From 63beace25d14ca0b8918b467dbfe7bc0f3281742 Mon Sep 17 00:00:00 2001
From: h0x0er <84621253+h0x0er@users.noreply.github.com>
Date: Mon, 14 Feb 2022 11:16:12 +0530
Subject: [PATCH 01/36] added github_token permission
---
deployments/terraform.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/deployments/terraform.yml b/deployments/terraform.yml
index 589f1f3..b7cbc3a 100644
--- a/deployments/terraform.yml
+++ b/deployments/terraform.yml
@@ -50,6 +50,9 @@ on:
- $default-branch
pull_request:
+permissions:
+ contents: read
+
jobs:
terraform:
name: 'Terraform'
From fd8ffb3d9c4336e2e4584baebffce4196086e794 Mon Sep 17 00:00:00 2001
From: arjundashrath <54043589+arjundashrath@users.noreply.github.com>
Date: Mon, 14 Feb 2022 13:01:38 +0530
Subject: [PATCH 02/36] Update aws.yml
---
deployments/aws.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/deployments/aws.yml b/deployments/aws.yml
index dab851f..65f445f 100644
--- a/deployments/aws.yml
+++ b/deployments/aws.yml
@@ -41,6 +41,9 @@ env:
CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the
# containerDefinitions section of your task definition
+permissions:
+ contents: read
+
jobs:
deploy:
name: Deploy
From 8bcdd73aa893896b02a33bf844682a4a632c099a Mon Sep 17 00:00:00 2001
From: h0x0er <84621253+h0x0er@users.noreply.github.com>
Date: Tue, 15 Feb 2022 13:36:24 +0530
Subject: [PATCH 03/36] added github_token permission
---
deployments/alibabacloud.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml
index ded9178..c783305 100644
--- a/deployments/alibabacloud.yml
+++ b/deployments/alibabacloud.yml
@@ -40,6 +40,9 @@ env:
ACR_EE_IMAGE: repo
ACR_EE_TAG: ${{ github.sha }}
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
From 8c75e2d11fd9040bc7a3492d7bcfcb4c92a194d7 Mon Sep 17 00:00:00 2001
From: arjundashrath <54043589+arjundashrath@users.noreply.github.com>
Date: Thu, 17 Feb 2022 08:57:59 +0530
Subject: [PATCH 04/36] Update pmd.yml
---
code-scanning/pmd.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml
index 0604734..cf4b01d 100644
--- a/code-scanning/pmd.yml
+++ b/code-scanning/pmd.yml
@@ -13,8 +13,14 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
pmd-code-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
From 0b1f2442e511ac2e36f9c551899079d28f0fade5 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 1 Mar 2022 14:58:57 +0100
Subject: [PATCH 05/36] Create sonarcloud.yml
---
code-scanning/sonarcloud.yml | 51 ++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 code-scanning/sonarcloud.yml
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
new file mode 100644
index 0000000..d15db93
--- /dev/null
+++ b/code-scanning/sonarcloud.yml
@@ -0,0 +1,51 @@
+This workflow helps you trigger a SonarCloud analysis of your code.
+name: SonarCloud analysis
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+
+ workflow_dispatch:
+
+jobs:
+ Analysis:
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Analyze with SonarCloud
+
+ # 1. Import your project to SonarCloud.
+ # 2. Import it on SonarCloud
+ # * Open sonarcloud.io, connect with your GitHub account and add your GitHub organization and your repository as a new project.
+ # * Please note that your project might be ready for AutoScan which means that it will be analysed without the need for GitHub Actions (it will be built automatically).
+ # * This behavior can be changed in Administration > Analysis Method.
+ #
+ # 3. Copy/paste the Projet Key and the Organization Key in the args below
+ # * On SonarCloud, click on Information at the bottom left
+ # 4. Generate a new token and add it to your Github's repository Secrets as SONAR_TOKEN
+ # * On SonarCloud, click on your avatar on top-right > My account > Security
+
+ # You may pin to the exact commit or the version.
+ # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ uses: SonarSource/sonarcloud-github-action@v1.6
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
+ with:
+ # Additional arguments to the sonarcloud scanner
+ args: >
+ # Set the sonar.projectBaseDir analysis property
+ projectBaseDir: . # optional, default is .
+ # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu)
+ -Dsonar.projectKey= # mandatory
+ # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu)
+ -Dsonar.organization= # mandatory
+ # Comma-separated paths to directories containing main source files.
+ -Dsonar.sources= # optional, default is project base directory
+ # Comma-separated paths to directories containing test source files.
+ -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+ -Dsonar.verbose= # optional, default is false
From b80e458c6205c8b77c2a7bd419be52d6a82fc64f Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 1 Mar 2022 16:29:12 +0100
Subject: [PATCH 06/36] Added documentation links
---
code-scanning/sonarcloud.yml | 36 ++++++++++++++++++++----------------
1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index d15db93..387f34c 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -1,4 +1,19 @@
-This workflow helps you trigger a SonarCloud analysis of your code.
+# This workflow helps you trigger a SonarCloud analysis of your code.
+
+# 1. Login to SonarCloud.io using your GitHub account
+# 2. Import your project on SonarCloud
+# * Add your GitHub organization first, then add your repository as a new project.
+# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically).
+# * This behavior can be changed in Administration > Analysis Method.
+#
+# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below
+# * You'll find those info on SonarCloud. Click on "Information" at the bottom left
+# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN
+# * On SonarCloud, click on your avatar on top-right > My account > Security
+
+# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
+# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
+
name: SonarCloud analysis
on:
@@ -15,18 +30,7 @@ jobs:
steps:
- - name: Analyze with SonarCloud
-
- # 1. Import your project to SonarCloud.
- # 2. Import it on SonarCloud
- # * Open sonarcloud.io, connect with your GitHub account and add your GitHub organization and your repository as a new project.
- # * Please note that your project might be ready for AutoScan which means that it will be analysed without the need for GitHub Actions (it will be built automatically).
- # * This behavior can be changed in Administration > Analysis Method.
- #
- # 3. Copy/paste the Projet Key and the Organization Key in the args below
- # * On SonarCloud, click on Information at the bottom left
- # 4. Generate a new token and add it to your Github's repository Secrets as SONAR_TOKEN
- # * On SonarCloud, click on your avatar on top-right > My account > Security
+ - name: Analyze with SonarCloud
# You may pin to the exact commit or the version.
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
@@ -36,15 +40,15 @@ jobs:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
with:
# Additional arguments to the sonarcloud scanner
- args: >
- # Set the sonar.projectBaseDir analysis property
- projectBaseDir: . # optional, default is .
+ args:
# Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu)
-Dsonar.projectKey= # mandatory
# Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu)
-Dsonar.organization= # mandatory
# Comma-separated paths to directories containing main source files.
-Dsonar.sources= # optional, default is project base directory
+ # When you need the analysis to take place in a directory other than the one from which it was launched
+ -Dsonar.projectBaseDir= # optional, default is .
# Comma-separated paths to directories containing test source files.
-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
# Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
From c5a70f040535fbdb74601570225b59bc8516a3b7 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 1 Mar 2022 16:29:42 +0100
Subject: [PATCH 07/36] Removed extra spaces
---
code-scanning/sonarcloud.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 387f34c..3441617 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -21,15 +21,13 @@ on:
branches: [ master ]
pull_request:
branches: [ master ]
-
workflow_dispatch:
jobs:
Analysis:
runs-on: ubuntu-latest
-
+
steps:
-
- name: Analyze with SonarCloud
# You may pin to the exact commit or the version.
From 429537d3207f07a271ed289b60a664da53be9b86 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 1 Mar 2022 16:36:07 +0100
Subject: [PATCH 08/36] Added workflow variables for branches
---
code-scanning/sonarcloud.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 3441617..97f364d 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -18,9 +18,9 @@ name: SonarCloud analysis
on:
push:
- branches: [ master ]
+ branches: [ $default-branch, $protected-branches ]
pull_request:
- branches: [ master ]
+ branches: [ $default-branch ]
workflow_dispatch:
jobs:
From b48f15df6228157c0181ee9fdca8f52f091a3703 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 1 Mar 2022 16:36:37 +0100
Subject: [PATCH 09/36] Added space between paragraph
---
code-scanning/sonarcloud.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 97f364d..0b58f05 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -1,6 +1,7 @@
# This workflow helps you trigger a SonarCloud analysis of your code.
# 1. Login to SonarCloud.io using your GitHub account
+
# 2. Import your project on SonarCloud
# * Add your GitHub organization first, then add your repository as a new project.
# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically).
@@ -8,6 +9,7 @@
#
# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below
# * You'll find those info on SonarCloud. Click on "Information" at the bottom left
+
# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN
# * On SonarCloud, click on your avatar on top-right > My account > Security
From fb2b1099ec558e4666229e557860eb8a8dd58ac7 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 1 Mar 2022 16:39:07 +0100
Subject: [PATCH 10/36] Fixed intro text
---
code-scanning/sonarcloud.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 0b58f05..c4ab0e4 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -1,4 +1,4 @@
-# This workflow helps you trigger a SonarCloud analysis of your code.
+# This workflow helps you trigger a SonarCloud analysis of your code and populates GitHub Code Scanning alerts with the vulnerabilities found.
# 1. Login to SonarCloud.io using your GitHub account
From f6596c95685b9d20a9cd83bf0d9df24153043b69 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 10 Mar 2022 09:41:26 +0100
Subject: [PATCH 11/36] Update sonarcloud.yml
---
code-scanning/sonarcloud.yml | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index c4ab0e4..084feca 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -4,14 +4,15 @@
# 2. Import your project on SonarCloud
# * Add your GitHub organization first, then add your repository as a new project.
-# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically).
+# * Please note that many languages are eligible for automatic analysis, which means that the analysis will start automatically without the need to set up GitHub Actions.
# * This behavior can be changed in Administration > Analysis Method.
#
-# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below
-# * You'll find those info on SonarCloud. Click on "Information" at the bottom left
-
-# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN
-# * On SonarCloud, click on your avatar on top-right > My account > Security
+# 3. Follow the SonarCloud's online tutorial
+# * a. Copy/paste the Projet Key and the Organization Key in the args parameter below
+# (You'll find those info on SonarCloud. Click on "Information" at the bottom left)
+#
+# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN
+# (On SonarCloud, click on your avatar on top-right > My account > Security)
# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
From 8fd84d60c85e501ce9d34a7c694fda9f3822daab Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 10 Mar 2022 09:42:52 +0100
Subject: [PATCH 12/36] Create sonarcloud.properties.json
---
code-scanning/properties/sonarcloud.properties.json | 1 +
1 file changed, 1 insertion(+)
create mode 100644 code-scanning/properties/sonarcloud.properties.json
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -0,0 +1 @@
+
From 6f8fa063712f344fab4c84487b2c885fca2f61a3 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 10 Mar 2022 09:45:15 +0100
Subject: [PATCH 13/36] Update sonarcloud.properties.json
---
code-scanning/properties/sonarcloud.properties.json | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
index 8b13789..88e2dbf 100644
--- a/code-scanning/properties/sonarcloud.properties.json
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -1 +1,7 @@
-
+{
+ "name": "SonarCloud Security Scan",
+ "creator": "SonarSource",
+ "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.",
+ "iconName": "sonarcloud",
+ "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"]
+}
From c944a105460e766a441f6bc07dc9f798bbb4bc1c Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 10 Mar 2022 17:15:34 +0100
Subject: [PATCH 14/36] Update sonarcloud.properties.json
---
code-scanning/properties/sonarcloud.properties.json | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
index 88e2dbf..428d899 100644
--- a/code-scanning/properties/sonarcloud.properties.json
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -1,7 +1,7 @@
{
- "name": "SonarCloud Security Scan",
- "creator": "SonarSource",
- "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.",
+ "name": "SonarCloud",
+ "creator": "Sonar",
+ "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Free for open source projects",
"iconName": "sonarcloud",
- "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"]
+ "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
}
From d955f56f6791a99e9264a41707cd43f1ff228d67 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 10 Mar 2022 17:17:43 +0100
Subject: [PATCH 15/36] Add files via upload
---
icons/sonarcloud.svg | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 icons/sonarcloud.svg
diff --git a/icons/sonarcloud.svg b/icons/sonarcloud.svg
new file mode 100644
index 0000000..5f946d2
--- /dev/null
+++ b/icons/sonarcloud.svg
@@ -0,0 +1,20 @@
+
+
+
From 3b2d5d9c43c2889e9aaed43da59a7332ee5e51b7 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 17 Mar 2022 18:07:03 +0100
Subject: [PATCH 16/36] Added small fixes
---
code-scanning/sonarcloud.yml | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 084feca..d627b96 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -13,6 +13,7 @@
#
# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN
# (On SonarCloud, click on your avatar on top-right > My account > Security)
+# (or go directly to https://sonarcloud.io/account/security/)
# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
@@ -44,13 +45,13 @@ jobs:
args:
# Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu)
-Dsonar.projectKey= # mandatory
- # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu)
+ # Unique organization key of your project. You can find it in SonarCloud > Information (bottom-left menu)
-Dsonar.organization= # mandatory
# Comma-separated paths to directories containing main source files.
- -Dsonar.sources= # optional, default is project base directory
+ #-Dsonar.sources= # optional, default is project base directory
# When you need the analysis to take place in a directory other than the one from which it was launched
- -Dsonar.projectBaseDir= # optional, default is .
+ #-Dsonar.projectBaseDir= # optional, default is .
