Merge branch 'main' into soosdast
This commit is contained in:
@@ -0,0 +1,16 @@
|
||||
# To get started with Dependabot version updates, you'll need to specify which
|
||||
# package ecosystems to update and where the package manifests are located.
|
||||
# Please see the documentation for all configuration options:
|
||||
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
|
||||
|
||||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: "npm"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "weekly"
|
||||
|
||||
- package-ecosystem: "github-actions"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "weekly"
|
||||
@@ -41,7 +41,7 @@ It is not:
|
||||
- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning).
|
||||
- [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows:
|
||||
- [ ] `name`: Name of the Code Scanning integration.
|
||||
- [ ] `organization`: Name of the organization producing the Code Scanning integration.
|
||||
- [ ] `creator`: Name of the organization/user producing the Code Scanning integration.
|
||||
- [ ] `description`: Short description of the Code Scanning integration.
|
||||
- [ ] `categories`: Array of languages supported by the Code Scanning integration.
|
||||
- [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons).
|
||||
|
||||
@@ -9,7 +9,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Auto-assign issue'
|
||||
uses: pozil/auto-assign-issue@v1.4.0
|
||||
uses: pozil/auto-assign-issue@v1.11.0
|
||||
with:
|
||||
assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft
|
||||
numOfAssignee: 1
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
name: 'Auto Assign'
|
||||
on:
|
||||
pull_request:
|
||||
pull_request_target:
|
||||
types: [opened, ready_for_review]
|
||||
|
||||
jobs:
|
||||
add-reviews:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: kentaro-m/auto-assign-action@v1.2.1
|
||||
- uses: kentaro-m/auto-assign-action@v1.2.2
|
||||
|
||||
@@ -10,7 +10,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Close Issue
|
||||
uses: peter-evans/close-issue@v1
|
||||
uses: peter-evans/close-issue@v2
|
||||
if: contains(github.event.issue.labels.*.name, 'feature')
|
||||
with:
|
||||
comment: |
|
||||
|
||||
@@ -10,7 +10,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Close Issue
|
||||
uses: peter-evans/close-issue@v1
|
||||
uses: peter-evans/close-issue@v2
|
||||
if: contains(github.event.issue.labels.*.name, 'support')
|
||||
with:
|
||||
comment: |
|
||||
|
||||
@@ -13,7 +13,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/stale@v5
|
||||
- uses: actions/stale@v6
|
||||
with:
|
||||
stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.'
|
||||
stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.'
|
||||
|
||||
@@ -2,8 +2,7 @@ name: Sync workflows for GHES
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
branches: [ main ]
|
||||
|
||||
jobs:
|
||||
sync:
|
||||
@@ -18,7 +17,9 @@ jobs:
|
||||
git config user.name "GitHub Actions"
|
||||
- uses: actions/setup-node@v3
|
||||
with:
|
||||
node-version: '12'
|
||||
node-version: '16'
|
||||
cache: 'npm'
|
||||
cache-dependency-path: script/sync-ghes/package-lock.json
|
||||
- name: Check starter workflows for GHES compat
|
||||
run: |
|
||||
npm ci
|
||||
|
||||
@@ -14,7 +14,9 @@ jobs:
|
||||
|
||||
- uses: actions/setup-node@v3
|
||||
with:
|
||||
node-version: "12"
|
||||
node-version: '16'
|
||||
cache: 'npm'
|
||||
cache-dependency-path: script/validate-data/package-lock.json
|
||||
|
||||
- name: Validate workflows
|
||||
run: |
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
* @actions/starter-workflows
|
||||
|
||||
/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows
|
||||
/pages/ @actions/pages @actions/starter-workflows
|
||||
|
||||
@@ -12,10 +12,11 @@ These are the workflow files for helping people get started with GitHub Actions.
|
||||
|
||||
### Directory structure
|
||||
|
||||
* [ci](ci): solutions for Continuous Integration workflows.
|
||||
* [deployments](deployments): solutions for Deployment workflows.
|
||||
* [automation](automation): solutions for automating workflows.
|
||||
* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security)
|
||||
* [ci](ci): solutions for Continuous Integration workflows
|
||||
* [deployments](deployments): solutions for Deployment workflows
|
||||
* [automation](automation): solutions for automating workflows
|
||||
* [code-scanning](code-scanning): solutions for [Code Scanning](https://github.com/features/security)
|
||||
* [pages](pages): solutions for Pages workflows
|
||||
* [icons](icons): svg icons for the relevant template
|
||||
|
||||
Each workflow must be written in YAML and have a `.yml` extension. They also need a corresponding `.properties.json` file that contains extra metadata about the workflow (this is displayed in the GitHub.com UI).
|
||||
@@ -40,6 +41,8 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`.
|
||||
* monitoring
|
||||
* Automation
|
||||
* utilities
|
||||
* Pages
|
||||
* Hugo
|
||||
|
||||
### Variables
|
||||
These variables can be placed in the starter workflow and will be substituted as detailed below:
|
||||
|
||||
+1
-1
@@ -1,5 +1,5 @@
|
||||
# This workflow will build a Java project with Ant
|
||||
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-ant
|
||||
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-ant
|
||||
|
||||
name: Java CI
|
||||
|
||||
|
||||
@@ -41,9 +41,9 @@ jobs:
|
||||
# https://github.com/sigstore/cosign-installer
|
||||
- name: Install cosign
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605
|
||||
uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
|
||||
with:
|
||||
cosign-release: 'v1.7.1'
|
||||
cosign-release: 'v1.11.0'
|
||||
|
||||
|
||||
# Workaround: https://github.com/docker/build-push-action/issues/461
|
||||
@@ -78,6 +78,9 @@ jobs:
|
||||
push: ${{ github.event_name != 'pull_request' }}
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
|
||||
|
||||
# Sign the resulting Docker image digest except on PRs.
|
||||
# This will only write to the public Rekor transparency log when the Docker
|
||||
@@ -90,4 +93,4 @@ jobs:
|
||||
COSIGN_EXPERIMENTAL: "true"
