diff --git a/.github/labeler.yml b/.github/labeler.yml
index 2d04e26..fb08863 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -1,3 +1,4 @@
# Add 'code-scanning' label to any changes within 'code-scanning' folder or any subfolders
code-scanning:
-- code-scanning/**/*
+- changed-files:
+ - any-glob-to-any-file: code-scanning/**/*
diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml
index 99fdbc5..2de6b88 100644
--- a/.github/workflows/labeler-triage.yml
+++ b/.github/workflows/labeler-triage.yml
@@ -5,12 +5,12 @@ permissions:
pull-requests: write
on:
-- pull_request_target
+ pull_request_target:
jobs:
triage:
runs-on: ubuntu-latest
steps:
- - uses: actions/labeler@v4
+ - uses: actions/labeler@v5
with:
- repo-token: "${{ secrets.GITHUB_TOKEN }}"
\ No newline at end of file
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
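Review bot: The switch to the mapping form `pull_request_target:` keeps this workflow running with a write-capable token (`pull-requests: write` is in the context at the top of the hunk) against pull requests from forks, and nothing in the file records the constraint that comes with that trigger. The labeler step itself does not check out code, so the current job is fine, but a later maintainer adding a checkout or a `run:` step here would be executing untrusted PR content with a privileged token. A one-line comment above the trigger would make the constraint explicit: `# pull_request_target provides a write token: this job must never check out or execute PR-head content`. The v5 bump also changes the labeler configuration format, which the `.github/labeler.yml` hunk in this commit already migrates.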
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index ecdf037..f9f361d 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,8 +1,9 @@
name: Mark stale issues and pull requests
on:
- schedule:
- - cron: "21 4 * * *"
+ workflow_dispatch:
+ # schedule:
+ # - cron: "21 4 * * *"
jobs:
stale:
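Review bot: Commenting out the `schedule` trigger and adding `workflow_dispatch` leaves this workflow runnable only by hand, so issues and pull requests are no longer marked stale automatically, and nothing in the hunk says whether that is a deliberate pause or a temporary measure. If it is intentional, a comment on the disabled block such as `# Scheduled run disabled on purpose; run manually via workflow_dispatch` would stop a future reader from "fixing" it back. If it is temporary, an issue reference in the same comment would give the follow-up a home. The rest of the `on:` and `jobs:` sections continue outside the hunk.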
diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml
index 6a3da68..5d39d18 100644
--- a/.github/workflows/sync-ghes.yaml
+++ b/.github/workflows/sync-ghes.yaml
@@ -15,9 +15,9 @@ jobs:
git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
git config user.email "cschleiden@github.com"
git config user.name "GitHub Actions"
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@v4
with:
- node-version: '16'
+ node-version: '20'
cache: 'npm'
cache-dependency-path: script/sync-ghes/package-lock.json
- name: Check starter workflows for GHES compat
diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml
index 43f5578..52988aa 100644
--- a/.github/workflows/validate-data.yaml
+++ b/.github/workflows/validate-data.yaml
@@ -12,9 +12,9 @@ jobs:
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@v4
with:
- node-version: '16'
+ node-version: '20'
cache: 'npm'
cache-dependency-path: script/validate-data/package-lock.json
diff --git a/ci/android.yml b/ci/android.yml
index 80a33b4..fec1eb9 100644
--- a/ci/android.yml
+++ b/ci/android.yml
@@ -14,7 +14,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: set up JDK 11
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/ant.yml b/ci/ant.yml
index 517a37a..8cfe641 100644
--- a/ci/ant.yml
+++ b/ci/ant.yml
@@ -17,7 +17,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set up JDK 11
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml
index 7056f87..a034c39 100644
--- a/ci/datadog-synthetics.yml
+++ b/ci/datadog-synthetics.yml
@@ -24,12 +24,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
# Run Synthetic tests within your GitHub workflow.
# For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
- name: Run Datadog Synthetic tests
- uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e
+ uses: DataDog/synthetics-ci-github-action@87b505388a22005bb8013481e3f73a367b9a53eb # v1.4.0
with:
api_key: ${{secrets.DD_API_KEY}}
app_key: ${{secrets.DD_APP_KEY}}
diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
index 8a042a5..f8e709f 100644
--- a/ci/docker-publish.yml
+++ b/ci/docker-publish.yml
@@ -41,9 +41,9 @@ jobs:
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
+ uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
with:
- cosign-release: 'v2.1.1'
+ cosign-release: 'v2.2.4'
# Set up BuildKit Docker container builder to be able to build
# multi-platform images and export cache
diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml
index ad99b56..a7b9152 100644
--- a/ci/dotnet-desktop.yml
+++ b/ci/dotnet-desktop.yml
@@ -109,7 +109,7 @@ jobs:
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
- name: Upload build artifacts
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
with:
name: MSIX Package
path: ${{ env.Wap_Project_Directory }}\AppPackages
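Review bot: Bumping `actions/upload-artifact` to v4 is not a drop-in change: v4 rejects a second upload to an artifact name that already exists in the same run, and the step keeps the fixed `name: MSIX Package`. The job definition starts outside this hunk, so I cannot see whether it runs under a `strategy.matrix`; if it does, every leg after the first will fail on this step. In that case the name should carry the matrix value, along the lines of `name: MSIX Package ${{ matrix.<key> }}` (with `<key>` being whatever the matrix dimension is called in this file). If the job is not a matrix, a short comment noting that v4 artifact names must be unique per run would still save the next person who adds one.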
diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml
index 2af4616..20d17dc 100644
--- a/ci/gradle-publish.yml
+++ b/ci/gradle-publish.yml
@@ -30,7 +30,7 @@ jobs:
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Setup Gradle
- uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+ uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
- name: Build with Gradle
run: ./gradlew build
diff --git a/ci/gradle.yml b/ci/gradle.yml
index 65a332b..40a40c1 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -28,10 +28,10 @@ jobs:
java-version: '17'
distribution: 'temurin'
- # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies.
+ # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies.
# See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md
- name: Setup Gradle
- uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+ uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
- name: Build with Gradle Wrapper
run: ./gradlew build
@@ -40,11 +40,11 @@ jobs:
# If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version.
#
# - name: Setup Gradle
- # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+ # uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
# with:
- # gradle-version: '8.5'
+ # gradle-version: '8.9'
#
- # - name: Build with Gradle 8.5
+ # - name: Build with Gradle 8.9
# run: gradle build
dependency-submission:
@@ -64,4 +64,4 @@ jobs:
# Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies.
# See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md
- name: Generate and submit dependency graph
- uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+ uses: gradle/actions/dependency-submission@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml
index 954e6c8..64b848b 100644
--- a/ci/maven-publish.yml
+++ b/ci/maven-publish.yml
@@ -18,7 +18,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set up JDK 11
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/maven.yml b/ci/maven.yml
index 47816ee..7709373 100644
--- a/ci/maven.yml
+++ b/ci/maven.yml
@@ -22,7 +22,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set up JDK 17
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
diff --git a/ci/node.js.yml b/ci/node.js.yml
index 688a227..d5ccc14 100644
--- a/ci/node.js.yml
+++ b/ci/node.js.yml
@@ -16,13 +16,13 @@ jobs:
strategy:
matrix:
- node-version: [14.x, 16.x, 18.x]
+ node-version: [18.x, 20.x, 22.x]
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v3
+ uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml
index 0039895..ccdabd8 100644
--- a/ci/npm-grunt.yml
+++ b/ci/npm-grunt.yml
@@ -12,13 +12,13 @@ jobs:
strategy:
matrix:
- node-version: [14.x, 16.x, 18.x]
+ node-version: [18.x, 20.x, 22.x]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v3
+ uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml
index 19bed27..3a4ec12 100644
--- a/ci/npm-gulp.yml
+++ b/ci/npm-gulp.yml
@@ -12,13 +12,13 @@ jobs:
strategy:
matrix:
- node-version: [14.x, 16.x, 18.x]
+ node-version: [18.x, 20.x, 22.x]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v3
+ uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml
index 1899709..99531c0 100644
--- a/ci/npm-publish-github-packages.yml
+++ b/ci/npm-publish-github-packages.yml
@@ -12,9 +12,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@v4
with:
- node-version: 16
+ node-version: 20
- run: npm ci
- run: npm test
@@ -26,9 +26,9 @@ jobs:
packages: write
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@v4
with:
- node-version: 16
+ node-version: 20
registry-url: $registry-url(npm)
- run: npm ci
- run: npm publish
diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml
index 0049296..2a4766d 100644
--- a/ci/npm-publish.yml
+++ b/ci/npm-publish.yml
@@ -12,9 +12,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@v4
with:
- node-version: 16
+ node-version: 20
- run: npm ci
- run: npm test
@@ -23,9 +23,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@v4
with:
- node-version: 16
+ node-version: 20
registry-url: https://registry.npmjs.org/
- run: npm ci
- run: npm publish
diff --git a/ci/python-publish.yml b/ci/python-publish.yml
index b7a704b..82f8dbd 100644
--- a/ci/python-publish.yml
+++ b/ci/python-publish.yml
@@ -1,4 +1,4 @@
-# This workflow will upload a Python Package using Twine when a release is created
+# This workflow will upload a Python Package to PyPI when a release is created
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
# This workflow uses actions that are not certified by GitHub.
@@ -16,24 +16,55 @@ permissions:
contents: read
jobs:
- deploy:
-
+ release-build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
- - name: Set up Python
- uses: actions/setup-python@v3
- with:
- python-version: '3.x'
- - name: Install dependencies
- run: |
- python -m pip install --upgrade pip
- pip install build
- - name: Build package
- run: python -m build
- - name: Publish package
- uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
- with:
- user: __token__
- password: ${{ secrets.PYPI_API_TOKEN }}
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.x"
+
+ - name: Build release distributions
+ run: |
+ # NOTE: put your own distribution build steps here.
+ python -m pip install build
+ python -m build
+
+ - name: Upload distributions
+ uses: actions/upload-artifact@v4
+ with:
+ name: release-dists
+ path: dist/
+
+ pypi-publish:
+ runs-on: ubuntu-latest
+ needs:
+ - release-build
+ permissions:
+ # IMPORTANT: this permission is mandatory for trusted publishing
+ id-token: write
+
+ # Dedicated environments with protections for publishing are strongly recommended.
+ # For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules
+ environment:
+ name: pypi
+ # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status:
+ # url: https://pypi.org/p/YOURPROJECT
+ #
+ # ALTERNATIVE: if your GitHub Release name is the PyPI project version string
+ # ALTERNATIVE: exactly, uncomment the following line instead:
+ # url: https://pypi.org/project/YOURPROJECT/${{ github.event.release.name }}
+
+ steps:
+ - name: Retrieve release distributions
+ uses: actions/download-artifact@v4
+ with:
+ name: release-dists
+ path: dist/
+
+ - name: Publish release distributions to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ packages-dir: dist/
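Review bot: The publish step at the end of the hunk now references `pypa/gh-action-pypi-publish@release/v1`, a mutable branch ref, whereas the line it replaces was pinned to a full commit SHA; this is a pinning regression in the one job of the workflow that holds `id-token: write` and can mint a PyPI trusted-publishing token. Every other third-party action updated in this commit (cosign-installer, gradle/actions, ruby/setup-ruby, the Datadog action) is pinned to a full SHA with a version comment, so this line is also inconsistent with the commit's own convention. Even if `release/v1` is the ref the action's documentation recommends, the stronger form is `uses: pypa/gh-action-pypi-publish@<full-commit-sha> # vX.Y.Z` (placeholders to be filled from the action's release page). The `environment: name: pypi` and job-scoped `permissions` blocks are the right shape and are worth keeping as-is.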
diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml
index 23c242c..ad3ac88 100644
--- a/ci/rubyonrails.yml
+++ b/ci/rubyonrails.yml
@@ -30,7 +30,7 @@ jobs:
uses: actions/checkout@v4
# Add or replace dependency steps here
- name: Install Ruby and gems
- uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
+ uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1
with:
bundler-cache: true
# Add or replace database setup steps here
@@ -46,9 +46,11 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Ruby and gems
- uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
+ uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1
with:
bundler-cache: true
+ - name: Generate binstubs
+ run: bundle binstubs bundler-audit brakeman rubocop
# Add or replace any other lints here
- name: Security audit dependencies
run: bin/bundler-audit --update
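Review bot: The new `Generate binstubs` step runs `bundle binstubs bundler-audit brakeman rubocop`, which only succeeds if all three gems are declared in the project's Gemfile; a template user whose Gemfile lacks one of them gets a failure at this step rather than at the lint that needed it. A comment on the step stating the prerequisite would make that explicit: `# Requires bundler-audit, brakeman and rubocop to be declared in the Gemfile`. The steps that consume the binstubs (`bin/bundler-audit --update` and, presumably, brakeman and rubocop invocations) continue past the end of the hunk.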
diff --git a/ci/scala.yml b/ci/scala.yml
index 83b09f7..49ca1e7 100644
--- a/ci/scala.yml
+++ b/ci/scala.yml
@@ -22,7 +22,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set up JDK 11
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'temurin'
diff --git a/ci/webpack.yml b/ci/webpack.yml
index 9e967c0..1013845 100644
--- a/ci/webpack.yml
+++ b/ci/webpack.yml
@@ -12,13 +12,13 @@ jobs:
strategy:
matrix:
- node-version: [14.x, 16.x, 18.x]
+ node-version: [18.x, 20.x, 22.x]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v3
+ uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
index 2bbc55e..8ada351 100644
--- a/code-scanning/anchore.yml
+++ b/code-scanning/anchore.yml
@@ -43,6 +43,6 @@ jobs:
fail-build: true
severity-cutoff: critical
- name: Upload vulnerability report
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml
index 34defa9..f425ca8 100644
--- a/code-scanning/apisec-scan.yml
+++ b/code-scanning/apisec-scan.yml
@@ -66,6 +66,6 @@ jobs:
# The name of the sarif format result file The file is written only if this property is provided.
sarif-result-file: "apisec-results.sarif"
- name: Import results
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ./apisec-results.sarif
diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml
new file mode 100644
index 0000000..a5f62d9
--- /dev/null
+++ b/code-scanning/appknox.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support documentation.
+#
+# Appknox: Leader in Mobile Application Security Testing Solutions
+#
+# To use this workflow, you must be an existing Appknox customer with GitHub Advanced Security (GHAS) enabled for your
+# repository.
+#
+# If you *are not* an existing customer, click here to contact us for licensing and pricing details:
+# .
+#
+# Instructions:
+#
+# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the
+# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token
+# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings
+# and create a token labeled GitHub
+#
+# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. After the
+# action executes, check the 'Security' tab for results
+
+name: Appknox
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+jobs:
+ appknox:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+
+ - name: Grant execute permission for gradlew
+ run: chmod +x gradlew
+
+ - name: Build the app
+ run: ./gradlew build # Update this to build your Android or iOS application
+
+ - name: Appknox GitHub action
+ uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4
+ with:
+ appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }}
+ file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here
+ risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL]
+ sarif: Enable
+
+ - name: Upload SARIF to GHAS
+ if: always()
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: report.sarif
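Review bot: The `appknox` job declares no `permissions:` block, yet its final step uploads SARIF via `github/codeql-action/upload-sarif@v3`, which needs `security-events: write`; on a repository whose default token permissions are read-only the upload step will fail. The other new template in this commit (`black-duck-security-scan-ci.yml`) scopes its job explicitly, and this one should do the same, e.g. `permissions:` / `contents: read` / `security-events: write` at job level, which also keeps the token minimal for the third-party action that runs earlier in the job. Two smaller points in the same file: the comment line `# .` after "click here to contact us" is a dangling link placeholder with no URL, and the `appknox/appknox-github-action@b7d2bfb…` pin has no `# vX.Y.Z` version comment, unlike the other SHA-pinned actions in this commit.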
diff --git a/code-scanning/bandit.yml b/code-scanning/bandit.yml
index 1ee087c..a3858a3 100644
--- a/code-scanning/bandit.yml
+++ b/code-scanning/bandit.yml
@@ -29,9 +29,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
- name: Bandit Scan
- uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
+ uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd
with: # optional arguments
# exit with 0, even with results found
exit_zero: true # optional, default is DEFAULT
diff --git a/code-scanning/bearer.yml b/code-scanning/bearer.yml
index 7971be9..b384d82 100644
--- a/code-scanning/bearer.yml
+++ b/code-scanning/bearer.yml
@@ -38,6 +38,6 @@ jobs:
exit-code: 0
# Upload SARIF file generated in previous step
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml
new file mode 100644
index 0000000..c6a132b
--- /dev/null
+++ b/code-scanning/black-duck-security-scan-ci.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines.
+# For more information about configuring your workflow,
+# read our documentation at https://github.com/blackduck-inc/black-duck-security-scan
+
+name: CI Black Duck security scan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ security-events: write
+ actions: read
+
+ steps:
+ - name: Checkout source
+ uses: actions/checkout@v4
+ - name: Black Duck SCA scan
+ uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
+ with:
+ ### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ----------
+ blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }}
+ blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }}
+
+ ### ---------- COVERITY SCANNING: REQUIRED FIELDS ----------
+ coverity_url: ${{ vars.COVERITY_URL }}
+ coverity_user: ${{ secrets.COVERITY_USER }}
+ coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
+
+ ### ---------- POLARIS SCANNING: REQUIRED FIELDS ----------
+ polaris_server_url: ${{ vars.POLARIS_SERVER_URL }}
+ polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
+ polaris_assessment_types: "SCA,SAST"
+
+ ### ---------- SRM SCANNING: REQUIRED FIELDS ----------
+ srm_url: ${{ vars.SRM_URL }}
+ srm_apikey: ${{ secrets.SRM_API_KEY }}
+ srm_assessment_types: "SCA,SAST"
+
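Review bot: The `blackduck-inc/black-duck-security-scan@805cbd09…` pin carries no version comment, so a reader cannot tell which release the SHA corresponds to; every other SHA-pinned third-party action touched in this commit annotates the pin (`# v3.5.0`, `# v4.0.0`, `# v1.179.1`), and this line should follow suit with `# vX.Y.Z` filled in from the action's releases. The `with:` block also configures four products at once (Black Duck SCA, Coverity, Polaris, SRM), each with its own required `vars`/`secrets`; if, as the section headings suggest, these are alternatives rather than a set to run together, a leading comment such as `# Keep only the section for the product you use and remove the others` would prevent a template user from being blocked on secrets they never intended to create. Job-level `permissions` are scoped explicitly, which is the right shape for a third-party scan step.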
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml
index 0d1cb05..38e572c 100644
--- a/code-scanning/brakeman.yml
+++ b/code-scanning/brakeman.yml
@@ -53,6 +53,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: output.sarif.json
diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml
index 7feeb25..ae326bd 100644
--- a/code-scanning/checkmarx-one.yml
+++ b/code-scanning/checkmarx-one.yml
@@ -49,7 +49,7 @@ jobs:
cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One
additional_params: --report-format sarif --output-path .
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: cx_result.sarif
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
index b4a99f3..5406860 100644
--- a/code-scanning/checkmarx.yml
+++ b/code-scanning/checkmarx.yml
@@ -50,6 +50,6 @@ jobs:
params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }}
# Upload the Report for CodeQL/Security Alerts
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: cx.sarif
diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml
index 87f11cb..49bca52 100644
--- a/code-scanning/clj-holmes.yml
+++ b/code-scanning/clj-holmes.yml
@@ -27,7 +27,7 @@ jobs:
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
- name: Scan code
uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
@@ -38,7 +38,7 @@ jobs:
fail-on-result: 'false'
- name: Upload analysis results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
wait-for-processing: true
diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml
index 59bfd41..ce0b70e 100644
--- a/code-scanning/clj-watson.yml
+++ b/code-scanning/clj-watson.yml
@@ -32,7 +32,7 @@ jobs:
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
- name: Dependency scan
uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c
@@ -48,7 +48,7 @@ jobs:
fail-on-result: false
- name: Upload analysis results to GitHub
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{github.workspace}}/clj-watson-results.sarif
wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml
index 8273881..846c43d 100644
--- a/code-scanning/cloudrail.yml
+++ b/code-scanning/cloudrail.yml
@@ -50,7 +50,7 @@ jobs:
cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
# is needed to ensure the SARIF file is uploaded
if: always()
diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml
index c3cd9f5..2f2acc3 100644
--- a/code-scanning/codacy.yml
+++ b/code-scanning/codacy.yml
@@ -56,6 +56,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index 6fdadb1..eeb0dce 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -9,7 +9,7 @@
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
-name: "CodeQL"
+name: "CodeQL Advanced"
on:
push:
@@ -28,7 +28,6 @@ jobs:
# - https://gh.io/using-larger-runners (GitHub.com only)
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
- timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
# required for all workflows
security-events: write
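Review bot: Deleting the `timeout-minutes` expression silently changes behavior: the Swift leg of the matrix previously had an explicit 120-minute bound and every job now falls back to the platform default job timeout, and nothing in the hunk records why the bound was dropped. If the intent is simply to rely on the default, a comment in its place (`# timeout-minutes intentionally left at the default`) would keep the next reader from assuming it was lost in a merge; if a bound is still wanted, the line should be restored rather than removed. The enclosing `analyze` job and its matrix continue outside this hunk, so I cannot confirm whether anything else still references the Swift-specific limit.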
@@ -56,6 +55,12 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4
+ # Add any setup steps before running the `github/codeql-action/init` action.
+ # This includes steps like installing compilers or runtimes (`actions/setup-node`
+ # or others). This is typically only required for manual builds.
+ # - name: Setup runtime (example)
+ # uses: actions/setup-example@v1
+
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
@@ -76,6 +81,7 @@ jobs:
# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- if: matrix.build-mode == 'manual'
+ shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml
index c4858c6..cb338df 100644
--- a/code-scanning/codescan.yml
+++ b/code-scanning/codescan.yml
@@ -44,6 +44,6 @@ jobs:
organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: codescan.sarif
diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml
index 1950d3a..197779f 100644
--- a/code-scanning/contrast-scan.yml
+++ b/code-scanning/contrast-scan.yml
@@ -48,6 +48,6 @@ jobs:
authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
#Upload the results to GitHub
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml
index d5bb88f..35047d2 100644
--- a/code-scanning/crda.yml
+++ b/code-scanning/crda.yml
@@ -77,11 +77,11 @@ jobs:
contents: read # for actions/checkout to fetch code
security-events: write # for redhat-actions/crda to upload SARIF results
name: Scan project vulnerabilities with CRDA
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
steps:
- name: Check out repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
# *******************************************************************
# Required: Instructions to setup project
@@ -94,9 +94,9 @@ jobs:
#
# Example:
# - name: Setup Node
- # uses: actions/setup-node@v2
+ # uses: actions/setup-node@v4
# with:
- # node-version: '14'
+ # node-version: '20'
# https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md
- name: Install CRDA CLI
diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml
index 8c8c8be..5a322a4 100644
--- a/code-scanning/credo.yml
+++ b/code-scanning/credo.yml
@@ -55,7 +55,7 @@ jobs:
- name: credo-scan
run: mix credo --format=sarif > credo_output.sarif
- name: upload sarif
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: credo_output.sarif
diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml
index a892cf8..a98eabe 100644
--- a/code-scanning/datree.yml
+++ b/code-scanning/datree.yml
@@ -42,6 +42,6 @@ jobs:
# Setting a SARIF output will generate a file named "datree.sarif" containing your test results
cliArguments: "-o sarif"
- name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: datree.sarif
diff --git a/code-scanning/debricked.yml b/code-scanning/debricked.yml
new file mode 100644
index 0000000..79b0a07
--- /dev/null
+++ b/code-scanning/debricked.yml
@@ -0,0 +1,43 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+#####################################################################################################################################################################
+# Use this workflow template as a basis for integrating Debricked into your GitHub workflows. #
+# #
+# If you need additional assistance with configuration feel free to contact us via chat or email at support@debricked.com #
+# To learn more about Debricked or contact our team, visit https://debricked.com/ #
+# #
+# To run this workflow, complete the following set-up steps: #
+# #
+# 1. If you don’t have a Debricked account, create one by visiting https://debricked.com/app/en/register #
+# 2. Generate your Debricked access token, by following the steps mentioned in https://portal.debricked.com/administration-47/how-do-i-generate-an-access-token-130 #
+# 3. In GitHub, navigate to the repository #
+# 4. Click on “Settings” (If you cannot see the “Settings” tab, select the dropdown menu, then click “Settings”) #
+# 5. In the “Security” section click on “Secrets and variables”, then click “Actions” #
+# 6. In the “Secrets” tab, click on “New repository secret” #
+# 7. In the “Name” field, type the name of the secret #
+# 8. In the “Secret” field, enter the value of the secret #
+# 9. Click “Add secret” #
+# 10. You should now be ready to use the workflow! #
+#####################################################################################################################################################################
+
+name: Debricked Scan
+
+on:
+ push:
+
+permissions:
+ contents: read
+
+jobs:
+ vulnerabilities-scan:
+ name: Vulnerabilities scan
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - uses: debricked/actions@v3
+ env:
+ DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
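Review bot: The scan step references `debricked/actions@v3`, a mutable tag for a third-party action that receives a secret (`DEBRICKED_TOKEN`) and runs on every push, while the other third-party actions added or updated in this commit (appknox, black-duck, cosign, gradle, ruby) are pinned to a full commit SHA. A moving tag lets a future release of that action change what runs with the token without any change in this repository. Pin it the same way as its siblings: `- uses: debricked/actions@<full-commit-sha> # v3.x.y` (placeholders to be filled from the action's release page). The top-level `permissions: contents: read` is appropriate for a scan that only reads the tree.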
diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml
index 07aa7d1..5b18a5b 100644
--- a/code-scanning/defender-for-devops.yml
+++ b/code-scanning/defender-for-devops.yml
@@ -33,7 +33,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-dotnet@v3
+ - uses: actions/setup-dotnet@v4
with:
dotnet-version: |
5.0.x
@@ -42,6 +42,6 @@ jobs:
uses: microsoft/security-devops-action@v1.6.0
id: msdo
- name: Upload results to Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml
index 76a116b..2d6293b 100644
--- a/code-scanning/detekt.yml
+++ b/code-scanning/detekt.yml
@@ -111,7 +111,7 @@ jobs:
)" > ${{ github.workspace }}/detekt.sarif.json
# Uploads results to GitHub repository using the upload-sarif action
- - uses: github/codeql-action/upload-sarif@v2
+ - uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: ${{ github.workspace }}/detekt.sarif.json
diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml
index 98daab8..69ae85e 100644
--- a/code-scanning/devskim.yml
+++ b/code-scanning/devskim.yml
@@ -16,7 +16,7 @@ on:
jobs:
lint:
name: DevSkim
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
permissions:
actions: read
contents: read
@@ -29,6 +29,6 @@ jobs:
uses: microsoft/DevSkim-Action@v1
- name: Upload DevSkim scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: devskim-results.sarif
diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml
index 670fe62..1ca7368 100644
--- a/code-scanning/endorlabs.yml
+++ b/code-scanning/endorlabs.yml
@@ -26,7 +26,7 @@ jobs:
### Use this section to define the build steps used by your software package.
### Endor Labs builds your software for you where possible but the required build tools must be made available.
# - name: Setup Java
- # uses: actions/setup-java@v3
+ # uses: actions/setup-java@v4
# with:
# distribution: 'microsoft'
# java-version: '17'
@@ -46,6 +46,6 @@ jobs:
ci_run: "false"
sarif_file: findings.sarif
- name: Upload SARIF to github
- uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: findings.sarif
diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml
index 876ea2b..b0aaeb3 100644
--- a/code-scanning/eslint.yml
+++ b/code-scanning/eslint.yml
@@ -33,9 +33,11 @@ jobs:
- name: Install ESLint
run: |
npm install eslint@8.10.0
- npm install @microsoft/eslint-formatter-sarif@2.1.7
+ npm install @microsoft/eslint-formatter-sarif@3.1.0
- name: Run ESLint
+ env:
+ SARIF_ESLINT_IGNORE_SUPPRESSED: "true"
run: npx eslint .
--config .eslintrc.js
--ext .js,.jsx,.ts,.tsx
@@ -44,7 +46,7 @@ jobs:
continue-on-error: true
- name: Upload analysis results to GitHub
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: eslint-results.sarif
- wait-for-processing: true
\ No newline at end of file
+ wait-for-processing: true
diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml
index a68d0a2..fac8a74 100644
--- a/code-scanning/ethicalcheck.yml
+++ b/code-scanning/ethicalcheck.yml
@@ -63,7 +63,7 @@ jobs:
sarif-result-file: "ethicalcheck-results.sarif"
- name: Upload sarif file to repository
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ./ethicalcheck-results.sarif
diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml
index d564b68..d3898b6 100644
--- a/code-scanning/flawfinder.yml
+++ b/code-scanning/flawfinder.yml
@@ -33,6 +33,6 @@ jobs:
output: 'flawfinder_results.sarif'
- name: Upload analysis results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{github.workspace}}/flawfinder_results.sarif
\ No newline at end of file
diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml
index c52b70e..fd7b723 100644
--- a/code-scanning/fortify.yml
+++ b/code-scanning/fortify.yml
@@ -4,95 +4,126 @@
# documentation.
################################################################################################################################################
-# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
-# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
-# or contact our sales team, visit microfocus.com/appsecurity. #
+# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your #
+# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. #
# #
-# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.#
-# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into #
-# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against #
-# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the #
-# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional #
-# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. #
+# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template #
+# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security #
+# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product #
+# documentation. If you need additional assistance, please contact Fortify support. #
################################################################################################################################################
-name: Fortify on Demand Scan
+name: Fortify AST Scan
-# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
+# Customize trigger events based on your DevSecOps process and/or policy
on:
- workflow_dispatch:
push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
+ workflow_dispatch:
jobs:
- FoD-SAST-Scan:
- # Use the appropriate runner for building your source code.
- # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
+ Fortify-AST-Scan:
+ # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc).
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
+ # pull-requests: write # Required if DO_PR_COMMENT is set to true
steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v4
- # Java is required to run the various Fortify utilities.
- # When scanning a Java application, please use the appropriate Java version for building your application.
- - name: Setup Java
- uses: actions/setup-java@v3
+ # Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
+ # configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
+ # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
+ # The Fortify GitHub Action provides many customization capabilities, but in case further customization is
+ # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
+ # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
+ # documentation at https://github.com/fortify/github-action#readme for more information on the various
+ # configuration options and available sub-actions.
+ - name: Run Fortify Scan
+ # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
+ # uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases
+ # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
+ # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
+ # of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
+ uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297
with:
- java-version: 8
- distribution: 'temurin'
-
- # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
- # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
- # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
- # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
- # ScanCentral has additional options that should be set for PHP and Python projects
- # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
- # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
- - name: Download Fortify ScanCentral Client
- uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3
- - name: Package Code + Dependencies
- run: scancentral package $PACKAGE_OPTS -o package.zip
+ sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
+ debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
+ # is disabled). For SSC, run a Debricked scan and import results into SSC.
env:
- PACKAGE_OPTS: "-bt mvn"
+ #############################################################
+ ##### Fortify on Demand configuration
+ ##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
+ ### Required configuration
+ FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
+ FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
+ FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
+ FOD_PASSWORD: ${{secrets.FOD_PAT}}
+ # FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
+ # FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
+ ### Optional configuration
+ # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
+ # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:
+ # DO_SETUP: true # Setup FoD application, release & static scan configuration
+ # SETUP_ACTION: # Customize setup action
+ # Pass extra options to setup action:
+ # SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
+ # PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
+ # FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
+ # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
+ # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
+ # POLICY_CHECK_ACTION: # Customize security policy checks
+ # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
+ # DO_JOB_SUMMARY: true # Generate workflow job summary
+ # JOB_SUMMARY_ACTION: # Customize job summary
+ # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
+ # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
+ # PR_COMMENT_ACTION: # Customize PR comments
+ # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
+ # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
+ # EXPORT_ACTION: # Customize export action
+ # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
+ # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions
- # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
- # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
- # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
- # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
- - name: Download Fortify on Demand Universal CI Tool
- uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433
- - name: Perform SAST Scan
- run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
- env:
- FOD_URL: "https://ams.fortify.com/"
- FOD_API_URL: "https://api.ams.fortify.com/"
- FOD_TENANT: ${{ secrets.FOD_TENANT }}
- FOD_USER: ${{ secrets.FOD_USER }}
- FOD_PAT: ${{ secrets.FOD_PAT }}
- FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
- FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
- FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
-
- # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
- - name: Export results to GitHub-optimized SARIF
- uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b
- with:
- fod_base_url: "https://ams.fortify.com/"
- fod_tenant: ${{ secrets.FOD_TENANT }}
- fod_user: ${{ secrets.FOD_USER }}
- fod_password: ${{ secrets.FOD_PAT }}
- fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
-
- # Import Fortify on Demand results to GitHub Security Code Scanning
- - name: Import Results
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: ./gh-fortify-sast.sarif
+ #############################################################
+ ##### Fortify Hosted / Software Security Center & ScanCentral
+ ##### Remove this section if you're integrating with Fortify on Demand (see above)
+ ### Required configuration
+ SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret
+ SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets
+ SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
+ DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
+ SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
+ ### Optional configuration
+ # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
+ # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
+ # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: /:
+ # DO_SETUP: true # Set up SSC application & version
+ # SETUP_ACTION: # Customize setup action
+ # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
+ # PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options
+ # EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options
+ # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
+ # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
+ # POLICY_CHECK_ACTION: # Customize security policy checks
+ # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
+ # DO_JOB_SUMMARY: true # Generate workflow job summary
+ # JOB_SUMMARY_ACTION: # Customize job summary
+ # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
+ # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
+ # PR_COMMENT_ACTION: # Customize PR comments
+ # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
+ # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
+ # EXPORT_ACTION: # Customize export action
+ # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
+ # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions
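Review bot: The `pull_request:` trigger added under `on:` is not reconciled with the secret-based login in the step's `env:` block: workflow runs for pull requests opened from forks do not receive repository secrets, so `FOD_TENANT`/`FOD_USER`/`FOD_PASSWORD` (or `SSC_TOKEN`/`SC_SAST_TOKEN`) are empty there and the scan fails at login; the same applies to the `pull_request` trigger in the new code-scanning/jfrog-sast.yml. I'd add next to the trigger: `# Secrets are not available to pull_request runs from forks, so this job fails at login for fork PRs; keep pull_request rather than pull_request_target so untrusted PR code never runs with these credentials.` Separately, the FoD and SSC `env:` sections are both live as written — the comments say to remove one, but what the action does when both `FOD_URL` and `SSC_URL` are set is not visible here, so the header comment should state which takes precedence or that the template must not run unedited.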
diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml
index 62eb9ec..12f8011 100644
--- a/code-scanning/frogbot-scan-and-fix.yml
+++ b/code-scanning/frogbot-scan-and-fix.yml
@@ -5,9 +5,9 @@
# Frogbot Scan and Fix does the following:
# Automatically creates pull requests with fixes for vulnerable project dependencies.
# Uses JFrog Xray to scan the project.
-# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
+# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot
-# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
+# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration
name: "Frogbot Scan and Fix"
on:
@@ -23,11 +23,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- # IMPORTANT:
- # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
- # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
-
- - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0
+ - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2
env:
# [Mandatory if the two conditions below are met]
# 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml
index a2e29fa..badcef0 100644
--- a/code-scanning/frogbot-scan-pr.yml
+++ b/code-scanning/frogbot-scan-pr.yml
@@ -5,9 +5,9 @@
# Frogbot Scan Pull Request does the following:
# Automatically scans new pull requests for security vulnerabilities.
# Uses JFrog Xray to scan the project.
-# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
+# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot
-# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
+# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration
name: "Frogbot Scan Pull Request"
on:
@@ -21,18 +21,14 @@ jobs:
runs-on: ubuntu-latest
# A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
# "frogbot" GitHub environment can approve the pull request to be scanned.
- # Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md
+ # Read more here (Install Frogbot Using GitHub Actions): https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-github-actions
environment: frogbot
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- # IMPORTANT:
- # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
- # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
-
- - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0
+ - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2
env:
# [Mandatory if the two conditions below are met]
# 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml
index 2d901a4..eacbabb 100644
--- a/code-scanning/hadolint.yml
+++ b/code-scanning/hadolint.yml
@@ -41,7 +41,7 @@ jobs:
no-fail: true
- name: Upload analysis results to GitHub
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: hadolint-results.sarif
wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/jfrog-sast.yml b/code-scanning/jfrog-sast.yml
new file mode 100644
index 0000000..4ff7ef7
--- /dev/null
+++ b/code-scanning/jfrog-sast.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# JFrog SAST performs 1st party source code security analysis
+# For more information, see
+# https://docs.jfrog-applications.jfrog.io/jfrog-security-features/sast
+
+name: "JFrog SAST Scan"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch, $protected-branches ]
+ schedule:
+ - cron: $cron-weekly
+
+env:
+ # [Mandatory]
+ # JFrog platform URL and access token for
+ # a JFrog platform instance with active
+ # JFrog Advanced Security subscription
+ JF_URL: ${{ secrets.JF_URL }}
+ JF_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+
+ - name: Install and configure JFrog CLI
+ run: |
+ npm install -g jfrog-cli-v2-jf
+ echo $JF_TOKEN | jf c add --interactive=false --url=$JF_URL --access-token-stdin
+
+ - name: Run JFrog SAST
+ run: |
+ jf audit --sast --format=sarif > jfrog_sast.sarif
+
+
+ - name: Upload output to generate autofix
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: jfrog_sast.sarif
\ No newline at end of file
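Review bot: `JF_TOKEN` is defined in the workflow-level `env:` above `jobs:`, so the access token is present in the environment of every step, including `actions/setup-node@v4` and the unpinned `npm install -g jfrog-cli-v2-jf`, which runs whatever install scripts the fetched package ships; only the `Install and configure JFrog CLI` step actually reads it on stdin. Scoping `JF_URL`/`JF_TOKEN` to that step's own `env:` limits the token to the one step that needs it, and pinning the CLI version makes the scan reproducible instead of tracking latest. This assumes the later `jf audit` step reads the server config stored by `jf c add` rather than the env vars — worth confirming; if it does need them, scope them to that step as well rather than the whole workflow. Quoting `"$JF_TOKEN"` and `--url="$JF_URL"` also avoids word splitting if the URL ever contains shell-special characters.

```yaml
# … unchanged: checkout and setup-node steps …
      - name: Install and configure JFrog CLI
        env:
          JF_URL: ${{ secrets.JF_URL }}
          JF_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
        run: |
          npm install -g jfrog-cli-v2-jf@<PINNED_VERSION>
          echo "$JF_TOKEN" | jf c add --interactive=false --url="$JF_URL" --access-token-stdin
# … unchanged: Run JFrog SAST and upload-sarif steps …
```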
diff --git a/code-scanning/jscrambler-code-integrity.yml b/code-scanning/jscrambler-code-integrity.yml
index 69d7c42..64a998a 100644
--- a/code-scanning/jscrambler-code-integrity.yml
+++ b/code-scanning/jscrambler-code-integrity.yml
@@ -28,9 +28,9 @@ jobs:
contents: read
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@v4
with:
- node-version: 18
+ node-version: 20
- run: npm ci
- run: npm run build
- name: Jscrambler Code Integrity
diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml
index 98fd8e0..4f11399 100644
--- a/code-scanning/kubesec.yml
+++ b/code-scanning/kubesec.yml
@@ -17,7 +17,7 @@ on:
jobs:
lint:
name: Kubesec
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
permissions:
actions: read
contents: read
@@ -36,6 +36,6 @@ jobs:
exit-code: "0"
- name: Upload Kubesec scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: kubesec-results.sarif
\ No newline at end of file
diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml
index 01ce719..7bb83e3 100644
--- a/code-scanning/lintr.yml
+++ b/code-scanning/lintr.yml
@@ -49,7 +49,7 @@ jobs:
continue-on-error: true
- name: Upload analysis results to GitHub
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: lintr-results.sarif
wait-for-processing: true
diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml
index 9e533fe..36ed82a 100644
--- a/code-scanning/mayhem-for-api.yml
+++ b/code-scanning/mayhem-for-api.yml
@@ -9,13 +9,11 @@
#
# To use this workflow, you will need to:
#
-# 1. Create a Mayhem for API account at
-# https://mayhem4api.forallsecure.com/signup
+# 1. Create a Mayhem account at https://app.mayhem.security
#
-# 2. Create a service account token `mapi organization service-account create
-# `
+# 2. Create an API token at https://app.mayhem.security/-/settings/user/api-tokens
#
-# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN"
+# 3. Add the API token as a secret in GitHub called "MAYHEM_TOKEN"
#
# 4. Update the "Start your API" step to run your API in the background before
# starting the Mayhem for API scan, and update the `api-url` & `api-spec`
@@ -51,16 +49,16 @@ jobs:
run: ./run_your_api.sh & # <- ✏️ update this
- name: Mayhem for API
- uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010
+ uses: ForAllSecure/mapi-action@v1
continue-on-error: true
with:
- mapi-token: ${{ secrets.MAPI_TOKEN }}
+ mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
api-url: http://localhost:8080 # <- ✏️ update this
api-spec: http://localhost:8080/openapi.json # <- ✏️ update this
duration: 60
sarif-report: mapi.sarif
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: mapi.sarif
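Review bot: `uses: ForAllSecure/mapi-action@v1` replaces a full-SHA pin with a mutable tag for a third-party action, which runs against the rest of this commit (frogbot, fortify/github-action and aws-actions/cloudformation-aws-iam-policy-validator all stay on or move to commit SHAs) and against the starter-workflow requirement the fortify template in this same diff cites. A `v1` tag can be moved to point at new code after this review, so the step should stay pinned: `uses: ForAllSecure/mapi-action@<commit SHA of the v1 release> # v1`. The `mapi-token` → `mayhem-token` input rename and the `MAYHEM_TOKEN` secret are fine as they are.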
diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml
index 9f876ae..05e014e 100644
--- a/code-scanning/mobsf.yml
+++ b/code-scanning/mobsf.yml
@@ -38,6 +38,6 @@ jobs:
args: . --sarif --output results.sarif || true
- name: Upload mobsfscan report
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml
index 0700989..1d7b31f 100644
--- a/code-scanning/msvc.yml
+++ b/code-scanning/msvc.yml
@@ -54,13 +54,13 @@ jobs:
# Upload SARIF file to GitHub Code Scanning Alerts
- name: Upload SARIF to GitHub
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
# Upload SARIF file as an Artifact to download and view
# - name: Upload SARIF as an Artifact
- # uses: actions/upload-artifact@v3
+ # uses: actions/upload-artifact@v4
# with:
# name: sarif-file
# path: ${{ steps.run-analysis.outputs.sarif }}
diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml
index e9189d5..218d16a 100644
--- a/code-scanning/neuralegion.yml
+++ b/code-scanning/neuralegion.yml
@@ -162,7 +162,7 @@ jobs:
runs-on: ubuntu-18.04
name: A job to run a Nexploit scan
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
- name: Start Nexploit Scan 🏁
id: start
uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
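Review bot: `runs-on: ubuntu-18.04` is left in place while `actions/checkout` is bumped to v4; as far as I know the `ubuntu-18.04` hosted-runner label has been retired, so the job will not be scheduled regardless of the checkout version, and checkout@v4 itself expects a Node 20-capable runner. The other templates in this commit (devskim, kubesec) move `ubuntu-20.04` to `ubuntu-latest`; this one should follow: `runs-on: ubuntu-latest`. The `NeuraLegion/run-scan` step staying on a commit SHA is consistent with the rest of the code-scanning templates.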
diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml
index 8062259..767b967 100644
--- a/code-scanning/njsscan.yml
+++ b/code-scanning/njsscan.yml
@@ -37,6 +37,6 @@ jobs:
with:
args: '. --sarif --output results.sarif || true'
- name: Upload njsscan report
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml
index 324a533..5cb6c29 100644
--- a/code-scanning/nowsecure.yml
+++ b/code-scanning/nowsecure.yml
@@ -47,6 +47,6 @@ jobs:
group_id: {{ groupId }} # Update this to your desired Platform group ID
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: NowSecure.sarif
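Review bot: `group_id: {{ groupId }}` on the context line above the change is an unquoted value beginning with `{`, which YAML reads as a flow mapping whose key is itself a mapping rather than the placeholder string the comment describes; some loaders reject it outright, and it is unlikely to reach the action as a string. It predates this commit, but since the file is being touched, quote it: `group_id: "{{ groupId }}" # Update this to your desired Platform group ID`. The upload-sarif bump itself is fine.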
diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml
index ad46e1d..0088a3f 100644
--- a/code-scanning/ossar.yml
+++ b/code-scanning/ossar.yml
@@ -40,7 +40,7 @@ jobs:
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
# - name: Install .NET
- # uses: actions/setup-dotnet@v2
+ # uses: actions/setup-dotnet@v4
# with:
# dotnet-version: '3.1.x'
@@ -51,6 +51,6 @@ jobs:
# Upload results to the Security tab
- name: Upload OSSAR results
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml
index 58ca4f8..5ceaabc 100644
--- a/code-scanning/phpmd.yml
+++ b/code-scanning/phpmd.yml
@@ -51,7 +51,7 @@ jobs:
continue-on-error: true
- name: Upload analysis results to GitHub
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: phpmd-results.sarif
wait-for-processing: true
diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml
index ed5eec9..032f997 100644
--- a/code-scanning/pmd.yml
+++ b/code-scanning/pmd.yml
@@ -26,7 +26,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set up JDK 11
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'temurin'
@@ -38,6 +38,6 @@ jobs:
sourcePath: 'src/main/java'
analyzeModifiedFilesOnly: false
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: pmd-report.sarif
diff --git a/code-scanning/policy-validator-cfn.yaml b/code-scanning/policy-validator-cfn.yaml
index b2cd163..8d32ce1 100644
--- a/code-scanning/policy-validator-cfn.yaml
+++ b/code-scanning/policy-validator-cfn.yaml
@@ -20,7 +20,8 @@ env:
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template.
- ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
jobs:
@@ -45,7 +46,7 @@ jobs:
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer ValidatePolicy check
id: run-aws-validate-policy
- uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
with:
policy-check-type: "VALIDATE_POLICY"
template-path: ${{ env.TEMPLATE_PATH}}
@@ -57,11 +58,12 @@ jobs:
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
id: run-aws-check-access-not-granted
- uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
with:
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
template-path: ${{ env.TEMPLATE_PATH}}
actions: ${{ env.ACTIONS }}
+ resources: ${{ env.RESOURCES }}
region: ${{ env.REGION }}
# Print result from CHECK_ACCESS_NOT_GRANTED check
- name: Print the result for CheckAccessNotGranted check
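Review bot: The new `resources: ${{ env.RESOURCES }}` input is passed unconditionally alongside `actions`, while the env comments (L1620–L1621 in the terraform variant, and the matching lines of this file) say only one of `ACTIONS` or `RESOURCES` is required; a user who fills in just one of them will still hand the literal placeholder `MY_LIST_OF_RESOURCES` (or `MY_LIST_OF_ACTIONS`) to the check. Since the template cannot know which one the user wants, the comment on the new env line should say so, e.g. `RESOURCES: MY_LIST_OF_RESOURCES # ... remove or blank whichever of ACTIONS/RESOURCES you do not use; the placeholder value is passed to the action as-is.` The same applies to the terraform hunk ending at L1646. Whether the action rejects or silently ignores an unknown placeholder I cannot tell from this page.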
@@ -71,14 +73,26 @@ jobs:
# reference-policy is stored in GitHub secrets
- name: Run AWS AccessAnalyzer CheckNoNewAccess check
id: run-aws-check-no-new-access
- uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
with:
policy-check-type: "CHECK_NO_NEW_ACCESS"
template-path: ${{ env.TEMPLATE_PATH}}
- reference-policy: ${{ env.REFERENCE }}
+ reference-policy: ${{ env.REFERENCE_POLICY }}
reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
region: ${{env.REGION }}
# Print result from CHECK_NO_NEW_ACCESS check
- name: Print the result for CheckNoNewAccess check
if: success() || failure()
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
+ # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer CheckNoPublicAccess check
+ id: run-aws-check-no-public-access
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
+ with:
+ policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_NO_PUBLIC_ACCESS check
+ - name: Print the result for CheckNoPublicAccess check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
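Review bot: The new CheckNoPublicAccess step calls a fourth Access Analyzer API, but the role guidance in the env block still lists only ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted (visible at L1616 for the terraform variant; the CloudFormation env block is above this chunk), so a role built from that comment will fail this step with an AccessDenied error. The `AWS_ROLE` comment should add `access-analyzer:CheckNoPublicAccess` to the list of permissions the role needs. The same applies to the terraform hunk ending at L1671. Also, this new step uses `${{ env.TEMPLATE_PATH }}` while the older steps in this file use `${{ env.TEMPLATE_PATH}}` and `${{env.REGION }}` (L1590, L1594); aligning the spacing would make the steps read consistently.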
diff --git a/code-scanning/policy-validator-tf.yaml b/code-scanning/policy-validator-tf.yaml
index 1ca77b5..07f884f 100644
--- a/code-scanning/policy-validator-tf.yaml
+++ b/code-scanning/policy-validator-tf.yaml
@@ -21,7 +21,8 @@ env:
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
- ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
@@ -48,7 +49,7 @@ jobs:
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer ValidatePolicy check
id: run-aws-validate-policy
- uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
with:
policy-check-type: "VALIDATE_POLICY"
template-path: ${{ env.TEMPLATE_PATH }}
@@ -60,11 +61,12 @@ jobs:
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
id: run-aws-check-access-not-granted
- uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
with:
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
template-path: ${{ env.TEMPLATE_PATH }}
actions: ${{ env.ACTIONS }}
+ resources: ${{ env.RESOURCES }}
region: ${{ env.REGION }}
# Print result from CHECK_ACCESS_NOT_GRANTED check
- name: Print the result for CheckAccessNotGranted check
@@ -74,7 +76,7 @@ jobs:
# reference-policy is stored in GitHub secrets
- name: Run AWS AccessAnalyzer CheckNoNewAccess check
id: run-aws-check-no-new-access
- uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
with:
policy-check-type: "CHECK_NO_NEW_ACCESS"
template-path: ${{ env.TEMPLATE_PATH }}
@@ -85,3 +87,15 @@ jobs:
- name: Print the result CheckNoNewAccess check
if: success() || failure()
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
+ # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer CheckNoPublicAccess check
+ id: run-aws-check-no-public-access
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_NO_PUBLIC_ACCESS check
+ - name: Print the result for CheckNoPublicAccess check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml
index 52f65a0..216f1dc 100644
--- a/code-scanning/powershell.yml
+++ b/code-scanning/powershell.yml
@@ -44,6 +44,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml
index 4b84b21..5461f5c 100644
--- a/code-scanning/prisma.yml
+++ b/code-scanning/prisma.yml
@@ -49,7 +49,7 @@ jobs:
# The service need to know the type of IaC being scanned
template_type: 'CFT'
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed.
diff --git a/code-scanning/properties/appknox.properties.json b/code-scanning/properties/appknox.properties.json
new file mode 100644
index 0000000..8e8b1f2
--- /dev/null
+++ b/code-scanning/properties/appknox.properties.json
@@ -0,0 +1,21 @@
+{
+ "name": "Appknox",
+ "creator": "Appknox",
+ "description": "Use Appknox action for faster and precise security assessments of your iOS and Android apps developed using any programming language",
+ "iconName": "appknox",
+ "categories": [
+ "Code Scanning",
+ "Java",
+ "Kotlin",
+ "Scala",
+ "Swift",
+ "Objective C",
+ "C",
+ "C++",
+ "C#",
+ "Rust",
+ "JavaScript",
+ "TypeScript",
+ "Node"
+ ]
+}
diff --git a/code-scanning/properties/black-duck-security-scan-ci.properties.json b/code-scanning/properties/black-duck-security-scan-ci.properties.json
new file mode 100644
index 0000000..3e196fd
--- /dev/null
+++ b/code-scanning/properties/black-duck-security-scan-ci.properties.json
@@ -0,0 +1,22 @@
+{
+ "name": "Black Duck Security Scan Workflow",
+ "creator": "Black Duck Software, Inc.",
+ "description": "The Black Duck Security Scan GitHub Action allows you to configure your pipeline to run Black Duck Security Scan and take action on the security results",
+ "iconName": "black-duck",
+ "categories": [
+ "Code Scanning",
+ "C",
+ "C++",
+ "C#",
+ "Go",
+ "Java",
+ "JavaScript",
+ "Ruby",
+ "PHP",
+ "Swift",
+ "Kotlin",
+ "Python",
+ "VB.NET",
+ "Objective C"
+ ]
+}
diff --git a/code-scanning/properties/debricked.properties.json b/code-scanning/properties/debricked.properties.json
new file mode 100644
index 0000000..f669f09
--- /dev/null
+++ b/code-scanning/properties/debricked.properties.json
@@ -0,0 +1,19 @@
+{
+ "name": "Debricked Scan",
+ "creator": "OpenText",
+ "description": "Integrate with Debricked's state of the art AI-powered Software Composition Analysis to automate your security.",
+ "iconName": "debricked",
+ "categories": [
+ "Code Scanning",
+ "Python",
+ "JavaScript",
+ "Java",
+ "PHP",
+ "Ruby",
+ "Go",
+ "Rust",
+ "Swift",
+ "C#",
+ "Objective-C"
+ ]
+}
diff --git a/code-scanning/properties/fortify.properties.json b/code-scanning/properties/fortify.properties.json
index 100b4bb..9a7511c 100644
--- a/code-scanning/properties/fortify.properties.json
+++ b/code-scanning/properties/fortify.properties.json
@@ -1,7 +1,7 @@
{
- "name": "Fortify on Demand Scan",
- "creator": "Micro Focus",
- "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.",
+ "name": "Fortify Scan",
+ "creator": "OpenText",
+ "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 33+ languages into your DevSecOps workflows.",
"iconName": "fortify",
- "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"]
+ "categories": ["Code Scanning", "ABAP", "ActionScript", "Bicep", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Dart", "Go", "HCL", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Solidity", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML", "YAML"]
}
diff --git a/code-scanning/properties/jfrog-sast.properties.json b/code-scanning/properties/jfrog-sast.properties.json
new file mode 100644
index 0000000..7ffa897
--- /dev/null
+++ b/code-scanning/properties/jfrog-sast.properties.json
@@ -0,0 +1,16 @@
+{
+ "name": "JFrog SAST",
+ "description": "Scan for security vulnerabilities in source code using JFrog SAST",
+ "iconName": "frogbot",
+ "categories":
+ [
+ "Code Scanning",
+ "security",
+ "python",
+ "java",
+ "javascript",
+ "typescript",
+ "go"
+ ],
+ "creator": "JFrog"
+}
\ No newline at end of file
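Review bot: The `categories` entries in this new file are lowercase (`"python"`, `"java"`, `"go"`) and include a non-language `"security"` tag, whereas the sibling property files added in the same commit (L1707–L1721, L1734–L1749, L1762–L1774) capitalize language names; if the consuming site groups templates by exact category string, these entries will not group with the others. Suggest `"Python"`, `"Java"`, `"JavaScript"`, `"TypeScript"`, `"Go"` and dropping `"security"` unless that category is used elsewhere. The file also lacks a trailing newline, unlike the other new property files.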
diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml
index dddbfdd..a0563d9 100644
--- a/code-scanning/psalm.yml
+++ b/code-scanning/psalm.yml
@@ -33,6 +33,6 @@ jobs:
uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287
- name: Upload Security Analysis results to GitHub
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml
index e039085..014b0a0 100644
--- a/code-scanning/puppet-lint.yml
+++ b/code-scanning/puppet-lint.yml
@@ -49,7 +49,7 @@ jobs:
continue-on-error: true
- name: Upload analysis results to GitHub
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: puppet-lint-results.sarif
wait-for-processing: true
diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml
index feef351..a3e7af8 100644
--- a/code-scanning/rubocop.yml
+++ b/code-scanning/rubocop.yml
@@ -47,6 +47,6 @@ jobs:
"
- name: Upload Sarif output
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: rubocop.sarif
diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml
index 4f50c3e..e4b2508 100644
--- a/code-scanning/rust-clippy.yml
+++ b/code-scanning/rust-clippy.yml
@@ -49,7 +49,7 @@ jobs:
continue-on-error: true
- name: Upload analysis results to GitHub
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: rust-clippy-results.sarif
wait-for-processing: true
diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml
index 162c788..b5b838e 100644
--- a/code-scanning/scorecard.yml
+++ b/code-scanning/scorecard.yml
@@ -21,6 +21,8 @@ jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
+ # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+ if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
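Review bot: The comment on the new `if:` explains the default-branch clause but not the `|| github.event_name == 'pull_request'` clause, so a reader is left to guess why PR runs are let through; on a pull_request event `github.ref_name` is the PR merge ref, so the first comparison is never true and the second clause is what keeps PR analysis running. Suggest extending the comment, e.g. `# publish_results: true only takes effect on the default branch; PR runs are still allowed so results upload to the PR's code-scanning view. Remove the condition if publishing is disabled.` This keeps the new behaviour but makes both halves of the condition self-explanatory.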
@@ -32,12 +34,12 @@ jobs:
steps:
- name: "Checkout code"
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
with:
results_file: results.sarif
results_format: sarif
@@ -56,10 +58,13 @@ jobs:
# of the value entered here.
publish_results: true
+ # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
+ # file_mode: git
+
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
- uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: SARIF file
path: results.sarif
@@ -68,6 +73,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
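Review bot: This hunk replaces a full-commit pin with a trailing version comment (`@1b1aada… # v3.24.9`) by the mutable tag `@v3`, which is the opposite of what the rest of this file does (checkout, scorecard-action and upload-artifact are all SHA-pinned at L1878, L1883 and L1897) and is exactly what Scorecard's own Pinned-Dependencies check will flag on the repository that adopts this template. Tags can be moved, so a SHA pin is the only way to get a reproducible, reviewable dependency here. Keep the existing style: `uses: github/codeql-action/upload-sarif@<full SHA of the v3 release you resolved> # v3.x.y`, with the real SHA and tag substituted for the placeholders.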
diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml
index 5d5e87b..58cb9c6 100644
--- a/code-scanning/securitycodescan.yml
+++ b/code-scanning/securitycodescan.yml
@@ -38,4 +38,4 @@ jobs:
uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
- name: Upload sarif
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml
index f21aa9a..bbf787a 100644
--- a/code-scanning/semgrep.yml
+++ b/code-scanning/semgrep.yml
@@ -43,7 +43,7 @@ jobs:
# Upload SARIF file generated in previous step
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep.sarif
if: always()
diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml
index edbea1d..c485691 100644
--- a/code-scanning/snyk-container.yml
+++ b/code-scanning/snyk-container.yml
@@ -50,6 +50,6 @@ jobs:
image: your/image-to-test
args: --file=Dockerfile
- name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml
index a5605a3..f1466b2 100644
--- a/code-scanning/snyk-infrastructure.yml
+++ b/code-scanning/snyk-infrastructure.yml
@@ -49,6 +49,6 @@ jobs:
# or `main.tf` for a Terraform configuration file
file: your-file-to-test.yaml
- name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
diff --git a/code-scanning/snyk-security.yml b/code-scanning/snyk-security.yml
index 4941e00..b2fe77c 100644
--- a/code-scanning/snyk-security.yml
+++ b/code-scanning/snyk-security.yml
@@ -43,9 +43,9 @@ jobs:
# For Snyk Open Source you must first set up the development environment for your application's dependencies
# For example for Node
- #- uses: actions/setup-node@v3
+ #- uses: actions/setup-node@v4
# with:
- # node-version: 16
+ # node-version: 20
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
@@ -74,6 +74,6 @@ jobs:
# Push the Snyk Code results into GitHub Code Scanning tab
- name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk-code.sarif
diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml
index 6dd4ffe..cfbf1f4 100644
--- a/code-scanning/sobelow.yml
+++ b/code-scanning/sobelow.yml
@@ -36,6 +36,6 @@ jobs:
- id: run-action
uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912
- name: Upload report
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 41075e4..0e7f274 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -46,13 +46,12 @@ jobs:
- name: Analyze with SonarCloud
# You can pin the exact commit or the version.
- # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
- uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ # uses: SonarSource/sonarcloud-github-action@v2.2.0
+ uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216
env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
with:
- # Additional arguments for the sonarcloud scanner
+ # Additional arguments for the SonarScanner CLI
args:
# Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
# mandatory
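Review bot: The new active `uses:` line at L1997 is a bare SHA with no trailing version comment, so a reader can no longer tell which release it corresponds to; the commented line above it shows `@v2.2.0` but nothing on the page confirms that the SHA resolves to that tag. Suggest annotating the pin in the same form used elsewhere in this commit (L1878, L1883): `uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 # <tag the SHA was resolved from>`. Separately, the removal of `GITHUB_TOKEN` (previously "Needed to get PR information") is presumably because the pinned version no longer reads it; that should be verified against that version's README, since otherwise pull-request analyses lose PR context silently.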
@@ -60,9 +59,9 @@ jobs:
-Dsonar.organization=
# Comma-separated paths to directories containing main source files.
#-Dsonar.sources= # optional, default is project base directory
- # When you need the analysis to take place in a directory other than the one from which it was launched
- #-Dsonar.projectBaseDir= # optional, default is .
# Comma-separated paths to directories containing test source files.
#-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
# Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
#-Dsonar.verbose= # optional, default is false
+ # When you need the analysis to take place in a directory other than the one from which it was launched, default is .
+ projectBaseDir: .
diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml
index b3e470e..4853c4e 100644
--- a/code-scanning/soos-dast-scan.yml
+++ b/code-scanning/soos-dast-scan.yml
@@ -36,15 +36,25 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Run SOOS DAST Analysis
- uses: soos-io/soos-dast-github-action@a7f2cb2dfd143cb3224712d902ca0a1da0198ea9
+ uses: soos-io/soos-dast-github-action@a7eb40b94c1c81eb76b178ba1befdc21823f86fa
with:
client_id: ${{ secrets.SOOS_CLIENT_ID }}
api_key: ${{ secrets.SOOS_API_KEY }}
project_name: ""
scan_mode: "baseline"
target_url: "https://www.example.com/"
- output_format: "sarif"
+ export_format: "Sarif"
+ export_file_type: "Json"
+ - name: Find and rename SARIF file since it is unique
+ run: |
+ file=$(find . -name "*.sarif.json" | head -n 1)
+ if [ -n "$file" ]; then
+ mv "$file" output.sarif.json
+ echo "Renamed $file to output.sarif.json"
+ else
+ echo "No SARIF file found" && exit 1
+ fi
- name: Upload SOOS DAST SARIF Report
uses: github/codeql-action/upload-sarif@v3
with:
- sarif_file: results.sarif
+ sarif_file: output.sarif.json
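Review bot: The new rename step picks `find . -name "*.sarif.json" | head -n 1`, which also matches the `output.sarif.json` it itself creates, so on a re-run in the same workspace (or if a checkout ever contains such a file) it may rename the wrong file or a stale one, and with several matches the choice depends on directory order. Excluding the target name and stopping at the first hit is a one-line change: `file=$(find . -name "*.sarif.json" ! -name output.sarif.json -print -quit)`. The step comment "since it is unique" would read more clearly as "since the generated file name is not predictable".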
diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml
index cac0507..f1ceddb 100644
--- a/code-scanning/stackhawk.yml
+++ b/code-scanning/stackhawk.yml
@@ -46,7 +46,7 @@ jobs:
contents: read # for actions/checkout to fetch code
security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info
name: StackHawk
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml
index df50d9d..6e245d7 100644
--- a/code-scanning/synopsys-io.yml
+++ b/code-scanning/synopsys-io.yml
@@ -71,7 +71,7 @@ jobs:
- name: Upload SARIF file
if: ${{steps.prescription.outputs.sastScan == 'true' }}
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: workflowengine-results.sarif.json
diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml
index c9a0edb..11fd8b7 100644
--- a/code-scanning/sysdig-scan.yml
+++ b/code-scanning/sysdig-scan.yml
@@ -55,7 +55,7 @@ jobs:
# Sysdig inline scanner requires privileged rights
run-as-user: root
- - uses: github/codeql-action/upload-sarif@v2
+ - uses: github/codeql-action/upload-sarif@v3
#Upload SARIF file
if: always()
with:
diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml
index 388fc37..c8ef49c 100644
--- a/code-scanning/tfsec.yml
+++ b/code-scanning/tfsec.yml
@@ -32,7 +32,7 @@ jobs:
sarif_file: tfsec.sarif
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: tfsec.sarif
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index ec90221..ca2fe88 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -24,7 +24,7 @@ jobs:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Build
- runs-on: "ubuntu-20.04"
+ runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
@@ -43,6 +43,6 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml
index 379493f..aa75128 100644
--- a/code-scanning/veracode.yml
+++ b/code-scanning/veracode.yml
@@ -42,7 +42,7 @@ jobs:
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- run: unzip -o pipeline-scan-LATEST.zip
- - uses: actions/setup-java@v3
+ - uses: actions/setup-java@v4
with:
java-version: 8
distribution: 'temurin'
@@ -53,7 +53,7 @@ jobs:
uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
with:
pipeline-results-json: results.json
- - uses: github/codeql-action/upload-sarif@v2
+ - uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: veracode-results.sarif
diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml
index 32c977e..834d71f 100644
--- a/code-scanning/xanitizer.yml
+++ b/code-scanning/xanitizer.yml
@@ -62,7 +62,7 @@ jobs:
# Set up the correct Java version for your project
# Please comment out, if your project does not contain Java source code.
- name: Set up JDK 11
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
with:
java-version: 11
distribution: 'temurin'
@@ -87,7 +87,7 @@ jobs:
license: ${{ secrets.XANITIZER_LICENSE }}
# Archiving the findings list reports
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
with:
name: Xanitizer-Reports
path: |
@@ -95,6 +95,6 @@ jobs:
*-Findings-List.sarif
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
- - uses: github/codeql-action/upload-sarif@v2
+ - uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: Xanitizer-Findings-List.sarif
diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml
index 7a2fc00..523c495 100644
--- a/code-scanning/zscaler-iac-scan.yml
+++ b/code-scanning/zscaler-iac-scan.yml
@@ -51,6 +51,6 @@ jobs:
#Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
- name: Upload SARIF file
if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}
diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml
index 018e473..9c9b303 100644
--- a/code-scanning/zscan.yml
+++ b/code-scanning/zscan.yml
@@ -55,6 +55,6 @@ jobs:
app_file: app-release-unsigned.apk
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: Zimperium.sarif
diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml
index bf1169b..99ad945 100644
--- a/deployments/azure-functions-app-dotnet.yml
+++ b/deployments/azure-functions-app-dotnet.yml
@@ -42,7 +42,7 @@ jobs:
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
- name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment
- uses: actions/setup-dotnet@v3
+ uses: actions/setup-dotnet@v4
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
diff --git a/deployments/azure-functions-app-java-gradle.yml b/deployments/azure-functions-app-java-gradle.yml
index 131e287..87d9ec0 100644
--- a/deployments/azure-functions-app-java-gradle.yml
+++ b/deployments/azure-functions-app-java-gradle.yml
@@ -28,6 +28,7 @@ permissions:
env:
AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
BUILD_GRADLE_DIRECTORY: '.' # set this to the directory which contains build.gradle file
+ DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft')
JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17')
jobs:
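Review bot: The comment on the new `DISTRIBUTION` env line says "set this to the java version to use", which is a copy of the `JAVA_VERSION` comment beneath it; the value is a JDK distribution, not a version. Suggest `DISTRIBUTION: 'zulu' # set this to the java distribution to use (e.g. 'zulu', 'temurin', 'microsoft')`. The same copied comment appears in the hunk ending at L2234 (azure-functions-app-java.yml).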
@@ -47,8 +48,9 @@ jobs:
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
- name: Setup Java Sdk ${{ env.JAVA_VERSION }}
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v4
with:
+ distribution: ${{ env.DISTRIBUTION }}
java-version: ${{ env.JAVA_VERSION }}
# Build function project with functions gradle plugin
diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml
index e7b78c0..c487aff 100644
--- a/deployments/azure-functions-app-java.yml
+++ b/deployments/azure-functions-app-java.yml
@@ -25,6 +25,7 @@ on:
env:
AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
POM_XML_DIRECTORY: '.' # set this to the directory which contains pom.xml file
+ DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft')
JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17')
jobs:
@@ -42,8 +43,9 @@ jobs:
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
- name: Setup Java Sdk ${{ env.JAVA_VERSION }}
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v4
with:
+ distribution: ${{ env.DISTRIBUTION }}
java-version: ${{ env.JAVA_VERSION }}
- name: 'Restore Project Dependencies Using Mvn'
diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml
index 6c2e45c..69d3d27 100644
--- a/deployments/azure-functions-app-nodejs.yml
+++ b/deployments/azure-functions-app-nodejs.yml
@@ -27,7 +27,7 @@ on:
env:
AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root
- NODE_VERSION: '16.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x')
+ NODE_VERSION: '20.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x')
jobs:
build-and-deploy:
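Review bot: The new `NODE_VERSION: '20.x'` line keeps the old example list `(e.g. '8.x', '10.x', '12.x')`, all of which are end-of-life, so the guidance now contradicts the default it sits next to. Suggest `NODE_VERSION: '20.x' # set this to the node version to use (e.g. '18.x', '20.x', '22.x')`, matching the wording used at L2352 in azure-webapps-node.yml.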
@@ -44,7 +44,7 @@ jobs:
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
- name: Setup Node ${{ env.NODE_VERSION }} Environment
- uses: actions/setup-node@v3
+ uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml
index b4bfafb..72eab26 100644
--- a/deployments/azure-webapps-dotnet-core.yml
+++ b/deployments/azure-webapps-dotnet-core.yml
@@ -40,7 +40,7 @@ jobs:
- uses: actions/checkout@v4
- name: Set up .NET Core
- uses: actions/setup-dotnet@v2
+ uses: actions/setup-dotnet@v4
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
@@ -59,7 +59,7 @@ jobs:
run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp
- name: Upload artifact for deployment job
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
with:
name: .net-app
path: ${{env.DOTNET_ROOT}}/myapp
@@ -75,7 +75,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
with:
name: .net-app
diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml
index 63a45cc..9957493 100644
--- a/deployments/azure-webapps-java-jar-gradle.yml
+++ b/deployments/azure-webapps-java-jar-gradle.yml
@@ -40,7 +40,7 @@ jobs:
- uses: actions/checkout@v4
- name: Set up Java version
- uses: actions/setup-java@v3.0.0
+ uses: actions/setup-java@v4
with:
java-version: ${{ env.JAVA_VERSION }}
distribution: ${{ env.DISTRIBUTION }}
@@ -50,7 +50,7 @@ jobs:
run: gradle build
- name: Upload artifact for deployment job
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
with:
name: java-app
path: '${{ github.workspace }}/build/libs/*.jar'
@@ -66,7 +66,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
with:
name: java-app
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml
index 608fb8e..14580c6 100644
--- a/deployments/azure-webapps-java-jar.yml
+++ b/deployments/azure-webapps-java-jar.yml
@@ -40,7 +40,7 @@ jobs:
- uses: actions/checkout@v4
- name: Set up Java version
- uses: actions/setup-java@v3.0.0
+ uses: actions/setup-java@v4
with:
java-version: ${{ env.JAVA_VERSION }}
distribution: ${{ env.DISTRIBUTION }}
@@ -50,7 +50,7 @@ jobs:
run: mvn clean install
- name: Upload artifact for deployment job
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
with:
name: java-app
path: '${{ github.workspace }}/target/*.jar'
@@ -66,7 +66,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
with:
name: java-app
diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml
index 147d4e6..408c99e 100644
--- a/deployments/azure-webapps-node.yml
+++ b/deployments/azure-webapps-node.yml
@@ -25,7 +25,7 @@ on:
env:
AZURE_WEBAPP_NAME: your-app-name # set this to your application's name
AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
- NODE_VERSION: '14.x' # set this to the node version to use
+ NODE_VERSION: '20.x' # set this to the node version to use
permissions:
contents: read
@@ -37,7 +37,7 @@ jobs:
- uses: actions/checkout@v4
- name: Set up Node.js
- uses: actions/setup-node@v3
+ uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
@@ -49,7 +49,7 @@ jobs:
npm run test --if-present
- name: Upload artifact for deployment job
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
with:
name: node-app
path: .
@@ -65,7 +65,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
with:
name: node-app
diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml
index 1182c2a..3391c83 100644
--- a/deployments/azure-webapps-php.yml
+++ b/deployments/azure-webapps-php.yml
@@ -70,7 +70,7 @@ jobs:
run: composer validate --no-check-publish && composer install --prefer-dist --no-progress
- name: Upload artifact for deployment job
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
with:
name: php-app
path: .
@@ -86,7 +86,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
with:
name: php-app
diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml
index 656f95c..e4868c4 100644
--- a/deployments/azure-webapps-python.yml
+++ b/deployments/azure-webapps-python.yml
@@ -55,7 +55,7 @@ jobs:
# Optional: Add step to run tests here (PyTest, Django test suites, etc.)
- name: Upload artifact for deployment jobs
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
with:
name: python-app
path: |
@@ -73,7 +73,7 @@ jobs:
steps:
- name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
with:
name: python-app
path: .
diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml
index bd748f8..70af95e 100644
--- a/deployments/google-cloudrun-docker.yml
+++ b/deployments/google-cloudrun-docker.yml
@@ -1,113 +1,95 @@
-# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch
-#
-# Overview:
-#
-# 1. Authenticate to Google Cloud
-# 2. Authenticate Docker to Artifact Registry
-# 3. Build a docker container
-# 4. Publish it to Google Artifact Registry
-# 5. Deploy it to Cloud Run
+# This workflow build and push a Docker container to Google Artifact Registry
+# and deploy it on Cloud Run when a commit is pushed to the $default-branch
+# branch.
#
# To configure this workflow:
#
-# 1. Ensure the required Google Cloud APIs are enabled:
+# 1. Enable the following Google Cloud APIs:
#
-# Cloud Run run.googleapis.com
-# Artifact Registry artifactregistry.googleapis.com
+# - Artifact Registry (artifactregistry.googleapis.com)
+# - Cloud Run (run.googleapis.com)
+# - IAM Credentials API (iamcredentials.googleapis.com)
#
-# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
+# You can learn more about enabling APIs at
+# https://support.google.com/googleapi/answer/6158841.
#
-# 3. Ensure the required IAM permissions are granted
+# 2. Create and configure a Workload Identity Provider for GitHub:
+# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation.
#
-# Cloud Run
-# roles/run.admin
-# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
+# Depending on how you authenticate, you will need to grant an IAM principal
+# permissions on Google Cloud:
#
-# Artifact Registry
-# roles/artifactregistry.admin (project or repository level)
+# - Artifact Registry Administrator (roles/artifactregistry.admin)
+# - Cloud Run Developer (roles/run.developer)
#
-# NOTE: You should always follow the principle of least privilege when assigning IAM roles
+# You can learn more about setting IAM permissions at
+# https://cloud.google.com/iam/docs/manage-access-other-resources
#
-# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
-#
-# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below).
-#
-# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io
-#
-# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
-#
-# Further reading:
-# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying
-# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles
-# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
-# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+# 3. Change the values in the "env" block to match your values.
-name: Build and Deploy to Cloud Run
+name: 'Build and Deploy to Cloud Run'
on:
push:
- branches: [ $default-branch ]
+ branches:
+ - '$default-branch'
env:
- PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
- GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location
- SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
- REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
+ PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID
+ REGION: 'us-central1' # TODO: update to your region
+ SERVICE: 'my-service' # TODO: update to your service name
+ WORKLOAD_IDENTITY_PROVIDER: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: update to your workload identity provider
jobs:
deploy:
- # Add 'id-token' with the intended permissions for workload identity federation
+ runs-on: 'ubuntu-latest'
+
permissions:
contents: 'read'
id-token: 'write'
- runs-on: ubuntu-latest
steps:
- - name: Checkout
- uses: actions/checkout@v2
+ - name: 'Checkout'
+ uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4
- - name: Google Auth
- id: auth
- uses: 'google-github-actions/auth@v0'
+ # Configure Workload Identity Federation and generate an access token.
+ #
+ # See https://github.com/google-github-actions/auth for more options,
+ # including authenticating via a JSON credentials file.
+ - id: 'auth'
+ name: 'Authenticate to Google Cloud'
+ uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2
with:
- token_format: 'access_token'
- workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
- service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
+ workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}'
- # NOTE: Alternative option - authentication via credentials json
- # - name: Google Auth
- # id: auth
- # uses: 'google-github-actions/auth@v0'
- # with:
- # credentials_json: '${{ secrets.GCP_CREDENTIALS }}''
-
- # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted)
-
- # Authenticate Docker to Google Cloud Artifact Registry
- - name: Docker Auth
- id: docker-auth
- uses: 'docker/login-action@v1'
+ # BEGIN - Docker auth and build
+ #
+ # If you already have a container image, you can omit these steps.
+ - name: 'Docker Auth'
+ uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3
with:
username: 'oauth2accesstoken'
- password: '${{ steps.auth.outputs.access_token }}'
- registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'
+ password: '${{ steps.auth.outputs.auth_token }}'
+ registry: '${{ env.REGION }}-docker.pkg.dev'
- - name: Build and Push Container
+ - name: 'Build and Push Container'
run: |-
- docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./
- docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"
+ DOCKER_TAG="$${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"
+ docker build --tag "${DOCKER_TAG}" .
+ docker push "${DOCKER_TAG}"
+ - name: 'Deploy to Cloud Run'
- # END - Docker auth and build
+ # END - Docker auth and build
- - name: Deploy to Cloud Run
- id: deploy
- uses: google-github-actions/deploy-cloudrun@v0
+ uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2
with:
- service: ${{ env.SERVICE }}
- region: ${{ env.REGION }}
- # NOTE: If using a pre-built image, update the image name here
- image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
+ service: '${{ env.SERVICE }}'
+ region: '${{ env.REGION }}'
+ # NOTE: If using a pre-built image, update the image name below:
- # If required, use the Cloud Run url output in later steps
- - name: Show Output
- run: echo ${{ steps.deploy.outputs.url }}
+ image: '${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}'
+ # If required, use the Cloud Run URL output in later steps
+ - name: 'Show output'
+ run: |2-
+
+ echo ${{ steps.deploy.outputs.url }}
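Review bot: The 'Deploy to Cloud Run' step lost its `id` (the old `- id: deploy` line is removed and nothing replaces it), yet the final step still reads `${{ steps.deploy.outputs.url }}`, so that output will always be empty; add `id: 'deploy'` directly under `- name: 'Deploy to Cloud Run'`. The same omission is present in the google-cloudrun-source.yml hunk of this commit. The build step's `DOCKER_TAG="$${{ env.REGION }}-docker.pkg.dev/…"` has a stray leading `$`: after expression substitution bash sees `"$us-central1-docker…"`, expands `$us` to nothing, and the pushed tag no longer matches the `image:` handed to deploy-cloudrun — it should read `DOCKER_TAG="${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"`. The `run: |2-` block with a leading blank line can be the plain `run: |-` used in the source template, and the `# END - Docker auth and build` comment now sits between the deploy step's `name:` and `uses:` keys rather than before the step.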
diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml
index e6fcb52..6a9a551 100644
--- a/deployments/google-cloudrun-source.yml
+++ b/deployments/google-cloudrun-source.yml
@@ -1,95 +1,75 @@
-# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch
-#
-# Overview:
-#
-# 1. Authenticate to Google Cloud
-# 2. Deploy it to Cloud Run
+# This workflow will deploy source code on Cloud Run when a commit is pushed to
+# the $default-branch branch.
#
# To configure this workflow:
#
-# 1. Ensure the required Google Cloud APIs are enabled:
+# 1. Enable the following Google Cloud APIs:
#
-# Cloud Run run.googleapis.com
-# Cloud Build cloudbuild.googleapis.com
-# Artifact Registry artifactregistry.googleapis.com
+# - Artifact Registry (artifactregistry.googleapis.com)
+# - Cloud Build (cloudbuild.googleapis.com)
+# - Cloud Run (run.googleapis.com)
+# - IAM Credentials API (iamcredentials.googleapis.com)
#
-# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
+# You can learn more about enabling APIs at
+# https://support.google.com/googleapi/answer/6158841.
#
-# 3. Ensure the required IAM permissions are granted
+# 2. Create and configure a Workload Identity Provider for GitHub:
+# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation.
#
-# Cloud Run
-# roles/run.admin
-# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
+# Depending on how you authenticate, you will need to grant an IAM principal
+# permissions on Google Cloud:
#
-# Cloud Build
-# roles/cloudbuild.builds.editor
+# - Artifact Registry Administrator (roles/artifactregistry.admin)
+# - Cloud Run Source Developer (roles/run.sourceDeveloper)
#
-# Cloud Storage
-# roles/storage.objectAdmin
+# You can learn more about setting IAM permissions at
+# https://cloud.google.com/iam/docs/manage-access-other-resources.
#
-# Artifact Registry
-# roles/artifactregistry.admin (project or repository level)
-#
-# NOTE: You should always follow the principle of least privilege when assigning IAM roles
-#
-# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
-#
-# 5. Change the values for the SERVICE and REGION environment variables (below).
-#
-# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
-#
-# Further reading:
-# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity
-# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy
-# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code
-# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+# 3. Change the values in the "env" block to match your values.
-name: Deploy to Cloud Run from Source
+name: 'Deploy to Cloud Run from Source'
on:
push:
- branches: [ $default-branch ]
+ branches:
+ - '$default-branch'
env:
- PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
- SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
- REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
+ PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID
+ REGION: 'us-central1' # TODO: update to your region
+ SERVICE: 'my-service' # TODO: update to your service name
jobs:
deploy:
- # Add 'id-token' with the intended permissions for workload identity federation
+ runs-on: 'ubuntu-latest'
+
permissions:
contents: 'read'
id-token: 'write'
- runs-on: ubuntu-latest
steps:
- - name: Checkout
- uses: actions/checkout@v2
+ - name: 'Checkout'
+ uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4
- - name: Google Auth
- id: auth
- uses: 'google-github-actions/auth@v0'
+ # Configure Workload Identity Federation and generate an access token.
+ #
+ # See https://github.com/google-github-actions/auth for more options,
+ # including authenticating via a JSON credentials file.
+ - id: 'auth'
+ name: 'Authenticate to Google Cloud'
+ uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2
with:
- workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
- service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
+ workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: replace with your workload identity provider
- # NOTE: Alternative option - authentication via credentials json
- # - name: Google Auth
- # id: auth
- # uses: 'google-github-actions/auth@v0'
- # with:
- # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
-
- - name: Deploy to Cloud Run
- id: deploy
- uses: google-github-actions/deploy-cloudrun@v0
+ - name: 'Deploy to Cloud Run'
+ uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2
with:
- service: ${{ env.SERVICE }}
- region: ${{ env.REGION }}
- # NOTE: If required, update to the appropriate source folder
- source: ./
+ service: '${{ env.SERVICE }}'
+ region: '${{ env.REGION }}'
+ # NOTE: If using a different source folder, update the image name below:
+ source: './'
- # If required, use the Cloud Run url output in later steps
- - name: Show Output
- run: echo ${{ steps.deploy.outputs.url }}
+ # If required, use the Cloud Run URL output in later steps
+ - name: 'Show output'
+ run: |-
+ echo ${{ steps.deploy.outputs.url }}
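Review bot: The comment above `source: './'` says "update the image name below", but this template deploys from source and the key it points at is `source`; write `# NOTE: If your source lives in a different folder, update the path below:`. The workload identity provider is inlined as a placeholder in the auth step's `with:` block, whereas the sibling google-cloudrun-docker.yml and google.yml hunks in this commit put it in an `env:` entry named `WORKLOAD_IDENTITY_PROVIDER` and reference it from the step — the same pattern would keep the three templates consistent and give users one place to edit. `echo ${{ steps.deploy.outputs.url }}` expands an action output straight into the shell script; the more robust form is to route it through an environment variable, `env: { CLOUD_RUN_URL: '${{ steps.deploy.outputs.url }}' }` with `run: echo "$CLOUD_RUN_URL"`. The missing `id: 'deploy'` on the deploy step, which this file shares, is covered in the note on the google-cloudrun-docker.yml hunk.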
diff --git a/deployments/google.yml b/deployments/google.yml
index deb9877..4be4dc4 100644
--- a/deployments/google.yml
+++ b/deployments/google.yml
@@ -1,91 +1,116 @@
-# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch.
+# This workflow will build a docker container, publish it to Google Container
+# Registry, and deploy it to GKE when there is a push to the $default-branch
+# branch.
#
# To configure this workflow:
#
-# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc.
+# 1. Enable the following Google Cloud APIs:
#
-# 2. Create and configure a Workload Identity Provider for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
+# - Artifact Registry (artifactregistry.googleapis.com)
+# - Google Kubernetes Engine (container.googleapis.com)
+# - IAM Credentials API (iamcredentials.googleapis.com)
#
-# 3. Change the values for the GAR_LOCATION, GKE_ZONE, GKE_CLUSTER, IMAGE, REPOSITORY and DEPLOYMENT_NAME environment variables (below).
+# You can learn more about enabling APIs at
+# https://support.google.com/googleapi/answer/6158841.
#
-# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke-kustomize
+# 2. Ensure that your repository contains the necessary configuration for your
+# Google Kubernetes Engine cluster, including deployment.yml,
+# kustomization.yml, service.yml, etc.
+#
+# 3. Create and configure a Workload Identity Provider for GitHub:
+# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation.
+#
+# Depending on how you authenticate, you will need to grant an IAM principal
+# permissions on Google Cloud:
+#
+# - Artifact Registry Administrator (roles/artifactregistry.admin)
+# - Kubernetes Engine Developer (roles/container.developer)
+#
+# You can learn more about setting IAM permissions at
+# https://cloud.google.com/iam/docs/manage-access-other-resources
+#
+# 5. Change the values in the "env" block to match your values.
-name: Build and Deploy to GKE
+name: 'Build and Deploy to GKE'
on:
push:
- branches: [ $default-branch ]
+ branches:
+ - '$default-branch'
env:
- PROJECT_ID: ${{ secrets.GKE_PROJECT }}
- GAR_LOCATION: us-central1 # TODO: update region of the Artifact Registry
- GKE_CLUSTER: cluster-1 # TODO: update to cluster name
- GKE_ZONE: us-central1-c # TODO: update to cluster zone
- DEPLOYMENT_NAME: gke-test # TODO: update to deployment name
- REPOSITORY: samples # TODO: update to Artifact Registry docker repository
- IMAGE: static-site
+ PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID
+ GAR_LOCATION: 'us-central1' # TODO: update to your region
+ GKE_CLUSTER: 'cluster-1' # TODO: update to your cluster name
+ GKE_ZONE: 'us-central1-c' # TODO: update to your cluster zone
+ DEPLOYMENT_NAME: 'gke-test' # TODO: update to your deployment name
+ REPOSITORY: 'samples' # TODO: update to your Artifact Registry docker repository name
+ IMAGE: 'static-site'
+ WORKLOAD_IDENTITY_PROVIDER: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: update to your workload identity provider
jobs:
setup-build-publish-deploy:
- name: Setup, Build, Publish, and Deploy
- runs-on: ubuntu-latest
- environment: production
+ name: 'Setup, Build, Publish, and Deploy'
+ runs-on: 'ubuntu-latest'
+ environment: 'production'
permissions:
contents: 'read'
id-token: 'write'
steps:
- - name: Checkout
- uses: actions/checkout@v4
+ - name: 'Checkout'
+ uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4
- # Configure Workload Identity Federation and generate an access token.
- - id: 'auth'
- name: 'Authenticate to Google Cloud'
- uses: 'google-github-actions/auth@v0'
- with:
- token_format: 'access_token'
- workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
- service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
+ # Configure Workload Identity Federation and generate an access token.
+ #
+ # See https://github.com/google-github-actions/auth for more options,
+ # including authenticating via a JSON credentials file.
+ - id: 'auth'
+ name: 'Authenticate to Google Cloud'
+ uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2
+ with:
+ workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}'
- # Alternative option - authentication via credentials json
- # - id: 'auth'
- # uses: 'google-github-actions/auth@v0'
- # with:
- # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+ # Authenticate Docker to Google Cloud Artifact Registry
+ - name: 'Docker Auth'
+ uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3
+ with:
+ username: 'oauth2accesstoken'
+ password: '${{ steps.auth.outputs.auth_token }}'
+ registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'
- - name: Docker configuration
- run: |-
- echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev
- # Get the GKE credentials so we can deploy to the cluster
- - name: Set up GKE credentials
- uses: google-github-actions/get-gke-credentials@v0
- with:
- cluster_name: ${{ env.GKE_CLUSTER }}
- location: ${{ env.GKE_ZONE }}
+ # Get the GKE credentials so we can deploy to the cluster
+ - name: 'Set up GKE credentials'
+ uses: 'google-github-actions/get-gke-credentials@6051de21ad50fbb1767bc93c11357a49082ad116' # google-github-actions/get-gke-credentials@v2
+ with:
+ cluster_name: '${{ env.GKE_CLUSTER }}'
+ location: '${{ env.GKE_ZONE }}'
- # Build the Docker image
- - name: Build
- run: |-
- docker build \
- --tag "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" \
- --build-arg GITHUB_SHA="$GITHUB_SHA" \
- --build-arg GITHUB_REF="$GITHUB_REF" \
- .
- # Push the Docker image to Google Artifact Registry
- - name: Publish
- run: |-
- docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA"
- # Set up kustomize
- - name: Set up Kustomize
- run: |-
- curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
- chmod u+x ./kustomize
- # Deploy the Docker image to the GKE cluster
- - name: Deploy
- run: |-
- # replacing the image name in the k8s template
- ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA
- ./kustomize build . | kubectl apply -f -
- kubectl rollout status deployment/$DEPLOYMENT_NAME
- kubectl get services -o wide
+ # Build the Docker image
+ - name: 'Build and push Docker container'
+ run: |-
+ DOCKER_TAG="${GAR_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${REPOSITORY}/${IMAGE}:${GITHUB_SHA}"
+
+ docker build \
+ --tag "${DOCKER_TAG}" \
+ --build-arg GITHUB_SHA="${GITHUB_SHA}" \
+ --build-arg GITHUB_REF="${GITHUB_REF}" \
+ .
+
+ docker push "${DOCKER_TAG}"
+
+ # Set up kustomize
+ - name: 'Set up Kustomize'
+ run: |-
+ curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.4.3/kustomize_v5.4.3_linux_amd64.tar.gz
+ chmod u+x ./kustomize
+
+ # Deploy the Docker image to the GKE cluster
+ - name: 'Deploy to GKE'
+ run: |-
+ # replacing the image name in the k8s template
+ ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA
+ ./kustomize build . | kubectl apply -f -
+ kubectl rollout status deployment/$DEPLOYMENT_NAME
+ kubectl get services -o wide
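Review bot: The 'Set up Kustomize' step now downloads `kustomize_v5.4.3_linux_amd64.tar.gz` but still saves it as `./kustomize` and marks it executable, so the deploy step would execute a gzipped tarball rather than the binary (the v3.1.0 URL it replaces was a bare executable). Extract it instead: `curl -sfL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.4.3/kustomize_v5.4.3_linux_amd64.tar.gz | tar -xz kustomize` followed by `chmod u+x ./kustomize`; since this is an unverified download executed inside the deploy job, checking it against the checksum published with the release would be worth one more line. The header numbering jumps from step 3 to `# 5. Change the values in the "env" block`; renumber it to 4. The deploy step still uses unbraced `$GAR_LOCATION…$GITHUB_SHA` while the rewritten build step switched to `${GAR_LOCATION}`; harmless, but the two read better in one form.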
diff --git a/deployments/octopusdeploy.yml b/deployments/octopusdeploy.yml
new file mode 100644
index 0000000..686ebd5
--- /dev/null
+++ b/deployments/octopusdeploy.yml
@@ -0,0 +1,112 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by separate terms of service,
+# privacy policy, and support documentation.
+#
+# This workflow will build and publish a Docker container which is then deployed through Octopus Deploy.
+#
+# The build job in this workflow currently assumes that there is a Dockerfile that generates the relevant application image.
+# If required, this job can be modified to generate whatever alternative build artifact is required for your deployment.
+#
+# This workflow assumes you have already created a Project in Octopus Deploy.
+# For instructions see https://octopus.com/docs/projects/setting-up-projects
+#
+# To configure this workflow:
+#
+# 1. Decide where you are going to host your image.
+# This template uses the GitHub Registry for simplicity but if required you can update the relevant DOCKER_REGISTRY variables below.
+#
+# 2. Create and configure an OIDC credential for a service account in Octopus.
+# This allows for passwordless authentication to your Octopus instance through a trust relationship configured between Octopus, GitHub and your GitHub Repository.
+# https://octopus.com/docs/octopus-rest-api/openid-connect/github-actions
+#
+# 3. Configure your Octopus project details below:
+# OCTOPUS_URL: update to your Octopus Instance Url
+# OCTOPUS_SERVICE_ACCOUNT: update to your service account Id
+# OCTOPUS_SPACE: update to the name of the space your project is configured in
+# OCTOPUS_PROJECT: update to the name of your Octopus project
+# OCTOPUS_ENVIRONMENT: update to the name of the environment to recieve the first deployment
+
+
+name: 'Build and Deploy to Octopus Deploy'
+
+on:
+ push:
+ branches:
+ - '$default-branch'
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ env:
+ DOCKER_REGISTRY: ghcr.io # TODO: Update to your docker registry uri
+ DOCKER_REGISTRY_USERNAME: ${{ github.actor }} # TODO: Update to your docker registry username
+ DOCKER_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} # TODO: Update to your docker registry password
+ outputs:
+ image_tag: ${{ steps.meta.outputs.version }}
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+ with:
+ registry: ${{ env.DOCKER_REGISTRY }}
+ username: ${{ env.DOCKER_REGISTRY_USERNAME }}
+ password: ${{ env.DOCKER_REGISTRY_PASSWORD }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+ with:
+ images: ${{ env.DOCKER_REGISTRY }}/${{ github.repository }}
+ tags: type=semver,pattern={{version}},value=v1.0.0-{{sha}}
+
+ - name: Build and push Docker image
+ id: push
+ uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ deploy:
+ name: Deploy
+ permissions:
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [ build ]
+ env:
+ OCTOPUS_URL: 'https://your-octopus-url' # TODO: update to your Octopus Instance url
+ OCTOPUS_SERVICE_ACCOUNT: 'your-service-account-id' # TODO: update to your service account Id
+ OCTOPUS_SPACE: 'your-space' # TODO: update to the name of the space your project is configured in
+ OCTOPUS_PROJECT: 'your-project' # TODO: update to the name of your Octopus project
+ OCTOPUS_ENVIRONMENT: 'your-environment' # TODO: update to the name of the environment to recieve the first deployment
+
+ steps:
+ - name: Log in to Octopus Deploy
+ uses: OctopusDeploy/login@34b6dcc1e86fa373c14e6a28c5507d221e4de629 #v1.0.2
+ with:
+ server: '${{ env.OCTOPUS_URL }}'
+ service_account_id: '${{ env.OCTOPUS_SERVICE_ACCOUNT }}'
+
+ - name: Create Release
+ id: create_release
+ uses: OctopusDeploy/create-release-action@fea7e7b45c38c021b6bc5a14bd7eaa2ed5269214 #v3.2.2
+ with:
+ project: '${{ env.OCTOPUS_PROJECT }}'
+ space: '${{ env.OCTOPUS_SPACE }}'
+ packages: '*:${{ needs.build.outputs.image_tag }}'
+
+ - name: Deploy Release
+ uses: OctopusDeploy/deploy-release-action@b10a606c903b0a5bce24102af9d066638ab429ac #v3.2.1
+ with:
+ project: '${{ env.OCTOPUS_PROJECT }}'
+ space: '${{ env.OCTOPUS_SPACE }}'
+ release_number: '${{ steps.create_release.outputs.release_number }}'
+ environments: ${{ env.OCTOPUS_ENVIRONMENT }}
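Review bot: `DOCKER_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}` is set in the build job's `env:`, which exports the token into the process environment of every step in the job rather than only the login step that needs it; drop it from `env:` and pass `password: ${{ secrets.GITHUB_TOKEN }}` directly in the `docker/login-action` `with:` block (the TODO comment can move with it). `actions/checkout@v4` is the one action in this file referenced by tag while the others are pinned to a commit SHA, and the `docker/login-action`, `docker/metadata-action` and `docker/build-push-action` pins carry no `# vX.Y.Z` comment like the buildx one does, so a reader cannot tell which release was pinned. `environments: ${{ env.OCTOPUS_ENVIRONMENT }}` is the only unquoted expression in the deploy step's `with:` block. "recieve" in the header comment and in the `OCTOPUS_ENVIRONMENT` TODO should be "receive".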
diff --git a/deployments/openshift.yml b/deployments/openshift.yml
index 1c3fc43..eed3934 100644
--- a/deployments/openshift.yml
+++ b/deployments/openshift.yml
@@ -67,17 +67,17 @@ jobs:
# TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab.
# For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows
- crda-scan:
- uses: ./.github/workflows/crda.yml
- secrets:
- CRDA_KEY: ${{ secrets.CRDA_KEY }}
- # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY
+ #crda-scan:
+ # uses: ./.github/workflows/crda.yml
+ # secrets:
+ # CRDA_KEY: ${{ secrets.CRDA_KEY }}
+ # # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY
openshift-ci-cd:
# 🖊️ Uncomment this if you are using CRDA scan step above
# needs: crda-scan
name: Build and deploy to OpenShift
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
environment: production
outputs:
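Review bot: The comment at the top of the hunk still tells the reader to add the 'CRDA Scan' starter workflow, but the `crda-scan` job that would call it is now commented out and nothing says the block has to be re-enabled; change it to `# TODO: To enable dependency scanning, add the 'CRDA Scan' starter workflow and uncomment the crda-scan job below.`. The commented-out job lines use `#crda-scan:` without the space after `#` that the rest of the file uses. The `openshift-ci-cd` job continues past the end of the hunk.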
diff --git a/deployments/properties/octopusdeploy.properties.json b/deployments/properties/octopusdeploy.properties.json
new file mode 100644
index 0000000..3743ea7
--- /dev/null
+++ b/deployments/properties/octopusdeploy.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Build and Deploy with Octopus Deploy",
+ "description": "Build a docker container, create a release in Octopus Deploy and deploy it to your environment.",
+ "creator": "Octopus Deploy",
+ "iconName": "octopusdeploy",
+ "categories": ["Deployment", "Containers", "Dockerfile"]
+}
diff --git a/icons/appknox.svg b/icons/appknox.svg
new file mode 100644
index 0000000..36148e7
--- /dev/null
+++ b/icons/appknox.svg
@@ -0,0 +1,10 @@
+
diff --git a/icons/black-duck.svg b/icons/black-duck.svg
new file mode 100644
index 0000000..2afce62
--- /dev/null
+++ b/icons/black-duck.svg
@@ -0,0 +1,219 @@
+
+
diff --git a/icons/debricked.svg b/icons/debricked.svg
new file mode 100644
index 0000000..cb8a3d5
--- /dev/null
+++ b/icons/debricked.svg
@@ -0,0 +1,3 @@
+
diff --git a/icons/fortify.svg b/icons/fortify.svg
index 45a0d77..7033960 100644
--- a/icons/fortify.svg
+++ b/icons/fortify.svg
@@ -1 +1,29 @@
-
\ No newline at end of file
+
diff --git a/icons/octopusdeploy.svg b/icons/octopusdeploy.svg
new file mode 100644
index 0000000..28545cc
--- /dev/null
+++ b/icons/octopusdeploy.svg
@@ -0,0 +1,11 @@
+
+
diff --git a/pages/hugo.yml b/pages/hugo.yml
index 141ad91..b4f316a 100644
--- a/pages/hugo.yml
+++ b/pages/hugo.yml
@@ -31,7 +31,7 @@ jobs:
build:
runs-on: ubuntu-latest
env:
- HUGO_VERSION: 0.124.1
+ HUGO_VERSION: 0.128.0
steps:
- name: Install Hugo CLI
run: |
@@ -50,9 +50,8 @@ jobs:
run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
- name: Build with Hugo
env:
- # For maximum backward compatibility with Hugo modules
+ HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache
HUGO_ENVIRONMENT: production
- HUGO_ENV: production
run: |
hugo \
--minify \
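Review bot: The `HUGO_CACHEDIR` line added here carries no comment, while the comment that explained the previous env setup was dropped together with `HUGO_ENV`; a one-line note would tell the next maintainer why the cache is pointed at the runner's temp dir, e.g. `# Keep Hugo's module cache on the job's temp disk so each run starts clean`. `runner.temp` is not preserved between workflow runs, so unless a cache step outside this hunk restores it, modules are presumably fetched fresh on every build — worth stating if that isolation is the intent. The env block only references `runner.temp`, not event data, so there is no expression-injection concern in this hunk.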
diff --git a/pages/jekyll.yml b/pages/jekyll.yml
index f07bc39..4dd1c20 100644
--- a/pages/jekyll.yml
+++ b/pages/jekyll.yml
@@ -34,7 +34,8 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Ruby
- uses: ruby/setup-ruby@8575951200e472d5f2d95c625da0c7bec8217c42 # v1.161.0
+ # https://github.com/ruby/setup-ruby/releases/tag/v1.207.0
+ uses: ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4
with:
ruby-version: '3.1' # Not needed with a .ruby-version file
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
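Review bot: Moving the version from a trailing `# v1.161.0` comment to a release URL on the line above changes the pin-comment convention: Dependabot and Renovate recognise the `@<sha> # vX.Y.Z` trailing form when they bump SHA-pinned actions, so the new layout may stop automated updates from tracking the tag. Keeping the trailing form, `uses: ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4 # v1.207.0`, preserves that, and the release URL can stay on the preceding line if it is useful. The diff itself cannot show that the SHA is the commit tagged v1.207.0; a reviewer should confirm it against the linked release page before merging.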
diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts
index f53d220..99c746b 100755
--- a/script/sync-ghes/index.ts
+++ b/script/sync-ghes/index.ts
@@ -156,13 +156,22 @@ async function checkWorkflow(
await exec("git", ["checkout", "ghes"]);
// In order to sync from main, we might need to remove some workflows, add some
- // and modify others. The lazy approach is to delete all workflows first, and then
+ // and modify others. The lazy approach is to delete all workflows first (except from read-only folders), and then
// just bring the compatible ones over from the main branch. We let git figure out
// whether it's a deletion, add, or modify and commit the new state.
console.log("Remove all workflows");
await exec("rm", ["-fr", ...settings.folders]);
await exec("rm", ["-fr", "../../icons"]);
+ // Bring back the read-only folders
+ console.log("Restore read-only folders");
+ for (let i = 0; i < settings.readOnlyFolders.length; i++) {
+ await exec("git", [
+ "checkout",
+ settings.readOnlyFolders[i]
+ ]);
+ }
+
console.log("Sync changes from main for compatible workflows");
await exec("git", [
"checkout",
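Review bot: The restore loop on the new lines passes the folder straight to `git checkout` without the `--` separator, so a folder name that also resolves as a ref would be checked out as a branch rather than as a path; `await exec("git", ["checkout", "--", folder]);` removes the ambiguity. The values come from settings.json in this repo, so this is a robustness point rather than an injection risk. The rewritten comment says workflows are deleted "except from read-only folders", but the `rm -fr` still removes them and the loop then restores them from the ghes branch index; a comment such as `// Wipe everything, then restore read-only folders from the ghes branch index` describes the actual sequence. A `for (const folder of settings.readOnlyFolders)` loop would also match the `for...of` form used later in this function. checkWorkflow continues outside the hunk.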
@@ -171,10 +180,13 @@ async function checkWorkflow(
...Array.prototype.concat.apply(
[],
result.compatibleWorkflows.map((x) => {
- const r = [
- join(x.folder, `${x.id}.yml`),
- join(x.folder, "properties", `${x.id}.properties.json`),
- ];
+ const r = [];
+
+ // Don't touch read-only folders
+ if (!settings.readOnlyFolders.includes(x.folder)) {
+ r.push(join(x.folder, `${x.id}.yml`));
+ r.push(join(x.folder, "properties", `${x.id}.properties.json`));
+ };
if (x.iconType === "svg") {
r.push(join("../../icons", `${x.iconName}.svg`));
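Review bot: The read-only guard on the new lines compares `x.folder` against `settings.readOnlyFolders` by exact string, so a spelling or trailing-slash difference between the two settings lists would silently disable the protection and let main overwrite the folder; either normalise both sides (e.g. with `normalize` from `path`) before comparing, or document in settings.json that entries must match `folders` byte-for-byte. The icon line after the guard still runs for workflows in read-only folders, so their SVGs are synced from main even though their workflow and properties files are not; if that is intentional a comment such as `// Icons are shared, so they are synced even for read-only folders` would make it explicit. The `};` closing the `if` leaves a stray empty statement, `}` is enough, and `const r: string[] = [];` makes the element type explicit. checkWorkflow continues outside the hunk.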
@@ -184,6 +196,27 @@ async function checkWorkflow(
})
),
]);
+
+ // The v4 versions of upload and download artifact are not yet supported on GHES
+ console.group("Updating all compatible workflows to use v3 of the artifact actions");
+ for (const workflow of result.compatibleWorkflows) {
+ const path = join(workflow.folder, `${workflow.id}.yml`);
+ console.log(`Updating ${path}`);
+ const contents = await fs.readFile(path, "utf8");
+
+ if (contents.includes("actions/upload-artifact@v4") || contents.includes("actions/download-artifact@v4")) {
+ console.log("Found v4 artifact actions, updating to v3");
+ } else {
+ continue;
+ }
+
+ let updatedContents = contents.replace(/actions\/upload-artifact@v4/g, "actions/upload-artifact@v3");
+ updatedContents = updatedContents.replace(/actions\/download-artifact@v4/g, "actions/download-artifact@v3");
+
+ await fs.writeFile(path, updatedContents);
+ }
+ console.groupEnd();
+
} catch (e) {
console.error("Unhandled error while syncing workflows", e);
process.exitCode = 1;
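Review bot: The rewrite loop on the new lines reads and rewrites every compatible workflow, including those in `settings.readOnlyFolders`, so the ghes-branch copies that the earlier guard deliberately leaves alone are still modified whenever they contain `@v4`; if read-only means hand-maintained, the loop should skip them too. The replacement regexes are unanchored, so a pin such as `actions/upload-artifact@v4.3.1` would become `@v3.3.1`, which presumably is not a published tag; a negative lookahead on the version limits the rewrite to bare `@v4`. Comparing the replaced string with the original also removes the `if … else { continue; }` detour. A short comment noting that the v3 downgrade exists only for GHES and should be revisited once GHES supports v4 would help the next maintainer, since to my knowledge v3 of these actions is deprecated on github.com. checkWorkflow continues outside the hunk.
```typescript
// … unchanged: git checkout of compatible workflows from main …
// Only bare @v4 pins are rewritten; @v4.x.y would otherwise become a non-existent @v3.x.y.
const v4Artifact = /actions\/(upload|download)-artifact@v4(?![\w.])/g;
console.group("Updating all compatible workflows to use v3 of the artifact actions");
for (const workflow of result.compatibleWorkflows) {
  // Read-only folders keep their ghes-branch copy untouched, as in the sync above.
  if (settings.readOnlyFolders.includes(workflow.folder)) continue;
  const path = join(workflow.folder, `${workflow.id}.yml`);
  const contents = await fs.readFile(path, "utf8");
  const updatedContents = contents.replace(v4Artifact, "actions/$1-artifact@v3");
  if (updatedContents === contents) continue;
  console.log(`Updating ${path}: found v4 artifact actions, updating to v3`);
  await fs.writeFile(path, updatedContents);
}
console.groupEnd();
```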
diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json
index 41d6bcd..ce18eb6 100644
--- a/script/sync-ghes/settings.json
+++ b/script/sync-ghes/settings.json
@@ -5,6 +5,9 @@
"../../code-scanning",
"../../pages"
],
+ "readOnlyFolders": [
+ "../../pages"
+ ],
"enabledActions": [
"actions/cache",
"actions/checkout",