# Comma-separated paths to directories containing test source files.
- -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
- # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
- -Dsonar.verbose= # optional, default is false
+ #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+ #-Dsonar.verbose= # optional, default is false
From 75a7f2983bbe23e5ab84449c61053dfc20206b74 Mon Sep 17 00:00:00 2001
From: Peeter Piegaze
<61758048+peeter-piegaze-sonarsource@users.noreply.github.com>
Date: Fri, 18 Mar 2022 11:13:00 +0100
Subject: [PATCH 17/36] Update sonarcloud.yml
Fix phrasing/word-choice
---
code-scanning/sonarcloud.yml | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index d627b96..69eac6a 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -1,19 +1,21 @@
-# This workflow helps you trigger a SonarCloud analysis of your code and populates GitHub Code Scanning alerts with the vulnerabilities found.
+# This workflow helps you trigger a SonarCloud analysis of your code and populates
+# GitHub Code Scanning alerts with the vulnerabilities found.
# 1. Login to SonarCloud.io using your GitHub account
# 2. Import your project on SonarCloud
# * Add your GitHub organization first, then add your repository as a new project.
-# * Please note that many languages are eligible for automatic analysis, which means that the analysis will start automatically without the need to set up GitHub Actions.
+# * Please note that many languages are eligible for automatic analysis,
+# which means that the analysis will start automatically without the need to set up GitHub Actions.
# * This behavior can be changed in Administration > Analysis Method.
#
-# 3. Follow the SonarCloud's online tutorial
-# * a. Copy/paste the Projet Key and the Organization Key in the args parameter below
-# (You'll find those info on SonarCloud. Click on "Information" at the bottom left)
+# 3. Follow the SonarCloud in-product tutorial
+# * a. Copy/paste the Project Key and the Organization Key into the args parameter below
+# (You'll find this information in SonarCloud. Click on "Information" at the bottom left)
#
-# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN
-# (On SonarCloud, click on your avatar on top-right > My account > Security)
-# (or go directly to https://sonarcloud.io/account/security/)
+# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
+# (On SonarCloud, click on your avatar on top-right > My account > Security
+# or go directly to https://sonarcloud.io/account/security/)
# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
@@ -34,14 +36,14 @@ jobs:
steps:
- name: Analyze with SonarCloud
- # You may pin to the exact commit or the version.
+ # You can pin the exact commit or the version.
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
uses: SonarSource/sonarcloud-github-action@v1.6
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
with:
- # Additional arguments to the sonarcloud scanner
+ # Additional arguments for the sonarcloud scanner
args:
# Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu)
-Dsonar.projectKey= # mandatory
From a1fe90c10dbf737fb1787b358028b5e33641dcc0 Mon Sep 17 00:00:00 2001
From: Shubham malik
Date: Sat, 19 Mar 2022 16:00:04 +0530
Subject: [PATCH 18/36] Update tencent.yml
---
deployments/tencent.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/deployments/tencent.yml b/deployments/tencent.yml
index 83bde94..165981a 100644
--- a/deployments/tencent.yml
+++ b/deployments/tencent.yml
@@ -27,6 +27,9 @@ env:
TKE_CLUSTER_ID: cls-mywebapp
DEPLOYMENT_NAME: tke-test
+permissions:
+ contents: read
+
jobs:
setup-build-publish-deploy:
name: Setup, Build, Publish, and Deploy
From 9ab1bbfdcc4ce2235ab206d529853732f82c40d2 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Mon, 21 Mar 2022 10:08:04 +0100
Subject: [PATCH 19/36] Added Github disclaimer
---
code-scanning/sonarcloud.yml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 69eac6a..d0cc73b 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -1,3 +1,8 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
# This workflow helps you trigger a SonarCloud analysis of your code and populates
# GitHub Code Scanning alerts with the vulnerabilities found.
From 1e0060ae0f820f0e350f84c656ca66e287005124 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Wed, 30 Mar 2022 10:27:25 +0200
Subject: [PATCH 20/36] Added mention to free plan
---
code-scanning/sonarcloud.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index d0cc73b..bd6a3e1 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -5,6 +5,7 @@
# This workflow helps you trigger a SonarCloud analysis of your code and populates
# GitHub Code Scanning alerts with the vulnerabilities found.
+# Free for open source project.
