diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml
new file mode 100644
index 0000000..696b4f8
--- /dev/null
+++ b/.github/auto_assign.yml
@@ -0,0 +1,17 @@
+# Set to true to add reviewers to pull requests
+addReviewers: true
+
+# Set to true to add assignees to pull requests
+addAssignees: false
+
+# A list of reviewers to be added to pull requests (GitHub user name)
+reviewers:
+ - phantsure
+ - anuragc617
+ - tiwarishub
+ - vsvipul
+ - bishal-pdmsft
+
+# A number of reviewers added to the pull request
+# Set 0 to add all the reviewers (default: 0)
+numberOfReviewers: 1
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..62283f9
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 752dd99..0a98861 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -26,7 +26,7 @@ It is not:
- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests").
- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification.
-- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
+- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
**For _CI_ workflows, the workflow:**
@@ -38,10 +38,10 @@ It is not:
**For _Code Scanning_ workflows, the workflow:**
-- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci).
+- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning).
- [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows:
- [ ] `name`: Name of the Code Scanning integration.
- - [ ] `organization`: Name of the organization producing the Code Scanning integration.
+ - [ ] `creator`: Name of the organization/user producing the Code Scanning integration.
- [ ] `description`: Short description of the Code Scanning integration.
- [ ] `categories`: Array of languages supported by the Code Scanning integration.
- [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons).
diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml
new file mode 100644
index 0000000..adaa8d6
--- /dev/null
+++ b/.github/workflows/auto-assign-issues.yml
@@ -0,0 +1,15 @@
+name: Issue assignment
+
+on:
+ issues:
+ types: [opened]
+
+jobs:
+ auto-assign:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Auto-assign issue'
+ uses: pozil/auto-assign-issue@v1.11.0
+ with:
+ assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft
+ numOfAssignee: 1
diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml
new file mode 100644
index 0000000..b0789b3
--- /dev/null
+++ b/.github/workflows/auto-assign.yml
@@ -0,0 +1,10 @@
+name: 'Auto Assign'
+on:
+ pull_request_target:
+ types: [opened, ready_for_review]
+
+jobs:
+ add-reviews:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: kentaro-m/auto-assign-action@v1.2.2
diff --git a/.github/workflows/label-feature.yml b/.github/workflows/label-feature.yml
index d13cf87..122caac 100644
--- a/.github/workflows/label-feature.yml
+++ b/.github/workflows/label-feature.yml
@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Close Issue
- uses: peter-evans/close-issue@v1
+ uses: peter-evans/close-issue@v2
if: contains(github.event.issue.labels.*.name, 'feature')
with:
comment: |
diff --git a/.github/workflows/label-support.yml b/.github/workflows/label-support.yml
index ea0f240..e762afc 100644
--- a/.github/workflows/label-support.yml
+++ b/.github/workflows/label-support.yml
@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Close Issue
- uses: peter-evans/close-issue@v1
+ uses: peter-evans/close-issue@v2
if: contains(github.event.issue.labels.*.name, 'support')
with:
comment: |
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index c319ce1..002f30d 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/stale@v5
+ - uses: actions/stale@v6
with:
stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.'
stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.'
diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync-ghes.yaml
similarity index 85%
rename from .github/workflows/sync_ghes.yaml
rename to .github/workflows/sync-ghes.yaml
index fb9c623..ddd0484 100644
--- a/.github/workflows/sync_ghes.yaml
+++ b/.github/workflows/sync-ghes.yaml
@@ -2,8 +2,7 @@ name: Sync workflows for GHES
on:
push:
- branches:
- - main
+ branches: [ main ]
jobs:
sync:
@@ -18,7 +17,9 @@ jobs:
git config user.name "GitHub Actions"
- uses: actions/setup-node@v3
with:
- node-version: '12'
+ node-version: '16'
+ cache: 'npm'
+ cache-dependency-path: script/sync-ghes/package-lock.json
- name: Check starter workflows for GHES compat
run: |
npm ci
diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml
index d2ac9a5..7f8701d 100644
--- a/.github/workflows/validate-data.yaml
+++ b/.github/workflows/validate-data.yaml
@@ -14,7 +14,9 @@ jobs:
- uses: actions/setup-node@v3
with:
- node-version: "12"
+ node-version: '16'
+ cache: 'npm'
+ cache-dependency-path: script/validate-data/package-lock.json
- name: Validate workflows
run: |
diff --git a/CODEOWNERS b/CODEOWNERS
index 8866d17..0a7c0a5 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,3 +1,4 @@
* @actions/starter-workflows
-/code-scanning/ @actions/advanced-security-code-scanning
+/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows
+/pages/ @actions/pages @actions/starter-workflows
diff --git a/README.md b/README.md
index f39892f..7ff406f 100644
--- a/README.md
+++ b/README.md
@@ -12,10 +12,11 @@ These are the workflow files for helping people get started with GitHub Actions.
### Directory structure
-* [ci](ci): solutions for Continuous Integration workflows.
-* [deployments](deployments): solutions for Deployment workflows.
-* [automation](automation): solutions for automating workflows.
-* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security)
+* [ci](ci): solutions for Continuous Integration workflows
+* [deployments](deployments): solutions for Deployment workflows
+* [automation](automation): solutions for automating workflows
+* [code-scanning](code-scanning): solutions for [Code Scanning](https://github.com/features/security)
+* [pages](pages): solutions for Pages workflows
* [icons](icons): svg icons for the relevant template
Each workflow must be written in YAML and have a `.yml` extension. They also need a corresponding `.properties.json` file that contains extra metadata about the workflow (this is displayed in the GitHub.com UI).
@@ -40,6 +41,8 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`.
* monitoring
* Automation
* utilities
+* Pages
+* Hugo
### Variables
These variables can be placed in the starter workflow and will be substituted as detailed below:
diff --git a/automation/greetings.yml b/automation/greetings.yml
index 18ba13f..4677434 100644
--- a/automation/greetings.yml
+++ b/automation/greetings.yml
@@ -12,5 +12,5 @@ jobs:
- uses: actions/first-interaction@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- issue-message: 'Message that will be displayed on users first issue'
- pr-message: 'Message that will be displayed on users first pull request'
+ issue-message: "Message that will be displayed on users' first issue"
+ pr-message: "Message that will be displayed on users' first pull request"
diff --git a/ci/ant.yml b/ci/ant.yml
index 1614664..e9dba01 100644
--- a/ci/ant.yml
+++ b/ci/ant.yml
@@ -1,5 +1,5 @@
# This workflow will build a Java project with Ant
-# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-ant
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-ant
name: Java CI
diff --git a/ci/deno.yml b/ci/deno.yml
index 2234bf6..5ee940d 100644
--- a/ci/deno.yml
+++ b/ci/deno.yml
@@ -3,7 +3,7 @@
# separate terms of service, privacy policy, and support
# documentation.
-# This workflow will install Deno then run Deno lint and test.
+# This workflow will install Deno then run `deno lint` and `deno test`.
# For more information see: https://github.com/denoland/setup-deno
name: Deno
@@ -27,7 +27,7 @@ jobs:
- name: Setup Deno
# uses: denoland/setup-deno@v1
- uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e983317366
+ uses: denoland/setup-deno@9db7f66e8e16b5699a514448ce994936c63f0d54
with:
deno-version: v1.x
@@ -39,4 +39,4 @@ jobs:
run: deno lint
- name: Run tests
- run: deno test -A --unstable
+ run: deno test -A
diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
index 75f9770..11dd662 100644
--- a/ci/docker-publish.yml
+++ b/ci/docker-publish.yml
@@ -41,9 +41,9 @@ jobs:
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605
+ uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
with:
- cosign-release: 'v1.7.1'
+ cosign-release: 'v1.11.0'
# Workaround: https://github.com/docker/build-push-action/issues/461
@@ -72,12 +72,15 @@ jobs:
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
- uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+ uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
@@ -90,4 +93,4 @@ jobs:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
- run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+ run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml
index 170b3f6..fd82a39 100644
--- a/ci/dotnet-desktop.yml
+++ b/ci/dotnet-desktop.yml
@@ -69,9 +69,9 @@ jobs:
# Install the .NET Core workload
- name: Install .NET Core
- uses: actions/setup-dotnet@v2
+ uses: actions/setup-dotnet@v3
with:
- dotnet-version: 5.0.x
+ dotnet-version: 6.0.x
# Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild
- name: Setup MSBuild.exe
@@ -105,7 +105,7 @@ jobs:
# Remove the pfx
- name: Remove the pfx
- run: Remove-Item -path $env:Wap_Project_Directory\$env:Signing_Certificate
+ run: Remove-Item -path $env:Wap_Project_Directory\GitHubActionsWorkflow.pfx
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
- name: Upload build artifacts
diff --git a/ci/dotnet.yml b/ci/dotnet.yml
index 5974d4a..f11f050 100644
--- a/ci/dotnet.yml
+++ b/ci/dotnet.yml
@@ -1,3 +1,6 @@
+# This workflow will build a .NET project
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
+
name: .NET
on:
@@ -14,9 +17,9 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Setup .NET
- uses: actions/setup-dotnet@v2
+ uses: actions/setup-dotnet@v3
with:
- dotnet-version: 5.0.x
+ dotnet-version: 6.0.x
- name: Restore dependencies
run: dotnet restore
- name: Build
diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml
new file mode 100644
index 0000000..a249449
--- /dev/null
+++ b/ci/generator-generic-ossf-slsa3-publish.yml
@@ -0,0 +1,68 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA generic generator
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+permissions: read-all
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ outputs:
+ digests: ${{ steps.hash.outputs.digests }}
+
+ steps:
+ - uses: actions/checkout@v3
+
+ # ========================================================
+ #
+ # Step 1: Build your artifacts.
+ #
+ # ========================================================
+ - name: Build artifacts
+ run: |
+ # These are some amazing artifacts.
+ echo "artifact1" > artifact1
+ echo "artifact2" > artifact2
+
+ # ========================================================
+ #
+ # Step 2: Add a step to generate the provenance subjects
+ # as shown below. Update the sha256 sum arguments
+ # to include all binaries that you generate
+ # provenance for.
+ #
+ # ========================================================
+ - name: Generate subject
+ id: hash
+ run: |
+ set -euo pipefail
+
+ # List the artifacts the provenance will refer to.
+ files=$(ls artifact*)
+ # Generate the subjects (base64 encoded).
+ echo "::set-output name=digests::$(sha256sum $files | base64 -w0)"
+
+ provenance:
+ needs: [build]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+ with:
+ base64-subjects: "${{ needs.build.outputs.digests }}"
+ upload-assets: true # Optional: Upload to a new release
diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml
new file mode 100644
index 0000000..a738875
--- /dev/null
+++ b/ci/go-ossf-slsa3-publish.yml
@@ -0,0 +1,38 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you compile your Go project using a SLSA3 compliant builder.
+# This workflow will generate a so-called "provenance" file describing the steps
+# that were performed to generate the final binary.
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA Go releaser
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+permissions: read-all
+
+jobs:
+ # ========================================================================================================================================
+ # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
+ # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file
+ #=========================================================================================================================================
+ build:
+ permissions:
+ id-token: write # To sign.
+ contents: write # To upload release assets.
+ actions: read # To read workflow path.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0
+ with:
+ go-version: 1.17
+ # =============================================================================================================
+ # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects
+ # =============================================================================================================
+
diff --git a/ci/go.yml b/ci/go.yml
index 6f498a6..4d95674 100644
--- a/ci/go.yml
+++ b/ci/go.yml
@@ -1,3 +1,6 @@
+# This workflow will build a golang project
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
+
name: Go
on:
@@ -16,7 +19,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v3
with:
- go-version: 1.17
+ go-version: 1.18
- name: Build
run: go build -v ./...
diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml
index 9aeb2b8..42eae27 100644
--- a/ci/gradle-publish.yml
+++ b/ci/gradle-publish.yml
@@ -30,14 +30,14 @@ jobs:
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Build with Gradle
- uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: build
# The USERNAME and TOKEN need to correspond to the credentials environment variables used in
# the publishing section of your build.gradle
- name: Publish to GitHub Packages
- uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: publish
env:
diff --git a/ci/gradle.yml b/ci/gradle.yml
index 4642c75..2be0b58 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -3,7 +3,7 @@
