From 9d82221b3c47a53248149b62bc84bfdc8ba6e57d Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:23:39 +0200 Subject: [PATCH 01/36] Create sonarqube.yaml --- code-scanning/sonarqube.yaml | 65 ++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 code-scanning/sonarqube.yaml diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml new file mode 100644 index 0000000..c6fbfce --- /dev/null +++ b/code-scanning/sonarqube.yaml @@ -0,0 +1,65 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow helps you trigger a SonarQube analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. +# (this feature is available starting from Developer Edition) + +# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub) + +# 2. Import your project on SonarQube +# * Add your repository as a new project by clicking "Create project" from your homepage. +# +# 3. Select GitHub Actions as your CI and follow the tutorial +# * a. Copy/paste the Project Key and the Organization Key into the args parameter below +# (You'll find this information in SonarQube. Click on "Information" at the bottom left) +# +# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarQube, click on your avatar on top-right > My account > Security +# or go directly to https://sonarcloud.io/account/security/) + +# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) + +name: SonarQube analysis + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + workflow_dispatch: + +permissions: + pull-requests: read # allows SonarQube to decorate PRs with analysis results + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + - name: Analyze with SonarQube + + # You can pin the exact commit or the version. + # uses: SonarSource/sonarqube-scan-action@v1.1.0 + uses: SonarSource/sonarqube-scan-action@v1.1.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the sonarcloud scanner + args: + # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu) + # mandatory + -Dsonar.projectKey= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + #-Dsonar.projectBaseDir= # optional, default is . + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false From f44ecbf0e28eae370cbcbece24deff8737158257 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:29:30 +0200 Subject: [PATCH 02/36] Added comments --- code-scanning/sonarqube.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml index c6fbfce..e9b8d98 100644 --- a/code-scanning/sonarqube.yaml +++ b/code-scanning/sonarqube.yaml @@ -13,15 +13,16 @@ # * Add your repository as a new project by clicking "Create project" from your homepage. # # 3. Select GitHub Actions as your CI and follow the tutorial -# * a. Copy/paste the Project Key and the Organization Key into the args parameter below -# (You'll find this information in SonarQube. Click on "Information" at the bottom left) +# * a. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator) # -# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN -# (On SonarQube, click on your avatar on top-right > My account > Security -# or go directly to https://sonarcloud.io/account/security/) +# * b. Copy/paste your SonarQube host URL to your Github repository's secrets using the name SONAR_HOST_URL +# +# * c. Copy/paste the project Key into the args parameter below +# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage) -# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) -# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) +# Feel free to take a look at our documentation (https://docs.sonarqube.org/latest/analysis/github-integration/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/sq/10) name: SonarQube analysis From 4a1cad76c04ded3d2d1e1f20778ea3855c9e5d1d Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:57:24 +0200 Subject: [PATCH 03/36] Added reference to documentation --- code-scanning/sonarqube.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml index e9b8d98..f34d48e 100644 --- a/code-scanning/sonarqube.yaml +++ b/code-scanning/sonarqube.yaml @@ -5,7 +5,7 @@ # This workflow helps you trigger a SonarQube analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. -# (this feature is available starting from Developer Edition) +# (this feature is available starting from SonarQube 9.7, Developer Edition and above) # 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub) From c7e73d7edc4e376bfdb148a7ee0a1d732c8443f9 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:23:48 +0100 Subject: [PATCH 04/36] Update sonarqube.yaml --- code-scanning/sonarqube.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yaml index f34d48e..23f79da 100644 --- a/code-scanning/sonarqube.yaml +++ b/code-scanning/sonarqube.yaml @@ -13,10 +13,10 @@ # * Add your repository as a new project by clicking "Create project" from your homepage. # # 3. Select GitHub Actions as your CI and follow the tutorial -# * a. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN # (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator) # -# * b. Copy/paste your SonarQube host URL to your Github repository's secrets using the name SONAR_HOST_URL +# * b. Copy/paste your SonarQube host URL to your GitHub repository's secrets using the name SONAR_HOST_URL # # * c. Copy/paste the project Key into the args parameter below # (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage) From ca67faa01ca580695b67779e7cc67cf4b6586ddd Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:25:29 +0100 Subject: [PATCH 05/36] Rename sonarqube.yaml to sonarqube.yml --- code-scanning/{sonarqube.yaml => sonarqube.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename code-scanning/{sonarqube.yaml => sonarqube.yml} (100%) diff --git a/code-scanning/sonarqube.yaml b/code-scanning/sonarqube.yml similarity index 100% rename from code-scanning/sonarqube.yaml rename to code-scanning/sonarqube.yml From a5ee5608b9f19e8c4949b365711030820ead5d69 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:27:23 +0100 Subject: [PATCH 06/36] Create sonarqube.properties.json --- code-scanning/properties/sonarqube.properties.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 code-scanning/properties/sonarqube.properties.json diff --git a/code-scanning/properties/sonarqube.properties.json b/code-scanning/properties/sonarqube.properties.json new file mode 100644 index 0000000..9912c51 --- /dev/null +++ b/code-scanning/properties/sonarqube.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SonarQube", + "creator": "Sonar", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!", + "iconName": "sonarqube", + "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] +} From 4c8f3a77aa64cc3b5da5b5b244d75e07285e77d3 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:28:50 +0100 Subject: [PATCH 07/36] Add files via upload --- icons/SonarQube icon.svg | 1 + 1 file changed, 1 insertion(+) create mode 100644 icons/SonarQube icon.svg diff --git a/icons/SonarQube icon.svg b/icons/SonarQube icon.svg new file mode 100644 index 0000000..b5c23d8 --- /dev/null +++ b/icons/SonarQube icon.svg @@ -0,0 +1 @@ +SonarQube icon \ No newline at end of file From 5081d1525082e71f7be1c3eb381c7e5443e28f95 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 3 Nov 2022 11:29:30 +0100 Subject: [PATCH 08/36] Rename SonarQube icon.svg to sonarqube.svg --- icons/{SonarQube icon.svg => sonarqube.svg} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename icons/{SonarQube icon.svg => sonarqube.svg} (94%) diff --git a/icons/SonarQube icon.svg b/icons/sonarqube.svg similarity index 94% rename from icons/SonarQube icon.svg rename to icons/sonarqube.svg index b5c23d8..a4bba35 100644 --- a/icons/SonarQube