diff --git a/CODEOWNERS b/CODEOWNERS index 8866d17..91153de 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,3 +1,3 @@ * @actions/starter-workflows -/code-scanning/ @actions/advanced-security-code-scanning +/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows diff --git a/automation/greetings.yml b/automation/greetings.yml index ee1cb11..18ba13f 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -1,6 +1,6 @@ name: Greetings -on: [pull_request, issues] +on: [pull_request_target, issues] jobs: greeting: diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 7b6add3..a9fd4b3 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605 with: - cosign-release: 'v1.4.0' + cosign-release: 'v1.7.1' # Workaround: https://github.com/docker/build-push-action/issues/461 @@ -72,7 +72,7 @@ jobs: # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a with: context: . push: ${{ github.event_name != 'pull_request' }} diff --git a/ci/go.yml b/ci/go.yml index 6f498a6..bb3ec96 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -16,7 +16,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.17 + go-version: 1.18 - name: Build run: go build -v ./... diff --git a/ci/ios.yml b/ci/ios.yml index 5cec5e7..693a7d5 100644 --- a/ci/ios.yml +++ b/ci/ios.yml @@ -26,7 +26,7 @@ jobs: platform: ${{ 'iOS Simulator' }} run: | # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959) - device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'` + device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"` if [ $scheme = default ]; then scheme=$(cat default); fi if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` @@ -37,7 +37,7 @@ jobs: platform: ${{ 'iOS Simulator' }} run: | # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959) - device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'` + device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"` if [ $scheme = default ]; then scheme=$(cat default); fi if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` diff --git a/ci/properties/rubyonrails.properties.json b/ci/properties/rubyonrails.properties.json index 49b29a4..7a2c18a 100644 --- a/ci/properties/rubyonrails.properties.json +++ b/ci/properties/rubyonrails.properties.json @@ -1,5 +1,5 @@ { - "name": "Ruby on Rails continuous integration", + "name": "Ruby on Rails", "description": "Build, lint, and test a Rails application", "iconName": "rails", "categories": ["Continuous integration", "Ruby", "Rails"] diff --git a/ci/ruby.yml b/ci/ruby.yml index 256aa14..81ea363 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e + uses: ruby/setup-ruby@2b019609e2b0f1ea1a2bc8ca11cb82ab46ada124 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml new file mode 100644 index 0000000..2e4ab3c --- /dev/null +++ b/code-scanning/clj-watson.yml @@ -0,0 +1,53 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# clj-watson scans dependencies in a clojure deps.edn +# seeking for vulnerable direct/transitive dependencies and +# build a report with all the information needed to help you +# understand how the vulnerability manifest in your software. +# More details at https://github.com/clj-holmes/clj-watson + +name: clj-watson + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + clj-holmes: + name: Run clj-watson scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Dependency scan + uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c + with: + clj-watson-sha: "65d928c" + clj-watson-tag: "v4.0.1" + database-strategy: github-advisory + aliases: clojure-lsp,test + deps-edn-path: deps.edn + suggest-fix: true + output-type: sarif + output-file: clj-watson-results.sarif + fail-on-result: false + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{github.workspace}}/clj-watson-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 37109ab..0e57f4b 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -34,7 +34,7 @@ jobs: matrix: language: [ $detected-codeql-languages ] # CodeQL supports [ $supported-codeql-languages ] - # Learn more about CodeQL language support at https://git.io/codeql-language-support + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - name: Checkout repository @@ -56,7 +56,7 @@ jobs: uses: github/codeql-action/autobuild@v2 # ℹ️ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines # and modify them (or add more) to build your code if your project diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml new file mode 100644 index 0000000..0e72a00 --- /dev/null +++ b/code-scanning/dependency-review.yml @@ -0,0 +1,20 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v3 + - name: 'Dependency Review' + uses: actions/dependency-review-action@v1 diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml new file mode 100644 index 0000000..9067a7d --- /dev/null +++ b/code-scanning/eslint.yml @@ -0,0 +1,49 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# ESLint is a tool for identifying and reporting on patterns +# found in ECMAScript/JavaScript code. +# More details at https://github.com/eslint/eslint +# and https://eslint.org + +name: ESLint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + eslint: + name: Run eslint scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Install ESLint + run: | + npm install eslint@8.10.0 + npm install @microsoft/eslint-formatter-sarif@2.1.7 + + - name: Run ESLint + run: npx eslint . + --config .eslintrc.js + --ext .js,.jsx,.ts,.tsx + --format @microsoft/eslint-formatter-sarif + --output-file eslint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: eslint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml new file mode 100644 index 0000000..e24e14a --- /dev/null +++ b/code-scanning/neuralegion.yml @@ -0,0 +1,175 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Run a Nexploit Scan +# This action runs a new security scan in Nexploit, or reruns an existing one. +# Build Secure Apps & APIs. Fast. +# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love. +# Automatically Tests Every Aspect of Your Apps & APIs +# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports +# Seamlessly