Merge branch 'main' into bump-actions-labeler
This commit is contained in:
@@ -15,9 +15,9 @@ jobs:
|
||||
git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
|
||||
git config user.email "cschleiden@github.com"
|
||||
git config user.name "GitHub Actions"
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: '16'
|
||||
node-version: '20'
|
||||
cache: 'npm'
|
||||
cache-dependency-path: script/sync-ghes/package-lock.json
|
||||
- name: Check starter workflows for GHES compat
|
||||
|
||||
@@ -12,9 +12,9 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: '16'
|
||||
node-version: '20'
|
||||
cache: 'npm'
|
||||
cache-dependency-path: script/validate-data/package-lock.json
|
||||
|
||||
|
||||
+1
-1
@@ -14,7 +14,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
|
||||
@@ -29,7 +29,7 @@ jobs:
|
||||
# Run Synthetic tests within your GitHub workflow.
|
||||
# For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
|
||||
- name: Run Datadog Synthetic tests
|
||||
uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e
|
||||
uses: DataDog/synthetics-ci-github-action@87b505388a22005bb8013481e3f73a367b9a53eb # v1.4.0
|
||||
with:
|
||||
api_key: ${{secrets.DD_API_KEY}}
|
||||
app_key: ${{secrets.DD_APP_KEY}}
|
||||
|
||||
@@ -41,9 +41,9 @@ jobs:
|
||||
# https://github.com/sigstore/cosign-installer
|
||||
- name: Install cosign
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
|
||||
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
|
||||
with:
|
||||
cosign-release: 'v2.1.1'
|
||||
cosign-release: 'v2.2.4'
|
||||
|
||||
# Set up BuildKit Docker container builder to be able to build
|
||||
# multi-platform images and export cache
|
||||
|
||||
@@ -30,7 +30,7 @@ jobs:
|
||||
settings-path: ${{ github.workspace }} # location for the settings.xml file
|
||||
|
||||
- name: Setup Gradle
|
||||
uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
|
||||
uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2
|
||||
|
||||
- name: Build with Gradle
|
||||
run: ./gradlew build
|
||||
|
||||
+4
-4
@@ -28,10 +28,10 @@ jobs:
|
||||
java-version: '17'
|
||||
distribution: 'temurin'
|
||||
|
||||
# Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies.
|
||||
# Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies.
|
||||
# See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md
|
||||
- name: Setup Gradle
|
||||
uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
|
||||
uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2
|
||||
|
||||
- name: Build with Gradle Wrapper
|
||||
run: ./gradlew build
|
||||
@@ -40,7 +40,7 @@ jobs:
|
||||
# If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version.
|
||||
#
|
||||
# - name: Setup Gradle
|
||||
# uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
|
||||
# uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2
|
||||
# with:
|
||||
# gradle-version: '8.5'
|
||||
#
|
||||
@@ -64,4 +64,4 @@ jobs:
|
||||
# Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies.
|
||||
# See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md
|
||||
- name: Generate and submit dependency graph
|
||||
uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
|
||||
uses: gradle/actions/dependency-submission@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2
|
||||
|
||||
@@ -18,7 +18,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
|
||||
+1
-1
@@ -22,7 +22,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 17
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '17'
|
||||
distribution: 'temurin'
|
||||
|
||||
+2
-2
@@ -16,13 +16,13 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
node-version: [18.x, 20.x, 22.x]
|
||||
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Use Node.js ${{ matrix.node-version }}
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ matrix.node-version }}
|
||||
cache: 'npm'
|
||||
|
||||
+2
-2
@@ -12,13 +12,13 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
node-version: [18.x, 20.x, 22.x]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Use Node.js ${{ matrix.node-version }}
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ matrix.node-version }}
|
||||
|
||||
|
||||
+2
-2
@@ -12,13 +12,13 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
node-version: [18.x, 20.x, 22.x]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Use Node.js ${{ matrix.node-version }}
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ matrix.node-version }}
|
||||
|
||||
|
||||
@@ -12,9 +12,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 16
|
||||
node-version: 20
|
||||
- run: npm ci
|
||||
- run: npm test
|
||||
|
||||
@@ -26,9 +26,9 @@ jobs:
|
||||
packages: write
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 16
|
||||
node-version: 20
|
||||
registry-url: $registry-url(npm)
|
||||
- run: npm ci
|
||||
- run: npm publish
|
||||
|
||||
+4
-4
@@ -12,9 +12,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 16
|
||||
node-version: 20
|
||||
- run: npm ci
|
||||
- run: npm test
|
||||
|
||||
@@ -23,9 +23,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 16
|
||||
node-version: 20
|
||||
registry-url: https://registry.npmjs.org/
|
||||
- run: npm ci
|
||||
- run: npm publish
|
||||
|
||||
+4
-2
@@ -30,7 +30,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
# Add or replace dependency steps here
|
||||
- name: Install Ruby and gems
|
||||
uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
|
||||
uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1
|
||||
with:
|
||||
bundler-cache: true
|
||||
# Add or replace database setup steps here
|
||||
@@ -46,9 +46,11 @@ jobs:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
- name: Install Ruby and gems
|
||||
uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
|
||||
uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1
|
||||
with:
|
||||
bundler-cache: true
|
||||
- name: Generate binstubs
|
||||
run: bundle binstubs bundler-audit brakeman rubocop
|
||||
# Add or replace any other lints here
|
||||
- name: Security audit dependencies
|
||||
run: bin/bundler-audit --update
|
||||
|
||||
+1
-1
@@ -22,7 +22,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
|
||||
+2
-2
@@ -12,13 +12,13 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
node-version: [18.x, 20.x, 22.x]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Use Node.js ${{ matrix.node-version }}
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ matrix.node-version }}
|
||||
|
||||
|
||||
@@ -43,6 +43,6 @@ jobs:
|
||||
fail-build: true
|
||||
severity-cutoff: critical
|
||||
- name: Upload vulnerability report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.scan.outputs.sarif }}
|
||||
|
||||
@@ -66,6 +66,6 @@ jobs:
|
||||
# The name of the sarif format result file The file is written only if this property is provided.
|
||||
sarif-result-file: "apisec-results.sarif"
|
||||
- name: Import results
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ./apisec-results.sarif
|
||||
|
||||
@@ -38,6 +38,6 @@ jobs:
|
||||
exit-code: 0
|
||||
# Upload SARIF file generated in previous step
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -53,6 +53,6 @@ jobs:
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: output.sarif.json
|
||||
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One
|
||||
additional_params: --report-format sarif --output-path .
