From 63beace25d14ca0b8918b467dbfe7bc0f3281742 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:16:12 +0530 Subject: [PATCH 01/60] added github_token permission --- deployments/terraform.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 589f1f3..b7cbc3a 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -50,6 +50,9 @@ on: - $default-branch pull_request: +permissions: + contents: read + jobs: terraform: name: 'Terraform' From fd8ffb3d9c4336e2e4584baebffce4196086e794 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:01:38 +0530 Subject: [PATCH 02/60] Update aws.yml --- deployments/aws.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/aws.yml b/deployments/aws.yml index dab851f..65f445f 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -41,6 +41,9 @@ env: CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the # containerDefinitions section of your task definition +permissions: + contents: read + jobs: deploy: name: Deploy From 8bcdd73aa893896b02a33bf844682a4a632c099a Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Tue, 15 Feb 2022 13:36:24 +0530 Subject: [PATCH 03/60] added github_token permission --- deployments/alibabacloud.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index ded9178..c783305 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -40,6 +40,9 @@ env: ACR_EE_IMAGE: repo ACR_EE_TAG: ${{ github.sha }} +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest From 8c75e2d11fd9040bc7a3492d7bcfcb4c92a194d7 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Thu, 17 Feb 2022 08:57:59 +0530 Subject: [PATCH 04/60] Update pmd.yml --- code-scanning/pmd.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 0604734..cf4b01d 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -13,8 +13,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: pmd-code-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From 0b1f2442e511ac2e36f9c551899079d28f0fade5 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 14:58:57 +0100 Subject: [PATCH 05/60] Create sonarcloud.yml --- code-scanning/sonarcloud.yml | 51 ++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 code-scanning/sonarcloud.yml diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml new file mode 100644 index 0000000..d15db93 --- /dev/null +++ b/code-scanning/sonarcloud.yml @@ -0,0 +1,51 @@ +This workflow helps you trigger a SonarCloud analysis of your code. +name: SonarCloud analysis + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + + workflow_dispatch: + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + + - name: Analyze with SonarCloud + + # 1. Import your project to SonarCloud. + # 2. Import it on SonarCloud + # * Open sonarcloud.io, connect with your GitHub account and add your GitHub organization and your repository as a new project. + # * Please note that your project might be ready for AutoScan which means that it will be analysed without the need for GitHub Actions (it will be built automatically). + # * This behavior can be changed in Administration > Analysis Method. + # + # 3. Copy/paste the Projet Key and the Organization Key in the args below + # * On SonarCloud, click on Information at the bottom left + # 4. Generate a new token and add it to your Github's repository Secrets as SONAR_TOKEN + # * On SonarCloud, click on your avatar on top-right > My account > Security + + # You may pin to the exact commit or the version. + # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + uses: SonarSource/sonarcloud-github-action@v1.6 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments to the sonarcloud scanner + args: > + # Set the sonar.projectBaseDir analysis property + projectBaseDir: . # optional, default is . + # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) + -Dsonar.projectKey= # mandatory + # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu) + -Dsonar.organization= # mandatory + # Comma-separated paths to directories containing main source files. + -Dsonar.sources= # optional, default is project base directory + # Comma-separated paths to directories containing test source files. + -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + -Dsonar.verbose= # optional, default is false From b80e458c6205c8b77c2a7bd419be52d6a82fc64f Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:29:12 +0100 Subject: [PATCH 06/60] Added documentation links --- code-scanning/sonarcloud.yml | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index d15db93..387f34c 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,4 +1,19 @@ -This workflow helps you trigger a SonarCloud analysis of your code. +# This workflow helps you trigger a SonarCloud analysis of your code. + +# 1. Login to SonarCloud.io using your GitHub account +# 2. Import your project on SonarCloud +# * Add your GitHub organization first, then add your repository as a new project. +# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically). +# * This behavior can be changed in Administration > Analysis Method. +# +# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below +# * You'll find those info on SonarCloud. Click on "Information" at the bottom left +# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN +# * On SonarCloud, click on your avatar on top-right > My account > Security + +# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) + name: SonarCloud analysis on: @@ -15,18 +30,7 @@ jobs: steps: - - name: Analyze with SonarCloud - - # 1. Import your project to SonarCloud. - # 2. Import it on SonarCloud - # * Open sonarcloud.io, connect with your GitHub account and add your GitHub organization and your repository as a new project. - # * Please note that your project might be ready for AutoScan which means that it will be analysed without the need for GitHub Actions (it will be built automatically). - # * This behavior can be changed in Administration > Analysis Method. - # - # 3. Copy/paste the Projet Key and the Organization Key in the args below - # * On SonarCloud, click on Information at the bottom left - # 4. Generate a new token and add it to your Github's repository Secrets as SONAR_TOKEN - # * On SonarCloud, click on your avatar on top-right > My account > Security + - name: Analyze with SonarCloud # You may pin to the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 @@ -36,15 +40,15 @@ jobs: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments to the sonarcloud scanner - args: > - # Set the sonar.projectBaseDir analysis property - projectBaseDir: . # optional, default is . + args: # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.projectKey= # mandatory # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.organization= # mandatory # Comma-separated paths to directories containing main source files. -Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + -Dsonar.projectBaseDir= # optional, default is . # Comma-separated paths to directories containing test source files. -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. From c5a70f040535fbdb74601570225b59bc8516a3b7 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:29:42 +0100 Subject: [PATCH 07/60] Removed extra spaces --- code-scanning/sonarcloud.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 387f34c..3441617 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -21,15 +21,13 @@ on: branches: [ master ] pull_request: branches: [ master ] - workflow_dispatch: jobs: Analysis: runs-on: ubuntu-latest - + steps: - - name: Analyze with SonarCloud # You may pin to the exact commit or the version. From 429537d3207f07a271ed289b60a664da53be9b86 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:36:07 +0100 Subject: [PATCH 08/60] Added workflow variables for branches --- code-scanning/sonarcloud.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 3441617..97f364d 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -18,9 +18,9 @@ name: SonarCloud analysis on: push: - branches: [ master ] + branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ master ] + branches: [ $default-branch ] workflow_dispatch: jobs: From b48f15df6228157c0181ee9fdca8f52f091a3703 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:36:37 +0100 Subject: [PATCH 09/60] Added space between paragraph --- code-scanning/sonarcloud.