integrates with the Tools and Workflows You Already Use +# +# NeuraLegion works with your existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing. +# Spin-Up, Configure and Control Scans with Code +# One file. One command. One scan. No UI needed. +# +# Super-Fast Scans +# +# Interacts with applications and APIs, instead of just crawling them and guessing. +# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks. +# +# No False Positives +# +# Stop chasing ghosts and wasting time. NeuraLegion doesn’t return false positives, so you can focus on releasing code. +# +# Comprehensive Security Testing +# +# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities. +# +# More information is available on NeuraLegion’s: +# * [Website](https://www.neuralegion.com/) +# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart) +# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw) +# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+) +# +# Inputs +# +# `name` +# +# **Required**. Scan name. +# +# _Example:_ `name: GitHub scan ${{ github.sha }}` +# +# `api_token` +# +# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens). +# +# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}` +# +# `restart_scan` +# +# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. +# +# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)` +# +# `discovery_types` +# +# **Required**. Array of discovery types. The following types are available: +# * `archive` - uses an uploaded HAR-file for a scan +# * `crawler` - uses a crawler to define the attack surface for a scan +# * `oas` - uses an uploaded OpenAPI schema for a scan
+# If no discovery type is specified, `crawler` is applied by default. +# +# _Example:_ +# +# ```yml +# discovery_types: | +# [ "crawler", "archive" ] +# ``` +# +# `file_id` +# +# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login). +# +# _Example:_ +# +# ``` +# FILE_ID=$(nexploit-cli archive:upload \ +# --token ${{ secrets.NEXPLOIT_TOKEN }} \ +# --discard true \ +# ./example.har) +# ``` +# +# `crawler_urls` +# +# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface. +# +# _Example:_ +# +# ``` +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# ``` +# +# `hosts_filter` +# +# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. +# +# Outputs +# +# `url` +# +# Url of the resulting scan +# +# `id` +# +# ID of the created scan. This ID could then be used to restart the scan, or for the following GitHub actions: +# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues) +# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan) +# +# Example usage +# +# Start a new scan with parameters +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# discovery_types: | +# [ "crawler", "archive" ] +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# file_id: LiYknMYSdbSZbqgMaC9Sj +# hosts_filter: | +# [ ] +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" +# ``` +# +# Restart an existing scan +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" + + +name: "NeuraLegion" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + neuralegion_scan: + runs-on: ubuntu-18.04 + name: A job to run a Nexploit scan + steps: + - uses: actions/checkout@v2 + - name: Start Nexploit Scan 🏁 + id: start + uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe + with: + api_token: ${{ secrets.NEURALEGION_TOKEN }} + name: GitHub scan ${{ github.sha }} + discovery_types: | + [ "crawler" ] + crawler_urls: | + [ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 0bc512c..a1e32c4 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -13,8 +13,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: pmd-code-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/properties/clj-watson.properties.json b/code-scanning/properties/clj-watson.properties.json new file mode 100644 index 0000000..966314a --- /dev/null +++ b/code-scanning/properties/clj-watson.properties.json @@ -0,0 +1,9 @@ +{ + "name": "clj-watson", + "description": "Scan Clojure/Clojurescript projects for vulnerable direct/transitive dependencies.", + "iconName": "clj-watson", + "categories": [ + "Code Scanning", + "Clojure" + ] +} diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json new file mode 100644 index 0000000..c195c73 --- /dev/null +++ b/code-scanning/properties/dependency-review.properties.json @@ -0,0 +1,16 @@ +{ + "name": "Dependency Review", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository", + "iconName": "octicon mark-github", + "categories": [ + "Dependency review", + "Dependency graph", + "Go", + "Java", + "JavaScript", + "TypeScript", + "Python", + "Ruby", + "Actions", + "PHP"] +} diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json new file mode 100644 index 0000000..a84646a --- /dev/null +++ b/code-scanning/properties/eslint.properties.json @@ -0,0 +1,11 @@ +{ + "name": "ESLint", + "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.", + "iconName": "eslint", + "categories": [ + "Code Scanning", + "JavaScript", + "EcmaScript", + "TypeScript" + ] +} \ No newline at end of file diff --git a/code-scanning/properties/neuralegion.properties.json b/code-scanning/properties/neuralegion.properties.json new file mode 100644 index 0000000..ee64a52 --- /dev/null +++ b/code-scanning/properties/neuralegion.properties.json @@ -0,0 +1,24 @@ +{ + "name": "NeuraLegion", + "creator": "NeuraLegion", + "description": "Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports", + "iconName": "neuralegion", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json new file mode 100644 index 0000000..4737786 --- /dev/null +++ b/code-scanning/properties/rust-clippy.properties.json @@ -0,0 +1,9 @@ +{ + "name": "rust-clippy", + "description": "A collection of lints to catch common mistakes and improve your Rust code.", + "iconName": "rust", + "categories": [ + "Code Scanning", + "rust" + ] +} diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json deleted file mode 100644 index 1cb36c9..0000000 --- a/code-scanning/properties/shiftleft.