# 1. Login to SonarCloud.io using your GitHub account
From 589aeb1674483e39ab864dd33cfa5cf63882462a Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 31 Mar 2022 10:34:04 +0200
Subject: [PATCH 21/36] Added restrictive permissions for GITHUB_TOKEN
---
code-scanning/sonarcloud.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index bd6a3e1..dade659 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -35,6 +35,9 @@ on:
branches: [ $default-branch ]
workflow_dispatch:
+permissions:
+ pull-requests: read # allows SonarCloud to decorate PRs with analysis results
+
jobs:
Analysis:
runs-on: ubuntu-latest
@@ -46,7 +49,7 @@ jobs:
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
uses: SonarSource/sonarcloud-github-action@v1.6
env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
with:
# Additional arguments for the sonarcloud scanner
From 3f1969e60bade312dd53ca604e2479900b6a6a5f Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Wed, 6 Apr 2022 10:26:21 +0200
Subject: [PATCH 22/36] Update sonarcloud.properties.json
---
code-scanning/properties/sonarcloud.properties.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
index 428d899..8835ff8 100644
--- a/code-scanning/properties/sonarcloud.properties.json
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -1,7 +1,7 @@
{
"name": "SonarCloud",
"creator": "Sonar",
- "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Free for open source projects",
+ "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start analyzing your code in minutes!",
"iconName": "sonarcloud",
"categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
}
From 1132fdda5ded5388ebc46d62f1892bece49f3c26 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Wed, 6 Apr 2022 10:43:06 +0200
Subject: [PATCH 23/36] Update sonarcloud.properties.json
---
code-scanning/properties/sonarcloud.properties.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
index 8835ff8..9b88a78 100644
--- a/code-scanning/properties/sonarcloud.properties.json
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -1,7 +1,7 @@
{
"name": "SonarCloud",
"creator": "Sonar",
- "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start analyzing your code in minutes!",
+ "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!",
"iconName": "sonarcloud",
"categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
}
From 50c02af8cf04a5cba88c5f47d64db3d2860ddcff Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Wed, 6 Apr 2022 10:59:27 +0200
Subject: [PATCH 24/36] changed version to exact SHA
Co-authored-by: Sampark Sharma
---
code-scanning/sonarcloud.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index dade659..fe9afb4 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -47,7 +47,7 @@ jobs:
# You can pin the exact commit or the version.
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
- uses: SonarSource/sonarcloud-github-action@v1.6
+ uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
From 090ead86a92181d20a19219314dd1858ec87a787 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Wed, 6 Apr 2022 14:51:15 +0200
Subject: [PATCH 25/36] Update syntax for validation
---
code-scanning/sonarcloud.yml | 42 ++++++++++++++++++------------------
1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index fe9afb4..ff388c8 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -45,24 +45,24 @@ jobs:
steps:
- name: Analyze with SonarCloud
- # You can pin the exact commit or the version.
- # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
- uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
- with:
- # Additional arguments for the sonarcloud scanner
- args:
- # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu)
- -Dsonar.projectKey= # mandatory
- # Unique organization key of your project. You can find it in SonarCloud > Information (bottom-left menu)
- -Dsonar.organization= # mandatory
- # Comma-separated paths to directories containing main source files.
- #-Dsonar.sources= # optional, default is project base directory
- # When you need the analysis to take place in a directory other than the one from which it was launched
- #-Dsonar.projectBaseDir= # optional, default is .
- # Comma-separated paths to directories containing test source files.
- #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
- # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
- #-Dsonar.verbose= # optional, default is false
+ # You can pin the exact commit or the version.
+ # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
+ with:
+ # Additional arguments for the sonarcloud scanner
+ args:
+ # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
+ # mandatory
+ -Dsonar.projectKey=
+ -Dsonar.organization=
+ # Comma-separated paths to directories containing main source files.
+ #-Dsonar.sources= # optional, default is project base directory
+ # When you need the analysis to take place in a directory other than the one from which it was launched
+ #-Dsonar.projectBaseDir= # optional, default is .
+ # Comma-separated paths to directories containing test source files.
+ #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+ #-Dsonar.verbose= # optional, default is false
From cca97c83b88349992531d905e3456a9227e2a391 Mon Sep 17 00:00:00 2001
From: Yong Yan
Date: Sat, 9 Apr 2022 01:28:14 -0700
Subject: [PATCH 26/36] Add rust-clippy starter workflow (#1462)
* Add rust-clippy starter workflow
* fix parameter `wait-for-processing` indent of action github/codeql-action/upload-sarif@v1
* Use commit sha instead of tag
* addressing pr comments
* Update creator
* Add comments
---
.../properties/rust-clippy.properties.json | 10 ++++
code-scanning/rust-clippy.yml | 54 +++++++++++++++++++
2 files changed, 64 insertions(+)
create mode 100644 code-scanning/properties/rust-clippy.properties.json
create mode 100644 code-scanning/rust-clippy.yml
diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json
new file mode 100644
index 0000000..ea5c871
--- /dev/null
+++ b/code-scanning/properties/rust-clippy.properties.json
@@ -0,0 +1,10 @@
+{
+ "name": "rust-clippy",
+ "creator": "Rust",
+ "description": "A collection of lints to catch common mistakes and improve your Rust code.",
+ "iconName": "rust",
+ "categories": [
+ "Code Scanning",
+ "rust"
+ ]
+}
\ No newline at end of file
diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml
new file mode 100644
index 0000000..e9c426a
--- /dev/null
+++ b/code-scanning/rust-clippy.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# rust-clippy is a tool that runs a bunch of lints to catch common
+# mistakes in your Rust code and help improve your Rust code.
