Merge branch 'main' into dependabot/github_actions/actions/cache-4

This commit is contained in:
Anthony Zavala
2025-04-21 17:17:28 -07:00
committed by GitHub
123 changed files with 1315 additions and 509 deletions
+2 -1
View File
@@ -1,3 +1,4 @@
# Add 'code-scanning' label to any changes within 'code-scanning' folder or any subfolders
code-scanning:
- code-scanning/**/*
- changed-files:
- any-glob-to-any-file: code-scanning/**/*
+3 -3
View File
@@ -5,12 +5,12 @@ permissions:
pull-requests: write
on:
- pull_request_target
pull_request_target:
jobs:
triage:
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v4
- uses: actions/labeler@v5
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
repo-token: "${{ secrets.GITHUB_TOKEN }}"
+3 -2
View File
@@ -1,8 +1,9 @@
name: Mark stale issues and pull requests
on:
schedule:
- cron: "21 4 * * *"
workflow_dispatch:
# schedule:
# - cron: "21 4 * * *"
jobs:
stale:
+2 -2
View File
@@ -15,9 +15,9 @@ jobs:
git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
git config user.email "cschleiden@github.com"
git config user.name "GitHub Actions"
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
with:
node-version: '16'
node-version: '20'
cache: 'npm'
cache-dependency-path: script/sync-ghes/package-lock.json
- name: Check starter workflows for GHES compat
+2 -2
View File
@@ -12,9 +12,9 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
with:
node-version: '16'
node-version: '20'
cache: 'npm'
cache-dependency-path: script/validate-data/package-lock.json
+1 -1
View File
@@ -14,7 +14,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: set up JDK 11
uses: actions/setup-java@v3
uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'temurin'
+1 -1
View File
@@ -17,7 +17,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set up JDK 11
uses: actions/setup-java@v3
uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'temurin'
+2 -2
View File
@@ -24,12 +24,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
# Run Synthetic tests within your GitHub workflow.
# For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
- name: Run Datadog Synthetic tests
uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e
uses: DataDog/synthetics-ci-github-action@87b505388a22005bb8013481e3f73a367b9a53eb # v1.4.0
with:
api_key: ${{secrets.DD_API_KEY}}
app_key: ${{secrets.DD_APP_KEY}}
+2 -2
View File
@@ -41,9 +41,9 @@ jobs:
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
with:
cosign-release: 'v2.1.1'
cosign-release: 'v2.2.4'
# Set up BuildKit Docker container builder to be able to build
# multi-platform images and export cache
+1 -1
View File
@@ -109,7 +109,7 @@ jobs:
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
- name: Upload build artifacts
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: MSIX Package
path: ${{ env.Wap_Project_Directory }}\AppPackages
+1 -1
View File
@@ -30,7 +30,7 @@ jobs:
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Setup Gradle
uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
- name: Build with Gradle
run: ./gradlew build
+6 -6
View File
@@ -28,10 +28,10 @@ jobs:
java-version: '17'
distribution: 'temurin'
# Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies.
# Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies.
# See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md
- name: Setup Gradle
uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
- name: Build with Gradle Wrapper
run: ./gradlew build
@@ -40,11 +40,11 @@ jobs:
# If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version.
#
# - name: Setup Gradle
# uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
# uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
# with:
# gradle-version: '8.5'
# gradle-version: '8.9'
#
# - name: Build with Gradle 8.5
# - name: Build with Gradle 8.9
# run: gradle build
dependency-submission:
@@ -64,4 +64,4 @@ jobs:
# Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies.
# See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md
- name: Generate and submit dependency graph
uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
uses: gradle/actions/dependency-submission@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
+1 -1
View File
@@ -18,7 +18,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set up JDK 11
uses: actions/setup-java@v3
uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'temurin'
+1 -1
View File
@@ -22,7 +22,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v3
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
+2 -2
View File
@@ -16,13 +16,13 @@ jobs:
strategy:
matrix:
node-version: [14.x, 16.x, 18.x]
node-version: [18.x, 20.x, 22.x]
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
+2 -2
View File
@@ -12,13 +12,13 @@ jobs:
strategy:
matrix:
node-version: [14.x, 16.x, 18.x]
node-version: [18.x, 20.x, 22.x]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
+2 -2
View File
@@ -12,13 +12,13 @@ jobs:
strategy:
matrix:
node-version: [14.x, 16.x, 18.x]
node-version: [18.x, 20.x, 22.x]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
+4 -4
View File
@@ -12,9 +12,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
with:
node-version: 16
node-version: 20
- run: npm ci
- run: npm test
@@ -26,9 +26,9 @@ jobs:
packages: write
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
with:
node-version: 16
node-version: 20
registry-url: $registry-url(npm)
- run: npm ci
- run: npm publish
+4 -4
View File
@@ -12,9 +12,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
with:
node-version: 16
node-version: 20
- run: npm ci
- run: npm test
@@ -23,9 +23,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
with:
node-version: 16
node-version: 20
registry-url: https://registry.npmjs.org/
- run: npm ci
- run: npm publish
+50 -19
View File
@@ -1,4 +1,4 @@
# This workflow will upload a Python Package using Twine when a release is created
# This workflow will upload a Python Package to PyPI when a release is created
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
# This workflow uses actions that are not certified by GitHub.
@@ -16,24 +16,55 @@ permissions:
contents: read
jobs:
deploy:
release-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v3
with:
python-version: '3.x'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install build
- name: Build package
run: python -m build
- name: Publish package
uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
with:
user: __token__
password: ${{ secrets.PYPI_API_TOKEN }}
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.x"
- name: Build release distributions
run: |
# NOTE: put your own distribution build steps here.
python -m pip install build
python -m build
- name: Upload distributions
uses: actions/upload-artifact@v4
with:
name: release-dists
path: dist/
pypi-publish:
runs-on: ubuntu-latest
needs:
- release-build
permissions:
# IMPORTANT: this permission is mandatory for trusted publishing
id-token: write
# Dedicated environments with protections for publishing are strongly recommended.
# For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules
environment:
name: pypi
# OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status:
# url: https://pypi.org/p/YOURPROJECT
#
# ALTERNATIVE: if your GitHub Release name is the PyPI project version string
# ALTERNATIVE: exactly, uncomment the following line instead:
# url: https://pypi.org/project/YOURPROJECT/${{ github.event.release.name }}
steps:
- name: Retrieve release distributions
uses: actions/download-artifact@v4
with:
name: release-dists
path: dist/
- name: Publish release distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: dist/
+4 -2
View File
@@ -30,7 +30,7 @@ jobs:
uses: actions/checkout@v4
# Add or replace dependency steps here
- name: Install Ruby and gems
uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1
with:
bundler-cache: true
# Add or replace database setup steps here
@@ -46,9 +46,11 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Ruby and gems
uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1
with:
bundler-cache: true
- name: Generate binstubs
run: bundle binstubs bundler-audit brakeman rubocop
# Add or replace any other lints here
- name: Security audit dependencies
run: bin/bundler-audit --update
+1 -1
View File
@@ -22,7 +22,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set up JDK 11
uses: actions/setup-java@v3
uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'temurin'
+2 -2
View File
@@ -12,13 +12,13 @@ jobs:
strategy:
matrix:
node-version: [14.x, 16.x, 18.x]
node-version: [18.x, 20.x, 22.x]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
+1 -1
View File
@@ -43,6 +43,6 @@ jobs:
fail-build: true
severity-cutoff: critical
- name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
+1 -1
View File
@@ -66,6 +66,6 @@ jobs:
# The name of the sarif format result file The file is written only if this property is provided.
sarif-result-file: "apisec-results.sarif"
- name: Import results
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ./apisec-results.sarif
+54
View File
@@ -0,0 +1,54 @@
# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support documentation.
#
# Appknox: Leader in Mobile Application Security Testing Solutions <https://www.appknox.com/>
#
# To use this workflow, you must be an existing Appknox customer with GitHub Advanced Security (GHAS) enabled for your
# repository.
#
# If you *are not* an existing customer, click here to contact us for licensing and pricing details:
# <https://www.appknox.com/free-trial>.
#
# Instructions:
#
# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the
# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token
# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings
# and create a token labeled GitHub
#
# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. After the
# action executes, check the 'Security' tab for results
name: Appknox
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
jobs:
appknox:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Grant execute permission for gradlew
run: chmod +x gradlew
- name: Build the app
run: ./gradlew build # Update this to build your Android or iOS application
- name: Appknox GitHub action
uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4
with:
appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }}
file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here
risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL]
sarif: Enable
- name: Upload SARIF to GHAS
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: report.sarif
+2 -2
View File
@@ -29,9 +29,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
- name: Bandit Scan
uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd
with: # optional arguments
# exit with 0, even with results found
exit_zero: true # optional, default is DEFAULT
+1 -1
View File
@@ -38,6 +38,6 @@ jobs:
exit-code: 0
# Upload SARIF file generated in previous step
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
@@ -0,0 +1,54 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines.
# For more information about configuring your workflow,
# read our documentation at https://github.com/blackduck-inc/black-duck-security-scan
name: CI Black Duck security scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
security-events: write
actions: read
steps:
- name: Checkout source
uses: actions/checkout@v4
- name: Black Duck SCA scan
uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
with:
### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ----------
blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }}
blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }}
### ---------- COVERITY SCANNING: REQUIRED FIELDS ----------
coverity_url: ${{ vars.COVERITY_URL }}
coverity_user: ${{ secrets.COVERITY_USER }}
coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
### ---------- POLARIS SCANNING: REQUIRED FIELDS ----------
polaris_server_url: ${{ vars.POLARIS_SERVER_URL }}
polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
polaris_assessment_types: "SCA,SAST"
### ---------- SRM SCANNING: REQUIRED FIELDS ----------
srm_url: ${{ vars.SRM_URL }}
srm_apikey: ${{ secrets.SRM_API_KEY }}
srm_assessment_types: "SCA,SAST"
+1 -1
View File
@@ -53,6 +53,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: output.sarif.json
+1 -1
View File
@@ -49,7 +49,7 @@ jobs:
cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One
additional_params: --report-format sarif --output-path .
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: cx_result.sarif
+1 -1
View File
@@ -50,6 +50,6 @@ jobs:
params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }}
# Upload the Report for CodeQL/Security Alerts
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: cx.sarif
+2 -2
View File
@@ -27,7 +27,7 @@ jobs:
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Scan code
uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
@@ -38,7 +38,7 @@ jobs:
fail-on-result: 'false'
- name: Upload analysis results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
wait-for-processing: true
+2 -2
View File
@@ -32,7 +32,7 @@ jobs:
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Dependency scan
uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c
@@ -48,7 +48,7 @@ jobs:
fail-on-result: false
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{github.workspace}}/clj-watson-results.sarif
wait-for-processing: true
+1 -1
View File
@@ -50,7 +50,7 @@ jobs:
cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
# is needed to ensure the SARIF file is uploaded
if: always()
+1 -1
View File
@@ -56,6 +56,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
+8 -2
View File
@@ -9,7 +9,7 @@
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"
name: "CodeQL Advanced"
on:
push:
@@ -28,7 +28,6 @@ jobs:
# - https://gh.io/using-larger-runners (GitHub.com only)
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
# required for all workflows
security-events: write
@@ -56,6 +55,12 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4
# Add any setup steps before running the `github/codeql-action/init` action.
# This includes steps like installing compilers or runtimes (`actions/setup-node`
# or others). This is typically only required for manual builds.
# - name: Setup runtime (example)
# uses: actions/setup-example@v1
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
@@ -76,6 +81,7 @@ jobs:
# ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
+1 -1
View File
@@ -44,6 +44,6 @@ jobs:
organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: codescan.sarif
+1 -1
View File
@@ -48,6 +48,6 @@ jobs:
authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
#Upload the results to GitHub
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
+4 -4
View File
@@ -77,11 +77,11 @@ jobs:
contents: read # for actions/checkout to fetch code
security-events: write # for redhat-actions/crda to upload SARIF results
name: Scan project vulnerabilities with CRDA
runs-on: ubuntu-20.04
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v4
# *******************************************************************
# Required: Instructions to setup project
@@ -94,9 +94,9 @@ jobs:
#
# Example:
# - name: Setup Node
# uses: actions/setup-node@v2
# uses: actions/setup-node@v4
# with:
# node-version: '14'
# node-version: '20'
# https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md
- name: Install CRDA CLI
+1 -1
View File
@@ -55,7 +55,7 @@ jobs:
- name: credo-scan
run: mix credo --format=sarif > credo_output.sarif
- name: upload sarif
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: credo_output.sarif
+1 -1
View File
@@ -42,6 +42,6 @@ jobs:
# Setting a SARIF output will generate a file named "datree.sarif" containing your test results
cliArguments: "-o sarif"
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: datree.sarif
+43
View File
@@ -0,0 +1,43 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#####################################################################################################################################################################
# Use this workflow template as a basis for integrating Debricked into your GitHub workflows. #
# #
# If you need additional assistance with configuration feel free to contact us via chat or email at support@debricked.com #
# To learn more about Debricked or contact our team, visit https://debricked.com/ #
# #
# To run this workflow, complete the following set-up steps: #
# #
# 1. If you dont have a Debricked account, create one by visiting https://debricked.com/app/en/register #
# 2. Generate your Debricked access token, by following the steps mentioned in https://portal.debricked.com/administration-47/how-do-i-generate-an-access-token-130 #
# 3. In GitHub, navigate to the repository #
# 4. Click on “Settings” (If you cannot see the “Settings” tab, select the dropdown menu, then click “Settings”) #
# 5. In the “Security” section click on “Secrets and variables”, then click “Actions” #
# 6. In the “Secrets” tab, click on “New repository secret” #
# 7. In the “Name” field, type the name of the secret #
# 8. In the “Secret” field, enter the value of the secret #
# 9. Click “Add secret” #
# 10. You should now be ready to use the workflow! #
#####################################################################################################################################################################
name: Debricked Scan
on:
push:
permissions:
contents: read
jobs:
vulnerabilities-scan:
name: Vulnerabilities scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: debricked/actions@v3
env:
DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
+2 -2
View File
@@ -33,7 +33,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: actions/setup-dotnet@v3
- uses: actions/setup-dotnet@v4
with:
dotnet-version: |
5.0.x
@@ -42,6 +42,6 @@ jobs:
uses: microsoft/security-devops-action@v1.6.0
id: msdo
- name: Upload results to Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
+1 -1
View File
@@ -111,7 +111,7 @@ jobs:
)" > ${{ github.workspace }}/detekt.sarif.json
# Uploads results to GitHub repository using the upload-sarif action
- uses: github/codeql-action/upload-sarif@v2
- uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: ${{ github.workspace }}/detekt.sarif.json
+2 -2
View File
@@ -16,7 +16,7 @@ on:
jobs:
lint:
name: DevSkim
runs-on: ubuntu-20.04
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
@@ -29,6 +29,6 @@ jobs:
uses: microsoft/DevSkim-Action@v1
- name: Upload DevSkim scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: devskim-results.sarif
+2 -2
View File
@@ -26,7 +26,7 @@ jobs:
### Use this section to define the build steps used by your software package.
### Endor Labs builds your software for you where possible but the required build tools must be made available.
# - name: Setup Java
# uses: actions/setup-java@v3
# uses: actions/setup-java@v4
# with:
# distribution: 'microsoft'
# java-version: '17'
@@ -46,6 +46,6 @@ jobs:
ci_run: "false"
sarif_file: findings.sarif
- name: Upload SARIF to github
uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: findings.sarif
+5 -3
View File
@@ -33,9 +33,11 @@ jobs:
- name: Install ESLint
run: |
npm install eslint@8.10.0
npm install @microsoft/eslint-formatter-sarif@2.1.7
npm install @microsoft/eslint-formatter-sarif@3.1.0
- name: Run ESLint
env:
SARIF_ESLINT_IGNORE_SUPPRESSED: "true"
run: npx eslint .
--config .eslintrc.js
--ext .js,.jsx,.ts,.tsx
@@ -44,7 +46,7 @@ jobs:
continue-on-error: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: eslint-results.sarif
wait-for-processing: true
wait-for-processing: true
+1 -1
View File
@@ -63,7 +63,7 @@ jobs:
sarif-result-file: "ethicalcheck-results.sarif"
- name: Upload sarif file to repository
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ./ethicalcheck-results.sarif
+1 -1
View File
@@ -33,6 +33,6 @@ jobs:
output: 'flawfinder_results.sarif'
- name: Upload analysis results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{github.workspace}}/flawfinder_results.sarif
+98 -67
View File
@@ -4,95 +4,126 @@
# documentation.
################################################################################################################################################
# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
# or contact our sales team, visit microfocus.com/appsecurity. #
# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your #
# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. #
# #
# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.#
# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into #
# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against #
# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the #
# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional #
# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. #
# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template #
# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security #
# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product #
# documentation. If you need additional assistance, please contact Fortify support. #
################################################################################################################################################
name: Fortify on Demand Scan
name: Fortify AST Scan
# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
# Customize trigger events based on your DevSecOps process and/or policy
on:
workflow_dispatch:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
workflow_dispatch:
jobs:
FoD-SAST-Scan:
# Use the appropriate runner for building your source code.
# TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
Fortify-AST-Scan:
# Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc).
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
# pull-requests: write # Required if DO_PR_COMMENT is set to true
steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v4
# Java is required to run the various Fortify utilities.
# When scanning a Java application, please use the appropriate Java version for building your application.
- name: Setup Java
uses: actions/setup-java@v3
# Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
# configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
# job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
# The Fortify GitHub Action provides many customization capabilities, but in case further customization is
# required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
# and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
# documentation at https://github.com/fortify/github-action#readme for more information on the various
# configuration options and available sub-actions.
- name: Run Fortify Scan
# Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
# uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases
# are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
# required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
# of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297
with:
java-version: 8
distribution: 'temurin'
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
# ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
# ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
# ScanCentral has additional options that should be set for PHP and Python projects
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
# ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
- name: Download Fortify ScanCentral Client
uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3
- name: Package Code + Dependencies
run: scancentral package $PACKAGE_OPTS -o package.zip
sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
# is disabled). For SSC, run a Debricked scan and import results into SSC.
env:
PACKAGE_OPTS: "-bt mvn"
#############################################################
##### Fortify on Demand configuration
##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
### Required configuration
FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
FOD_PASSWORD: ${{secrets.FOD_PAT}}
# FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
# FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
### Optional configuration
# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>
# DO_SETUP: true # Setup FoD application, release & static scan configuration
# SETUP_ACTION: <URL or file> # Customize setup action
# Pass extra options to setup action:
# SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
# PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
# FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
# DO_JOB_SUMMARY: true # Generate workflow job summary
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
# EXPORT_ACTION: <URL or file> # Customize export action
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
# Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
- name: Download Fortify on Demand Universal CI Tool
uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433
- name: Perform SAST Scan
run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
env:
FOD_URL: "https://ams.fortify.com/"
FOD_API_URL: "https://api.ams.fortify.com/"
FOD_TENANT: ${{ secrets.FOD_TENANT }}
FOD_USER: ${{ secrets.FOD_USER }}
FOD_PAT: ${{ secrets.FOD_PAT }}
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
- name: Export results to GitHub-optimized SARIF
uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b
with:
fod_base_url: "https://ams.fortify.com/"
fod_tenant: ${{ secrets.FOD_TENANT }}
fod_user: ${{ secrets.FOD_USER }}
fod_password: ${{ secrets.FOD_PAT }}
fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
# Import Fortify on Demand results to GitHub Security Code Scanning
- name: Import Results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./gh-fortify-sast.sarif