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 97f364d..0b58f05 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,6 +1,7 @@ # This workflow helps you trigger a SonarCloud analysis of your code. # 1. Login to SonarCloud.io using your GitHub account + # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. # * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically). @@ -8,6 +9,7 @@ # # 3. Copy/paste the Projet Key and the Organization Key in the args parameter below # * You'll find those info on SonarCloud. Click on "Information" at the bottom left + # 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN # * On SonarCloud, click on your avatar on top-right > My account > Security From fb2b1099ec558e4666229e557860eb8a8dd58ac7 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:39:07 +0100 Subject: [PATCH 10/60] Fixed intro text --- code-scanning/sonarcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 0b58f05..c4ab0e4 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,4 +1,4 @@ -# This workflow helps you trigger a SonarCloud analysis of your code. +# This workflow helps you trigger a SonarCloud analysis of your code and populates GitHub Code Scanning alerts with the vulnerabilities found. # 1. Login to SonarCloud.io using your GitHub account From f6596c95685b9d20a9cd83bf0d9df24153043b69 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 09:41:26 +0100 Subject: [PATCH 11/60] Update sonarcloud.yml --- code-scanning/sonarcloud.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index c4ab0e4..084feca 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -4,14 +4,15 @@ # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. -# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically). +# * Please note that many languages are eligible for automatic analysis, which means that the analysis will start automatically without the need to set up GitHub Actions. # * This behavior can be changed in Administration > Analysis Method. # -# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below -# * You'll find those info on SonarCloud. Click on "Information" at the bottom left - -# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN -# * On SonarCloud, click on your avatar on top-right > My account > Security +# 3. Follow the SonarCloud's online tutorial +# * a. Copy/paste the Projet Key and the Organization Key in the args parameter below +# (You'll find those info on SonarCloud. Click on "Information" at the bottom left) +# +# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN +# (On SonarCloud, click on your avatar on top-right > My account > Security) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) # or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) From 8fd84d60c85e501ce9d34a7c694fda9f3822daab Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 09:42:52 +0100 Subject: [PATCH 12/60] Create sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 1 + 1 file changed, 1 insertion(+) create mode 100644 code-scanning/properties/sonarcloud.properties.json diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/code-scanning/properties/sonarcloud.properties.json @@ -0,0 +1 @@ + From 6f8fa063712f344fab4c84487b2c885fca2f61a3 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 09:45:15 +0100 Subject: [PATCH 13/60] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 8b13789..88e2dbf 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1 +1,7 @@ - +{ + "name": "SonarCloud Security Scan", + "creator": "SonarSource", + "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.", + "iconName": "sonarcloud", + "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"] +} From c944a105460e766a441f6bc07dc9f798bbb4bc1c Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 17:15:34 +0100 Subject: [PATCH 14/60] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 88e2dbf..428d899 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1,7 +1,7 @@ { - "name": "SonarCloud Security Scan", - "creator": "SonarSource", - "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.", + "name": "SonarCloud", + "creator": "Sonar", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Free for open source projects", "iconName": "sonarcloud", - "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"] + "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } From d955f56f6791a99e9264a41707cd43f1ff228d67 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 17:17:43 +0100 Subject: [PATCH 15/60] Add files via upload --- icons/sonarcloud.svg | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 icons/sonarcloud.svg diff --git a/icons/sonarcloud.svg b/icons/sonarcloud.svg new file mode 100644 index 0000000..5f946d2 --- /dev/null +++ b/icons/sonarcloud.svg @@ -0,0 +1,20 @@ + + + + +SonarCloud icon + + + + From 3b2d5d9c43c2889e9aaed43da59a7332ee5e51b7 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 17 Mar 2022 18:07:03 +0100 Subject: [PATCH 16/60] Added small fixes --- code-scanning/sonarcloud.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 084feca..d627b96 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -13,6 +13,7 @@ # # * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN # (On SonarCloud, click on your avatar on top-right > My account > Security) +# (or go directly to https://sonarcloud.io/account/security/) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) # or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) @@ -44,13 +45,13 @@ jobs: args: # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.projectKey= # mandatory - # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu) + # Unique organization key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.organization= # mandatory # Comma-separated paths to directories containing main source files. - -Dsonar.sources= # optional, default is project base directory + #-Dsonar.sources= # optional, default is project base directory # When you need the analysis to take place in a directory other than the one from which it was launched - -Dsonar.projectBaseDir= # optional, default is . + #-Dsonar.projectBaseDir= # optional, default is . # Comma-separated paths to directories containing test source files. - -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ - # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - -Dsonar.verbose= # optional, default is false + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false From 75a7f2983bbe23e5ab84449c61053dfc20206b74 Mon Sep 17 00:00:00 2001 From: Peeter Piegaze <61758048+peeter-piegaze-sonarsource@users.noreply.github.com> Date: Fri, 18 Mar 2022 11:13:00 +0100 Subject: [PATCH 17/60] Update sonarcloud.yml Fix phrasing/word-choice --- code-scanning/sonarcloud.yml | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index d627b96..69eac6a 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,19 +1,21 @@ -# This workflow helps you trigger a SonarCloud analysis of your code and populates GitHub Code Scanning alerts with the vulnerabilities found. +# This workflow helps you trigger a SonarCloud analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. # 1. Login to SonarCloud.io using your GitHub account # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. -# * Please note that many languages are eligible for automatic analysis, which means that the analysis will start automatically without the need to set up GitHub Actions. +# * Please note that many languages are eligible for automatic analysis, +# which means that the analysis will start automatically without the need to set up GitHub Actions. # * This behavior can be changed in Administration > Analysis Method. # -# 3. Follow the SonarCloud's online tutorial -# * a. Copy/paste the Projet Key and the Organization Key in the args parameter below -# (You'll find those info on SonarCloud. Click on "Information" at the bottom left) +# 3. Follow the SonarCloud in-product tutorial +# * a. Copy/paste the Project Key and the Organization Key into the args parameter below +# (You'll find this information in SonarCloud. Click on "Information" at the bottom left) # -# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN -# (On SonarCloud, click on your avatar on top-right > My account > Security) -# (or go directly to https://sonarcloud.io/account/security/) +# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarCloud, click on your avatar on top-right > My account > Security +# or go directly to https://sonarcloud.io/account/security/) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) # or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) @@ -34,14 +36,14 @@ jobs: steps: - name: Analyze with SonarCloud - # You may pin to the exact commit or the version. + # You can pin the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 uses: SonarSource/sonarcloud-github-action@v1.6 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: - # Additional arguments to the sonarcloud scanner + # Additional arguments for the sonarcloud scanner args: # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.projectKey= # mandatory From 962b63852bcaf3eb7e38772047448700ada94d5f Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:56:24 +0530 Subject: [PATCH 18/60] Update alibabacloud.yml --- deployments/alibabacloud.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index ded9178..c783305 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -40,6 +40,9 @@ env: ACR_EE_IMAGE: repo ACR_EE_TAG: ${{ github.sha }} +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest From a1fe90c10dbf737fb1787b358028b5e33641dcc0 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:00:04 +0530 Subject: [PATCH 19/60] Update tencent.yml --- deployments/tencent.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 83bde94..165981a 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -27,6 +27,9 @@ env: TKE_CLUSTER_ID: cls-mywebapp DEPLOYMENT_NAME: tke-test +permissions: + contents: read + jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy From 9ab1bbfdcc4ce2235ab206d529853732f82c40d2 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Mon, 21 Mar 2022 10:08:04 +0100 Subject: [PATCH 20/60] Added Github disclaimer --- code-scanning/sonarcloud.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 69eac6a..d0cc73b 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + # This workflow helps you trigger a SonarCloud analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. From d8be55169b88f4cf8f90c7a7fe03f63244b2afb2 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 21 Mar 2022 11:40:07 -0700 Subject: [PATCH 21/60] add Security Gallery entry for new Dependency Review Action --- dependency-graph/dependency-review.yml | 11 +++++++++++ .../dependency-review.properties.json | 17 +++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 dependency-graph/dependency-review.yml create mode 100644 dependency-graph/properties/dependency-review.properties.json diff --git a/dependency-graph/dependency-review.yml b/dependency-graph/dependency-review.yml new file mode 100644 index 0000000..6e46018 --- /dev/null +++ b/dependency-graph/dependency-review.yml @@ -0,0 +1,11 @@ +name: 'Dependency Review' +on: [pull_request] + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v3 + - name: 'Dependency Review' + uses: github/dependency-review-action@main diff --git a/dependency-graph/properties/dependency-review.properties.json b/dependency-graph/properties/dependency-review.properties.json new file mode 100644 index 0000000..e8a14a1 --- /dev/null +++ b/dependency-graph/properties/dependency-review.properties.json @@ -0,0 +1,17 @@ +{ + "name": "Dependency Review", + "creator": "GitHub", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", + "iconName": "octicon mark-github", + "categories": [ + "Dependency Graph", + "Dependency Review", + "Go", + "Java", + "JavaScript", + "TypeScript", + "Python", + "Ruby", + "Actions", + "PHP"] +} From c5111ef87154111daba867bf116825b8848ad936 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Thu, 24 Mar 2022 13:09:18 -0700 Subject: [PATCH 22/60] update org the final, open-sourced DR Action will be hosted under for GA release --- dependency-graph/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-graph/dependency-review.yml b/dependency-graph/dependency-review.yml index 6e46018..8e94ea0 100644 --- a/dependency-graph/dependency-review.yml +++ b/dependency-graph/dependency-review.yml @@ -8,4 +8,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: github/dependency-review-action@main + uses: actions/dependency-review-action@main From 6537e55e9700a5fa61e5b5f612e4b1efb0251124 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 10:58:48 -0700 Subject: [PATCH 23/60] post-review: use default "creator" entry: "By GitHub" --- dependency-graph/properties/dependency-review.properties.json | 1 - 1 file changed, 1 deletion(-) diff --git a/dependency-graph/properties/dependency-review.properties.json b/dependency-graph/properties/dependency-review.properties.json index e8a14a1..3ccbf1f 100644 --- a/dependency-graph/properties/dependency-review.properties.json +++ b/dependency-graph/properties/dependency-review.properties.json @@ -1,6 +1,5 @@ { "name": "Dependency Review", - "creator": "GitHub", "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ From c3a21a83b2a61aa77fecbf9f85c70d6e6f2ad01a Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 13:33:59 -0700 Subject: [PATCH 24/60] post-review: move DR Action spec and props file into code-scanning/ dir tree temporarily, until maintainers refactor this to security/ --- {dependency-graph => code-scanning}/dependency-review.yml | 0 .../properties/dependency-review.properties.json | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {dependency-graph => code-scanning}/dependency-review.yml (100%) rename {dependency-graph => code-scanning}/properties/dependency-review.properties.json (100%) diff --git a/dependency-graph/dependency-review.yml b/code-scanning/dependency-review.yml similarity index 100% rename from dependency-graph/dependency-review.yml rename to code-scanning/dependency-review.yml diff --git a/dependency-graph/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json similarity index 100% rename from dependency-graph/properties/dependency-review.properties.json rename to code-scanning/properties/dependency-review.properties.json From 4aa004f885b18219244520462aa3b46af0146cd0 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 13:39:46 -0700 Subject: [PATCH 25/60] linter: add tags to props file appropriate for code-scanning/ entries (security gallery) --- code-scanning/properties/dependency-review.properties.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 3ccbf1f..3badf40 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,6 +3,8 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ + "Code Scanning", + "Automation", "Dependency Graph", "Dependency Review", "Go", From 5bd031f3071b0e3ef3c7d0cda4fdc064790c734f Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 16:50:23 -0700 Subject: [PATCH 26/60] add explanatory comments with links to DR security gallery workflow template file --- code-scanning/dependency-review.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 8e94ea0..c342269 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -1,3 +1,9 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement name: 'Dependency Review' on: [pull_request] From aee1a2083533d8f67f8f771a3671c3cba9de020a Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Mon, 28 Mar 2022 16:57:03 -0700 Subject: [PATCH 27/60] add tigher scoped repo perms to workflow run template file --- code-scanning/dependency-review.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index c342269..eb3a90b 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -7,6 +7,9 @@ name: 'Dependency Review' on: [pull_request] +permissions: + repo: read + jobs: dependency-review: runs-on: ubuntu-latest From cdc592d6034f2f17c52a825dd1b456e6e9e6f576 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Tue, 29 Mar 2022 08:52:08 -0700 Subject: [PATCH 28/60] update action version used in template to "v1" branch; set perms to "contents: read" --- code-scanning/dependency-review.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index eb3a90b..0e72a00 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -8,7 +8,7 @@ name: 'Dependency Review' on: [pull_request] permissions: - repo: read + contents: read jobs: dependency-review: @@ -17,4 +17,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@main + uses: actions/dependency-review-action@v1 From 1e0060ae0f820f0e350f84c656ca66e287005124 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 30 Mar 2022 10:27:25 +0200 Subject: [PATCH 29/60] Added mention to free plan --- code-scanning/sonarcloud.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index d0cc73b..bd6a3e1 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -5,6 +5,7 @@ # This workflow helps you trigger a SonarCloud analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. +# Free for open source project. # 1. Login to SonarCloud.io using your GitHub account From 3fc061974d6849a15c6ddfd7ccb7c16ed93f38c2 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Wed, 30 Mar 2022 12:52:01 -0700 Subject: [PATCH 30/60] remove "Automation" tag from properites file --- code-scanning/properties/dependency-review.properties.