Merge branch 'main' into main

This commit is contained in:
Christophe H
2022-11-03 11:37:14 +01:00
committed by GitHub
180 changed files with 5022 additions and 416 deletions
+17
View File
@@ -0,0 +1,17 @@
# Set to true to add reviewers to pull requests
addReviewers: true
# Set to true to add assignees to pull requests
addAssignees: false
# A list of reviewers to be added to pull requests (GitHub user name)
reviewers:
- phantsure
- anuragc617
- tiwarishub
- vsvipul
- bishal-pdmsft
# A number of reviewers added to the pull request
# Set 0 to add all the reviewers (default: 0)
numberOfReviewers: 1
+16
View File
@@ -0,0 +1,16 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
+3 -3
View File
@@ -26,7 +26,7 @@ It is not:
- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests").
- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification.
- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
**For _CI_ workflows, the workflow:**
@@ -38,10 +38,10 @@ It is not:
**For _Code Scanning_ workflows, the workflow:**
- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci).
- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning).
- [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows:
- [ ] `name`: Name of the Code Scanning integration.
- [ ] `organization`: Name of the organization producing the Code Scanning integration.
- [ ] `creator`: Name of the organization/user producing the Code Scanning integration.
- [ ] `description`: Short description of the Code Scanning integration.
- [ ] `categories`: Array of languages supported by the Code Scanning integration.
- [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons).
+15
View File
@@ -0,0 +1,15 @@
name: Issue assignment
on:
issues:
types: [opened]
jobs:
auto-assign:
runs-on: ubuntu-latest
steps:
- name: 'Auto-assign issue'
uses: pozil/auto-assign-issue@v1.11.0
with:
assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft
numOfAssignee: 1
+10
View File
@@ -0,0 +1,10 @@
name: 'Auto Assign'
on:
pull_request_target:
types: [opened, ready_for_review]
jobs:
add-reviews:
runs-on: ubuntu-latest
steps:
- uses: kentaro-m/auto-assign-action@v1.2.2
+1 -1
View File
@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Close Issue
uses: peter-evans/close-issue@v1
uses: peter-evans/close-issue@v2
if: contains(github.event.issue.labels.*.name, 'feature')
with:
comment: |
+1 -1
View File
@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Close Issue
uses: peter-evans/close-issue@v1
uses: peter-evans/close-issue@v2
if: contains(github.event.issue.labels.*.name, 'support')
with:
comment: |
+1 -1
View File
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v5
- uses: actions/stale@v6
with:
stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.'
stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.'
@@ -2,8 +2,7 @@ name: Sync workflows for GHES
on:
push:
branches:
- main
branches: [ main ]
jobs:
sync:
@@ -18,7 +17,9 @@ jobs:
git config user.name "GitHub Actions"
- uses: actions/setup-node@v3
with:
node-version: '12'
node-version: '16'
cache: 'npm'
cache-dependency-path: script/sync-ghes/package-lock.json
- name: Check starter workflows for GHES compat
run: |
npm ci
+3 -1
View File
@@ -14,7 +14,9 @@ jobs:
- uses: actions/setup-node@v3
with:
node-version: "12"
node-version: '16'
cache: 'npm'
cache-dependency-path: script/validate-data/package-lock.json
- name: Validate workflows
run: |
+2 -1
View File
@@ -1,3 +1,4 @@
* @actions/starter-workflows
/code-scanning/ @actions/advanced-security-code-scanning
/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows
/pages/ @actions/pages @actions/starter-workflows
+7 -4
View File
@@ -12,10 +12,11 @@ These are the workflow files for helping people get started with GitHub Actions.
### Directory structure
* [ci](ci): solutions for Continuous Integration workflows.
* [deployments](deployments): solutions for Deployment workflows.
* [automation](automation): solutions for automating workflows.
* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security)
* [ci](ci): solutions for Continuous Integration workflows
* [deployments](deployments): solutions for Deployment workflows
* [automation](automation): solutions for automating workflows
* [code-scanning](code-scanning): solutions for [Code Scanning](https://github.com/features/security)
* [pages](pages): solutions for Pages workflows
* [icons](icons): svg icons for the relevant template
Each workflow must be written in YAML and have a `.yml` extension. They also need a corresponding `.properties.json` file that contains extra metadata about the workflow (this is displayed in the GitHub.com UI).
@@ -40,6 +41,8 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`.
* monitoring
* Automation
* utilities
* Pages
* Hugo
### Variables
These variables can be placed in the starter workflow and will be substituted as detailed below:
+2 -2
View File
@@ -12,5 +12,5 @@ jobs:
- uses: actions/first-interaction@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
issue-message: 'Message that will be displayed on users first issue'
pr-message: 'Message that will be displayed on users first pull request'
issue-message: "Message that will be displayed on users' first issue"
pr-message: "Message that will be displayed on users' first pull request"
