diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml new file mode 100644 index 0000000..91f4b2d --- /dev/null +++ b/code-scanning/phpmd.yml @@ -0,0 +1,56 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# PHPMD is a spin-off project of PHP Depend and +# aims to be a PHP equivalent of the well known Java tool PMD. +# What PHPMD does is: It takes a given PHP source code base +# and look for several potential problems within that source. +# These problems can be things like: +# Possible bugs +# Suboptimal code +# Overcomplicated expressions +# Unused parameters, methods, properties +# More details at https://phpmd.org/ + +name: PHPMD + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + PHPMD: + name: Run PHPMD scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup PHP + uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161 + with: + coverage: none + tools: phpmd + + - name: Run PHPMD + run: phpmd . sarif codesize --reportfile phpmd-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: phpmd-results.sarif + wait-for-processing: true diff --git a/code-scanning/properties/phpmd.properties.json b/code-scanning/properties/phpmd.properties.json new file mode 100644 index 0000000..bd95bf9 --- /dev/null +++ b/code-scanning/properties/phpmd.properties.json @@ -0,0 +1,6 @@ +{ + "name": "PHPMD", + "description": "A spin-off project of PHP Depend and aims to be a PHP equivalent of the well known Java tool PMD.", + "iconName": "phpmd", + "categories": [ "Code Scanning", "PHP" ] +} \ No newline at end of file diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 47f6c48..cf3b1b7 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -24,18 +24,22 @@ jobs: soos: permissions: security-events: write # for uploading code scanning alert info + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: SOOS DAST Scan runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 + uses: soos-io/soos-dast-github-action@b524e2cfbc4f4a5733153a7e624f569913f6c6e9 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} - project_name: ${{ github.repository }} # If you're going to use SARIF the project name should be on the form of `repoowner/reponame` or use the token github.repository + project_name: "" scan_mode: "baseline" target_url: "https://www.example.com/" - sarif: true # Only set to true if you want to upload the SARIF report to Github - gpat: ${{ secrets.SOOS_GITHUB_PAT }} + output_format: "sarif" + - name: Upload SOOS DAST SARIF Report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif diff --git a/icons/phpmd.svg b/icons/phpmd.svg new file mode 100644 index 0000000..7697766 --- /dev/null +++ b/icons/phpmd.svg @@ -0,0 +1,595 @@ + + + + + + + + +