,19 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action -permissions: - contents: read - jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action - permissions: - contents: read # for actions/checkout to fetch code - issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues - pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v2 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314 + uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe with: project: ${{ secrets.CHECKMARX_PROJECT }} team: ${{ secrets.CHECKMARX_TEAMS }} @@ -46,9 +38,9 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v1 with: sarif_file: cx.sarif From eda5a46a9546396c96ef0e05ad1840c0fbe2e060 Mon Sep 17 00:00:00 2001 From: Edward <14011954+0xedward@users.noreply.github.com> Date: Tue, 17 May 2022 19:00:28 -0400 Subject: [PATCH 4/7] Add Pyre starter workflow --- code-scanning/properties/pyre.properties.json | 7 +++ code-scanning/pyre.yml | 46 +++++++++++++++++++ icons/pyre.svg | 1 + 3 files changed, 54 insertions(+) create mode 100644 code-scanning/properties/pyre.properties.json create mode 100644 code-scanning/pyre.yml create mode 100644 icons/pyre.svg diff --git a/code-scanning/properties/pyre.properties.json b/code-scanning/properties/pyre.properties.json new file mode 100644 index 0000000..bc12321 --- /dev/null +++ b/code-scanning/properties/pyre.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Pyre", + "creator": "Meta", + "description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providing instantaneous feedback to developers as they write code.", + "iconName": "pyre", + "categories": ["Code Scanning", "Python"] +} diff --git a/code-scanning/pyre.yml b/code-scanning/pyre.yml new file mode 100644 index 0000000..3c32e8b --- /dev/null +++ b/code-scanning/pyre.yml @@ -0,0 +1,46 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Pyre with GitHub's +# Code Scanning feature. +# +# Pyre is a performant type checker for Python compliant with +# PEP 484. Pyre can analyze codebases with millions of lines +# of code incrementally – providing instantaneous feedback +# to developers as they write code. +# +# See https://pyre-check.org + +name: Pyre + +on: + workflow_dispatch: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + pyre: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: true + + - name: Run Pyre + uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d + with: + # To customize these inputs: + # See https://github.com/facebook/pyre-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' diff --git a/icons/pyre.svg b/icons/pyre.svg new file mode 100644 index 0000000..2af14c0 --- /dev/null +++ b/icons/pyre.svg @@ -0,0 +1 @@ +Asset 1 \ No newline at end of file From 862560d6d0ce6dacc03697cf601d8e83c74520b9 Mon Sep 17 00:00:00 2001 From: Edward <14011954+0xedward@users.noreply.github.com> Date: Mon, 16 May 2022 17:42:13 -0400 Subject: [PATCH 5/7] Add workflow for Pysa https://github.com/facebook/pysa-action https://github.com/facebook/pyre-check --- code-scanning/properties/pysa.properties.json | 7 +++ code-scanning/pysa.yml | 50 +++++++++++++++++++ icons/pysa.svg | 1 + 3 files changed, 58 insertions(+) create mode 100644 code-scanning/properties/pysa.properties.json create mode 100644 code-scanning/pysa.yml create mode 100644 icons/pysa.svg diff --git a/code-scanning/properties/pysa.properties.json b/code-scanning/properties/pysa.properties.json new file mode 100644 index 0000000..1a61c40 --- /dev/null +++ b/code-scanning/properties/pysa.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Pysa", + "creator": "Meta", + "description": "Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location.", + "iconName": "pysa", + "categories": ["Code Scanning", "Python"] +} diff --git a/code-scanning/pysa.yml b/code-scanning/pysa.yml new file mode 100644 index 0000000..a9e3c81 --- /dev/null +++ b/code-scanning/pysa.yml @@ -0,0 +1,50 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Python Static Analyzer (Pysa) with +# GitHub's Code Scanning feature. +# +# Python Static Analyzer (Pysa) is a security-focused static +# analysis tool that tracks flows of data from where they +# originate to where they terminate in a dangerous location. +# +# See https://pyre-check.org/docs/pysa-basics/ + +name: Pysa + +on: + workflow_dispatch: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + pysa: + permissions: + actions: read + contents: read + security-events: write + + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: true + + - name: Run Pysa + uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b + with: + # To customize these inputs: + # See https://github.com/facebook/pysa-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' + infer-types: true + include-default-sapp-filters: true diff --git a/icons/pysa.svg b/icons/pysa.svg new file mode 100644 index 0000000..ed60fb1 --- /dev/null +++ b/icons/pysa.svg @@ -0,0 +1 @@ + \ No newline at end of file From 44f8355dd3fcc819e5064577d46aeb5d0b5070a4 Mon Sep 17 00:00:00 2001 From: Anton Krasovsky Date: Tue, 7 Jun 2022 17:57:25 +0100 Subject: [PATCH 6/7] Update workflow to use the newest version of 42Crunch REST API Static Security Testing Action --- code-scanning/crunch42.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index 07cd73a..1ac846e 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -46,7 +46,7 @@ jobs: - uses: actions/checkout@v3 - name: 42Crunch REST API Static Security Testing - uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 + uses: 42Crunch/api-security-audit-action@f3a4f4d44ca6f538fe84361373d7a2a374018fdd with: # Please create free account at https://platform.42crunch.com/register # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm From 7ba355c39e6939dea937ef47c51c708de6ec51a6 Mon Sep 17 00:00:00 2001 From: Satyam Chaurasia Date: Wed, 8 Jun 2022 06:39:55 +0530 Subject: [PATCH 7/7] Adding changes of version and repo URL issue --- code-scanning/checkmarx.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 1c57150..e060654 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -17,16 +17,24 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +permissions: + contents: read + jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues + pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - name: Checkmarx CxFlow Action uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe @@ -38,9 +46,9 @@ jobs: checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory --repo-url=${{ github.event.repository.url }} + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} # Upload the Report for CodeQL/Security Alerts - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: cx.sarif