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: cx_result.sarif
|
||||
|
||||
@@ -50,6 +50,6 @@ jobs:
|
||||
params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }}
|
||||
# Upload the Report for CodeQL/Security Alerts
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: cx.sarif
|
||||
|
||||
@@ -38,7 +38,7 @@ jobs:
|
||||
fail-on-result: 'false'
|
||||
|
||||
- name: Upload analysis results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -48,7 +48,7 @@ jobs:
|
||||
fail-on-result: false
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{github.workspace}}/clj-watson-results.sarif
|
||||
wait-for-processing: true
|
||||
@@ -50,7 +50,7 @@ jobs:
|
||||
cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
|
||||
# is needed to ensure the SARIF file is uploaded
|
||||
if: always()
|
||||
|
||||
@@ -56,6 +56,6 @@ jobs:
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF results file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -76,6 +76,7 @@ jobs:
|
||||
# ℹ️ Command-line programs to run using the OS shell.
|
||||
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
|
||||
- if: matrix.build-mode == 'manual'
|
||||
shell: bash
|
||||
run: |
|
||||
echo 'If you are using a "manual" build mode for one or more of the' \
|
||||
'languages you are analyzing, replace this with the commands to build' \
|
||||
|
||||
@@ -44,6 +44,6 @@ jobs:
|
||||
organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
|
||||
projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: codescan.sarif
|
||||
|
||||
@@ -48,6 +48,6 @@ jobs:
|
||||
authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
|
||||
#Upload the results to GitHub
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
|
||||
|
||||
@@ -94,9 +94,9 @@ jobs:
|
||||
#
|
||||
# Example:
|
||||
# - name: Setup Node
|
||||
# uses: actions/setup-node@v2
|
||||
# uses: actions/setup-node@v4
|
||||
# with:
|
||||
# node-version: '14'
|
||||
# node-version: '20'
|
||||
|
||||
# https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md
|
||||
- name: Install CRDA CLI
|
||||
|
||||
@@ -55,7 +55,7 @@ jobs:
|
||||
- name: credo-scan
|
||||
run: mix credo --format=sarif > credo_output.sarif
|
||||
- name: upload sarif
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: credo_output.sarif
|
||||
|
||||
@@ -42,6 +42,6 @@ jobs:
|
||||
# Setting a SARIF output will generate a file named "datree.sarif" containing your test results
|
||||
cliArguments: "-o sarif"
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: datree.sarif
|
||||
|
||||
@@ -33,7 +33,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-dotnet@v3
|
||||
- uses: actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: |
|
||||
5.0.x
|
||||
@@ -42,6 +42,6 @@ jobs:
|
||||
uses: microsoft/security-devops-action@v1.6.0
|
||||
id: msdo
|
||||
- name: Upload results to Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
|
||||
|
||||
@@ -111,7 +111,7 @@ jobs:
|
||||
)" > ${{ github.workspace }}/detekt.sarif.json
|
||||
|
||||
# Uploads results to GitHub repository using the upload-sarif action
|
||||
- uses: github/codeql-action/upload-sarif@v2
|
||||
- uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: ${{ github.workspace }}/detekt.sarif.json
|
||||
|
||||
@@ -29,6 +29,6 @@ jobs:
|
||||
uses: microsoft/DevSkim-Action@v1
|
||||
|
||||
- name: Upload DevSkim scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: devskim-results.sarif
|
||||
|
||||
@@ -26,7 +26,7 @@ jobs:
|
||||
### Use this section to define the build steps used by your software package.
|
||||
### Endor Labs builds your software for you where possible but the required build tools must be made available.
|
||||
# - name: Setup Java
|
||||
# uses: actions/setup-java@v3
|
||||
# uses: actions/setup-java@v4
|
||||
# with:
|
||||
# distribution: 'microsoft'
|
||||
# java-version: '17'
|
||||
@@ -46,6 +46,6 @@ jobs:
|
||||
ci_run: "false"
|
||||
sarif_file: findings.sarif
|
||||
- name: Upload SARIF to github
|
||||
uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: findings.sarif
|
||||
|
||||
@@ -44,7 +44,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: eslint-results.sarif
|
||||
wait-for-processing: true
|
||||
@@ -63,7 +63,7 @@ jobs:
|
||||
sarif-result-file: "ethicalcheck-results.sarif"
|
||||
|
||||
- name: Upload sarif file to repository
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ./ethicalcheck-results.sarif
|
||||
|
||||
|
||||
@@ -33,6 +33,6 @@ jobs:
|
||||
output: 'flawfinder_results.sarif'
|
||||
|
||||
- name: Upload analysis results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{github.workspace}}/flawfinder_results.sarif
|
||||
+51
-65
@@ -4,32 +4,31 @@
|
||||
# documentation.
|
||||
|
||||
################################################################################################################################################
|
||||
# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
|
||||
# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
|
||||
# or contact our sales team, visit microfocus.com/appsecurity. #
|
||||
# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your #
|
||||
# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. #
|
||||
# #
|
||||
# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.#
|
||||
# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into #
|
||||
# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against #
|
||||
# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the #
|
||||
# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional #
|
||||
# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. #
|
||||
# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template #
|
||||
# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security #
|
||||
# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product #
|
||||
# documentation. If you need additional assistance, please contact Fortify support. #
|
||||
################################################################################################################################################
|
||||
|
||||
name: Fortify on Demand Scan
|
||||
name: Fortify AST Scan
|
||||
|
||||
# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
|
||||
# Customize trigger events based on your DevSecOps process and/or policy
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
FoD-SAST-Scan:
|
||||
# Use the appropriate runner for building your source code.
|
||||
# TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
|
||||
Fortify-AST-Scan:
|
||||
# Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc).
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
@@ -41,58 +40,45 @@ jobs:
|
||||
- name: Check Out Source Code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Java is required to run the various Fortify utilities.
|
||||
# When scanning a Java application, please use the appropriate Java version for building your application.
|
||||
# Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner.