+1 -1
View File
@@ -1,5 +1,5 @@
# This workflow will build a Java project with Ant
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-ant
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-ant
name: Java CI
+3 -3
View File
@@ -3,7 +3,7 @@
# separate terms of service, privacy policy, and support
# documentation.
# This workflow will install Deno then run Deno lint and test.
# This workflow will install Deno then run `deno lint` and `deno test`.
# For more information see: https://github.com/denoland/setup-deno
name: Deno
@@ -27,7 +27,7 @@ jobs:
- name: Setup Deno
# uses: denoland/setup-deno@v1
uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e983317366
uses: denoland/setup-deno@9db7f66e8e16b5699a514448ce994936c63f0d54
with:
deno-version: v1.x
@@ -39,4 +39,4 @@ jobs:
run: deno lint
- name: Run tests
run: deno test -A --unstable
run: deno test -A
+7 -4
View File
@@ -41,9 +41,9 @@ jobs:
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605
uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
with:
cosign-release: 'v1.7.1'
cosign-release: 'v1.11.0'
# Workaround: https://github.com/docker/build-push-action/issues/461
@@ -72,12 +72,15 @@ jobs:
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
@@ -90,4 +93,4 @@ jobs:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+3 -3
View File
@@ -69,9 +69,9 @@ jobs:
# Install the .NET Core workload
- name: Install .NET Core
uses: actions/setup-dotnet@v2
uses: actions/setup-dotnet@v3
with:
dotnet-version: 5.0.x
dotnet-version: 6.0.x
# Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild
- name: Setup MSBuild.exe
@@ -105,7 +105,7 @@ jobs:
# Remove the pfx
- name: Remove the pfx
run: Remove-Item -path $env:Wap_Project_Directory\$env:Signing_Certificate
run: Remove-Item -path $env:Wap_Project_Directory\GitHubActionsWorkflow.pfx
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
- name: Upload build artifacts
+5 -2
View File
@@ -1,3 +1,6 @@
# This workflow will build a .NET project
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
name: .NET
on:
@@ -14,9 +17,9 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Setup .NET
uses: actions/setup-dotnet@v2
uses: actions/setup-dotnet@v3
with:
dotnet-version: 5.0.x
dotnet-version: 6.0.x
- name: Restore dependencies
run: dotnet restore
- name: Build
@@ -0,0 +1,68 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow lets you generate SLSA provenance file for your project.
# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
# The project is an initiative of the OpenSSF (openssf.org) and is developed at
# https://github.com/slsa-framework/slsa-github-generator.
# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
name: SLSA generic generator
on:
workflow_dispatch:
release:
types: [created]
permissions: read-all
jobs:
build:
runs-on: ubuntu-latest
outputs:
digests: ${{ steps.hash.outputs.digests }}
steps:
- uses: actions/checkout@v3
# ========================================================
#
# Step 1: Build your artifacts.
#
# ========================================================
- name: Build artifacts
run: |
# These are some amazing artifacts.
echo "artifact1" > artifact1
echo "artifact2" > artifact2
# ========================================================
#
# Step 2: Add a step to generate the provenance subjects
# as shown below. Update the sha256 sum arguments
# to include all binaries that you generate
# provenance for.
#
# ========================================================
- name: Generate subject
id: hash
run: |
set -euo pipefail
# List the artifacts the provenance will refer to.
files=$(ls artifact*)
# Generate the subjects (base64 encoded).
echo "::set-output name=digests::$(sha256sum $files | base64 -w0)"
provenance:
needs: [build]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
with:
base64-subjects: "${{ needs.build.outputs.digests }}"
upload-assets: true # Optional: Upload to a new release
+38
View File
@@ -0,0 +1,38 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow lets you compile your Go project using a SLSA3 compliant builder.
# This workflow will generate a so-called "provenance" file describing the steps
# that were performed to generate the final binary.
# The project is an initiative of the OpenSSF (openssf.org) and is developed at
# https://github.com/slsa-framework/slsa-github-generator.
# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
name: SLSA Go releaser
on:
workflow_dispatch:
release:
types: [created]
permissions: read-all
jobs:
# ========================================================================================================================================
# Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
# See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file
#=========================================================================================================================================
build:
permissions:
id-token: write # To sign.
contents: write # To upload release assets.
actions: read # To read workflow path.
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0
with:
go-version: 1.17
# =============================================================================================================
# Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects
# =============================================================================================================
+4 -1
View File
@@ -1,3 +1,6 @@
# This workflow will build a golang project
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
name: Go
on:
@@ -16,7 +19,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.17
go-version: 1.18
- name: Build
run: go build -v ./...
+2 -2
View File
@@ -30,14 +30,14 @@ jobs:
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Build with Gradle
uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: build
# The USERNAME and TOKEN need to correspond to the credentials environment variables used in
# the publishing section of your build.gradle
- name: Publish to GitHub Packages
uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: publish
env:
+2 -2
View File
@@ -3,7 +3,7 @@
# separate terms of service, privacy policy, and support
# documentation.
# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-gradle
name: Java CI with Gradle
@@ -29,6 +29,6 @@ jobs:
java-version: '11'
distribution: 'temurin'
- name: Build with Gradle
uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: build
+10 -1
View File
@@ -1,5 +1,10 @@
# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Java CI with Maven
@@ -24,3 +29,7 @@ jobs:
cache: maven
- name: Build with Maven
run: mvn -B package --file pom.xml
# Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
- name: Update dependency graph
uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6
+2 -2
View File
@@ -1,5 +1,5 @@
# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
name: Node.js CI
@@ -16,7 +16,7 @@ jobs:
strategy:
matrix:
node-version: [12.x, 14.x, 16.x]
node-version: [14.x, 16.x, 18.x]
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
steps:
+1 -1
View File
@@ -12,7 +12,7 @@ jobs:
strategy:
matrix:
node-version: [12.x, 14.x, 16.x]
node-version: [14.x, 16.x, 18.x]
steps:
- uses: actions/checkout@v3
+1 -1
View File
@@ -12,7 +12,7 @@ jobs:
strategy:
matrix:
node-version: [12.x, 14.x, 16.x]
node-version: [14.x, 16.x, 18.x]
steps:
- uses: actions/checkout@v3
+1 -1
View File
@@ -1,5 +1,5 @@
# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
name: Node.js Package
+1 -1
View File
@@ -1,5 +1,5 @@
# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
name: Node.js Package
@@ -0,0 +1,7 @@
{
"name": "SLSA Generic generator",
"creator": "Open Source Security Foundation (OpenSSF)",
"description": "Generate SLSA3 provenance for your existing release workflows",
"iconName": "generator-generic-ossf-slsa3-publish",
"categories": ["Continuous integration", "Go", "Elixir", "Erlang", "PHP", "Haskell", "Rust", "Java", "Scala", "Gradle", "Maven", "Python", "C", "C++", "TypeScript", "JavaScript", "npm", "Ruby", "HTML", "Composer", "Makefile", "Ada"]
}
@@ -0,0 +1,7 @@
{
"name": "SLSA Go releaser",
"creator": "Open Source Security Foundation (OpenSSF)",
"description": "Compile your Go project using a SLSA3 compliant builder",
"iconName": "go-ossf-slsa3-publish",
"categories": ["Continuous integration", "Go"]
}
@@ -1,5 +1,5 @@
{
"name": "Jekyll",
"name": "Jekyll using Docker image",
"description": "Package a Jekyll site using the jekyll/builder Docker image.",
"iconName": "jekyll",
"categories": ["Continuous integration", "HTML"]
+1 -1
View File
@@ -1,5 +1,5 @@
{
"name": "Ruby on Rails continuous integration",
"name": "Ruby on Rails",
"description": "Build, lint, and test a Rails application",
"iconName": "rails",
"categories": ["Continuous integration", "Ruby", "Rails"]
+1 -1
View File
@@ -1,5 +1,5 @@
# This workflow will install Python dependencies, run tests and lint with a single version of Python
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
name: Python application
+1 -1
View File
@@ -1,5 +1,5 @@
# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
name: Python package
+1 -1
View File
@@ -1,5 +1,5 @@
# This workflow will upload a Python Package using Twine when a release is created
# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
+1 -1
View File
@@ -30,7 +30,7 @@ jobs:
# To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
# change this to (see https://github.com/ruby/setup-ruby#versioning):
# uses: ruby/setup-ruby@v1
uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: ${{ matrix.ruby-version }}
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+2 -2
View File
@@ -30,7 +30,7 @@ jobs:
uses: actions/checkout@v3
# Add or replace dependency steps here
- name: Install Ruby and gems
uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
bundler-cache: true
# Add or replace database setup steps here
@@ -46,7 +46,7 @@ jobs:
- name: Checkout code
uses: actions/checkout@v3
- name: Install Ruby and gems
uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
bundler-cache: true
# Add or replace any other lints here
+9
View File
@@ -1,3 +1,8 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Scala CI
on:
@@ -21,5 +26,9 @@ jobs:
with:
java-version: '11'
distribution: 'temurin'
cache: 'sbt'
- name: Run tests
run: sbt test
# Optional: This step uploads information to the GitHub dependency graph and unblocking Dependabot alerts for the repository
- name: Upload dependency graph
uses: scalacenter/sbt-dependency-submission@ab086b50c947c9774b70f39fc7f6e20ca2706c91
+3
View File
@@ -1,3 +1,6 @@
# This workflow will build a Swift project
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-swift
name: Swift
on:
+1 -1
View File
@@ -12,7 +12,7 @@ jobs:
strategy:
matrix:
node-version: [12.x, 14.x, 16.x]
node-version: [14.x, 16.x, 18.x]
steps:
- uses: actions/checkout@v3
+38
View File
@@ -0,0 +1,38 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow checks out code, builds an image, performs a container image
# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency
# submission API.
# For more information on the Anchore sbom-action usage
# and parameters, see https://github.com/anchore/sbom-action. For more
# information about the Anchore SBOM tool, Syft, see
# https://github.com/anchore/syft
name: Anchore Syft SBOM scan
on:
push:
branches: [ $default-branch, $protected-branches ]
permissions:
contents: write
jobs:
Anchore-Build-Scan:
permissions:
contents: write # required to upload to the Dependency submission API
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- name: Scan the image and upload dependency results
uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a
with:
image: "localbuild/testimage:latest"
artifact-name: image.spdx.json
dependency-snapshot: true
+10 -7
View File
@@ -9,7 +9,7 @@
# and parameters, see https://github.com/anchore/scan-action. For more
# information on Anchore's container image scanning tool Grype, see
# https://github.com/anchore/grype
name: Anchore Container Scan
name: Anchore Grype vulnerability scan
on:
push:
@@ -28,18 +28,21 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout the code
- name: Check out the code
uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
- name: Run the Anchore Grype scan action
uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
id: scan
with:
image: "localbuild/testimage:latest"
acs-report-enable: true
- name: Upload Anchore Scan Report
fail-build: true
severity-cutoff: critical
- name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
sarif_file: ${{ steps.scan.outputs.sarif }}
+3 -1
View File
@@ -46,9 +46,11 @@ permissions:
contents: read
jobs:
Trigger APIsec scan:
Trigger_APIsec_scan:
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
+2 -1
View File
@@ -25,6 +25,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Brakeman Scan
runs-on: ubuntu-latest
steps:
@@ -34,7 +35,7 @@ jobs:
# Customize the ruby version depending on your needs
- name: Setup Ruby
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: '2.7'
+3 -2
View File
@@ -29,6 +29,7 @@ jobs:
issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues
pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
@@ -37,7 +38,7 @@ jobs:
- uses: actions/checkout@v3
# Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
- name: Checkmarx CxFlow Action
uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314
uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe
with:
project: ${{ secrets.CHECKMARX_PROJECT }}
team: ${{ secrets.CHECKMARX_TEAMS }}
@@ -46,7 +47,7 @@ jobs:
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
scanners: sast
params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory
params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }}
# Upload the Report for CodeQL/Security Alerts
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
+3 -2
View File
@@ -24,6 +24,7 @@ jobs:
permissions:
contents: read
security-events: write
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v2
@@ -31,7 +32,7 @@ jobs:
- name: Scan code
uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
with:
rules-repository: 'git://org/private-rules-repo#main'
# rules-repository: 'git://org/private-rules-repo#main'
output-type: 'sarif'
output-file: 'clj-holmes-results.sarif'
fail-on-result: 'false'
@@ -40,4 +41,4 @@ jobs:
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
ait-for-processing: true
wait-for-processing: true
+54
View File
@@ -0,0 +1,54 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# clj-watson scans dependencies in a clojure deps.edn