icon.svg +++ b/icons/sonarqube.svg @@ -1 +1 @@ -SonarQube icon \ No newline at end of file +SonarQube icon From 0b50b4b57933ac53f9bf799ff67aea8c2bdcaddf Mon Sep 17 00:00:00 2001 From: jorgectf Date: Fri, 4 Nov 2022 20:45:41 +0100 Subject: [PATCH 09/36] Remove extra whitespaces --- .github/dependabot.yml | 6 ++--- ci/ada.yml | 2 +- ci/cmake.yml | 4 +-- ci/go-ossf-slsa3-publish.yml | 8 +++--- ci/makefile.yml | 8 +++--- ci/npm-grunt.yml | 2 +- ci/npm-gulp.yml | 2 +- ci/webpack.yml | 2 +- code-scanning/apisec-scan.yml | 6 ++--- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/clj-holmes.yml | 4 +-- code-scanning/clj-watson.yml | 6 ++--- code-scanning/cloudrail.yml | 6 ++--- code-scanning/codacy.yml | 2 +- code-scanning/codeql.yml | 6 ++--- code-scanning/codescan.yml | 2 +- code-scanning/contrast-scan.yml | 8 +++--- code-scanning/detekt.yml | 4 +-- code-scanning/devskim.yml | 2 +- code-scanning/eslint.yml | 4 +-- code-scanning/ethicalcheck.yml | 8 +++--- code-scanning/hadolint.yml | 2 +- code-scanning/lintr.yml | 2 +- code-scanning/mobsf.yml | 4 +-- code-scanning/msvc.yml | 2 +- code-scanning/neuralegion.yml | 4 +-- code-scanning/njsscan.yml | 2 +- code-scanning/ossar.yml | 2 +- code-scanning/phpmd.yml | 6 ++--- code-scanning/pmd.yml | 2 +- code-scanning/powershell.yml | 10 +++---- code-scanning/prisma.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/rust-clippy.yml | 4 +-- code-scanning/securitycodescan.yml | 6 ++--- code-scanning/semgrep.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/sobelow.yml | 6 ++--- code-scanning/sonarcloud.yml | 16 ++++++------ code-scanning/soos-dast-scan.yml | 4 +-- code-scanning/synopsys-io.yml | 16 ++++++------ code-scanning/sysdig-scan.yml | 6 ++--- code-scanning/tfsec.yml | 6 ++--- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- code-scanning/zscan.yml | 9 +++---- deployments/alibabacloud.yml | 32 +++++++++++------------ deployments/azure-container-webapp.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- deployments/azure-webapps-java-jar.yml | 2 +- deployments/azure-webapps-node.yml | 2 +- deployments/azure-webapps-python.yml | 8 +++--- deployments/tencent.yml | 12 ++++----- 56 files changed, 140 insertions(+), 141 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 62283f9..ee66df2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,12 +5,12 @@ version: 2 updates: - - package-ecosystem: "npm" + - package-ecosystem: "npm" directory: "/" schedule: interval: "weekly" - - - package-ecosystem: "github-actions" + + - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" diff --git a/ci/ada.yml b/ci/ada.yml index 7e94b38..417ed2e 100644 --- a/ci/ada.yml +++ b/ci/ada.yml @@ -17,7 +17,7 @@ jobs: - name: Set up GNAT toolchain run: > - sudo apt-get update && + sudo apt-get update && sudo apt-get install gnat gprbuild - name: Build diff --git a/ci/cmake.yml b/ci/cmake.yml index 6f06f75..95d7efd 100644 --- a/ci/cmake.yml +++ b/ci/cmake.yml @@ -31,7 +31,7 @@ jobs: - name: Test working-directory: ${{github.workspace}}/build - # Execute tests defined by the CMake configuration. + # Execute tests defined by the CMake configuration. # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail run: ctest -C ${{env.BUILD_TYPE}} - + diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml index a738875..b357cc0 100644 --- a/ci/go-ossf-slsa3-publish.yml +++ b/ci/go-ossf-slsa3-publish.yml @@ -3,10 +3,10 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow lets you compile your Go project using a SLSA3 compliant builder. -# This workflow will generate a so-called "provenance" file describing the steps +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps # that were performed to generate the final binary. -# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# The project is an initiative of the OpenSSF (openssf.org) and is developed at # https://github.com/slsa-framework/slsa-github-generator. # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. # For more information about SLSA and how it improves the supply-chain, visit slsa.dev. @@ -21,7 +21,7 @@ permissions: read-all jobs: # ======================================================================================================================================== - # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. + # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file #========================================================================================================================================= build: diff --git a/ci/makefile.yml b/ci/makefile.yml index 0156944..1b53855 100644 --- a/ci/makefile.yml +++ b/ci/makefile.yml @@ -13,15 +13,15 @@ jobs: steps: - uses: actions/checkout@v3 - + - name: configure run: ./configure - + - name: Install dependencies run: make - + - name: Run check run: make check - + - name: Run distcheck run: make distcheck diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index e39ddbf..0bcbd1c 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -13,7 +13,7 @@ jobs: strategy: matrix: node-version: [14.x, 16.x, 18.x] - + steps: - uses: actions/checkout@v3 diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index 7606dea..7d79002 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -13,7 +13,7 @@ jobs: strategy: matrix: node-version: [14.x, 16.x, 18.x] - + steps: - uses: actions/checkout@v3 diff --git a/ci/webpack.yml b/ci/webpack.yml index 0bc6406..2b8b18a 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -13,7 +13,7 @@ jobs: strategy: matrix: node-version: [14.x, 16.x, 18.x] - + steps: - uses: actions/checkout@v3 diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 209e882..09f50cd 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -3,8 +3,8 @@ # separate terms of service, privacy policy, and support # documentation. -# APIsec addresses the critical need to secure APIs before they reach production. -# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. +# APIsec addresses the critical need to secure APIs before they reach production. +# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. # Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities. # How to Get Started with APIsec.ai @@ -50,7 +50,7 @@ jobs: Trigger_APIsec_scan: permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index 957343c..5547c59 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Brakeman Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 9bdb136..582488a 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,7 +29,7 @@ jobs: issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 4487e23..87f11cb 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -16,7 +16,7 @@ on: permissions: contents: read - + jobs: clj-holmes: name: Run clj-holmes scanning @@ -24,7 +24,7 @@ jobs: permissions: contents: read security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml index 76903a9..59bfd41 100644 --- a/code-scanning/clj-watson.yml +++ b/code-scanning/clj-watson.yml @@ -6,7 +6,7 @@ # seeking for vulnerable direct/transitive dependencies and # build a report with all the information needed to help you # understand how the vulnerability manifest in your software. -# More details at https://github.com/clj-holmes/clj-watson +# More details at https://github.com/clj-holmes/clj-watson name: clj-watson @@ -29,7 +29,7 @@ jobs: permissions: contents: read security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 @@ -40,7 +40,7 @@ jobs: clj-watson-sha: "65d928c" clj-watson-tag: "v4.0.1" database-strategy: github-advisory - aliases: clojure-lsp,test + aliases: clojure-lsp,test deps-edn-path: deps.edn suggest-fix: true output-type: sarif diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 4a0cd73..e5defa3 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -9,7 +9,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -26,7 +26,7 @@ jobs: - name: Clone repo uses: actions/checkout@v3 - # For Terraform, Cloudrail requires the plan as input. So we generate it using + # For Terraform, Cloudrail requires the plan as input. So we generate it using # the Terraform core binary. - uses: hashicorp/setup-terraform@v1 with: @@ -53,6 +53,6 @@ jobs: uses: github/codeql-action/upload-sarif@v2 # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() # is needed to ensure the SARIF file is uploaded - if: always() + if: always() with: sarif_file: cloudrail_results.sarif diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 7b705bd..bbb2118 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -30,7 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Codacy Security Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 34c5de7..3f0ecfb 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -48,11 +48,11 @@ jobs: # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. - + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality - + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild @@ -61,7 +61,7 @@ jobs: # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - # If the Autobuild fails above, remove it and uncomment the following three lines. + # If the Autobuild fails above, remove it and uncomment the following three lines. # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. # - run: | diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index a9f1053..0959d23 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout repository diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 4e4deb7..ff3d9d3 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -8,7 +8,7 @@ # Contrast Scan currently supports Java, JavaScript and .NET artifacts. # For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action -# Pre-requisites: +# Pre-requisites: # All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action. # The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER. @@ -30,7 +30,7 @@ jobs: permissions: contents: read # for actions/checkout security-events: write # for github/codeql-action/upload-sarif - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # check out project steps: @@ -38,7 +38,7 @@ jobs: # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here. # -name: Build Project # ... - # Scan Artifact + # Scan Artifact - name: Contrast Scan Action uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 with: @@ -46,7 +46,7 @@ jobs: apiKey: ${{ secrets.CONTRAST_API_KEY }} orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} - #Upload the results to GitHub + #Upload the results to GitHub - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 0c65813..a13a517 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -69,13 +69,13 @@ jobs: } } ' 1> gh_response.json - + DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json) if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then echo "Release tag doesn't match expected commit SHA" exit 1 fi - + DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index bf11261..4abd6ca 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -27,7 +27,7 @@ jobs: - name: Run DevSkim scanner uses: microsoft/DevSkim-Action@v1 - + - name: Upload DevSkim scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 54b01c8..fcb4f21 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: read security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 @@ -39,7 +39,7 @@ jobs: run: npx eslint . --config .eslintrc.js --ext .js,.jsx,.ts,.tsx - --format @microsoft/eslint-formatter-sarif + --format @microsoft/eslint-formatter-sarif --output-file eslint-results.sarif continue-on-error: true diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index 2818bc6..a68d0a2 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml @@ -44,12 +44,12 @@ on: permissions: contents: read - + jobs: Trigger_EthicalCheck: permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: @@ -61,9 +61,9 @@ jobs: # The email address to which the penetration test report will be sent. email: "xxx@apisec.ai" sarif-result-file: "ethicalcheck-results.sarif" - + - name: Upload sarif file to repository uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ./ethicalcheck-results.sarif - + diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 3153652..68aebaa 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 350df19..8a6de57 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml @@ -29,7 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 1013749..2146248 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -9,7 +9,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -21,7 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index e8dac88..172d855 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Analyze runs-on: windows-latest diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml index e24e14a..e9189d5 100644 --- a/code-scanning/neuralegion.yml +++ b/code-scanning/neuralegion.yml @@ -50,7 +50,7 @@ # # `restart_scan` # -# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. +# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. # # _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)` # @@ -95,7 +95,7 @@ # # `hosts_filter` # -# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. +# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. # # Outputs # diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index d766a6f..81e3650 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: njsscan code scanning steps: diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index 2bd91dd..63a7515 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: windows-latest steps: diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index d10ace1..686551a 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml @@ -2,9 +2,9 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. -# PHPMD is a spin-off project of PHP Depend and +# PHPMD is a spin-off project of PHP Depend and # aims to be a PHP equivalent of the well known Java tool PMD. -# What PHPMD does is: It takes a given PHP source code base +# What PHPMD does is: It takes a given PHP source code base # and look for several potential problems within that source. # These problems can be things like: # Possible bugs @@ -34,7 +34,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 8115116..6b5b7ea 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -21,7 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index 02e5de7..1e8a426 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -16,7 +16,7 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly - + permissions: contents: read @@ -25,7 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: PSScriptAnalyzer runs-on: ubuntu-latest steps: @@ -37,11 +37,11 @@ jobs: # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. path: .