|
||||
- name: Setup Java
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: 8
|
||||
java-version: 17
|
||||
distribution: 'temurin'
|
||||
|
||||
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
|
||||
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
|
||||
# ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
|
||||
# ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
|
||||
# ScanCentral has additional options that should be set for PHP and Python projects
|
||||
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
|
||||
# ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
|
||||
- name: Download Fortify ScanCentral Client
|
||||
uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3
|
||||
- name: Package Code + Dependencies
|
||||
run: scancentral package $PACKAGE_OPTS -o package.zip
|
||||
env:
|
||||
PACKAGE_OPTS: "-bt mvn"
|
||||
|
||||
# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
|
||||
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
|
||||
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
|
||||
# Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
|
||||
- name: Download Fortify on Demand Universal CI Tool
|
||||
uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433
|
||||
- name: Perform SAST Scan
|
||||
run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
|
||||
env:
|
||||
FOD_URL: "https://ams.fortify.com/"
|
||||
FOD_API_URL: "https://api.ams.fortify.com/"
|
||||
FOD_TENANT: ${{ secrets.FOD_TENANT }}
|
||||
FOD_USER: ${{ secrets.FOD_USER }}
|
||||
FOD_PAT: ${{ secrets.FOD_PAT }}
|
||||
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
|
||||
FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
|
||||
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
|
||||
|
||||
# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
|
||||
- name: Export results to GitHub-optimized SARIF
|
||||
uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b
|
||||
# Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then
|
||||
# optionally export SAST results to the GitHub code scanning dashboard. In case further customization is
|
||||
# required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
|
||||
# and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for
|
||||
# details.
|
||||
- name: Run FoD SAST Scan
|
||||
uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418
|
||||
with:
|
||||
fod_base_url: "https://ams.fortify.com/"
|
||||
fod_tenant: ${{ secrets.FOD_TENANT }}
|
||||
fod_user: ${{ secrets.FOD_USER }}
|
||||
fod_password: ${{ secrets.FOD_PAT }}
|
||||
fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
|
||||
|
||||
# Import Fortify on Demand results to GitHub Security Code Scanning
|
||||
- name: Import Results
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: ./gh-fortify-sast.sarif
|
||||
sast-scan: true
|
||||
env:
|
||||
### Required configuration when integrating with Fortify on Demand
|
||||
FOD_URL: https://ams.fortify.com
|
||||
FOD_TENANT: ${{secrets.FOD_TENANT}}
|
||||
FOD_USER: ${{secrets.FOD_USER}}
|
||||
FOD_PASSWORD: ${{secrets.FOD_PAT}}
|
||||
### Optional configuration when integrating with Fortify on Demand
|
||||
# EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if
|
||||
# Debricked SCA scan is enabled on Fortify on Demand
|
||||
# EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
|
||||
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>; may
|
||||
# replace app+release name with numeric release ID
|
||||
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
|
||||
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
|
||||
### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
|
||||
# SSC_URL: ${{secrets.SSC_URL}} # SSC URL
|
||||
# SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken
|
||||
# SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token
|
||||
# SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan;
|
||||
# usually defined as organization or repo variable
|
||||
### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
|
||||
# EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
|
||||
# SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: <org>/<repo>:<branch>
|
||||
# EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options
|
||||
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
|
||||
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
|
||||
|
||||
@@ -5,9 +5,9 @@
|
||||
# Frogbot Scan and Fix does the following:
|
||||
# Automatically creates pull requests with fixes for vulnerable project dependencies.
|
||||
# Uses JFrog Xray to scan the project.
|
||||
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
|
||||
# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot
|
||||
|
||||
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration
|
||||
|
||||
name: "Frogbot Scan and Fix"
|
||||
on:
|
||||
@@ -23,11 +23,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
# IMPORTANT:
|
||||
# 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
|
||||
# 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
|
||||
- uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0
|
||||
- uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2
|
||||
env:
|
||||
# [Mandatory if the two conditions below are met]
|
||||
# 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
|
||||
|
||||
@@ -5,9 +5,9 @@
|
||||
# Frogbot Scan Pull Request does the following:
|
||||
# Automatically scans new pull requests for security vulnerabilities.
|
||||
# Uses JFrog Xray to scan the project.
|
||||
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
|
||||
# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot
|
||||
|
||||
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration
|
||||
|
||||
name: "Frogbot Scan Pull Request"
|
||||
on:
|
||||
@@ -21,18 +21,14 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
# A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
|
||||
# "frogbot" GitHub environment can approve the pull request to be scanned.
|
||||
# Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md
|
||||
# Read more here (Install Frogbot Using GitHub Actions): https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-github-actions
|
||||
environment: frogbot
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
|
||||
# IMPORTANT:
|
||||
# 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
|
||||
# 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
|
||||
- uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0
|
||||
- uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2
|
||||
env:
|
||||
# [Mandatory if the two conditions below are met]
|
||||
# 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
|
||||
|
||||
@@ -41,7 +41,7 @@ jobs:
|
||||
no-fail: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: hadolint-results.sarif
|
||||
wait-for-processing: true
|
||||
@@ -28,9 +28,9 @@ jobs:
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 18
|
||||
node-version: 20
|
||||
- run: npm ci
|
||||
- run: npm run build
|
||||
- name: Jscrambler Code Integrity
|
||||
|
||||
@@ -36,6 +36,6 @@ jobs:
|
||||
exit-code: "0"
|
||||
|
||||
- name: Upload Kubesec scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: kubesec-results.sarif
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: lintr-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -61,6 +61,6 @@ jobs:
|
||||
sarif-report: mapi.sarif
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: mapi.sarif
|
||||
|
||||
@@ -38,6 +38,6 @@ jobs:
|
||||
args: . --sarif --output results.sarif || true
|
||||
|
||||
- name: Upload mobsfscan report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -54,7 +54,7 @@ jobs:
|
||||
|
||||
# Upload SARIF file to GitHub Code Scanning Alerts
|
||||
- name: Upload SARIF to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
|
||||
|
||||
|
||||
@@ -37,6 +37,6 @@ jobs:
|
||||
with:
|
||||
args: '. --sarif --output results.sarif || true'
|
||||
- name: Upload njsscan report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -47,6 +47,6 @@ jobs:
|
||||
group_id: {{ groupId }} # Update this to your desired Platform group ID
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: NowSecure.sarif
|
||||
|
||||
@@ -40,7 +40,7 @@ jobs:
|
||||
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
|
||||
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
|
||||
# - name: Install .NET
|
||||
# uses: actions/setup-dotnet@v2
|
||||
# uses: actions/setup-dotnet@v4
|
||||
# with:
|
||||
# dotnet-version: '3.1.x'
|
||||
|
||||
@@ -51,6 +51,6 @@ jobs:
|
||||
|
||||
# Upload results to the Security tab
|
||||
- name: Upload OSSAR results
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
|
||||
|
||||
@@ -51,7 +51,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: phpmd-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -26,7 +26,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
@@ -38,6 +38,6 @@ jobs:
|
||||
sourcePath: 'src/main/java'
|
||||
analyzeModifiedFilesOnly: false
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: pmd-report.sarif
|
||||
|
||||
@@ -20,7 +20,8 @@ env:
|
||||
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
|
||||
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
|
||||
TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template.