# seeking for vulnerable direct/transitive dependencies and
# build a report with all the information needed to help you
# understand how the vulnerability manifest in your software.
# More details at https://github.com/clj-holmes/clj-watson
name: clj-watson
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
clj-holmes:
name: Run clj-watson scanning
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Dependency scan
uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c
with:
clj-watson-sha: "65d928c"
clj-watson-tag: "v4.0.1"
database-strategy: github-advisory
aliases: clojure-lsp,test
deps-edn-path: deps.edn
suggest-fix: true
output-type: sarif
output-file: clj-watson-results.sarif
fail-on-result: false
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{github.workspace}}/clj-watson-results.sarif
wait-for-processing: true
+1
View File
@@ -30,6 +30,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Codacy Security Scan
runs-on: ubuntu-latest
steps:
+14 -10
View File
@@ -34,7 +34,7 @@ jobs:
matrix:
language: [ $detected-codeql-languages ]
# CodeQL supports [ $supported-codeql-languages ]
# Learn more about CodeQL language support at https://git.io/codeql-language-support
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
steps:
- name: Checkout repository
@@ -48,23 +48,27 @@ jobs:
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
# ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
#- run: |
# make bootstrap
# make release
# - run: |
# echo "Run, Build Application using script"
# ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"
+1
View File
@@ -25,6 +25,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout repository
+53
View File
@@ -0,0 +1,53 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github.
# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action.
# Contrast Scan currently supports Java, JavaScript and .NET artifacts.
# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action
# Pre-requisites:
# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action.
# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER.
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
name: Scan analyze workflow
jobs:
build-and-scan:
permissions:
contents: read # for actions/checkout
security-events: write # for github/codeql-action/upload-sarif
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
# check out project
steps:
- uses: actions/checkout@v3
# Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here.
# -name: Build Project
# ...
# Scan Artifact
- name: Contrast Scan Action
uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1
with:
artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact
apiKey: ${{ secrets.CONTRAST_API_KEY }}
orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
#Upload the results to GitHub
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
+126
View File
@@ -0,0 +1,126 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow performs a static analysis of your source code using
# Red Hat CodeReady Dependency Analytics.
# Scans are triggered:
# 1. On every push to default and protected branches
# 2. On every Pull Request targeting the default branch
# 3. On a weekly schedule
# 4. Manually, on demand, via the "workflow_dispatch" event
# 💁 The CRDA Starter workflow will:
# - Checkout your repository
# - Setup the required tool stack
# - Install the CRDA command line tool
# - Auto detect the manifest file and install the project's dependencies
# - Perform the security scan using CRDA
# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab
# - Optionally upload the SARIF file as an artifact for the future reference
# ️ Configure your repository and the workflow with the following steps:
# 1. Setup the tool stack based on the project's requirement.
# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack
# 2. (Optional) CRDA action attempt to detect the language and install the
# required dependencies for your project. If your project doesn't aligns
# with the default dependency installation command mentioned here
# https://github.com/redhat-actions/crda/#3-installing-dependencies.
# Use the required inputs to setup the same
# 3. (Optional) CRDA action attempts to detect the manifest file if it is
# present in the root of the project and named as per the default mentioned
# here https://github.com/redhat-actions/crda/#3-installing-dependencies.
# If it deviates from the default, use the required inputs to setup the same
# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN.
# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication
# 5. (Optional) Upload SARIF file as an Artifact to download and view
# 6. Commit and push the workflow file to your default branch to trigger a workflow run.
# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback.
name: CRDA Scan
# Controls when the workflow will run
on:
# TODO: Customize trigger events based on your DevSecOps processes
#
# This workflow is made to run with OpenShift starter workflow
# https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml
# However, if you want to run this workflow as a standalone workflow, please
# uncomment the 'push' trigger below and configure it based on your requirements.
#
workflow_call:
secrets:
CRDA_KEY:
required: false
SNYK_TOKEN:
required: false
workflow_dispatch:
# push:
# branches: [ $default-branch, $protected-branches ]
# pull_request_target is used to securely share secret to the PR's workflow run.
# For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
pull_request_target:
branches: [ $default-branch ]
types: [ assigned, opened, synchronize, reopened, labeled, edited ]
permissions:
contents: read
jobs:
crda-scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for redhat-actions/crda to upload SARIF results
name: Scan project vulnerabilities with CRDA
runs-on: ubuntu-20.04
steps:
- name: Check out repository
uses: actions/checkout@v2
# *******************************************************************
# Required: Instructions to setup project
# 1. Setup Go, Java, Node.js or Python depending on your project type
# 2. Setup Actions are listed below, choose one from them:
# - Go: https://github.com/actions/setup-go
# - Java: https://github.com/actions/setup-java
# - Node.js: https://github.com/actions/setup-node
# - Python: https://github.com/actions/setup-python
#
# Example:
# - name: Setup Node
# uses: actions/setup-node@v2
# with:
# node-version: '14'
# https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md
- name: Install CRDA CLI
uses: redhat-actions/openshift-tools-installer@v1
with:
source: github
github_pat: ${{ github.token }}
# Choose the desired version of the CRDA CLI
crda: "latest"
######################################################################################
# https://github.com/redhat-actions/crda/blob/main/README.md
#
# By default, CRDA will detect the manifest file and install the required dependencies
# using the standard command for the project type.
# If your project doesn't aligns with the defaults mentioned in this action, you will
# need to set few inputs that are described here:
# https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies
# Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand
# process to get a SNYK_TOKEN or a CRDA_KEY
- name: CRDA Scan
id: scan
uses: redhat-actions/crda@v1
with:
crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token
# snyk_token: ${{ secrets.SNYK_TOKEN }}
# upload_artifact: false # Set this to false to skip artifact upload
+1 -1
View File
@@ -46,7 +46,7 @@ jobs:
- uses: actions/checkout@v3
- name: 42Crunch REST API Static Security Testing
uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1
uses: 42Crunch/api-security-audit-action@f3a4f4d44ca6f538fe84361373d7a2a374018fdd
with:
# Please create free account at https://platform.42crunch.com/register
# Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
+2 -2
View File
@@ -1,6 +1,6 @@
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
@@ -17,4 +17,4 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v1
uses: actions/dependency-review-action@v2
+50
View File
@@ -0,0 +1,50 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# ESLint is a tool for identifying and reporting on patterns
# found in ECMAScript/JavaScript code.
# More details at https://github.com/eslint/eslint
# and https://eslint.org
name: ESLint
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
eslint:
name: Run eslint scanning
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install ESLint
run: |
npm install eslint@8.10.0
npm install @microsoft/eslint-formatter-sarif@2.1.7
- name: Run ESLint
run: npx eslint .
--config .eslintrc.js
--ext .js,.jsx,.ts,.tsx
--format @microsoft/eslint-formatter-sarif
--output-file eslint-results.sarif
continue-on-error: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: eslint-results.sarif
wait-for-processing: true
+69
View File
@@ -0,0 +1,69 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# EthicalCheck addresses the critical need to continuously security test APIs in development and in production.
# EthicalCheck provides the industrys only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.
# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities.
# You develop the application and API, we bring complete and continuous security testing to you, accelerating development.
# Know your API and Applications are secure with EthicalCheck our free & automated API security testing service.
# How EthicalCheck works?
# EthicalCheck functions in the following simple steps.
# 1. Security Testing.
# Provide your OpenAPI specification or start with a public Postman collection URL.
# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing.
# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc.
# 2. Reporting.
# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities.
# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging.
# This is a starter workflow to help you get started with EthicalCheck Actions
name: EthicalCheck-Workflow
# Controls when the workflow will run
on:
# Triggers the workflow on push or pull request events but only for the $default-branch branch
# Customize trigger events based on your DevSecOps processes.
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
permissions:
contents: read
jobs:
Trigger_EthicalCheck:
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: EthicalCheck Free & Automated API Security Testing Service
uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641
with:
# The OpenAPI Specification URL or Swagger Path or Public Postman collection URL.
oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs"
# The email address to which the penetration test report will be sent.
email: "xxx@apisec.ai"
sarif-result-file: "ethicalcheck-results.sarif"
- name: Upload sarif file to repository
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./ethicalcheck-results.sarif
+56
View File
@@ -0,0 +1,56 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# Frogbot Scan and Fix does the following:
# Automatically creates pull requests with fixes for vulnerable project dependencies.
# Uses JFrog Xray to scan the project.
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
name: "Frogbot Scan and Fix"
on:
push:
branches: [ $default-branch ]
permissions:
contents: write
pull-requests: write
security-events: write
jobs:
create-fix-pull-requests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# Install prerequisites - uncomment the relevant one
# - uses: actions/setup-go@v3
# with:
# go-version: 1.17.x
# - uses: actions/setup-java@v3
# with:
# java-version: "11"
# distribution: "temurin"
# - uses: actions/setup-node@v3
# with:
# node-version: "16.x"
- uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
env:
# [Mandatory]
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
JF_URL: ${{ secrets.FROGBOT_URL }}
# [Mandatory if JF_USER and JF_PASSWORD are not provided]
# JFrog access token with 'read' permissions on Xray service
JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }}
# [Mandatory]
# The GitHub token automatically generated for the job
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# [Mandatory if using npm]
# The command that installs the dependencies
# JF_INSTALL_DEPS_CMD: "npm i"
+75
View File
@@ -0,0 +1,75 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# Frogbot Scan Pull Request does the following:
# Automatically scans new pull requests for security vulnerabilities.
# Uses JFrog Xray to scan the project.
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
name: "Frogbot Scan Pull Request"
on:
pull_request_target:
types: [ opened, synchronize ]
permissions:
pull-requests: write
contents: read
jobs:
scan-pull-request:
runs-on: ubuntu-latest
# A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
# "frogbot" GitHub environment can approve the pull request to be scanned.
environment: frogbot
steps:
- uses: actions/checkout@v2
with:
ref: ${{ github.event.pull_request.head.sha }}
# Install prerequisites - uncomment the relevant ones
# - uses: actions/setup-go@v3
# with:
# go-version: 1.17.x
# - uses: actions/setup-java@v3
# with:
# java-version: "11"
# distribution: "temurin"
# - uses: actions/setup-node@v3
# with:
# node-version: "16.x"
# The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
- uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
env:
# [Mandatory]
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
JF_URL: ${{ secrets.JF_URL }}
# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
JF_USER: ${{ secrets.JF_USER }}
# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog password. Must be provided with JF_USER
JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
# [Mandatory]
# The GitHub token automatically generated for the job
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# [Mandatory if JF_USER and JF_PASSWORD are not provided]
# JFrog access token with 'read' permissions on Xray service
# JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
# [Mandatory when using npm]
# The command that installs the dependencies
# JF_INSTALL_DEPS_CMD: "npm i"
# [Mandatory when using .NET]
# The command that installs the dependencies
# JF_INSTALL_DEPS_CMD: "dotnet restore"
# The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
+47
View File
@@ -0,0 +1,47 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# hadoint is a Dockerfile linter written in Haskell
# that helps you build best practice Docker images.
# More details at https://github.com/hadolint/hadolint
name: Hadolint
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
hadolint:
name: Run hadolint scanning
runs-on: ubuntu-latest
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run hadolint
uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183
with:
dockerfile: ./Dockerfile
format: sarif
output-file: hadolint-results.sarif
no-fail: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: hadolint-results.sarif
wait-for-processing: true
+55
View File
@@ -0,0 +1,55 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# lintr provides static code analysis for R.
# It checks for adherence to a given style,
# identifying syntax errors and possible semantic issues,
# then reports them to you so you can take action.
# More details at https://lintr.r-lib.org/
name: lintr
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
lintr:
name: Run lintr scanning
runs-on: ubuntu-latest
permissions:
contents: read # for checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup R
uses: r-lib/actions/setup-r@4e1feaf90520ec1215d1882fdddfe3411c08e492
- name: Setup lintr
uses: r-lib/actions/setup-r-dependencies@4e1feaf90520ec1215d1882fdddfe3411c08e492
with:
extra-packages: lintr
- name: Run lintr
run: lintr::sarif_output(lintr::lint_dir("."), "lintr-results.sarif")
shell: Rscript {0}
continue-on-error: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: lintr-results.sarif
wait-for-processing: true
+1
View File
@@ -21,6 +21,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
+1
View File
@@ -28,6 +28,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Analyze
runs-on: windows-latest
+175
View File
@@ -0,0 +1,175 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# Run a Nexploit Scan
# This action runs a new security scan in Nexploit, or reruns an existing one.
# Build Secure Apps & APIs. Fast.
# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love.
# Automatically Tests Every Aspect of Your Apps & APIs
# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports
# Seamlessly integrates with the Tools and Workflows You Already Use
#
# NeuraLegion works with your existing CI/CD pipelines trigger scans on every commit, pull request or build with unit testing.
# Spin-Up, Configure and Control Scans with Code
# One file. One command. One scan. No UI needed.
#
# Super-Fast Scans
#
# Interacts with applications and APIs, instead of just crawling them and guessing.
# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks.
#
# No False Positives
#
# Stop chasing ghosts and wasting time. NeuraLegion doesnt return false positives, so you can focus on releasing code.
#
# Comprehensive Security Testing
#
# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities.
#
# More information is available on NeuraLegions:
# * [Website](https://www.neuralegion.com/)
# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart)
# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw)
# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+)
#
# Inputs
#
# `name`
#
# **Required**. Scan name.
#
# _Example:_ `name: GitHub scan ${{ github.sha }}`
#
# `api_token`
#
# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens).
#
# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}`
#
# `restart_scan`
#
# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).<br> Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements.
#
# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)`
#
# `discovery_types`
#
# **Required**. Array of discovery types. The following types are available:
# * `archive` - uses an uploaded HAR-file for a scan
# * `crawler` - uses a crawler to define the attack surface for a scan
# * `oas` - uses an uploaded OpenAPI schema for a scan <br>
# If no discovery type is specified, `crawler` is applied by default.
#
# _Example:_
#
# ```yml
# discovery_types: |
# [ "crawler", "archive" ]
# ```
#
# `file_id`
#
# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login).
#
# _Example:_
#
# ```
# FILE_ID=$(nexploit-cli archive:upload \
# --token ${{ secrets.NEXPLOIT_TOKEN }} \
# --discard true \
# ./example.har)
# ```
#
# `crawler_urls`
#
# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface.
#
# _Example:_
#
# ```
# crawler_urls: |
# [ "http://vulnerable-bank.com" ]
# ```
#
# `hosts_filter`
#
# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan.
#
# Outputs
#
# `url`
#
# Url of the resulting scan
#
# `id`
#
# ID of the created scan. This ID could then be used to restart the scan, or for the following GitHub actions:
# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues)
# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan)
#
# Example usage
#
# Start a new scan with parameters
#
# ```yml
# steps:
# - name: Start Nexploit Scan
# id: start
# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
# with:
# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
# name: GitHub scan ${{ github.sha }}
# discovery_types: |
# [ "crawler", "archive" ]
# crawler_urls: |
# [ "http://vulnerable-bank.com" ]
# file_id: LiYknMYSdbSZbqgMaC9Sj
# hosts_filter: |
# [ ]
# - name: Get the output scan url
# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
# ```
#
# Restart an existing scan
#
# ```yml
# steps:
# - name: Start Nexploit Scan
# id: start
# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
# with:
# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
# name: GitHub scan ${{ github.sha }}
# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ
# - name: Get the output scan url
# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
name: "NeuraLegion"
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
neuralegion_scan:
runs-on: ubuntu-18.04
name: A job to run a Nexploit scan
steps:
- uses: actions/checkout@v2
- name: Start Nexploit Scan 🏁
id: start
uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
with:
api_token: ${{ secrets.NEURALEGION_TOKEN }}
name: GitHub scan ${{ github.sha }}
discovery_types: |
[ "crawler" ]
crawler_urls: |
[ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan
+1
View File
@@ -25,6 +25,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
+55
View File
@@ -0,0 +1,55 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# NowSecure: The Mobile Security Experts <https://www.nowsecure.com/>.
#
# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer,
# you can find it in NowSecure Platform.
#
# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access:
# <https://bit.ly/ns-git-sbom>.
#
# Instructions:
#
# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and
# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit
# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub".
#
# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
# and review the "Dependency graph" tab in the "Insights" pane once the action has run.
name: "NowSecure Mobile SBOM"
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
nowsecure:
name: NowSecure Mobile SBOM
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Build your application
run: ./gradlew assembleDebug # Update this to build your Android or iOS application
- name: NowSecure upload app
uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c
with:
token: ${{ secrets.NS_TOKEN }}
app_file: app-debug.apk # Update this to a path to your .ipa or .apk
group_id: {{ groupId }} # Update this to your desired Platform group ID
+1
View File
@@ -27,6 +27,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: windows-latest
steps:
+57
View File
@@ -0,0 +1,57 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# PHPMD is a spin-off project of PHP Depend and
# aims to be a PHP equivalent of the well known Java tool PMD.
# What PHPMD does is: It takes a given PHP source code base
# and look for several potential problems within that source.
# These problems can be things like:
# Possible bugs
# Suboptimal code
# Overcomplicated expressions
# Unused parameters, methods, properties
# More details at https://phpmd.org/
name: PHPMD
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
PHPMD:
name: Run PHPMD scanning
runs-on: ubuntu-latest
permissions:
contents: read # for checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup PHP
uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161
with:
coverage: none
tools: phpmd
- name: Run PHPMD
run: phpmd . sarif codesize --reportfile phpmd-results.sarif
continue-on-error: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: phpmd-results.sarif
wait-for-processing: true
+7
View File
@@ -13,8 +13,15 @@ on:
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
pmd-code-scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
+2 -1
View File
@@ -25,13 +25,14 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: PSScriptAnalyzer
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run PSScriptAnalyzer
uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061
uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f
with:
# Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options.
# The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules.
+1
View File
@@ -29,6 +29,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
name: Run Prisma Cloud IaC Scan to check
steps:
@@ -0,0 +1,7 @@
{
"name": "Anchore Syft SBOM Scan",
"creator": "Anchore",
"description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.",
"iconName": "anchore",
"categories": ["Code Scanning", "dockerfile", "dependency-management"]
}
@@ -1,7 +1,7 @@
{
"name": "Anchore Container Scan",
"creator": "Indeni Cloudrail",
"description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.",
"name": "Anchore Grype Vulnerability Scan",
"creator": "Anchore",
"description": "Produce source and container vulnerability reports based on Anchore's open source Grype tool.",
"iconName": "anchore",
"categories": ["Code Scanning", "dockerfile"]
}
}
@@ -0,0 +1,9 @@
{
"name": "clj-watson",
"description": "Scan Clojure/Clojurescript projects for vulnerable direct/transitive dependencies.",
"iconName": "clj-watson",
"categories": [
"Code Scanning",
"Clojure"
]
}
@@ -1,6 +1,7 @@
{
"name": "CodeQL Analysis",
"creator": "GitHub",
"enterprise": true,
"description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
"iconName": "octicon mark-github",
"categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
@@ -0,0 +1,7 @@
{
"name": "Contrast Scan",
"creator": "Contrast Security Inc",
"description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerabilities to the repository.",
"iconName": "contrast",
"categories": ["Code Scanning", "java", "javascript", "dotnet"]
}
@@ -0,0 +1,7 @@
{
"name": "Red Hat CodeReady Dependency Analytics",
"creator": "Red Hat",
"description": "Scan your project's dependencies with CodeReady Dependency Analytics.",
"iconName": "openshift",
"categories": ["Code Scanning", "Go", "Python", "Node.js", "Java"]
}
@@ -1,6 +1,6 @@
{
"name": "Dependency Review",
"description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository",
"description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository",
"iconName": "octicon mark-github",
"categories": [
"Dependency review",
@@ -0,0 +1,12 @@
{
"name": "ESLint",
"description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.",
"iconName": "eslint",
"enterprise": false,
"categories": [
"Code Scanning",
"JavaScript",
"EcmaScript",
"TypeScript"
]
}
@@ -0,0 +1,24 @@
{
"name": "EthicalCheck",
"creator": "APIsec",
"description": "EthicalCheck provides the industrys only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.",
"iconName": "apisec",
"categories": [
"Code Scanning",
"C",
"C#",
"C++",
"Go",
"Java",
"JavaScript",
"Kotlin",
"Objective C",
"PHP",
"Python",
"Ruby",
"Rust",
"Scala",
"Swift",
"TypeScript"
]
}
@@ -0,0 +1,15 @@
{
"name": "Frogbot Scan and Fix",
"description": "Automatically creates pull requests with fixes for vulnerable project dependencies. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.",
"iconName": "frogbot",
"categories": [
"Code Scanning",
"Go Module",
"Maven POM",
"NPM Config",
"Gradle",
"C#",
"Python"
],
"creator": "JFrog"
}
@@ -0,0 +1,15 @@
{
"name": "Frogbot Scan Pull Request",
"description": "Automatically scans new pull requests for security vulnerabilities. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.",
"iconName": "frogbot",
"categories": [
"Code Scanning",
"Go Module",
"Maven POM",
"NPM Config",
"Gradle",
"C#",
"Python"
],
"creator": "JFrog"
}
@@ -0,0 +1,6 @@
{
"name": "Haskell Dockerfile Linter",
"description": "A smarter Dockerfile linter that helps you build best practice Docker images.",
"iconName": "hadolint",
"categories": ["Code Scanning", "Dockerfile"]
}
@@ -0,0 +1,6 @@