\ - recurse: true - # Include your own basic security rules. Removing this option will run all the rules + recurse: true + # Include your own basic security rules. Removing this option will run all the rules includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"' output: results.sarif - + # Upload the SARIF file generated in the previous step - name: Upload SARIF results file uses: github/codeql-action/upload-sarif@v2 diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 1a12b86..9b24386 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -29,7 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 50b86db..26b6cca 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml @@ -29,7 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index c5f10ee..90583f3 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -4,7 +4,7 @@ # documentation. # rust-clippy is a tool that runs a bunch of lints to catch common # mistakes in your Rust code and help improve your Rust code. -# More details at https://github.com/rust-lang/rust-clippy +# More details at https://github.com/rust-lang/rust-clippy # and https://rust-lang.github.io/rust-clippy/ name: rust-clippy analyze @@ -25,7 +25,7 @@ jobs: permissions: contents: read security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index b6ee5ad..7a93d8a 100644 --- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -24,11 +24,11 @@ jobs: - uses: actions/checkout@v3 - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 - uses: microsoft/setup-msbuild@v1.0.2 - + - name: Set up projects for analysis uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d - - - name: Restore dependencies + + - name: Restore dependencies run: dotnet restore - name: Build diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index b10a930..23486e4 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index a232c53..c3756c8 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -30,7 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index 3ca1035..aedf2a3 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -29,7 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 7d38c77..61d376f 100644 --- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml @@ -16,7 +16,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -28,11 +28,11 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v3 - id: run-action uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 - name: Upload report diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index ff388c8..41075e4 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow helps you trigger a SonarCloud analysis of your code and populates +# This workflow helps you trigger a SonarCloud analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. # Free for open source project. @@ -11,16 +11,16 @@ # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. -# * Please note that many languages are eligible for automatic analysis, +# * Please note that many languages are eligible for automatic analysis, # which means that the analysis will start automatically without the need to set up GitHub Actions. # * This behavior can be changed in Administration > Analysis Method. -# +# # 3. Follow the SonarCloud in-product tutorial # * a. Copy/paste the Project Key and the Organization Key into the args parameter below # (You'll find this information in SonarCloud. Click on "Information" at the bottom left) # # * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN -# (On SonarCloud, click on your avatar on top-right > My account > Security +# (On SonarCloud, click on your avatar on top-right > My account > Security # or go directly to https://sonarcloud.io/account/security/) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) @@ -41,9 +41,9 @@ permissions: jobs: Analysis: runs-on: ubuntu-latest - + steps: - - name: Analyze with SonarCloud + - name: Analyze with SonarCloud # You can pin the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 @@ -53,7 +53,7 @@ jobs: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments for the sonarcloud scanner - args: + args: # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) # mandatory -Dsonar.projectKey= @@ -65,4 +65,4 @@ jobs: # Comma-separated paths to directories containing test source files. #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - #-Dsonar.verbose= # optional, default is false + #-Dsonar.verbose= # optional, default is false diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 95dfd67..2ab3d4c 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -12,7 +12,7 @@ # # 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here. # -# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. +# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. # # 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token. # @@ -29,7 +29,7 @@ jobs: soos: permissions: security-events: write # for uploading code scanning alert info - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: SOOS DAST Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index c32334c..61169e2 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -22,11 +22,11 @@ jobs: actions: read contents: read security-events: write - + steps: - name: Checkout repository uses: actions/checkout@v3 - + - name: Synopsys Intelligent Security Scan id: prescription uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 @@ -36,7 +36,7 @@ jobs: workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} stage: "IO" - + # Please note that the ID in previous step was set to prescription # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN # is defined in settings @@ -48,7 +48,7 @@ jobs: wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip unzip -j polaris_cli-linux64.zip -d /tmp /tmp/polaris analyze -w - + # Please note that the ID in previous step was set to prescription # in order for this logic to work - name: Software Composition Analysis with Black Duck @@ -56,7 +56,7 @@ jobs: uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38 with: args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' - + - name: Synopsys Intelligent Security Scan if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 @@ -64,11 +64,11 @@ jobs: ioServerUrl: ${{secrets.IO_SERVER_URL}} ioServerToken: ${{secrets.IO_SERVER_TOKEN}} workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} - additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} - --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} + --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} stage: "WORKFLOW" - + - name: Upload SARIF file if: ${{steps.prescription.outputs.sastScan == 'true' }} uses: github/codeql-action/upload-sarif@v2 diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f9b61b9..8c13a4b 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -24,7 +24,7 @@ jobs: checks: write # for sysdiglabs/scan-action to publish the checks contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: @@ -39,7 +39,7 @@ jobs: id: scan uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 with: - # Tag of the image to analyse. + # Tag of the image to analyse. # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above image-tag: ${{ github.repository }}:latest # API token for Sysdig Scanning auth @@ -47,7 +47,7 @@ jobs: # Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ # US-East https://secure.sysdig.com # US-West https://us2.app.sysdig.com - # EU https://eu1.app.sysdig.com + # EU https://eu1.app.sysdig.com sysdig-secure-url: https://us2.app.sysdig.com dockerfile-path: ./Dockerfile input-type: docker-daemon diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 77f8156..48ee4d2 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -9,7 +9,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -29,10 +29,10 @@ jobs: - name: Run tfsec uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f with: - sarif_file: tfsec.sarif + sarif_file: tfsec.sarif - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository - sarif_file: tfsec.sarif + sarif_file: tfsec.