From 9d82221b3c47a53248149b62bc84bfdc8ba6e57d Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 25 Oct 2022 16:23:39 +0200
Subject: [PATCH 01/36] Create sonarqube.yaml
---
code-scanning/sonarqube.yaml | 65 ++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
create mode 100644 code-scanning/sonarqube.yaml
diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml
new file mode 100644
index 0000000..c6fbfce
--- /dev/null
+++ b/code-scanning/sonarqube.yaml
@@ -0,0 +1,65 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow helps you trigger a SonarQube analysis of your code and populates
+# GitHub Code Scanning alerts with the vulnerabilities found.
+# (this feature is available starting from Developer Edition)
+
+# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub)
+
+# 2. Import your project on SonarQube
+# * Add your repository as a new project by clicking "Create project" from your homepage.
+#
+# 3. Select GitHub Actions as your CI and follow the tutorial
+# * a. Copy/paste the Project Key and the Organization Key into the args parameter below
+# (You'll find this information in SonarQube. Click on "Information" at the bottom left)
+#
+# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
+# (On SonarQube, click on your avatar on top-right > My account > Security
+# or go directly to https://sonarcloud.io/account/security/)
+
+# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
+# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
+
+name: SonarQube analysis
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ workflow_dispatch:
+
+permissions:
+ pull-requests: read # allows SonarQube to decorate PRs with analysis results
+
+jobs:
+ Analysis:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Analyze with SonarQube
+
+ # You can pin the exact commit or the version.
+ # uses: SonarSource/sonarqube-scan-action@v1.1.0
+ uses: SonarSource/sonarqube-scan-action@v1.1.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
+ SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret)
+ with:
+ # Additional arguments for the sonarcloud scanner
+ args:
+ # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu)
+ # mandatory
+ -Dsonar.projectKey=
+ # Comma-separated paths to directories containing main source files.
+ #-Dsonar.sources= # optional, default is project base directory
+ # When you need the analysis to take place in a directory other than the one from which it was launched
+ #-Dsonar.projectBaseDir= # optional, default is .
+ # Comma-separated paths to directories containing test source files.
+ #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+ #-Dsonar.verbose= # optional, default is false
From f44ecbf0e28eae370cbcbece24deff8737158257 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 25 Oct 2022 16:29:30 +0200
Subject: [PATCH 02/36] Added comments
---
code-scanning/sonarqube.yaml | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml
index c6fbfce..e9b8d98 100644
--- a/code-scanning/sonarqube.yaml
+++ b/code-scanning/sonarqube.yaml
@@ -13,15 +13,16 @@
# * Add your repository as a new project by clicking "Create project" from your homepage.
#
# 3. Select GitHub Actions as your CI and follow the tutorial
-# * a. Copy/paste the Project Key and the Organization Key into the args parameter below
-# (You'll find this information in SonarQube. Click on "Information" at the bottom left)
+# * a. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
+# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator)
#
-# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
-# (On SonarQube, click on your avatar on top-right > My account > Security
-# or go directly to https://sonarcloud.io/account/security/)
+# * b. Copy/paste your SonarQube host URL to your Github repository's secrets using the name SONAR_HOST_URL
+#
+# * c. Copy/paste the project Key into the args parameter below
+# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage)
-# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
-# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
+# Feel free to take a look at our documentation (https://docs.sonarqube.org/latest/analysis/github-integration/)
+# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/sq/10)
name: SonarQube analysis
From 4a1cad76c04ded3d2d1e1f20778ea3855c9e5d1d Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 25 Oct 2022 16:57:24 +0200
Subject: [PATCH 03/36] Added reference to documentation
---
code-scanning/sonarqube.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml
index e9b8d98..f34d48e 100644
--- a/code-scanning/sonarqube.yaml
+++ b/code-scanning/sonarqube.yaml
@@ -5,7 +5,7 @@
# This workflow helps you trigger a SonarQube analysis of your code and populates
# GitHub Code Scanning alerts with the vulnerabilities found.
-# (this feature is available starting from Developer Edition)
+# (this feature is available starting from SonarQube 9.7, Developer Edition and above)
# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub)
From c7e73d7edc4e376bfdb148a7ee0a1d732c8443f9 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 3 Nov 2022 11:23:48 +0100
Subject: [PATCH 04/36] Update sonarqube.yaml
---
code-scanning/sonarqube.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml
index f34d48e..23f79da 100644
--- a/code-scanning/sonarqube.yaml
+++ b/code-scanning/sonarqube.yaml
@@ -13,10 +13,10 @@
# * Add your repository as a new project by clicking "Create project" from your homepage.
#
# 3. Select GitHub Actions as your CI and follow the tutorial
-# * a. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
+# * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN
# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator)
#
-# * b. Copy/paste your SonarQube host URL to your Github repository's secrets using the name SONAR_HOST_URL
+# * b. Copy/paste your SonarQube host URL to your GitHub repository's secrets using the name SONAR_HOST_URL
#
# * c. Copy/paste the project Key into the args parameter below
# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage)
From ca67faa01ca580695b67779e7cc67cf4b6586ddd Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 3 Nov 2022 11:25:29 +0100
Subject: [PATCH 05/36] Rename sonarqube.yaml to sonarqube.yml
---
code-scanning/{sonarqube.yaml => sonarqube.yml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename code-scanning/{sonarqube.yaml => sonarqube.yml} (100%)
diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yml
similarity index 100%
rename from code-scanning/sonarqube.yaml
rename to code-scanning/sonarqube.yml
From a5ee5608b9f19e8c4949b365711030820ead5d69 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 3 Nov 2022 11:27:23 +0100
Subject: [PATCH 06/36] Create sonarqube.properties.json
---
code-scanning/properties/sonarqube.properties.json | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 code-scanning/properties/sonarqube.properties.json
diff --git a/code-scanning/properties/sonarqube.properties.json b/code-scanning/properties/sonarqube.properties.json
new file mode 100644
index 0000000..9912c51
--- /dev/null
+++ b/code-scanning/properties/sonarqube.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SonarQube",
+ "creator": "Sonar",
+ "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!",
+ "iconName": "sonarqube",
+ "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
+}
From 4c8f3a77aa64cc3b5da5b5b244d75e07285e77d3 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 3 Nov 2022 11:28:50 +0100
Subject: [PATCH 07/36] Add files via upload
---
icons/SonarQube icon.svg | 1 +
1 file changed, 1 insertion(+)
create mode 100644 icons/SonarQube icon.svg
diff --git a/icons/SonarQube icon.svg b/icons/SonarQube icon.svg
new file mode 100644
index 0000000..b5c23d8
--- /dev/null