+# More details at https://github.com/rust-lang/rust-clippy
+# and https://rust-lang.github.io/rust-clippy/
+
+name: rust-clippy analyze
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ rust-clippy-analyze:
+ name: Run rust-clippy analyzing
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Install Rust toolchain
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1
+ with:
+ profile: minimal
+ toolchain: stable
+ components: clippy
+ override: true
+
+ - name: Install required cargo
+ run: cargo install clippy-sarif sarif-fmt
+
+ - name: Run rust-clippy
+ run:
+ cargo clippy
+ --all-features
+ --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: rust-clippy-results.sarif
+ wait-for-processing: true
\ No newline at end of file
From 769950ce816c2f79f8df05cf138640f9aa08625d Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Sun, 10 Apr 2022 17:20:15 +0530
Subject: [PATCH 27/36] Removing code-scanning/shiftleft as per author request
(#1513)
Co-authored-by: Bishal Prasad
---
.../properties/shiftleft.properties.json | 7 ---
code-scanning/shiftleft.yml | 47 -------------------
icons/shiftleft.svg | 6 ---
3 files changed, 60 deletions(-)
delete mode 100644 code-scanning/properties/shiftleft.properties.json
delete mode 100644 code-scanning/shiftleft.yml
delete mode 100644 icons/shiftleft.svg
diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json
deleted file mode 100644
index 1cb36c9..0000000
--- a/code-scanning/properties/shiftleft.properties.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "name": "Scan",
- "creator": "ShiftLeft",
- "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.",
- "iconName": "shiftleft",
- "categories": ["Code Scanning"]
-}
\ No newline at end of file
diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml
deleted file mode 100644
index b042670..0000000
--- a/code-scanning/shiftleft.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow integrates Scan with GitHub's code scanning feature
-# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
-# Visit https://slscan.io/en/latest/integrations/code-scan for help
-name: SL Scan
-
-on:
- push:
- branches: [ $default-branch, $protected-branches ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ $default-branch ]
- schedule:
- - cron: $cron-weekly
-
-jobs:
- Scan-Build:
- # Scan runs on ubuntu, mac and windows
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- # Instructions
- # 1. Setup JDK, Node.js, Python etc depending on your project type
- # 2. Compile or build the project before invoking scan
- # Example: mvn compile, or npm install or pip install goes here
- # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
-
- - name: Perform Scan
- uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64
- env:
- WORKSPACE: ""
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SCAN_AUTO_BUILD: true
- with:
- output: reports
- # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
- # type: credscan,java
- # type: python
-
- - name: Upload report
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: reports
diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg
deleted file mode 100644
index f8e944a..0000000
--- a/icons/shiftleft.svg
+++ /dev/null
@@ -1,6 +0,0 @@
-
From 31b35634e10474dd37c3d2929577d2778e781cbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Andr=C3=A9?=
Date: Sun, 10 Apr 2022 15:07:11 +0200
Subject: [PATCH 28/36] Fix pull request trigger in greetings.yml (#1518)
---
automation/greetings.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/automation/greetings.yml b/automation/greetings.yml
index ee1cb11..18ba13f 100644
--- a/automation/greetings.yml
+++ b/automation/greetings.yml
@@ -1,6 +1,6 @@
name: Greetings
-on: [pull_request, issues]
+on: [pull_request_target, issues]
jobs:
greeting:
From d80712faf41487f0d71d06018ec3bae11b859987 Mon Sep 17 00:00:00 2001
From: Anthony Roussel
Date: Sun, 10 Apr 2022 15:29:47 +0200
Subject: [PATCH 29/36] Disable Terraform interactive prompts during apply &
plan (#1467)
---
deployments/terraform.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deployments/terraform.yml b/deployments/terraform.yml
index 96e44e0..6142d2c 100644
--- a/deployments/terraform.yml
+++ b/deployments/terraform.yml
@@ -82,10 +82,10 @@ jobs:
# Generates an execution plan for Terraform
- name: Terraform Plan
- run: terraform plan
+ run: terraform plan -input=false
# On push to $default-branch, build or change infrastructure according to Terraform configuration files
# Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
- name: Terraform Apply
if: github.ref == 'refs/heads/$default-branch' && github.event_name == 'push'
- run: terraform apply -auto-approve
+ run: terraform apply -auto-approve -input=false
From 970a7b52557fbdf7dc31c20e64499c21f45deff2 Mon Sep 17 00:00:00 2001
From: dlorenc
Date: Sun, 10 Apr 2022 13:06:23 -0500
Subject: [PATCH 30/36] =?UTF-8?q?Update=20the=20cosign-install=20action=20?=
=?UTF-8?q?and=20default=20version=20from=201.4.0=20to=201.=E2=80=A6=20(#1?=
=?UTF-8?q?452)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Update the cosign-install action and default version from 1.4.0 to 1.5.1.
Signed-off-by: Dan Lorenc
* Update to 1.7.1 and the latest cosign-installer action.
Signed-off-by: Dan Lorenc
Co-authored-by: Bishal Prasad
---
ci/docker-publish.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
index 7b6add3..75f9770 100644
--- a/ci/docker-publish.yml
+++ b/ci/docker-publish.yml
@@ -41,9 +41,9 @@ jobs:
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
+ uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605
with:
- cosign-release: 'v1.4.0'
+ cosign-release: 'v1.7.1'
# Workaround: https://github.com/docker/build-push-action/issues/461
From eeb7d2860d40ef8ccea22e7cc47f0a7088dc886a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Bedran?=
Date: Sun, 10 Apr 2022 16:46:50 -0300
Subject: [PATCH 31/36] Removes " Simulator" substring from device name.
(#1470)
---
ci/ios.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ci/ios.yml b/ci/ios.yml
index 5cec5e7..693a7d5 100644
--- a/ci/ios.yml
+++ b/ci/ios.yml
@@ -26,7 +26,7 @@ jobs:
platform: ${{ 'iOS Simulator' }}
run: |
# xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
- device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'`
+ device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
@@ -37,7 +37,7 @@ jobs:
platform: ${{ 'iOS Simulator' }}
run: |
# xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
- device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'`
+ device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
From 9e81e73fe1c6c6786692b02864aeb1271734d235 Mon Sep 17 00:00:00 2001
From: Andrew Freckelton <7751633+frecks@users.noreply.github.com>
Date: Mon, 11 Apr 2022 15:04:06 -0400
Subject: [PATCH 32/36] chore: Update go version to 1.18
---
ci/go.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci/go.yml b/ci/go.yml
index 6f498a6..bb3ec96 100644
--- a/ci/go.yml
+++ b/ci/go.yml
@@ -16,7 +16,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v3
with:
- go-version: 1.17
+ go-version: 1.18
- name: Build
run: go build -v ./...
From 66f87f9dfe82ccc8055c7063ef35ee994f1a3ae1 Mon Sep 17 00:00:00 2001
From: Yong Yan
Date: Mon, 11 Apr 2022 21:41:27 -0700
Subject: [PATCH 33/36] Add clj-watson starter workflow (#1460)
* Add clj-watson starter workflow
* update permissions
* update to latest release
* Update clj-watson-action to official release
* Update code-scanning/clj-watson.yml
Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com>
* Update code-scanning/clj-watson.yml
Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com>
* update categories
* update categories
* Update code-scanning/clj-watson.yml
Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com>
* Update code-scanning/properties/clj-watson.properties.json
Co-authored-by: Bishal Prasad
* Update code-scanning/clj-watson.yml
Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com>
* add comments to yml file
* Update clj-watson.properties.json
* use codeql-action/upload-sarif v2
Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com>
Co-authored-by: Bishal Prasad
---
code-scanning/clj-watson.yml | 53 +++++++++++++++++++
.../properties/clj-watson.properties.json | 9 ++++
icons/clj-watson.svg | 1 +
3 files changed, 63 insertions(+)
create mode 100644 code-scanning/clj-watson.yml
create mode 100644 code-scanning/properties/clj-watson.properties.json
create mode 100644 icons/clj-watson.svg
diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml
new file mode 100644
index 0000000..2e4ab3c
--- /dev/null
+++ b/code-scanning/clj-watson.yml
@@ -0,0 +1,53 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# clj-watson scans dependencies in a clojure deps.edn
+# seeking for vulnerable direct/transitive dependencies and
+# build a report with all the information needed to help you
+# understand how the vulnerability manifest in your software.
+# More details at https://github.com/clj-holmes/clj-watson
+
+name: clj-watson
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ clj-holmes:
+ name: Run clj-watson scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Dependency scan
+ uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c
+ with:
+ clj-watson-sha: "65d928c"
+ clj-watson-tag: "v4.0.1"
+ database-strategy: github-advisory
+ aliases: clojure-lsp,test
+ deps-edn-path: deps.edn
+ suggest-fix: true
+ output-type: sarif
+ output-file: clj-watson-results.sarif
+ fail-on-result: false
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{github.workspace}}/clj-watson-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/properties/clj-watson.properties.json b/code-scanning/properties/clj-watson.properties.json
new file mode 100644
index 0000000..966314a
--- /dev/null
+++ b/code-scanning/properties/clj-watson.properties.json
@@ -0,0 +1,9 @@
+{
+ "name": "clj-watson",
+ "description": "Scan Clojure/Clojurescript projects for vulnerable direct/transitive dependencies.",
+ "iconName": "clj-watson",
+ "categories": [
+ "Code Scanning",
+ "Clojure"
+ ]
+}
diff --git a/icons/clj-watson.svg b/icons/clj-watson.svg
new file mode 100644
index 0000000..74459e5
--- /dev/null
+++ b/icons/clj-watson.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
From 94d3aff4c62f40e4751c3c71c61b23c4ec02a072 Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Tue, 12 Apr 2022 10:27:04 +0530
Subject: [PATCH 34/36] Remove creator property from rust-clippy
This is owned by @josepalafox's BD team in GitHub.
---
code-scanning/properties/rust-clippy.properties.json | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json
index ea5c871..4737786 100644
--- a/code-scanning/properties/rust-clippy.properties.json
+++ b/code-scanning/properties/rust-clippy.properties.json
@@ -1,10 +1,9 @@
{
"name": "rust-clippy",
- "creator": "Rust",
"description": "A collection of lints to catch common mistakes and improve your Rust code.",
"iconName": "rust",
"categories": [
"Code Scanning",
"rust"
]
-}
\ No newline at end of file
+}
From ae0ff4dd3a81c243bea35ec3e2035ab14b94bc9e Mon Sep 17 00:00:00 2001
From: Bishal Prasad
Date: Tue, 12 Apr 2022 10:29:04 +0530
Subject: [PATCH 35/36] Add Actions team as CODEOWNERS for code-scanning
starter workflows
---
CODEOWNERS | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CODEOWNERS b/CODEOWNERS
index 8866d17..91153de 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,3 +1,3 @@
* @actions/starter-workflows
-/code-scanning/ @actions/advanced-security-code-scanning
+/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows
From 92b20ce19b85f9e2d7eb558aa665eb6ac9287cb5 Mon Sep 17 00:00:00 2001
From: Yong Yan
Date: Wed, 13 Apr 2022 23:04:48 -0700
Subject: [PATCH 36/36] Add ESLint starter workflow (#1461)
* Add ESLint starter workflow
* Specify versions
* update permission
* Add typescript to categories
* Update codeql action to v2; add comments
* address review feedbacks
* update categories
---
code-scanning/eslint.yml | 49 +++++++++++++++++++
.../properties/eslint.properties.json | 11 +++++
icons/eslint.svg | 1 +
3 files changed, 61 insertions(+)
create mode 100644 code-scanning/eslint.yml
create mode 100644 code-scanning/properties/eslint.properties.json
create mode 100644 icons/eslint.svg
diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml
new file mode 100644
index 0000000..9067a7d
--- /dev/null
+++ b/code-scanning/eslint.yml
@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# ESLint is a tool for identifying and reporting on patterns
+# found in ECMAScript/JavaScript code.
+# More details at https://github.com/eslint/eslint
+# and https://eslint.org
+
+name: ESLint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ eslint:
+ name: Run eslint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Install ESLint
+ run: |
+ npm install eslint@8.10.0
+ npm install @microsoft/eslint-formatter-sarif@2.1.7
+
+ - name: Run ESLint
+ run: npx eslint .
+ --config .eslintrc.js
+ --ext .js,.jsx,.ts,.tsx
+ --format @microsoft/eslint-formatter-sarif
+ --output-file eslint-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: eslint-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json
new file mode 100644
index 0000000..a84646a
--- /dev/null
+++ b/code-scanning/properties/eslint.properties.json
@@ -0,0 +1,11 @@
+{
+ "name": "ESLint",
+ "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.",
+ "iconName": "eslint",
+ "categories": [
+ "Code Scanning",
+ "JavaScript",
+ "EcmaScript",
+ "TypeScript"
+ ]
+}
\ No newline at end of file
diff --git a/icons/eslint.svg b/icons/eslint.svg
new file mode 100644
index 0000000..23964aa
--- /dev/null
+++ b/icons/eslint.svg
@@ -0,0 +1 @@
+
\ No newline at end of file