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Scan", - "creator": "ShiftLeft", - "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.", - "iconName": "shiftleft", - "categories": ["Code Scanning"] -} \ No newline at end of file diff --git a/code-scanning/properties/sobelow.properties.json b/code-scanning/properties/sobelow.properties.json new file mode 100644 index 0000000..163e866 --- /dev/null +++ b/code-scanning/properties/sobelow.properties.json @@ -0,0 +1,11 @@ +{ + "name": "Sobelow", + "creator": "nccgroup", + "description": "Sobelow is a security-focused static analysis tool for the Phoenix framework.", + "iconName": "sobelow", + "categories": [ + "Code Scanning", + "Elixir" + ] + } + \ No newline at end of file diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json new file mode 100644 index 0000000..9b88a78 --- /dev/null +++ b/code-scanning/properties/sonarcloud.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SonarCloud", + "creator": "Sonar", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!", + "iconName": "sonarcloud", + "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] +} diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml new file mode 100644 index 0000000..e9c426a --- /dev/null +++ b/code-scanning/rust-clippy.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# rust-clippy is a tool that runs a bunch of lints to catch common +# mistakes in your Rust code and help improve your Rust code. +# More details at https://github.com/rust-lang/rust-clippy +# and https://rust-lang.github.io/rust-clippy/ + +name: rust-clippy analyze + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + rust-clippy-analyze: + name: Run rust-clippy analyzing + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Install Rust toolchain + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1 + with: + profile: minimal + toolchain: stable + components: clippy + override: true + + - name: Install required cargo + run: cargo install clippy-sarif sarif-fmt + + - name: Run rust-clippy + run: + cargo clippy + --all-features + --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: rust-clippy-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml deleted file mode 100644 index b042670..0000000 --- a/code-scanning/shiftleft.yml +++ /dev/null @@ -1,47 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow integrates Scan with GitHub's code scanning feature -# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft -# Visit https://slscan.io/en/latest/integrations/code-scan for help -name: SL Scan - -on: - push: - branches: [ $default-branch, $protected-branches ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ $default-branch ] - schedule: - - cron: $cron-weekly - -jobs: - Scan-Build: - # Scan runs on ubuntu, mac and windows - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - # Instructions - # 1. Setup JDK, Node.js, Python etc depending on your project type - # 2. Compile or build the project before invoking scan - # Example: mvn compile, or npm install or pip install goes here - # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url - - - name: Perform Scan - uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64 - env: - WORKSPACE: "" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SCAN_AUTO_BUILD: true - with: - output: reports - # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type - # type: credscan,java - # type: python - - - name: Upload report - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: reports diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml new file mode 100644 index 0000000..21cb6e7 --- /dev/null +++ b/code-scanning/sobelow.yml @@ -0,0 +1,40 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/ +# +# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. +# +# Instructions: +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. +name: Sobelow + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - id: run-action + uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 + - name: Upload report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml new file mode 100644 index 0000000..ff388c8 --- /dev/null +++ b/code-scanning/sonarcloud.yml @@ -0,0 +1,68 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow helps you trigger a SonarCloud analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. +# Free for open source project. + +# 1. Login to SonarCloud.io using your GitHub account + +# 2. Import your project on SonarCloud +# * Add your GitHub organization first, then add your repository as a new project. +# * Please note that many languages are eligible for automatic analysis, +# which means that the analysis will start automatically without the need to set up GitHub Actions. +# * This behavior can be changed in Administration > Analysis Method. +# +# 3. Follow the SonarCloud in-product tutorial +# * a. Copy/paste the Project Key and the Organization Key into the args parameter below +# (You'll find this information in SonarCloud. Click on "Information" at the bottom left) +# +# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarCloud, click on your avatar on top-right > My account > Security +# or go directly to https://sonarcloud.io/account/security/) + +# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) + +name: SonarCloud analysis + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + workflow_dispatch: + +permissions: + pull-requests: read # allows SonarCloud to decorate PRs with analysis results + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + - name: Analyze with SonarCloud + + # You can pin the exact commit or the version. + # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the sonarcloud scanner + args: + # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) + # mandatory + -Dsonar.projectKey= + -Dsonar.organization= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + #-Dsonar.projectBaseDir= # optional, default is . + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 841a2fd..d7c27d9 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -40,6 +40,9 @@ env: ACR_EE_IMAGE: repo ACR_EE_TAG: ${{ github.sha }} +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/deployments/aws.yml b/deployments/aws.yml index fe5e076..47253bf 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -41,6 +41,9 @@ env: CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the # containerDefinitions section of your task definition +permissions: + contents: read + jobs: deploy: name: Deploy diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 948e7db..510abcd 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm. # Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration. @@ -48,12 +48,10 @@ env: CHART_OVERRIDE_PATH: "your-chart-override-path" jobs: - build: + buildImage: permissions: - actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -72,6 +70,20 @@ jobs: run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + createSecret: + permissions: + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -85,7 +97,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -96,7 +110,30 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Helm to create manifest files - name: Bake deployment @@ -112,11 +149,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 7c25319..0cf23ba 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose. # Set your dockerComposeFile and kompose-version to suit your configuration. @@ -40,12 +40,10 @@ env: DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path" jobs: - build: + buildImage: permissions: - actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -63,7 +61,21 @@ jobs: - name: Build and push image to ACR run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - + + createSecret: + permissions: + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -77,7 +89,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -88,7 +102,33 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Kompose to create manifest files - name: Bake deployment @@ -101,11 +141,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index f6928d0..14469db 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize. # Set your kustomizationPath and kubectl-version to suit your configuration. @@ -46,12 +46,10 @@ env: KUSTOMIZE_PATH: "your-kustomize-path" jobs: - build: + buildImage: permissions: - actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -69,6 +67,23 @@ jobs: - name: Build and push image to ACR run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + createSecret: + permissions: + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context @@ -83,7 +98,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -94,7 +111,33 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Kustomize to create manifest files - name: Bake deployment @@ -107,11 +150,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index bb513d4..d04a2ac 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -8,8 +8,7 @@ # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID @@ -19,7 +18,7 @@ # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) # - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment) # # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions @@ -43,12 +42,10 @@ env: DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path' jobs: - build: + buildImage: permissions: - actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -67,6 +64,20 @@ jobs: run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + createSecret: + permissions: + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -80,7 +91,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -93,13 +106,39 @@ jobs: container-registry-password: ${{ steps.get-acr-creds.outputs.password }} secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + # Deploys application based on given manifest file - name: Deploys application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 2bf2a68..4e9e9f6 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -27,6 +27,9 @@ env: TKE_CLUSTER_ID: cls-mywebapp DEPLOYMENT_NAME: tke-test +permissions: + contents: read + jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 96e44e0..53efe48 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -50,6 +50,9 @@ on: - $default-branch pull_request: +permissions: + contents: read + jobs: terraform: name: 'Terraform' @@ -82,10 +85,10 @@ jobs: # Generates an execution plan for Terraform - name: Terraform Plan - run: terraform plan + run: terraform plan -input=false # On push to $default-branch, build or change infrastructure according to Terraform configuration files # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks - name: Terraform Apply if: github.ref == 'refs/heads/$default-branch' && github.event_name == 'push' - run: terraform apply -auto-approve + run: terraform apply -auto-approve -input=false diff --git a/icons/clj-watson.svg b/icons/clj-watson.svg new file mode 100644 index 0000000..74459e5 --- /dev/null +++ b/icons/clj-watson.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/icons/eslint.svg b/icons/eslint.svg new file mode 100644 index 0000000..23964aa --- /dev/null +++ b/icons/eslint.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/icons/neuralegion.svg b/icons/neuralegion.svg new file mode 100644 index 0000000..0534225 --- /dev/null +++ b/icons/neuralegion.svg @@ -0,0 +1,57 @@ + + + + + + + + + NeuraLegion Logo + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg deleted file mode 100644 index f8e944a..0000000 --- a/icons/shiftleft.svg +++ /dev/null @@ -1,6 +0,0 @@ - - - - - - diff --git a/icons/sobelow.svg b/icons/sobelow.svg new file mode 100644 index 0000000..4d243ea --- /dev/null +++ b/icons/sobelow.svg @@ -0,0 +1,20 @@ + + + + + + + + diff --git a/icons/sonarcloud.svg b/icons/sonarcloud.svg new file mode 100644 index 0000000..5f946d2 --- /dev/null +++ b/icons/sonarcloud.svg @@ -0,0 +1,20 @@ + + + + +SonarCloud icon + + + + diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index ce89e36..ef8ee60 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -9,6 +9,7 @@ "Continuous integration", "Deployment", "Code Scanning", + "Dependency review", "Automation" ] -} \ No newline at end of file +}