{
"name": "lintr",
"description": "lintr provides static code analysis for R.",
"iconName": "lintr",
"categories": [ "Code Scanning", "R" ]
}
@@ -0,0 +1,24 @@
{
"name": "NeuraLegion",
"creator": "NeuraLegion",
"description": "Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports",
"iconName": "neuralegion",
"categories": [
"Code Scanning",
"C",
"C#",
"C++",
"Go",
"Java",
"JavaScript",
"Kotlin",
"Objective C",
"PHP",
"Python",
"Ruby",
"Rust",
"Scala",
"Swift",
"TypeScript"
]
}
@@ -0,0 +1,21 @@
{
"name": "NowSecure Mobile SBOM",
"creator": "NowSecure",
"description": "Generate a Mobile SBOM for an application and submit to Dependency Graph",
"iconName": "nowsecure",
"categories": [
"Code Scanning",
"Java",
"Kotlin",
"Scala",
"Swift",
"Objective C",
"C",
"C++",
"C#",
"Rust",
"JavaScript",
"TypeScript",
"Node"
]
}
@@ -0,0 +1,6 @@
{
"name": "PHPMD",
"description": "A spin-off project of PHP Depend and aims to be a PHP equivalent of the well known Java tool PMD.",
"iconName": "phpmd",
"categories": [ "Code Scanning", "PHP" ]
}
@@ -0,0 +1,6 @@
{
"name": "puppet-lint",
"description": "Puppet Lint tests Puppet code against the recommended Puppet language style guide.",
"iconName": "puppet-lint",
"categories": [ "Code Scanning", "Puppet" ]
}
@@ -0,0 +1,7 @@
{
"name": "Pyre",
"creator": "Meta",
"description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally providing instantaneous feedback to developers as they write code.",
"iconName": "pyre",
"categories": ["Code Scanning", "Python"]
}
@@ -0,0 +1,7 @@
{
"name": "Pysa",
"creator": "Meta",
"description": "Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location.",
"iconName": "pysa",
"categories": ["Code Scanning", "Python"]
}
@@ -1,10 +1,9 @@
{
"name": "rust-clippy",
"creator": "Rust",
"description": "A collection of lints to catch common mistakes and improve your Rust code.",
"iconName": "rust",
"categories": [
"Code Scanning",
"rust"
]
}
}
@@ -0,0 +1,11 @@
{
"name": "Sobelow",
"creator": "nccgroup",
"description": "Sobelow is a security-focused static analysis tool for the Phoenix framework.",
"iconName": "sobelow",
"categories": [
"Code Scanning",
"Elixir"
]
}
@@ -0,0 +1,7 @@
{
"name": "SOOS DAST Scan",
"creator": "SOOS",
"description": "SOOS DAST is the easy-to-integrate no-limit web vulnerability scanner. Integrate SOOS DAST with your CI pipeline to find vulnerabilities by scanning a web app or APIs.",
"iconName": "soos",
"categories": ["Code Scanning"]
}
@@ -0,0 +1,7 @@
{
"name": "Zscaler IaC Scan",
"creator": "Zscaler CWP",
"description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app",
"iconName": "zscaler",
"categories": ["Code Scanning"]
}
@@ -0,0 +1,14 @@
{
"name": "zScan",
"creator": "Zimperium",
"description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ",
"iconName": "zscan",
"categories": [
"Code Scanning",
"Java",
"Kotlin",
"Scala",
"Swift",
"Objective C"
]
}
+55
View File
@@ -0,0 +1,55 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# Puppet Lint tests Puppet code against the recommended Puppet language style guide.
# https://puppet.com/docs/puppet/7/style_guide.html
# Puppet Lint validates only code style; it does not validate syntax.
# To test syntax, use Puppet's puppet parser validate command.
# More details at https://github.com/puppetlabs/puppet-lint/
name: puppet-lint
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
puppet-lint:
name: Run puppet-lint scanning
runs-on: ubuntu-latest
permissions:
contents: read # for checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Ruby
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: 2.7
bundler-cache: true
- name: Install puppet-lint
run: gem install puppet-lint
- name: Run puppet-lint
run: puppet-lint . --sarif > puppet-lint-results.sarif
continue-on-error: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: puppet-lint-results.sarif
wait-for-processing: true
+46
View File
@@ -0,0 +1,46 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow integrates Pyre with GitHub's
# Code Scanning feature.
#
# Pyre is a performant type checker for Python compliant with
# PEP 484. Pyre can analyze codebases with millions of lines
# of code incrementally providing instantaneous feedback
# to developers as they write code.
#
# See https://pyre-check.org
name: Pyre
on:
workflow_dispatch:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
permissions:
contents: read
jobs:
pyre:
permissions:
actions: read
contents: read
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
submodules: true
- name: Run Pyre
uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d
with:
# To customize these inputs:
# See https://github.com/facebook/pyre-action#inputs
repo-directory: './'
requirements-path: 'requirements.txt'
+50
View File
@@ -0,0 +1,50 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow integrates Python Static Analyzer (Pysa) with
# GitHub's Code Scanning feature.
#
# Python Static Analyzer (Pysa) is a security-focused static
# analysis tool that tracks flows of data from where they
# originate to where they terminate in a dangerous location.
#
# See https://pyre-check.org/docs/pysa-basics/
name: Pysa
on:
workflow_dispatch:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
pysa:
permissions:
actions: read
contents: read
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
submodules: true
- name: Run Pysa
uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b
with:
# To customize these inputs:
# See https://github.com/facebook/pysa-action#inputs
repo-directory: './'
requirements-path: 'requirements.txt'
infer-types: true
include-default-sapp-filters: true
+1 -1
View File
@@ -28,7 +28,7 @@ jobs:
# If running on a self-hosted runner, check it meets the requirements
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
- name: Set up Ruby
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: 2.6

Some files were not shown because too many files have changed in this diff Show More