#############################################################
##### Fortify Hosted / Software Security Center & ScanCentral
##### Remove this section if you're integrating with Fortify on Demand (see above)
### Required configuration
SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret
SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets
SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
### Optional configuration
# SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
# SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
# SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch>
# DO_SETUP: true # Set up SSC application & version
# SETUP_ACTION: <URL or file> # Customize setup action
# SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
# PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options
# EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
# DO_JOB_SUMMARY: true # Generate workflow job summary
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
# EXPORT_ACTION: <URL or file> # Customize export action
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
+3 -7
View File
@@ -5,9 +5,9 @@
# Frogbot Scan and Fix does the following:
# Automatically creates pull requests with fixes for vulnerable project dependencies.
# Uses JFrog Xray to scan the project.
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration
name: "Frogbot Scan and Fix"
on:
@@ -23,11 +23,7 @@ jobs:
steps:
- uses: actions/checkout@v4
# IMPORTANT:
# 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
# 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
- uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0
- uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2
env:
# [Mandatory if the two conditions below are met]
# 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
+5 -9
View File
@@ -5,9 +5,9 @@
# Frogbot Scan Pull Request does the following:
# Automatically scans new pull requests for security vulnerabilities.
# Uses JFrog Xray to scan the project.
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration
name: "Frogbot Scan Pull Request"
on:
@@ -21,18 +21,14 @@ jobs:
runs-on: ubuntu-latest
# A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
# "frogbot" GitHub environment can approve the pull request to be scanned.
# Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md
# Read more here (Install Frogbot Using GitHub Actions): https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-github-actions
environment: frogbot
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
# IMPORTANT:
# 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
# 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
- uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0
- uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2
env:
# [Mandatory if the two conditions below are met]
# 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
+1 -1
View File
@@ -41,7 +41,7 @@ jobs:
no-fail: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: hadolint-results.sarif
wait-for-processing: true
+54
View File
@@ -0,0 +1,54 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# JFrog SAST performs 1st party source code security analysis
# For more information, see
# https://docs.jfrog-applications.jfrog.io/jfrog-security-features/sast
name: "JFrog SAST Scan"
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch, $protected-branches ]
schedule:
- cron: $cron-weekly
env:
# [Mandatory]
# JFrog platform URL and access token for
# a JFrog platform instance with active
# JFrog Advanced Security subscription
JF_URL: ${{ secrets.JF_URL }}
JF_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
- name: Install and configure JFrog CLI
run: |
npm install -g jfrog-cli-v2-jf
echo $JF_TOKEN | jf c add --interactive=false --url=$JF_URL --access-token-stdin
- name: Run JFrog SAST
run: |
jf audit --sast --format=sarif > jfrog_sast.sarif
- name: Upload output to generate autofix
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: jfrog_sast.sarif
+2 -2
View File
@@ -28,9 +28,9 @@ jobs:
contents: read
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
with:
node-version: 18
node-version: 20
- run: npm ci
- run: npm run build
- name: Jscrambler Code Integrity
+2 -2
View File
@@ -17,7 +17,7 @@ on:
jobs:
lint:
name: Kubesec
runs-on: ubuntu-20.04
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
@@ -36,6 +36,6 @@ jobs:
exit-code: "0"
- name: Upload Kubesec scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: kubesec-results.sarif
+1 -1
View File
@@ -49,7 +49,7 @@ jobs:
continue-on-error: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: lintr-results.sarif
wait-for-processing: true
+6 -8
View File
@@ -9,13 +9,11 @@
#
# To use this workflow, you will need to:
#
# 1. Create a Mayhem for API account at
# https://mayhem4api.forallsecure.com/signup
# 1. Create a Mayhem account at https://app.mayhem.security
#
# 2. Create a service account token `mapi organization service-account create
# <org-name> <service-account-name>`
# 2. Create an API token at https://app.mayhem.security/-/settings/user/api-tokens
#
# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN"
# 3. Add the API token as a secret in GitHub called "MAYHEM_TOKEN"
#
# 4. Update the "Start your API" step to run your API in the background before
# starting the Mayhem for API scan, and update the `api-url` & `api-spec`
@@ -51,16 +49,16 @@ jobs:
run: ./run_your_api.sh & # <- ✏️ update this
- name: Mayhem for API
uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010
uses: ForAllSecure/mapi-action@v1
continue-on-error: true
with:
mapi-token: ${{ secrets.MAPI_TOKEN }}
mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
api-url: http://localhost:8080 # <- ✏️ update this
api-spec: http://localhost:8080/openapi.json # <- ✏️ update this
duration: 60
sarif-report: mapi.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: mapi.sarif
+1 -1
View File
@@ -38,6 +38,6 @@ jobs:
args: . --sarif --output results.sarif || true
- name: Upload mobsfscan report