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 3badf40..568af90 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,10 +3,9 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Code Scanning", - "Automation", - "Dependency Graph", "Dependency Review", + "Code Scanning", + "Dependency Graph", "Go", "Java", "JavaScript", From 589aeb1674483e39ab864dd33cfa5cf63882462a Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 31 Mar 2022 10:34:04 +0200 Subject: [PATCH 31/60] Added restrictive permissions for GITHUB_TOKEN --- code-scanning/sonarcloud.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index bd6a3e1..dade659 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -35,6 +35,9 @@ on: branches: [ $default-branch ] workflow_dispatch: +permissions: + pull-requests: read # allows SonarCloud to decorate PRs with analysis results + jobs: Analysis: runs-on: ubuntu-latest @@ -46,7 +49,7 @@ jobs: # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 uses: SonarSource/sonarcloud-github-action@v1.6 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments for the sonarcloud scanner From 439bf3cc34005f8b68d877f9bc5e288e491784e3 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Thu, 31 Mar 2022 14:28:28 +0530 Subject: [PATCH 32/60] Change to small case --- code-scanning/properties/dependency-review.properties.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 568af90..e84278c 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,9 +3,8 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Dependency Review", - "Code Scanning", - "Dependency Graph", + "Dependency review", + "Dependency graph", "Go", "Java", "JavaScript", From 24a0860545c9fb8bc75902a3944350e15b2ca893 Mon Sep 17 00:00:00 2001 From: Eli Reisman Date: Thu, 31 Mar 2022 10:34:19 -0700 Subject: [PATCH 33/60] fix broken build due to missing required category --- code-scanning/properties/dependency-review.properties.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index e84278c..57ca502 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,8 +3,9 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Dependency review", - "Dependency graph", + "Code Scanning", + "Dependency Review", + "Dependency Graph", "Go", "Java", "JavaScript", From dbba84eb877092dade4cc207fe0f2721d9ed60f2 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 1 Apr 2022 10:03:32 +0530 Subject: [PATCH 34/60] revert back to "Dependency review" category The CI test needs to be fixed and not the other way round. --- code-scanning/properties/dependency-review.properties.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index 57ca502..e84278c 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -3,9 +3,8 @@ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", "iconName": "octicon mark-github", "categories": [ - "Code Scanning", - "Dependency Review", - "Dependency Graph", + "Dependency review", + "Dependency graph", "Go", "Java", "JavaScript", From d629c82ad7b53ccd396ab5ca9f8b97bf9a67ca68 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 1 Apr 2022 10:04:38 +0530 Subject: [PATCH 35/60] Include "Dependency review" in allowed categories --- script/validate-data/settings.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json index ce89e36..ef8ee60 100644 --- a/script/validate-data/settings.json +++ b/script/validate-data/settings.json @@ -9,6 +9,7 @@ "Continuous integration", "Deployment", "Code Scanning", + "Dependency review", "Automation" ] -} \ No newline at end of file +} From 3f1969e60bade312dd53ca604e2479900b6a6a5f Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 10:26:21 +0200 Subject: [PATCH 36/60] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 428d899..8835ff8 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1,7 +1,7 @@ { "name": "SonarCloud", "creator": "Sonar", - "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Free for open source projects", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start analyzing your code in minutes!", "iconName": "sonarcloud", "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } From 1132fdda5ded5388ebc46d62f1892bece49f3c26 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 10:43:06 +0200 Subject: [PATCH 37/60] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 8835ff8..9b88a78 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1,7 +1,7 @@ { "name": "SonarCloud", "creator": "Sonar", - "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start analyzing your code in minutes!", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!", "iconName": "sonarcloud", "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } From 50c02af8cf04a5cba88c5f47d64db3d2860ddcff Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 10:59:27 +0200 Subject: [PATCH 38/60] changed version to exact SHA Co-authored-by: Sampark Sharma --- code-scanning/sonarcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index dade659..fe9afb4 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -47,7 +47,7 @@ jobs: # You can pin the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - uses: SonarSource/sonarcloud-github-action@v1.6 + uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) From 090ead86a92181d20a19219314dd1858ec87a787 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 14:51:15 +0200 Subject: [PATCH 39/60] Update syntax for validation --- code-scanning/sonarcloud.yml | 42 ++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index fe9afb4..ff388c8 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -45,24 +45,24 @@ jobs: steps: - name: Analyze with SonarCloud - # You can pin the exact commit or the version. - # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) - with: - # Additional arguments for the sonarcloud scanner - args: - # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) - -Dsonar.projectKey= # mandatory - # Unique organization key of your project. You can find it in SonarCloud > Information (bottom-left menu) - -Dsonar.organization= # mandatory - # Comma-separated paths to directories containing main source files. - #-Dsonar.sources= # optional, default is project base directory - # When you need the analysis to take place in a directory other than the one from which it was launched - #-Dsonar.projectBaseDir= # optional, default is . - # Comma-separated paths to directories containing test source files. - #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ - # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - #-Dsonar.verbose= # optional, default is false + # You can pin the exact commit or the version. + # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the sonarcloud scanner + args: + # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) + # mandatory + -Dsonar.projectKey= + -Dsonar.organization= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + #-Dsonar.projectBaseDir= # optional, default is . + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false From cca97c83b88349992531d905e3456a9227e2a391 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Sat, 9 Apr 2022 01:28:14 -0700 Subject: [PATCH 40/60] Add rust-clippy starter workflow (#1462) * Add rust-clippy starter workflow * fix parameter `wait-for-processing` indent of action github/codeql-action/upload-sarif@v1 * Use commit sha instead of tag * addressing pr comments * Update creator * Add comments --- .../properties/rust-clippy.properties.json | 10 ++++ code-scanning/rust-clippy.yml | 54 +++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 code-scanning/properties/rust-clippy.properties.json create mode 100644 code-scanning/rust-clippy.yml diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json new file mode 100644 index 0000000..ea5c871 --- /dev/null +++ b/code-scanning/properties/rust-clippy.properties.json @@ -0,0 +1,10 @@ +{ + "name": "rust-clippy", + "creator": "Rust", + "description": "A collection of lints to catch common mistakes and improve your Rust code.", + "iconName": "rust", + "categories": [ + "Code Scanning", + "rust" + ] +} \ No newline at end of file diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml new file mode 100644 index 0000000..e9c426a --- /dev/null +++ b/code-scanning/rust-clippy.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# rust-clippy is a tool that runs a bunch of lints to catch common +# mistakes in your Rust code and help improve your Rust code. +# More details at https://github.com/rust-lang/rust-clippy +# and https://rust-lang.github.io/rust-clippy/ + +name: rust-clippy analyze + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + rust-clippy-analyze: + name: Run rust-clippy analyzing + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Install Rust toolchain + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1 + with: + profile: minimal + toolchain: stable + components: clippy + override: true + + - name: Install required cargo + run: cargo install clippy-sarif sarif-fmt + + - name: Run rust-clippy + run: + cargo clippy + --all-features + --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: rust-clippy-results.sarif + wait-for-processing: true \ No newline at end of file From 769950ce816c2f79f8df05cf138640f9aa08625d Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Sun, 10 Apr 2022 17:20:15 +0530 Subject: [PATCH 41/60] Removing code-scanning/shiftleft as per author request (#1513) Co-authored-by: Bishal Prasad --- .../properties/shiftleft.properties.json | 7 --- code-scanning/shiftleft.yml | 47 ------------------- icons/shiftleft.svg | 6 --- 3 files changed, 60 deletions(-) delete mode 100644 code-scanning/properties/shiftleft.properties.json delete mode 100644 code-scanning/shiftleft.yml delete mode 100644 icons/shiftleft.svg diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json deleted file mode 100644 index 1cb36c9..0000000 --- a/code-scanning/properties/shiftleft.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Scan", - "creator": "ShiftLeft", - "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.", - "iconName": "shiftleft", - "categories": ["Code Scanning"] -} \ No newline at end of file diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml deleted file mode 100644 index b042670..0000000 --- a/code-scanning/shiftleft.yml +++ /dev/null @@ -1,47 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow integrates Scan with GitHub's code scanning feature -# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft -# Visit https://slscan.io/en/latest/integrations/code-scan for help -name: SL Scan - -on: - push: - branches: [ $default-branch, $protected-branches ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ $default-branch ] - schedule: - - cron: $cron-weekly - -jobs: - Scan-Build: - # Scan runs on ubuntu, mac and windows - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - # Instructions - # 1. Setup JDK, Node.js, Python etc depending on your project type - # 2. Compile or build the project before invoking scan - # Example: mvn compile, or npm install or pip install goes here - # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url - - - name: Perform Scan - uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64 - env: - WORKSPACE: "" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SCAN_AUTO_BUILD: true - with: - output: reports - # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type - # type: credscan,java - # type: python - - - name: Upload report - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: reports diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg deleted file mode 100644 index f8e944a..0000000 --- a/icons/shiftleft.svg +++ /dev/null @@ -1,6 +0,0 @@ - - - - - - From 31b35634e10474dd37c3d2929577d2778e781cbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Sun, 10 Apr 2022 15:07:11 +0200 Subject: [PATCH 42/60] Fix pull request trigger in greetings.yml (#1518) --- automation/greetings.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index ee1cb11..18ba13f 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -1,6 +1,6 @@ name: Greetings -on: [pull_request, issues] +on: [pull_request_target, issues] jobs: greeting: From d80712faf41487f0d71d06018ec3bae11b859987 Mon Sep 17 00:00:00 2001 From: Anthony Roussel Date: Sun, 10 Apr 2022 15:29:47 +0200 Subject: [PATCH 43/60] Disable Terraform interactive prompts during apply & plan (#1467) --- deployments/terraform.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 96e44e0..6142d2c 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -82,10 +82,10 @@ jobs: # Generates an execution plan for Terraform - name: Terraform Plan - run: terraform plan + run: terraform plan -input=false # On push to $default-branch, build or change infrastructure according to Terraform configuration files # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks - name: Terraform Apply if: github.ref == 'refs/heads/$default-branch' && github.event_name == 'push' - run: terraform apply -auto-approve + run: terraform apply -auto-approve -input=false From 970a7b52557fbdf7dc31c20e64499c21f45deff2 Mon Sep 17 00:00:00 2001 From: dlorenc Date: Sun, 10 Apr 2022 13:06:23 -0500 Subject: [PATCH 44/60] =?UTF-8?q?Update=20the=20cosign-install=20action=20?= =?UTF-8?q?and=20default=20version=20from=201.4.0=20to=201.=E2=80=A6=20(#1?= =?UTF-8?q?452)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update the cosign-install action and default version from 1.4.0 to 1.5.1. Signed-off-by: Dan Lorenc * Update to 1.7.1 and the latest cosign-installer action. Signed-off-by: Dan Lorenc Co-authored-by: Bishal Prasad --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 7b6add3..75f9770 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605 with: - cosign-release: 'v1.4.0' + cosign-release: 'v1.7.1' # Workaround: https://github.com/docker/build-push-action/issues/461 From eeb7d2860d40ef8ccea22e7cc47f0a7088dc886a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Bedran?= Date: Sun, 10 Apr 2022 16:46:50 -0300 Subject: [PATCH 45/60] Removes " Simulator" substring from device name. (#1470) --- ci/ios.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/ios.yml b/ci/ios.yml index 5cec5e7..693a7d5 100644 --- a/ci/ios.yml +++ b/ci/ios.yml @@ -26,7 +26,7 @@ jobs: platform: ${{ 'iOS Simulator' }} run: | # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959) - device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'` + device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"` if [ $scheme = default ]; then scheme=$(cat default); fi if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` @@ -37,7 +37,7 @@ jobs: platform: ${{ 'iOS Simulator' }} run: | # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959) - device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'` + device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"` if [ $scheme = default ]; then scheme=$(cat default); fi if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` From 9e81e73fe1c6c6786692b02864aeb1271734d235 Mon Sep 17 00:00:00 2001 From: Andrew Freckelton <7751633+frecks@users.noreply.github.com> Date: Mon, 11 Apr 2022 15:04:06 -0400 Subject: [PATCH 46/60] chore: Update go version to 1.18 --- ci/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/go.yml b/ci/go.yml index 6f498a6..bb3ec96 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -16,7 +16,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.17 + go-version: 1.18 - name: Build run: go build -v ./... From 66f87f9dfe82ccc8055c7063ef35ee994f1a3ae1 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 11 Apr 2022 21:41:27 -0700 Subject: [PATCH 47/60] Add clj-watson starter workflow (#1460) * Add clj-watson starter workflow * update permissions * update to latest release * Update clj-watson-action to official release * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * update categories * update categories * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * Update code-scanning/properties/clj-watson.properties.json Co-authored-by: Bishal Prasad * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * add comments to yml file * Update clj-watson.properties.json * use codeql-action/upload-sarif v2 Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> Co-authored-by: Bishal Prasad --- code-scanning/clj-watson.yml | 53 +++++++++++++++++++ .../properties/clj-watson.properties.json | 9 ++++ icons/clj-watson.svg | 1 + 3 files changed, 63 insertions(+) create mode 100644 code-scanning/clj-watson.yml create mode 100644 code-scanning/properties/clj-watson.properties.json create mode 100644 icons/clj-watson.svg diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml new file mode 100644 index 0000000..2e4ab3c --- /dev/null +++ b/code-scanning/clj-watson.yml @@ -0,0 +1,53 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# clj-watson scans dependencies in a clojure