+++ b/icons/SonarQube icon.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
From 5081d1525082e71f7be1c3eb381c7e5443e28f95 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 3 Nov 2022 11:29:30 +0100
Subject: [PATCH 08/36] Rename SonarQube icon.svg to sonarqube.svg
---
icons/{SonarQube icon.svg => sonarqube.svg} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename icons/{SonarQube icon.svg => sonarqube.svg} (94%)
diff --git a/icons/SonarQube icon.svg b/icons/sonarqube.svg
similarity index 94%
rename from icons/SonarQube icon.svg
rename to icons/sonarqube.svg
index b5c23d8..a4bba35 100644
--- a/icons/SonarQube icon.svg
+++ b/icons/sonarqube.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
From 0b50b4b57933ac53f9bf799ff67aea8c2bdcaddf Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Fri, 4 Nov 2022 20:45:41 +0100
Subject: [PATCH 09/36] Remove extra whitespaces
---
.github/dependabot.yml | 6 ++---
ci/ada.yml | 2 +-
ci/cmake.yml | 4 +--
ci/go-ossf-slsa3-publish.yml | 8 +++---
ci/makefile.yml | 8 +++---
ci/npm-grunt.yml | 2 +-
ci/npm-gulp.yml | 2 +-
ci/webpack.yml | 2 +-
code-scanning/apisec-scan.yml | 6 ++---
code-scanning/brakeman.yml | 2 +-
code-scanning/checkmarx.yml | 2 +-
code-scanning/clj-holmes.yml | 4 +--
code-scanning/clj-watson.yml | 6 ++---
code-scanning/cloudrail.yml | 6 ++---
code-scanning/codacy.yml | 2 +-
code-scanning/codeql.yml | 6 ++---
code-scanning/codescan.yml | 2 +-
code-scanning/contrast-scan.yml | 8 +++---
code-scanning/detekt.yml | 4 +--
code-scanning/devskim.yml | 2 +-
code-scanning/eslint.yml | 4 +--
code-scanning/ethicalcheck.yml | 8 +++---
code-scanning/hadolint.yml | 2 +-
code-scanning/lintr.yml | 2 +-
code-scanning/mobsf.yml | 4 +--
code-scanning/msvc.yml | 2 +-
code-scanning/neuralegion.yml | 4 +--
code-scanning/njsscan.yml | 2 +-
code-scanning/ossar.yml | 2 +-
code-scanning/phpmd.yml | 6 ++---
code-scanning/pmd.yml | 2 +-
code-scanning/powershell.yml | 10 +++----
code-scanning/prisma.yml | 2 +-
code-scanning/puppet-lint.yml | 2 +-
code-scanning/rust-clippy.yml | 4 +--
code-scanning/securitycodescan.yml | 6 ++---
code-scanning/semgrep.yml | 2 +-
code-scanning/snyk-container.yml | 2 +-
code-scanning/snyk-infrastructure.yml | 2 +-
code-scanning/sobelow.yml | 6 ++---
code-scanning/sonarcloud.yml | 16 ++++++------
code-scanning/soos-dast-scan.yml | 4 +--
code-scanning/synopsys-io.yml | 16 ++++++------
code-scanning/sysdig-scan.yml | 6 ++---
code-scanning/tfsec.yml | 6 ++---
code-scanning/trivy.yml | 2 +-
code-scanning/veracode.yml | 2 +-
code-scanning/xanitizer.yml | 2 +-
code-scanning/zscan.yml | 9 +++----
deployments/alibabacloud.yml | 32 +++++++++++------------
deployments/azure-container-webapp.yml | 2 +-
deployments/azure-webapps-dotnet-core.yml | 2 +-
deployments/azure-webapps-java-jar.yml | 2 +-
deployments/azure-webapps-node.yml | 2 +-
deployments/azure-webapps-python.yml | 8 +++---
deployments/tencent.yml | 12 ++++-----
56 files changed, 140 insertions(+), 141 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 62283f9..ee66df2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,12 +5,12 @@
version: 2
updates:
- - package-ecosystem: "npm"
+ - package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
-
- - package-ecosystem: "github-actions"
+
+ - package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
diff --git a/ci/ada.yml b/ci/ada.yml
index 7e94b38..417ed2e 100644
--- a/ci/ada.yml
+++ b/ci/ada.yml
@@ -17,7 +17,7 @@ jobs:
- name: Set up GNAT toolchain
run: >
- sudo apt-get update &&
+ sudo apt-get update &&
sudo apt-get install gnat gprbuild
- name: Build
diff --git a/ci/cmake.yml b/ci/cmake.yml
index 6f06f75..95d7efd 100644
--- a/ci/cmake.yml
+++ b/ci/cmake.yml
@@ -31,7 +31,7 @@ jobs:
- name: Test
working-directory: ${{github.workspace}}/build
- # Execute tests defined by the CMake configuration.
+ # Execute tests defined by the CMake configuration.
# See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail
run: ctest -C ${{env.BUILD_TYPE}}
-
+
diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml
index a738875..b357cc0 100644
--- a/ci/go-ossf-slsa3-publish.yml
+++ b/ci/go-ossf-slsa3-publish.yml
@@ -3,10 +3,10 @@
# separate terms of service, privacy policy, and support
# documentation.
-# This workflow lets you compile your Go project using a SLSA3 compliant builder.
-# This workflow will generate a so-called "provenance" file describing the steps
+# This workflow lets you compile your Go project using a SLSA3 compliant builder.
+# This workflow will generate a so-called "provenance" file describing the steps
# that were performed to generate the final binary.
-# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
# https://github.com/slsa-framework/slsa-github-generator.
# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
@@ -21,7 +21,7 @@ permissions: read-all
jobs:
# ========================================================================================================================================
- # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
+ # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
# See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file
#=========================================================================================================================================
build:
diff --git a/ci/makefile.yml b/ci/makefile.yml
index 0156944..1b53855 100644
--- a/ci/makefile.yml
+++ b/ci/makefile.yml
@@ -13,15 +13,15 @@ jobs:
steps:
- uses: actions/checkout@v3
-
+
- name: configure
run: ./configure
-
+
- name: Install dependencies
run: make
-
+
- name: Run check
run: make check
-
+
- name: Run distcheck
run: make distcheck
diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml
index e39ddbf..0bcbd1c 100644
--- a/ci/npm-grunt.yml
+++ b/ci/npm-grunt.yml
@@ -13,7 +13,7 @@ jobs:
strategy:
matrix:
node-version: [14.x, 16.x, 18.x]
-
+
steps:
- uses: actions/checkout@v3
diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml
index 7606dea..7d79002 100644
--- a/ci/npm-gulp.yml
+++ b/ci/npm-gulp.yml
@@ -13,7 +13,7 @@ jobs:
strategy:
matrix:
node-version: [14.x, 16.x, 18.x]
-
+
steps:
- uses: actions/checkout@v3
diff --git a/ci/webpack.yml b/ci/webpack.yml
index 0bc6406..2b8b18a 100644
--- a/ci/webpack.yml
+++ b/ci/webpack.yml
@@ -13,7 +13,7 @@ jobs:
strategy:
matrix:
node-version: [14.x, 16.x, 18.x]
-
+
steps:
- uses: actions/checkout@v3
diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml
index 209e882..09f50cd 100644
--- a/code-scanning/apisec-scan.yml
+++ b/code-scanning/apisec-scan.yml
@@ -3,8 +3,8 @@
# separate terms of service, privacy policy, and support
# documentation.
-# APIsec addresses the critical need to secure APIs before they reach production.
-# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.
+# APIsec addresses the critical need to secure APIs before they reach production.
+# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.
# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.
# How to Get Started with APIsec.ai
@@ -50,7 +50,7 @@ jobs:
Trigger_APIsec_scan:
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml
index 957343c..5547c59 100644
--- a/code-scanning/brakeman.yml
+++ b/code-scanning/brakeman.yml
@@ -25,7 +25,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Brakeman Scan
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
index 9bdb136..582488a 100644
--- a/code-scanning/checkmarx.yml
+++ b/code-scanning/checkmarx.yml
@@ -29,7 +29,7 @@ jobs:
issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues
pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml
index 4487e23..87f11cb 100644
--- a/code-scanning/clj-holmes.yml
+++ b/code-scanning/clj-holmes.yml
@@ -16,7 +16,7 @@ on:
permissions:
contents: read
-
+
jobs:
clj-holmes:
name: Run clj-holmes scanning
@@ -24,7 +24,7 @@ jobs:
permissions:
contents: read
security-events: write
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v2
diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml
index 76903a9..59bfd41 100644
--- a/code-scanning/clj-watson.yml
+++ b/code-scanning/clj-watson.yml
@@ -6,7 +6,7 @@
# seeking for vulnerable direct/transitive dependencies and
# build a report with all the information needed to help you
# understand how the vulnerability manifest in your software.
-# More details at https://github.com/clj-holmes/clj-watson
+# More details at https://github.com/clj-holmes/clj-watson
name: clj-watson
@@ -29,7 +29,7 @@ jobs:
permissions:
contents: read
security-events: write
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v2
@@ -40,7 +40,7 @@ jobs:
clj-watson-sha: "65d928c"
clj-watson-tag: "v4.0.1"
database-strategy: github-advisory
- aliases: clojure-lsp,test
+ aliases: clojure-lsp,test
deps-edn-path: deps.edn
suggest-fix: true
output-type: sarif
diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml
index 4a0cd73..e5defa3 100644
--- a/code-scanning/cloudrail.yml
+++ b/code-scanning/cloudrail.yml
@@ -9,7 +9,7 @@ on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
- branches: [ $default-branch ]
+ branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
@@ -26,7 +26,7 @@ jobs:
- name: Clone repo
uses: actions/checkout@v3
- # For Terraform, Cloudrail requires the plan as input. So we generate it using
+ # For Terraform, Cloudrail requires the plan as input. So we generate it using
# the Terraform core binary.
- uses: hashicorp/setup-terraform@v1
with:
@@ -53,6 +53,6 @@ jobs:
uses: github/codeql-action/upload-sarif@v2
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
# is needed to ensure the SARIF file is uploaded
- if: always()
+ if: always()
with:
sarif_file: cloudrail_results.sarif
diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml
index 7b705bd..bbb2118 100644
--- a/code-scanning/codacy.yml
+++ b/code-scanning/codacy.yml
@@ -30,7 +30,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Codacy Security Scan
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 34c5de7..3f0ecfb 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -48,11 +48,11 @@ jobs:
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
-
+
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
-
+
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
@@ -61,7 +61,7 @@ jobs:
# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
# - run: |
diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml
index a9f1053..0959d23 100644
--- a/code-scanning/codescan.yml
+++ b/code-scanning/codescan.yml
@@ -25,7 +25,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout repository
diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml
index 4e4deb7..ff3d9d3 100644
--- a/code-scanning/contrast-scan.yml
+++ b/code-scanning/contrast-scan.yml
@@ -8,7 +8,7 @@
# Contrast Scan currently supports Java, JavaScript and .NET artifacts.
# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action
-# Pre-requisites:
+# Pre-requisites:
# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action.
# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER.
@@ -30,7 +30,7 @@ jobs:
permissions:
contents: read # for actions/checkout
security-events: write # for github/codeql-action/upload-sarif
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
# check out project
steps:
@@ -38,7 +38,7 @@ jobs:
# Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here.
# -name: Build Project
# ...
- # Scan Artifact
+ # Scan Artifact
- name: Contrast Scan Action
uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1
with:
@@ -46,7 +46,7 @@ jobs:
apiKey: ${{ secrets.CONTRAST_API_KEY }}
orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
- #Upload the results to GitHub
+ #Upload the results to GitHub
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml
index 0c65813..a13a517 100644
--- a/code-scanning/detekt.yml
+++ b/code-scanning/detekt.yml
@@ -69,13 +69,13 @@ jobs:
}
}
' 1> gh_response.json
-
+
DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json)
if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then
echo "Release tag doesn't match expected commit SHA"
exit 1
fi
-
+
DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json)
echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL"
diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml
index bf11261..4abd6ca 100644
--- a/code-scanning/devskim.yml
+++ b/code-scanning/devskim.yml
@@ -27,7 +27,7 @@ jobs:
- name: Run DevSkim scanner
uses: microsoft/DevSkim-Action@v1
-
+
- name: Upload DevSkim scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml
index 54b01c8..fcb4f21 100644
--- a/code-scanning/eslint.yml
+++ b/code-scanning/eslint.yml
@@ -25,7 +25,7 @@ jobs:
permissions:
contents: read
security-events: write
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
@@ -39,7 +39,7 @@ jobs:
run: npx eslint .
--config .eslintrc.js
--ext .js,.jsx,.ts,.tsx
- --format @microsoft/eslint-formatter-sarif
+ --format @microsoft/eslint-formatter-sarif
--output-file eslint-results.sarif
continue-on-error: true
diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml
index 2818bc6..a68d0a2 100644
--- a/code-scanning/ethicalcheck.yml
+++ b/code-scanning/ethicalcheck.yml
@@ -44,12 +44,12 @@ on:
permissions:
contents: read
-
+
jobs:
Trigger_EthicalCheck:
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
@@ -61,9 +61,9 @@ jobs:
# The email address to which the penetration test report will be sent.
email: "xxx@apisec.ai"
sarif-result-file: "ethicalcheck-results.sarif"
-
+
- name: Upload sarif file to repository
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./ethicalcheck-results.sarif
-
+
diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml
index 3153652..68aebaa 100644
--- a/code-scanning/hadolint.yml
+++ b/code-scanning/hadolint.yml
@@ -27,7 +27,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml
index 350df19..8a6de57 100644
--- a/code-scanning/lintr.yml
+++ b/code-scanning/lintr.yml
@@ -29,7 +29,7 @@ jobs:
permissions:
contents: read # for checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml
index 1013749..2146248 100644
--- a/code-scanning/mobsf.yml
+++ b/code-scanning/mobsf.yml
@@ -9,7 +9,7 @@ on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
- branches: [ $default-branch ]
+ branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
@@ -21,7 +21,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml
index e8dac88..172d855 100644
--- a/code-scanning/msvc.yml
+++ b/code-scanning/msvc.yml
@@ -28,7 +28,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Analyze
runs-on: windows-latest
diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml
index e24e14a..e9189d5 100644
--- a/code-scanning/neuralegion.yml
+++ b/code-scanning/neuralegion.yml
@@ -50,7 +50,7 @@
#
# `restart_scan`
#
-# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login). Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements.
+# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login). Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements.
#
# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)`
#
@@ -95,7 +95,7 @@
#
# `hosts_filter`
#
-# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan.
+# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan.
#
# Outputs
#
diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml
index d766a6f..81e3650 100644
--- a/code-scanning/njsscan.yml
+++ b/code-scanning/njsscan.yml
@@ -25,7 +25,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml
index 2bd91dd..63a7515 100644
--- a/code-scanning/ossar.yml
+++ b/code-scanning/ossar.yml
@@ -27,7 +27,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: windows-latest
steps:
diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml
index d10ace1..686551a 100644
--- a/code-scanning/phpmd.yml
+++ b/code-scanning/phpmd.yml
@@ -2,9 +2,9 @@
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
-# PHPMD is a spin-off project of PHP Depend and
+# PHPMD is a spin-off project of PHP Depend and
# aims to be a PHP equivalent of the well known Java tool PMD.
-# What PHPMD does is: It takes a given PHP source code base
+# What PHPMD does is: It takes a given PHP source code base
# and look for several potential problems within that source.
# These problems can be things like:
# Possible bugs
@@ -34,7 +34,7 @@ jobs:
permissions:
contents: read # for checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml
index 8115116..6b5b7ea 100644
--- a/code-scanning/pmd.yml
+++ b/code-scanning/pmd.yml
@@ -21,7 +21,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml
index 02e5de7..1e8a426 100644
--- a/code-scanning/powershell.yml
+++ b/code-scanning/powershell.yml
@@ -16,7 +16,7 @@ on:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
-
+
permissions:
contents: read
@@ -25,7 +25,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: PSScriptAnalyzer
runs-on: ubuntu-latest
steps:
@@ -37,11 +37,11 @@ jobs:
# Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options.
# The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules.
path: .\
- recurse: true
- # Include your own basic security rules. Removing this option will run all the rules
+ recurse: true
+ # Include your own basic security rules. Removing this option will run all the rules
includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"'
output: results.sarif
-
+
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
uses: github/codeql-action/upload-sarif@v2
diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml
index 1a12b86..9b24386 100644
--- a/code-scanning/prisma.yml
+++ b/code-scanning/prisma.yml
@@ -29,7 +29,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
name: Run Prisma Cloud IaC Scan to check
steps:
diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml
index 50b86db..26b6cca 100644
--- a/code-scanning/puppet-lint.yml
+++ b/code-scanning/puppet-lint.yml
@@ -29,7 +29,7 @@ jobs:
permissions:
contents: read # for checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml
index c5f10ee..90583f3 100644
--- a/code-scanning/rust-clippy.yml
+++ b/code-scanning/rust-clippy.yml
@@ -4,7 +4,7 @@
# documentation.
# rust-clippy is a tool that runs a bunch of lints to catch common
# mistakes in your Rust code and help improve your Rust code.
-# More details at https://github.com/rust-lang/rust-clippy
+# More details at https://github.com/rust-lang/rust-clippy
# and https://rust-lang.github.io/rust-clippy/
name: rust-clippy analyze
@@ -25,7 +25,7 @@ jobs:
permissions:
contents: read
security-events: write
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v2
diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml
index b6ee5ad..7a93d8a 100644
--- a/code-scanning/securitycodescan.yml
+++ b/code-scanning/securitycodescan.yml
@@ -24,11 +24,11 @@ jobs:
- uses: actions/checkout@v3
- uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1
- uses: microsoft/setup-msbuild@v1.0.2
-
+
- name: Set up projects for analysis
uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d
-
- - name: Restore dependencies
+
+ - name: Restore dependencies
run: dotnet restore
- name: Build
diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml
index b10a930..23486e4 100644
--- a/code-scanning/semgrep.yml
+++ b/code-scanning/semgrep.yml
@@ -27,7 +27,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Scan
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml
index a232c53..c3756c8 100644
--- a/code-scanning/snyk-container.yml
+++ b/code-scanning/snyk-container.yml
@@ -30,7 +30,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml
index 3ca1035..aedf2a3 100644
--- a/code-scanning/snyk-infrastructure.yml
+++ b/code-scanning/snyk-infrastructure.yml
@@ -29,7 +29,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml
index 7d38c77..61d376f 100644
--- a/code-scanning/sobelow.yml
+++ b/code-scanning/sobelow.yml
@@ -16,7 +16,7 @@ on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
- branches: [ $default-branch ]
+ branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
@@ -28,11 +28,11 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v3
- id: run-action
uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912
- name: Upload report
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index ff388c8..41075e4 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -3,7 +3,7 @@
# separate terms of service, privacy policy, and support
# documentation.
-# This workflow helps you trigger a SonarCloud analysis of your code and populates
+# This workflow helps you trigger a SonarCloud analysis of your code and populates
# GitHub Code Scanning alerts with the vulnerabilities found.
# Free for open source project.
@@ -11,16 +11,16 @@
# 2. Import your project on SonarCloud
# * Add your GitHub organization first, then add your repository as a new project.
-# * Please note that many languages are eligible for automatic analysis,
+# * Please note that many languages are eligible for automatic analysis,
# which means that the analysis will start automatically without the need to set up GitHub Actions.
# * This behavior can be changed in Administration > Analysis Method.
-#
+#
# 3. Follow the SonarCloud in-product tutorial
# * a. Copy/paste the Project Key and the Organization Key into the args parameter below
# (You'll find this information in SonarCloud. Click on "Information" at the bottom left)
#
# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
-# (On SonarCloud, click on your avatar on top-right > My account > Security
+# (On SonarCloud, click on your avatar on top-right > My account > Security
# or go directly to https://sonarcloud.io/account/security/)
# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
@@ -41,9 +41,9 @@ permissions:
jobs:
Analysis:
runs-on: ubuntu-latest
-
+
steps:
- - name: Analyze with SonarCloud
+ - name: Analyze with SonarCloud
# You can pin the exact commit or the version.
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
@@ -53,7 +53,7 @@ jobs:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
with:
# Additional arguments for the sonarcloud scanner
- args:
+ args:
# Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
# mandatory
-Dsonar.projectKey=
@@ -65,4 +65,4 @@ jobs:
# Comma-separated paths to directories containing test source files.
#-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
# Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
- #-Dsonar.verbose= # optional, default is false
+ #-Dsonar.verbose= # optional, default is false
diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml
index 95dfd67..2ab3d4c 100644
--- a/code-scanning/soos-dast-scan.yml
+++ b/code-scanning/soos-dast-scan.yml
@@ -12,7 +12,7 @@
#
# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here.
#
-# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID.
+# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID.
#
# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token.
#
@@ -29,7 +29,7 @@ jobs:
soos:
permissions:
security-events: write # for uploading code scanning alert info
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: SOOS DAST Scan
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml
index c32334c..61169e2 100644
--- a/code-scanning/synopsys-io.yml
+++ b/code-scanning/synopsys-io.yml
@@ -22,11 +22,11 @@ jobs:
actions: read
contents: read
security-events: write
-
+
steps:
- name: Checkout repository
uses: actions/checkout@v3
-
+
- name: Synopsys Intelligent Security Scan
id: prescription
uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08
@@ -36,7 +36,7 @@ jobs:
workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}}
additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}}
stage: "IO"
-
+
# Please note that the ID in previous step was set to prescription
# in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN
# is defined in settings
@@ -48,7 +48,7 @@ jobs:
wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip
unzip -j polaris_cli-linux64.zip -d /tmp
/tmp/polaris analyze -w
-
+
# Please note that the ID in previous step was set to prescription
# in order for this logic to work
- name: Software Composition Analysis with Black Duck
@@ -56,7 +56,7 @@ jobs:
uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38
with:
args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"'
-
+
- name: Synopsys Intelligent Security Scan
if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }}
uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08
@@ -64,11 +64,11 @@ jobs:
ioServerUrl: ${{secrets.IO_SERVER_URL}}
ioServerToken: ${{secrets.IO_SERVER_TOKEN}}
workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}}
- additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}}
- --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}}
+ additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}}
+ --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}}
--blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}}
stage: "WORKFLOW"
-
+
- name: Upload SARIF file
if: ${{steps.prescription.outputs.sastScan == 'true' }}
uses: github/codeql-action/upload-sarif@v2
diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml
index f9b61b9..8c13a4b 100644
--- a/code-scanning/sysdig-scan.yml
+++ b/code-scanning/sysdig-scan.yml
@@ -24,7 +24,7 @@ jobs:
checks: write # for sysdiglabs/scan-action to publish the checks
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
@@ -39,7 +39,7 @@ jobs:
id: scan
uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163
with:
- # Tag of the image to analyse.
+ # Tag of the image to analyse.
# Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above
image-tag: ${{ github.repository }}:latest
# API token for Sysdig Scanning auth
@@ -47,7 +47,7 @@ jobs:
# Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/
# US-East https://secure.sysdig.com
# US-West https://us2.app.sysdig.com
- # EU https://eu1.app.sysdig.com
+ # EU https://eu1.app.sysdig.com
sysdig-secure-url: https://us2.app.sysdig.com
dockerfile-path: ./Dockerfile
input-type: docker-daemon
diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml
index 77f8156..48ee4d2 100644
--- a/code-scanning/tfsec.yml
+++ b/code-scanning/tfsec.yml
@@ -9,7 +9,7 @@ on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
- branches: [ $default-branch ]
+ branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
@@ -29,10 +29,10 @@ jobs:
- name: Run tfsec
uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
with:
- sarif_file: tfsec.sarif
+ sarif_file: tfsec.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
- sarif_file: tfsec.sarif
+ sarif_file: tfsec.sarif
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index f56d9e5..4a8fe41 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -22,7 +22,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Build
runs-on: "ubuntu-18.04"
steps:
diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml
index 89d35df..04fc814 100644
--- a/code-scanning/veracode.yml
+++ b/code-scanning/veracode.yml
@@ -27,7 +27,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml
index 5724a97..8fd5c7b 100644
--- a/code-scanning/xanitizer.yml
+++ b/code-scanning/xanitizer.yml
@@ -51,7 +51,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml
index 1ac6bbd..7f035f5 100644
--- a/code-scanning/zscan.yml
+++ b/code-scanning/zscan.yml
@@ -3,16 +3,16 @@
# separate terms of service, privacy policy, and support
# documentation.
#
-# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android)
+# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android)
# and identifies security, privacy, and compliance-related vulnerabilities.
#
# Prerequisites:
# * An active Zimperium zScan account is required. If you are not an existing Zimperium
# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us.