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
+2 -2
View File
@@ -54,13 +54,13 @@ jobs:
# Upload SARIF file to GitHub Code Scanning Alerts
- name: Upload SARIF to GitHub
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
# Upload SARIF file as an Artifact to download and view
# - name: Upload SARIF as an Artifact
# uses: actions/upload-artifact@v3
# uses: actions/upload-artifact@v4
# with:
# name: sarif-file
# path: ${{ steps.run-analysis.outputs.sarif }}
+1 -1
View File
@@ -162,7 +162,7 @@ jobs:
runs-on: ubuntu-18.04
name: A job to run a Nexploit scan
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
- name: Start Nexploit Scan 🏁
id: start
uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+1 -1
View File
@@ -37,6 +37,6 @@ jobs:
with:
args: '. --sarif --output results.sarif || true'
- name: Upload njsscan report
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
+1 -1
View File
@@ -47,6 +47,6 @@ jobs:
group_id: {{ groupId }} # Update this to your desired Platform group ID
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: NowSecure.sarif
+2 -2
View File
@@ -40,7 +40,7 @@ jobs:
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
# - name: Install .NET
# uses: actions/setup-dotnet@v2
# uses: actions/setup-dotnet@v4
# with:
# dotnet-version: '3.1.x'
@@ -51,6 +51,6 @@ jobs:
# Upload results to the Security tab
- name: Upload OSSAR results
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
+1 -1
View File
@@ -51,7 +51,7 @@ jobs:
continue-on-error: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: phpmd-results.sarif
wait-for-processing: true
+2 -2
View File
@@ -26,7 +26,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set up JDK 11
uses: actions/setup-java@v3
uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'temurin'
@@ -38,6 +38,6 @@ jobs:
sourcePath: 'src/main/java'
analyzeModifiedFilesOnly: false
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: pmd-report.sarif
+19 -5
View File
@@ -20,7 +20,8 @@ env:
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template.
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
jobs:
@@ -45,7 +46,7 @@ jobs:
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer ValidatePolicy check
id: run-aws-validate-policy
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
with:
policy-check-type: "VALIDATE_POLICY"
template-path: ${{ env.TEMPLATE_PATH}}
@@ -57,11 +58,12 @@ jobs:
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
id: run-aws-check-access-not-granted
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
with:
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
template-path: ${{ env.TEMPLATE_PATH}}
actions: ${{ env.ACTIONS }}
resources: ${{ env.RESOURCES }}
region: ${{ env.REGION }}
# Print result from CHECK_ACCESS_NOT_GRANTED check
- name: Print the result for CheckAccessNotGranted check
@@ -71,14 +73,26 @@ jobs:
# reference-policy is stored in GitHub secrets
- name: Run AWS AccessAnalyzer CheckNoNewAccess check
id: run-aws-check-no-new-access
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
with:
policy-check-type: "CHECK_NO_NEW_ACCESS"
template-path: ${{ env.TEMPLATE_PATH}}
reference-policy: ${{ env.REFERENCE }}
reference-policy: ${{ env.REFERENCE_POLICY }}
reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
region: ${{env.REGION }}
# Print result from CHECK_NO_NEW_ACCESS check
- name: Print the result for CheckNoNewAccess check
if: success() || failure()
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
# Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer CheckNoPublicAccess check
id: run-aws-check-no-public-access
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
with:
policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
template-path: ${{ env.TEMPLATE_PATH }}
region: ${{ env.REGION }}
# Print result from CHECK_NO_PUBLIC_ACCESS check
- name: Print the result for CheckNoPublicAccess check
if: success() || failure()
run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
+18 -4
View File
@@ -21,7 +21,8 @@ env:
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
@@ -48,7 +49,7 @@ jobs:
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer ValidatePolicy check
id: run-aws-validate-policy
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
with:
policy-check-type: "VALIDATE_POLICY"
template-path: ${{ env.TEMPLATE_PATH }}
@@ -60,11 +61,12 @@ jobs:
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
id: run-aws-check-access-not-granted
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
with:
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
template-path: ${{ env.TEMPLATE_PATH }}
actions: ${{ env.ACTIONS }}
resources: ${{ env.RESOURCES }}
region: ${{ env.REGION }}
# Print result from CHECK_ACCESS_NOT_GRANTED check
- name: Print the result for CheckAccessNotGranted check
@@ -74,7 +76,7 @@ jobs:
# reference-policy is stored in GitHub secrets
- name: Run AWS AccessAnalyzer CheckNoNewAccess check
id: run-aws-check-no-new-access
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
with:
policy-check-type: "CHECK_NO_NEW_ACCESS"
template-path: ${{ env.TEMPLATE_PATH }}
@@ -85,3 +87,15 @@ jobs:
- name: Print the result CheckNoNewAccess check
if: success() || failure()
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
# Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer CheckNoPublicAccess check
id: run-aws-check-no-public-access
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
with:
policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
template-path: ${{ env.TEMPLATE_PATH }}
region: ${{ env.REGION }}
# Print result from CHECK_NO_PUBLIC_ACCESS check
- name: Print the result for CheckNoPublicAccess check
if: success() || failure()
run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
+1 -1
View File
@@ -44,6 +44,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
+1 -1
View File
@@ -49,7 +49,7 @@ jobs:
# The service need to know the type of IaC being scanned
template_type: 'CFT'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed.
@@ -0,0 +1,21 @@
{
"name": "Appknox",
"creator": "Appknox",
"description": "Use Appknox action for faster and precise security assessments of your iOS and Android apps developed using any programming language",
"iconName": "appknox",
"categories": [
"Code Scanning",
"Java",
"Kotlin",
"Scala",
"Swift",
"Objective C",
"C",
"C++",
"C#",
"Rust",
"JavaScript",
"TypeScript",
"Node"
]
}
@@ -0,0 +1,22 @@
{
"name": "Black Duck Security Scan Workflow",
"creator": "Black Duck Software, Inc.",
"description": "The Black Duck Security Scan GitHub Action allows you to configure your pipeline to run Black Duck Security Scan and take action on the security results",
"iconName": "black-duck",
"categories": [
"Code Scanning",
"C",
"C++",
"C#",
"Go",
"Java",
"JavaScript",
"Ruby",
"PHP",
"Swift",
"Kotlin",
"Python",
"VB.NET",
"Objective C"
]
}
@@ -0,0 +1,19 @@
{
"name": "Debricked Scan",
"creator": "OpenText",
"description": "Integrate with Debricked's state of the art AI-powered Software Composition Analysis to automate your security.",
"iconName": "debricked",
"categories": [
"Code Scanning",
"Python",
"JavaScript",
"Java",
"PHP",
"Ruby",
"Go",
"Rust",
"Swift",
"C#",
"Objective-C"
]
}
@@ -1,7 +1,7 @@
{
"name": "Fortify on Demand Scan",
"creator": "Micro Focus",
"description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.",
"name": "Fortify Scan",
"creator": "OpenText",
"description": "Integrate Fortify's comprehensive static code analysis (SAST) for 33+ languages into your DevSecOps workflows.",
"iconName": "fortify",
"categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"]
"categories": ["Code Scanning", "ABAP", "ActionScript", "Bicep", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Dart", "Go", "HCL", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Solidity", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML", "YAML"]
}
@@ -0,0 +1,16 @@
{
"name": "JFrog SAST",
"description": "Scan for security vulnerabilities in source code using JFrog SAST",
"iconName": "frogbot",
"categories":
[
"Code Scanning",
"security",
"python",
"java",
"javascript",
"typescript",
"go"
],
"creator": "JFrog"
}
+1 -1
View File
@@ -33,6 +33,6 @@ jobs:
uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287
- name: Upload Security Analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
+1 -1
View File
@@ -49,7 +49,7 @@ jobs:
continue-on-error: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: puppet-lint-results.sarif
wait-for-processing: true
+1 -1
View File
@@ -47,6 +47,6 @@ jobs:
"
- name: Upload Sarif output
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: rubocop.sarif
+1 -1
View File
@@ -49,7 +49,7 @@ jobs:
continue-on-error: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: rust-clippy-results.sarif
wait-for-processing: true
+9 -4
View File
@@ -21,6 +21,8 @@ jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
# `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
@@ -32,12 +34,12 @@ jobs:
steps:
- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
with:
results_file: results.sarif
results_format: sarif
@@ -56,10 +58,13 @@ jobs:
# of the value entered here.
publish_results: true
# (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
# file_mode: git
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: SARIF file
path: results.sarif
@@ -68,6 +73,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
+1 -1
View File
@@ -38,4 +38,4 @@ jobs:
uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
- name: Upload sarif
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
+1 -1
View File
@@ -43,7 +43,7 @@ jobs:
# Upload SARIF file generated in previous step
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep.sarif
if: always()
+1 -1
View File
@@ -50,6 +50,6 @@ jobs:
image: your/image-to-test
args: --file=Dockerfile
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
+1 -1
View File
@@ -49,6 +49,6 @@ jobs:
# or `main.tf` for a Terraform configuration file
file: your-file-to-test.yaml
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
+3 -3
View File
@@ -43,9 +43,9 @@ jobs:
# For Snyk Open Source you must first set up the development environment for your application's dependencies
# For example for Node
#- uses: actions/setup-node@v3
#- uses: actions/setup-node@v4
# with:
# node-version: 16
# node-version: 20
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
@@ -74,6 +74,6 @@ jobs:
# Push the Snyk Code results into GitHub Code Scanning tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk-code.sarif
+1 -1
View File
@@ -36,6 +36,6 @@ jobs:
- id: run-action
uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912
- name: Upload report
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
+5 -6
View File
@@ -46,13 +46,12 @@ jobs:
- name: Analyze with SonarCloud
# You can pin the exact commit or the version.
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
# uses: SonarSource/sonarcloud-github-action@v2.2.0
uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
with:
# Additional arguments for the sonarcloud scanner
# Additional arguments for the SonarScanner CLI
args:
# Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
# mandatory
@@ -60,9 +59,9 @@ jobs:
-Dsonar.organization=
# Comma-separated paths to directories containing main source files.
#-Dsonar.sources= # optional, default is project base directory
# When you need the analysis to take place in a directory other than the one from which it was launched
#-Dsonar.projectBaseDir= # optional, default is .