# separate terms of service, privacy policy, and support
# documentation.
# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time
-# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-gradle
name: Java CI with Gradle
@@ -29,6 +29,6 @@ jobs:
java-version: '11'
distribution: 'temurin'
- name: Build with Gradle
- uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: build
diff --git a/ci/jekyll.yml b/ci/jekyll-docker.yml
similarity index 100%
rename from ci/jekyll.yml
rename to ci/jekyll-docker.yml
diff --git a/ci/maven.yml b/ci/maven.yml
index 65e0dff..c553f73 100644
--- a/ci/maven.yml
+++ b/ci/maven.yml
@@ -1,5 +1,10 @@
# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
-# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
name: Java CI with Maven
@@ -24,3 +29,7 @@ jobs:
cache: maven
- name: Build with Maven
run: mvn -B package --file pom.xml
+
+ # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
+ - name: Update dependency graph
+ uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6
diff --git a/ci/node.js.yml b/ci/node.js.yml
index 87ef0d8..f230593 100644
--- a/ci/node.js.yml
+++ b/ci/node.js.yml
@@ -1,5 +1,5 @@
# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
-# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
name: Node.js CI
@@ -16,7 +16,7 @@ jobs:
strategy:
matrix:
- node-version: [12.x, 14.x, 16.x]
+ node-version: [14.x, 16.x, 18.x]
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
steps:
diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml
index eda97e1..e39ddbf 100644
--- a/ci/npm-grunt.yml
+++ b/ci/npm-grunt.yml
@@ -12,7 +12,7 @@ jobs:
strategy:
matrix:
- node-version: [12.x, 14.x, 16.x]
+ node-version: [14.x, 16.x, 18.x]
steps:
- uses: actions/checkout@v3
diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml
index 504f22e..7606dea 100644
--- a/ci/npm-gulp.yml
+++ b/ci/npm-gulp.yml
@@ -12,7 +12,7 @@ jobs:
strategy:
matrix:
- node-version: [12.x, 14.x, 16.x]
+ node-version: [14.x, 16.x, 18.x]
steps:
- uses: actions/checkout@v3
diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml
index 638ccf8..e790f4d 100644
--- a/ci/npm-publish-github-packages.yml
+++ b/ci/npm-publish-github-packages.yml
@@ -1,5 +1,5 @@
# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
-# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
+# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
name: Node.js Package
diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml
index c461c85..6cdebaf 100644
--- a/ci/npm-publish.yml
+++ b/ci/npm-publish.yml
@@ -1,5 +1,5 @@
# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
-# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
+# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
name: Node.js Package
diff --git a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
new file mode 100644
index 0000000..32cf63d
--- /dev/null
+++ b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SLSA Generic generator",
+ "creator": "Open Source Security Foundation (OpenSSF)",
+ "description": "Generate SLSA3 provenance for your existing release workflows",
+ "iconName": "generator-generic-ossf-slsa3-publish",
+ "categories": ["Continuous integration", "Go", "Elixir", "Erlang", "PHP", "Haskell", "Rust", "Java", "Scala", "Gradle", "Maven", "Python", "C", "C++", "TypeScript", "JavaScript", "npm", "Ruby", "HTML", "Composer", "Makefile", "Ada"]
+}
diff --git a/ci/properties/go-ossf-slsa3-publish.properties.json b/ci/properties/go-ossf-slsa3-publish.properties.json
new file mode 100644
index 0000000..2d58eaf
--- /dev/null
+++ b/ci/properties/go-ossf-slsa3-publish.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SLSA Go releaser",
+ "creator": "Open Source Security Foundation (OpenSSF)",
+ "description": "Compile your Go project using a SLSA3 compliant builder",
+ "iconName": "go-ossf-slsa3-publish",
+ "categories": ["Continuous integration", "Go"]
+}
diff --git a/ci/properties/jekyll.properties.json b/ci/properties/jekyll-docker.properties.json
similarity index 80%
rename from ci/properties/jekyll.properties.json
rename to ci/properties/jekyll-docker.properties.json
index bbe279c..7c66dba 100644
--- a/ci/properties/jekyll.properties.json
+++ b/ci/properties/jekyll-docker.properties.json
@@ -1,5 +1,5 @@
{
- "name": "Jekyll",
+ "name": "Jekyll using Docker image",
"description": "Package a Jekyll site using the jekyll/builder Docker image.",
"iconName": "jekyll",
"categories": ["Continuous integration", "HTML"]
diff --git a/ci/properties/rubyonrails.properties.json b/ci/properties/rubyonrails.properties.json
index 49b29a4..7a2c18a 100644
--- a/ci/properties/rubyonrails.properties.json
+++ b/ci/properties/rubyonrails.properties.json
@@ -1,5 +1,5 @@
{
- "name": "Ruby on Rails continuous integration",
+ "name": "Ruby on Rails",
"description": "Build, lint, and test a Rails application",
"iconName": "rails",
"categories": ["Continuous integration", "Ruby", "Rails"]
diff --git a/ci/python-app.yml b/ci/python-app.yml
index 4b7fa5f..9945382 100644
--- a/ci/python-app.yml
+++ b/ci/python-app.yml
@@ -1,5 +1,5 @@
# This workflow will install Python dependencies, run tests and lint with a single version of Python
-# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
name: Python application
diff --git a/ci/python-package.yml b/ci/python-package.yml
index 583a366..de579a3 100644
--- a/ci/python-package.yml
+++ b/ci/python-package.yml
@@ -1,5 +1,5 @@
# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
-# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
name: Python package
diff --git a/ci/python-publish.yml b/ci/python-publish.yml
index ec70354..bdaab28 100644
--- a/ci/python-publish.yml
+++ b/ci/python-publish.yml
@@ -1,5 +1,5 @@
# This workflow will upload a Python Package using Twine when a release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
diff --git a/ci/ruby.yml b/ci/ruby.yml
index 256aa14..6340760 100644
--- a/ci/ruby.yml
+++ b/ci/ruby.yml
@@ -30,7 +30,7 @@ jobs:
# To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
# change this to (see https://github.com/ruby/setup-ruby#versioning):
# uses: ruby/setup-ruby@v1
- uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: ${{ matrix.ruby-version }}
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml
index 2ad891f..958a104 100644
--- a/ci/rubyonrails.yml
+++ b/ci/rubyonrails.yml
@@ -30,7 +30,7 @@ jobs:
uses: actions/checkout@v3
# Add or replace dependency steps here
- name: Install Ruby and gems
- uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
bundler-cache: true
# Add or replace database setup steps here
@@ -46,7 +46,7 @@ jobs:
- name: Checkout code
uses: actions/checkout@v3
- name: Install Ruby and gems
- uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
bundler-cache: true
# Add or replace any other lints here
diff --git a/ci/scala.yml b/ci/scala.yml
index c985f74..14ba966 100644
--- a/ci/scala.yml
+++ b/ci/scala.yml
@@ -1,3 +1,8 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
name: Scala CI
on:
@@ -21,5 +26,9 @@ jobs:
with:
java-version: '11'
distribution: 'temurin'
+ cache: 'sbt'
- name: Run tests
run: sbt test
+ # Optional: This step uploads information to the GitHub dependency graph and unblocking Dependabot alerts for the repository
+ - name: Upload dependency graph
+ uses: scalacenter/sbt-dependency-submission@ab086b50c947c9774b70f39fc7f6e20ca2706c91
diff --git a/ci/swift.yml b/ci/swift.yml
index 3668fc0..91276e3 100644
--- a/ci/swift.yml
+++ b/ci/swift.yml
@@ -1,3 +1,6 @@
+# This workflow will build a Swift project
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-swift
+
name: Swift
on:
diff --git a/ci/webpack.yml b/ci/webpack.yml
index 6449fe7..0bc6406 100644
--- a/ci/webpack.yml
+++ b/ci/webpack.yml
@@ -12,7 +12,7 @@ jobs:
strategy:
matrix:
- node-version: [12.x, 14.x, 16.x]
+ node-version: [14.x, 16.x, 18.x]
steps:
- uses: actions/checkout@v3
diff --git a/code-scanning/anchore-syft.yml b/code-scanning/anchore-syft.yml
new file mode 100644
index 0000000..8180622
--- /dev/null
+++ b/code-scanning/anchore-syft.yml
@@ -0,0 +1,38 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency
+# submission API.
+
+# For more information on the Anchore sbom-action usage
+# and parameters, see https://github.com/anchore/sbom-action. For more
+# information about the Anchore SBOM tool, Syft, see
+# https://github.com/anchore/syft
+name: Anchore Syft SBOM scan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+
+permissions:
+ contents: write
+
+jobs:
+ Anchore-Build-Scan:
+ permissions:
+ contents: write # required to upload to the Dependency submission API
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v3
+ - name: Build the Docker image
+ run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+ - name: Scan the image and upload dependency results
+ uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a
+ with:
+ image: "localbuild/testimage:latest"
+ artifact-name: image.spdx.json
+ dependency-snapshot: true
diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
index 6f52d5d..818fb70 100644
--- a/code-scanning/anchore.yml
+++ b/code-scanning/anchore.yml
@@ -9,7 +9,7 @@
# and parameters, see https://github.com/anchore/scan-action. For more
# information on Anchore's container image scanning tool Grype, see
# https://github.com/anchore/grype
-name: Anchore Container Scan
+name: Anchore Grype vulnerability scan
on:
push:
@@ -28,18 +28,21 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- - name: Checkout the code
+ - name: Check out the code
uses: actions/checkout@v3
- name: Build the Docker image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
- uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
+ - name: Run the Anchore Grype scan action
+ uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
+ id: scan
with:
image: "localbuild/testimage:latest"
- acs-report-enable: true
- - name: Upload Anchore Scan Report
+ fail-build: true
+ severity-cutoff: critical
+ - name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v2
with:
- sarif_file: results.sarif
+ sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml
index 5a9b751..209e882 100644
--- a/code-scanning/apisec-scan.yml
+++ b/code-scanning/apisec-scan.yml
@@ -46,9 +46,11 @@ permissions:
contents: read
jobs:
- Trigger APIsec scan:
+
+ Trigger_APIsec_scan:
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml
index 155208f..957343c 100644
--- a/code-scanning/brakeman.yml
+++ b/code-scanning/brakeman.yml
@@ -25,6 +25,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Brakeman Scan
runs-on: ubuntu-latest
steps:
@@ -34,7 +35,7 @@ jobs:
# Customize the ruby version depending on your needs
- name: Setup Ruby
- uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: '2.7'
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
index 297cae0..9bdb136 100644
--- a/code-scanning/checkmarx.yml
+++ b/code-scanning/checkmarx.yml
@@ -29,6 +29,7 @@ jobs:
issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues
pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
@@ -37,7 +38,7 @@ jobs:
- uses: actions/checkout@v3
# Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
- name: Checkmarx CxFlow Action
- uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314
+ uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe
with:
project: ${{ secrets.CHECKMARX_PROJECT }}
team: ${{ secrets.CHECKMARX_TEAMS }}
@@ -46,7 +47,7 @@ jobs:
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
scanners: sast
- params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory
+ params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }}
# Upload the Report for CodeQL/Security Alerts
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml
index 4150cbb..4487e23 100644
--- a/code-scanning/clj-holmes.yml
+++ b/code-scanning/clj-holmes.yml
@@ -24,6 +24,7 @@ jobs:
permissions:
contents: read
security-events: write
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v2
@@ -31,7 +32,7 @@ jobs:
- name: Scan code
uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
with:
- rules-repository: 'git://org/private-rules-repo#main'
+ # rules-repository: 'git://org/private-rules-repo#main'
output-type: 'sarif'
output-file: 'clj-holmes-results.sarif'
fail-on-result: 'false'
@@ -40,4 +41,4 @@ jobs:
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
- ait-for-processing: true
\ No newline at end of file
+ wait-for-processing: true
diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml
new file mode 100644
index 0000000..76903a9
--- /dev/null
+++ b/code-scanning/clj-watson.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# clj-watson scans dependencies in a clojure deps.edn
+# seeking for vulnerable direct/transitive dependencies and
+# build a report with all the information needed to help you
+# understand how the vulnerability manifest in your software.
+# More details at https://github.com/clj-holmes/clj-watson
+
+name: clj-watson
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ clj-holmes:
+ name: Run clj-watson scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Dependency scan
+ uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c
+ with:
+ clj-watson-sha: "65d928c"
+ clj-watson-tag: "v4.0.1"
+ database-strategy: github-advisory
+ aliases: clojure-lsp,test
+ deps-edn-path: deps.edn
+ suggest-fix: true
+ output-type: sarif
+ output-file: clj-watson-results.sarif
+ fail-on-result: false
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{github.workspace}}/clj-watson-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml
index b74e449..7b705bd 100644
--- a/code-scanning/codacy.yml
+++ b/code-scanning/codacy.yml
@@ -30,6 +30,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Codacy Security Scan
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 37109ab..34c5de7 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -34,7 +34,7 @@ jobs:
matrix:
language: [ $detected-codeql-languages ]
# CodeQL supports [ $supported-codeql-languages ]
- # Learn more about CodeQL language support at https://git.io/codeql-language-support
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
steps:
- name: Checkout repository
@@ -48,23 +48,27 @@ jobs:
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
- # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
- # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
# โน๏ธ Command-line programs to run using the OS shell.
- # ๐ https://git.io/JvXDl
+ # ๐ See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- # โ๏ธ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
- #- run: |
- # make bootstrap
- # make release
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml
index 92707b1..a9f1053 100644
--- a/code-scanning/codescan.yml
+++ b/code-scanning/codescan.yml
@@ -25,6 +25,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout repository
diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml
new file mode 100644
index 0000000..4e4deb7
--- /dev/null
+++ b/code-scanning/contrast-scan.yml
@@ -0,0 +1,53 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github.
+# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action.
+# Contrast Scan currently supports Java, JavaScript and .NET artifacts.
+# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action
+
+# Pre-requisites:
+# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action.
+# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER.
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+name: Scan analyze workflow
+jobs:
+ build-and-scan:
+ permissions:
+ contents: read # for actions/checkout
+ security-events: write # for github/codeql-action/upload-sarif
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ # check out project
+ steps:
+ - uses: actions/checkout@v3
+ # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here.
+ # -name: Build Project
+ # ...
+ # Scan Artifact
+ - name: Contrast Scan Action
+ uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1
+ with:
+ artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact
+ apiKey: ${{ secrets.CONTRAST_API_KEY }}
+ orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
+ authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
+ #Upload the results to GitHub
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml
new file mode 100644
index 0000000..d5bb88f
--- /dev/null
+++ b/code-scanning/crda.yml
@@ -0,0 +1,126 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow performs a static analysis of your source code using
+# Red Hat CodeReady Dependency Analytics.
+
+# Scans are triggered:
+# 1. On every push to default and protected branches
+# 2. On every Pull Request targeting the default branch
+# 3. On a weekly schedule
+# 4. Manually, on demand, via the "workflow_dispatch" event
+
+# ๐ The CRDA Starter workflow will:
+# - Checkout your repository
+# - Setup the required tool stack
+# - Install the CRDA command line tool
+# - Auto detect the manifest file and install the project's dependencies
+# - Perform the security scan using CRDA
+# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab
+# - Optionally upload the SARIF file as an artifact for the future reference
+
+# โน๏ธ Configure your repository and the workflow with the following steps:
+# 1. Setup the tool stack based on the project's requirement.
+# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack
+# 2. (Optional) CRDA action attempt to detect the language and install the
+# required dependencies for your project. If your project doesn't aligns
+# with the default dependency installation command mentioned here
+# https://github.com/redhat-actions/crda/#3-installing-dependencies.
+# Use the required inputs to setup the same
+# 3. (Optional) CRDA action attempts to detect the manifest file if it is
+# present in the root of the project and named as per the default mentioned
+# here https://github.com/redhat-actions/crda/#3-installing-dependencies.
+# If it deviates from the default, use the required inputs to setup the same
+# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN.
+# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication
+# 5. (Optional) Upload SARIF file as an Artifact to download and view
+# 6. Commit and push the workflow file to your default branch to trigger a workflow run.
+
+# ๐ Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback.
+
+name: CRDA Scan
+
+# Controls when the workflow will run
+on:
+ # TODO: Customize trigger events based on your DevSecOps processes
+ #
+ # This workflow is made to run with OpenShift starter workflow
+ # https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml
+ # However, if you want to run this workflow as a standalone workflow, please
+ # uncomment the 'push' trigger below and configure it based on your requirements.
+ #
+ workflow_call:
+ secrets:
+ CRDA_KEY:
+ required: false
+ SNYK_TOKEN:
+ required: false
+ workflow_dispatch:
+
+ # push:
+ # branches: [ $default-branch, $protected-branches ]
+
+ # pull_request_target is used to securely share secret to the PR's workflow run.
+ # For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
+ pull_request_target:
+ branches: [ $default-branch ]
+ types: [ assigned, opened, synchronize, reopened, labeled, edited ]
+
+permissions:
+ contents: read
+
+jobs:
+ crda-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for redhat-actions/crda to upload SARIF results
+ name: Scan project vulnerabilities with CRDA
+ runs-on: ubuntu-20.04
+ steps:
+
+ - name: Check out repository
+ uses: actions/checkout@v2
+
+ # *******************************************************************
+ # Required: Instructions to setup project
+ # 1. Setup Go, Java, Node.js or Python depending on your project type
+ # 2. Setup Actions are listed below, choose one from them:
+ # - Go: https://github.com/actions/setup-go
+ # - Java: https://github.com/actions/setup-java
+ # - Node.js: https://github.com/actions/setup-node
+ # - Python: https://github.com/actions/setup-python
+ #
+ # Example:
+ # - name: Setup Node
+ # uses: actions/setup-node@v2
+ # with:
+ # node-version: '14'
+
+ # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md
+ - name: Install CRDA CLI
+ uses: redhat-actions/openshift-tools-installer@v1
+ with:
+ source: github
+ github_pat: ${{ github.token }}
+ # Choose the desired version of the CRDA CLI
+ crda: "latest"
+
+ ######################################################################################
+ # https://github.com/redhat-actions/crda/blob/main/README.md
+ #
+ # By default, CRDA will detect the manifest file and install the required dependencies
+ # using the standard command for the project type.
+ # If your project doesn't aligns with the defaults mentioned in this action, you will
+ # need to set few inputs that are described here:
+ # https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies
+ # Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand
+ # process to get a SNYK_TOKEN or a CRDA_KEY
+ - name: CRDA Scan
+ id: scan
+ uses: redhat-actions/crda@v1
+ with:
+ crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token
+ # snyk_token: ${{ secrets.SNYK_TOKEN }}
+ # upload_artifact: false # Set this to false to skip artifact upload
diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml
index 07cd73a..1ac846e 100644
--- a/code-scanning/crunch42.yml
+++ b/code-scanning/crunch42.yml
@@ -46,7 +46,7 @@ jobs:
- uses: actions/checkout@v3
- name: 42Crunch REST API Static Security Testing
- uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1
+ uses: 42Crunch/api-security-audit-action@f3a4f4d44ca6f538fe84361373d7a2a374018fdd
with:
# Please create free account at https://platform.42crunch.com/register
# Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml
index 0e72a00..fe461b4 100644
--- a/code-scanning/dependency-review.yml
+++ b/code-scanning/dependency-review.yml
@@ -1,6 +1,6 @@
# Dependency Review Action
#
-# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
@@ -17,4 +17,4 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
- uses: actions/dependency-review-action@v1
+ uses: actions/dependency-review-action@v2
diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml
new file mode 100644
index 0000000..54b01c8
--- /dev/null
+++ b/code-scanning/eslint.yml
@@ -0,0 +1,50 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# ESLint is a tool for identifying and reporting on patterns
+# found in ECMAScript/JavaScript code.
+# More details at https://github.com/eslint/eslint
+# and https://eslint.org
+
+name: ESLint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ eslint:
+ name: Run eslint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Install ESLint
+ run: |
+ npm install eslint@8.10.0
+ npm install @microsoft/eslint-formatter-sarif@2.1.7
+
+ - name: Run ESLint
+ run: npx eslint .
+ --config .eslintrc.js
+ --ext .js,.jsx,.ts,.tsx
+ --format @microsoft/eslint-formatter-sarif
+ --output-file eslint-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: eslint-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml
new file mode 100644
index 0000000..2818bc6
--- /dev/null
+++ b/code-scanning/ethicalcheck.yml
@@ -0,0 +1,69 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# EthicalCheck addresses the critical need to continuously security test APIs in development and in production.
+
+# EthicalCheck provides the industryโs only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.
+# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities.
+
+# You develop the application and API, we bring complete and continuous security testing to you, accelerating development.
+
+# Know your API and Applications are secure with EthicalCheck โ our free & automated API security testing service.
+
+# How EthicalCheck works?
+# EthicalCheck functions in the following simple steps.
+# 1. Security Testing.
+# Provide your OpenAPI specification or start with a public Postman collection URL.
+# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing.
+# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc.
+
+# 2. Reporting.
+# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities.
+# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging.
+
+
+# This is a starter workflow to help you get started with EthicalCheck Actions
+
+name: EthicalCheck-Workflow
+
+# Controls when the workflow will run
+on:
+ # Triggers the workflow on push or pull request events but only for the $default-branch branch
+ # Customize trigger events based on your DevSecOps processes.
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ Trigger_EthicalCheck:
+ permissions:
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: EthicalCheck Free & Automated API Security Testing Service
+ uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641
+ with:
+ # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL.
+ oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs"
+ # The email address to which the penetration test report will be sent.
+ email: "xxx@apisec.ai"
+ sarif-result-file: "ethicalcheck-results.sarif"
+
+ - name: Upload sarif file to repository
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ./ethicalcheck-results.sarif
+
diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml
new file mode 100644
index 0000000..0089f10
--- /dev/null
+++ b/code-scanning/frogbot-scan-and-fix.yml
@@ -0,0 +1,56 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Frogbot Scan and Fix does the following:
+# Automatically creates pull requests with fixes for vulnerable project dependencies.
+# Uses JFrog Xray to scan the project.
+# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
+
+name: "Frogbot Scan and Fix"
+on:
+ push:
+ branches: [ $default-branch ]
+permissions:
+ contents: write
+ pull-requests: write
+ security-events: write
+jobs:
+ create-fix-pull-requests:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ # Install prerequisites - uncomment the relevant one
+
+ # - uses: actions/setup-go@v3
+ # with:
+ # go-version: 1.17.x
+
+ # - uses: actions/setup-java@v3
+ # with:
+ # java-version: "11"
+ # distribution: "temurin"
+
+ # - uses: actions/setup-node@v3
+ # with:
+ # node-version: "16.x"
+
+
+ - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
+ env:
+ # [Mandatory]
+ # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
+ JF_URL: ${{ secrets.FROGBOT_URL }}
+
+ # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+ # JFrog access token with 'read' permissions on Xray service
+ JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }}
+
+ # [Mandatory]
+ # The GitHub token automatically generated for the job
+ JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # [Mandatory if using npm]
+ # The command that installs the dependencies
+ # JF_INSTALL_DEPS_CMD: "npm i"
diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml
new file mode 100644
index 0000000..bd1a9c2
--- /dev/null
+++ b/code-scanning/frogbot-scan-pr.yml
@@ -0,0 +1,75 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Frogbot Scan Pull Request does the following:
+# Automatically scans new pull requests for security vulnerabilities.
+# Uses JFrog Xray to scan the project.
+# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
+
+name: "Frogbot Scan Pull Request"
+on:
+ pull_request_target:
+ types: [ opened, synchronize ]
+permissions:
+ pull-requests: write
+ contents: read
+jobs:
+ scan-pull-request:
+ runs-on: ubuntu-latest
+ # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
+ # "frogbot" GitHub environment can approve the pull request to be scanned.
+ environment: frogbot
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ # Install prerequisites - uncomment the relevant ones
+
+ # - uses: actions/setup-go@v3
+ # with:
+ # go-version: 1.17.x
+
+ # - uses: actions/setup-java@v3
+ # with:
+ # java-version: "11"
+ # distribution: "temurin"
+
+ # - uses: actions/setup-node@v3
+ # with:
+ # node-version: "16.x"
+
+ # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
+
+ - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
+ env:
+ # [Mandatory]
+ # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
+ JF_URL: ${{ secrets.JF_URL }}
+
+ # [Mandatory if JF_ACCESS_TOKEN is not provided]
+ # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
+ JF_USER: ${{ secrets.JF_USER }}
+
+ # [Mandatory if JF_ACCESS_TOKEN is not provided]
+ # JFrog password. Must be provided with JF_USER
+ JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+
+ # [Mandatory]
+ # The GitHub token automatically generated for the job
+ JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+ # JFrog access token with 'read' permissions on Xray service
+ # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+
+ # [Mandatory when using npm]
+ # The command that installs the dependencies
+ # JF_INSTALL_DEPS_CMD: "npm i"
+
+ # [Mandatory when using .NET]
+ # The command that installs the dependencies
+ # JF_INSTALL_DEPS_CMD: "dotnet restore"
+
+ # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml
new file mode 100644
index 0000000..3153652
--- /dev/null
+++ b/code-scanning/hadolint.yml
@@ -0,0 +1,47 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# hadoint is a Dockerfile linter written in Haskell
+# that helps you build best practice Docker images.
+# More details at https://github.com/hadolint/hadolint
+
+name: Hadolint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ hadolint:
+ name: Run hadolint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run hadolint
+ uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183
+ with:
+ dockerfile: ./Dockerfile
+ format: sarif
+ output-file: hadolint-results.sarif
+ no-fail: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: hadolint-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml
new file mode 100644
index 0000000..350df19
--- /dev/null
+++ b/code-scanning/lintr.yml
@@ -0,0 +1,55 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# lintr provides static code analysis for R.
+# It checks for adherence to a given style,
+# identifying syntax errors and possible semantic issues,
+# then reports them to you so you can take action.
+# More details at https://lintr.r-lib.org/
+
+name: lintr
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ lintr:
+ name: Run lintr scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Setup R
+ uses: r-lib/actions/setup-r@4e1feaf90520ec1215d1882fdddfe3411c08e492
+
+ - name: Setup lintr
+ uses: r-lib/actions/setup-r-dependencies@4e1feaf90520ec1215d1882fdddfe3411c08e492
+ with:
+ extra-packages: lintr
+
+ - name: Run lintr
+ run: lintr::sarif_output(lintr::lint_dir("."), "lintr-results.sarif")
+ shell: Rscript {0}
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: lintr-results.sarif
+ wait-for-processing: true
diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml
index 6d2bfb8..1013749 100644
--- a/code-scanning/mobsf.yml
+++ b/code-scanning/mobsf.yml
@@ -21,6 +21,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml
index 863fbcb..e8dac88 100644
--- a/code-scanning/msvc.yml
+++ b/code-scanning/msvc.yml
@@ -28,6 +28,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Analyze
runs-on: windows-latest
diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml
new file mode 100644
index 0000000..e24e14a
--- /dev/null
+++ b/code-scanning/neuralegion.yml
@@ -0,0 +1,175 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Run a Nexploit Scan
+# This action runs a new security scan in Nexploit, or reruns an existing one.
+# Build Secure Apps & APIs. Fast.
+# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love.
+# Automatically Tests Every Aspect of Your Apps & APIs
+# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports
+# Seamlessly integrates with the Tools and Workflows You Already Use
+#
+# NeuraLegion works with your existing CI/CD pipelines โ trigger scans on every commit, pull request or build with unit testing.
+# Spin-Up, Configure and Control Scans with Code
+# One file. One command. One scan. No UI needed.
+#
+# Super-Fast Scans
+#
+# Interacts with applications and APIs, instead of just crawling them and guessing.
+# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks.
+#
+# No False Positives
+#
+# Stop chasing ghosts and wasting time. NeuraLegion doesnโt return false positives, so you can focus on releasing code.
+#
+# Comprehensive Security Testing
+#
+# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities.
+#
+# More information is available on NeuraLegionโs:
+# * [Website](https://www.neuralegion.com/)
+# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart)
+# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw)
+# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+)
+#
+# Inputs
+#
+# `name`
+#
+# **Required**. Scan name.
+#
+# _Example:_ `name: GitHub scan ${{ github.sha }}`
+#
+# `api_token`
+#
+# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens).
+#
+# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}`
+#
+# `restart_scan`
+#
+# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements.
+#
+# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)`
+#
+# `discovery_types`
+#
+# **Required**. Array of discovery types. The following types are available:
+# * `archive` - uses an uploaded HAR-file for a scan
+# * `crawler` - uses a crawler to define the attack surface for a scan
+# * `oas` - uses an uploaded OpenAPI schema for a scan
+# If no discovery type is specified, `crawler` is applied by default.
+#
+# _Example:_
+#
+# ```yml
+# discovery_types: |
+# [ "crawler", "archive" ]
+# ```
+#
+# `file_id`
+#
+# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login).
+#
+# _Example:_
+#
+# ```
+# FILE_ID=$(nexploit-cli archive:upload \
+# --token ${{ secrets.NEXPLOIT_TOKEN }} \
+# --discard true \
+# ./example.har)
+# ```
+#
+# `crawler_urls`
+#
+# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface.
+#
+# _Example:_
+#
+# ```
+# crawler_urls: |
+# [ "http://vulnerable-bank.com" ]
+# ```
+#
+# `hosts_filter`
+#
+# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan.
+#
+# Outputs
+#
+# `url`
+#
+# Url of the resulting scan
+#
+# `id`
+#
+# ID of the created scan. This ID could then be used to restart the scan, or for the following GitHub actions:
+# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues)
+# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan)
+#
+# Example usage
+#
+# Start a new scan with parameters
+#
+# ```yml
+# steps:
+# - name: Start Nexploit Scan
+# id: start
+# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+# with:
+# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
+# name: GitHub scan ${{ github.sha }}
+# discovery_types: |
+# [ "crawler", "archive" ]
+# crawler_urls: |
+# [ "http://vulnerable-bank.com" ]
+# file_id: LiYknMYSdbSZbqgMaC9Sj
+# hosts_filter: |
+# [ ]
+# - name: Get the output scan url
+# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
+# ```
+#
+# Restart an existing scan
+#
+# ```yml
+# steps:
+# - name: Start Nexploit Scan
+# id: start
+# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+# with:
+# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
+# name: GitHub scan ${{ github.sha }}
+# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ
+# - name: Get the output scan url
+# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
+
+
+name: "NeuraLegion"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ neuralegion_scan:
+ runs-on: ubuntu-18.04
+ name: A job to run a Nexploit scan
+ steps:
+ - uses: actions/checkout@v2
+ - name: Start Nexploit Scan ๐
+ id: start
+ uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+ with:
+ api_token: ${{ secrets.NEURALEGION_TOKEN }}
+ name: GitHub scan ${{ github.sha }}
+ discovery_types: |
+ [ "crawler" ]
+ crawler_urls: |
+ [ "https://brokencrystals.com" ] # โ๏ธ Update this to the url you wish to scan
diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml
index 8c359b8..d766a6f 100644
--- a/code-scanning/njsscan.yml
+++ b/code-scanning/njsscan.yml
@@ -25,6 +25,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
diff --git a/code-scanning/nowsecure-mobile-sbom.yml b/code-scanning/nowsecure-mobile-sbom.yml
new file mode 100644
index 0000000..b9cf039
--- /dev/null
+++ b/code-scanning/nowsecure-mobile-sbom.yml
@@ -0,0 +1,55 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# NowSecure: The Mobile Security Experts .
+#
+# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer,
+# you can find it in NowSecure Platform.
+#
+# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access:
+# .
+#
+# Instructions:
+#
+# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and
+# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit
+# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub".
+#
+# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
+# and review the "Dependency graph" tab in the "Insights" pane once the action has run.
+
+name: "NowSecure Mobile SBOM"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ nowsecure:
+ name: NowSecure Mobile SBOM
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Build your application
+ run: ./gradlew assembleDebug # Update this to build your Android or iOS application
+
+ - name: NowSecure upload app
+ uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c
+ with:
+ token: ${{ secrets.NS_TOKEN }}
+ app_file: app-debug.apk # Update this to a path to your .ipa or .apk
+ group_id: {{ groupId }} # Update this to your desired Platform group ID
diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml
index cbef5a2..2bd91dd 100644
--- a/code-scanning/ossar.yml
+++ b/code-scanning/ossar.yml
@@ -27,6 +27,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: windows-latest
steps:
diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml
new file mode 100644
index 0000000..d10ace1
--- /dev/null
+++ b/code-scanning/phpmd.yml
@@ -0,0 +1,57 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# PHPMD is a spin-off project of PHP Depend and
+# aims to be a PHP equivalent of the well known Java tool PMD.
+# What PHPMD does is: It takes a given PHP source code base
+# and look for several potential problems within that source.
+# These problems can be things like:
+# Possible bugs
+# Suboptimal code
+# Overcomplicated expressions
+# Unused parameters, methods, properties
+# More details at https://phpmd.org/
+
+name: PHPMD
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ PHPMD:
+ name: Run PHPMD scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Setup PHP
+ uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161
+ with:
+ coverage: none
+ tools: phpmd
+
+ - name: Run PHPMD
+ run: phpmd . sarif codesize --reportfile phpmd-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: phpmd-results.sarif
+ wait-for-processing: true
diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml
index 0bc512c..8115116 100644
--- a/code-scanning/pmd.yml
+++ b/code-scanning/pmd.yml
@@ -13,8 +13,15 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
pmd-code-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml
index 1d72a9b..02e5de7 100644
--- a/code-scanning/powershell.yml
+++ b/code-scanning/powershell.yml
@@ -25,13 +25,14 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: PSScriptAnalyzer
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run PSScriptAnalyzer
- uses: microsoft/psscriptanalyzer-action@2044ae068e37d0161fa2127de04c19633882f061
+ uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f
with:
# Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options.
# The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules.
diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml
index 6f2031b..1a12b86 100644
--- a/code-scanning/prisma.yml
+++ b/code-scanning/prisma.yml
@@ -29,6 +29,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
name: Run Prisma Cloud IaC Scan to check
steps:
diff --git a/code-scanning/properties/anchore-syft.properties.json b/code-scanning/properties/anchore-syft.properties.json
new file mode 100644
index 0000000..aa4cb1e
--- /dev/null
+++ b/code-scanning/properties/anchore-syft.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Anchore Syft SBOM Scan",
+ "creator": "Anchore",
+ "description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.",
+ "iconName": "anchore",
+ "categories": ["Code Scanning", "dockerfile", "dependency-management"]
+}
diff --git a/code-scanning/properties/anchore.properties.json b/code-scanning/properties/anchore.properties.json
index d997da4..94634dd 100644
--- a/code-scanning/properties/anchore.properties.json
+++ b/code-scanning/properties/anchore.properties.json
@@ -1,7 +1,7 @@
{
- "name": "Anchore Container Scan",
- "creator": "Indeni Cloudrail",
- "description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.",
+ "name": "Anchore Grype Vulnerability Scan",
+ "creator": "Anchore",
+ "description": "Produce source and container vulnerability reports based on Anchore's open source Grype tool.",
"iconName": "anchore",
"categories": ["Code Scanning", "dockerfile"]
-}
\ No newline at end of file
+}
diff --git a/code-scanning/properties/clj-watson.properties.json b/code-scanning/properties/clj-watson.properties.json
new file mode 100644
index 0000000..966314a
--- /dev/null
+++ b/code-scanning/properties/clj-watson.properties.json
@@ -0,0 +1,9 @@
+{
+ "name": "clj-watson",
+ "description": "Scan Clojure/Clojurescript projects for vulnerable direct/transitive dependencies.",
+ "iconName": "clj-watson",
+ "categories": [
+ "Code Scanning",
+ "Clojure"
+ ]
+}
diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json
index ddb4627..8ee80b4 100644
--- a/code-scanning/properties/codeql.properties.json
+++ b/code-scanning/properties/codeql.properties.json
@@ -1,6 +1,7 @@
{
"name": "CodeQL Analysis",
"creator": "GitHub",
+ "enterprise": true,
"description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
"iconName": "octicon mark-github",
"categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
diff --git a/code-scanning/properties/contrast-scan.properties.json b/code-scanning/properties/contrast-scan.properties.json
new file mode 100644
index 0000000..67369b8
--- /dev/null
+++ b/code-scanning/properties/contrast-scan.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Contrast Scan",
+ "creator": "Contrast Security Inc",
+ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerabilities to the repository.",
+ "iconName": "contrast",
+ "categories": ["Code Scanning", "java", "javascript", "dotnet"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/crda.properties.json b/code-scanning/properties/crda.properties.json
new file mode 100644
index 0000000..9e1a7ac
--- /dev/null
+++ b/code-scanning/properties/crda.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Red Hat CodeReady Dependency Analytics",
+ "creator": "Red Hat",
+ "description": "Scan your project's dependencies with CodeReady Dependency Analytics.",
+ "iconName": "openshift",
+ "categories": ["Code Scanning", "Go", "Python", "Node.js", "Java"]
+}
diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json
index e84278c..c195c73 100644
--- a/code-scanning/properties/dependency-review.properties.json
+++ b/code-scanning/properties/dependency-review.properties.json
@@ -1,6 +1,6 @@
{
"name": "Dependency Review",
- "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository",
+ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository",
"iconName": "octicon mark-github",
"categories": [
"Dependency review",
diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json
new file mode 100644
index 0000000..2a1271f
--- /dev/null
+++ b/code-scanning/properties/eslint.properties.json
@@ -0,0 +1,12 @@
+{
+ "name": "ESLint",
+ "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.",
+ "iconName": "eslint",
+ "enterprise": false,
+ "categories": [
+ "Code Scanning",
+ "JavaScript",
+ "EcmaScript",
+ "TypeScript"
+ ]
+}
diff --git a/code-scanning/properties/ethicalcheck.properties.json b/code-scanning/properties/ethicalcheck.properties.json
new file mode 100644
index 0000000..8728ca7
--- /dev/null
+++ b/code-scanning/properties/ethicalcheck.properties.json
@@ -0,0 +1,24 @@
+{
+ "name": "EthicalCheck",
+ "creator": "APIsec",
+ "description": "EthicalCheck provides the industryโs only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.",
+ "iconName": "apisec",
+ "categories": [
+ "Code Scanning",
+ "C",
+ "C#",
+ "C++",
+ "Go",
+ "Java",
+ "JavaScript",
+ "Kotlin",
+ "Objective C",
+ "PHP",
+ "Python",
+ "Ruby",
+ "Rust",
+ "Scala",
+ "Swift",
+ "TypeScript"
+ ]
+}
diff --git a/code-scanning/properties/frogbot-scan-and-fix.properties.json b/code-scanning/properties/frogbot-scan-and-fix.properties.json
new file mode 100644
index 0000000..a072c5a
--- /dev/null
+++ b/code-scanning/properties/frogbot-scan-and-fix.properties.json
@@ -0,0 +1,15 @@
+{
+ "name": "Frogbot Scan and Fix",
+ "description": "Automatically creates pull requests with fixes for vulnerable project dependencies. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.",
+ "iconName": "frogbot",
+ "categories": [
+ "Code Scanning",
+ "Go Module",
+ "Maven POM",
+ "NPM Config",
+ "Gradle",
+ "C#",
+ "Python"
+ ],
+ "creator": "JFrog"
+}
diff --git a/code-scanning/properties/frogbot-scan-pr.properties.json b/code-scanning/properties/frogbot-scan-pr.properties.json
new file mode 100644
index 0000000..257f9d6
--- /dev/null
+++ b/code-scanning/properties/frogbot-scan-pr.properties.json
@@ -0,0 +1,15 @@
+{
+ "name": "Frogbot Scan Pull Request",
+ "description": "Automatically scans new pull requests for security vulnerabilities. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.",
+ "iconName": "frogbot",
+ "categories": [
+ "Code Scanning",
+ "Go Module",
+ "Maven POM",
+ "NPM Config",
+ "Gradle",
+ "C#",
+ "Python"
+ ],
+ "creator": "JFrog"
+}
diff --git a/code-scanning/properties/hadolint.properties.json b/code-scanning/properties/hadolint.properties.json
new file mode 100644
index 0000000..b4f7141
--- /dev/null
+++ b/code-scanning/properties/hadolint.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Haskell Dockerfile Linter",
+ "description": "A smarter Dockerfile linter that helps you build best practice Docker images.",
+ "iconName": "hadolint",
+ "categories": ["Code Scanning", "Dockerfile"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/lintr.properties.json b/code-scanning/properties/lintr.properties.json
new file mode 100644
index 0000000..07e9741
--- /dev/null
+++ b/code-scanning/properties/lintr.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "lintr",
+ "description": "lintr provides static code analysis for R.",
+ "iconName": "lintr",
+ "categories": [ "Code Scanning", "R" ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/neuralegion.properties.json b/code-scanning/properties/neuralegion.properties.json
new file mode 100644
index 0000000..ee64a52
--- /dev/null
+++ b/code-scanning/properties/neuralegion.properties.json
@@ -0,0 +1,24 @@
+{
+ "name": "NeuraLegion",
+ "creator": "NeuraLegion",
+ "description": "Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports",
+ "iconName": "neuralegion",
+ "categories": [
+ "Code Scanning",
+ "C",
+ "C#",
+ "C++",
+ "Go",
+ "Java",
+ "JavaScript",
+ "Kotlin",
+ "Objective C",
+ "PHP",
+ "Python",
+ "Ruby",
+ "Rust",
+ "Scala",
+ "Swift",
+ "TypeScript"
+ ]
+}
diff --git a/code-scanning/properties/nowsecure-mobile-sbom.properties.json b/code-scanning/properties/nowsecure-mobile-sbom.properties.json
new file mode 100644
index 0000000..32a7964
--- /dev/null
+++ b/code-scanning/properties/nowsecure-mobile-sbom.properties.json
@@ -0,0 +1,21 @@
+{
+ "name": "NowSecure Mobile SBOM",
+ "creator": "NowSecure",
+ "description": "Generate a Mobile SBOM for an application and submit to Dependency Graph",
+ "iconName": "nowsecure",
+ "categories": [
+ "Code Scanning",
+ "Java",
+ "Kotlin",
+ "Scala",
+ "Swift",
+ "Objective C",
+ "C",
+ "C++",
+ "C#",
+ "Rust",
+ "JavaScript",
+ "TypeScript",
+ "Node"
+ ]
+}
diff --git a/code-scanning/properties/phpmd.properties.json b/code-scanning/properties/phpmd.properties.json
new file mode 100644
index 0000000..bd95bf9
--- /dev/null
+++ b/code-scanning/properties/phpmd.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "PHPMD",
+ "description": "A spin-off project of PHP Depend and aims to be a PHP equivalent of the well known Java tool PMD.",
+ "iconName": "phpmd",
+ "categories": [ "Code Scanning", "PHP" ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/puppet-lint.properties.json b/code-scanning/properties/puppet-lint.properties.json
new file mode 100644
index 0000000..62ebd9e
--- /dev/null
+++ b/code-scanning/properties/puppet-lint.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "puppet-lint",
+ "description": "Puppet Lint tests Puppet code against the recommended Puppet language style guide.",
+ "iconName": "puppet-lint",
+ "categories": [ "Code Scanning", "Puppet" ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/pyre.properties.json b/code-scanning/properties/pyre.properties.json
new file mode 100644
index 0000000..bc12321
--- /dev/null
+++ b/code-scanning/properties/pyre.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Pyre",
+ "creator": "Meta",
+ "description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally โ providing instantaneous feedback to developers as they write code.",
+ "iconName": "pyre",
+ "categories": ["Code Scanning", "Python"]
+}
diff --git a/code-scanning/properties/pysa.properties.json b/code-scanning/properties/pysa.properties.json
new file mode 100644
index 0000000..1a61c40
--- /dev/null
+++ b/code-scanning/properties/pysa.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Pysa",
+ "creator": "Meta",
+ "description": "Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location.",
+ "iconName": "pysa",
+ "categories": ["Code Scanning", "Python"]
+}
diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json
index ea5c871..4737786 100644
--- a/code-scanning/properties/rust-clippy.properties.json
+++ b/code-scanning/properties/rust-clippy.properties.json
@@ -1,10 +1,9 @@
{
"name": "rust-clippy",
- "creator": "Rust",
"description": "A collection of lints to catch common mistakes and improve your Rust code.",
"iconName": "rust",
"categories": [
"Code Scanning",
"rust"
]
-}
\ No newline at end of file
+}
diff --git a/code-scanning/properties/sobelow.properties.json b/code-scanning/properties/sobelow.properties.json
new file mode 100644
index 0000000..163e866
--- /dev/null
+++ b/code-scanning/properties/sobelow.properties.json
@@ -0,0 +1,11 @@
+{
+ "name": "Sobelow",
+ "creator": "nccgroup",
+ "description": "Sobelow is a security-focused static analysis tool for the Phoenix framework.",
+ "iconName": "sobelow",
+ "categories": [
+ "Code Scanning",
+ "Elixir"
+ ]
+ }
+
\ No newline at end of file
diff --git a/code-scanning/properties/soos-dast-scan.properties.json b/code-scanning/properties/soos-dast-scan.properties.json
new file mode 100644
index 0000000..6ef5121
--- /dev/null
+++ b/code-scanning/properties/soos-dast-scan.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SOOS DAST Scan",
+ "creator": "SOOS",
+ "description": "SOOS DAST is the easy-to-integrate no-limit web vulnerability scanner. Integrate SOOS DAST with your CI pipeline to find vulnerabilities by scanning a web app or APIs.",
+ "iconName": "soos",
+ "categories": ["Code Scanning"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/zscaler-iac-scan.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json
new file mode 100644
index 0000000..274d17a
--- /dev/null
+++ b/code-scanning/properties/zscaler-iac-scan.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Zscaler IaC Scan",
+ "creator": "Zscaler CWP",
+ "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app",
+ "iconName": "zscaler",
+ "categories": ["Code Scanning"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/zscan.properties.json b/code-scanning/properties/zscan.properties.json
new file mode 100644
index 0000000..6b55756
--- /dev/null
+++ b/code-scanning/properties/zscan.properties.json
@@ -0,0 +1,14 @@
+{
+ "name": "zScan",
+ "creator": "Zimperium",
+ "description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. โ",
+ "iconName": "zscan",
+ "categories": [
+ "Code Scanning",
+ "Java",
+ "Kotlin",
+ "Scala",
+ "Swift",
+ "Objective C"
+ ]
+}
diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml
new file mode 100644
index 0000000..50b86db
--- /dev/null
+++ b/code-scanning/puppet-lint.yml
@@ -0,0 +1,55 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Puppet Lint tests Puppet code against the recommended Puppet language style guide.
+# https://puppet.com/docs/puppet/7/style_guide.html
+# Puppet Lint validates only code style; it does not validate syntax.
+# To test syntax, use Puppet's puppet parser validate command.