-# * Either GitHub Advanced Security (GHAS) or a public repository is required to display
+# * Either GitHub Advanced Security (GHAS) or a public repository is required to display
# issues and view the remediation information inside of GitHub code scanning alerts.
#
-# For additional information and setup instructions
+# For additional information and setup instructions
# please visit: https://github.com/Zimperium/zScanMarketplace#readme
name: "Zimperium zScan"
@@ -33,7 +33,7 @@ jobs:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout repository
uses: actions/checkout@v3
@@ -58,4 +58,3 @@ jobs:
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: Zimperium.sarif
-
\ No newline at end of file
diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml
index 9853b75..96d5d38 100644
--- a/deployments/alibabacloud.yml
+++ b/deployments/alibabacloud.yml
@@ -3,7 +3,7 @@
#
# To use this workflow, you will need to complete the following set-up steps:
#
-# 1. Create an ACR repository to store your container images.
+# 1. Create an ACR repository to store your container images.
# You can use ACR EE instance for more security and better performance.
# For instructions see https://www.alibabacloud.com/help/doc-detail/142168.htm
#
@@ -14,7 +14,7 @@
# 3. Store your AccessKey pair in GitHub Actions secrets named `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET`.
# For instructions on setting up secrets see: https://developer.github.com/actions/managing-workflows/storing-secrets/
#
-# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME.
+# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME.
#
name: Build and Deploy to ACK
@@ -46,12 +46,12 @@ jobs:
build:
runs-on: ubuntu-latest
environment: production
-
+
steps:
- name: Checkout
uses: actions/checkout@v3
-
- # 1.1 Login to ACR
+
+ # 1.1 Login to ACR
- name: Login to ACR with the AccessKey pair
uses: aliyun/acr-login@v1
with:
@@ -59,13 +59,13 @@ jobs:
access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
- # 1.2 Buid and push image to ACR
- - name: Build and push image to ACR
+ # 1.2 Buid and push image to ACR
+ - name: Build and push image to ACR
run: |
- docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" .
- docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG"
-
- # 1.3 Scan image in ACR
+ docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" .
+ docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG"
+
+ # 1.3 Scan image in ACR
- name: Scan image in ACR
uses: aliyun/acr-scan@v1
with:
@@ -75,7 +75,7 @@ jobs:
repository: "${{ env.NAMESPACE }}/${{ env.IMAGE }}"
tag: "${{ env.TAG }}"
- # 2.1 (Optional) Login to ACR EE
+ # 2.1 (Optional) Login to ACR EE
- uses: actions/checkout@v3
- name: Login to ACR EE with the AccessKey pair
uses: aliyun/acr-login@v1
@@ -86,12 +86,12 @@ jobs:
access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
instance-id: "${{ env.ACR_EE_INSTANCE_ID }}"
- # 2.2 (Optional) Build and push image ACR EE
- - name: Build and push image to ACR EE
+ # 2.2 (Optional) Build and push image ACR EE
+ - name: Build and push image to ACR EE
run: |
docker build -t "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" .
docker push "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG"
- # 2.3 (Optional) Scan image in ACR EE
+ # 2.3 (Optional) Scan image in ACR EE
- name: Scan image in ACR EE
uses: aliyun/acr-scan@v1
with:
@@ -102,7 +102,7 @@ jobs:
repository: "${{ env.ACR_EE_NAMESPACE}}/${{ env.ACR_EE_IMAGE }}"
tag: "${{ env.ACR_EE_TAG }}"
- # 3.1 Set ACK context
+ # 3.1 Set ACK context
- name: Set K8s context
uses: aliyun/ack-set-context@v1
with:
diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml
index cc2e1dd..4d98340 100644
--- a/deployments/azure-container-webapp.yml
+++ b/deployments/azure-container-webapp.yml
@@ -11,7 +11,7 @@
# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
#
-# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions.
+# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions.
#
# 4. Create three app settings on your Azure Web app:
# DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io"
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml
index 9b21895..005aef2 100644
--- a/deployments/azure-webapps-dotnet-core.yml
+++ b/deployments/azure-webapps-dotnet-core.yml
@@ -43,7 +43,7 @@ jobs:
uses: actions/setup-dotnet@v2
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
-
+
- name: Set up dependency caching for faster builds
uses: actions/cache@v3
with:
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml
index 60fa68c..c29d871 100644
--- a/deployments/azure-webapps-java-jar.yml
+++ b/deployments/azure-webapps-java-jar.yml
@@ -63,7 +63,7 @@ jobs:
environment:
name: 'Development'
url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
-
+
steps:
- name: Download artifact from build job
uses: actions/download-artifact@v3
diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml
index 98e72c2..c72b1be 100644
--- a/deployments/azure-webapps-node.yml
+++ b/deployments/azure-webapps-node.yml
@@ -70,7 +70,7 @@ jobs:
name: node-app
- name: 'Deploy to Azure WebApp'
- id: deploy-to-webapp
+ id: deploy-to-webapp
uses: azure/webapps-deploy@v2
with:
app-name: ${{ env.AZURE_WEBAPP_NAME }}
diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml
index d7aa802..0ce3ce9 100644
--- a/deployments/azure-webapps-python.yml
+++ b/deployments/azure-webapps-python.yml
@@ -51,15 +51,15 @@ jobs:
- name: Install dependencies
run: pip install -r requirements.txt
-
+
# Optional: Add step to run tests here (PyTest, Django test suites, etc.)
-
+
- name: Upload artifact for deployment jobs
uses: actions/upload-artifact@v3
with:
name: python-app
path: |
- .
+ .
!venv/
deploy:
@@ -77,7 +77,7 @@ jobs:
with:
name: python-app
path: .
-
+
- name: 'Deploy to Azure Web App'
id: deploy-to-webapp
uses: azure/webapps-deploy@v2
diff --git a/deployments/tencent.yml b/deployments/tencent.yml
index ba65fe5..3d22854 100644
--- a/deployments/tencent.yml
+++ b/deployments/tencent.yml
@@ -2,12 +2,12 @@
#
# To configure this workflow:
#
-# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster,
+# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster,
# including deployment.yml, kustomization.yml, service.yml, etc.
#
-# 2. Set up secrets in your workspace:
+# 2. Set up secrets in your workspace:
# - TENCENT_CLOUD_SECRET_ID with Tencent Cloud secret id
-# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key
+# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key
# - TENCENT_CLOUD_ACCOUNT_ID with Tencent Cloud account id
# - TKE_REGISTRY_PASSWORD with TKE registry password
#
@@ -38,10 +38,10 @@ jobs:
- name: Checkout
uses: actions/checkout@v3
-
+
# Build
- name: Build Docker image
- run: |
+ run: |
docker build -t ${TKE_IMAGE_URL}:${GITHUB_SHA} .
- name: Login TKE Registry
@@ -65,7 +65,7 @@ jobs:
secret_key: ${{ secrets.TENCENT_CLOUD_SECRET_KEY }}
tke_region: ${{ env.TKE_REGION }}
cluster_id: ${{ env.TKE_CLUSTER_ID }}
-
+
- name: Switch to TKE context
run: |
kubectl config use-context ${TKE_CLUSTER_ID}-context-default
From 417e1b988833bf9a2e61584d6ac86f0235e3116c Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Tue, 8 Nov 2022 14:09:19 +0100
Subject: [PATCH 10/36] Apply suggestions from code review
Co-authored-by: Sampark Sharma
---
code-scanning/zscan.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml
index 7f035f5..01c3b05 100644
--- a/code-scanning/zscan.yml
+++ b/code-scanning/zscan.yml
@@ -6,11 +6,11 @@
# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android)
# and identifies security, privacy, and compliance-related vulnerabilities.
#
-# Prerequisites:
+# Prerequisites:
# * An active Zimperium zScan account is required. If you are not an existing Zimperium
# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us.
# * Either GitHub Advanced Security (GHAS) or a public repository is required to display
-# issues and view the remediation information inside of GitHub code scanning alerts.