|
||||
# This step uses the identity token to provision an ephemeral certificate
|
||||
# against the sigstore community Fulcio instance.
|
||||
run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }}
|
||||
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
|
||||
|
||||
@@ -69,9 +69,9 @@ jobs:
|
||||
|
||||
# Install the .NET Core workload
|
||||
- name: Install .NET Core
|
||||
uses: actions/setup-dotnet@v2
|
||||
uses: actions/setup-dotnet@v3
|
||||
with:
|
||||
dotnet-version: 5.0.x
|
||||
dotnet-version: 6.0.x
|
||||
|
||||
# Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild
|
||||
- name: Setup MSBuild.exe
|
||||
|
||||
+5
-2
@@ -1,3 +1,6 @@
|
||||
# This workflow will build a .NET project
|
||||
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
|
||||
|
||||
name: .NET
|
||||
|
||||
on:
|
||||
@@ -14,9 +17,9 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Setup .NET
|
||||
uses: actions/setup-dotnet@v2
|
||||
uses: actions/setup-dotnet@v3
|
||||
with:
|
||||
dotnet-version: 5.0.x
|
||||
dotnet-version: 6.0.x
|
||||
- name: Restore dependencies
|
||||
run: dotnet restore
|
||||
- name: Build
|
||||
|
||||
@@ -0,0 +1,68 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow lets you generate SLSA provenance file for your project.
|
||||
# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
|
||||
# The project is an initiative of the OpenSSF (openssf.org) and is developed at
|
||||
# https://github.com/slsa-framework/slsa-github-generator.
|
||||
# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
|
||||
# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
|
||||
|
||||
name: SLSA generic generator
|
||||
on:
|
||||
workflow_dispatch:
|
||||
release:
|
||||
types: [created]
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
digests: ${{ steps.hash.outputs.digests }}
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
# ========================================================
|
||||
#
|
||||
# Step 1: Build your artifacts.
|
||||
#
|
||||
# ========================================================
|
||||
- name: Build artifacts
|
||||
run: |
|
||||
# These are some amazing artifacts.
|
||||
echo "artifact1" > artifact1
|
||||
echo "artifact2" > artifact2
|
||||
|
||||
# ========================================================
|
||||
#
|
||||
# Step 2: Add a step to generate the provenance subjects
|
||||
# as shown below. Update the sha256 sum arguments
|
||||
# to include all binaries that you generate
|
||||
# provenance for.
|
||||
#
|
||||
# ========================================================
|
||||
- name: Generate subject
|
||||
id: hash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
# List the artifacts the provenance will refer to.
|
||||
files=$(ls artifact*)
|
||||
# Generate the subjects (base64 encoded).
|
||||
echo "::set-output name=digests::$(sha256sum $files | base64 -w0)"
|
||||
|
||||
provenance:
|
||||
needs: [build]
|
||||
permissions:
|
||||
actions: read # To read the workflow path.
|
||||
id-token: write # To sign the provenance.
|
||||
contents: write # To add assets to a release.
|
||||
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
|
||||
with:
|
||||
base64-subjects: "${{ needs.build.outputs.digests }}"
|
||||
upload-assets: true # Optional: Upload to a new release
|
||||
@@ -0,0 +1,38 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow lets you compile your Go project using a SLSA3 compliant builder.
|
||||
# This workflow will generate a so-called "provenance" file describing the steps
|
||||
# that were performed to generate the final binary.
|
||||
# The project is an initiative of the OpenSSF (openssf.org) and is developed at
|
||||
# https://github.com/slsa-framework/slsa-github-generator.
|
||||
# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
|
||||
# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
|
||||
|
||||
name: SLSA Go releaser
|
||||
on:
|
||||
workflow_dispatch:
|
||||
release:
|
||||
types: [created]
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
# ========================================================================================================================================
|
||||
# Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
|
||||
# See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file
|
||||
#=========================================================================================================================================
|
||||
build:
|
||||
permissions:
|
||||
id-token: write # To sign.
|
||||
contents: write # To upload release assets.
|
||||
actions: read # To read workflow path.
|
||||
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0
|
||||
with:
|
||||
go-version: 1.17
|
||||
# =============================================================================================================
|
||||
# Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects
|
||||
# =============================================================================================================
|
||||
|
||||
@@ -1,3 +1,6 @@
|
||||
# This workflow will build a golang project
|
||||
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
|
||||
|
||||
name: Go
|
||||
|
||||
on:
|
||||
|
||||
@@ -30,14 +30,14 @@ jobs:
|
||||
settings-path: ${{ github.workspace }} # location for the settings.xml file
|
||||
|
||||
- name: Build with Gradle
|
||||
uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
|
||||
uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
|
||||
with:
|
||||
arguments: build
|
||||
|
||||
# The USERNAME and TOKEN need to correspond to the credentials environment variables used in
|
||||
# the publishing section of your build.gradle
|
||||
- name: Publish to GitHub Packages
|
||||
uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
|
||||
uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
|
||||
with:
|
||||
arguments: publish
|
||||
env:
|
||||
|
||||
+2
-2
@@ -3,7 +3,7 @@
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time
|
||||
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
|
||||
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-gradle
|
||||
|
||||
name: Java CI with Gradle
|
||||
|
||||
@@ -29,6 +29,6 @@ jobs:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
- name: Build with Gradle
|
||||
uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
|
||||
uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
|
||||
with:
|
||||
arguments: build
|
||||
|
||||
+10
-1
@@ -1,5 +1,10 @@
|
||||
# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
|
||||
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
|
||||
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven
|
||||
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
name: Java CI with Maven
|
||||
|
||||
@@ -24,3 +29,7 @@ jobs:
|
||||
cache: maven
|
||||
- name: Build with Maven
|
||||
run: mvn -B package --file pom.xml
|
||||
|
||||
# Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
|
||||
- name: Update dependency graph
|
||||
uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6
|
||||
|
||||
+2
-2
@@ -1,5 +1,5 @@
|
||||
# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
|
||||
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
|
||||
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
|
||||
|
||||
name: Node.js CI
|
||||
|
||||
@@ -16,7 +16,7 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [12.x, 14.x, 16.x]
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
|
||||
|
||||
steps:
|
||||
|
||||
+1
-1
@@ -12,7 +12,7 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [12.x, 14.x, 16.x]
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
+1
-1
@@ -12,7 +12,7 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [12.x, 14.x, 16.x]
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
|
||||
# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
|
||||
# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
|
||||
|
||||
name: Node.js Package
|
||||
|
||||
|
||||
+1
-1
@@ -1,5 +1,5 @@
|
||||
# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
|
||||
# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
|
||||
# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
|
||||
|
||||
name: Node.js Package
|
||||
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "SLSA Generic generator",
|
||||
"creator": "Open Source Security Foundation (OpenSSF)",
|
||||
"description": "Generate SLSA3 provenance for your existing release workflows",
|
||||
"iconName": "generator-generic-ossf-slsa3-publish",
|
||||
"categories": ["Continuous integration", "Go", "Elixir", "Erlang", "PHP", "Haskell", "Rust", "Java", "Scala", "Gradle", "Maven", "Python", "C", "C++", "TypeScript", "JavaScript", "npm", "Ruby", "HTML", "Composer", "Makefile", "Ada"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "SLSA Go releaser",
|
||||
"creator": "Open Source Security Foundation (OpenSSF)",
|
||||
"description": "Compile your Go project using a SLSA3 compliant builder",
|
||||
"iconName": "go-ossf-slsa3-publish",
|
||||
"categories": ["Continuous integration", "Go"]
|
||||
}
|
||||
@@ -1,5 +1,5 @@
|
||||
{
|
||||
"name": "Jekyll",
|
||||
"name": "Jekyll using Docker image",
|
||||
"description": "Package a Jekyll site using the jekyll/builder Docker image.",
|
||||
"iconName": "jekyll",
|
||||
"categories": ["Continuous integration", "HTML"]
|
||||
+1
-1
@@ -1,5 +1,5 @@
|
||||
# This workflow will install Python dependencies, run tests and lint with a single version of Python
|
||||
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
|
||||
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
|
||||
|
||||
name: Python application
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
|
||||
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
|
||||
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
|
||||
|
||||
name: Python package
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# This workflow will upload a Python Package using Twine when a release is created
|
||||
# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
|
||||
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
|
||||
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
|
||||
+1
-1
@@ -30,7 +30,7 @@ jobs:
|
||||
# To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
|
||||
# change this to (see https://github.com/ruby/setup-ruby#versioning):
|
||||
# uses: ruby/setup-ruby@v1
|
||||
uses: ruby/setup-ruby@2b019609e2b0f1ea1a2bc8ca11cb82ab46ada124
|
||||
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
|
||||
with:
|
||||
ruby-version: ${{ matrix.ruby-version }}
|
||||
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
|
||||
|
||||
+2
-2
@@ -30,7 +30,7 @@ jobs:
|
||||
uses: actions/checkout@v3
|
||||
# Add or replace dependency steps here
|
||||
- name: Install Ruby and gems
|
||||
uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
|
||||
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
|
||||
with:
|
||||
bundler-cache: true
|
||||
# Add or replace database setup steps here
|
||||
@@ -46,7 +46,7 @@ jobs:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
- name: Install Ruby and gems
|
||||
uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
|
||||
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
|
||||
with:
|
||||
bundler-cache: true
|
||||
# Add or replace any other lints here
|
||||
|
||||
@@ -21,5 +21,6 @@ jobs:
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
cache: 'sbt'
|
||||
- name: Run tests
|
||||
run: sbt test
|
||||
|
||||
@@ -1,3 +1,6 @@
|
||||
# This workflow will build a Swift project
|
||||
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-swift
|
||||
|
||||
name: Swift
|
||||
|
||||
on:
|
||||
|
||||
+1
-1
@@ -12,7 +12,7 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [12.x, 14.x, 16.x]
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
@@ -0,0 +1,38 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow checks out code, builds an image, performs a container image
|
||||
# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency
|
||||
# submission API.
|
||||
|
||||
# For more information on the Anchore sbom-action usage
|
||||
# and parameters, see https://github.com/anchore/sbom-action. For more
|
||||
# information about the Anchore SBOM tool, Syft, see
|
||||
# https://github.com/anchore/syft
|
||||
name: Anchore Syft SBOM scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
Anchore-Build-Scan:
|
||||
permissions:
|
||||
contents: write # required to upload to the Dependency submission API
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout the code
|
||||
uses: actions/checkout@v3
|
||||
- name: Build the Docker image
|
||||
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
|
||||
- name: Scan the image and upload dependency results
|
||||
uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a
|
||||
with:
|
||||
image: "localbuild/testimage:latest"
|
||||
artifact-name: image.spdx.json
|
||||
dependency-snapshot: true
|
||||
@@ -9,7 +9,7 @@
|
||||
# and parameters, see https://github.com/anchore/scan-action. For more
|
||||
# information on Anchore's container image scanning tool Grype, see
|
||||
# https://github.com/anchore/grype
|
||||
name: Anchore Container Scan
|
||||
name: Anchore Grype vulnerability scan
|
||||
|
||||
on:
|
||||
push:
|
||||
@@ -28,20 +28,21 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout the code
|
||||
- name: Check out the code
|
||||
uses: actions/checkout@v3
|
||||
- name: Build the Docker image
|
||||
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
|
||||
- name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
|
||||
uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
|
||||
- name: Run the Anchore Grype scan action
|
||||
uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
|
||||
id: scan
|
||||
with:
|
||||
image: "localbuild/testimage:latest"
|
||||
acs-report-enable: true
|
||||
fail-build: false
|
||||
- name: Upload Anchore Scan Report
|
||||
fail-build: true
|
||||
severity-cutoff: critical
|
||||
- name: Upload vulnerability report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
sarif_file: ${{ steps.scan.outputs.sarif }}
|
||||
|
||||
@@ -46,9 +46,11 @@ permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
Trigger APIsec scan:
|
||||
|
||||
Trigger_APIsec_scan:
|
||||
permissions:
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
||||
@@ -25,6 +25,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: Brakeman Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
@@ -34,7 +35,7 @@ jobs:
|
||||
|
||||
# Customize the ruby version depending on your needs
|
||||
- name: Setup Ruby
|
||||
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
|
||||
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
|
||||
with:
|
||||
ruby-version: '2.7'
|
||||
|
||||
|
||||
@@ -29,6 +29,7 @@ jobs:
|
||||
issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues
|
||||
pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
|
||||
|
||||
@@ -24,6 +24,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read
|
||||
security-events: write
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
@@ -31,7 +32,7 @@ jobs:
|
||||
- name: Scan code
|
||||
uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
|
||||
with:
|
||||
rules-repository: 'git://org/private-rules-repo#main'
|
||||
# rules-repository: 'git://org/private-rules-repo#main'
|
||||
output-type: 'sarif'
|
||||
output-file: 'clj-holmes-results.sarif'
|
||||
fail-on-result: 'false'
|
||||
@@ -40,4 +41,4 @@ jobs:
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
|
||||
ait-for-processing: true
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -29,6 +29,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read
|
||||
security-events: write
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
@@ -30,6 +30,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: Codacy Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
@@ -70,3 +70,5 @@ jobs:
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v2
|
||||
with:
|
||||
category: "/language:${{matrix.language}}"
|
||||
|
||||
@@ -25,6 +25,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
|
||||
@@ -0,0 +1,53 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github.
|
||||
# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action.
|
||||
# Contrast Scan currently supports Java, JavaScript and .NET artifacts.
|
||||
# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action
|
||||
|
||||
# Pre-requisites:
|
||||
# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action.
|
||||
# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER.
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
name: Scan analyze workflow
|
||||
jobs:
|
||||
build-and-scan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout
|
||||
security-events: write # for github/codeql-action/upload-sarif
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
# check out project
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
# Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here.
|
||||
# -name: Build Project
|
||||
# ...
|
||||
# Scan Artifact
|
||||
- name: Contrast Scan Action
|
||||
uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1
|
||||
with:
|
||||
artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact
|
||||
apiKey: ${{ secrets.CONTRAST_API_KEY }}
|
||||
orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
|
||||
authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
|
||||
#Upload the results to GitHub
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
|
||||
@@ -0,0 +1,126 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow performs a static analysis of your source code using
|
||||
# Red Hat CodeReady Dependency Analytics.
|
||||
|
||||
# Scans are triggered:
|
||||
# 1. On every push to default and protected branches
|
||||
# 2. On every Pull Request targeting the default branch
|
||||
# 3. On a weekly schedule
|
||||
# 4. Manually, on demand, via the "workflow_dispatch" event
|
||||
|
||||
# 💁 The CRDA Starter workflow will:
|
||||
# - Checkout your repository
|
||||
# - Setup the required tool stack
|
||||
# - Install the CRDA command line tool
|
||||
# - Auto detect the manifest file and install the project's dependencies
|
||||
# - Perform the security scan using CRDA
|
||||
# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab
|
||||
# - Optionally upload the SARIF file as an artifact for the future reference
|
||||
|
||||
# ℹ️ Configure your repository and the workflow with the following steps:
|
||||
# 1. Setup the tool stack based on the project's requirement.
|
||||
# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack
|
||||
# 2. (Optional) CRDA action attempt to detect the language and install the
|
||||
# required dependencies for your project. If your project doesn't aligns
|
||||
# with the default dependency installation command mentioned here
|
||||
# https://github.com/redhat-actions/crda/#3-installing-dependencies.
|
||||
# Use the required inputs to setup the same
|
||||
# 3. (Optional) CRDA action attempts to detect the manifest file if it is
|
||||
# present in the root of the project and named as per the default mentioned
|
||||
# here https://github.com/redhat-actions/crda/#3-installing-dependencies.
|
||||
# If it deviates from the default, use the required inputs to setup the same
|
||||
# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN.
|
||||
# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication
|
||||
# 5. (Optional) Upload SARIF file as an Artifact to download and view
|
||||
# 6. Commit and push the workflow file to your default branch to trigger a workflow run.
|
||||
|
||||
# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback.
|
||||
|
||||
name: CRDA Scan
|
||||
|
||||
# Controls when the workflow will run
|
||||
on:
|
||||
# TODO: Customize trigger events based on your DevSecOps processes
|
||||
#
|
||||
# This workflow is made to run with OpenShift starter workflow
|
||||
# https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml
|
||||
# However, if you want to run this workflow as a standalone workflow, please
|
||||
# uncomment the 'push' trigger below and configure it based on your requirements.
|
||||
#
|
||||
workflow_call:
|
||||
secrets:
|
||||
CRDA_KEY:
|
||||
required: false
|
||||
SNYK_TOKEN:
|
||||
required: false
|
||||
workflow_dispatch:
|
||||
|
||||
# push:
|
||||
# branches: [ $default-branch, $protected-branches ]
|
||||
|
||||
# pull_request_target is used to securely share secret to the PR's workflow run.
|
||||
# For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
|
||||
pull_request_target:
|
||||
branches: [ $default-branch ]
|
||||
types: [ assigned, opened, synchronize, reopened, labeled, edited ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
crda-scan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for redhat-actions/crda to upload SARIF results
|
||||
name: Scan project vulnerabilities with CRDA
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
|
||||
- name: Check out repository
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# *******************************************************************
|
||||
# Required: Instructions to setup project
|
||||
# 1. Setup Go, Java, Node.js or Python depending on your project type
|
||||
# 2. Setup Actions are listed below, choose one from them:
|
||||
# - Go: https://github.com/actions/setup-go
|
||||
# - Java: https://github.com/actions/setup-java
|
||||
# - Node.js: https://github.com/actions/setup-node
|
||||
# - Python: https://github.com/actions/setup-python
|
||||
#
|
||||
# Example:
|
||||
# - name: Setup Node
|
||||
# uses: actions/setup-node@v2
|
||||
# with:
|
||||
# node-version: '14'
|
||||
|
||||
# https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md
|
||||
- name: Install CRDA CLI
|
||||
uses: redhat-actions/openshift-tools-installer@v1
|
||||
with:
|
||||
source: github
|
||||
github_pat: ${{ github.token }}
|
||||
# Choose the desired version of the CRDA CLI
|
||||
crda: "latest"
|
||||
|
||||
######################################################################################
|
||||
# https://github.com/redhat-actions/crda/blob/main/README.md
|
||||
#
|
||||
# By default, CRDA will detect the manifest file and install the required dependencies
|
||||
# using the standard command for the project type.
|
||||
# If your project doesn't aligns with the defaults mentioned in this action, you will
|
||||
# need to set few inputs that are described here:
|
||||
# https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies
|
||||
# Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand
|
||||
# process to get a SNYK_TOKEN or a CRDA_KEY
|
||||
- name: CRDA Scan
|
||||
id: scan
|
||||
uses: redhat-actions/crda@v1
|
||||
with:
|
||||
crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token
|
||||
# snyk_token: ${{ secrets.SNYK_TOKEN }}
|
||||
# upload_artifact: false # Set this to false to skip artifact upload
|
||||
@@ -17,4 +17,4 @@ jobs:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v3
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v1
|
||||
uses: actions/dependency-review-action@v2
|
||||
|
||||
@@ -25,6 +25,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read
|
||||
security-events: write
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
@@ -0,0 +1,69 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# EthicalCheck addresses the critical need to continuously security test APIs in development and in production.
|
||||
|
||||
# EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.
|
||||
# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities.
|
||||
|
||||
# You develop the application and API, we bring complete and continuous security testing to you, accelerating development.
|
||||
|
||||
# Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service.
|
||||
|
||||
# How EthicalCheck works?
|
||||
# EthicalCheck functions in the following simple steps.
|
||||
# 1. Security Testing.
|
||||
# Provide your OpenAPI specification or start with a public Postman collection URL.
|
||||
# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing.
|
||||
# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc.
|
||||
|
||||
# 2. Reporting.
|
||||
# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities.
|
||||
# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging.
|
||||
|
||||
|
||||
# This is a starter workflow to help you get started with EthicalCheck Actions
|
||||
|
||||
name: EthicalCheck-Workflow
|
||||
|
||||
# Controls when the workflow will run
|
||||
on:
|
||||
# Triggers the workflow on push or pull request events but only for the $default-branch branch
|
||||
# Customize trigger events based on your DevSecOps processes.
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
# Allows you to run this workflow manually from the Actions tab
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
Trigger_EthicalCheck:
|
||||
permissions:
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: EthicalCheck Free & Automated API Security Testing Service
|
||||
uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641
|
||||
with:
|
||||
# The OpenAPI Specification URL or Swagger Path or Public Postman collection URL.
|
||||
oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs"
|
||||
# The email address to which the penetration test report will be sent.
|
||||
email: "xxx@apisec.ai"
|
||||
sarif-result-file: "ethicalcheck-results.sarif"
|
||||
|
||||
- name: Upload sarif file to repository
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: ./ethicalcheck-results.sarif
|
||||
|
||||
@@ -0,0 +1,56 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# Frogbot Scan and Fix does the following:
|
||||
# Automatically creates pull requests with fixes for vulnerable project dependencies.
|
||||
# Uses JFrog Xray to scan the project.
|
||||
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
|
||||
|
||||
name: "Frogbot Scan and Fix"
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch ]
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
security-events: write
|
||||
jobs:
|
||||
create-fix-pull-requests:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
# Install prerequisites - uncomment the relevant one
|
||||
|
||||
# - uses: actions/setup-go@v3
|
||||
# with:
|
||||
# go-version: 1.17.x
|
||||
|
||||
# - uses: actions/setup-java@v3
|
||||
# with:
|
||||
# java-version: "11"
|
||||
# distribution: "temurin"
|
||||
|
||||
# - uses: actions/setup-node@v3
|
||||
# with:
|
||||
# node-version: "16.x"
|
||||
|
||||
|
||||
- uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
|
||||
env:
|
||||
# [Mandatory]
|
||||
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
|
||||
JF_URL: ${{ secrets.FROGBOT_URL }}
|
||||
|
||||
# [Mandatory if JF_USER and JF_PASSWORD are not provided]
|
||||
# JFrog access token with 'read' permissions on Xray service
|
||||
JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }}
|
||||
|
||||
# [Mandatory]
|
||||
# The GitHub token automatically generated for the job
|
||||
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
# [Mandatory if using npm]
|
||||
# The command that installs the dependencies
|
||||
# JF_INSTALL_DEPS_CMD: "npm i"
|
||||
@@ -0,0 +1,75 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# Frogbot Scan Pull Request does the following:
|
||||
# Automatically scans new pull requests for security vulnerabilities.
|
||||
# Uses JFrog Xray to scan the project.
|
||||
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
|
||||
|
||||
name: "Frogbot Scan Pull Request"
|
||||
on:
|
||||
pull_request_target:
|
||||
types: [ opened, synchronize ]
|
||||
permissions:
|
||||
pull-requests: write
|
||||
contents: read
|
||||
jobs:
|
||||
scan-pull-request:
|
||||
runs-on: ubuntu-latest
|
||||
# A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
|
||||
# "frogbot" GitHub environment can approve the pull request to be scanned.
|
||||
environment: frogbot
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
|
||||
# Install prerequisites - uncomment the relevant ones
|
||||
|
||||
# - uses: actions/setup-go@v3
|
||||
# with:
|
||||
# go-version: 1.17.x
|
||||
|
||||
# - uses: actions/setup-java@v3
|
||||
# with:
|
||||
# java-version: "11"
|
||||
# distribution: "temurin"
|
||||
|
||||
# - uses: actions/setup-node@v3
|
||||
# with:
|
||||
# node-version: "16.x"
|
||||
|
||||
# The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
|
||||
|
||||
- uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
|
||||
env:
|
||||
# [Mandatory]
|
||||
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
|
||||
JF_URL: ${{ secrets.JF_URL }}
|
||||
|
||||
# [Mandatory if JF_ACCESS_TOKEN is not provided]
|
||||
# JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
|
||||
JF_USER: ${{ secrets.JF_USER }}
|
||||
|
||||
# [Mandatory if JF_ACCESS_TOKEN is not provided]
|
||||
# JFrog password. Must be provided with JF_USER
|
||||
JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
|
||||
|
||||
# [Mandatory]
|
||||
# The GitHub token automatically generated for the job
|
||||
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
# [Mandatory if JF_USER and JF_PASSWORD are not provided]
|
||||
# JFrog access token with 'read' permissions on Xray service
|
||||
# JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
|
||||
|
||||
# [Mandatory when using npm]
|
||||
# The command that installs the dependencies
|
||||
# JF_INSTALL_DEPS_CMD: "npm i"
|
||||
|
||||
# [Mandatory when using .NET]
|
||||
# The command that installs the dependencies
|
||||
# JF_INSTALL_DEPS_CMD: "dotnet restore"
|
||||
|
||||
# The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
|
||||
@@ -27,7 +27,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
@@ -0,0 +1,55 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# lintr provides static code analysis for R.
|
||||
# It checks for adherence to a given style,
|
||||
# identifying syntax errors and possible semantic issues,
|
||||
# then reports them to you so you can take action.
|
||||
# More details at https://lintr.r-lib.org/
|
||||
|
||||
name: lintr
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
lintr:
|
||||
name: Run lintr scanning
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read # for checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Setup R
|
||||
uses: r-lib/actions/setup-r@4e1feaf90520ec1215d1882fdddfe3411c08e492
|
||||
|
||||
- name: Setup lintr
|
||||
uses: r-lib/actions/setup-r-dependencies@4e1feaf90520ec1215d1882fdddfe3411c08e492
|
||||
with:
|
||||
extra-packages: lintr
|
||||
|
||||
- name: Run lintr
|
||||
run: lintr::sarif_output(lintr::lint_dir("."), "lintr-results.sarif")
|
||||
shell: Rscript {0}
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: lintr-results.sarif
|
||||
wait-for-processing: true
|
||||
@@ -21,6 +21,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
||||
@@ -28,6 +28,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: Analyze
|
||||
runs-on: windows-latest
|
||||
|
||||
|
||||
@@ -25,6 +25,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
name: njsscan code scanning
|
||||
steps:
|
||||
|
||||
@@ -0,0 +1,55 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
#
|
||||
# NowSecure: The Mobile Security Experts <https://www.nowsecure.com/>.
|
||||
#
|
||||
# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer,
|
||||
# you can find it in NowSecure Platform.
|
||||
#
|
||||
# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access:
|
||||
# <https://bit.ly/ns-git-sbom>.
|
||||
#
|
||||
# Instructions:
|
||||
#
|
||||
# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and
|
||||
# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit
|
||||
# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub".
|
||||
#
|
||||
# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
|
||||
# and review the "Dependency graph" tab in the "Insights" pane once the action has run.
|
||||
|
||||
name: "NowSecure Mobile SBOM"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
nowsecure:
|
||||
name: NowSecure Mobile SBOM
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Build your application
|
||||
run: ./gradlew assembleDebug # Update this to build your Android or iOS application
|
||||
|
||||
- name: NowSecure upload app
|
||||
uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c
|
||||
with:
|
||||
token: ${{ secrets.NS_TOKEN }}
|
||||
app_file: app-debug.apk # Update this to a path to your .ipa or .apk
|
||||
group_id: {{ groupId }} # Update this to your desired Platform group ID
|
||||
@@ -27,6 +27,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: windows-latest
|
||||
|
||||
steps:
|
||||
|
||||
@@ -0,0 +1,57 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# PHPMD is a spin-off project of PHP Depend and
|
||||
# aims to be a PHP equivalent of the well known Java tool PMD.
|
||||
# What PHPMD does is: It takes a given PHP source code base
|
||||
# and look for several potential problems within that source.
|
||||
# These problems can be things like:
|
||||
# Possible bugs
|
||||
# Suboptimal code
|
||||
# Overcomplicated expressions
|
||||
# Unused parameters, methods, properties
|
||||
# More details at https://phpmd.org/
|
||||
|
||||
name: PHPMD
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
PHPMD:
|
||||
name: Run PHPMD scanning
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read # for checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Setup PHP
|
||||
uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161
|
||||
with:
|
||||
coverage: none
|
||||
tools: phpmd
|
||||
|
||||
- name: Run PHPMD
|
||||
run: phpmd . sarif codesize --reportfile phpmd-results.sarif
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: phpmd-results.sarif
|
||||
wait-for-processing: true
|
||||
@@ -21,6 +21,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
@@ -25,13 +25,14 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: PSScriptAnalyzer
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Run PSScriptAnalyzer
|
||||
uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061
|
||||
uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f
|
||||
with:
|
||||
# Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options.
|
||||
# The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules.
|
||||
|
||||
@@ -29,6 +29,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
name: Run Prisma Cloud IaC Scan to check
|
||||
steps:
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Anchore Syft SBOM Scan",
|
||||
"creator": "Anchore",
|
||||
"description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.",
|
||||
"iconName": "anchore",
|
||||
"categories": ["Code Scanning", "dockerfile", "dependency-management"]
|
||||
}
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "Anchore Container Scan",
|
||||
"creator": "Indeni Cloudrail",
|
||||
"description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.",
|
||||
"name": "Anchore Grype Vulnerability Scan",
|
||||
"creator": "Anchore",
|
||||
"description": "Produce source and container vulnerability reports based on Anchore's open source Grype tool.",
|
||||
"iconName": "anchore",
|
||||
"categories": ["Code Scanning", "dockerfile"]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"name": "CodeQL Analysis",
|
||||
"creator": "GitHub",
|
||||
"enterprise": true,
|
||||
"description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
|
||||
"iconName": "octicon mark-github",
|
||||
"categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Contrast Scan",
|
||||
"creator": "Contrast Security Inc",
|
||||
"description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerabilities to the repository.",
|
||||
"iconName": "contrast",
|
||||
"categories": ["Code Scanning", "java", "javascript", "dotnet"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Red Hat CodeReady Dependency Analytics",
|
||||
"creator": "Red Hat",
|
||||
"description": "Scan your project's dependencies with CodeReady Dependency Analytics.",
|
||||
"iconName": "openshift",
|
||||
"categories": ["Code Scanning", "Go", "Python", "Node.js", "Java"]
|
||||
}
|
||||
@@ -2,10 +2,11 @@
|
||||
"name": "ESLint",
|
||||
"description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.",
|
||||
"iconName": "eslint",
|
||||
"enterprise": false,
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"JavaScript",
|
||||
"EcmaScript",
|
||||
"TypeScript"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
{
|
||||
"name": "EthicalCheck",
|
||||
"creator": "APIsec",
|
||||
"description": "EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.",
|
||||
"iconName": "apisec",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"C",
|
||||
"C#",
|
||||
"C++",
|
||||
"Go",
|
||||
"Java",
|
||||
"JavaScript",
|
||||
"Kotlin",
|
||||
"Objective C",
|
||||
"PHP",
|
||||
"Python",
|
||||
"Ruby",
|
||||
"Rust",
|
||||
"Scala",
|
||||
"Swift",
|
||||
"TypeScript"
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"name": "Frogbot Scan and Fix",
|
||||
"description": "Automatically creates pull requests with fixes for vulnerable project dependencies. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.",
|
||||
"iconName": "frogbot",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"Go Module",
|
||||
"Maven POM",
|
||||
"NPM Config",
|
||||
"Gradle",
|
||||
"C#",
|
||||
"Python"
|
||||
],
|
||||
"creator": "JFrog"
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"name": "Frogbot Scan Pull Request",
|
||||
"description": "Automatically scans new pull requests for security vulnerabilities. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.",
|
||||
"iconName": "frogbot",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"Go Module",
|
||||
"Maven POM",
|
||||
"NPM Config",
|
||||
"Gradle",
|
||||
"C#",
|
||||
"Python"
|
||||
],
|
||||
"creator": "JFrog"
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"name": "lintr",
|
||||
"description": "lintr provides static code analysis for R.",
|
||||
"iconName": "lintr",
|
||||
"categories": [ "Code Scanning", "R" ]
|
||||
}
|
||||
@@ -0,0 +1,21 @@
|
||||
{
|
||||
"name": "NowSecure Mobile SBOM",
|
||||
"creator": "NowSecure",
|
||||
"description": "Generate a Mobile SBOM for an application and submit to Dependency Graph",
|
||||
"iconName": "nowsecure",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"Java",
|
||||
"Kotlin",
|
||||
"Scala",
|
||||
"Swift",
|
||||
"Objective C",
|
||||
"C",
|
||||
"C++",
|
||||
"C#",
|
||||
"Rust",
|
||||
"JavaScript",
|
||||
"TypeScript",
|
||||
"Node"
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"name": "PHPMD",
|
||||
"description": "A spin-off project of PHP Depend and aims to be a PHP equivalent of the well known Java tool PMD.",
|
||||
"iconName": "phpmd",
|
||||
"categories": [ "Code Scanning", "PHP" ]
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"name": "puppet-lint",
|
||||
"description": "Puppet Lint tests Puppet code against the recommended Puppet language style guide.",
|
||||
"iconName": "puppet-lint",
|
||||
"categories": [ "Code Scanning", "Puppet" ]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Zscaler IaC Scan",
|
||||
"creator": "Zscaler CWP",
|
||||
"description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app",
|
||||
"iconName": "zscaler",
|
||||
"categories": ["Code Scanning"]
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
{
|
||||
"name": "zScan",
|
||||
"creator": "Zimperium",
|
||||
"description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ",
|
||||
"iconName": "zscan",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"Java",
|
||||
"Kotlin",
|
||||
"Scala",
|
||||
"Swift",
|
||||
"Objective C"
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,55 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# Puppet Lint tests Puppet code against the recommended Puppet language style guide.
|
||||
# https://puppet.com/docs/puppet/7/style_guide.html
|
||||
# Puppet Lint validates only code style; it does not validate syntax.
|
||||
# To test syntax, use Puppet's puppet parser validate command.
|
||||
# More details at https://github.com/puppetlabs/puppet-lint/
|
||||
|
||||
name: puppet-lint
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
puppet-lint:
|
||||
name: Run puppet-lint scanning
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read # for checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Setup Ruby
|
||||
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
|
||||
with:
|
||||
ruby-version: 2.7
|
||||
bundler-cache: true
|
||||
|
||||
- name: Install puppet-lint
|
||||
run: gem install puppet-lint
|
||||
|
||||
- name: Run puppet-lint
|
||||
run: puppet-lint . --sarif > puppet-lint-results.sarif
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: puppet-lint-results.sarif
|
||||
wait-for-processing: true
|
||||
@@ -28,7 +28,7 @@ jobs:
|
||||
# If running on a self-hosted runner, check it meets the requirements
|
||||
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
|
||||
- name: Set up Ruby
|
||||
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
|
||||
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
|
||||
with:
|
||||
ruby-version: 2.6
|
||||
|
||||
|
||||
@@ -25,6 +25,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read
|
||||
security-events: write
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
@@ -17,20 +17,20 @@ jobs:
|
||||
permissions:
|
||||
# Needed to upload the results to code-scanning dashboard.
|
||||
security-events: write
|
||||
# Used to receive a badge. (Upcoming feature)
|
||||
# Used to receive a badge.
|
||||
id-token: write
|
||||
# Needs for private repositories.
|
||||
contents: read
|
||||
actions: read
|
||||
|
||||
|
||||
steps:
|
||||
- name: "Checkout code"
|
||||
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
|
||||
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
- name: "Run analysis"
|
||||
uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.1.1
|
||||
uses: ossf/scorecard-action@865b4092859256271290c77adbd10a43f4779972 # tag=v2.0.3
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
@@ -41,22 +41,22 @@ jobs:
|
||||
# repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
|
||||
|
||||
# Publish the results for public repositories to enable scorecard badges. For more details, see
|
||||
# https://github.com/ossf/scorecard-action#publishing-results.
|
||||
# For private repositories, `publish_results` will automatically be set to `false`, regardless
|
||||
# https://github.com/ossf/scorecard-action#publishing-results.
|
||||
# For private repositories, `publish_results` will automatically be set to `false`, regardless
|
||||
# of the value entered here.
|
||||
publish_results: true
|
||||
|
||||
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
|
||||
# format to the repository Actions tab.
|
||||
- name: "Upload artifact"
|
||||
uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
|
||||
uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
retention-days: 5
|
||||
|
||||
|
||||
# Upload the results to GitHub's code scanning dashboard.
|
||||
- name: "Upload to code-scanning"
|
||||
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
|
||||
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -27,6 +27,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
@@ -30,6 +30,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
@@ -29,6 +29,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
@@ -28,6 +28,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
||||
@@ -3,13 +3,18 @@
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
#
|
||||
# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/
|
||||
# SOOS is the easy-to-integrate and affordable software security solution for your whole team.
|
||||
# Learn more at https://soos.io/
|
||||
#
|
||||
# To use this action you need to fill the following requirements:
|
||||
# To use this action, perform the following steps:
|
||||
#
|
||||
# 1. Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product).
|
||||
# 1. Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA and DAST products.
|
||||
#
|
||||
# 2. Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload)
|
||||
# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here.
|
||||
#
|
||||
# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID.
|
||||
#
|
||||
# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token.
|
||||
#
|
||||
|
||||
name: "SOOS DAST Scan"
|
||||
@@ -24,6 +29,7 @@ jobs:
|
||||
soos:
|
||||
permissions:
|
||||
security-events: write # for uploading code scanning alert info
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: SOOS DAST Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
@@ -32,10 +38,13 @@ jobs:
|
||||
with:
|
||||
client_id: ${{ secrets.SOOS_CLIENT_ID }}
|
||||
api_key: ${{ secrets.SOOS_API_KEY }}
|
||||
project_name: ${{ github.repository }} # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository
|
||||
project_name: "<YOUR-PROJECT-NAME>"
|
||||
scan_mode: "baseline"
|
||||
target_url: "https://www.example.com/"
|
||||
sarif: true # Only set to true if you want to upload the SARIF report to Github
|
||||
gpat: ${{ secrets.SOOS_GITHUB_PAT }}
|
||||
output_format: "sarif"
|
||||
- name: Upload SOOS DAST SARIF Report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
|
||||
|
||||
@@ -24,6 +24,7 @@ jobs:
|
||||
checks: write # for sysdiglabs/scan-action to publish the checks
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
||||
@@ -27,7 +27,7 @@ jobs:
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run tfsec
|
||||
uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
|
||||
uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
|
||||
with:
|
||||
sarif_file: tfsec.sarif
|
||||
|
||||
|
||||
@@ -22,6 +22,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: Build
|
||||
runs-on: "ubuntu-18.04"
|
||||
steps:
|
||||
@@ -33,7 +34,7 @@ jobs:
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
|
||||
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
|
||||
@@ -27,6 +27,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
|
||||
@@ -51,6 +51,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
||||
@@ -0,0 +1,56 @@
|
||||
#This workflow uses actions that are not certified by GitHub.
|
||||
#They are provided by a third party and are governed by
|
||||
#separate terms of service, privacy policy, and support
|
||||
#documentation.
|
||||
|
||||
#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app,
|
||||
#which detects security misconfigurations in IaC templates and publishes the findings
|
||||
#under the code scanning alerts section within the repository.
|
||||
|
||||
#Log into the Zscaler Posture Control(ZPC) Portal to begin the onboarding process.
|
||||
#Copy the client ID and client secret key generated during the onboarding process and configure.
|
||||
#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET).
|
||||
|
||||
#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow.
|
||||
#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation.
|
||||
|
||||
name: Zscaler IaC Scan
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
zscaler-iac-scan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name : Code Checkout
|
||||
uses: actions/checkout@v3
|
||||
- name : Zscaler IAC Scan
|
||||
uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087
|
||||
id : zscaler-iac-scan
|
||||
with:
|
||||
client_id : ${{ secrets.ZSCANNER_CLIENT_ID }}
|
||||
client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }}
|
||||
#This is the user region specified during the onboarding process within the ZPC Admin Portal.
|
||||
region : 'US'
|
||||
iac_dir : #Enter the IaC directory path from root.
|
||||
iac_file : #Enter the IaC file path from root.
|
||||
output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here.
|
||||
#To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true.
|
||||
fail_build : #Enter true/false
|
||||
#Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
|
||||
- name: Upload SARIF file
|
||||
if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}
|
||||
@@ -0,0 +1,61 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
#
|
||||
# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android)
|
||||
# and identifies security, privacy, and compliance-related vulnerabilities.
|
||||
#
|
||||
# Prerequisites:
|
||||
# * An active Zimperium zScan account is required. If you are not an existing Zimperium
|
||||
# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us.
|
||||
# * Either GitHub Advanced Security (GHAS) or a public repository is required to display
|
||||
# issues and view the remediation information inside of GitHub code scanning alerts.
|
||||
#
|
||||
# For additional information and setup instructions
|
||||
# please visit: https://github.com/Zimperium/zScanMarketplace#readme
|
||||
|
||||
name: "Zimperium zScan"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
zscan:
|
||||
name: zScan
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Execute gradle build
|
||||
run: ./gradlew build # Change this to build your mobile application
|
||||
|
||||
- name: Run Zimperium zScan
|
||||
uses: zimperium/zscanmarketplace@bfc6670f6648d796098c251ccefcfdb98983174d
|
||||
timeout-minutes: 60
|
||||
with:
|
||||
# REPLACE: Zimperium Client Environment Name
|
||||
client_env: env_string
|
||||
# REPLACE: Zimperium Client ID
|
||||
client_id: id_string
|
||||
# REPLACE: Zimperium Client Secret
|
||||
client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }}
|
||||
# REPLACE: The path to an .ipa or .apk
|
||||
app_file: app-release-unsigned.apk
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: Zimperium.sarif
|
||||
|
||||
@@ -21,8 +21,7 @@ name: Build and Deploy to ACK
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
branches: [ $default-branch ]
|
||||
|
||||
# Environment variables available to all jobs and steps in this workflow.
|
||||
env:
|
||||
|
||||
+1
-2
@@ -28,8 +28,7 @@ name: Deploy to Amazon ECS
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
branches: [ $default-branch ]
|
||||
|
||||
env:
|
||||
AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1
|
||||
|
||||
@@ -31,8 +31,7 @@ env:
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
branches: [ $default-branch ]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user