Merge branch 'main' into main
@@ -15,9 +15,9 @@ jobs:
|
||||
git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
|
||||
git config user.email "cschleiden@github.com"
|
||||
git config user.name "GitHub Actions"
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: '16'
|
||||
node-version: '20'
|
||||
cache: 'npm'
|
||||
cache-dependency-path: script/sync-ghes/package-lock.json
|
||||
- name: Check starter workflows for GHES compat
|
||||
|
||||
@@ -12,9 +12,9 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: '16'
|
||||
node-version: '20'
|
||||
cache: 'npm'
|
||||
cache-dependency-path: script/validate-data/package-lock.json
|
||||
|
||||
|
||||
+1
-1
@@ -14,7 +14,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
|
||||
@@ -29,7 +29,7 @@ jobs:
|
||||
# Run Synthetic tests within your GitHub workflow.
|
||||
# For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
|
||||
- name: Run Datadog Synthetic tests
|
||||
uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e
|
||||
uses: DataDog/synthetics-ci-github-action@87b505388a22005bb8013481e3f73a367b9a53eb # v1.4.0
|
||||
with:
|
||||
api_key: ${{secrets.DD_API_KEY}}
|
||||
app_key: ${{secrets.DD_APP_KEY}}
|
||||
|
||||
@@ -41,9 +41,9 @@ jobs:
|
||||
# https://github.com/sigstore/cosign-installer
|
||||
- name: Install cosign
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
|
||||
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
|
||||
with:
|
||||
cosign-release: 'v2.1.1'
|
||||
cosign-release: 'v2.2.4'
|
||||
|
||||
# Set up BuildKit Docker container builder to be able to build
|
||||
# multi-platform images and export cache
|
||||
|
||||
@@ -30,7 +30,7 @@ jobs:
|
||||
settings-path: ${{ github.workspace }} # location for the settings.xml file
|
||||
|
||||
- name: Setup Gradle
|
||||
uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
|
||||
uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2
|
||||
|
||||
- name: Build with Gradle
|
||||
run: ./gradlew build
|
||||
|
||||
+4
-4
@@ -28,10 +28,10 @@ jobs:
|
||||
java-version: '17'
|
||||
distribution: 'temurin'
|
||||
|
||||
# Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies.
|
||||
# Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies.
|
||||
# See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md
|
||||
- name: Setup Gradle
|
||||
uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
|
||||
uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2
|
||||
|
||||
- name: Build with Gradle Wrapper
|
||||
run: ./gradlew build
|
||||
@@ -40,7 +40,7 @@ jobs:
|
||||
# If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version.
|
||||
#
|
||||
# - name: Setup Gradle
|
||||
# uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
|
||||
# uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2
|
||||
# with:
|
||||
# gradle-version: '8.5'
|
||||
#
|
||||
@@ -64,4 +64,4 @@ jobs:
|
||||
# Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies.
|
||||
# See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md
|
||||
- name: Generate and submit dependency graph
|
||||
uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
|
||||
uses: gradle/actions/dependency-submission@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2
|
||||
|
||||
@@ -18,7 +18,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
|
||||
+1
-1
@@ -22,7 +22,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 17
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '17'
|
||||
distribution: 'temurin'
|
||||
|
||||
+2
-2
@@ -16,13 +16,13 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
node-version: [18.x, 20.x, 22.x]
|
||||
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Use Node.js ${{ matrix.node-version }}
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ matrix.node-version }}
|
||||
cache: 'npm'
|
||||
|
||||
+2
-2
@@ -12,13 +12,13 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
node-version: [18.x, 20.x, 22.x]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Use Node.js ${{ matrix.node-version }}
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ matrix.node-version }}
|
||||
|
||||
|
||||
+2
-2
@@ -12,13 +12,13 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
node-version: [18.x, 20.x, 22.x]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Use Node.js ${{ matrix.node-version }}
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ matrix.node-version }}
|
||||
|
||||
|
||||
@@ -12,9 +12,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 16
|
||||
node-version: 20
|
||||
- run: npm ci
|
||||
- run: npm test
|
||||
|
||||
@@ -26,9 +26,9 @@ jobs:
|
||||
packages: write
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 16
|
||||
node-version: 20
|
||||
registry-url: $registry-url(npm)
|
||||
- run: npm ci
|
||||
- run: npm publish
|
||||
|
||||
+4
-4
@@ -12,9 +12,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 16
|
||||
node-version: 20
|
||||
- run: npm ci
|
||||
- run: npm test
|
||||
|
||||
@@ -23,9 +23,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 16
|
||||
node-version: 20
|
||||
registry-url: https://registry.npmjs.org/
|
||||
- run: npm ci
|
||||
- run: npm publish
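Review bot: The publish step `run: npm publish` now runs on Node 20 (`setup-node@v4`, `node-version: 20`), whose bundled npm can emit provenance attestations, but the job does not ask for them. Since the step already authenticates against `registry-url: https://registry.npmjs.org/`, changing it to `run: npm publish --provenance` and granting the job `id-token: write` (its `permissions:` block sits above this hunk, so I cannot see what it grants today) gives consumers a Sigstore-verifiable link from the published tarball back to this workflow run. A one-line comment above the step saying why `id-token: write` is needed would keep the next reader from stripping it as over-privileged.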
|
||||
|
||||
+4
-2
@@ -30,7 +30,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
# Add or replace dependency steps here
|
||||
- name: Install Ruby and gems
|
||||
uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
|
||||
uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1
|
||||
with:
|
||||
bundler-cache: true
|
||||
# Add or replace database setup steps here
|
||||
@@ -46,9 +46,11 @@ jobs:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
- name: Install Ruby and gems
|
||||
uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
|
||||
uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1
|
||||
with:
|
||||
bundler-cache: true
|
||||
- name: Generate binstubs
|
||||
run: bundle binstubs bundler-audit brakeman rubocop
|
||||
# Add or replace any other lints here
|
||||
- name: Security audit dependencies
|
||||
run: bin/bundler-audit --update
|
||||
|
||||
+1
-1
@@ -22,7 +22,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
|
||||
+2
-2
@@ -12,13 +12,13 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
node-version: [18.x, 20.x, 22.x]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Use Node.js ${{ matrix.node-version }}
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ matrix.node-version }}
|
||||
|
||||
|
||||
@@ -43,6 +43,6 @@ jobs:
|
||||
fail-build: true
|
||||
severity-cutoff: critical
|
||||
- name: Upload vulnerability report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.scan.outputs.sarif }}
|
||||
|
||||
@@ -66,6 +66,6 @@ jobs:
|
||||
# The name of the sarif format result file The file is written only if this property is provided.
|
||||
sarif-result-file: "apisec-results.sarif"
|
||||
- name: Import results
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ./apisec-results.sarif
|
||||
|
||||
@@ -38,6 +38,6 @@ jobs:
|
||||
exit-code: 0
|
||||
# Upload SARIF file generated in previous step
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -53,6 +53,6 @@ jobs:
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: output.sarif.json
|
||||
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One
|
||||
additional_params: --report-format sarif --output-path .
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: cx_result.sarif
|
||||
|
||||
@@ -50,6 +50,6 @@ jobs:
|
||||
params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }}
|
||||
# Upload the Report for CodeQL/Security Alerts
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: cx.sarif
|
||||
|
||||
@@ -38,7 +38,7 @@ jobs:
|
||||
fail-on-result: 'false'
|
||||
|
||||
- name: Upload analysis results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -48,7 +48,7 @@ jobs:
|
||||
fail-on-result: false
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{github.workspace}}/clj-watson-results.sarif
|
||||
wait-for-processing: true
|
||||
@@ -50,7 +50,7 @@ jobs:
|
||||
cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
|
||||
# is needed to ensure the SARIF file is uploaded
|
||||
if: always()
|
||||
|
||||
@@ -56,6 +56,6 @@ jobs:
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF results file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -44,6 +44,6 @@ jobs:
|
||||
organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
|
||||
projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: codescan.sarif
|
||||
|
||||
@@ -48,6 +48,6 @@ jobs:
|
||||
authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
|
||||
#Upload the results to GitHub
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
|
||||
|
||||
@@ -94,9 +94,9 @@ jobs:
|
||||
#
|
||||
# Example:
|
||||
# - name: Setup Node
|
||||
# uses: actions/setup-node@v2
|
||||
# uses: actions/setup-node@v4
|
||||
# with:
|
||||
# node-version: '14'
|
||||
# node-version: '20'
|
||||
|
||||
# https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md
|
||||
- name: Install CRDA CLI
|
||||
|
||||
@@ -55,7 +55,7 @@ jobs:
|
||||
- name: credo-scan
|
||||
run: mix credo --format=sarif > credo_output.sarif
|
||||
- name: upload sarif
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: credo_output.sarif
|
||||
|
||||
@@ -42,6 +42,6 @@ jobs:
|
||||
# Setting a SARIF output will generate a file named "datree.sarif" containing your test results
|
||||
cliArguments: "-o sarif"
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: datree.sarif
|
||||
|
||||
@@ -33,7 +33,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-dotnet@v3
|
||||
- uses: actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: |
|
||||
5.0.x
|
||||
@@ -42,6 +42,6 @@ jobs:
|
||||
uses: microsoft/security-devops-action@v1.6.0
|
||||
id: msdo
|
||||
- name: Upload results to Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
|
||||
|
||||
@@ -111,7 +111,7 @@ jobs:
|
||||
)" > ${{ github.workspace }}/detekt.sarif.json
|
||||
|
||||
# Uploads results to GitHub repository using the upload-sarif action
|
||||
- uses: github/codeql-action/upload-sarif@v2
|
||||
- uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: ${{ github.workspace }}/detekt.sarif.json
|
||||
|
||||
@@ -29,6 +29,6 @@ jobs:
|
||||
uses: microsoft/DevSkim-Action@v1
|
||||
|
||||
- name: Upload DevSkim scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: devskim-results.sarif
|
||||
|
||||
@@ -26,7 +26,7 @@ jobs:
|
||||
### Use this section to define the build steps used by your software package.
|
||||
### Endor Labs builds your software for you where possible but the required build tools must be made available.
|
||||
# - name: Setup Java
|
||||
# uses: actions/setup-java@v3
|
||||
# uses: actions/setup-java@v4
|
||||
# with:
|
||||
# distribution: 'microsoft'
|
||||
# java-version: '17'
|
||||
@@ -46,6 +46,6 @@ jobs:
|
||||
ci_run: "false"
|
||||
sarif_file: findings.sarif
|
||||
- name: Upload SARIF to github
|
||||
uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: findings.sarif
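Review bot: The upload-sarif step in this hunk moves from an immutable commit pin (`@9885f86fab4879632b7e44514f19148225dfbdcd`) to the floating tag `@v3`, which is a supply-chain downgrade: a tag can be re-pointed after the fact, a commit SHA cannot. Elsewhere in this same commit third-party actions are upgraded by SHA with a version comment (cosign-installer, gradle/actions, ruby/setup-ruby, frogbot), so the consistent hardening here is `uses: github/codeql-action/upload-sarif@<commit sha of the v3 release> # v3.x.y` rather than the bare tag. If the intent is to match the other codeql-action templates, which use tags, that trade-off deserves a one-line comment above the step so it is not read as an accidental unpinning.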
|
||||
|
||||
@@ -44,7 +44,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: eslint-results.sarif
|
||||
wait-for-processing: true
|
||||
@@ -63,7 +63,7 @@ jobs:
|
||||
sarif-result-file: "ethicalcheck-results.sarif"
|
||||
|
||||
- name: Upload sarif file to repository
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ./ethicalcheck-results.sarif
|
||||
|
||||
|
||||
@@ -33,6 +33,6 @@ jobs:
|
||||
output: 'flawfinder_results.sarif'
|
||||
|
||||
- name: Upload analysis results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{github.workspace}}/flawfinder_results.sarif
|
||||
@@ -5,9 +5,9 @@
|
||||
# Frogbot Scan and Fix does the following:
|
||||
# Automatically creates pull requests with fixes for vulnerable project dependencies.
|
||||
# Uses JFrog Xray to scan the project.
|
||||
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
|
||||
# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot
|
||||
|
||||
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration
|
||||
|
||||
name: "Frogbot Scan and Fix"
|
||||
on:
|
||||
@@ -23,11 +23,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
# IMPORTANT:
|
||||
# 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
|
||||
# 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
|
||||
- uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0
|
||||
- uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2
|
||||
env:
|
||||
# [Mandatory if the two conditions below are met]
|
||||
# 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
|
||||
|
||||
@@ -5,9 +5,9 @@
|
||||
# Frogbot Scan Pull Request does the following:
|
||||
# Automatically scans new pull requests for security vulnerabilities.
|
||||
# Uses JFrog Xray to scan the project.
|
||||
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
|
||||
# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot
|
||||
|
||||
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration
|
||||
|
||||
name: "Frogbot Scan Pull Request"
|
||||
on:
|
||||
@@ -21,18 +21,14 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
# A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
|
||||
# "frogbot" GitHub environment can approve the pull request to be scanned.
|
||||
# Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md
|
||||
# Read more here (Install Frogbot Using GitHub Actions): https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-github-actions
|
||||
environment: frogbot
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
|
||||
# IMPORTANT:
|
||||
# 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
|
||||
# 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
|
||||
- uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0
|
||||
- uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2
|
||||
env:
|
||||
# [Mandatory if the two conditions below are met]
|
||||
# 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
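Review bot: The checkout in this hunk fetches `ref: ${{ github.event.pull_request.head.sha }}`, i.e. code from a possibly forked pull request, while leaving the runner's token persisted in `.git/config`; the only thing standing between that code and the workflow's credentials is the reviewer gate on the `frogbot` environment described in the comment above. I would add `persist-credentials: false` under the checkout's `with:` so the package-manager and build tools Frogbot runs against the tree cannot read `GITHUB_TOKEN` out of the clone; Frogbot receives its own credentials through the `env:` block that continues below the hunk, so it should not need the persisted token (please confirm). The `on:` trigger is outside the hunk; if it is `pull_request_target`, the environment's required-reviewers setting is load-bearing and deserves an explicit comment saying the job must never be auto-approved.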
|
||||
|
||||
@@ -41,7 +41,7 @@ jobs:
|
||||
no-fail: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: hadolint-results.sarif
|
||||
wait-for-processing: true
|
||||
@@ -28,9 +28,9 @@ jobs:
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 18
|
||||
node-version: 20
|
||||
- run: npm ci
|
||||
- run: npm run build
|
||||
- name: Jscrambler Code Integrity
|
||||
|
||||
@@ -36,6 +36,6 @@ jobs:
|
||||
exit-code: "0"
|
||||
|
||||
- name: Upload Kubesec scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: kubesec-results.sarif
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: lintr-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -59,6 +59,6 @@ jobs:
|
||||
sarif-report: mapi.sarif
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: mapi.sarif
|
||||
|
||||
@@ -38,6 +38,6 @@ jobs:
|
||||
args: . --sarif --output results.sarif || true
|
||||
|
||||
- name: Upload mobsfscan report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -54,7 +54,7 @@ jobs:
|
||||
|
||||
# Upload SARIF file to GitHub Code Scanning Alerts
|
||||
- name: Upload SARIF to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
|
||||
|
||||
|
||||
@@ -37,6 +37,6 @@ jobs:
|
||||
with:
|
||||
args: '. --sarif --output results.sarif || true'
|
||||
- name: Upload njsscan report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -47,6 +47,6 @@ jobs:
|
||||
group_id: {{ groupId }} # Update this to your desired Platform group ID
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: NowSecure.sarif
|
||||
|
||||
@@ -40,7 +40,7 @@ jobs:
|
||||
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
|
||||
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
|
||||
# - name: Install .NET
|
||||
# uses: actions/setup-dotnet@v2
|
||||
# uses: actions/setup-dotnet@v4
|
||||
# with:
|
||||
# dotnet-version: '3.1.x'
|
||||
|
||||
@@ -51,6 +51,6 @@ jobs:
|
||||
|
||||
# Upload results to the Security tab
|
||||
- name: Upload OSSAR results
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
|
||||
|
||||
@@ -51,7 +51,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: phpmd-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -26,7 +26,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
@@ -38,6 +38,6 @@ jobs:
|
||||
sourcePath: 'src/main/java'
|
||||
analyzeModifiedFilesOnly: false
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: pmd-report.sarif
|
||||
|
||||
@@ -20,7 +20,8 @@ env:
|
||||
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
|
||||
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
|
||||
TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template.
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
jobs:
|
||||
@@ -45,7 +46,7 @@ jobs:
|
||||
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer ValidatePolicy check
|
||||
id: run-aws-validate-policy
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "VALIDATE_POLICY"
|
||||
template-path: ${{ env.TEMPLATE_PATH}}
|
||||
@@ -57,11 +58,12 @@ jobs:
|
||||
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
|
||||
id: run-aws-check-access-not-granted
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
|
||||
template-path: ${{ env.TEMPLATE_PATH}}
|
||||
actions: ${{ env.ACTIONS }}
|
||||
resources: ${{ env.RESOURCES }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_ACCESS_NOT_GRANTED check
|
||||
- name: Print the result for CheckAccessNotGranted check
|
||||
@@ -71,14 +73,26 @@ jobs:
|
||||
# reference-policy is stored in GitHub secrets
|
||||
- name: Run AWS AccessAnalyzer CheckNoNewAccess check
|
||||
id: run-aws-check-no-new-access
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_NEW_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH}}
|
||||
reference-policy: ${{ env.REFERENCE }}
|
||||
reference-policy: ${{ env.REFERENCE_POLICY }}
|
||||
reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
|
||||
region: ${{env.REGION }}
|
||||
# Print result from CHECK_NO_NEW_ACCESS check
|
||||
- name: Print the result for CheckNoNewAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
|
||||
# Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckNoPublicAccess check
|
||||
id: run-aws-check-no-public-access
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_NO_PUBLIC_ACCESS check
|
||||
- name: Print the result for CheckNoPublicAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
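Review bot: The new CheckNoPublicAccess step (`policy-check-type: "CHECK_NO_PUBLIC_ACCESS"`) presumably calls the `access-analyzer:CheckNoPublicAccess` API, but the unchanged `AWS_ROLE` comment at the top of the file still lists only ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted, so a role scoped to that comment will be denied on the new step; extend it to `# ... access-analyzer:CheckAccessNotGranted, access-analyzer:CheckNoPublicAccess and can be used in GitHub actions`. The new print step also interpolates the action output straight into the shell, `run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"`, copying the existing CheckNoNewAccess pattern; the value comes from the validator rather than from a user, but passing it via `env: { RESULT: ${{ ... }} }` and echoing `"$RESULT"` removes the expression-injection shape at no cost. The CHECK_ACCESS_NOT_GRANTED step now sends both `actions:` and `resources:` while the comments say only one is required, so a user who fills in only `ACTIONS` still ships the `MY_LIST_OF_RESOURCES` placeholder; the comment should say the unused variable must be left empty.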
|
||||
|
||||
@@ -21,7 +21,8 @@ env:
|
||||
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
|
||||
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
|
||||
TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
|
||||
@@ -48,7 +49,7 @@ jobs:
|
||||
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer ValidatePolicy check
|
||||
id: run-aws-validate-policy
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "VALIDATE_POLICY"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
@@ -60,11 +61,12 @@ jobs:
|
||||
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
|
||||
id: run-aws-check-access-not-granted
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
actions: ${{ env.ACTIONS }}
|
||||
resources: ${{ env.RESOURCES }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_ACCESS_NOT_GRANTED check
|
||||
- name: Print the result for CheckAccessNotGranted check
|
||||
@@ -74,7 +76,7 @@ jobs:
|
||||
# reference-policy is stored in GitHub secrets
|
||||
- name: Run AWS AccessAnalyzer CheckNoNewAccess check
|
||||
id: run-aws-check-no-new-access
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_NEW_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
@@ -85,3 +87,15 @@ jobs:
|
||||
- name: Print the result CheckNoNewAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
|
||||
# Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckNoPublicAccess check
|
||||
id: run-aws-check-no-public-access
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_NO_PUBLIC_ACCESS check
|
||||
- name: Print the result for CheckNoPublicAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
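Review bot: A user who fills in only one of `ACTIONS` / `RESOURCES`, which the rewritten env comments now permit, still hands the other placeholder (`MY_LIST_OF_ACTIONS` or `MY_LIST_OF_RESOURCES`) to the CheckAccessNotGranted step, because that step passes both `actions: ${{ env.ACTIONS }}` and `resources: ${{ env.RESOURCES }}` unconditionally. The two comments should say what to do with the unused variable, for instance ending the `ACTIONS` comment with `Leave this empty if you only use RESOURCES.` and the `RESOURCES` comment with the mirror sentence; whether the action accepts an empty input cannot be confirmed from this diff and should be checked against its README. The added CheckNoPublicAccess step follows the existing SHA-pinned style, which is the right call for a workflow that gates IAM policy changes, though its version annotation is written `#v1.0.2` while the other pins on this page use `# v1.4.0` with a space, so `# v1.0.2` would be consistent and is the form yamllint's comments rule accepts.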
|
||||
|
||||
@@ -44,6 +44,6 @@ jobs:
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF results file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
# The service need to know the type of IaC being scanned
|
||||
template_type: 'CFT'
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
# Results are generated only on a success or failure
|
||||
# this is required since GitHub by default won't run the next step
|
||||
# when the previous one has failed.
|
||||
|
||||
@@ -33,6 +33,6 @@ jobs:
|
||||
uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287
|
||||
|
||||
- name: Upload Security Analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: puppet-lint-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -47,6 +47,6 @@ jobs:
|
||||
"
|
||||
|
||||
- name: Upload Sarif output
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: rubocop.sarif
|
||||
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: rust-clippy-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -68,6 +68,6 @@ jobs:
|
||||
# Upload the results to GitHub's code scanning dashboard (optional).
|
||||
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
|
||||
- name: "Upload to code-scanning"
|
||||
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
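Review bot: The new `uses: github/codeql-action/upload-sarif@v3` line replaces a full-commit pin annotated `# v3.24.9` with a mutable major tag, which weakens the supply-chain posture this particular workflow had: a tag can be re-pointed by whoever controls the repository, a commit hash cannot. Every other upload-sarif section on this page only bumps tags that were already floating, so this is the one hunk where the commit is a regression rather than a refresh. Keeping the hash and bumping it instead, `uses: github/codeql-action/upload-sarif@<sha-of-the-v3-release-you-want> # v3.x.y` (placeholder to be filled from the action's release page), preserves the pin while still moving off the old version.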
|
||||
|
||||
@@ -38,4 +38,4 @@ jobs:
|
||||
uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
|
||||
|
||||
- name: Upload sarif
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
|
||||
@@ -43,7 +43,7 @@ jobs:
|
||||
|
||||
# Upload SARIF file generated in previous step
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: semgrep.sarif
|
||||
if: always()
|
||||
|
||||
@@ -50,6 +50,6 @@ jobs:
|
||||
image: your/image-to-test
|
||||
args: --file=Dockerfile
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: snyk.sarif
|
||||
|
||||
@@ -49,6 +49,6 @@ jobs:
|
||||
# or `main.tf` for a Terraform configuration file
|
||||
file: your-file-to-test.yaml
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: snyk.sarif
|
||||
|
||||
@@ -43,9 +43,9 @@ jobs:
|
||||
|
||||
# For Snyk Open Source you must first set up the development environment for your application's dependencies
|
||||
# For example for Node
|
||||
#- uses: actions/setup-node@v3
|
||||
#- uses: actions/setup-node@v4
|
||||
# with:
|
||||
# node-version: 16
|
||||
# node-version: 20
|
||||
|
||||
env:
|
||||
# This is where you will need to introduce the Snyk API token created with your Snyk account
|
||||
@@ -74,6 +74,6 @@ jobs:
|
||||
|
||||
# Push the Snyk Code results into GitHub Code Scanning tab
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: snyk-code.sarif
|
||||
|
||||
@@ -36,6 +36,6 @@ jobs:
|
||||
- id: run-action
|
||||
uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912
|
||||
- name: Upload report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -46,13 +46,12 @@ jobs:
|
||||
- name: Analyze with SonarCloud
|
||||
|
||||
# You can pin the exact commit or the version.
|
||||
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
|
||||
uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
|
||||
# uses: SonarSource/sonarcloud-github-action@v2.2.0
|
||||
uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
|
||||
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
|
||||
with:
|
||||
# Additional arguments for the sonarcloud scanner
|
||||
# Additional arguments for the SonarScanner CLI
|
||||
args:
|
||||
# Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
|
||||
# mandatory
|
||||
@@ -60,9 +59,9 @@ jobs:
|
||||
-Dsonar.organization=
|
||||
# Comma-separated paths to directories containing main source files.
|
||||
#-Dsonar.sources= # optional, default is project base directory
|
||||
# When you need the analysis to take place in a directory other than the one from which it was launched
|
||||
#-Dsonar.projectBaseDir= # optional, default is .
|
||||
# Comma-separated paths to directories containing test source files.
|
||||
#-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
|
||||
# Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
|
||||
#-Dsonar.verbose= # optional, default is false
|
||||
# When you need the analysis to take place in a directory other than the one from which it was launched, default is .
|
||||
projectBaseDir: .
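Review bot: The new pin `uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216` carries no version annotation, unlike the other SHA pins on this page (`# v1.4.0`, `# v3.24.9`), and the commented-out `@v2.2.0` line above it is the only hint of which release the hash corresponds to. If that hash is the v2.2.0 commit, `uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 # v2.2.0` keeps the pin readable and lets update tooling recognise it; if it is not, the comment above is misleading and should name the right tag. The `projectBaseDir: .` input added at the end of the second hunk follows the multi-line `args:` value, so its indentation must match `args:` exactly to be read as a sibling `with:` key rather than absorbed into that value, which the rendered view cannot confirm.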
|
||||
|
||||
@@ -71,7 +71,7 @@ jobs:
|
||||
|
||||
- name: Upload SARIF file
|
||||
if: ${{steps.prescription.outputs.sastScan == 'true' }}
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: workflowengine-results.sarif.json
|
||||
|
||||
@@ -55,7 +55,7 @@ jobs:
|
||||
# Sysdig inline scanner requires privileged rights
|
||||
run-as-user: root
|
||||
|
||||
- uses: github/codeql-action/upload-sarif@v2
|
||||
- uses: github/codeql-action/upload-sarif@v3
|
||||
#Upload SARIF file
|
||||
if: always()
|
||||
with:
|
||||
|
||||
@@ -32,7 +32,7 @@ jobs:
|
||||
sarif_file: tfsec.sarif
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: tfsec.sarif
|
||||
|
||||
@@ -43,6 +43,6 @@ jobs:
|
||||
severity: 'CRITICAL,HIGH'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
|
||||
@@ -42,7 +42,7 @@ jobs:
|
||||
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
|
||||
- run: unzip -o pipeline-scan-LATEST.zip
|
||||
|
||||
- uses: actions/setup-java@v3
|
||||
- uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: 8
|
||||
distribution: 'temurin'
|
||||
@@ -53,7 +53,7 @@ jobs:
|
||||
uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
|
||||
with:
|
||||
pipeline-results-json: results.json
|
||||
- uses: github/codeql-action/upload-sarif@v2
|
||||
- uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: veracode-results.sarif
|
||||
|
||||
@@ -62,7 +62,7 @@ jobs:
|
||||
# Set up the correct Java version for your project
|
||||
# Please comment out, if your project does not contain Java source code.
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: 11
|
||||
distribution: 'temurin'
|
||||
@@ -95,6 +95,6 @@ jobs:
|
||||
*-Findings-List.sarif
|
||||
|
||||
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
|
||||
- uses: github/codeql-action/upload-sarif@v2
|
||||
- uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: Xanitizer-Findings-List.sarif
|
||||
|
||||
@@ -51,6 +51,6 @@ jobs:
|
||||
#Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
|
||||
- name: Upload SARIF file
|
||||
if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}
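Review bot: `sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}` on the line after the bumped `uses:` reads the step output without the `.outputs` segment, so it evaluates to an empty string, while the `if:` two lines above correctly uses `steps.zscaler-iac-scan.outputs.sarif_file_path`. The version bump leaves this as is; `sarif_file: ${{ steps.zscaler-iac-scan.outputs.sarif_file_path }}` would make the upload actually receive the path. The `if:` expression also mixes `||` and `&&` without parentheses, and since `&&` binds tighter in Actions expressions the path check only applies on failure, so `(success() || failure()) && steps.zscaler-iac-scan.outputs.sarif_file_path != ''` is presumably what was intended.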
|
||||
|
||||
@@ -55,6 +55,6 @@ jobs:
|
||||
app_file: app-release-unsigned.apk
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: Zimperium.sarif
|
||||
|
||||
@@ -42,7 +42,7 @@ jobs:
|
||||
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
|
||||
|
||||
- name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment
|
||||
uses: actions/setup-dotnet@v3
|
||||
uses: actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: ${{ env.DOTNET_VERSION }}
|
||||
|
||||
|
||||
@@ -28,6 +28,7 @@ permissions:
|
||||
env:
|
||||
AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
|
||||
BUILD_GRADLE_DIRECTORY: '.' # set this to the directory which contains build.gradle file
|
||||
DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft')
|
||||
JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17')
|
||||
|
||||
jobs:
|
||||
@@ -47,8 +48,9 @@ jobs:
|
||||
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
|
||||
|
||||
- name: Setup Java Sdk ${{ env.JAVA_VERSION }}
|
||||
uses: actions/setup-java@v1
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
distribution: ${{ env.DISTRIBUTION }}
|
||||
java-version: ${{ env.JAVA_VERSION }}
|
||||
|
||||
# Build function project with functions gradle plugin
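Review bot: The added `DISTRIBUTION: 'zulu'` line in the env block carries the comment `# set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft')`, copied from the `JAVA_VERSION` line below it; the examples are distributions, not versions, so the comment should read `# set this to the java distribution to use (e.g. 'zulu', 'temurin', 'microsoft')`. The same copied comment appears on the `DISTRIBUTION` line added to the Maven variant's env block further down this page. The move to `actions/setup-java@v4` with an explicit `distribution:` input is otherwise right, since that input became mandatory in v2 of the action.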
|
||||
|
||||
@@ -25,6 +25,7 @@ on:
|
||||
env:
|
||||
AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
|
||||
POM_XML_DIRECTORY: '.' # set this to the directory which contains pom.xml file
|
||||
DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft')
|
||||
JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17')
|
||||
|
||||
jobs:
|
||||
@@ -42,8 +43,9 @@ jobs:
|
||||
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
|
||||
|
||||
- name: Setup Java Sdk ${{ env.JAVA_VERSION }}
|
||||
uses: actions/setup-java@v1
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
distribution: ${{ env.DISTRIBUTION }}
|
||||
java-version: ${{ env.JAVA_VERSION }}
|
||||
|
||||
- name: 'Restore Project Dependencies Using Mvn'
|
||||
|
||||
@@ -27,7 +27,7 @@ on:
|
||||
env:
|
||||
AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
|
||||
AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root
|
||||
NODE_VERSION: '16.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x')
|
||||
NODE_VERSION: '20.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x')
|
||||
|
||||
jobs:
|
||||
build-and-deploy:
|
||||
@@ -44,7 +44,7 @@ jobs:
|
||||
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
|
||||
|
||||
- name: Setup Node ${{ env.NODE_VERSION }} Environment
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ env.NODE_VERSION }}
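Review bot: The rewritten line `NODE_VERSION: '20.x'` keeps the comment `# set this to the node version to use (e.g. '8.x', '10.x', '12.x')`, whose examples are all end-of-life releases and now older than the default itself; `# set this to the node version to use (e.g. '18.x', '20.x')` would match the intent of the bump. Quoting the value is correct and should stay: `'20.x'` is a string for every YAML parser, whereas a bare major like `20` would be read as an integer by generic tooling.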
|
||||
|
||||
|
||||
@@ -40,7 +40,7 @@ jobs:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set up .NET Core
|
||||
uses: actions/setup-dotnet@v2
|
||||
uses: actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: ${{ env.DOTNET_VERSION }}
|
||||
|
||||
|
||||
@@ -40,7 +40,7 @@ jobs:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set up Java version
|
||||
uses: actions/setup-java@v3.0.0
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: ${{ env.JAVA_VERSION }}
|
||||
distribution: ${{ env.DISTRIBUTION }}
|
||||
|
||||
@@ -40,7 +40,7 @@ jobs:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set up Java version
|
||||
uses: actions/setup-java@v3.0.0
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: ${{ env.JAVA_VERSION }}
|
||||
distribution: ${{ env.DISTRIBUTION }}
|
||||
|
||||
@@ -25,7 +25,7 @@ on:
|
||||
env:
|
||||
AZURE_WEBAPP_NAME: your-app-name # set this to your application's name
|
||||
AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
|
||||
NODE_VERSION: '14.x' # set this to the node version to use
|
||||
NODE_VERSION: '20.x' # set this to the node version to use
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
@@ -37,7 +37,7 @@ jobs:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set up Node.js
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ env.NODE_VERSION }}
|
||||
cache: 'npm'
|
||||
|
||||
+2
-3
@@ -31,7 +31,7 @@ jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
HUGO_VERSION: 0.124.1
|
||||
HUGO_VERSION: 0.128.0
|
||||
steps:
|
||||
- name: Install Hugo CLI
|
||||
run: |
|
||||
@@ -50,9 +50,8 @@ jobs:
|
||||
run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
|
||||
- name: Build with Hugo
|
||||
env:
|
||||
# For maximum backward compatibility with Hugo modules
|
||||
HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache
|
||||
HUGO_ENVIRONMENT: production
|
||||
HUGO_ENV: production
|
||||
run: |
|
||||
hugo \
|
||||
--minify \
|
||||
|
||||