# Comma-separated paths to directories containing test source files.
#-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
# Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
#-Dsonar.verbose= # optional, default is false
# When you need the analysis to take place in a directory other than the one from which it was launched, default is .
projectBaseDir: .
+13 -3
View File
@@ -36,15 +36,25 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Run SOOS DAST Analysis
uses: soos-io/soos-dast-github-action@a7f2cb2dfd143cb3224712d902ca0a1da0198ea9
uses: soos-io/soos-dast-github-action@a7eb40b94c1c81eb76b178ba1befdc21823f86fa
with:
client_id: ${{ secrets.SOOS_CLIENT_ID }}
api_key: ${{ secrets.SOOS_API_KEY }}
project_name: "<YOUR-PROJECT-NAME>"
scan_mode: "baseline"
target_url: "https://www.example.com/"
output_format: "sarif"
export_format: "Sarif"
export_file_type: "Json"
- name: Find and rename SARIF file since it is unique
run: |
file=$(find . -name "*.sarif.json" | head -n 1)
if [ -n "$file" ]; then
mv "$file" output.sarif.json
echo "Renamed $file to output.sarif.json"
else
echo "No SARIF file found" && exit 1
fi
- name: Upload SOOS DAST SARIF Report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
sarif_file: output.sarif.json
+1 -1
View File
@@ -46,7 +46,7 @@ jobs:
contents: read # for actions/checkout to fetch code
security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info
name: StackHawk
runs-on: ubuntu-20.04
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
+1 -1
View File
@@ -71,7 +71,7 @@ jobs:
- name: Upload SARIF file
if: ${{steps.prescription.outputs.sastScan == 'true' }}
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: workflowengine-results.sarif.json
+1 -1
View File
@@ -55,7 +55,7 @@ jobs:
# Sysdig inline scanner requires privileged rights
run-as-user: root
- uses: github/codeql-action/upload-sarif@v2
- uses: github/codeql-action/upload-sarif@v3
#Upload SARIF file
if: always()
with:
+1 -1
View File
@@ -32,7 +32,7 @@ jobs:
sarif_file: tfsec.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: tfsec.sarif
+2 -2
View File
@@ -24,7 +24,7 @@ jobs:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Build
runs-on: "ubuntu-20.04"
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
@@ -43,6 +43,6 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
+2 -2
View File
@@ -42,7 +42,7 @@ jobs:
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- run: unzip -o pipeline-scan-LATEST.zip
- uses: actions/setup-java@v3
- uses: actions/setup-java@v4
with:
java-version: 8
distribution: 'temurin'
@@ -53,7 +53,7 @@ jobs:
uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
with:
pipeline-results-json: results.json
- uses: github/codeql-action/upload-sarif@v2
- uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: veracode-results.sarif
+3 -3
View File
@@ -62,7 +62,7 @@ jobs:
# Set up the correct Java version for your project
# Please comment out, if your project does not contain Java source code.
- name: Set up JDK 11
uses: actions/setup-java@v3
uses: actions/setup-java@v4
with:
java-version: 11
distribution: 'temurin'
@@ -87,7 +87,7 @@ jobs:
license: ${{ secrets.XANITIZER_LICENSE }}
# Archiving the findings list reports
- uses: actions/upload-artifact@v3
- uses: actions/upload-artifact@v4
with:
name: Xanitizer-Reports
path: |
@@ -95,6 +95,6 @@ jobs:
*-Findings-List.sarif
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
- uses: github/codeql-action/upload-sarif@v2
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: Xanitizer-Findings-List.sarif
+1 -1
View File
@@ -51,6 +51,6 @@ jobs:
#Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
- name: Upload SARIF file
if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}
+1 -1
View File
@@ -55,6 +55,6 @@ jobs:
app_file: app-release-unsigned.apk
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: Zimperium.sarif
+1 -1
View File
@@ -42,7 +42,7 @@ jobs:
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
- name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment
uses: actions/setup-dotnet@v3
uses: actions/setup-dotnet@v4
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
@@ -28,6 +28,7 @@ permissions:
env:
AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
BUILD_GRADLE_DIRECTORY: '.' # set this to the directory which contains build.gradle file
DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft')
JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17')
jobs:
@@ -47,8 +48,9 @@ jobs:
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
- name: Setup Java Sdk ${{ env.JAVA_VERSION }}
uses: actions/setup-java@v1
uses: actions/setup-java@v4
with:
distribution: ${{ env.DISTRIBUTION }}
java-version: ${{ env.JAVA_VERSION }}
# Build function project with functions gradle plugin

Some files were not shown because too many files have changed in this diff Show More