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index f56d9e5..4a8fe41 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -22,7 +22,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build runs-on: "ubuntu-18.04" steps: diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 89d35df..04fc814 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 5724a97..8fd5c7b 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -51,7 +51,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml index 1ac6bbd..7f035f5 100644 --- a/code-scanning/zscan.yml +++ b/code-scanning/zscan.yml @@ -3,16 +3,16 @@ # separate terms of service, privacy policy, and support # documentation. # -# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) +# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) # and identifies security, privacy, and compliance-related vulnerabilities. ​ # # Prerequisites: ​ # * An active Zimperium zScan account is required. If you are not an existing Zimperium # zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us. -# * Either GitHub Advanced Security (GHAS) or a public repository is required to display +# * Either GitHub Advanced Security (GHAS) or a public repository is required to display # issues and view the remediation information inside of GitHub code scanning alerts. ​ # -# For additional information and setup instructions +# For additional information and setup instructions # please visit: https://github.com/Zimperium/zScanMarketplace#readme name: "Zimperium zScan" @@ -33,7 +33,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout repository uses: actions/checkout@v3 @@ -58,4 +58,3 @@ jobs: uses: github/codeql-action/upload-sarif@v2 with: sarif_file: Zimperium.sarif - \ No newline at end of file diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 9853b75..96d5d38 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -3,7 +3,7 @@ # # To use this workflow, you will need to complete the following set-up steps: # -# 1. Create an ACR repository to store your container images. +# 1. Create an ACR repository to store your container images. # You can use ACR EE instance for more security and better performance. # For instructions see https://www.alibabacloud.com/help/doc-detail/142168.htm # @@ -14,7 +14,7 @@ # 3. Store your AccessKey pair in GitHub Actions secrets named `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET`. # For instructions on setting up secrets see: https://developer.github.com/actions/managing-workflows/storing-secrets/ # -# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME. +# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME. # name: Build and Deploy to ACK @@ -46,12 +46,12 @@ jobs: build: runs-on: ubuntu-latest environment: production - + steps: - name: Checkout uses: actions/checkout@v3 - - # 1.1 Login to ACR + + # 1.1 Login to ACR - name: Login to ACR with the AccessKey pair uses: aliyun/acr-login@v1 with: @@ -59,13 +59,13 @@ jobs: access-key-id: "${{ secrets.ACCESS_KEY_ID }}" access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" - # 1.2 Buid and push image to ACR - - name: Build and push image to ACR + # 1.2 Buid and push image to ACR + - name: Build and push image to ACR run: | - docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" . - docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" - - # 1.3 Scan image in ACR + docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" . + docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" + + # 1.3 Scan image in ACR - name: Scan image in ACR uses: aliyun/acr-scan@v1 with: @@ -75,7 +75,7 @@ jobs: repository: "${{ env.NAMESPACE }}/${{ env.IMAGE }}" tag: "${{ env.TAG }}" - # 2.1 (Optional) Login to ACR EE + # 2.1 (Optional) Login to ACR EE - uses: actions/checkout@v3 - name: Login to ACR EE with the AccessKey pair uses: aliyun/acr-login@v1 @@ -86,12 +86,12 @@ jobs: access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" instance-id: "${{ env.ACR_EE_INSTANCE_ID }}" - # 2.2 (Optional) Build and push image ACR EE - - name: Build and push image to ACR EE + # 2.2 (Optional) Build and push image ACR EE + - name: Build and push image to ACR EE run: | docker build -t "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" . docker push "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" - # 2.3 (Optional) Scan image in ACR EE + # 2.3 (Optional) Scan image in ACR EE - name: Scan image in ACR EE uses: aliyun/acr-scan@v1 with: @@ -102,7 +102,7 @@ jobs: repository: "${{ env.ACR_EE_NAMESPACE}}/${{ env.ACR_EE_IMAGE }}" tag: "${{ env.ACR_EE_TAG }}" - # 3.1 Set ACK context + # 3.1 Set ACK context - name: Set K8s context uses: aliyun/ack-set-context@v1 with: diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index cc2e1dd..4d98340 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -11,7 +11,7 @@ # 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. # For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret # -# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions. +# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions. # # 4. Create three app settings on your Azure Web app: # DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io" diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 9b21895..005aef2 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -43,7 +43,7 @@ jobs: uses: actions/setup-dotnet@v2 with: dotnet-version: ${{ env.DOTNET_VERSION }} - + - name: Set up dependency caching for faster builds uses: actions/cache@v3 with: diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 60fa68c..c29d871 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -63,7 +63,7 @@ jobs: environment: name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - + steps: - name: Download artifact from build job uses: actions/download-artifact@v3 diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 98e72c2..c72b1be 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -70,7 +70,7 @@ jobs: name: node-app - name: 'Deploy to Azure WebApp' - id: deploy-to-webapp + id: deploy-to-webapp uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index d7aa802..0ce3ce9 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -51,15 +51,15 @@ jobs: - name: Install dependencies run: pip install -r requirements.txt - + # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - + - name: Upload artifact for deployment jobs uses: actions/upload-artifact@v3 with: name: python-app path: | - . + . !venv/ deploy: @@ -77,7 +77,7 @@ jobs: with: name: python-app path: . - + - name: 'Deploy to Azure Web App' id: deploy-to-webapp uses: azure/webapps-deploy@v2 diff --git a/deployments/tencent.yml b/deployments/tencent.yml index ba65fe5..3d22854 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -2,12 +2,12 @@ # # To configure this workflow: # -# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster, +# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster, # including deployment.yml, kustomization.yml, service.yml, etc. # -# 2. Set up secrets in your workspace: +# 2. Set up secrets in your workspace: # - TENCENT_CLOUD_SECRET_ID with Tencent Cloud secret id -# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key +# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key # - TENCENT_CLOUD_ACCOUNT_ID with Tencent Cloud account id # - TKE_REGISTRY_PASSWORD with TKE registry password # @@ -38,10 +38,10 @@ jobs: - name: Checkout uses: actions/checkout@v3 - + # Build - name: Build Docker image - run: | + run: | docker build -t ${TKE_IMAGE_URL}:${GITHUB_SHA} . - name: Login TKE Registry @@ -65,7 +65,7 @@ jobs: secret_key: ${{ secrets.TENCENT_CLOUD_SECRET_KEY }} tke_region: ${{ env.TKE_REGION }} cluster_id: ${{ env.TKE_CLUSTER_ID }} - + - name: Switch to TKE context run: | kubectl config use-context ${TKE_CLUSTER_ID}-context-default From 417e1b988833bf9a2e61584d6ac86f0235e3116c Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Tue, 8 Nov 2022 14:09:19 +0100 Subject: [PATCH 10/36] Apply suggestions from code review Co-authored-by: Sampark Sharma --- code-scanning/zscan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml index 7f035f5..01c3b05 100644 --- a/code-scanning/zscan.yml +++ b/code-scanning/zscan.yml @@ -6,11 +6,11 @@ # The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) # and identifies security, privacy, and compliance-related vulnerabilities. ​ # -# Prerequisites: ​ +# Prerequisites: # * An active Zimperium zScan account is required. If you are not an existing Zimperium # zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us. # * Either GitHub Advanced Security (GHAS) or a public repository is required to display -# issues and view the remediation information inside of GitHub code scanning alerts. ​ +# issues and view the remediation information inside of GitHub code scanning alerts.