+# More details at https://github.com/puppetlabs/puppet-lint/
+
+name: puppet-lint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ puppet-lint:
+ name: Run puppet-lint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
+ with:
+ ruby-version: 2.7
+ bundler-cache: true
+
+ - name: Install puppet-lint
+ run: gem install puppet-lint
+
+ - name: Run puppet-lint
+ run: puppet-lint . --sarif > puppet-lint-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: puppet-lint-results.sarif
+ wait-for-processing: true
diff --git a/code-scanning/pyre.yml b/code-scanning/pyre.yml
new file mode 100644
index 0000000..3c32e8b
--- /dev/null
+++ b/code-scanning/pyre.yml
@@ -0,0 +1,46 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Pyre with GitHub's
+# Code Scanning feature.
+#
+# Pyre is a performant type checker for Python compliant with
+# PEP 484. Pyre can analyze codebases with millions of lines
+# of code incrementally โ providing instantaneous feedback
+# to developers as they write code.
+#
+# See https://pyre-check.org
+
+name: Pyre
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+
+permissions:
+ contents: read
+
+jobs:
+ pyre:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ submodules: true
+
+ - name: Run Pyre
+ uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d
+ with:
+ # To customize these inputs:
+ # See https://github.com/facebook/pyre-action#inputs
+ repo-directory: './'
+ requirements-path: 'requirements.txt'
diff --git a/code-scanning/pysa.yml b/code-scanning/pysa.yml
new file mode 100644
index 0000000..a9e3c81
--- /dev/null
+++ b/code-scanning/pysa.yml
@@ -0,0 +1,50 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Python Static Analyzer (Pysa) with
+# GitHub's Code Scanning feature.
+#
+# Python Static Analyzer (Pysa) is a security-focused static
+# analysis tool that tracks flows of data from where they
+# originate to where they terminate in a dangerous location.
+#
+# See https://pyre-check.org/docs/pysa-basics/
+
+name: Pysa
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ pysa:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ submodules: true
+
+ - name: Run Pysa
+ uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b
+ with:
+ # To customize these inputs:
+ # See https://github.com/facebook/pysa-action#inputs
+ repo-directory: './'
+ requirements-path: 'requirements.txt'
+ infer-types: true
+ include-default-sapp-filters: true
diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml
index ed458b2..8018ca1 100644
--- a/code-scanning/rubocop.yml
+++ b/code-scanning/rubocop.yml
@@ -28,7 +28,7 @@ jobs:
# If running on a self-hosted runner, check it meets the requirements
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
- name: Set up Ruby
- uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
with:
ruby-version: 2.6
diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml
index e9c426a..c5f10ee 100644
--- a/code-scanning/rust-clippy.yml
+++ b/code-scanning/rust-clippy.yml
@@ -25,6 +25,7 @@ jobs:
permissions:
contents: read
security-events: write
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v2
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml
index a6bde3a..11e305f 100644
--- a/code-scanning/scorecards.yml
+++ b/code-scanning/scorecards.yml
@@ -1,7 +1,14 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
name: Scorecards supply-chain security
on:
- # Only the default branch is supported.
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: $cron-weekly
push:
@@ -17,32 +24,42 @@ jobs:
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
- actions: read
- contents: read
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
steps:
- name: "Checkout code"
- uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
+ uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
with:
results_file: results.sarif
results_format: sarif
- # Read-only PAT token. To create it,
- # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
- repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
- # Publish the results to enable scorecard badges. For more details, see
- # https://github.com/ossf/scorecard-action#publishing-results.
- # For private repositories, `publish_results` will automatically be set to `false`,
- # regardless of the value entered here.
+ # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
publish_results: true
- # Upload the results as artifacts (optional).
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
- name: "Upload artifact"
- uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
with:
name: SARIF file
path: results.sarif
@@ -50,6 +67,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+ uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
with:
sarif_file: results.sarif
diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml
index fae9885..b10a930 100644
--- a/code-scanning/semgrep.yml
+++ b/code-scanning/semgrep.yml
@@ -27,6 +27,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Scan
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml
index 0fbbf87..a232c53 100644
--- a/code-scanning/snyk-container.yml
+++ b/code-scanning/snyk-container.yml
@@ -30,6 +30,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml
index a685323..3ca1035 100644
--- a/code-scanning/snyk-infrastructure.yml
+++ b/code-scanning/snyk-infrastructure.yml
@@ -29,6 +29,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml
new file mode 100644
index 0000000..7d38c77
--- /dev/null
+++ b/code-scanning/sobelow.yml
@@ -0,0 +1,41 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/
+#
+# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository.
+#
+# Instructions:
+# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
+# and review the "Security" tab once the action has run.
+name: Sobelow
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ security-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - id: run-action
+ uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912
+ - name: Upload report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml
new file mode 100644
index 0000000..95dfd67
--- /dev/null
+++ b/code-scanning/soos-dast-scan.yml
@@ -0,0 +1,50 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# SOOS is the easy-to-integrate and affordable software security solution for your whole team.
+# Learn more at https://soos.io/
+#
+# To use this action, perform the following steps:
+#
+# 1. Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA and DAST products.
+#
+# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here.
+#
+# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID.
+#
+# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token.
+#
+
+name: "SOOS DAST Scan"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+
+jobs:
+ soos:
+ permissions:
+ security-events: write # for uploading code scanning alert info
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: SOOS DAST Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Run SOOS DAST Scan
+ uses: soos-io/soos-dast-github-action@093de8c09530d4b96f12322adeb74444def866db # Use latest version from https://github.com/marketplace/actions/soos-dast
+ with:
+ client_id: ${{ secrets.SOOS_CLIENT_ID }}
+ api_key: ${{ secrets.SOOS_API_KEY }}
+ project_name: ""
+ scan_mode: "baseline"
+ target_url: "https://www.example.com/"
+ output_format: "sarif"
+ - name: Upload SOOS DAST SARIF Report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
+
+
diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml
index f075a80..f9b61b9 100644
--- a/code-scanning/sysdig-scan.yml
+++ b/code-scanning/sysdig-scan.yml
@@ -24,6 +24,7 @@ jobs:
checks: write # for sysdiglabs/scan-action to publish the checks
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml
index 6536fbe..77f8156 100644
--- a/code-scanning/tfsec.yml
+++ b/code-scanning/tfsec.yml
@@ -27,7 +27,7 @@ jobs:
uses: actions/checkout@v3
- name: Run tfsec
- uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
+ uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
with:
sarif_file: tfsec.sarif
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index 06b5cae..f56d9e5 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -22,6 +22,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Build
runs-on: "ubuntu-18.04"
steps:
@@ -33,7 +34,7 @@ jobs:
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
+ uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'template'
diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml
index b8a5b37..89d35df 100644
--- a/code-scanning/veracode.yml
+++ b/code-scanning/veracode.yml
@@ -27,6 +27,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml
index 3462eaa..5724a97 100644
--- a/code-scanning/xanitizer.yml
+++ b/code-scanning/xanitizer.yml
@@ -51,6 +51,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml
new file mode 100644
index 0000000..e880bdf
--- /dev/null
+++ b/code-scanning/zscaler-iac-scan.yml
@@ -0,0 +1,56 @@
+#This workflow uses actions that are not certified by GitHub.
+#They are provided by a third party and are governed by
+#separate terms of service, privacy policy, and support
+#documentation.
+
+#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app,
+#which detects security misconfigurations in IaC templates and publishes the findings
+#under the code scanning alerts section within the repository.
+
+#Log into the Zscaler Posture Control(ZPC) Portal to begin the onboarding process.
+#Copy the client ID and client secret key generated during the onboarding process and configure.
+#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET).
+
+#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow.
+#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation.
+
+name: Zscaler IaC Scan
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ zscaler-iac-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+ steps:
+ - name : Code Checkout
+ uses: actions/checkout@v3
+ - name : Zscaler IAC Scan
+ uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087
+ id : zscaler-iac-scan
+ with:
+ client_id : ${{ secrets.ZSCANNER_CLIENT_ID }}
+ client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }}
+ #This is the user region specified during the onboarding process within the ZPC Admin Portal.
+ region : 'US'
+ iac_dir : #Enter the IaC directory path from root.
+ iac_file : #Enter the IaC file path from root.
+ output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here.
+ #To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true.
+ fail_build : #Enter true/false
+ #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
+ - name: Upload SARIF file
+ if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}
diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml
new file mode 100644
index 0000000..1ac6bbd
--- /dev/null
+++ b/code-scanning/zscan.yml
@@ -0,0 +1,61 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android)
+# and identifies security, privacy, and compliance-related vulnerabilities. โ
+#
+# Prerequisites: โ
+# * An active Zimperium zScan account is required. If you are not an existing Zimperium
+# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us.
+# * Either GitHub Advanced Security (GHAS) or a public repository is required to display
+# issues and view the remediation information inside of GitHub code scanning alerts. โ
+#
+# For additional information and setup instructions
+# please visit: https://github.com/Zimperium/zScanMarketplace#readme
+
+name: "Zimperium zScan"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+
+permissions:
+ contents: read
+
+jobs:
+ zscan:
+ name: zScan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Execute gradle build
+ run: ./gradlew build # Change this to build your mobile application
+
+ - name: Run Zimperium zScan
+ uses: zimperium/zscanmarketplace@bfc6670f6648d796098c251ccefcfdb98983174d
+ timeout-minutes: 60
+ with:
+ # REPLACE: Zimperium Client Environment Name
+ client_env: env_string
+ # REPLACE: Zimperium Client ID
+ client_id: id_string
+ # REPLACE: Zimperium Client Secret
+ client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }}
+ # REPLACE: The path to an .ipa or .apk
+ app_file: app-release-unsigned.apk
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: Zimperium.sarif
+
\ No newline at end of file
diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml
index d7c27d9..9853b75 100644
--- a/deployments/alibabacloud.yml
+++ b/deployments/alibabacloud.yml
@@ -21,8 +21,7 @@ name: Build and Deploy to ACK
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
# Environment variables available to all jobs and steps in this workflow.
env:
diff --git a/deployments/aws.yml b/deployments/aws.yml
index fe5e076..9585844 100644
--- a/deployments/aws.yml
+++ b/deployments/aws.yml
@@ -28,8 +28,7 @@ name: Deploy to Amazon ECS
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
env:
AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1
@@ -41,6 +40,9 @@ env:
CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the
# containerDefinitions section of your task definition
+permissions:
+ contents: read
+
jobs:
deploy:
name: Deploy
diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml
index c882bde..cc2e1dd 100644
--- a/deployments/azure-container-webapp.yml
+++ b/deployments/azure-container-webapp.yml
@@ -31,10 +31,12 @@ env:
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -63,6 +65,8 @@ jobs:
file: ./Dockerfile
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml
index 948e7db..86582e7 100644
--- a/deployments/azure-kubernetes-service-helm.yml
+++ b/deployments/azure-kubernetes-service-helm.yml
@@ -1,25 +1,27 @@
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
#
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# The ACR should be attached to the AKS cluster
# For instructions see:
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters
# - https://github.com/Azure/aks-create-action
#
# To configure this workflow:
#
-# 1. Set the following secrets in your repository (instructions for getting these
-# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
-# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
#
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm.
# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration.
@@ -34,8 +36,7 @@ name: Build and deploy an app to AKS with Helm
on:
push:
- branches:
- - $default-branch
+ branches: [$default-branch]
workflow_dispatch:
env:
@@ -43,80 +44,75 @@ env:
CONTAINER_NAME: "your-container-name"
RESOURCE_GROUP: "your-resource-group"
CLUSTER_NAME: "your-cluster-name"
- IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
CHART_PATH: "your-chart-path"
CHART_OVERRIDE_PATH: "your-chart-override-path"
jobs:
- build:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ deploy:
permissions:
actions: read
contents: read
id-token: write
-
runs-on: ubuntu-latest
+ needs: [buildImage]
steps:
- # Checks out the repository this file is in
- - uses: actions/checkout@v3
-
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.3
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Builds and pushes an image up to your Azure Container Registry
- - name: Build and push image to ACR
- run: |
- az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
- # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- - name: Get K8s context
- uses: azure/aks-set-context@v2.0
- with:
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- # Retrieves the credentials for pulling images from your Azure Container Registry
- - name: Get ACR credentials
- run: |
- az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
- ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
- ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
- echo "::set-output name=username::${ACR_USERNAME}"
- echo "::set-output name=password::${ACR_PASSWORD}"
- id: get-acr-creds
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
- # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
- - name: Create K8s secret for pulling image from ACR
- uses: Azure/k8s-create-secret@v1.1
- with:
- container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
- container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
- container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+ # Runs Helm to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2
+ with:
+ renderEngine: "helm"
+ helmChart: ${{ env.CHART_PATH }}
+ overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
+ overrides: |
+ replicas:2
+ helm-version: "latest"
+ id: bake
- # Runs Helm to create manifest files
- - name: Bake deployment
- uses: azure/k8s-bake@v2.1
- with:
- renderEngine: 'helm'
- helmChart: ${{ env.CHART_PATH }}
- overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
- overrides: |
- replicas:2
- helm-version: 'latest'
- id: bake
-
- # Deploys application based on manifest files from previous step
- - name: Deploy application
- uses: Azure/k8s-deploy@v3.0
- with:
- action: deploy
- manifests: ${{ steps.bake.outputs.manifestsBundle }}
- images: |
- ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
- imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v4
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml
index 7c25319..a0e6bdd 100644
--- a/deployments/azure-kubernetes-service-kompose.yml
+++ b/deployments/azure-kubernetes-service-kompose.yml
@@ -1,25 +1,27 @@
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
#
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# The ACR should be attached to the AKS cluster
# For instructions see:
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters
# - https://github.com/Azure/aks-create-action
#
# To configure this workflow:
#
-# 1. Set the following secrets in your repository (instructions for getting these
-# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
-# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
#
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose.
# Set your dockerComposeFile and kompose-version to suit your configuration.
@@ -31,81 +33,81 @@
name: Build and deploy an app to AKS with Kompose
+on:
+ push:
+ branches: [$default-branch]
+ workflow_dispatch:
+
env:
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
CONTAINER_NAME: "your-container-name"
RESOURCE_GROUP: "your-resource-group"
CLUSTER_NAME: "your-cluster-name"
- IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path"
jobs:
- build:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ deploy:
permissions:
actions: read
contents: read
id-token: write
-
runs-on: ubuntu-latest
+ needs: [buildImage]
steps:
- # Checks out the repository this file is in
- - uses: actions/checkout@v3
-
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.3
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Builds and pushes an image up to your Azure Container Registry
- - name: Build and push image to ACR
- run: |
- az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
- # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- - name: Get K8s context
- uses: azure/aks-set-context@v2.0
- with:
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- # Retrieves the credentials for pulling images from your Azure Container Registry
- - name: Get ACR credentials
- run: |
- az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
- ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
- ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
- echo "::set-output name=username::${ACR_USERNAME}"
- echo "::set-output name=password::${ACR_PASSWORD}"
- id: get-acr-creds
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
- # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
- - name: Create K8s secret for pulling image from ACR
- uses: Azure/k8s-create-secret@v1.1
- with:
- container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
- container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
- container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+ # Runs Kompose to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2
+ with:
+ renderEngine: "kompose"
+ dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }}
+ kompose-version: "latest"
+ id: bake
- # Runs Kompose to create manifest files
- - name: Bake deployment
- uses: azure/k8s-bake@v2.1
- with:
- renderEngine: 'kompose'
- dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }}
- kompose-version: 'latest'
- id: bake
-
- # Deploys application based on manifest files from previous step
- - name: Deploy application
- uses: Azure/k8s-deploy@v3.0
- with:
- action: deploy
- manifests: ${{ steps.bake.outputs.manifestsBundle }}
- images: |
- ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
- imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v4
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml
index f6928d0..6c87057 100644
--- a/deployments/azure-kubernetes-service-kustomize.yml
+++ b/deployments/azure-kubernetes-service-kustomize.yml
@@ -1,25 +1,27 @@
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
#
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# The ACR should be attached to the AKS cluster
# For instructions see:
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters
# - https://github.com/Azure/aks-create-action
#
# To configure this workflow:
#
-# 1. Set the following secrets in your repository (instructions for getting these
-# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
-# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
#
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize.
# Set your kustomizationPath and kubectl-version to suit your configuration.
@@ -33,8 +35,7 @@ name: Build and deploy an app to AKS with Kustomize
on:
push:
- branches:
- - $default-branch
+ branches: [$default-branch]
workflow_dispatch:
env:
@@ -42,76 +43,71 @@ env:
CONTAINER_NAME: "your-container-name"
RESOURCE_GROUP: "your-resource-group"
CLUSTER_NAME: "your-cluster-name"
- IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
KUSTOMIZE_PATH: "your-kustomize-path"
jobs:
- build:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ deploy:
permissions:
actions: read
contents: read
id-token: write
-
runs-on: ubuntu-latest
+ needs: [buildImage]
steps:
- # Checks out the repository this file is in
- - uses: actions/checkout@v3
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.3
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Builds and pushes an image up to your Azure Container Registry
- - name: Build and push image to ACR
- run: |
- az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- - name: Get K8s context
- uses: azure/aks-set-context@v2.0
- with:
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
- # Retrieves the credentials for pulling images from your Azure Container Registry
- - name: Get ACR credentials
- run: |
- az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
- ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
- ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
- echo "::set-output name=username::${ACR_USERNAME}"
- echo "::set-output name=password::${ACR_PASSWORD}"
- id: get-acr-creds
+ # Runs Kustomize to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2
+ with:
+ renderEngine: "kustomize"
+ kustomizationPath: ${{ env.KUSTOMIZE_PATH }}
+ kubectl-version: latest
+ id: bake
- # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
- - name: Create K8s secret for pulling image from ACR
- uses: Azure/k8s-create-secret@v1.1
- with:
- container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
- container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
- container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
-
- # Runs Kustomize to create manifest files
- - name: Bake deployment
- uses: azure/k8s-bake@v2.1
- with:
- renderEngine: 'kustomize'
- kustomizationPath: ${{ env.KUSTOMIZE_PATH }}
- kubectl-version: latest
- id: bake
-
- # Deploys application based on manifest files from previous step
- - name: Deploy application
- uses: Azure/k8s-deploy@v3.0
- with:
- action: deploy
- manifests: ${{ steps.bake.outputs.manifestsBundle }}
- images: |
- ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
- imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v4
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml
index bb513d4..f0b2b38 100644
--- a/deployments/azure-kubernetes-service.yml
+++ b/deployments/azure-kubernetes-service.yml
@@ -1,15 +1,16 @@
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
#
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# The ACR should be attached to the AKS cluster
# For instructions see:
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters
# - https://github.com/Azure/aks-create-action
#
# To configure this workflow:
#
-# 1. Set the following secrets in your repository (instructions for getting these
-# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
@@ -19,7 +20,7 @@
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment)
#
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
@@ -30,8 +31,7 @@ name: Build and deploy an app to AKS
on:
push:
- branches:
- - $default-branch
+ branches: [$default-branch]
workflow_dispatch:
env:
@@ -39,67 +39,62 @@ env:
CONTAINER_NAME: "your-container-name"
RESOURCE_GROUP: "your-resource-group"
CLUSTER_NAME: "your-cluster-name"
- IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
- DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path'
+ DEPLOYMENT_MANIFEST_PATH: "your-deployment-manifest-path"
jobs:
- build:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ deploy:
permissions:
actions: read
contents: read
id-token: write
-
runs-on: ubuntu-latest
+ needs: [buildImage]
steps:
- # Checks out the repository this file is in
- - uses: actions/checkout@v3
-
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.3
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Builds and pushes an image up to your Azure Container Registry
- - name: Build and push image to ACR
- run: |
- az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
- # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- - name: Get K8s context
- uses: azure/aks-set-context@v2.0
- with:
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- # Retrieves the credentials for pulling images from your Azure Container Registry
- - name: Get ACR credentials
- run: |
- az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
- ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
- ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
- echo "::set-output name=username::${ACR_USERNAME}"
- echo "::set-output name=password::${ACR_PASSWORD}"
- id: get-acr-creds
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
- # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
- - name: Create K8s secret for pulling image from ACR
- uses: Azure/k8s-create-secret@v1.1
- with:
- container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
- container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
- container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
-
- # Deploys application based on given manifest file
- - name: Deploys application
- uses: Azure/k8s-deploy@v3.0
- with:
- action: deploy
- manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
- images: |
- ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
- imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+ # Deploys application based on given manifest file
+ - name: Deploys application
+ uses: Azure/k8s-deploy@v4
+ with:
+ action: deploy
+ manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml
index becfede..8fe07ce 100644
--- a/deployments/azure-staticwebapp.yml
+++ b/deployments/azure-staticwebapp.yml
@@ -14,12 +14,10 @@ name: Deploy web app to Azure Static Web Apps
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
pull_request:
types: [opened, synchronize, reopened, closed]
- branches:
- - $default-branch
+ branches: [ $default-branch ]
# Environment variables available to all jobs and steps in this workflow
env:
@@ -28,8 +26,14 @@ env:
APP_ARTIFACT_LOCATION: "build" # location of client code build output
AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app
+permissions:
+ contents: read
+
jobs:
build_and_deploy_job:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs
if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
runs-on: ubuntu-latest
name: Build and Deploy Job
@@ -52,6 +56,8 @@ jobs:
###### End of Repository/Build Configurations ######
close_pull_request_job:
+ permissions:
+ contents: none
if: github.event_name == 'pull_request' && github.event.action == 'closed'
runs-on: ubuntu-latest
name: Close Pull Request Job
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml
index 3357dc8..9b21895 100644
--- a/deployments/azure-webapps-dotnet-core.yml
+++ b/deployments/azure-webapps-dotnet-core.yml
@@ -26,10 +26,12 @@ env:
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -63,6 +65,8 @@ jobs:
path: ${{env.DOTNET_ROOT}}/myapp
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml
index d29b0c9..60fa68c 100644
--- a/deployments/azure-webapps-java-jar.yml
+++ b/deployments/azure-webapps-java-jar.yml
@@ -26,10 +26,12 @@ env:
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -54,6 +56,8 @@ jobs:
path: '${{ github.workspace }}/target/*.jar'
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml
index c967bdb..98e72c2 100644
--- a/deployments/azure-webapps-node.yml
+++ b/deployments/azure-webapps-node.yml
@@ -19,8 +19,7 @@
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
@@ -28,6 +27,9 @@ env:
AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
NODE_VERSION: '14.x' # set this to the node version to use
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -53,6 +55,8 @@ jobs:
path: .
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml
index 04f55f4..4d08dbd 100644
--- a/deployments/azure-webapps-php.yml
+++ b/deployments/azure-webapps-php.yml
@@ -21,8 +21,7 @@ name: Build and deploy PHP app to Azure Web App
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
env:
@@ -30,6 +29,9 @@ env:
AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
PHP_VERSION: '8.x' # set this to the PHP version to use
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -74,6 +76,8 @@ jobs:
path: .
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml
index af6a9dd..d7aa802 100644
--- a/deployments/azure-webapps-python.yml
+++ b/deployments/azure-webapps-python.yml
@@ -25,10 +25,12 @@ env:
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -61,6 +63,8 @@ jobs:
!venv/
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml
index b8d0511..bd748f8 100644
--- a/deployments/google-cloudrun-docker.yml
+++ b/deployments/google-cloudrun-docker.yml
@@ -46,8 +46,7 @@ name: Build and Deploy to Cloud Run
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
env:
PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml
index 2916b45..e6fcb52 100644
--- a/deployments/google-cloudrun-source.yml
+++ b/deployments/google-cloudrun-source.yml
@@ -48,8 +48,7 @@ name: Deploy to Cloud Run from Source
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
env:
PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
diff --git a/deployments/google.yml b/deployments/google.yml
index 6150672..846452a 100644
--- a/deployments/google.yml
+++ b/deployments/google.yml
@@ -14,8 +14,7 @@ name: Build and Deploy to GKE
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
env:
PROJECT_ID: ${{ secrets.GKE_PROJECT }}
diff --git a/deployments/ibm.yml b/deployments/ibm.yml
index cb3080f..53a58c5 100644
--- a/deployments/ibm.yml
+++ b/deployments/ibm.yml
@@ -10,8 +10,7 @@ name: Build and Deploy to IKS
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
# Environment variables available to all jobs and steps in this workflow
env:
diff --git a/deployments/openshift.yml b/deployments/openshift.yml
index 5775cb0..8504059 100644
--- a/deployments/openshift.yml
+++ b/deployments/openshift.yml
@@ -54,15 +54,30 @@ env:
on:
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+ workflow_dispatch:
push:
# Edit to the branch(es) you want to build and deploy on each push.
branches: [ $default-branch ]
jobs:
+ # ๐๏ธ EDIT if you want to run vulnerability check on your project before deploying
+ # the application. Please uncomment the below CRDA scan job and configure to run it in
+ # your workflow. For details about CRDA action visit https://github.com/redhat-actions/crda/blob/main/README.md
+ #
+ # TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab.
+ # For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows
+
+ crda-scan:
+ uses: ./.github/workflows/crda.yml
+ secrets:
+ CRDA_KEY: ${{ secrets.CRDA_KEY }}
+ # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY
+
openshift-ci-cd:
+ # ๐๏ธ Uncomment this if you are using CRDA scan step above
+ # needs: crda-scan
name: Build and deploy to OpenShift
- # ubuntu-20.04 can also be used.
- runs-on: ubuntu-18.04
+ runs-on: ubuntu-20.04
environment: production
outputs:
diff --git a/deployments/tencent.yml b/deployments/tencent.yml
index 2bf2a68..ba65fe5 100644
--- a/deployments/tencent.yml
+++ b/deployments/tencent.yml
@@ -17,8 +17,7 @@ name: Tencent Kubernetes Engine
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
# Environment variables available to all jobs and steps in this workflow
env:
@@ -27,6 +26,9 @@ env:
TKE_CLUSTER_ID: cls-mywebapp
DEPLOYMENT_NAME: tke-test
+permissions:
+ contents: read
+
jobs:
setup-build-publish-deploy:
name: Setup, Build, Publish, and Deploy
diff --git a/deployments/terraform.yml b/deployments/terraform.yml
index 6142d2c..c06f685 100644
--- a/deployments/terraform.yml
+++ b/deployments/terraform.yml
@@ -46,10 +46,12 @@ name: 'Terraform'
on:
push:
- branches:
- - $default-branch
+ branches: [ $default-branch ]
pull_request:
+permissions:
+ contents: read
+
jobs:
terraform:
name: 'Terraform'
diff --git a/icons/astro.svg b/icons/astro.svg
new file mode 100644
index 0000000..ff9dd54
--- /dev/null
+++ b/icons/astro.svg
@@ -0,0 +1,20 @@
+
diff --git a/icons/clj-watson.svg b/icons/clj-watson.svg
new file mode 100644
index 0000000..74459e5
--- /dev/null
+++ b/icons/clj-watson.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/contrast.svg b/icons/contrast.svg
new file mode 100644
index 0000000..7680157
--- /dev/null
+++ b/icons/contrast.svg
@@ -0,0 +1,16 @@
+
+
+
diff --git a/icons/eslint.svg b/icons/eslint.svg
new file mode 100644
index 0000000..23964aa
--- /dev/null
+++ b/icons/eslint.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/frogbot.svg b/icons/frogbot.svg
new file mode 100644
index 0000000..21100d9
--- /dev/null
+++ b/icons/frogbot.svg
@@ -0,0 +1,80 @@
+
diff --git a/icons/gatsby.svg b/icons/gatsby.svg
new file mode 100644
index 0000000..5578b06
--- /dev/null
+++ b/icons/gatsby.svg
@@ -0,0 +1,7 @@
+
diff --git a/icons/generator-generic-ossf-slsa3-publish.svg b/icons/generator-generic-ossf-slsa3-publish.svg
new file mode 100644
index 0000000..ea77468
--- /dev/null
+++ b/icons/generator-generic-ossf-slsa3-publish.svg
@@ -0,0 +1,11 @@
+
+
diff --git a/icons/go-ossf-slsa3-publish.svg b/icons/go-ossf-slsa3-publish.svg
new file mode 100644
index 0000000..ea77468
--- /dev/null
+++ b/icons/go-ossf-slsa3-publish.svg
@@ -0,0 +1,11 @@
+
+
diff --git a/icons/hadolint.svg b/icons/hadolint.svg
new file mode 100644
index 0000000..048b86c
--- /dev/null
+++ b/icons/hadolint.svg
@@ -0,0 +1,131 @@
+
+
+
diff --git a/icons/hugo.svg b/icons/hugo.svg
new file mode 100644
index 0000000..ea72a6f
--- /dev/null
+++ b/icons/hugo.svg
@@ -0,0 +1,9 @@
+
diff --git a/icons/jekyll-tube.svg b/icons/jekyll-tube.svg
new file mode 100644
index 0000000..89dd55d
--- /dev/null
+++ b/icons/jekyll-tube.svg
@@ -0,0 +1 @@
+
diff --git a/icons/lintr.svg b/icons/lintr.svg
new file mode 100644
index 0000000..cdc40d8
--- /dev/null
+++ b/icons/lintr.svg
@@ -0,0 +1,679 @@
+
+
+
+
diff --git a/icons/neuralegion.svg b/icons/neuralegion.svg
new file mode 100644
index 0000000..0534225
--- /dev/null
+++ b/icons/neuralegion.svg
@@ -0,0 +1,57 @@
+
+
+
diff --git a/icons/nextjs.svg b/icons/nextjs.svg
new file mode 100644
index 0000000..c45d6e6
--- /dev/null
+++ b/icons/nextjs.svg
@@ -0,0 +1,3 @@
+
diff --git a/icons/nuxtjs.svg b/icons/nuxtjs.svg
new file mode 100644
index 0000000..bebded3
--- /dev/null
+++ b/icons/nuxtjs.svg
@@ -0,0 +1,4 @@
+
diff --git a/icons/phpmd.svg b/icons/phpmd.svg
new file mode 100644
index 0000000..7697766
--- /dev/null
+++ b/icons/phpmd.svg
@@ -0,0 +1,595 @@
+
+
+
+
diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg
new file mode 100644
index 0000000..4e5d4d0
--- /dev/null
+++ b/icons/puppet-lint.svg
@@ -0,0 +1,95 @@
+
+
+
+
diff --git a/icons/pyre.svg b/icons/pyre.svg
new file mode 100644
index 0000000..2af14c0
--- /dev/null
+++ b/icons/pyre.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/pysa.svg b/icons/pysa.svg
new file mode 100644
index 0000000..ed60fb1
--- /dev/null
+++ b/icons/pysa.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/sobelow.svg b/icons/sobelow.svg
new file mode 100644
index 0000000..4d243ea
--- /dev/null
+++ b/icons/sobelow.svg
@@ -0,0 +1,20 @@
+
+
+
diff --git a/icons/soos.svg b/icons/soos.svg
new file mode 100644
index 0000000..17a31fc
--- /dev/null
+++ b/icons/soos.svg
@@ -0,0 +1,17 @@
+
+
+
diff --git a/icons/zscaler.svg b/icons/zscaler.svg
new file mode 100644
index 0000000..3897442
--- /dev/null
+++ b/icons/zscaler.svg
@@ -0,0 +1,3 @@
+
diff --git a/icons/zscan.svg b/icons/zscan.svg
new file mode 100644
index 0000000..1dff416
--- /dev/null
+++ b/icons/zscan.svg
@@ -0,0 +1,11 @@
+
+
+
diff --git a/pages/astro.yml b/pages/astro.yml
new file mode 100644
index 0000000..1d4ec5f
--- /dev/null
+++ b/pages/astro.yml
@@ -0,0 +1,76 @@
+# Sample workflow for building and deploying an Astro site to GitHub Pages
+#
+# To get started with Astro see: https://docs.astro.build/en/getting-started/
+#
+name: Deploy Astro site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+env:
+ BUILD_PATH: "." # default value when not using subfolders
+ # BUILD_PATH: subfolder
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "::set-output name=manager::yarn"
+ echo "::set-output name=command::install"
+ echo "::set-output name=runner::yarn"
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "::set-output name=manager::npm"
+ echo "::set-output name=command::ci"
+ echo "::set-output name=runner::npx --no-install"
+ exit 0
+ else
+ echo "Unable to determine packager manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v3
+ with:
+ node-version: "16"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json
+ - run: npm install && npm run build
+ working-directory: ${{ env.BUILD_PATH }}
+ - uses: actions/upload-pages-artifact@v1
+ with:
+ path: ${{ env.BUILD_PATH }}/dist
+
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ needs: build
+ runs-on: ubuntu-latest
+ name: Deploy
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/gatsby.yml b/pages/gatsby.yml
new file mode 100644
index 0000000..4f2857d
--- /dev/null
+++ b/pages/gatsby.yml
@@ -0,0 +1,96 @@
+# Sample workflow for building and deploying a Gatsby site to GitHub Pages
+#
+# To get started with Gatsby see: https://www.gatsbyjs.com/docs/quick-start/
+#
+name: Deploy Gatsby site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+# Default to bash
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "::set-output name=manager::yarn"
+ echo "::set-output name=command::install"
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "::set-output name=manager::npm"
+ echo "::set-output name=command::ci"
+ exit 0
+ else
+ echo "Unable to determine packager manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v3
+ with:
+ node-version: "16"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v2
+ with:
+ # Automatically inject pathPrefix in your Gatsby configuration file.