+# issues and view the remediation information inside of GitHub code scanning alerts.
#
# For additional information and setup instructions
# please visit: https://github.com/Zimperium/zScanMarketplace#readme
From ff2f23cb02201f3dec599148501033e5b9e7f164 Mon Sep 17 00:00:00 2001
From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com>
Date: Tue, 8 Nov 2022 16:05:26 +0200
Subject: [PATCH 11/36] Update frogbot-scan-pr.yml
---
code-scanning/frogbot-scan-pr.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml
index bd1a9c2..74ee41e 100644
--- a/code-scanning/frogbot-scan-pr.yml
+++ b/code-scanning/frogbot-scan-pr.yml
@@ -42,7 +42,7 @@ jobs:
# The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
- - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
+ - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694
env:
# [Mandatory]
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
From 762810aba56b19721e194f22cf5ee461b36eb635 Mon Sep 17 00:00:00 2001
From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com>
Date: Tue, 8 Nov 2022 16:05:42 +0200
Subject: [PATCH 12/36] Update frogbot-scan-and-fix.yml
---
code-scanning/frogbot-scan-and-fix.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml
index 0089f10..12414a1 100644
--- a/code-scanning/frogbot-scan-and-fix.yml
+++ b/code-scanning/frogbot-scan-and-fix.yml
@@ -37,7 +37,7 @@ jobs:
# node-version: "16.x"
- - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
+ - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694
env:
# [Mandatory]
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
From 4050b957a2285c70272bc6bfdb4b2443847d09cf Mon Sep 17 00:00:00 2001
From: SOOS-JAlvarez
Date: Tue, 8 Nov 2022 15:34:49 -0300
Subject: [PATCH 13/36] update soos dast version
---
code-scanning/soos-dast-scan.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml
index 47f6c48..8723a8b 100644
--- a/code-scanning/soos-dast-scan.yml
+++ b/code-scanning/soos-dast-scan.yml
@@ -28,7 +28,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Run SOOS DAST Scan
- uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6
+ uses: soos-io/soos-dast-github-action@5b9c65687cee49aee1c776759f25561f908be565
with:
client_id: ${{ secrets.SOOS_CLIENT_ID }}
api_key: ${{ secrets.SOOS_API_KEY }}
From a31c09a4f1fd94bb31fb3e8955e4c05c0b855cc1 Mon Sep 17 00:00:00 2001
From: Arjan Keeman
Date: Tue, 15 Nov 2022 09:52:54 +0100
Subject: [PATCH 14/36] update deprecated syntax
see https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
---
deployments/aws.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployments/aws.yml b/deployments/aws.yml
index 9585844..af7d87d 100644
--- a/deployments/aws.yml
+++ b/deployments/aws.yml
@@ -75,7 +75,7 @@ jobs:
# be deployed to ECS.
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
- echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
+ echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
From a749535e85718bb29553b8e7f6b5217e71a5ccd1 Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Wed, 16 Nov 2022 01:05:10 +0100
Subject: [PATCH 15/36] Add lint workflow
---
.github/workflows/lint.yaml | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 .github/workflows/lint.yaml
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
new file mode 100644
index 0000000..cd3fb3d
--- /dev/null
+++ b/.github/workflows/lint.yaml
@@ -0,0 +1,32 @@
+name: Lint
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+
+ pre-commit:
+ name: pre-commit
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - uses: actions/setup-python@v4
+ with:
+ python-version: 3.8
+ cache: 'pip'
+
+ - name: Cache pre-commit
+ uses: actions/cache@v3
+ with:
+ path: ~/.cache/pre-commit
+ key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
+
+ - name: Install pre-commit
+ run: pip3 install pre-commit
+
+ - name: Run pre-commit
+ run: pre-commit run --all-files --show-diff-on-failure --color always
\ No newline at end of file
From 6cd7a70d9f1db1f8485ccb48d863ef766fa0fbc1 Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Wed, 16 Nov 2022 01:05:19 +0100
Subject: [PATCH 16/36] Add pre-commit configuration file
---
.pre-commit-config.yaml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 .pre-commit-config.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..7699e82
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.3.0
+ hooks:
+ - id: trailing-whitespace
\ No newline at end of file
From 5bc87732339ec6887dbd6275cb90686464b3de3c Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Wed, 16 Nov 2022 01:16:46 +0100
Subject: [PATCH 17/36] Remove pip cache
---
.github/workflows/lint.yaml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index cd3fb3d..76c82c2 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -17,7 +17,6 @@ jobs:
- uses: actions/setup-python@v4
with:
python-version: 3.8
- cache: 'pip'
- name: Cache pre-commit
uses: actions/cache@v3
From edcef6ec3eb410566c2f21feaae17d5c4eacef6c Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 22 Nov 2022 19:23:58 +0000
Subject: [PATCH 18/36] update
---
code-scanning/scorecards.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml
index 11e305f..0e42bae 100644
--- a/code-scanning/scorecards.yml
+++ b/code-scanning/scorecards.yml
@@ -41,11 +41,11 @@ jobs:
with:
results_file: results.sarif
results_format: sarif
- # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
# - you want to enable the Branch-Protection check on a *public* repository, or
# - you are installing Scorecards on a *private* repository
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
- # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
# Public repositories:
# - Publish results to OpenSSF REST API for easy access by consumers
From d0d2da4fd3080c5a70fddd00f554a21a5aeef591 Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Tue, 22 Nov 2022 13:38:23 -0600
Subject: [PATCH 19/36] Astro: Update to use the detected package manager
---
pages/astro.yml | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/pages/astro.yml b/pages/astro.yml
index 1d4ec5f..54d4672 100644
--- a/pages/astro.yml
+++ b/pages/astro.yml
@@ -40,12 +40,10 @@ jobs:
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
echo "::set-output name=manager::yarn"
echo "::set-output name=command::install"
- echo "::set-output name=runner::yarn"
exit 0
elif [ -f "${{ github.workspace }}/package.json" ]; then
echo "::set-output name=manager::npm"
echo "::set-output name=command::ci"
- echo "::set-output name=runner::npx --no-install"
exit 0
else
echo "Unable to determine packager manager"
@@ -57,9 +55,14 @@ jobs:
node-version: "16"
cache: ${{ steps.detect-package-manager.outputs.manager }}
cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json
- - run: npm install && npm run build
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
working-directory: ${{ env.BUILD_PATH }}
- - uses: actions/upload-pages-artifact@v1
+ - name: Build with Astro
+ run: ${{ steps.detect-package-manager.outputs.manager }} run build
+ working-directory: ${{ env.BUILD_PATH }}
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
with:
path: ${{ env.BUILD_PATH }}/dist
From 1ffc2dce9f0e0d25af6d872223730be7badd2a93 Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Tue, 22 Nov 2022 13:43:51 -0600
Subject: [PATCH 20/36] Pages: Update Node.js-based workflows to use
non-deprecated mechanism for setting outputs
See https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
---
pages/astro.yml | 8 ++++----
pages/gatsby.yml | 8 ++++----
pages/nextjs.yml | 12 ++++++------
pages/nuxtjs.yml | 8 ++++----
4 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/pages/astro.yml b/pages/astro.yml
index 54d4672..9f845f3 100644
--- a/pages/astro.yml
+++ b/pages/astro.yml
@@ -38,12 +38,12 @@ jobs:
id: detect-package-manager
run: |
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
- echo "::set-output name=manager::yarn"
- echo "::set-output name=command::install"
