Merge branch 'actions:main' into main

This commit is contained in:
Nagarjun Sanji
2025-12-01 16:18:07 +05:30
committed by GitHub
22 changed files with 505 additions and 64 deletions
+1 -1
View File
@@ -31,7 +31,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Bandit Scan
uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd
with: # optional arguments
# exit with 0, even with results found
exit_zero: true # optional, default is DEFAULT
@@ -0,0 +1,54 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines.
# For more information about configuring your workflow,
# read our documentation at https://github.com/blackduck-inc/black-duck-security-scan
name: CI Black Duck security scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
security-events: write
actions: read
steps:
- name: Checkout source
uses: actions/checkout@v4
- name: Black Duck SCA scan
uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
with:
### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ----------
blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }}
blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }}
### ---------- COVERITY SCANNING: REQUIRED FIELDS ----------
coverity_url: ${{ vars.COVERITY_URL }}
coverity_user: ${{ secrets.COVERITY_USER }}
coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
### ---------- POLARIS SCANNING: REQUIRED FIELDS ----------
polaris_server_url: ${{ vars.POLARIS_SERVER_URL }}
polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
polaris_assessment_types: "SCA,SAST"
### ---------- SRM SCANNING: REQUIRED FIELDS ----------
srm_url: ${{ vars.SRM_URL }}
srm_apikey: ${{ secrets.SRM_API_KEY }}
srm_assessment_types: "SCA,SAST"
+10 -3
View File
@@ -55,9 +55,15 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4
# Add any setup steps before running the `github/codeql-action/init` action.
# This includes steps like installing compilers or runtimes (`actions/setup-node`
# or others). This is typically only required for manual builds.
# - name: Setup runtime (example)
# uses: actions/setup-example@v1
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
@@ -74,7 +80,8 @@ jobs:
# to build your code.
# ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- if: matrix.build-mode == 'manual'
- name: Run manual build steps
if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
@@ -85,6 +92,6 @@ jobs:
exit 1
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{matrix.language}}"
+83 -38
View File
@@ -34,51 +34,96 @@ jobs:
actions: read
contents: read
security-events: write
# pull-requests: write # Required if DO_PR_COMMENT is set to true
steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v4
# Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner.
- name: Setup Java
uses: actions/setup-java@v4
with:
java-version: 17
distribution: 'temurin'
# Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then
# optionally export SAST results to the GitHub code scanning dashboard. In case further customization is
# Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
# configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
# job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
# The Fortify GitHub Action provides many customization capabilities, but in case further customization is
# required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
# and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for
# details.
- name: Run FoD SAST Scan
uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418
# and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
# documentation at https://github.com/fortify/github-action#readme for more information on the various
# configuration options and available sub-actions.
- name: Run Fortify Scan
# Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
# uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases
# are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
# required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
# of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297
with:
sast-scan: true
sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
# is disabled). For SSC, run a Debricked scan and import results into SSC.
env:
### Required configuration when integrating with Fortify on Demand
FOD_URL: https://ams.fortify.com
FOD_TENANT: ${{secrets.FOD_TENANT}}
FOD_USER: ${{secrets.FOD_USER}}
#############################################################
##### Fortify on Demand configuration
##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
### Required configuration
FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
FOD_PASSWORD: ${{secrets.FOD_PAT}}
### Optional configuration when integrating with Fortify on Demand
# EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if
# Debricked SCA scan is enabled on Fortify on Demand
# EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>; may
# replace app+release name with numeric release ID
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
# SSC_URL: ${{secrets.SSC_URL}} # SSC URL
# SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken
# SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token
# SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan;
# usually defined as organization or repo variable
### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
# EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
# SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: <org>/<repo>:<branch>
# EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
# FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
# FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
### Optional configuration
# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>
# DO_SETUP: true # Setup FoD application, release & static scan configuration
# SETUP_ACTION: <URL or file> # Customize setup action
# Pass extra options to setup action:
# SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
# PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
# FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
# DO_JOB_SUMMARY: true # Generate workflow job summary
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
# EXPORT_ACTION: <URL or file> # Customize export action
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
#############################################################
##### Fortify Hosted / Software Security Center & ScanCentral
##### Remove this section if you're integrating with Fortify on Demand (see above)
### Required configuration
SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret
SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets
SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
### Optional configuration
# SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
# SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
# SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch>
# DO_SETUP: true # Set up SSC application & version
# SETUP_ACTION: <URL or file> # Customize setup action
# SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
# PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options
# EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
# DO_JOB_SUMMARY: true # Generate workflow job summary
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
# EXPORT_ACTION: <URL or file> # Customize export action
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
+1 -1
View File
@@ -60,7 +60,7 @@ jobs:
# Upload SARIF file as an Artifact to download and view
# - name: Upload SARIF as an Artifact
# uses: actions/upload-artifact@v3
# uses: actions/upload-artifact@v4
# with:
# name: sarif-file
# path: ${{ steps.run-analysis.outputs.sarif }}
@@ -0,0 +1,22 @@
{
"name": "Black Duck Security Scan Workflow",
"creator": "Black Duck Software, Inc.",
"description": "The Black Duck Security Scan GitHub Action allows you to configure your pipeline to run Black Duck Security Scan and take action on the security results",
"iconName": "black-duck",
"categories": [
"Code Scanning",
"C",
"C++",
"C#",
"Go",
"Java",
"JavaScript",
"Ruby",
"PHP",
"Swift",
"Kotlin",
"Python",
"VB.NET",
"Objective C"
]
}
+8 -3
View File
@@ -21,6 +21,8 @@ jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
# `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
@@ -32,12 +34,12 @@ jobs:
steps:
- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
with:
results_file: results.sarif
results_format: sarif
@@ -56,10 +58,13 @@ jobs:
# of the value entered here.
publish_results: true
# (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
# file_mode: git
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: SARIF file
path: results.sarif
+13 -3
View File
@@ -36,15 +36,25 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Run SOOS DAST Analysis
uses: soos-io/soos-dast-github-action@65d9878d77c8993f3db9e86a92bc2ad3a6e060af
uses: soos-io/soos-dast-github-action@a7eb40b94c1c81eb76b178ba1befdc21823f86fa
with:
client_id: ${{ secrets.SOOS_CLIENT_ID }}
api_key: ${{ secrets.SOOS_API_KEY }}
project_name: "<YOUR-PROJECT-NAME>"
scan_mode: "baseline"
target_url: "https://www.example.com/"
output_format: "sarif"
export_format: "Sarif"
export_file_type: "Json"
- name: Find and rename SARIF file since it is unique
run: |
file=$(find . -name "*.sarif.json" | head -n 1)
if [ -n "$file" ]; then
mv "$file" output.sarif.json
echo "Renamed $file to output.sarif.json"
else
echo "No SARIF file found" && exit 1
fi
- name: Upload SOOS DAST SARIF Report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
sarif_file: output.sarif.json
+1 -1
View File
@@ -87,7 +87,7 @@ jobs:
license: ${{ secrets.XANITIZER_LICENSE }}
# Archiving the findings list reports
- uses: actions/upload-artifact@v3
- uses: actions/upload-artifact@v4
with:
name: Xanitizer-Reports
path: |