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
jobs:
|
||||
@@ -45,7 +46,7 @@ jobs:
|
||||
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer ValidatePolicy check
|
||||
id: run-aws-validate-policy
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "VALIDATE_POLICY"
|
||||
template-path: ${{ env.TEMPLATE_PATH}}
|
||||
@@ -57,11 +58,12 @@ jobs:
|
||||
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
|
||||
id: run-aws-check-access-not-granted
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
|
||||
template-path: ${{ env.TEMPLATE_PATH}}
|
||||
actions: ${{ env.ACTIONS }}
|
||||
resources: ${{ env.RESOURCES }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_ACCESS_NOT_GRANTED check
|
||||
- name: Print the result for CheckAccessNotGranted check
|
||||
@@ -71,14 +73,26 @@ jobs:
|
||||
# reference-policy is stored in GitHub secrets
|
||||
- name: Run AWS AccessAnalyzer CheckNoNewAccess check
|
||||
id: run-aws-check-no-new-access
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_NEW_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH}}
|
||||
reference-policy: ${{ env.REFERENCE }}
|
||||
reference-policy: ${{ env.REFERENCE_POLICY }}
|
||||
reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
|
||||
region: ${{env.REGION }}
|
||||
# Print result from CHECK_NO_NEW_ACCESS check
|
||||
- name: Print the result for CheckNoNewAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
|
||||
# Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckNoPublicAccess check
|
||||
id: run-aws-check-no-public-access
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_NO_PUBLIC_ACCESS check
|
||||
- name: Print the result for CheckNoPublicAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
|
||||
|
||||
@@ -21,7 +21,8 @@ env:
|
||||
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
|
||||
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
|
||||
TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
|
||||
@@ -48,7 +49,7 @@ jobs:
|
||||
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer ValidatePolicy check
|
||||
id: run-aws-validate-policy
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "VALIDATE_POLICY"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
@@ -60,11 +61,12 @@ jobs:
|
||||
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
|
||||
id: run-aws-check-access-not-granted
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
actions: ${{ env.ACTIONS }}
|
||||
resources: ${{ env.RESOURCES }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_ACCESS_NOT_GRANTED check
|
||||
- name: Print the result for CheckAccessNotGranted check
|
||||
@@ -74,7 +76,7 @@ jobs:
|
||||
# reference-policy is stored in GitHub secrets
|
||||
- name: Run AWS AccessAnalyzer CheckNoNewAccess check
|
||||
id: run-aws-check-no-new-access
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_NEW_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
@@ -85,3 +87,15 @@ jobs:
|
||||
- name: Print the result CheckNoNewAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
|
||||
# Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckNoPublicAccess check
|
||||
id: run-aws-check-no-public-access
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_NO_PUBLIC_ACCESS check
|
||||
- name: Print the result for CheckNoPublicAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
|
||||
|
||||
@@ -44,6 +44,6 @@ jobs:
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF results file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
# The service need to know the type of IaC being scanned
|
||||
template_type: 'CFT'
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
# Results are generated only on a success or failure
|
||||
# this is required since GitHub by default won't run the next step
|
||||
# when the previous one has failed.
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "Fortify on Demand Scan",
|
||||
"creator": "Micro Focus",
|
||||
"description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.",
|
||||
"name": "Fortify Scan",
|
||||
"creator": "OpenText",
|
||||
"description": "Integrate Fortify's comprehensive static code analysis (SAST) for 33+ languages into your DevSecOps workflows.",
|
||||
"iconName": "fortify",
|
||||
"categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"]
|
||||
"categories": ["Code Scanning", "ABAP", "ActionScript", "Bicep", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Dart", "Go", "HCL", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Solidity", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML", "YAML"]
|
||||
}
|
||||
|
||||
@@ -33,6 +33,6 @@ jobs:
|
||||
uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287
|
||||
|
||||
- name: Upload Security Analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: puppet-lint-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -47,6 +47,6 @@ jobs:
|
||||
"
|
||||
|
||||
- name: Upload Sarif output
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: rubocop.sarif
|
||||
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: rust-clippy-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -68,6 +68,6 @@ jobs:
|
||||
# Upload the results to GitHub's code scanning dashboard (optional).
|
||||
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
|
||||
- name: "Upload to code-scanning"
|
||||
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -38,4 +38,4 @@ jobs:
|
||||
uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
|
||||
|
||||
- name: Upload sarif
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
|
||||
@@ -43,7 +43,7 @@ jobs:
|
||||
|
||||
# Upload SARIF file generated in previous step
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: semgrep.sarif
|
||||
if: always()
|
||||
|
||||
@@ -50,6 +50,6 @@ jobs:
|
||||
image: your/image-to-test
|
||||
args: --file=Dockerfile
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: snyk.sarif
|
||||
|
||||
@@ -49,6 +49,6 @@ jobs:
|
||||
# or `main.tf` for a Terraform configuration file
|
||||
file: your-file-to-test.yaml
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: snyk.sarif
|
||||
|
||||
@@ -43,9 +43,9 @@ jobs:
|
||||
|
||||
# For Snyk Open Source you must first set up the development environment for your application's dependencies
|
||||
# For example for Node
|
||||
#- uses: actions/setup-node@v3
|
||||
#- uses: actions/setup-node@v4
|
||||
# with:
|
||||
# node-version: 16
|
||||
# node-version: 20
|
||||
|
||||
env:
|
||||
# This is where you will need to introduce the Snyk API token created with your Snyk account
|
||||
@@ -74,6 +74,6 @@ jobs:
|
||||
|
||||
# Push the Snyk Code results into GitHub Code Scanning tab
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: snyk-code.sarif
|
||||
|
||||
@@ -36,6 +36,6 @@ jobs:
|
||||
- id: run-action
|
||||
uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912
|
||||
- name: Upload report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -46,13 +46,12 @@ jobs:
|
||||
- name: Analyze with SonarCloud
|
||||
|
||||
# You can pin the exact commit or the version.
|
||||
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
|
||||
uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
|
||||
# uses: SonarSource/sonarcloud-github-action@v2.2.0
|
||||
uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
|
||||
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
|
||||
with:
|
||||
# Additional arguments for the sonarcloud scanner
|
||||
# Additional arguments for the SonarScanner CLI
|
||||
args:
|
||||
# Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
|
||||
# mandatory
|
||||
@@ -60,9 +59,9 @@ jobs:
|
||||
-Dsonar.organization=
|
||||
# Comma-separated paths to directories containing main source files.
|
||||
#-Dsonar.sources= # optional, default is project base directory
|
||||
# When you need the analysis to take place in a directory other than the one from which it was launched
|
||||
#-Dsonar.projectBaseDir= # optional, default is .
