Merge branch 'main' into patch-2

This commit is contained in:
James M. Greene
2023-07-13 09:37:46 -05:00
committed by GitHub
44 changed files with 828 additions and 112 deletions
+1 -1
View File
@@ -35,7 +35,7 @@ jobs:
# Customize the ruby version depending on your needs
- name: Setup Ruby
uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0
uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
with:
ruby-version: '2.7'
+4 -3
View File
@@ -28,7 +28,8 @@ jobs:
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners
# Consider using larger runners for possible analysis time improvements.
runs-on: ubuntu-latest
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
actions: read
contents: read
@@ -56,11 +57,11 @@ jobs:
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
+61
View File
@@ -0,0 +1,61 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.
# https://github.com/rrrene/credo
#
# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository.
#
# Instructions:
# 1. Add :credo as a dependency to your project's mix.exs with version ~> 1.7.0-rc.1 - https://github.com/rrrene/credo#installation-and-usage
# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
# and review the "Security" tab once the action has run.
name: Credo
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
security-scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
otp: [version]
elixir: [version]
steps:
- uses: actions/checkout@v3
- uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
with:
otp-version: ${{matrix.otp}}
elixir-version: ${{matrix.elixir}}
- name: get dependencies
run: mix deps.get
- name: compile dependencies
run: mix deps.compile
- name: compile
run: mix compile
- name: credo-scan
run: mix credo --format=sarif > credo_output.sarif
- name: upload sarif
uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: credo_output.sarif
+1 -1
View File
@@ -77,7 +77,7 @@ jobs:
fi
DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json)
echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL"
echo "download_url=$DETEKT_DOWNLOAD_URL" >> $GITHUB_OUTPUT
# Sets up the detekt cli
- name: Setup Detekt
+51
View File
@@ -0,0 +1,51 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Endor Labs
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
scan:
permissions:
security-events: write # Used to upload sarif artifact to GitHub
contents: read # Used to checkout a private repository by actions/checkout.
actions: read # Required for private repositories to upload sarif files. GitHub Advanced Security licenses are required.
id-token: write # Used for keyless authentication to Endor Labs
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
#### Package Build Instructions
### Use this section to define the build steps used by your software package.
### Endor Labs builds your software for you where possible but the required build tools must be made availible.
# - name: Setup Java
# uses: actions/setup-java@v3
# with:
# distribution: 'microsoft'
# java-version: '17'
# - name: Build Package
# run: mvn clean install
- name: Endor Labs scan pull request
if: github.event_name == 'pull_request'
uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c
with:
namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
sarif_file: findings.sarif
- name: Endor Labs scan monitor
if: github.event_name == 'push'
uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c
with:
namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
ci_run: "false"
sarif_file: findings.sarif
- name: Upload SARIF to github
uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd
with:
sarif_file: findings.sarif
+27 -9
View File
@@ -7,8 +7,7 @@
# Uses JFrog Xray to scan the project.
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file:
# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
name: "Frogbot Scan and Fix"
on:
@@ -26,10 +25,17 @@ jobs:
# IMPORTANT:
# 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
# 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
# 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
- uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716
- uses: jfrog/frogbot@3395426f351556d4568e30a6dfd2909dbedae99e
env:
# [Mandatory if the two conditions below are met]
# 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
# 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
#
# The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore")
# JF_INSTALL_DEPS_CMD: ""
# [Mandatory]
# JFrog platform URL
JF_URL: ${{ secrets.JF_URL }}
@@ -38,14 +44,26 @@ jobs:
# JFrog access token with 'read' permissions on Xray service
JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
# [Mandatory]
# The GitHub token automatically generated for the job
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
# JF_USER: ${{ secrets.JF_USER }}
# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog password. Must be provided with JF_USER
# JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
# JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
# [Mandatory]
# The GitHub token automatically generated for the job
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# [Optional]
# If the machine that runs Frogbot has no access to the internat, set the name of a remote repository
# in Artifactory, which proxies https://releases.jfrog.io/artifactory
# The 'frogbot' executable and other tools it needs will be downloaded through this repository.
# JF_RELEASES_REPO: ""
# [Optional]
# Frogbot will download the project dependencies, if they're not cached locally. To download the
# dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no
# need to set this value, if it is set in the frogbot-config.yml file.
# JF_DEPS_REPO: ""
+27 -9
View File
@@ -7,8 +7,7 @@
# Uses JFrog Xray to scan the project.
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file:
# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
name: "Frogbot Scan Pull Request"
on:
@@ -31,10 +30,17 @@ jobs:
# IMPORTANT:
# 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
# 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
# 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
- uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716
- uses: jfrog/frogbot@3395426f351556d4568e30a6dfd2909dbedae99e
env:
# [Mandatory if the two conditions below are met]
# 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
# 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
#
# The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore")
# JF_INSTALL_DEPS_CMD: ""
# [Mandatory]
# JFrog platform URL
JF_URL: ${{ secrets.JF_URL }}
@@ -43,14 +49,26 @@ jobs:
# JFrog access token with 'read' permissions on Xray service
JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
# [Mandatory]
# The GitHub token automatically generated for the job
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
# JF_USER: ${{ secrets.JF_USER }}
# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog password. Must be provided with JF_USER
# JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
# JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
# [Mandatory]
# The GitHub token automatically generated for the job
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# [Optional]
# If the machine that runs Frogbot has no access to the internat, set the name of a remote repository
# in Artifactory, which proxies https://releases.jfrog.io/artifactory
# The 'frogbot' executable and other tools it needs will be downloaded through this repository.
# JF_RELEASES_REPO: ""
# [Optional]
# Frogbot will download the project dependencies, if they're not cached locally. To download the
# dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no
# need to set this value, if it is set in the frogbot-config.yml file.
# JF_DEPS_REPO: ""
@@ -2,7 +2,7 @@
"name": "CodeQL Analysis",
"creator": "GitHub",
"enterprise": true,
"description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby and Kotlin developers.",
"description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby, Kotlin and Swift developers.",
"iconName": "octicon mark-github",
"categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin"]
"categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin", "Swift"]
}
@@ -0,0 +1,7 @@
{
"name": "Credo Scan",
"creator": "Credo",
"description": "Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.",
"iconName": "code",
"categories": ["Code Scanning", "Elixir"]
}
@@ -0,0 +1,7 @@
{
"name": "Endor Labs scan",
"creator": "Endor Labs",
"description": "Identify, prioritize and address open source and code governance issues with Endor Labs.",
"iconName": "endorlabs",
"categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "ruby", "go", "kotlin", "scala" ]
}
@@ -0,0 +1,10 @@
{
"name": "Psalm Security Scan",
"creator": "psalm",
"description": "Psalm is a static analysis tool for finding errors in PHP applications",
"iconName": "psalm",
"categories": [
"Code Scanning",
"PHP"
]
}
+38
View File
@@ -0,0 +1,38 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Psalm Security Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
php-security:
runs-on: ubuntu-latest
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Psalm Security Scan
uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287
- name: Upload Security Analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
+1 -1
View File
@@ -36,7 +36,7 @@ jobs:
uses: actions/checkout@v3
- name: Setup Ruby
uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0
uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
with:
ruby-version: 2.7
bundler-cache: true
+1 -1
View File
@@ -28,7 +28,7 @@ jobs:
# If running on a self-hosted runner, check it meets the requirements
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
- name: Set up Ruby
uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0
uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
with:
ruby-version: 2.6