​ # # For additional information and setup instructions # please visit: https://github.com/Zimperium/zScanMarketplace#readme From ff2f23cb02201f3dec599148501033e5b9e7f164 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 8 Nov 2022 16:05:26 +0200 Subject: [PATCH 11/36] Update frogbot-scan-pr.yml --- code-scanning/frogbot-scan-pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index bd1a9c2..74ee41e 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 + - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) From 762810aba56b19721e194f22cf5ee461b36eb635 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 8 Nov 2022 16:05:42 +0200 Subject: [PATCH 12/36] Update frogbot-scan-and-fix.yml --- code-scanning/frogbot-scan-and-fix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 0089f10..12414a1 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -37,7 +37,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 + - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) From 4050b957a2285c70272bc6bfdb4b2443847d09cf Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Tue, 8 Nov 2022 15:34:49 -0300 Subject: [PATCH 13/36] update soos dast version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 47f6c48..8723a8b 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 + uses: soos-io/soos-dast-github-action@5b9c65687cee49aee1c776759f25561f908be565 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From a31c09a4f1fd94bb31fb3e8955e4c05c0b855cc1 Mon Sep 17 00:00:00 2001 From: Arjan Keeman Date: Tue, 15 Nov 2022 09:52:54 +0100 Subject: [PATCH 14/36] update deprecated syntax see https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ --- deployments/aws.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/aws.yml b/deployments/aws.yml index 9585844..af7d87d 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -75,7 +75,7 @@ jobs: # be deployed to ECS. docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" + echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT - name: Fill in the new image ID in the Amazon ECS task definition id: task-def From a749535e85718bb29553b8e7f6b5217e71a5ccd1 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Wed, 16 Nov 2022 01:05:10 +0100 Subject: [PATCH 15/36] Add lint workflow --- .github/workflows/lint.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/lint.yaml diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml new file mode 100644 index 0000000..cd3fb3d --- /dev/null +++ b/.github/workflows/lint.yaml @@ -0,0 +1,32 @@ +name: Lint + +on: + pull_request: + branches: + - main + +jobs: + + pre-commit: + name: pre-commit + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - uses: actions/setup-python@v4 + with: + python-version: 3.8 + cache: 'pip' + + - name: Cache pre-commit + uses: actions/cache@v3 + with: + path: ~/.cache/pre-commit + key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }} + + - name: Install pre-commit + run: pip3 install pre-commit + + - name: Run pre-commit + run: pre-commit run --all-files --show-diff-on-failure --color always \ No newline at end of file From 6cd7a70d9f1db1f8485ccb48d863ef766fa0fbc1 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Wed, 16 Nov 2022 01:05:19 +0100 Subject: [PATCH 16/36] Add pre-commit configuration file --- .pre-commit-config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..7699e82 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,5 @@ +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.3.0 + hooks: + - id: trailing-whitespace \ No newline at end of file From 5bc87732339ec6887dbd6275cb90686464b3de3c Mon Sep 17 00:00:00 2001 From: jorgectf Date: Wed, 16 Nov 2022 01:16:46 +0100 Subject: [PATCH 17/36] Remove pip cache --- .github/workflows/lint.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index cd3fb3d..76c82c2 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -17,7 +17,6 @@ jobs: - uses: actions/setup-python@v4 with: python-version: 3.8 - cache: 'pip' - name: Cache pre-commit uses: actions/cache@v3 From edcef6ec3eb410566c2f21feaae17d5c4eacef6c Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 22 Nov 2022 19:23:58 +0000 Subject: [PATCH 18/36] update --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 11e305f..0e42bae 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -41,11 +41,11 @@ jobs: with: results_file: results.sarif results_format: sarif - # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecards on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. - # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + # repo_token: ${{ secrets.SCORECARD_TOKEN }} # Public repositories: # - Publish results to OpenSSF REST API for easy access by consumers From d0d2da4fd3080c5a70fddd00f554a21a5aeef591 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 22 Nov 2022 13:38:23 -0600 Subject: [PATCH 19/36] Astro: Update to use the detected package manager --- pages/astro.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 1d4ec5f..54d4672 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -40,12 +40,10 @@ jobs: if [ -f "${{ github.workspace }}/yarn.lock" ]; then echo "::set-output name=manager::yarn" echo "::set-output name=command::install" - echo "::set-output name=runner::yarn" exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then echo "::set-output name=manager::npm" echo "::set-output name=command::ci" - echo "::set-output name=runner::npx --no-install" exit 0 else echo "Unable to determine packager manager" @@ -57,9 +55,14 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json - - run: npm install && npm run build + - name: Install dependencies + run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} working-directory: ${{ env.BUILD_PATH }} - - uses: actions/upload-pages-artifact@v1 + - name: Build with Astro + run: ${{ steps.detect-package-manager.outputs.manager }} run build + working-directory: ${{ env.BUILD_PATH }} + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 with: path: ${{ env.BUILD_PATH }}/dist From 1ffc2dce9f0e0d25af6d872223730be7badd2a93 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 22 Nov 2022 13:43:51 -0600 Subject: [PATCH 20/36] Pages: Update Node.js-based workflows to use non-deprecated mechanism for setting outputs See https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ --- pages/astro.yml | 8 ++++---- pages/gatsby.yml | 8 ++++---- pages/nextjs.yml | 12 ++++++------ pages/nuxtjs.yml | 8 ++++---- 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 54d4672..9f845f3 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -38,12 +38,12 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 4f2857d..7db9291 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -39,12 +39,12 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 5c2bf67..7e39f83 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -34,14 +34,14 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" - echo "::set-output name=runner::yarn" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT + echo "runner=yarn" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" - echo "::set-output name=runner::npx --no-install" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT + echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 4178f18..660202e 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -34,12 +34,12 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" From c868fdbf8caaf8ec83c4b4e884a8546044d8c46b Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 22 Nov 2022 21:47:03 -0600 Subject: [PATCH 21/36] Pages: Configure Astro origin and base path using CLI arguments --- pages/astro.