+ #
+ # You may remove this line if you want to manage the configuration yourself.
+ static_site_generator: gatsby
+ - name: Restore cache
+ uses: actions/cache@v3
+ with:
+ path: |
+ public
+ .cache
+ key: ${{ runner.os }}-gatsby-build-${{ hashFiles('public') }}
+ restore-keys: |
+ ${{ runner.os }}-gatsby-build-
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ - name: Build with Gatsby
+ env:
+ PREFIX_PATHS: 'true'
+ run: ${{ steps.detect-package-manager.outputs.manager }} run build
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: ./public
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/hugo.yml b/pages/hugo.yml
new file mode 100644
index 0000000..f273fb2
--- /dev/null
+++ b/pages/hugo.yml
@@ -0,0 +1,70 @@
+# Sample workflow for building and deploying a Hugo site to GitHub Pages
+name: Deploy Hugo site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+# Default to bash
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ env:
+ HUGO_VERSION: 0.102.3
+ steps:
+ - name: Install Hugo CLI
+ run: |
+ wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_Linux-64bit.deb \
+ && sudo dpkg -i ${{ runner.temp }}/hugo.deb
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ submodules: recursive
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v2
+ - name: Build with Hugo
+ env:
+ # For maximum backward compatibility with Hugo modules
+ HUGO_ENVIRONMENT: production
+ HUGO_ENV: production
+ run: |
+ hugo \
+ --minify \
+ --baseURL "${{ steps.pages.outputs.base_url }}/"
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: ./public
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml
new file mode 100644
index 0000000..8c7a207
--- /dev/null
+++ b/pages/jekyll-gh-pages.yml
@@ -0,0 +1,50 @@
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll with GitHub Pages dependencies preinstalled
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Setup Pages
+ uses: actions/configure-pages@v2
+ - name: Build with Jekyll
+ uses: actions/jekyll-build-pages@v1
+ with:
+ source: ./
+ destination: ./_site
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/jekyll.yml b/pages/jekyll.yml
new file mode 100644
index 0000000..d039d12
--- /dev/null
+++ b/pages/jekyll.yml
@@ -0,0 +1,63 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
+ with:
+ ruby-version: '3.0' # Not needed with a .ruby-version file
+ bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+ cache-version: 0 # Increment this number if you need to re-download cached gems
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v2
+ - name: Build with Jekyll
+ # Outputs to the './_site' directory by default
+ run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
+ env:
+ JEKYLL_ENV: production
+ - name: Upload artifact
+ # Automatically uploads an artifact from the './_site' directory by default
+ uses: actions/upload-pages-artifact@v1
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/nextjs.yml b/pages/nextjs.yml
new file mode 100644
index 0000000..5c2bf67
--- /dev/null
+++ b/pages/nextjs.yml
@@ -0,0 +1,94 @@
+# Sample workflow for building and deploying a Next.js site to GitHub Pages
+#
+# To get started with Next.js see: https://nextjs.org/docs/getting-started
+#
+name: Deploy Next.js site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "::set-output name=manager::yarn"
+ echo "::set-output name=command::install"
+ echo "::set-output name=runner::yarn"
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "::set-output name=manager::npm"
+ echo "::set-output name=command::ci"
+ echo "::set-output name=runner::npx --no-install"
+ exit 0
+ else
+ echo "Unable to determine packager manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v3
+ with:
+ node-version: "16"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ - name: Setup Pages
+ uses: actions/configure-pages@v2
+ with:
+ # Automatically inject basePath in your Next.js configuration file and disable
+ # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized).
+ #
+ # You may remove this line if you want to manage the configuration yourself.
+ static_site_generator: next
+ - name: Restore cache
+ uses: actions/cache@v3
+ with:
+ path: |
+ .next/cache
+ # Generate a new cache whenever packages or source files change.
+ key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
+ # If source files changed but packages didn't, rebuild from a prior cache.
+ restore-keys: |
+ ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ - name: Build with Next.js
+ run: ${{ steps.detect-package-manager.outputs.runner }} next build
+ - name: Static HTML export with Next.js
+ run: ${{ steps.detect-package-manager.outputs.runner }} next export
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: ./out
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml
new file mode 100644
index 0000000..4178f18
--- /dev/null
+++ b/pages/nuxtjs.yml
@@ -0,0 +1,89 @@
+# Sample workflow for building and deploying a Nuxt site to GitHub Pages
+#
+# To get started with Nuxt see: https://nuxtjs.org/docs/get-started/installation
+#
+name: Deploy Nuxt site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "::set-output name=manager::yarn"
+ echo "::set-output name=command::install"
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "::set-output name=manager::npm"
+ echo "::set-output name=command::ci"
+ exit 0
+ else
+ echo "Unable to determine packager manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v3
+ with:
+ node-version: "16"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ - name: Setup Pages
+ uses: actions/configure-pages@v2
+ with:
+ # Automatically inject router.base in your Nuxt configuration file and set
+ # target to static (https://nuxtjs.org/docs/configuration-glossary/configuration-target/).
+ #
+ # You may remove this line if you want to manage the configuration yourself.
+ static_site_generator: nuxt
+ - name: Restore cache
+ uses: actions/cache@v3
+ with:
+ path: |
+ dist
+ .nuxt
+ key: ${{ runner.os }}-nuxt-build-${{ hashFiles('dist') }}
+ restore-keys: |
+ ${{ runner.os }}-nuxt-build-
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ - name: Static HTML export with Nuxt
+ run: ${{ steps.detect-package-manager.outputs.manager }} run generate
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: ./dist
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/pages/properties/astro.properties.json b/pages/properties/astro.properties.json
new file mode 100644
index 0000000..bc7db05
--- /dev/null
+++ b/pages/properties/astro.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Astro",
+ "description": "Deploy an Astro site.",
+ "iconName": "astro",
+ "categories": ["Pages", "Astro"]
+}
diff --git a/pages/properties/gatsby.properties.json b/pages/properties/gatsby.properties.json
new file mode 100644
index 0000000..df260f8
--- /dev/null
+++ b/pages/properties/gatsby.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Gatsby",
+ "description": "Package a Gatsby site.",
+ "iconName": "gatsby",
+ "categories": ["Pages", "Gatsby"]
+}
\ No newline at end of file
diff --git a/pages/properties/hugo.properties.json b/pages/properties/hugo.properties.json
new file mode 100644
index 0000000..b6f6dc7
--- /dev/null
+++ b/pages/properties/hugo.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Hugo",
+ "description": "Package a Hugo site.",
+ "iconName": "hugo",
+ "categories": ["Pages", "Hugo"]
+}
\ No newline at end of file
diff --git a/pages/properties/jekyll-gh-pages.properties.json b/pages/properties/jekyll-gh-pages.properties.json
new file mode 100644
index 0000000..3e38602
--- /dev/null
+++ b/pages/properties/jekyll-gh-pages.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "GitHub Pages Jekyll",
+ "description": "Package a Jekyll site with GitHub Pages dependencies preinstalled.",
+ "iconName": "jekyll-tube",
+ "categories": ["Pages", "Jekyll"]
+}
diff --git a/pages/properties/jekyll.properties.json b/pages/properties/jekyll.properties.json
new file mode 100644
index 0000000..8b4c1d2
--- /dev/null
+++ b/pages/properties/jekyll.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Jekyll",
+ "description": "Package a Jekyll site.",
+ "iconName": "jekyll-tube",
+ "categories": ["Pages", "Jekyll"]
+}
diff --git a/pages/properties/nextjs.properties.json b/pages/properties/nextjs.properties.json
new file mode 100644
index 0000000..4209908
--- /dev/null
+++ b/pages/properties/nextjs.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Next.js",
+ "description": "Package a Next.js site.",
+ "iconName": "nextjs",
+ "categories": ["Pages", "Next"]
+}
diff --git a/pages/properties/nuxtjs.properties.json b/pages/properties/nuxtjs.properties.json
new file mode 100644
index 0000000..d79909e
--- /dev/null
+++ b/pages/properties/nuxtjs.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "NuxtJS",
+ "description": "Package a NuxtJS site.",
+ "iconName": "nuxtjs",
+ "categories": ["Pages", "Nuxt"]
+}
\ No newline at end of file
diff --git a/pages/properties/static.properties.json b/pages/properties/static.properties.json
new file mode 100644
index 0000000..372579c
--- /dev/null
+++ b/pages/properties/static.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Static HTML",
+ "description": "Deploy static files in a repository without a build.",
+ "iconName": "html",
+ "categories": ["Pages", "HTML", "JavaScript", "CSS"]
+}
diff --git a/pages/static.yml b/pages/static.yml
new file mode 100644
index 0000000..9e0e871
--- /dev/null
+++ b/pages/static.yml
@@ -0,0 +1,42 @@
+# Simple workflow for deploying static content to GitHub Pages
+name: Deploy static content to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: [$default-branch]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+ group: "pages"
+ cancel-in-progress: true
+
+jobs:
+ # Single deploy job since we're just deploying
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Setup Pages
+ uses: actions/configure-pages@v2
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ # Upload entire repository
+ path: '.'