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
exit 0
elif [ -f "${{ github.workspace }}/package.json" ]; then
- echo "::set-output name=manager::npm"
- echo "::set-output name=command::ci"
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
exit 0
else
echo "Unable to determine packager manager"
diff --git a/pages/gatsby.yml b/pages/gatsby.yml
index 4f2857d..7db9291 100644
--- a/pages/gatsby.yml
+++ b/pages/gatsby.yml
@@ -39,12 +39,12 @@ jobs:
id: detect-package-manager
run: |
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
- echo "::set-output name=manager::yarn"
- echo "::set-output name=command::install"
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
exit 0
elif [ -f "${{ github.workspace }}/package.json" ]; then
- echo "::set-output name=manager::npm"
- echo "::set-output name=command::ci"
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
exit 0
else
echo "Unable to determine packager manager"
diff --git a/pages/nextjs.yml b/pages/nextjs.yml
index 5c2bf67..7e39f83 100644
--- a/pages/nextjs.yml
+++ b/pages/nextjs.yml
@@ -34,14 +34,14 @@ jobs:
id: detect-package-manager
run: |
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
- echo "::set-output name=manager::yarn"
- echo "::set-output name=command::install"
- echo "::set-output name=runner::yarn"
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
+ echo "runner=yarn" >> $GITHUB_OUTPUT
exit 0
elif [ -f "${{ github.workspace }}/package.json" ]; then
- echo "::set-output name=manager::npm"
- echo "::set-output name=command::ci"
- echo "::set-output name=runner::npx --no-install"
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
+ echo "runner=npx --no-install" >> $GITHUB_OUTPUT
exit 0
else
echo "Unable to determine packager manager"
diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml
index 4178f18..660202e 100644
--- a/pages/nuxtjs.yml
+++ b/pages/nuxtjs.yml
@@ -34,12 +34,12 @@ jobs:
id: detect-package-manager
run: |
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
- echo "::set-output name=manager::yarn"
- echo "::set-output name=command::install"
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
exit 0
elif [ -f "${{ github.workspace }}/package.json" ]; then
- echo "::set-output name=manager::npm"
- echo "::set-output name=command::ci"
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
exit 0
else
echo "Unable to determine packager manager"
From c868fdbf8caaf8ec83c4b4e884a8546044d8c46b Mon Sep 17 00:00:00 2001
From: "James M. Greene"
Date: Tue, 22 Nov 2022 21:47:03 -0600
Subject: [PATCH 21/36] Pages: Configure Astro origin and base path using CLI
arguments
---
pages/astro.yml | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/pages/astro.yml b/pages/astro.yml
index 9f845f3..77f2924 100644
--- a/pages/astro.yml
+++ b/pages/astro.yml
@@ -40,10 +40,12 @@ jobs:
if [ -f "${{ github.workspace }}/yarn.lock" ]; then
echo "manager=yarn" >> $GITHUB_OUTPUT
echo "command=install" >> $GITHUB_OUTPUT
+ echo "runner=yarn" >> $GITHUB_OUTPUT
exit 0
elif [ -f "${{ github.workspace }}/package.json" ]; then
echo "manager=npm" >> $GITHUB_OUTPUT
echo "command=ci" >> $GITHUB_OUTPUT
+ echo "runner=npx --no-install" >> $GITHUB_OUTPUT
exit 0
else
echo "Unable to determine packager manager"
@@ -55,11 +57,17 @@ jobs:
node-version: "16"
cache: ${{ steps.detect-package-manager.outputs.manager }}
cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v2
- name: Install dependencies
run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
working-directory: ${{ env.BUILD_PATH }}
- name: Build with Astro
- run: ${{ steps.detect-package-manager.outputs.manager }} run build
+ run: |
+ ${{ steps.detect-package-manager.outputs.runner }} astro build \
+ --site "${{ steps.pages.outputs.origin }}" \
+ --base "${{ steps.pages.outputs.base_path }}"
working-directory: ${{ env.BUILD_PATH }}
- name: Upload artifact
uses: actions/upload-pages-artifact@v1
From 2f81287648d16dc1cda091d44b06368c5e73af73 Mon Sep 17 00:00:00 2001
From: Nguyen Long Nhat <27698189+torn4dom4n@users.noreply.github.com>
Date: Mon, 21 Nov 2022 01:17:23 +0700
Subject: [PATCH 22/36] Using node 18
---
pages/gatsby.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pages/gatsby.yml b/pages/gatsby.yml
index 7db9291..a288d7d 100644
--- a/pages/gatsby.yml
+++ b/pages/gatsby.yml
@@ -53,7 +53,7 @@ jobs:
- name: Setup Node
uses: actions/setup-node@v3
with:
- node-version: "16"
+ node-version: "18"
cache: ${{ steps.detect-package-manager.outputs.manager }}
- name: Setup Pages
id: pages
From e493e52668ef051fc37be7453871d17470f56e0e Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Tue, 29 Nov 2022 17:48:50 +0530
Subject: [PATCH 23/36] Check only certain files
---
.pre-commit-config.yaml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7699e82..5d6f7eb 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,5 +1,6 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.3.0
+ files: ^automation|ci|code-scanning|deployments|pages
hooks:
- - id: trailing-whitespace
\ No newline at end of file
+ - id: trailing-whitespace
From ec11d3549bcc7ca2a1df7f76461d31c70313d391 Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Tue, 29 Nov 2022 18:13:36 +0530
Subject: [PATCH 24/36] Check for only certain files
---
.pre-commit-config.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5d6f7eb..19bf39d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.3.0
- files: ^automation|ci|code-scanning|deployments|pages
hooks:
- id: trailing-whitespace
+ files: (automation/|ci/|code-scanning/|deployments/|pages/).*(yaml|yml|json)$
From 4f469603129f59fefca0072e32a2eed15002fe4c Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Thu, 1 Dec 2022 06:55:46 +0000
Subject: [PATCH 25/36] Add instructions to test templates
---
README.md | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/README.md b/README.md
index 7ff406f..1048694 100644
--- a/README.md
+++ b/README.md
@@ -50,3 +50,23 @@ These variables can be placed in the starter workflow and will be substituted as
* `$default-branch`: will substitute the branch from the repository, for example `main` and `master`
* `$protected-branches`: will substitute any protected branches from the repository
* `$cron-daily`: will substitute a valid but random time within the day
+
+## How to test templates before publishing
+
+### Disable template for public
+The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX.
+Example `properties.json` file:
+```json
+{
+ "name": "Node.js",
+ "description": "Build and test a Node.js project with npm.",
+ "iconName": "nodejs",
+ "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"],
+ "labels": ["preview"]
+}
+```
+
+Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible.
+
+### Enable template for public
+Remove the `labels` array from `properties.json` file to publish the template to public
From bd3d623e07d9ec600ba22e97a047b9afb91075f9 Mon Sep 17 00:00:00 2001
From: Sampark Sharma
Date: Thu, 1 Dec 2022 13:06:55 +0530
Subject: [PATCH 26/36] Apply suggestions from code review
Co-authored-by: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com>
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 1048694..e455e13 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ These variables can be placed in the starter workflow and will be substituted as
## How to test templates before publishing
### Disable template for public
-The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX.
+The template author adds a `labels` array in the template's `properties.json` file with a label `preview`. This will hide the template from users, unless user uses query parameter `preview=true` in the URL.
Example `properties.json` file:
```json
{
@@ -66,7 +66,7 @@ Example `properties.json` file:
}
```
-Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible.
+For viewing the templates with `preview` label, provide query parameter `preview=true` to the `new workflow` page URL. Eg. `https://github.com///actions/new?preview=true`.