|
||||
# Comma-separated paths to directories containing test source files.
|
||||
#-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
|
||||
# Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
|
||||
#-Dsonar.verbose= # optional, default is false
|
||||
# When you need the analysis to take place in a directory other than the one from which it was launched, default is .
|
||||
projectBaseDir: .
|
||||
|
||||
@@ -71,7 +71,7 @@ jobs:
|
||||
|
||||
- name: Upload SARIF file
|
||||
if: ${{steps.prescription.outputs.sastScan == 'true' }}
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: workflowengine-results.sarif.json
|
||||
|
||||
@@ -55,7 +55,7 @@ jobs:
|
||||
# Sysdig inline scanner requires privileged rights
|
||||
run-as-user: root
|
||||
|
||||
- uses: github/codeql-action/upload-sarif@v2
|
||||
- uses: github/codeql-action/upload-sarif@v3
|
||||
#Upload SARIF file
|
||||
if: always()
|
||||
with:
|
||||
|
||||
@@ -32,7 +32,7 @@ jobs:
|
||||
sarif_file: tfsec.sarif
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: tfsec.sarif
|
||||
|
||||
@@ -43,6 +43,6 @@ jobs:
|
||||
severity: 'CRITICAL,HIGH'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
|
||||
@@ -42,7 +42,7 @@ jobs:
|
||||
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
|
||||
- run: unzip -o pipeline-scan-LATEST.zip
|
||||
|
||||
- uses: actions/setup-java@v3
|
||||
- uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: 8
|
||||
distribution: 'temurin'
|
||||
@@ -53,7 +53,7 @@ jobs:
|
||||
uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
|
||||
with:
|
||||
pipeline-results-json: results.json
|
||||
- uses: github/codeql-action/upload-sarif@v2
|
||||
- uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: veracode-results.sarif
|
||||
|
||||
@@ -62,7 +62,7 @@ jobs:
|
||||
# Set up the correct Java version for your project
|
||||
# Please comment out, if your project does not contain Java source code.
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: 11
|
||||
distribution: 'temurin'
|
||||
@@ -95,6 +95,6 @@ jobs:
|
||||
*-Findings-List.sarif
|
||||
|
||||
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
|
||||
- uses: github/codeql-action/upload-sarif@v2
|
||||
- uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: Xanitizer-Findings-List.sarif
|
||||
|
||||
@@ -51,6 +51,6 @@ jobs:
|
||||
#Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
|
||||
- name: Upload SARIF file
|
||||
if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}
|
||||
|
||||
@@ -55,6 +55,6 @@ jobs:
|
||||
app_file: app-release-unsigned.apk
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: Zimperium.sarif
|
||||
|
||||
@@ -42,7 +42,7 @@ jobs:
|
||||
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
|
||||
|
||||
- name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment
|
||||
uses: actions/setup-dotnet@v3
|
||||
uses: actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: ${{ env.DOTNET_VERSION }}
|
||||
|
||||
|
||||
@@ -28,6 +28,7 @@ permissions:
|
||||
env:
|
||||
AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
|
||||
BUILD_GRADLE_DIRECTORY: '.' # set this to the directory which contains build.gradle file
|
||||
DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft')
|
||||
JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17')
|
||||
|
||||
jobs:
|
||||
@@ -47,8 +48,9 @@ jobs:
|
||||
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
|
||||
|
||||
- name: Setup Java Sdk ${{ env.JAVA_VERSION }}
|
||||
uses: actions/setup-java@v1
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
distribution: ${{ env.DISTRIBUTION }}
|
||||
java-version: ${{ env.JAVA_VERSION }}
|
||||
|
||||
# Build function project with functions gradle plugin
|
||||
|
||||
@@ -25,6 +25,7 @@ on:
|
||||
env:
|
||||
AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
|
||||
POM_XML_DIRECTORY: '.' # set this to the directory which contains pom.xml file
|
||||
DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft')
|
||||
JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17')
|
||||
|
||||
jobs:
|
||||
@@ -42,8 +43,9 @@ jobs:
|
||||
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
|
||||
|
||||
- name: Setup Java Sdk ${{ env.JAVA_VERSION }}
|
||||
uses: actions/setup-java@v1
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
distribution: ${{ env.DISTRIBUTION }}
|
||||
java-version: ${{ env.JAVA_VERSION }}
|
||||
|
||||
- name: 'Restore Project Dependencies Using Mvn'
|
||||
|
||||
@@ -27,7 +27,7 @@ on:
|
||||
env:
|
||||
AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
|
||||
AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root
|
||||
NODE_VERSION: '16.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x')
|
||||
NODE_VERSION: '20.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x')
|
||||
|
||||
jobs:
|
||||
build-and-deploy:
|
||||
@@ -44,7 +44,7 @@ jobs:
|
||||
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
|
||||
|
||||
- name: Setup Node ${{ env.NODE_VERSION }} Environment
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ env.NODE_VERSION }}
|
||||
|
||||
|
||||
@@ -40,7 +40,7 @@ jobs:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set up .NET Core
|
||||
uses: actions/setup-dotnet@v2
|
||||
uses: actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: ${{ env.DOTNET_VERSION }}
|
||||
|
||||
|
||||
@@ -40,7 +40,7 @@ jobs:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set up Java version
|
||||
uses: actions/setup-java@v3.0.0
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: ${{ env.JAVA_VERSION }}
|
||||
distribution: ${{ env.DISTRIBUTION }}
|
||||
|
||||
@@ -40,7 +40,7 @@ jobs:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set up Java version
|
||||
uses: actions/setup-java@v3.0.0
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: ${{ env.JAVA_VERSION }}
|
||||
distribution: ${{ env.DISTRIBUTION }}
|
||||
|
||||
@@ -25,7 +25,7 @@ on:
|
||||
env:
|
||||
AZURE_WEBAPP_NAME: your-app-name # set this to your application's name
|
||||
AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
|
||||
NODE_VERSION: '14.x' # set this to the node version to use
|
||||
NODE_VERSION: '20.x' # set this to the node version to use
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
@@ -37,7 +37,7 @@ jobs:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set up Node.js
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ env.NODE_VERSION }}
|
||||
cache: 'npm'
|
||||
|
||||
@@ -67,11 +67,11 @@ jobs:
|
||||
# TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab.
|
||||
# For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows
|
||||
|
||||
crda-scan:
|
||||
uses: ./.github/workflows/crda.yml
|
||||
secrets:
|
||||
CRDA_KEY: ${{ secrets.CRDA_KEY }}
|
||||
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY
|
||||
#crda-scan:
|
||||
# uses: ./.github/workflows/crda.yml
|
||||
# secrets:
|
||||
# CRDA_KEY: ${{ secrets.CRDA_KEY }}
|
||||
# # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY
|
||||
|
||||
openshift-ci-cd:
|
||||
# 🖊️ Uncomment this if you are using CRDA scan step above
|
||||
|
||||
+29
-1
@@ -1 +1,29 @@
|
||||
<svg width="95" height="63" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" overflow="hidden"><defs><clipPath id="clip0"><rect x="979" y="281" width="95" height="63"/></clipPath></defs><g clip-path="url(#clip0)" transform="translate(-979 -281)"><path d="M0.495362 32.6809 16.4466 32.6809 16.4466 36.8041 5.29445 36.8041 5.29445 41.7043 16.2098 41.7043 16.2098 45.8261 5.29445 45.8261 5.29445 55.2206 0.495362 55.2206Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M17.6294 47.0435C17.6294 42.4134 20.8731 38.4938 26.247 38.4938 31.6541 38.4938 34.8978 42.4134 34.8978 47.0435 34.8978 51.7069 31.6541 55.6264 26.247 55.6264 20.8731 55.6264 17.6294 51.7025 17.6294 47.0435ZM30.4366 47.0435C30.4366 44.5089 28.9173 42.3123 26.2484 42.3123 23.5795 42.3123 22.0963 44.5089 22.0963 47.0435 22.0963 49.6113 23.5824 51.8094 26.2528 51.8094 28.9231 51.8094 30.4366 49.6113 30.4366 47.0435Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M37.0612 38.8997 41.3534 38.8997 41.3534 41.1295C42.5087 39.6766 44.5306 38.5299 46.5525 38.5299L46.5525 42.7181C46.1644 42.6295 45.7677 42.584 45.3697 42.5824 43.95 42.5824 42.0581 43.394 41.349 44.4411L41.349 55.2206 37.0612 55.2206Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M50.4027 51.1667 50.4027 42.6459 47.7064 42.6459 47.7064 38.891 50.4027 38.891 50.4027 34.4385 54.7354 34.4385 54.7354 38.8997 58.0469 38.8997 58.0469 42.6546 54.7354 42.6546 54.7354 50.02C54.7354 51.031 55.2755 51.8108 56.2214 51.8108 56.8641 51.8108 57.4721 51.574 57.709 51.3386L58.6203 54.5823C57.979 55.16 56.8295 55.6293 55.0386 55.6293 52.0318 55.6264 50.4027 54.0725 50.4027 51.1667Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M59.533 33.9388C59.5282 32.5199 60.6746 31.3657 62.0936 31.3609 63.5125 31.3561 64.6667 32.5025 64.6715 33.9215 64.6762 35.3404 63.5298 36.4946 62.1109 36.4994 62.1076 36.4994 62.1041 36.4994 62.1008 36.4994 60.69 36.4884 59.5479 35.3495 59.533 33.9388ZM59.9663 38.9069 64.2671 38.9069 64.2671 55.2264 59.9735 55.2264Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M68.4553 42.6502 65.7517 42.6502 65.7517 38.8953 68.4553 38.8953 68.4553 38.0158C68.4553 34.4674 70.753 32.3386 73.9635 32.3386 75.1795 32.3386 76.2944 32.6087 77.0729 33.0145L76.1934 36.056C75.7716 35.8179 75.2923 35.701 74.8083 35.7181 73.5909 35.7181 72.7865 36.5297 72.7865 38.0837L72.7865 38.8953 76.098 38.8953 76.098 42.6502 72.7879 42.6502 72.7879 55.2148 68.4553 55.2148Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M80.3166 58.0267C81.4315 58.0267 82.1752 57.722 82.5811 56.8439L83.1862 55.4575 76.5659 38.8997 81.1643 38.8997 85.4189 50.2583 89.6851 38.8997 94.3066 38.8997 86.6364 57.8909C85.4189 60.9657 83.257 61.7773 80.4523 61.8452 79.737 61.8309 79.0244 61.7516 78.3235 61.6083L78.9648 57.7552C79.3944 57.9294 79.853 58.0214 80.3166 58.0267Z" transform="matrix(1 0 0 1.01243 979.012 281)"/><path d="M22.5166 12.2757C22.519 17.9292 17.9379 22.5141 12.2844 22.5166 12.2815 22.5166 12.2786 22.5166 12.2757 22.5166L0 22.5166 0 12.2757ZM12.2757 10.2351 12.2757 10.2351C17.9284 10.2383 22.5134 5.65845 22.5166 0.00577884 22.5166 0.00385269 22.5166 0.00192654 22.5166 3.96827e-07L0 0 0 10.2351Z" fill="#F42147" transform="matrix(1 0 0 1.01243 979.012 281)"/></g></svg>
|
||||
<svg width="238" height="93" viewBox="0 0 238 93" fill="none" xmlns="http://www.w3.org/2000/svg">
|
||||
<g clip-path="url(#clip0_27_36971)">
|
||||
<path d="M57.3999 65.4001H59.7399V72.9101H59.9399C60.4599 72.1201 61.3699 70.2901 64.3499 70.2901C68.1999 70.2901 70.8699 73.3501 70.8699 78.1601C70.8699 82.9701 68.2099 86.0701 64.3899 86.0701C61.4499 86.0701 60.4599 84.2401 59.9399 83.4101H59.6599V85.7501H57.3999V65.4101V65.4001ZM64.0699 83.9601C67.0099 83.9601 68.5199 81.3801 68.5199 78.1201C68.5199 74.8601 67.0499 72.4001 64.0699 72.4001C61.0899 72.4001 59.6999 74.7001 59.6999 78.1201C59.6999 81.5401 61.2499 83.9601 64.0699 83.9601Z" fill="black"/>
|
||||
<path d="M72.9497 91.1902L73.5497 89.1202C75.2597 89.5602 76.3097 89.3402 77.1697 87.0102L77.6097 85.8202L71.9697 70.4802H74.5097L78.7197 82.6402H78.8797L83.0897 70.4802H85.6297L79.1497 87.9602C78.2697 90.3302 76.7797 91.4602 74.6597 91.4602C73.8697 91.4602 73.1897 91.3002 72.9497 91.1802V91.1902Z" fill="black"/>
|
||||
<path d="M113.43 77.7301C113.43 82.1801 110.87 86.9901 104 86.9901C99.0498 86.9901 94.5298 84.2301 94.5298 77.7301C94.5298 72.3401 97.9298 68.2001 104.67 68.5701C111.85 68.9701 113.43 74.5301 113.43 77.7301ZM100.63 74.3501C99.9898 75.3401 99.7498 76.5201 99.7498 77.7001C99.7498 80.4301 101.1 82.9001 103.99 82.9001C106.88 82.9001 108.17 80.6301 108.17 77.9301C108.17 76.0201 107.7 74.5401 106.72 73.6201C105.64 72.6301 104.43 72.6001 103.69 72.6701C102.21 72.7701 101.33 73.2601 100.62 74.3501H100.63Z" fill="black"/>
|
||||
<path d="M159.42 70.5601C159.93 70.0201 160.26 69.6201 161.17 69.1801C161.98 68.8401 163.12 68.5701 164.37 68.5701C165.41 68.5701 166.59 68.7401 167.5 69.2401C169.35 70.2201 169.82 71.8001 169.82 74.5301V86.5601H164.67V76.6601C164.67 75.0801 164.64 74.5001 164.43 74.0301C164.03 73.0901 163.12 72.6801 162.11 72.6801C159.38 72.6801 159.38 74.8701 159.38 77.0601V86.5601H154.19V69.0101H159.41V70.5601H159.42Z" fill="black"/>
|
||||
<path d="M151.74 82.0101C151.26 83.0101 149.73 86.9901 142.98 86.9901C137.76 86.9901 134.09 83.8001 134.09 78.0401C134.09 73.8001 136.18 68.5701 143.12 68.5701C144.16 68.5701 147.2 68.4401 149.45 70.8701C151.74 73.3301 151.88 76.7601 151.94 78.7501H139.38C139.35 80.9401 140.59 83.1301 143.39 83.1301C146.19 83.1301 147.2 81.2801 147.84 80.0301L151.75 82.0201L151.74 82.0101ZM146.59 75.5101C146.49 74.7701 146.35 73.7901 145.61 73.0201C144.97 72.3801 143.99 72.0401 143.08 72.0401C141.83 72.0401 140.96 72.6501 140.45 73.1901C139.74 73.9601 139.57 74.7701 139.41 75.5101H146.59Z" fill="black"/>
|
||||
<path d="M223.87 72.6501H227.31V69.0101H223.91V65.3101H218.76V69.0101H217.94L215.58 72.6501H218.76V81.0001C218.76 82.6801 218.79 83.9301 219.5 84.9701C220.61 86.5901 222.57 86.6901 224.35 86.6901C225.29 86.6901 225.97 86.5901 227.08 86.4201V82.3801L225.23 82.4501C223.85 82.4501 223.85 81.5401 223.88 80.4601V72.6501H223.87Z" fill="black"/>
|
||||
<path d="M172.41 65.3101H177.56V69.0101H182.92L180.56 72.6501H177.53V80.4601C177.5 81.5401 177.5 82.4501 178.88 82.4501L180.73 82.3801V86.4201C179.62 86.5901 178.94 86.6901 178 86.6901C176.21 86.6901 174.26 86.5901 173.15 84.9701C172.44 83.9301 172.41 82.6801 172.41 81.0001V65.3101Z" fill="black"/>
|
||||
<path d="M232.08 72.65H231.44V69.54H230.27V69H233.23V69.54H232.08V72.65ZM237.07 72.65H236.44L236.46 70.4L236.49 69.65L236.31 70.26L235.56 72.64H234.99L234.25 70.26L234.06 69.66L234.1 70.4L234.12 72.65H233.51V69.01H234.38L235.29 71.89L236.18 69.01H237.05V72.65H237.07Z" fill="black"/>
|
||||
<path d="M199.16 82.0301L198.17 83.5501C197.25 84.9101 195.51 86.9901 190.53 86.9901C185.55 86.9901 181.8 83.8001 181.8 78.0401C181.8 73.8001 183.89 68.5701 190.83 68.5701C191.87 68.5701 194.91 68.4401 197.16 70.8701C199.45 73.3301 199.59 76.7601 199.65 78.7501H187.09C187.06 80.9401 188.14 83.1301 190.93 83.1301C193.72 83.1301 194.57 81.2801 195.21 80.0301L199.15 82.0301H199.16ZM194.3 75.5101C194.2 74.7701 194.06 73.7901 193.32 73.0201C192.68 72.3801 191.7 72.0401 190.79 72.0401C189.54 72.0401 188.67 72.6501 188.16 73.1901C187.45 73.9601 187.28 74.7701 187.12 75.5101H194.3Z" fill="black"/>
|
||||
<path d="M216.82 86.56L210.37 77.32L215.75 69.01H209.85L207.31 72.93L204.58 69.01H198.68L204.48 77.32L198.5 86.56H204.4L207.54 81.71L210.92 86.56H216.82Z" fill="black"/>
|
||||
<path d="M120.57 70.5601C121.07 69.8101 122.66 68.5701 125.18 68.5701C129.49 68.5701 132.52 71.8401 132.52 77.7001C132.52 81.3001 131.21 87.0001 124.96 87.0001C122.71 87.0001 120.97 85.7501 120.53 85.0101V92.3701H115.34V69.0101H120.56V70.5601H120.57ZM124.07 72.6201C123.13 72.6201 122.15 73.0001 121.41 73.9401C120.67 74.8501 120.33 76.2601 120.33 77.8001C120.33 79.8701 120.94 81.1201 121.58 81.8401C122.18 82.5101 123.06 82.9001 123.9 82.9001C126.43 82.9001 127.54 80.2401 127.54 77.6701C127.54 75.5101 126.9 73.2201 124.78 72.7201C124.54 72.6601 124.31 72.6301 124.07 72.6301V72.6201Z" fill="black"/>
|
||||
<path d="M56.6802 1.93994H87.1502V9.81994H65.8502V19.1799H86.7002V27.0499H65.8502V44.9899H56.6802V1.93994Z" fill="black"/>
|
||||
<path d="M89.0801 29.37C89.0801 20.53 95.2801 13.04 105.54 13.04C115.8 13.04 122.06 20.53 122.06 29.37C122.06 38.21 115.86 45.76 105.54 45.76C95.2201 45.76 89.0801 38.27 89.0801 29.37ZM113.54 29.37C113.54 24.53 110.64 20.33 105.54 20.33C100.44 20.33 97.6001 24.53 97.6001 29.37C97.6001 34.21 100.44 38.47 105.54 38.47C110.64 38.47 113.54 34.27 113.54 29.37Z" fill="black"/>
|
||||
<path d="M124.9 13.8101H133.1V18.0701C135.29 15.2901 139.17 13.1001 143.04 13.1001V21.1001C142.46 20.9701 141.68 20.8401 140.78 20.8401C138.07 20.8401 134.45 22.3901 133.1 24.3901V44.9801H124.9V13.8101Z" fill="black"/>
|
||||
<path d="M149.74 37.24V20.97H144.58V13.81H149.74V5.29004H158V13.81H164.33V20.97H158V35.04C158 36.98 159.03 38.46 160.84 38.46C162.07 38.46 163.23 38.01 163.68 37.56L165.42 43.76C164.19 44.86 162 45.76 158.58 45.76C152.84 45.76 149.74 42.79 149.74 37.24Z" fill="black"/>
|
||||
<path d="M166.26 4.91C166.26 2.2 168.52 0 171.17 0C173.82 0 176.08 2.19 176.08 4.91C176.08 7.63 173.89 9.82 171.17 9.82C168.45 9.82 166.26 7.63 166.26 4.91ZM167.1 13.82H175.3V44.99H167.1V13.81V13.82Z" fill="black"/>
|
||||
<path d="M182.98 20.98H177.82V13.82H182.98V12.14C182.98 5.36005 187.37 1.30005 193.5 1.30005C195.82 1.30005 197.95 1.82005 199.44 2.59005L197.76 8.40005C197.05 7.95005 196.08 7.75005 195.11 7.75005C192.79 7.75005 191.24 9.30005 191.24 12.27V13.82H197.57V20.98H191.24V44.9901H182.98V20.98Z" fill="black"/>
|
||||
<path d="M204.99 50.34C207.12 50.34 208.54 49.7601 209.31 48.0801L210.47 45.43L197.82 13.8H206.6L214.73 35.4901L222.86 13.8H231.7L217.05 50.07C214.73 55.94 210.6 57.49 205.24 57.62C204.27 57.62 202.21 57.43 201.17 57.17L202.4 49.8101C203.11 50.1301 204.21 50.3301 204.98 50.3301L204.99 50.34Z" fill="black"/>
|
||||
<path d="M0 3.1001C0 9.5601 0 16.0201 0 22.4801C0.32 22.4801 0.65 22.4701 0.97 22.4701C8.57 22.4701 16.17 22.4701 23.78 22.4701C24.9 22.4701 26 22.3701 27.1 22.1601C30.81 21.4601 34.03 19.8101 36.77 17.2301C40.49 13.7101 42.46 9.3701 42.88 4.2901C42.91 3.9301 42.87 3.5701 42.86 3.1601H41.81C28.22 3.1601 14.63 3.1601 1.04 3.1601C0.69 3.1601 0.35 3.1301 0 3.1101L0 3.1001Z" fill="#1A6AFF"/>
|
||||
<path d="M0 25.6001C0 32.0601 0 38.5301 0 44.9901C0.32 44.9901 0.65 44.9801 0.97 44.9801C8.57 44.9801 16.17 44.9801 23.78 44.9801C24.9 44.9801 26 44.8801 27.1 44.6701C30.81 43.9701 34.03 42.3201 36.77 39.7401C40.49 36.2201 42.46 31.8801 42.88 26.8001C42.91 26.4401 42.87 26.0801 42.86 25.6701H41.81C28.22 25.6701 14.63 25.6701 1.04 25.6701C0.69 25.6701 0.35 25.6401 0 25.6201L0 25.6001Z" fill="#1A6AFF"/>
|
||||
</g>
|
||||
<defs>
|
||||
<clipPath id="clip0_27_36971">
|
||||
<rect width="237.07" height="92.37" fill="white"/>
|
||||
</clipPath>
|
||||
</defs>
|
||||
</svg>
|
||||
|
||||
|
Before Width: | Height: | Size: 3.2 KiB After Width: | Height: | Size: 7.3 KiB |
+2
-3
@@ -31,7 +31,7 @@ jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
HUGO_VERSION: 0.124.1
|
||||
HUGO_VERSION: 0.128.0
|
||||
steps:
|
||||
- name: Install Hugo CLI
|
||||
run: |
|
||||
@@ -50,9 +50,8 @@ jobs:
|
||||
run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
|
||||
- name: Build with Hugo
|
||||
env:
|
||||
# For maximum backward compatibility with Hugo modules
|
||||
HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache
|
||||
HUGO_ENVIRONMENT: production
|
||||
HUGO_ENV: production
|
||||
run: |
|
||||
hugo \
|
||||
--minify \
|
||||
|
||||
@@ -156,13 +156,22 @@ async function checkWorkflow(
|
||||
await exec("git", ["checkout", "ghes"]);
|
||||
|
||||
// In order to sync from main, we might need to remove some workflows, add some
|
||||
// and modify others. The lazy approach is to delete all workflows first, and then
|
||||
// and modify others. The lazy approach is to delete all workflows first (except from read-only folders), and then
|
||||
// just bring the compatible ones over from the main branch. We let git figure out
|
||||
// whether it's a deletion, add, or modify and commit the new state.
|
||||
console.log("Remove all workflows");
|
||||
await exec("rm", ["-fr", ...settings.folders]);
|
||||
await exec("rm", ["-fr", "../../icons"]);
|
||||
|
||||
// Bring back the read-only folders
|
||||
console.log("Restore read-only folders");
|
||||
for (let i = 0; i < settings.readOnlyFolders.length; i++) {
|
||||
await exec("git", [
|
||||
"checkout",
|
||||
settings.readOnlyFolders[i]
|
||||
]);
|
||||
}
|
||||
|
||||
console.log("Sync changes from main for compatible workflows");
|
||||
await exec("git", [
|
||||
"checkout",
|
||||
@@ -171,10 +180,13 @@ async function checkWorkflow(
|
||||
...Array.prototype.concat.apply(
|
||||
[],
|
||||
result.compatibleWorkflows.map((x) => {
|
||||
const r = [
|
||||
join(x.folder, `${x.id}.yml`),
|
||||
join(x.folder, "properties", `${x.id}.properties.json`),
|
||||
];
|
||||
const r = [];
|
||||
|
||||
// Don't touch read-only folders
|
||||
if (!settings.readOnlyFolders.includes(x.folder)) {
|
||||
r.push(join(x.folder, `${x.id}.yml`));
|
||||
r.push(join(x.folder, "properties", `${x.id}.properties.json`));
|
||||
};
|
||||
|
||||
if (x.iconType === "svg") {
|
||||
r.push(join("../../icons", `${x.iconName}.svg`));
|
||||
|
||||
@@ -5,6 +5,9 @@
|
||||
"../../code-scanning",
|
||||
"../../pages"
|
||||
],
|
||||
"readOnlyFolders": [
|
||||
"../../pages"
|
||||
],
|
||||
"enabledActions": [
|
||||
"actions/cache",
|
||||
"actions/checkout",
|
||||
|
||||
Reference in New Issue
Block a user