deps.edn +# seeking for vulnerable direct/transitive dependencies and +# build a report with all the information needed to help you +# understand how the vulnerability manifest in your software. +# More details at https://github.com/clj-holmes/clj-watson + +name: clj-watson + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + clj-holmes: + name: Run clj-watson scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Dependency scan + uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c + with: + clj-watson-sha: "65d928c" + clj-watson-tag: "v4.0.1" + database-strategy: github-advisory + aliases: clojure-lsp,test + deps-edn-path: deps.edn + suggest-fix: true + output-type: sarif + output-file: clj-watson-results.sarif + fail-on-result: false + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{github.workspace}}/clj-watson-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/clj-watson.properties.json b/code-scanning/properties/clj-watson.properties.json new file mode 100644 index 0000000..966314a --- /dev/null +++ b/code-scanning/properties/clj-watson.properties.json @@ -0,0 +1,9 @@ +{ + "name": "clj-watson", + "description": "Scan Clojure/Clojurescript projects for vulnerable direct/transitive dependencies.", + "iconName": "clj-watson", + "categories": [ + "Code Scanning", + "Clojure" + ] +} diff --git a/icons/clj-watson.svg b/icons/clj-watson.svg new file mode 100644 index 0000000..74459e5 --- /dev/null +++ b/icons/clj-watson.svg @@ -0,0 +1 @@ + \ No newline at end of file From 94d3aff4c62f40e4751c3c71c61b23c4ec02a072 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Tue, 12 Apr 2022 10:27:04 +0530 Subject: [PATCH 48/60] Remove creator property from rust-clippy This is owned by @josepalafox's BD team in GitHub. --- code-scanning/properties/rust-clippy.properties.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json index ea5c871..4737786 100644 --- a/code-scanning/properties/rust-clippy.properties.json +++ b/code-scanning/properties/rust-clippy.properties.json @@ -1,10 +1,9 @@ { "name": "rust-clippy", - "creator": "Rust", "description": "A collection of lints to catch common mistakes and improve your Rust code.", "iconName": "rust", "categories": [ "Code Scanning", "rust" ] -} \ No newline at end of file +} From ae0ff4dd3a81c243bea35ec3e2035ab14b94bc9e Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Tue, 12 Apr 2022 10:29:04 +0530 Subject: [PATCH 49/60] Add Actions team as CODEOWNERS for code-scanning starter workflows --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 8866d17..91153de 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,3 +1,3 @@ * @actions/starter-workflows -/code-scanning/ @actions/advanced-security-code-scanning +/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows From 92b20ce19b85f9e2d7eb558aa665eb6ac9287cb5 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Wed, 13 Apr 2022 23:04:48 -0700 Subject: [PATCH 50/60] Add ESLint starter workflow (#1461) * Add ESLint starter workflow * Specify versions * update permission * Add typescript to categories * Update codeql action to v2; add comments * address review feedbacks * update categories --- code-scanning/eslint.yml | 49 +++++++++++++++++++ .../properties/eslint.properties.json | 11 +++++ icons/eslint.svg | 1 + 3 files changed, 61 insertions(+) create mode 100644 code-scanning/eslint.yml create mode 100644 code-scanning/properties/eslint.properties.json create mode 100644 icons/eslint.svg diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml new file mode 100644 index 0000000..9067a7d --- /dev/null +++ b/code-scanning/eslint.yml @@ -0,0 +1,49 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# ESLint is a tool for identifying and reporting on patterns +# found in ECMAScript/JavaScript code. +# More details at https://github.com/eslint/eslint +# and https://eslint.org + +name: ESLint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + eslint: + name: Run eslint scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Install ESLint + run: | + npm install eslint@8.10.0 + npm install @microsoft/eslint-formatter-sarif@2.1.7 + + - name: Run ESLint + run: npx eslint . + --config .eslintrc.js + --ext .js,.jsx,.ts,.tsx + --format @microsoft/eslint-formatter-sarif + --output-file eslint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: eslint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json new file mode 100644 index 0000000..a84646a --- /dev/null +++ b/code-scanning/properties/eslint.properties.json @@ -0,0 +1,11 @@ +{ + "name": "ESLint", + "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.", + "iconName": "eslint", + "categories": [ + "Code Scanning", + "JavaScript", + "EcmaScript", + "TypeScript" + ] +} \ No newline at end of file diff --git a/icons/eslint.svg b/icons/eslint.svg new file mode 100644 index 0000000..23964aa --- /dev/null +++ b/icons/eslint.svg @@ -0,0 +1 @@ + \ No newline at end of file From ac3c29ff5b1f47eab61e718d9a62519799d1a7a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Arko?= Date: Sun, 17 Apr 2022 03:07:19 -0700 Subject: [PATCH 51/60] Shorten Rails workflow name, in line with others The workflows for Ruby, RubyGem, Jekyll, and similar are all just the name of the language, package, or framework. This name change brings Rails in line with the other starters. --- ci/properties/rubyonrails.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/properties/rubyonrails.properties.json b/ci/properties/rubyonrails.properties.json index 49b29a4..7a2c18a 100644 --- a/ci/properties/rubyonrails.properties.json +++ b/ci/properties/rubyonrails.properties.json @@ -1,5 +1,5 @@ { - "name": "Ruby on Rails continuous integration", + "name": "Ruby on Rails", "description": "Build, lint, and test a Rails application", "iconName": "rails", "categories": ["Continuous integration", "Ruby", "Rails"] From 2885b083c9ae49c16188ad79cf15bab9e2107547 Mon Sep 17 00:00:00 2001 From: Jesse Glick Date: Mon, 18 Apr 2022 15:39:08 -0400 Subject: [PATCH 52/60] Update docker/build-push-action https://github.com/docker/build-push-action/commit/ac9327eae2b366085ac7f6a2d02df8aa8ead720a to pick up https://github.com/docker/build-push-action/pull/569 --- ci/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 75f9770..a9fd4b3 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -72,7 +72,7 @@ jobs: # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a with: context: . push: ${{ github.event_name != 'pull_request' }} From c06604910c9a4312db162077a4e46fa7aad61356 Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya <35347859+jaiveerk@users.noreply.github.com> Date: Fri, 22 Apr 2022 04:10:20 -0400 Subject: [PATCH 53/60] Parallelize Jobs for AKS Starter Workflows (#1534) * Reworked AKS deployment workflows (#1403) * rebased to partner_templates * Renaming workflow * Updated corresponding properties.json files for the new aks workflows under deployments. * Updated properties.json titles for aks workflows * Renamed SECRET_NAME to IMAGE_PULL_SECRET_NAME * Moved permissions down to the job level * Updated documentation links * Updated permission for action to read * Removing redundant permissions * write -> read for actions * Updated descriptions * Less reference documentation in header * Added comments to each AKS Starter Workflow step Co-authored-by: Tommy Barnes * Update AKS workflows to not use imagePullSecrets (#1494) * removing old method of adding imagePullSecrets * fixing step casing * For testing: Dependency review starter workflow * changed back to image pull secret, added mask, clarified website and pull secret instructions * made changes to other aks files * Added back imagepullsecrets param to deploy action, reordered env vars * changing release version of deploy action * restructured starter workflows to parallelize secret creation and image building * renamed to buildImage and removed extra space * cleaned up some random newlines * removed extra space * removing changes from partner branch * removing changes from partner branch * through mistake in changing PR, two files lost step for createSecret Co-authored-by: Tommy Barnes Co-authored-by: Tommy Barnes Co-authored-by: Israel Miller Co-authored-by: Bishal Prasad Co-authored-by: Jaiveer Katariya Co-authored-by: Jaiveer Katariya --- deployments/azure-kubernetes-service-helm.yml | 55 ++++++++++++++--- .../azure-kubernetes-service-kompose.yml | 60 +++++++++++++++--- .../azure-kubernetes-service-kustomize.yml | 61 ++++++++++++++++--- deployments/azure-kubernetes-service.yml | 55 ++++++++++++++--- 4 files changed, 199 insertions(+), 32 deletions(-) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 948e7db..a5edeaa 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm. # Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration. @@ -48,12 +48,11 @@ env: CHART_OVERRIDE_PATH: "your-chart-override-path" jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -72,6 +71,21 @@ jobs: run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -85,7 +99,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -96,7 +112,30 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Helm to create manifest files - name: Bake deployment @@ -112,11 +151,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 7c25319..5b7e4d1 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose. # Set your dockerComposeFile and kompose-version to suit your configuration. @@ -40,12 +40,11 @@ env: DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path" jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -63,7 +62,22 @@ jobs: - name: Build and push image to ACR run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . - + + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -77,7 +91,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -88,7 +104,33 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Kompose to create manifest files - name: Bake deployment @@ -101,11 +143,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index f6928d0..305d6de 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -9,17 +9,17 @@ # To configure this workflow: # # 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID # # 2. Set the following environment variables (or replace the values below): # - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # # 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize. # Set your kustomizationPath and kubectl-version to suit your configuration. @@ -46,12 +46,11 @@ env: KUSTOMIZE_PATH: "your-kustomize-path" jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -69,6 +68,24 @@ jobs: - name: Build and push image to ACR run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context @@ -83,7 +100,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -94,7 +113,33 @@ jobs: container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io container-registry-username: ${{ steps.get-acr-creds.outputs.username }} container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} # Runs Kustomize to create manifest files - name: Bake deployment @@ -107,11 +152,11 @@ jobs: # Deploys application based on manifest files from previous step - name: Deploy application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ steps.bake.outputs.manifestsBundle }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index bb513d4..c471793 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -8,8 +8,7 @@ # # To configure this workflow: # -# 1. Set the following secrets in your repository (instructions for getting these -# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication): +# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): # - AZURE_CLIENT_ID # - AZURE_TENANT_ID # - AZURE_SUBSCRIPTION_ID @@ -19,7 +18,7 @@ # - RESOURCE_GROUP (where your cluster is deployed) # - CLUSTER_NAME (name of your AKS cluster) # - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - SECRET_NAME (name of the secret associated with pulling your ACR image) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) # - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment) # # For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions @@ -43,12 +42,11 @@ env: DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path' jobs: - build: + buildImage: permissions: actions: read contents: read id-token: write - runs-on: ubuntu-latest steps: # Checks out the repository this file is in @@ -67,6 +65,21 @@ jobs: run: | az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . + createSecret: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - name: Get K8s context uses: azure/aks-set-context@v2.0 @@ -80,7 +93,9 @@ jobs: az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) + echo "::add-mask::${ACR_USERNAME}" echo "::set-output name=username::${ACR_USERNAME}" + echo "::add-mask::${ACR_PASSWORD}" echo "::set-output name=password::${ACR_PASSWORD}" id: get-acr-creds @@ -93,13 +108,39 @@ jobs: container-registry-password: ${{ steps.get-acr-creds.outputs.password }} secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage, createSecret] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.3 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v2.0 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + # Deploys application based on given manifest file - name: Deploys application - uses: Azure/k8s-deploy@v3.0 + uses: Azure/k8s-deploy@v3.1 with: action: deploy manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} + ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file From ad9daa8da372928e50064995bb1c2f542c0c345c Mon Sep 17 00:00:00 2001 From: Jaiveer Katariya <35347859+jaiveerk@users.noreply.github.com> Date: Sat, 23 Apr 2022 00:40:21 -0400 Subject: [PATCH 54/60] removed actions read permission from createSecret and buildImage steps (#1539) --- deployments/azure-kubernetes-service-helm.yml | 2 -- deployments/azure-kubernetes-service-kompose.yml | 2 -- deployments/azure-kubernetes-service-kustomize.yml | 2 -- deployments/azure-kubernetes-service.yml | 2 -- 4 files changed, 8 deletions(-) diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index a5edeaa..510abcd 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -50,7 +50,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -73,7 +72,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 5b7e4d1..0cf23ba 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -42,7 +42,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -65,7 +64,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 305d6de..14469db 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -48,7 +48,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -71,7 +70,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml index c471793..d04a2ac 100644 --- a/deployments/azure-kubernetes-service.yml +++ b/deployments/azure-kubernetes-service.yml @@ -44,7 +44,6 @@ env: jobs: buildImage: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest @@ -67,7 +66,6 @@ jobs: createSecret: permissions: - actions: read contents: read id-token: write runs-on: ubuntu-latest From a52cd5a16a7422970cf0d09ddd7489c0abcd1cf3 Mon Sep 17 00:00:00 2001 From: Tristram Oaten Date: Mon, 25 Apr 2022 15:02:37 +0100 Subject: [PATCH 55/60] Update setup-ruby to the latest release The default github action ruby template references this old commit which doesn't have any modern rubies https://github.com/ruby/setup-ruby/commit/473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e The fix is to update the pinned version to the latest release https://github.com/alphagov/forms-api/pull/3/commits/e3c8ad2759088a12ba9f3040d2c47c23799c8455 --- ci/ruby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index 256aa14..7daf2cc 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e + uses: ruby/setup-ruby@e3c8ad2759088a12ba9f3040d2c47c23799c8455 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically From a2a01a4b0b9b9f8f39c20efdd1f1eee8fd9772d2 Mon Sep 17 00:00:00 2001 From: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Date: Tue, 26 Apr 2022 02:26:34 -0700 Subject: [PATCH 56/60] CodeQL starter workflow: Replace git.io links git.io is deprecated. Replace the references with full links or aka.ms links to the same documentation. --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 37109ab..0e57f4b 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -34,7 +34,7 @@ jobs: matrix: language: [ $detected-codeql-languages ] # CodeQL supports [ $supported-codeql-languages ] - # Learn more about CodeQL language support at https://git.io/codeql-language-support + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - name: Checkout repository @@ -56,7 +56,7 @@ jobs: uses: github/codeql-action/autobuild@v2 # ℹ️ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines # and modify them (or add more) to build your code if your project From 0ae51b0d1063d99894068034e0f6e7de60e6ec5b Mon Sep 17 00:00:00 2001 From: Tristram Oaten Date: Thu, 28 Apr 2022 10:58:56 +0100 Subject: [PATCH 57/60] fix sha --- ci/ruby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/ruby.yml b/ci/ruby.yml index 7daf2cc..81ea363 100644 --- a/ci/ruby.yml +++ b/ci/ruby.yml @@ -30,7 +30,7 @@ jobs: # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, # change this to (see https://github.com/ruby/setup-ruby#versioning): # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@e3c8ad2759088a12ba9f3040d2c47c23799c8455 + uses: ruby/setup-ruby@2b019609e2b0f1ea1a2bc8ca11cb82ab46ada124 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically From 662e915c0fe85c4d078b6de037bce62ebc69fe96 Mon Sep 17 00:00:00 2001 From: Bar Hofesh Date: Thu, 28 Apr 2022 22:01:20 +0300 Subject: [PATCH 58/60] Add NeuraLegion to starter workflows (#1203) * Added Neuralegion to starter workflows * Using an action * Fixed Indentation :) * Update neuralegion.yml Co-authored-by: Bishal Prasad --- code-scanning/neuralegion.yml | 175 ++++++++++++++++++ .../properties/neuralegion.properties.json | 24 +++ icons/neuralegion.svg | 57 ++++++ 3 files changed, 256 insertions(+) create mode 100644 code-scanning/neuralegion.yml create mode 100644 code-scanning/properties/neuralegion.properties.json create mode 100644 icons/neuralegion.svg diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml new file mode 100644 index 0000000..e24e14a --- /dev/null +++ b/code-scanning/neuralegion.yml @@ -0,0 +1,175 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Run a Nexploit Scan +# This action runs a new security scan in Nexploit, or reruns an existing one. +# Build Secure Apps & APIs. Fast. +# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love. +# Automatically Tests Every Aspect of Your Apps & APIs +# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports +# Seamlessly integrates with the Tools and Workflows You Already Use +# +# NeuraLegion works with your existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing. +# Spin-Up, Configure and Control Scans with Code +# One file. One command. One scan. No UI needed. +# +# Super-Fast Scans +# +# Interacts with applications and APIs, instead of just crawling them and guessing. +# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks. +# +# No False Positives +# +# Stop chasing ghosts and wasting time. NeuraLegion doesn’t return false positives, so you can focus on releasing code. +# +# Comprehensive Security Testing +# +# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities. +# +# More information is available on NeuraLegion’s: +# * [Website](https://www.neuralegion.com/) +# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart) +# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw) +# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+) +# +# Inputs +# +# `name` +# +# **Required**. Scan name. +# +# _Example:_ `name: GitHub scan ${{ github.sha }}` +# +# `api_token` +# +# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens). +# +# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}` +# +# `restart_scan` +# +# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. +# +# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)` +# +# `discovery_types` +# +# **Required**. Array of discovery types. The following types are available: +# * `archive` - uses an uploaded HAR-file for a scan +# * `crawler` - uses a crawler to define the attack surface for a scan +# * `oas` - uses an uploaded OpenAPI schema for a scan
+# If no discovery type is specified, `crawler` is applied by default. +# +# _Example:_ +# +# ```yml +# discovery_types: | +# [ "crawler", "archive" ] +# ``` +# +# `file_id` +# +# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login). +# +# _Example:_ +# +# ``` +# FILE_ID=$(nexploit-cli archive:upload \ +# --token ${{ secrets.NEXPLOIT_TOKEN }} \ +# --discard true \ +# ./example.har) +# ``` +# +# `crawler_urls` +# +# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface. +# +# _Example:_ +# +# ``` +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# ``` +# +# `hosts_filter` +# +# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. +# +# Outputs +# +# `url` +# +# Url of the resulting scan +# +# `id` +# +# ID of the created scan. This ID could then be used to restart the scan, or for the following GitHub actions: +# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues) +# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan) +# +# Example usage +# +# Start a new scan with parameters +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# discovery_types: | +# [ "crawler", "archive" ] +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# file_id: LiYknMYSdbSZbqgMaC9Sj +# hosts_filter: | +# [ ] +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" +# ``` +# +# Restart an existing scan +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" + + +name: "NeuraLegion" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + neuralegion_scan: + runs-on: ubuntu-18.04 + name: A job to run a Nexploit scan + steps: + - uses: actions/checkout@v2 + - name: Start Nexploit Scan 🏁 + id: start + uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe + with: + api_token: ${{ secrets.NEURALEGION_TOKEN }} + name: GitHub scan ${{ github.sha }} + discovery_types: | + [ "crawler" ] + crawler_urls: | + [ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan diff --git a/code-scanning/properties/neuralegion.properties.json b/code-scanning/properties/neuralegion.properties.json new file mode 100644 index 0000000..ee64a52 --- /dev/null +++ b/code-scanning/properties/neuralegion.properties.json @@ -0,0 +1,24 @@ +{ + "name": "NeuraLegion", + "creator": "NeuraLegion", + "description": "Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports", + "iconName": "neuralegion", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} diff --git a/icons/neuralegion.svg b/icons/neuralegion.svg new file mode 100644 index 0000000..0534225 --- /dev/null +++ b/icons/neuralegion.svg @@ -0,0 +1,57 @@ + + + + + + + + + NeuraLegion Logo + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From d09e57c7a386f2c92c1d0d5af960c03c79b02eb0 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Thu, 28 Apr 2022 15:22:57 -0400 Subject: [PATCH 59/60] Adding workflow for sobelow (static analysis tool for the Phoenix framework) (#1528) * Adding sobelow workflow * Removing setup-beam dependency * Updating instructions --- .../properties/sobelow.properties.json | 11 +++++ code-scanning/sobelow.yml | 40 +++++++++++++++++++ icons/sobelow.svg | 20 ++++++++++ 3 files changed, 71 insertions(+) create mode 100644 code-scanning/properties/sobelow.properties.json create mode 100644 code-scanning/sobelow.yml create mode 100644 icons/sobelow.svg diff --git a/code-scanning/properties/sobelow.properties.json b/code-scanning/properties/sobelow.properties.json new file mode 100644 index 0000000..163e866 --- /dev/null +++ b/code-scanning/properties/sobelow.properties.json @@ -0,0 +1,11 @@ +{ + "name": "Sobelow", + "creator": "nccgroup", + "description": "Sobelow is a security-focused static analysis tool for the Phoenix framework.", + "iconName": "sobelow", + "categories": [ + "Code Scanning", + "Elixir" + ] + } + \ No newline at end of file diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml new file mode 100644 index 0000000..21cb6e7 --- /dev/null +++ b/code-scanning/sobelow.yml @@ -0,0 +1,40 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/ +# +# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. +# +# Instructions: +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. +name: Sobelow + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - id: run-action + uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 + - name: Upload report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif diff --git a/icons/sobelow.svg b/icons/sobelow.svg new file mode 100644 index 0000000..4d243ea --- /dev/null +++ b/icons/sobelow.svg @@ -0,0 +1,20 @@ + + + + + + + + From ca970a212491702286740f8f0b943e097bdb4de3 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Mon, 2 May 2022 12:23:29 +0530 Subject: [PATCH 60/60] Fix typo --- code-scanning/properties/dependency-review.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json index e84278c..c195c73 100644 --- a/code-scanning/properties/dependency-review.properties.json +++ b/code-scanning/properties/dependency-review.properties.json @@ -1,6 +1,6 @@ { "name": "Dependency Review", - "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository", "iconName": "octicon mark-github", "categories": [ "Dependency review",