### Enable template for public
Remove the `labels` array from `properties.json` file to publish the template to public
From db5c5c4b5e88807a37600118dc80be71301ba48b Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 1 Dec 2022 17:08:17 +0100
Subject: [PATCH 27/36] Apply suggestions from code review
Co-authored-by: Sampark Sharma
---
code-scanning/sonarqube.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml
index 23f79da..68585a9 100644
--- a/code-scanning/sonarqube.yml
+++ b/code-scanning/sonarqube.yml
@@ -41,7 +41,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - name: Analyze with SonarQube
+ - name: Analyze with SonarQube
# You can pin the exact commit or the version.
# uses: SonarSource/sonarqube-scan-action@v1.1.0
@@ -52,7 +52,7 @@ jobs:
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret)
with:
# Additional arguments for the sonarcloud scanner
- args:
+ args:
# Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu)
# mandatory
-Dsonar.projectKey=
@@ -63,4 +63,4 @@ jobs:
# Comma-separated paths to directories containing test source files.
#-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
# Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
- #-Dsonar.verbose= # optional, default is false
+ #-Dsonar.verbose= # optional, default is false
From 0cd0541922d9efdce53b33f9c49b01d6cd6ca54b Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 1 Dec 2022 17:13:18 +0100
Subject: [PATCH 28/36] added SHA to action definition
---
code-scanning/sonarqube.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml
index 68585a9..f01b9dc 100644
--- a/code-scanning/sonarqube.yml
+++ b/code-scanning/sonarqube.yml
@@ -45,7 +45,7 @@ jobs:
# You can pin the exact commit or the version.
# uses: SonarSource/sonarqube-scan-action@v1.1.0
- uses: SonarSource/sonarqube-scan-action@v1.1.0
+ uses: SonarSource/sonarqube-scan-action@7295e71c9583053f5bf40e9d4068a0c974603ec8
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
From 3408b65a7132d3f0ffa75a4e7a42aa2849f04a1d Mon Sep 17 00:00:00 2001
From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com>
Date: Thu, 8 Dec 2022 14:38:34 +1300
Subject: [PATCH 29/36] Update Go version to 1.19
Go 1.18 will be at end of life sometime within the coming months (Q1 2023). Go 1.19 will be around until Q3 2023, by which point 1.20 will have been released.
---
ci/go.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci/go.yml b/ci/go.yml
index 4d95674..e89f6c9 100644
--- a/ci/go.yml
+++ b/ci/go.yml
@@ -19,7 +19,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v3
with:
- go-version: 1.18
+ go-version: 1.19
- name: Build
run: go build -v ./...
From 7a584505f5655db11a8c6f01d1913bc7ab3b0a50 Mon Sep 17 00:00:00 2001
From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com>
Date: Thu, 8 Dec 2022 14:41:48 +1300
Subject: [PATCH 30/36] Fixed misspelling of "privileged"
---
.github/pull_request_template.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 0a98861..05cb4b1 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -26,7 +26,7 @@ It is not:
- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests").
- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification.
-- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
+- [ ] Should specify least privileged [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
**For _CI_ workflows, the workflow:**
From 384d799f2c7135d7c1a8c2de7c45c7b829b37c84 Mon Sep 17 00:00:00 2001
From: hadar-co
Date: Wed, 23 Nov 2022 16:19:36 +0200
Subject: [PATCH 31/36] add Datree
---
code-scanning/datree.yml | 44 +++++++++++++++++++
.../properties/datree.properties.json | 7 +++
icons/datree.svg | 1 +
3 files changed, 52 insertions(+)
create mode 100644 code-scanning/datree.yml
create mode 100644 code-scanning/properties/datree.properties.json
create mode 100644 icons/datree.svg
diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml
new file mode 100644
index 0000000..682ab5d
--- /dev/null
+++ b/code-scanning/datree.yml
@@ -0,0 +1,44 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which checks out your code and scans your desired k8s config files for misconfigurations using the Datree CLI.
+# The results are then uploaded to GitHub Security Code Scanning.
+#
+# For more information and configurations options, see https://github.com/datreeio/action-datree/
+
+name: Datree
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ main ]
+
+jobs:
+ datree:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Run Datree policy check
+ continue-on-error: true
+ uses: hadar-co/action-datree@main
+ env:
+ # In order to use the Datree action you will need to have a Datree token.
+ # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token.
+ DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
+ with:
+ # Add the path to the configuration file/s that you would like to test.
+ # See https://github.com/datreeio/action-datree#usage for all available options.
+ path: test-file.yaml
+ # Setting a SARIF output will generate a file named "datree.sarif" containing your test results
+ cliArguments: "-o sarif"
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: datree.sarif
\ No newline at end of file
diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json
new file mode 100644
index 0000000..99e07a5
--- /dev/null
+++ b/code-scanning/properties/datree.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Datree",
+ "creator": "Datree",
+ "description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning",
+ "iconName": "datree",
+ "categories": ["Code Scanning", "YAML"]
+}
\ No newline at end of file
diff --git a/icons/datree.svg b/icons/datree.svg
new file mode 100644
index 0000000..ca986c6
--- /dev/null
+++ b/icons/datree.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
From b79ff384b92634dae9948e7acda99c752827710a Mon Sep 17 00:00:00 2001
From: hadar-co
Date: Wed, 23 Nov 2022 16:37:43 +0200
Subject: [PATCH 32/36] add Datree
---
code-scanning/datree.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml
index 682ab5d..df301c7 100644
--- a/code-scanning/datree.yml
+++ b/code-scanning/datree.yml
@@ -12,10 +12,10 @@ name: Datree
on:
push:
- branches: [ main ]
+ branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
- branches: [ main ]
+ branches: [ $default-branch ]
jobs:
datree:
From 2fe9028318a16ee399cbb6fc832b30e3486f93b6 Mon Sep 17 00:00:00 2001
From: hadar-co
Date: Wed, 7 Dec 2022 16:23:25 +0200
Subject: [PATCH 33/36] fix workflow
---
code-scanning/datree.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml
index df301c7..44afd69 100644
--- a/code-scanning/datree.yml
+++ b/code-scanning/datree.yml
@@ -17,6 +17,9 @@ on:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
datree:
permissions:
@@ -27,7 +30,7 @@ jobs:
- uses: actions/checkout@v3
- name: Run Datree policy check
continue-on-error: true
- uses: hadar-co/action-datree@main
+ uses: datreeio/action-datree@de67ae7a5133d719dc794e1b75682cd4c5f94d8a
env:
# In order to use the Datree action you will need to have a Datree token.
# See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token.
@@ -41,4 +44,4 @@ jobs:
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
- sarif_file: datree.sarif
\ No newline at end of file
+ sarif_file: datree.sarif
From eaef38b7d53821181be4769ca49cd73b29a1dc95 Mon Sep 17 00:00:00 2001
From: hadar-co
Date: Wed, 7 Dec 2022 16:24:28 +0200
Subject: [PATCH 34/36] fix workflow
---
code-scanning/properties/datree.properties.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json
index 99e07a5..b7c695c 100644
--- a/code-scanning/properties/datree.properties.json
+++ b/code-scanning/properties/datree.properties.json
@@ -4,4 +4,4 @@
"description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning",
"iconName": "datree",
"categories": ["Code Scanning", "YAML"]
-}
\ No newline at end of file
+}
From bf83018c61c4c637421536d74854c789df696c20 Mon Sep 17 00:00:00 2001
From: hadar-co
Date: Thu, 8 Dec 2022 09:57:36 +0200
Subject: [PATCH 35/36] Update code-scanning/datree.yml
Co-authored-by: Sampark Sharma
---
code-scanning/datree.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml
index 44afd69..2e44682 100644
--- a/code-scanning/datree.yml
+++ b/code-scanning/datree.yml
@@ -34,7 +34,7 @@ jobs:
env:
# In order to use the Datree action you will need to have a Datree token.
# See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token.
- DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
+ DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
with:
# Add the path to the configuration file/s that you would like to test.
# See https://github.com/datreeio/action-datree#usage for all available options.
From 89d867e0d8e0e6a099005135a107deee089c5a32 Mon Sep 17 00:00:00 2001
From: Simon Engledew
Date: Tue, 13 Dec 2022 10:30:16 +0000
Subject: [PATCH 36/36] Fix code-scanning filtering for relative paths
---
script/sync-ghes/index.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts
index a320d36..f53d220 100755
--- a/script/sync-ghes/index.ts
+++ b/script/sync-ghes/index.ts
@@ -61,7 +61,7 @@ async function checkWorkflows(
const enabled =
!isPartnerWorkflow &&
- (workflowProperties.enterprise === true || folder !== 'code-scanning') &&
+ (workflowProperties.enterprise === true || basename(folder) !== 'code-scanning') &&
(await checkWorkflow(workflowFilePath, enabledActions));
const workflowDesc: WorkflowDesc = {