Merge branch 'users/shaopeng-gh/phpmd' of https://github.com/shaopeng-gh/starter-workflows into users/shaopeng-gh/phpmd
This commit is contained in:
@@ -40,6 +40,7 @@ jobs:
|
||||
with:
|
||||
image: "localbuild/testimage:latest"
|
||||
acs-report-enable: true
|
||||
fail-build: false
|
||||
- name: Upload Anchore Scan Report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
|
||||
@@ -37,7 +37,7 @@ jobs:
|
||||
- uses: actions/checkout@v3
|
||||
# Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
|
||||
- name: Checkmarx CxFlow Action
|
||||
uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314
|
||||
uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe
|
||||
with:
|
||||
project: ${{ secrets.CHECKMARX_PROJECT }}
|
||||
team: ${{ secrets.CHECKMARX_TEAMS }}
|
||||
@@ -46,7 +46,7 @@ jobs:
|
||||
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
|
||||
checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
|
||||
scanners: sast
|
||||
params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory
|
||||
params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }}
|
||||
# Upload the Report for CodeQL/Security Alerts
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
|
||||
@@ -46,7 +46,7 @@ jobs:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: 42Crunch REST API Static Security Testing
|
||||
uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1
|
||||
uses: 42Crunch/api-security-audit-action@f3a4f4d44ca6f538fe84361373d7a2a374018fdd
|
||||
with:
|
||||
# Please create free account at https://platform.42crunch.com/register
|
||||
# Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Pyre",
|
||||
"creator": "Meta",
|
||||
"description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providing instantaneous feedback to developers as they write code.",
|
||||
"iconName": "pyre",
|
||||
"categories": ["Code Scanning", "Python"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Pysa",
|
||||
"creator": "Meta",
|
||||
"description": "Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location.",
|
||||
"iconName": "pysa",
|
||||
"categories": ["Code Scanning", "Python"]
|
||||
}
|
||||
@@ -0,0 +1,46 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow integrates Pyre with GitHub's
|
||||
# Code Scanning feature.
|
||||
#
|
||||
# Pyre is a performant type checker for Python compliant with
|
||||
# PEP 484. Pyre can analyze codebases with millions of lines
|
||||
# of code incrementally – providing instantaneous feedback
|
||||
# to developers as they write code.
|
||||
#
|
||||
# See https://pyre-check.org
|
||||
|
||||
name: Pyre
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
pyre:
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
submodules: true
|
||||
|
||||
- name: Run Pyre
|
||||
uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d
|
||||
with:
|
||||
# To customize these inputs:
|
||||
# See https://github.com/facebook/pyre-action#inputs
|
||||
repo-directory: './'
|
||||
requirements-path: 'requirements.txt'
|
||||
@@ -0,0 +1,50 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow integrates Python Static Analyzer (Pysa) with
|
||||
# GitHub's Code Scanning feature.
|
||||
#
|
||||
# Python Static Analyzer (Pysa) is a security-focused static
|
||||
# analysis tool that tracks flows of data from where they
|
||||
# originate to where they terminate in a dangerous location.
|
||||
#
|
||||
# See https://pyre-check.org/docs/pysa-basics/
|
||||
|
||||
name: Pysa
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
pysa:
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
submodules: true
|
||||
|
||||
- name: Run Pysa
|
||||
uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b
|
||||
with:
|
||||
# To customize these inputs:
|
||||
# See https://github.com/facebook/pysa-action#inputs
|
||||
repo-directory: './'
|
||||
requirements-path: 'requirements.txt'
|
||||
infer-types: true
|
||||
include-default-sapp-filters: true
|
||||
Reference in New Issue
Block a user