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts
index 608e73d..a320d36 100755
--- a/script/sync-ghes/index.ts
+++ b/script/sync-ghes/index.ts
@@ -61,7 +61,7 @@ async function checkWorkflows(
const enabled =
!isPartnerWorkflow &&
- workflowProperties.enterprise !== false &&
+ (workflowProperties.enterprise === true || folder !== 'code-scanning') &&
(await checkWorkflow(workflowFilePath, enabledActions));
const workflowDesc: WorkflowDesc = {
diff --git a/script/sync-ghes/package-lock.json b/script/sync-ghes/package-lock.json
index ebcd318..768bbda 100644
--- a/script/sync-ghes/package-lock.json
+++ b/script/sync-ghes/package-lock.json
@@ -1,8 +1,166 @@
{
"name": "sync-ghes-actions",
"version": "1.0.0",
- "lockfileVersion": 1,
+ "lockfileVersion": 2,
"requires": true,
+ "packages": {
+ "": {
+ "name": "sync-ghes-actions",
+ "version": "1.0.0",
+ "license": "MIT",
+ "dependencies": {
+ "js-yaml": "^3.13.1"
+ },
+ "devDependencies": {
+ "@types/js-yaml": "^3.12.4",
+ "@types/node": "^14.0.1",
+ "ts-node": "^8.10.1",
+ "typescript": "^3.9.2"
+ }
+ },
+ "node_modules/@types/js-yaml": {
+ "version": "3.12.4",
+ "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-3.12.4.tgz",
+ "integrity": "sha512-fYMgzN+9e28R81weVN49inn/u798ruU91En1ZnGvSZzCRc5jXx9B2EDhlRaWmcO1RIxFHL8AajRXzxDuJu93+A==",
+ "dev": true
+ },
+ "node_modules/@types/node": {
+ "version": "14.0.1",
+ "resolved": "https://registry.npmjs.org/@types/node/-/node-14.0.1.tgz",
+ "integrity": "sha512-FAYBGwC+W6F9+huFIDtn43cpy7+SzG+atzRiTfdp3inUKL2hXnd4rG8hylJLIh4+hqrQy1P17kvJByE/z825hA==",
+ "dev": true
+ },
+ "node_modules/arg": {
+ "version": "4.1.3",
+ "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz",
+ "integrity": "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==",
+ "dev": true
+ },
+ "node_modules/argparse": {
+ "version": "1.0.10",
+ "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz",
+ "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==",
+ "dependencies": {
+ "sprintf-js": "~1.0.2"
+ }
+ },
+ "node_modules/buffer-from": {
+ "version": "1.1.1",
+ "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz",
+ "integrity": "sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==",
+ "dev": true
+ },
+ "node_modules/diff": {
+ "version": "4.0.2",
+ "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz",
+ "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==",
+ "dev": true,
+ "engines": {
+ "node": ">=0.3.1"
+ }
+ },
+ "node_modules/esprima": {
+ "version": "4.0.1",
+ "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz",
+ "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==",
+ "bin": {
+ "esparse": "bin/esparse.js",
+ "esvalidate": "bin/esvalidate.js"
+ },
+ "engines": {
+ "node": ">=4"
+ }
+ },
+ "node_modules/js-yaml": {
+ "version": "3.13.1",
+ "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz",
+ "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==",
+ "dependencies": {
+ "argparse": "^1.0.7",
+ "esprima": "^4.0.0"
+ },
+ "bin": {
+ "js-yaml": "bin/js-yaml.js"
+ }
+ },
+ "node_modules/make-error": {
+ "version": "1.3.6",
+ "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz",
+ "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==",
+ "dev": true
+ },
+ "node_modules/source-map": {
+ "version": "0.6.1",
+ "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+ "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+ "dev": true,
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
+ "node_modules/source-map-support": {
+ "version": "0.5.19",
+ "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz",
+ "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==",
+ "dev": true,
+ "dependencies": {
+ "buffer-from": "^1.0.0",
+ "source-map": "^0.6.0"
+ }
+ },
+ "node_modules/sprintf-js": {
+ "version": "1.0.3",
+ "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
+ "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw="
+ },
+ "node_modules/ts-node": {
+ "version": "8.10.1",
+ "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-8.10.1.tgz",
+ "integrity": "sha512-bdNz1L4ekHiJul6SHtZWs1ujEKERJnHs4HxN7rjTyyVOFf3HaJ6sLqe6aPG62XTzAB/63pKRh5jTSWL0D7bsvw==",
+ "dev": true,
+ "dependencies": {
+ "arg": "^4.1.0",
+ "diff": "^4.0.1",
+ "make-error": "^1.1.1",
+ "source-map-support": "^0.5.17",
+ "yn": "3.1.1"
+ },
+ "bin": {
+ "ts-node": "dist/bin.js",
+ "ts-node-script": "dist/bin-script.js",
+ "ts-node-transpile-only": "dist/bin-transpile.js",
+ "ts-script": "dist/bin-script-deprecated.js"
+ },
+ "engines": {
+ "node": ">=6.0.0"
+ },
+ "peerDependencies": {
+ "typescript": ">=2.7"
+ }
+ },
+ "node_modules/typescript": {
+ "version": "3.9.2",
+ "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz",
+ "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==",
+ "dev": true,
+ "bin": {
+ "tsc": "bin/tsc",
+ "tsserver": "bin/tsserver"
+ },
+ "engines": {
+ "node": ">=4.2.0"
+ }
+ },
+ "node_modules/yn": {
+ "version": "3.1.1",
+ "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz",
+ "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==",
+ "dev": true,
+ "engines": {
+ "node": ">=6"
+ }
+ }
+ },
"dependencies": {
"@types/js-yaml": {
"version": "3.12.4",
diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json
index 9648ab4..41d6bcd 100644
--- a/script/sync-ghes/settings.json
+++ b/script/sync-ghes/settings.json
@@ -2,20 +2,27 @@
"folders": [
"../../ci",
"../../automation",
- "../../code-scanning"
+ "../../code-scanning",
+ "../../pages"
],
"enabledActions": [
+ "actions/cache",
"actions/checkout",
+ "actions/configure-pages",
"actions/create-release",
"actions/delete-package-versions",
+ "actions/deploy-pages",
"actions/download-artifact",
+ "actions/jekyll-build-pages",
"actions/setup-dotnet",
"actions/setup-go",
"actions/setup-java",
"actions/setup-node",
+ "actions/setup-python",
"actions/stale",
"actions/starter-workflows",
"actions/upload-artifact",
+ "actions/upload-pages-artifact",
"actions/upload-release-asset",
"github/codeql-action"
],
diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts
index 7dce3d1..4bd260d 100755
--- a/script/validate-data/index.ts
+++ b/script/validate-data/index.ts
@@ -1,7 +1,7 @@
#!/usr/bin/env npx ts-node
import { promises as fs } from "fs";
import { safeLoad } from "js-yaml";
-import { basename, extname, join } from "path";
+import { basename, extname, join, dirname } from "path";
import { Validator as validator } from "jsonschema";
import { endGroup, error, info, setFailed, startGroup } from '@actions/core';
@@ -14,6 +14,7 @@ interface WorkflowWithErrors {
interface WorkflowProperties {
name: string;
description: string;
+ creator: string;
iconName: string;
categories: string[];
}
@@ -40,7 +41,7 @@ const propertiesSchema = {
}
}
-async function checkWorkflows(folders: string[], allowed_categories: string[]): Promise {
+async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise {
const result: WorkflowWithErrors[] = []
const workflow_template_names = new Set()
for (const folder of folders) {
@@ -69,7 +70,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[]):
return result;
}
-async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[]): Promise {
+async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise {
let workflowErrors: WorkflowWithErrors = {
id: workflowPath,
name: null,
@@ -104,9 +105,19 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow
}
}
- if (!workflowPath.endsWith("blank.yml") && (!properties.categories ||
- !properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) {
- workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`)
+ var path = dirname(workflowPath)
+ var folder_categories = allowed_categories.find( category => category["path"] == path)["categories"]
+ if (!workflowPath.endsWith("blank.yml")) {
+ if(!properties.categories || properties.categories.length == 0) {
+ workflowErrors.errors.push(`Workflow categories cannot be null or empty`)
+ }
+ else if(!folder_categories.some(category => properties.categories[0].toLowerCase() == category.toLowerCase())) {
+ workflowErrors.errors.push(`The first category in properties.json categories for workflow in ${basename(path)} folder must be one of "${folder_categories}. Either move the workflow to an appropriate directory or change the category."`)
+ }
+ }
+
+ if(basename(path).toLowerCase() == 'deployments' && !properties.creator) {
+ workflowErrors.errors.push(`The "creator" in properties.json must be present.`)
}
} catch (e) {
workflowErrors.errors.push(e.toString())
diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json
index 8839d6a..358c661 100644
--- a/script/validate-data/package-lock.json
+++ b/script/validate-data/package-lock.json
@@ -1,13 +1,226 @@
{
- "name": "sync-ghes-actions",
+ "name": "validate-data",
"version": "1.0.0",
- "lockfileVersion": 1,
+ "lockfileVersion": 2,
"requires": true,
+ "packages": {
+ "": {
+ "name": "validate-data",
+ "version": "1.0.0",
+ "license": "MIT",
+ "dependencies": {
+ "@actions/core": "^1.9.1",
+ "js-yaml": "^3.13.1",
+ "jsonschema": "^1.2.6"
+ },
+ "devDependencies": {
+ "@types/js-yaml": "^3.12.4",
+ "@types/node": "^14.0.1",
+ "ts-node": "^8.10.1",
+ "typescript": "^3.9.2"
+ }
+ },
+ "node_modules/@actions/core": {
+ "version": "1.9.1",
+ "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+ "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
+ "dependencies": {
+ "@actions/http-client": "^2.0.1",
+ "uuid": "^8.3.2"
+ }
+ },
+ "node_modules/@actions/http-client": {
+ "version": "2.0.1",
+ "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+ "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
+ "dependencies": {
+ "tunnel": "^0.0.6"
+ }
+ },
+ "node_modules/@types/js-yaml": {
+ "version": "3.12.4",
+ "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-3.12.4.tgz",
+ "integrity": "sha512-fYMgzN+9e28R81weVN49inn/u798ruU91En1ZnGvSZzCRc5jXx9B2EDhlRaWmcO1RIxFHL8AajRXzxDuJu93+A==",
+ "dev": true
+ },
+ "node_modules/@types/node": {
+ "version": "14.0.1",
+ "resolved": "https://registry.npmjs.org/@types/node/-/node-14.0.1.tgz",
+ "integrity": "sha512-FAYBGwC+W6F9+huFIDtn43cpy7+SzG+atzRiTfdp3inUKL2hXnd4rG8hylJLIh4+hqrQy1P17kvJByE/z825hA==",
+ "dev": true
+ },
+ "node_modules/arg": {
+ "version": "4.1.3",
+ "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz",
+ "integrity": "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==",
+ "dev": true
+ },
+ "node_modules/argparse": {
+ "version": "1.0.10",
+ "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz",
+ "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==",
+ "dependencies": {
+ "sprintf-js": "~1.0.2"
+ }
+ },
+ "node_modules/buffer-from": {
+ "version": "1.1.1",
+ "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.1.tgz",
+ "integrity": "sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==",
+ "dev": true
+ },
+ "node_modules/diff": {
+ "version": "4.0.2",
+ "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz",
+ "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==",
+ "dev": true,
+ "engines": {
+ "node": ">=0.3.1"
+ }
+ },
+ "node_modules/esprima": {
+ "version": "4.0.1",
+ "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz",
+ "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==",
+ "bin": {
+ "esparse": "bin/esparse.js",
+ "esvalidate": "bin/esvalidate.js"
+ },
+ "engines": {
+ "node": ">=4"
+ }
+ },
+ "node_modules/js-yaml": {
+ "version": "3.13.1",
+ "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz",
+ "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==",
+ "dependencies": {
+ "argparse": "^1.0.7",
+ "esprima": "^4.0.0"
+ },
+ "bin": {
+ "js-yaml": "bin/js-yaml.js"
+ }
+ },
+ "node_modules/jsonschema": {
+ "version": "1.2.6",
+ "resolved": "https://registry.npmjs.org/jsonschema/-/jsonschema-1.2.6.tgz",
+ "integrity": "sha512-SqhURKZG07JyKKeo/ir24QnS4/BV7a6gQy93bUSe4lUdNp0QNpIz2c9elWJQ9dpc5cQYY6cvCzgRwy0MQCLyqA==",
+ "engines": {
+ "node": "*"
+ }
+ },
+ "node_modules/make-error": {
+ "version": "1.3.6",
+ "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz",
+ "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==",
+ "dev": true
+ },
+ "node_modules/source-map": {
+ "version": "0.6.1",
+ "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+ "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+ "dev": true,
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
+ "node_modules/source-map-support": {
+ "version": "0.5.19",
+ "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz",
+ "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==",
+ "dev": true,
+ "dependencies": {
+ "buffer-from": "^1.0.0",
+ "source-map": "^0.6.0"
+ }
+ },
+ "node_modules/sprintf-js": {
+ "version": "1.0.3",
+ "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
+ "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw="
+ },
+ "node_modules/ts-node": {
+ "version": "8.10.1",
+ "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-8.10.1.tgz",
+ "integrity": "sha512-bdNz1L4ekHiJul6SHtZWs1ujEKERJnHs4HxN7rjTyyVOFf3HaJ6sLqe6aPG62XTzAB/63pKRh5jTSWL0D7bsvw==",
+ "dev": true,
+ "dependencies": {
+ "arg": "^4.1.0",
+ "diff": "^4.0.1",
+ "make-error": "^1.1.1",
+ "source-map-support": "^0.5.17",
+ "yn": "3.1.1"
+ },
+ "bin": {
+ "ts-node": "dist/bin.js",
+ "ts-node-script": "dist/bin-script.js",
+ "ts-node-transpile-only": "dist/bin-transpile.js",
+ "ts-script": "dist/bin-script-deprecated.js"
+ },
+ "engines": {
+ "node": ">=6.0.0"
+ },
+ "peerDependencies": {
+ "typescript": ">=2.7"
+ }
+ },
+ "node_modules/tunnel": {
+ "version": "0.0.6",
+ "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+ "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
+ "engines": {
+ "node": ">=0.6.11 <=0.7.0 || >=0.7.3"
+ }
+ },
+ "node_modules/typescript": {
+ "version": "3.9.2",
+ "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz",
+ "integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==",
+ "dev": true,
+ "bin": {
+ "tsc": "bin/tsc",
+ "tsserver": "bin/tsserver"
+ },
+ "engines": {
+ "node": ">=4.2.0"
+ }
+ },
+ "node_modules/uuid": {
+ "version": "8.3.2",
+ "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+ "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+ "bin": {
+ "uuid": "dist/bin/uuid"
+ }
+ },
+ "node_modules/yn": {
+ "version": "3.1.1",
+ "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz",
+ "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==",
+ "dev": true,
+ "engines": {
+ "node": ">=6"
+ }
+ }
+ },
"dependencies": {
"@actions/core": {
- "version": "1.2.6",
- "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz",
- "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA=="
+ "version": "1.9.1",
+ "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
+ "integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
+ "requires": {
+ "@actions/http-client": "^2.0.1",
+ "uuid": "^8.3.2"
+ }
+ },
+ "@actions/http-client": {
+ "version": "2.0.1",
+ "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
+ "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
+ "requires": {
+ "tunnel": "^0.0.6"
+ }
},
"@types/js-yaml": {
"version": "3.12.4",
@@ -106,12 +319,22 @@
"yn": "3.1.1"
}
},
+ "tunnel": {
+ "version": "0.0.6",
+ "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+ "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
+ },
"typescript": {
"version": "3.9.2",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz",
"integrity": "sha512-q2ktq4n/uLuNNShyayit+DTobV2ApPEo/6so68JaD5ojvc/6GClBipedB9zNWYxRSAlZXAe405Rlijzl6qDiSw==",
"dev": true
},
+ "uuid": {
+ "version": "8.3.2",
+ "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+ "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
+ },
"yn": {
"version": "3.1.1",
"resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz",
diff --git a/script/validate-data/package.json b/script/validate-data/package.json
index e6403ee..6811f19 100644
--- a/script/validate-data/package.json
+++ b/script/validate-data/package.json
@@ -14,7 +14,7 @@
"typescript": "^3.9.2"
},
"dependencies": {
- "@actions/core": "^1.2.6",
+ "@actions/core": "^1.9.1",
"js-yaml": "^3.13.1",
"jsonschema": "^1.2.6"
}
diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json
index ef8ee60..23c4790 100644
--- a/script/validate-data/settings.json
+++ b/script/validate-data/settings.json
@@ -3,13 +3,29 @@
"../../ci",
"../../automation",
"../../deployments",
- "../../code-scanning"
+ "../../code-scanning",
+ "../../pages"
],
- "allowed_categories" : [
- "Continuous integration",
- "Deployment",
- "Code Scanning",
- "Dependency review",
- "Automation"
+ "allowed_categories": [
+ {
+ "path": "../../ci",
+ "categories": ["Continuous integration"]
+ },
+ {
+ "path": "../../automation",
+ "categories": ["Automation"]
+ },
+ {
+ "path": "../../deployments",
+ "categories": ["Deployment"]
+ },
+ {
+ "path": "../../code-scanning",
+ "categories": ["Code Scanning", "Dependency review"]
+ },
+ {
+ "path": "../../pages",
+ "categories": ["Pages"]
+ }
]
}