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/pages/astro.yml b/pages/astro.yml index 9f845f3..77f2924 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -40,10 +40,12 @@ jobs: if [ -f "${{ github.workspace }}/yarn.lock" ]; then echo "manager=yarn" >> $GITHUB_OUTPUT echo "command=install" >> $GITHUB_OUTPUT + echo "runner=yarn" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then echo "manager=npm" >> $GITHUB_OUTPUT echo "command=ci" >> $GITHUB_OUTPUT + echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" @@ -55,11 +57,17 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json + - name: Setup Pages + id: pages + uses: actions/configure-pages@v2 - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} working-directory: ${{ env.BUILD_PATH }} - name: Build with Astro - run: ${{ steps.detect-package-manager.outputs.manager }} run build + run: | + ${{ steps.detect-package-manager.outputs.runner }} astro build \ + --site "${{ steps.pages.outputs.origin }}" \ + --base "${{ steps.pages.outputs.base_path }}" working-directory: ${{ env.BUILD_PATH }} - name: Upload artifact uses: actions/upload-pages-artifact@v1 From 2f81287648d16dc1cda091d44b06368c5e73af73 Mon Sep 17 00:00:00 2001 From: Nguyen Long Nhat <27698189+torn4dom4n@users.noreply.github.com> Date: Mon, 21 Nov 2022 01:17:23 +0700 Subject: [PATCH 22/36] Using node 18 --- pages/gatsby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 7db9291..a288d7d 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -53,7 +53,7 @@ jobs: - name: Setup Node uses: actions/setup-node@v3 with: - node-version: "16" + node-version: "18" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages From e493e52668ef051fc37be7453871d17470f56e0e Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 29 Nov 2022 17:48:50 +0530 Subject: [PATCH 23/36] Check only certain files --- .pre-commit-config.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7699e82..5d6f7eb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,5 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.3.0 + files: ^automation|ci|code-scanning|deployments|pages hooks: - - id: trailing-whitespace \ No newline at end of file + - id: trailing-whitespace From ec11d3549bcc7ca2a1df7f76461d31c70313d391 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 29 Nov 2022 18:13:36 +0530 Subject: [PATCH 24/36] Check for only certain files --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5d6f7eb..19bf39d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.3.0 - files: ^automation|ci|code-scanning|deployments|pages hooks: - id: trailing-whitespace + files: (automation/|ci/|code-scanning/|deployments/|pages/).*(yaml|yml|json)$ From 4f469603129f59fefca0072e32a2eed15002fe4c Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 1 Dec 2022 06:55:46 +0000 Subject: [PATCH 25/36] Add instructions to test templates --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 7ff406f..1048694 100644 --- a/README.md +++ b/README.md @@ -50,3 +50,23 @@ These variables can be placed in the starter workflow and will be substituted as * `$default-branch`: will substitute the branch from the repository, for example `main` and `master` * `$protected-branches`: will substitute any protected branches from the repository * `$cron-daily`: will substitute a valid but random time within the day + +## How to test templates before publishing + +### Disable template for public +The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX. +Example `properties.json` file: +```json +{ + "name": "Node.js", + "description": "Build and test a Node.js project with npm.", + "iconName": "nodejs", + "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"], + "labels": ["preview"] +} +``` + +Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible. + +### Enable template for public +Remove the `labels` array from `properties.json` file to publish the template to public From bd3d623e07d9ec600ba22e97a047b9afb91075f9 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 1 Dec 2022 13:06:55 +0530 Subject: [PATCH 26/36] Apply suggestions from code review Co-authored-by: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1048694..e455e13 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ These variables can be placed in the starter workflow and will be substituted as ## How to test templates before publishing ### Disable template for public -The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX. +The template author adds a `labels` array in the template's `properties.json` file with a label `preview`. This will hide the template from users, unless user uses query parameter `preview=true` in the URL. Example `properties.json` file: ```json { @@ -66,7 +66,7 @@ Example `properties.json` file: } ``` -Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible. +For viewing the templates with `preview` label, provide query parameter `preview=true` to the `new workflow` page URL. Eg. `https://github.com///actions/new?preview=true`. ### Enable template for public Remove the `labels` array from `properties.json` file to publish the template to public From db5c5c4b5e88807a37600118dc80be71301ba48b Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 1 Dec 2022 17:08:17 +0100 Subject: [PATCH 27/36] Apply suggestions from code review Co-authored-by: Sampark Sharma --- code-scanning/sonarqube.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml index 23f79da..68585a9 100644 --- a/code-scanning/sonarqube.yml +++ b/code-scanning/sonarqube.yml @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Analyze with SonarQube + - name: Analyze with SonarQube # You can pin the exact commit or the version. # uses: SonarSource/sonarqube-scan-action@v1.1.0 @@ -52,7 +52,7 @@ jobs: SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments for the sonarcloud scanner - args: + args: # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu) # mandatory -Dsonar.projectKey= @@ -63,4 +63,4 @@ jobs: # Comma-separated paths to directories containing test source files. #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - #-Dsonar.verbose= # optional, default is false + #-Dsonar.verbose= # optional, default is false From 0cd0541922d9efdce53b33f9c49b01d6cd6ca54b Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 1 Dec 2022 17:13:18 +0100 Subject: [PATCH 28/36] added SHA to action definition --- code-scanning/sonarqube.