diff --git a/ci/msbuild.yml b/ci/msbuild.yml index 29b6ace..e650e2a 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -1,6 +1,10 @@ name: MSBuild -on: [push] +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] env: # Path to the solution file relative to the root of the project. diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 3aa06ca..4737d06 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -42,8 +42,13 @@ on: workflow_dispatch: +permissions: + contents: read + jobs: Trigger APIsec scan: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -61,4 +66,4 @@ jobs: - name: Import results uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ./apisec-results.sarif \ No newline at end of file + sarif_file: ./apisec-results.sarif diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 50185ad..4892930 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Codacy Security Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 689a1a0..d8eaa92 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -13,8 +13,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: mobile-security: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -33,4 +39,4 @@ jobs: - name: Upload mobsfscan report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8077f76..a6da087 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: njsscan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: njsscan code scanning steps: diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5323d1b..5b11482 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -21,8 +21,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: prisma_cloud_iac_scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 618ce28..d63b462 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2 + uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4 with: results_file: results.sarif results_format: sarif diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index 827387b..f99d441 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -19,8 +19,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: semgrep: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index 9701b1f..af220c0 100644 --- a/code-scanning/stackhawk.yml +++ b/code-scanning/stackhawk.yml @@ -37,8 +37,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: stackhawk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info name: StackHawk runs-on: ubuntu-20.04 steps: diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index 49841d7..f9b29fc 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -13,10 +13,17 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: build: + permissions: + checks: write # for sysdiglabs/scan-action to publish the checks + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -51,4 +58,4 @@ jobs: #Upload SARIF file if: always() with: - sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file + sarif_file: ${{ steps.scan.outputs.sarifReport }} diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index e38fffd..073d1b6 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -17,10 +17,16 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel +permissions: + contents: read + jobs: # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter build-and-pipeline-scan: # The type of runner that the job will run on + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: