diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml
new file mode 100644
index 0000000..09c98c0
--- /dev/null
+++ b/ci/go-ossf-slsa3-publish.yml
@@ -0,0 +1,35 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you compile your Go project using a SLSA3 compliant builder.
+# This workflow will generate a so-called "provenance" file describing the steps
+# that were performed to generate the final binary.
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA Go releaser
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+permissions: read-all
+
+jobs:
+ build:
+ permissions:
+ id-token: write # To sign.
+ contents: write # To upload release assets.
+ actions: read # To read workflow path.
+ # If you need more configuration options, such as ldflag examples,
+ # visit https://github.com/slsa-framework/slsa-github-generator#golang-projects.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0
+ with:
+ # By default, the config file is .slsa-goreleaser.yml in the root directory.
+ # The format of the config file is described in
+ # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file.
+ go-version: 1.17
diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml
index 9aeb2b8..42eae27 100644
--- a/ci/gradle-publish.yml
+++ b/ci/gradle-publish.yml
@@ -30,14 +30,14 @@ jobs:
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Build with Gradle
- uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: build
# The USERNAME and TOKEN need to correspond to the credentials environment variables used in
# the publishing section of your build.gradle
- name: Publish to GitHub Packages
- uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: publish
env:
diff --git a/ci/gradle.yml b/ci/gradle.yml
index 4642c75..0c0f12c 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -29,6 +29,6 @@ jobs:
java-version: '11'
distribution: 'temurin'
- name: Build with Gradle
- uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: build
diff --git a/ci/properties/go-ossf-slsa3-publish.properties.json b/ci/properties/go-ossf-slsa3-publish.properties.json
new file mode 100644
index 0000000..2d58eaf
--- /dev/null
+++ b/ci/properties/go-ossf-slsa3-publish.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SLSA Go releaser",
+ "creator": "Open Source Security Foundation (OpenSSF)",
+ "description": "Compile your Go project using a SLSA3 compliant builder",
+ "iconName": "go-ossf-slsa3-publish",
+ "categories": ["Continuous integration", "Go"]
+}
diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml
new file mode 100644
index 0000000..61ffd7a
--- /dev/null
+++ b/code-scanning/contrast-scan.yml
@@ -0,0 +1,52 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github.
+# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action.
+# Contrast Scan currently supports Java, JavaScript and .NET artifacts.
+# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action
+
+# Pre-requisites:
+# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action.
+# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER.
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+name: Scan analyze workflow
+jobs:
+ build-and-scan:
+ permissions:
+ contents: read # for actions/checkout
+ security-events: write # for github/codeql-action/upload-sarif
+ runs-on: ubuntu-latest
+ # check out project
+ steps:
+ - uses: actions/checkout@v3
+ # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here.
+ # -name: Build Project
+ # ...
+ # Scan Artifact
+ - name: Contrast Scan Action
+ uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1
+ with:
+ artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact
+ apiKey: ${{ secrets.CONTRAST_API_KEY }}
+ orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
+ authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
+ #Upload the results to GitHub
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
diff --git a/code-scanning/properties/contrast-scan.properties.json b/code-scanning/properties/contrast-scan.properties.json
new file mode 100644
index 0000000..67369b8
--- /dev/null
+++ b/code-scanning/properties/contrast-scan.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Contrast Scan",
+ "creator": "Contrast Security Inc",
+ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerabilities to the repository.",
+ "iconName": "contrast",
+ "categories": ["Code Scanning", "java", "javascript", "dotnet"]
+}
\ No newline at end of file
diff --git a/icons/contrast.svg b/icons/contrast.svg
new file mode 100644
index 0000000..7680157
--- /dev/null
+++ b/icons/contrast.svg
@@ -0,0 +1,16 @@
+
+
+
diff --git a/icons/go-ossf-slsa3-publish.svg b/icons/go-ossf-slsa3-publish.svg
new file mode 100644
index 0000000..ea77468
--- /dev/null
+++ b/icons/go-ossf-slsa3-publish.svg
@@ -0,0 +1,11 @@
+
+