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarqube.yml b/code-scanning/sonarqube.yml index 68585a9..f01b9dc 100644 --- a/code-scanning/sonarqube.yml +++ b/code-scanning/sonarqube.yml @@ -45,7 +45,7 @@ jobs: # You can pin the exact commit or the version. # uses: SonarSource/sonarqube-scan-action@v1.1.0 - uses: SonarSource/sonarqube-scan-action@v1.1.0 + uses: SonarSource/sonarqube-scan-action@7295e71c9583053f5bf40e9d4068a0c974603ec8 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) From 3408b65a7132d3f0ffa75a4e7a42aa2849f04a1d Mon Sep 17 00:00:00 2001 From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com> Date: Thu, 8 Dec 2022 14:38:34 +1300 Subject: [PATCH 29/36] Update Go version to 1.19 Go 1.18 will be at end of life sometime within the coming months (Q1 2023). Go 1.19 will be around until Q3 2023, by which point 1.20 will have been released. --- ci/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/go.yml b/ci/go.yml index 4d95674..e89f6c9 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -19,7 +19,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.18 + go-version: 1.19 - name: Build run: go build -v ./... From 7a584505f5655db11a8c6f01d1913bc7ab3b0a50 Mon Sep 17 00:00:00 2001 From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com> Date: Thu, 8 Dec 2022 14:41:48 +1300 Subject: [PATCH 30/36] Fixed misspelling of "privileged" --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 0a98861..05cb4b1 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -26,7 +26,7 @@ It is not: - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. -- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. +- [ ] Should specify least privileged [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. **For _CI_ workflows, the workflow:** From 384d799f2c7135d7c1a8c2de7c45c7b829b37c84 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 23 Nov 2022 16:19:36 +0200 Subject: [PATCH 31/36] add Datree --- code-scanning/datree.yml | 44 +++++++++++++++++++ .../properties/datree.properties.json | 7 +++ icons/datree.svg | 1 + 3 files changed, 52 insertions(+) create mode 100644 code-scanning/datree.yml create mode 100644 code-scanning/properties/datree.properties.json create mode 100644 icons/datree.svg diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml new file mode 100644 index 0000000..682ab5d --- /dev/null +++ b/code-scanning/datree.yml @@ -0,0 +1,44 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out your code and scans your desired k8s config files for misconfigurations using the Datree CLI. +# The results are then uploaded to GitHub Security Code Scanning. +# +# For more information and configurations options, see https://github.com/datreeio/action-datree/ + +name: Datree + +on: + push: + branches: [ main ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ main ] + +jobs: + datree: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Run Datree policy check + continue-on-error: true + uses: hadar-co/action-datree@main + env: + # In order to use the Datree action you will need to have a Datree token. + # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. + DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} + with: + # Add the path to the configuration file/s that you would like to test. + # See https://github.com/datreeio/action-datree#usage for all available options. + path: test-file.yaml + # Setting a SARIF output will generate a file named "datree.sarif" containing your test results + cliArguments: "-o sarif" + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: datree.sarif \ No newline at end of file diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json new file mode 100644 index 0000000..99e07a5 --- /dev/null +++ b/code-scanning/properties/datree.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Datree", + "creator": "Datree", + "description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning", + "iconName": "datree", + "categories": ["Code Scanning", "YAML"] +} \ No newline at end of file diff --git a/icons/datree.svg b/icons/datree.svg new file mode 100644 index 0000000..ca986c6 --- /dev/null +++ b/icons/datree.svg @@ -0,0 +1 @@ + \ No newline at end of file From b79ff384b92634dae9948e7acda99c752827710a Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 23 Nov 2022 16:37:43 +0200 Subject: [PATCH 32/36] add Datree --- code-scanning/datree.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index 682ab5d..df301c7 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -12,10 +12,10 @@ name: Datree on: push: - branches: [ main ] + branches: [ $default-branch, $protected-branches ] pull_request: # The branches below must be a subset of the branches above - branches: [ main ] + branches: [ $default-branch ] jobs: datree: From 2fe9028318a16ee399cbb6fc832b30e3486f93b6 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 7 Dec 2022 16:23:25 +0200 Subject: [PATCH 33/36] fix workflow --- code-scanning/datree.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index df301c7..44afd69 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -17,6 +17,9 @@ on: # The branches below must be a subset of the branches above branches: [ $default-branch ] +permissions: + contents: read + jobs: datree: permissions: @@ -27,7 +30,7 @@ jobs: - uses: actions/checkout@v3 - name: Run Datree policy check continue-on-error: true - uses: hadar-co/action-datree@main + uses: datreeio/action-datree@de67ae7a5133d719dc794e1b75682cd4c5f94d8a env: # In order to use the Datree action you will need to have a Datree token. # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. @@ -41,4 +44,4 @@ jobs: - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: datree.sarif \ No newline at end of file + sarif_file: datree.sarif From eaef38b7d53821181be4769ca49cd73b29a1dc95 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 7 Dec 2022 16:24:28 +0200 Subject: [PATCH 34/36] fix workflow --- code-scanning/properties/datree.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json index 99e07a5..b7c695c 100644 --- a/code-scanning/properties/datree.properties.json +++ b/code-scanning/properties/datree.properties.json @@ -4,4 +4,4 @@ "description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning", "iconName": "datree", "categories": ["Code Scanning", "YAML"] -} \ No newline at end of file +} From bf83018c61c4c637421536d74854c789df696c20 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Thu, 8 Dec 2022 09:57:36 +0200 Subject: [PATCH 35/36] Update code-scanning/datree.yml Co-authored-by: Sampark Sharma --- code-scanning/datree.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index 44afd69..2e44682 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -34,7 +34,7 @@ jobs: env: # In order to use the Datree action you will need to have a Datree token. # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. - DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} + DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} with: # Add the path to the configuration file/s that you would like to test. # See https://github.com/datreeio/action-datree#usage for all available options. From 89d867e0d8e0e6a099005135a107deee089c5a32 Mon Sep 17 00:00:00 2001 From: Simon Engledew Date: Tue, 13 Dec 2022 10:30:16 +0000 Subject: [PATCH 36/36] Fix code-scanning filtering for relative paths --- script/sync-ghes/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index a320d36..f53d220 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -61,7 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && - (workflowProperties.enterprise === true || folder !== 'code-scanning') && + (workflowProperties.enterprise === true || basename(folder) !== 'code-scanning') && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = {