diff --git a/.github/labeler.yml b/.github/labeler.yml index 2d04e26..fb08863 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -1,3 +1,4 @@ # Add 'code-scanning' label to any changes within 'code-scanning' folder or any subfolders code-scanning: -- code-scanning/**/* +- changed-files: + - any-glob-to-any-file: code-scanning/**/* diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml index 99fdbc5..2de6b88 100644 --- a/.github/workflows/labeler-triage.yml +++ b/.github/workflows/labeler-triage.yml @@ -5,12 +5,12 @@ permissions: pull-requests: write on: -- pull_request_target + pull_request_target: jobs: triage: runs-on: ubuntu-latest steps: - - uses: actions/labeler@v4 + - uses: actions/labeler@v5 with: - repo-token: "${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file + repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index ecdf037..f9f361d 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,8 +1,9 @@ name: Mark stale issues and pull requests on: - schedule: - - cron: "21 4 * * *" + workflow_dispatch: + # schedule: + # - cron: "21 4 * * *" jobs: stale: diff --git a/.github/workflows/sync-ghes.yaml b/.github/workflows/sync-ghes.yaml index 6a3da68..5d39d18 100644 --- a/.github/workflows/sync-ghes.yaml +++ b/.github/workflows/sync-ghes.yaml @@ -15,9 +15,9 @@ jobs: git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* git config user.email "cschleiden@github.com" git config user.name "GitHub Actions" - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: '16' + node-version: '20' cache: 'npm' cache-dependency-path: script/sync-ghes/package-lock.json - name: Check starter workflows for GHES compat diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml index 43f5578..52988aa 100644 --- a/.github/workflows/validate-data.yaml 
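Review bot: The triage job in labeler-triage.yml runs on `pull_request_target` with `pull-requests: write` and the repository `GITHUB_TOKEN`, so any step added to it later executes with write access to the base repository while being triggered by a fork's pull request. The hunk shows only `actions/labeler@v5` and no checkout of PR content, which is the safe shape; that constraint is not written down anywhere in the file. Add a comment above `steps:` so template users keep it that way: `# pull_request_target runs with base-repo write access: do not check out or execute PR head content in this job`. The `on:` change from a sequence to a mapping is equivalent and needs nothing.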
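Review bot: In stale.yml the cron schedule is disabled by commenting it out, leaving `workflow_dispatch:` as the only trigger, but nothing records why or whether the schedule is meant to return, so a reader cannot tell a deliberate pause from a leftover. Prefer one line above the commented block, e.g. `# Scheduled runs disabled (manual trigger only); restore the cron below to re-enable automatic stale marking.` The `jobs: stale:` block continues outside the hunk.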
+++ b/.github/workflows/validate-data.yaml @@ -12,9 +12,9 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: '16' + node-version: '20' cache: 'npm' cache-dependency-path: script/validate-data/package-lock.json diff --git a/ci/android.yml b/ci/android.yml index 80a33b4..fec1eb9 100644 --- a/ci/android.yml +++ b/ci/android.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/ci/ant.yml b/ci/ant.yml index 517a37a..8cfe641 100644 --- a/ci/ant.yml +++ b/ci/ant.yml @@ -17,7 +17,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml index 7056f87..a034c39 100644 --- a/ci/datadog-synthetics.yml +++ b/ci/datadog-synthetics.yml @@ -24,12 +24,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 # Run Synthetic tests within your GitHub workflow. # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci - name: Run Datadog Synthetic tests - uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e + uses: DataDog/synthetics-ci-github-action@87b505388a22005bb8013481e3f73a367b9a53eb # v1.4.0 with: api_key: ${{secrets.DD_API_KEY}} app_key: ${{secrets.DD_APP_KEY}} diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 8a042a5..f8e709f 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml 
@@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 with: - cosign-release: 'v2.1.1' + cosign-release: 'v2.2.4' # Set up BuildKit Docker container builder to be able to build # multi-platform images and export cache diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index ad99b56..a7b9152 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -109,7 +109,7 @@ jobs: # Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact - name: Upload build artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: MSIX Package path: ${{ env.Wap_Project_Directory }}\AppPackages diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 2af4616..20d17dc 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,7 +30,7 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Setup Gradle - uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0 - name: Build with Gradle run: ./gradlew build diff --git a/ci/gradle.yml b/ci/gradle.yml index 65a332b..40a40c1 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml 
@@ -28,10 +28,10 @@ jobs: java-version: '17' distribution: 'temurin' - # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. + # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle - uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0 - name: Build with Gradle Wrapper run: ./gradlew build @@ -40,11 +40,11 @@ jobs: # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. # # - name: Setup Gradle - # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + # uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0 # with: - # gradle-version: '8.5' + # gradle-version: '8.9' # - # - name: Build with Gradle 8.5 + # - name: Build with Gradle 8.9 # run: gradle build dependency-submission: @@ -64,4 +64,4 @@ jobs: # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + uses: gradle/actions/dependency-submission@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0 diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index 954e6c8..64b848b 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -18,7 +18,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/ci/maven.yml b/ci/maven.yml index 47816ee..7709373 100644 
--- a/ci/maven.yml +++ b/ci/maven.yml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 17 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '17' distribution: 'temurin' diff --git a/ci/node.js.yml b/ci/node.js.yml index 688a227..d5ccc14 100644 --- a/ci/node.js.yml +++ b/ci/node.js.yml @@ -16,13 +16,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} cache: 'npm' diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index 0039895..ccdabd8 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml @@ -12,13 +12,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index 19bed27..3a4ec12 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -12,13 +12,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml index 1899709..99531c0 100644 --- a/ci/npm-publish-github-packages.yml +++ b/ci/npm-publish-github-packages.yml 
@@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 - run: npm ci - run: npm test @@ -26,9 +26,9 @@ jobs: packages: write steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 registry-url: $registry-url(npm) - run: npm ci - run: npm publish diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 0049296..2a4766d 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 - run: npm ci - run: npm test @@ -23,9 +23,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 16 + node-version: 20 registry-url: https://registry.npmjs.org/ - run: npm ci - run: npm publish diff --git a/ci/python-publish.yml b/ci/python-publish.yml index b7a704b..82f8dbd 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -1,4 +1,4 @@ -# This workflow will upload a Python Package using Twine when a release is created +# This workflow will upload a Python Package to PyPI when a release is created # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries # This workflow uses actions that are not certified by GitHub. 
@@ -16,24 +16,55 @@ permissions: contents: read jobs: - deploy: - + release-build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - name: Set up Python - uses: actions/setup-python@v3 - with: - python-version: '3.x' - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install build - - name: Build package - run: python -m build - - name: Publish package - uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29 - with: - user: __token__ - password: ${{ secrets.PYPI_API_TOKEN }} + - uses: actions/checkout@v4 + + - uses: actions/setup-python@v5 + with: + python-version: "3.x" + + - name: Build release distributions + run: | + # NOTE: put your own distribution build steps here. + python -m pip install build + python -m build + + - name: Upload distributions + uses: actions/upload-artifact@v4 + with: + name: release-dists + path: dist/ + + pypi-publish: + runs-on: ubuntu-latest + needs: + - release-build + permissions: + # IMPORTANT: this permission is mandatory for trusted publishing + id-token: write + + # Dedicated environments with protections for publishing are strongly recommended. + # For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules + environment: + name: pypi + # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status: + # url: https://pypi.org/p/YOURPROJECT + # + # ALTERNATIVE: if your GitHub Release name is the PyPI project version string + # ALTERNATIVE: exactly, uncomment the following line instead: + # url: https://pypi.org/project/YOURPROJECT/${{ github.event.release.name }} + + steps: + - name: Retrieve release distributions + uses: actions/download-artifact@v4 + with: + name: release-dists + path: dist/ + + - name: Publish release distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + packages-dir: dist/ 
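Review bot: The `Publish release distributions to PyPI` step uses `pypa/gh-action-pypi-publish@release/v1`, a moving branch reference, where the step it replaces was pinned to commit `27b31702a0e7fc50959f5ad993c78deac1bdfc29` and every other third-party action touched in this commit is SHA-pinned with a version comment; this is the step that receives the OIDC token granted by `id-token: write`, so a mutable ref is the weakest link in the publishing chain. Pin it as `uses: pypa/gh-action-pypi-publish@<commit-sha> # vX.Y.Z` (placeholder: the SHA of the current release) and let Dependabot bump it. The job-level `permissions:` block correctly limits `pypi-publish` to `id-token: write` alone. If the PyPI trusted-publisher configuration names an environment it has to match `environment: name: pypi` here, which the surrounding comments do not say; a one-line comment on `name: pypi` would help.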
diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml index 23c242c..ad3ac88 100644 --- a/ci/rubyonrails.yml +++ b/ci/rubyonrails.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@v4 # Add or replace dependency steps here - name: Install Ruby and gems - uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 + uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1 with: bundler-cache: true # Add or replace database setup steps here @@ -46,9 +46,11 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - name: Install Ruby and gems - uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 + uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1 with: bundler-cache: true + - name: Generate binstubs + run: bundle binstubs bundler-audit brakeman rubocop # Add or replace any other lints here - name: Security audit dependencies run: bin/bundler-audit --update diff --git a/ci/scala.yml b/ci/scala.yml index 83b09f7..49ca1e7 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' diff --git a/ci/webpack.yml b/ci/webpack.yml index 9e967c0..1013845 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -12,13 +12,13 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x, 18.x] + node-version: [18.x, 20.x, 22.x] steps: - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 2bbc55e..8ada351 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml 
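Review bot: The added `Generate binstubs` step runs `bundle binstubs bundler-audit brakeman rubocop` before `bin/bundler-audit --update`, so the lint job now assumes all three gems are declared in the Gemfile and a missing one fails the whole step rather than just its own lint. Make that requirement visible to users copying the template with a comment above the step: `# Requires bundler-audit, brakeman and rubocop to be in the Gemfile`. The enclosing lint job continues outside the hunk.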
@@ -43,6 +43,6 @@ jobs:
 fail-build: true
 severity-cutoff: critical
 - name: Upload vulnerability report
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml
index 34defa9..f425ca8 100644
--- a/code-scanning/apisec-scan.yml
+++ b/code-scanning/apisec-scan.yml
@@ -66,6 +66,6 @@ jobs:
 # The name of the sarif format result file The file is written only if this property is provided.
 sarif-result-file: "apisec-results.sarif"
 - name: Import results
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: ./apisec-results.sarif
diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml
new file mode 100644
index 0000000..a5f62d9
--- /dev/null
+++ b/code-scanning/appknox.yml
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support documentation. +# +# Appknox: Leader in Mobile Application Security Testing Solutions +# +# To use this workflow, you must be an existing Appknox customer with GitHub Advanced Security (GHAS) enabled for your +# repository. +# +# If you *are not* an existing customer, click here to contact us for licensing and pricing details: +# . +# +# Instructions: +# +# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the +# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token +# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings +# and create a token labeled GitHub +# +# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. 
After the +# action executes, check the 'Security' tab for results + +name: Appknox + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] +jobs: + appknox: + runs-on: ubuntu-latest + steps: + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Grant execute permission for gradlew + run: chmod +x gradlew + + - name: Build the app + run: ./gradlew build # Update this to build your Android or iOS application + + - name: Appknox GitHub action + uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4 + with: + appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }} + file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here + risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL] + sarif: Enable + + - name: Upload SARIF to GHAS + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: report.sarif diff --git a/code-scanning/bandit.yml b/code-scanning/bandit.yml index 1ee087c..a3858a3 100644 --- a/code-scanning/bandit.yml +++ b/code-scanning/bandit.yml @@ -29,9 +29,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Bandit Scan - uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c + uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd with: # optional arguments # exit with 0, even with results found exit_zero: true # optional, default is DEFAULT diff --git a/code-scanning/bearer.yml b/code-scanning/bearer.yml index 7971be9..b384d82 100644 --- a/code-scanning/bearer.yml +++ b/code-scanning/bearer.yml @@ -38,6 +38,6 @@ jobs: exit-code: 0 # Upload SARIF file generated in previous step - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif 
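Review bot: The `Upload SARIF to GHAS` step calls `github/codeql-action/upload-sarif@v3` but the workflow declares no `permissions:` block, so it relies on the repository's default token permissions; upload-sarif needs `security-events: write` (and `actions: read` on private repositories, as the clj-holmes template in this commit notes), so repositories with restricted defaults fail at that step. Add a job-level `permissions:` block granting `contents: read` for the checkout, `security-events: write`, and `actions: read`, as the black-duck template in this same commit does. Two smaller points: the licensing line in the header ends in `# .` with no URL, and `appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4` is SHA-pinned without the `# vX.Y.Z` comment the other pinned third-party actions carry, which makes the pin hard to audit or bump.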
diff --git a/code-scanning/black-duck-security-scan-ci.yml b/code-scanning/black-duck-security-scan-ci.yml
new file mode 100644
index 0000000..c6a132b
--- /dev/null
+++ b/code-scanning/black-duck-security-scan-ci.yml
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines. +# For more information about configuring your workflow, +# read our documentation at https://github.com/blackduck-inc/black-duck-security-scan + +name: CI Black Duck security scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + build: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + security-events: write + actions: read + + steps: + - name: Checkout source + uses: actions/checkout@v4 + - name: Black Duck SCA scan + uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 + with: + ### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ---------- + blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }} + blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }} + + ### ---------- COVERITY SCANNING: REQUIRED FIELDS ---------- + coverity_url: ${{ vars.COVERITY_URL }} + coverity_user: ${{ secrets.COVERITY_USER }} + coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} + + ### ---------- POLARIS SCANNING: REQUIRED FIELDS ---------- + polaris_server_url: ${{ vars.POLARIS_SERVER_URL }} + polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }} + polaris_assessment_types: "SCA,SAST" + + ### ---------- SRM SCANNING: REQUIRED FIELDS ---------- + srm_url: ${{ vars.SRM_URL }} + srm_apikey: ${{ secrets.SRM_API_KEY }} + srm_assessment_types: "SCA,SAST" + diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index 0d1cb05..38e572c 100644 
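Review bot: The `build` job grants the third-party `blackduck-inc/black-duck-security-scan` step `pull-requests: write` alongside `security-events: write` and `actions: read`, and nothing in the hunk says which scanner feature needs write access to pull requests; if it is only for PR comments or decoration, a comment should say so, and if it is unused it should be dropped to keep the token at least privilege. The action is pinned to `805cbd09e806b01907bbea0f990723c2bb85abe9` with no `# vX.Y.Z` comment, unlike the other pinned third-party actions in this commit, so the pin is hard to audit. The template also sets the required fields for four products at once (Black Duck SCA, Coverity, Polaris, SRM); a header comment telling users to keep only the block for the product they license would avoid passing empty `vars`/`secrets` for the others. The final added line is whitespace-only and should go.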
--- a/code-scanning/brakeman.yml
+++ b/code-scanning/brakeman.yml
@@ -53,6 +53,6 @@ jobs:
 # Upload the SARIF file generated in the previous step
 - name: Upload SARIF
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: output.sarif.json
diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml
index 7feeb25..ae326bd 100644
--- a/code-scanning/checkmarx-one.yml
+++ b/code-scanning/checkmarx-one.yml
@@ -49,7 +49,7 @@ jobs:
 cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One
 additional_params: --report-format sarif --output-path .
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 # Path to SARIF file relative to the root of the repository
 sarif_file: cx_result.sarif
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
index b4a99f3..5406860 100644
--- a/code-scanning/checkmarx.yml
+++ b/code-scanning/checkmarx.yml
@@ -50,6 +50,6 @@ jobs:
 params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }}
 # Upload the Report for CodeQL/Security Alerts
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: cx.sarif
diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml
index 87f11cb..49bca52 100644
--- a/code-scanning/clj-holmes.yml
+++ b/code-scanning/clj-holmes.yml
@@ -27,7 +27,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Scan code uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb @@ -38,7 +38,7 @@ jobs: fail-on-result: 'false' - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{github.workspace}}/clj-holmes-results.sarif wait-for-processing: true diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml index 59bfd41..ce0b70e 100644 --- a/code-scanning/clj-watson.yml +++ b/code-scanning/clj-watson.yml @@ -32,7 +32,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Dependency scan uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c @@ -48,7 +48,7 @@ jobs: fail-on-result: false - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{github.workspace}}/clj-watson-results.sarif wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 8273881..846c43d 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml 
@@ -50,7 +50,7 @@ jobs: cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() # is needed to ensure the SARIF file is uploaded if: always() diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index c3cd9f5..2f2acc3 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -56,6 +56,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 6fdadb1..eeb0dce 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -9,7 +9,7 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # -name: "CodeQL" +name: "CodeQL Advanced" on: push: @@ -28,7 +28,6 @@ jobs: # - https://gh.io/using-larger-runners (GitHub.com only) # Consider using larger runners or machines with greater resources for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: # required for all workflows security-events: write 
@@ -56,6 +55,12 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v3 @@ -76,6 +81,7 @@ jobs: # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - if: matrix.build-mode == 'manual' + shell: bash run: | echo 'If you are using a "manual" build mode for one or more of the' \ 'languages you are analyzing, replace this with the commands to build' \ diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index c4858c6..cb338df 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -44,6 +44,6 @@ jobs: organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: codescan.sarif diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 1950d3a..197779f 100644 --- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -48,6 +48,6 @@ jobs: authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} #Upload the results to GitHub - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml index d5bb88f..35047d2 100644 --- a/code-scanning/crda.yml +++ b/code-scanning/crda.yml 
@@ -77,11 +77,11 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for redhat-actions/crda to upload SARIF results name: Scan project vulnerabilities with CRDA - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - name: Check out repository - uses: actions/checkout@v2 + uses: actions/checkout@v4 # ******************************************************************* # Required: Instructions to setup project @@ -94,9 +94,9 @@ jobs: # # Example: # - name: Setup Node - # uses: actions/setup-node@v2 + # uses: actions/setup-node@v4 # with: - # node-version: '14' + # node-version: '20' # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md - name: Install CRDA CLI diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml index 8c8c8be..5a322a4 100644 --- a/code-scanning/credo.yml +++ b/code-scanning/credo.yml @@ -55,7 +55,7 @@ jobs: - name: credo-scan run: mix credo --format=sarif > credo_output.sarif - name: upload sarif - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: credo_output.sarif diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index a892cf8..a98eabe 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -42,6 +42,6 @@ jobs: # Setting a SARIF output will generate a file named "datree.sarif" containing your test results cliArguments: "-o sarif" - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: datree.sarif diff --git a/code-scanning/debricked.yml b/code-scanning/debricked.yml new file mode 100644 index 0000000..79b0a07 --- /dev/null +++ b/code-scanning/debricked.yml 
@@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +##################################################################################################################################################################### +# Use this workflow template as a basis for integrating Debricked into your GitHub workflows. # +# # +# If you need additional assistance with configuration feel free to contact us via chat or email at support@debricked.com # +# To learn more about Debricked or contact our team, visit https://debricked.com/ # +# # +# To run this workflow, complete the following set-up steps: # +# # +# 1. If you don’t have a Debricked account, create one by visiting https://debricked.com/app/en/register # +# 2. Generate your Debricked access token, by following the steps mentioned in https://portal.debricked.com/administration-47/how-do-i-generate-an-access-token-130 # +# 3. In GitHub, navigate to the repository # +# 4. Click on “Settings” (If you cannot see the “Settings” tab, select the dropdown menu, then click “Settings”) # +# 5. In the “Security” section click on “Secrets and variables”, then click “Actions” # +# 6. In the “Secrets” tab, click on “New repository secret” # +# 7. In the “Name” field, type the name of the secret # +# 8. In the “Secret” field, enter the value of the secret # +# 9. Click “Add secret” # +# 10. You should now be ready to use the workflow! 
# +##################################################################################################################################################################### + +name: Debricked Scan + +on: + push: + +permissions: + contents: read + +jobs: + vulnerabilities-scan: + name: Vulnerabilities scan + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - uses: debricked/actions@v3 + env: + DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }} diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml index 07aa7d1..5b18a5b 100644 --- a/code-scanning/defender-for-devops.yml +++ b/code-scanning/defender-for-devops.yml @@ -33,7 +33,7 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: actions/setup-dotnet@v3 + - uses: actions/setup-dotnet@v4 with: dotnet-version: | 5.0.x @@ -42,6 +42,6 @@ jobs: uses: microsoft/security-devops-action@v1.6.0 id: msdo - name: Upload results to Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.msdo.outputs.sarifFile }} diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 76a116b..2d6293b 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -111,7 +111,7 @@ jobs: )" > ${{ github.workspace }}/detekt.sarif.json # Uploads results to GitHub repository using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: ${{ github.workspace }}/detekt.sarif.json diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index 98daab8..69ae85e 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -16,7 +16,7 @@ on: jobs: lint: name: DevSkim - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: actions: read contents: read 
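Review bot: `debricked/actions@v3` is a mutable major-version tag for a third-party action that receives `secrets.DEBRICKED_TOKEN`, whereas the other third-party actions touched in this commit (Datadog, cosign, gradle, ruby/setup-ruby, Appknox, Black Duck) are pinned to a full commit SHA; a moved tag would run different code with that token. Pin it as `uses: debricked/actions@<commit-sha> # v3.x.y` with the SHA of the current v3 release (placeholder: take it from the action's releases). The explicit `permissions: contents: read` is good. `on: push:` has no branch filter, so every push on every branch runs a scan; that may be intended for a template but deserves a comment.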
@@ -29,6 +29,6 @@ jobs: uses: microsoft/DevSkim-Action@v1 - name: Upload DevSkim scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: devskim-results.sarif diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 670fe62..1ca7368 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml @@ -26,7 +26,7 @@ jobs: ### Use this section to define the build steps used by your software package. ### Endor Labs builds your software for you where possible but the required build tools must be made available. # - name: Setup Java - # uses: actions/setup-java@v3 + # uses: actions/setup-java@v4 # with: # distribution: 'microsoft' # java-version: '17' @@ -46,6 +46,6 @@ jobs: ci_run: "false" sarif_file: findings.sarif - name: Upload SARIF to github - uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: findings.sarif diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 876ea2b..b0aaeb3 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -33,9 +33,11 @@ jobs: - name: Install ESLint run: | npm install eslint@8.10.0 - npm install @microsoft/eslint-formatter-sarif@2.1.7 + npm install @microsoft/eslint-formatter-sarif@3.1.0 - name: Run ESLint + env: + SARIF_ESLINT_IGNORE_SUPPRESSED: "true" run: npx eslint . --config .eslintrc.js --ext .js,.jsx,.ts,.tsx @@ -44,7 +46,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: eslint-results.sarif - wait-for-processing: true \ No newline at end of file + wait-for-processing: true diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index a68d0a2..fac8a74 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml 
@@ -63,7 +63,7 @@ jobs: sarif-result-file: "ethicalcheck-results.sarif" - name: Upload sarif file to repository - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ./ethicalcheck-results.sarif diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml index d564b68..d3898b6 100644 --- a/code-scanning/flawfinder.yml +++ b/code-scanning/flawfinder.yml @@ -33,6 +33,6 @@ jobs: output: 'flawfinder_results.sarif' - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{github.workspace}}/flawfinder_results.sarif \ No newline at end of file diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index c52b70e..fd7b723 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml 
@@ -4,95 +4,126 @@ # documentation. ################################################################################################################################################ -# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# -# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # -# or contact our sales team, visit microfocus.com/appsecurity. # +# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your # +# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. # # # -# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# -# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # -# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # -# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # -# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # -# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template # +# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security # +# Code Scanning Alerts. 
Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product # +# documentation. If you need additional assistance, please contact Fortify support. # ################################################################################################################################################ -name: Fortify on Demand Scan +name: Fortify AST Scan -# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +# Customize trigger events based on your DevSecOps process and/or policy on: - workflow_dispatch: push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above branches: [ $default-branch ] schedule: - cron: $cron-weekly + workflow_dispatch: jobs: - FoD-SAST-Scan: - # Use the appropriate runner for building your source code. - # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + Fortify-AST-Scan: + # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc). runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write + # pull-requests: write # Required if DO_PR_COMMENT is set to true steps: # Check out source code - name: Check Out Source Code uses: actions/checkout@v4 - # Java is required to run the various Fortify utilities. - # When scanning a Java application, please use the appropriate Java version for building your application. - - name: Setup Java - uses: actions/setup-java@v3 + # Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. 
Based on + # configuration, the Fortify GitHub Action can optionally set up the application version/release, generate + # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard. + # The Fortify GitHub Action provides many customization capabilities, but in case further customization is + # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools + # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action + # documentation at https://github.com/fortify/github-action#readme for more information on the various + # configuration options and available sub-actions. + - name: Run Fortify Scan + # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example + # uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases + # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability + # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version + # of this action, allowing your workflows to automatically benefit from any new features and bug fixes. + uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297 with: - java-version: 8 - distribution: 'temurin' - - # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. - # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: - # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). - # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. 
- # ScanCentral has additional options that should be set for PHP and Python projects - # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. - # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ - - name: Download Fortify ScanCentral Client - uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 - - name: Package Code + Dependencies - run: scancentral package $PACKAGE_OPTS -o package.zip + sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run + debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan + # is disabled). For SSC, run a Debricked scan and import results into SSC. env: - PACKAGE_OPTS: "-bt mvn" + ############################################################# + ##### Fortify on Demand configuration + ##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below) + ### Required configuration + FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret + FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required; + FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets. 
+ FOD_PASSWORD: ${{secrets.FOD_PAT}} + # FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}} + # FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}} + ### Optional configuration + # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options + # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /: + # DO_SETUP: true # Setup FoD application, release & static scan configuration + # SETUP_ACTION: # Customize setup action + # Pass extra options to setup action: + # SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}" + # PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options + # FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options + # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) + # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL + # POLICY_CHECK_ACTION: # Customize security policy checks + # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action + # DO_JOB_SUMMARY: true # Generate workflow job summary + # JOB_SUMMARY_ACTION: # Customize job summary + # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action + # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers + # PR_COMMENT_ACTION: # Customize PR comments + # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action + # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard + # EXPORT_ACTION: # Customize export action + # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action + # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions - # Start Fortify on Demand SAST scan and wait until results complete. 
For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java - # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: - # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). - # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. - - name: Download Fortify on Demand Universal CI Tool - uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 - - name: Perform SAST Scan - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" - env: - FOD_URL: "https://ams.fortify.com/" - FOD_API_URL: "https://api.ams.fortify.com/" - FOD_TENANT: ${{ secrets.FOD_TENANT }} - FOD_USER: ${{ secrets.FOD_USER }} - FOD_PAT: ${{ secrets.FOD_PAT }} - FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} - FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" - FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' - - # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. 
- - name: Export results to GitHub-optimized SARIF - uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b - with: - fod_base_url: "https://ams.fortify.com/" - fod_tenant: ${{ secrets.FOD_TENANT }} - fod_user: ${{ secrets.FOD_USER }} - fod_password: ${{ secrets.FOD_PAT }} - fod_release_id: ${{ secrets.FOD_RELEASE_ID }} - - # Import Fortify on Demand results to GitHub Security Code Scanning - - name: Import Results - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ./gh-fortify-sast.sarif + ############################################################# + ##### Fortify Hosted / Software Security Center & ScanCentral + ##### Remove this section if you're integrating with Fortify on Demand (see above) + ### Required configuration + SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret + SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets + SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled + DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled + SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled + ### Optional configuration + # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options + # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options + # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: /: + # DO_SETUP: true # Set up SSC application & version + # SETUP_ACTION: # Customize setup action + # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action + # PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options + # EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options + # DO_WAIT: true # Wait for successful scan completion (implied if 
post-scan actions enabled) + # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL + # POLICY_CHECK_ACTION: # Customize security policy checks + # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action + # DO_JOB_SUMMARY: true # Generate workflow job summary + # JOB_SUMMARY_ACTION: # Customize job summary + # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action + # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers + # PR_COMMENT_ACTION: # Customize PR comments + # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action + # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard + # EXPORT_ACTION: # Customize export action + # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action + # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 62eb9ec..12f8011 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -5,9 +5,9 @@ # Frogbot Scan and Fix does the following: # Automatically creates pull requests with fixes for vulnerable project dependencies. # Uses JFrog Xray to scan the project. -# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot -# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration name: "Frogbot Scan and Fix" on: 
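Review bot: Both the Fortify on Demand and the SSC/ScanCentral `env` sections under the "Run Fortify Scan" step are live at the same time, so a copied template forwards `FOD_URL`/`FOD_TENANT`/`FOD_USER`/`FOD_PASSWORD` together with `SSC_URL`/`SSC_TOKEN`/`SC_SAST_TOKEN`/`DEBRICKED_TOKEN` to the action until the user deletes one block, and the only guidance is the "Remove this section" comment. Shipping one section (for example the SSC one) commented out by default would make the starter runnable as-is and avoid handing two sets of credential references to the action when a user forgets to remove a block; how `fortify/github-action` behaves when both `FOD_URL` and `SSC_URL` are set is not visible here. The commit-SHA pin with the version called out in the comment above `uses:` is the right form for a third-party action.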
@@ -23,11 +23,7 @@ jobs: steps: - uses: actions/checkout@v4 - # IMPORTANT: - # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix - # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0 + - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index a2e29fa..badcef0 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -5,9 +5,9 @@ # Frogbot Scan Pull Request does the following: # Automatically scans new pull requests for security vulnerabilities. # Uses JFrog Xray to scan the project. -# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot -# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration name: "Frogbot Scan Pull Request" on: 
@@ -21,18 +21,14 @@ jobs: runs-on: ubuntu-latest # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the # "frogbot" GitHub environment can approve the pull request to be scanned. - # Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md + # Read more here (Install Frogbot Using GitHub Actions): https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-github-actions environment: frogbot steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - # IMPORTANT: - # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix - # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - - - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0 + - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2 env: # [Mandatory if the two conditions below are met] # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 2d901a4..eacbabb 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -41,7 +41,7 @@ jobs: no-fail: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: hadolint-results.sarif wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/jfrog-sast.yml b/code-scanning/jfrog-sast.yml new file mode 100644 index 0000000..4ff7ef7 --- /dev/null +++ b/code-scanning/jfrog-sast.yml 
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# JFrog SAST performs 1st party source code security analysis +# For more information, see +# https://docs.jfrog-applications.jfrog.io/jfrog-security-features/sast + +name: "JFrog SAST Scan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch, $protected-branches ] + schedule: + - cron: $cron-weekly + +env: + # [Mandatory] + # JFrog platform URL and access token for + # a JFrog platform instance with active + # JFrog Advanced Security subscription + JF_URL: ${{ secrets.JF_URL }} + JF_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + + - name: Install and configure JFrog CLI + run: | + npm install -g jfrog-cli-v2-jf + echo $JF_TOKEN | jf c add --interactive=false --url=$JF_URL --access-token-stdin + + - name: Run JFrog SAST + run: | + jf audit --sast --format=sarif > jfrog_sast.sarif + + + - name: Upload output to generate autofix + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: jfrog_sast.sarif \ No newline at end of file diff --git a/code-scanning/jscrambler-code-integrity.yml b/code-scanning/jscrambler-code-integrity.yml index 69d7c42..64a998a 100644 --- a/code-scanning/jscrambler-code-integrity.yml +++ b/code-scanning/jscrambler-code-integrity.yml @@ -28,9 +28,9 @@ jobs: contents: read steps: - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: 18 + node-version: 20 - run: npm ci - run: npm run build - name: Jscrambler Code Integrity 
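Review bot: The workflow-level `env` in the new file exposes `JF_TOKEN` (from `secrets.JF_ACCESS_TOKEN`) and `JF_URL` to every step, including `actions/checkout@v4` and `actions/setup-node@v4`, which never need them; moving that `env` block onto the "Install and configure JFrog CLI" step limits the credential to the one process that consumes it (the `jf c add ... --access-token-stdin` invocation already reads it from stdin, which is the right way to pass it). `JF_URL` held in a secret rather than a repository variable will be masked in logs, which makes connection failures harder to diagnose; `${{ vars.JF_URL }}` is the more usual home for a non-secret endpoint. The file also ends without a trailing newline and has a doubled blank line before the upload step.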
diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 98fd8e0..4f11399 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -17,7 +17,7 @@ on: jobs: lint: name: Kubesec - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: actions: read contents: read @@ -36,6 +36,6 @@ jobs: exit-code: "0" - name: Upload Kubesec scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: kubesec-results.sarif \ No newline at end of file diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 01ce719..7bb83e3 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml @@ -49,7 +49,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: lintr-results.sarif wait-for-processing: true diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 9e533fe..36ed82a 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -9,13 +9,11 @@ # # To use this workflow, you will need to: # -# 1. Create a Mayhem for API account at -# https://mayhem4api.forallsecure.com/signup +# 1. Create a Mayhem account at https://app.mayhem.security # -# 2. Create a service account token `mapi organization service-account create -# ` +# 2. Create an API token at https://app.mayhem.security/-/settings/user/api-tokens # -# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN" +# 3. Add the API token as a secret in GitHub called "MAYHEM_TOKEN" # # 4. Update the "Start your API" step to run your API in the background before # starting the Mayhem for API scan, and update the `api-url` & `api-spec` 
@@ -51,16 +49,16 @@ jobs: run: ./run_your_api.sh & # <- ✏️ update this - name: Mayhem for API - uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010 + uses: ForAllSecure/mapi-action@v1 continue-on-error: true with: - mapi-token: ${{ secrets.MAPI_TOKEN }} + mayhem-token: ${{ secrets.MAYHEM_TOKEN }} api-url: http://localhost:8080 # <- ✏️ update this api-spec: http://localhost:8080/openapi.json # <- ✏️ update this duration: 60 sarif-report: mapi.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: mapi.sarif diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 9f876ae..05e014e 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -38,6 +38,6 @@ jobs: args: . --sarif --output results.sarif || true - name: Upload mobsfscan report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index 0700989..1d7b31f 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -54,13 +54,13 @@ jobs: # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.run-analysis.outputs.sarif }} # Upload SARIF file as an Artifact to download and view # - name: Upload SARIF as an Artifact - # uses: actions/upload-artifact@v3 + # uses: actions/upload-artifact@v4 # with: # name: sarif-file # path: ${{ steps.run-analysis.outputs.sarif }} diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml index e9189d5..218d16a 100644 --- a/code-scanning/neuralegion.yml +++ b/code-scanning/neuralegion.yml 
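Review bot: `uses: ForAllSecure/mapi-action@v1` replaces a commit-SHA pin with a floating major tag on a third-party action that receives `MAYHEM_TOKEN`, which is a step backwards on supply-chain integrity compared with the rest of this commit, where the DataDog, Frogbot and AWS actions are pinned to a SHA with the version in a trailing comment. Keeping the pin form, `uses: ForAllSecure/mapi-action@<commit-sha> # v1.x.y`, with the SHA of the release that introduced the `mayhem-token` input, preserves the secret rename while keeping the reference immutable. The `endorlabs.yml` hunk makes the same SHA-to-tag move for `github/codeql-action/upload-sarif`, although that action is GitHub-owned and the `@v3` form matches the other templates.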
@@ -162,7 +162,7 @@ jobs: runs-on: ubuntu-18.04 name: A job to run a Nexploit scan steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Start Nexploit Scan 🏁 id: start uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8062259..767b967 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -37,6 +37,6 @@ jobs: with: args: '. --sarif --output results.sarif || true' - name: Upload njsscan report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml index 324a533..5cb6c29 100644 --- a/code-scanning/nowsecure.yml +++ b/code-scanning/nowsecure.yml @@ -47,6 +47,6 @@ jobs: group_id: {{ groupId }} # Update this to your desired Platform group ID - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: NowSecure.sarif diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index ad46e1d..0088a3f 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -40,7 +40,7 @@ jobs: # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: # - name: Install .NET - # uses: actions/setup-dotnet@v2 + # uses: actions/setup-dotnet@v4 # with: # dotnet-version: '3.1.x' @@ -51,6 +51,6 @@ jobs: # Upload results to the Security tab - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index 58ca4f8..5ceaabc 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml 
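Review bot: The job in this hunk keeps `runs-on: ubuntu-18.04` (the context line above the bumped `actions/checkout@v4`), and that GitHub-hosted runner label has been retired, so the updated job still will not schedule; the commit moved `devskim.yml` and `kubesec.yml` to `ubuntu-latest` and this file should follow with `runs-on: ubuntu-latest`. The `NeuraLegion/run-scan` SHA pin on the last visible line is unchanged, which is fine, though no version comment accompanies it.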
@@ -51,7 +51,7 @@ jobs: continue-on-error: true - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: phpmd-results.sarif wait-for-processing: true diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index ed5eec9..032f997 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -26,7 +26,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' @@ -38,6 +38,6 @@ jobs: sourcePath: 'src/main/java' analyzeModifiedFilesOnly: false - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: pmd-report.sarif diff --git a/code-scanning/policy-validator-cfn.yaml b/code-scanning/policy-validator-cfn.yaml index b2cd163..8d32ce1 100644 --- a/code-scanning/policy-validator-cfn.yaml +++ b/code-scanning/policy-validator-cfn.yaml 
@@ -20,7 +20,8 @@ env: AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template. - ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. jobs: 
@@ -45,7 +46,7 @@ jobs: # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator - name: Run AWS AccessAnalyzer ValidatePolicy check id: run-aws-validate-policy - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "VALIDATE_POLICY" template-path: ${{ env.TEMPLATE_PATH}} @@ -57,11 +58,12 @@ jobs: # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator - name: Run AWS AccessAnalyzer CheckAccessNotGranted check id: run-aws-check-access-not-granted - uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 with: policy-check-type: "CHECK_ACCESS_NOT_GRANTED" template-path: ${{ env.TEMPLATE_PATH}} actions: ${{ env.ACTIONS }} + resources: ${{ env.RESOURCES }} region: ${{ env.REGION }} # Print result from CHECK_ACCESS_NOT_GRANTED check - name: Print the result for CheckAccessNotGranted check 
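Review bot: The CheckAccessNotGranted step now passes both `actions: ${{ env.ACTIONS }}` and `resources: ${{ env.RESOURCES }}` unconditionally, while the env comments say only one of the two is required; a user who fills in just `ACTIONS` will have the literal placeholder `MY_LIST_OF_RESOURCES` sent as a resource ARN list (and vice versa), and how the action treats such a value is not visible here. A comment on the `resources:` line such as `# remove this input, or leave RESOURCES empty, if you only filter by actions` would prevent that. The `policy-validator-tf.yaml` env hunk adds the same `RESOURCES` placeholder; its step hunk is outside this view.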
@@ -71,14 +73,26 @@ jobs:
 # reference-policy is stored in GitHub secrets
 - name: Run AWS AccessAnalyzer CheckNoNewAccess check
 id: run-aws-check-no-new-access
- uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
 with:
 policy-check-type: "CHECK_NO_NEW_ACCESS"
 template-path: ${{ env.TEMPLATE_PATH}}
- reference-policy: ${{ env.REFERENCE }}
+ reference-policy: ${{ env.REFERENCE_POLICY }}
 reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
 region: ${{env.REGION }}
 # Print result from CHECK_NO_NEW_ACCESS check
 - name: Print the result for CheckNoNewAccess check
 if: success() || failure()
 run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
+ # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer CheckNoPublicAccess check
+ id: run-aws-check-no-public-access
+ uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
+ with:
+ policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_NO_PUBLIC_ACCESS check
+ - name: Print the result for CheckNoPublicAccess check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
diff --git a/code-scanning/policy-validator-tf.yaml b/code-scanning/policy-validator-tf.yaml
index 1ca77b5..07f884f 100644
--- a/code-scanning/policy-validator-tf.yaml
+++ b/code-scanning/policy-validator-tf.yaml
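Review bot: The new CheckNoPublicAccess step has no `if:` condition, so it only runs when every preceding step succeeded; the check steps before it are a gate that fails the job when a finding is reported, which means a public-access finding is never evaluated or printed on a template that already fails CheckAccessNotGranted or CheckNoNewAccess. Only the print steps carry `if: success() || failure()`. If the intent is that each check reports independently, add `if: success() || failure()` to the check step as well (the same applies to the existing check steps, which are outside this hunk's changed lines). The Terraform template's new step at L43 inherits the same behaviour; the new step also uses `${{ env.TEMPLATE_PATH }}` while the steps above it use `${{ env.TEMPLATE_PATH}}` and `${{env.REGION }}`, which is worth normalising while touching the file.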
@@ -21,7 +21,8 @@ env:
 AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
 REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
 TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
- ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
 REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
 REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
@@ -48,7 +49,7 @@ jobs:
 # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
 - name: Run AWS AccessAnalyzer ValidatePolicy check
 id: run-aws-validate-policy
- uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
 with:
 policy-check-type: "VALIDATE_POLICY"
 template-path: ${{ env.TEMPLATE_PATH }}
@@ -60,11 +61,12 @@ jobs:
 # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
 - name: Run AWS AccessAnalyzer CheckAccessNotGranted check
 id: run-aws-check-access-not-granted
- uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
 with:
 policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
 template-path: ${{ env.TEMPLATE_PATH }}
 actions: ${{ env.ACTIONS }}
+ resources: ${{ env.RESOURCES }}
 region: ${{ env.REGION }}
 # Print result from CHECK_ACCESS_NOT_GRANTED check
 - name: Print the result for CheckAccessNotGranted check
@@ -74,7 +76,7 @@ jobs:
 # reference-policy is stored in GitHub secrets
 - name: Run AWS AccessAnalyzer CheckNoNewAccess check
 id: run-aws-check-no-new-access
- uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
 with:
 policy-check-type: "CHECK_NO_NEW_ACCESS"
 template-path: ${{ env.TEMPLATE_PATH }}
@@ -85,3 +87,15 @@ jobs:
 - name: Print the result CheckNoNewAccess check
 if: success() || failure()
 run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
+ # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer CheckNoPublicAccess check
+ id: run-aws-check-no-public-access
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_NO_PUBLIC_ACCESS check
+ - name: Print the result for CheckNoPublicAccess check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml
index 52f65a0..216f1dc 100644
--- a/code-scanning/powershell.yml
+++ b/code-scanning/powershell.yml
@@ -44,6 +44,6 @@ jobs:
 # Upload the SARIF file generated in the previous step
 - name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: results.sarif
diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml
index 4b84b21..5461f5c 100644
--- a/code-scanning/prisma.yml
+++ b/code-scanning/prisma.yml
@@ -49,7 +49,7 @@ jobs:
 # The service need to know the type of IaC being scanned
 template_type: 'CFT'
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 # Results are generated only on a success or failure
 # this is required since GitHub by default won't run the next step
 # when the previous one has failed.
diff --git a/code-scanning/properties/appknox.properties.json b/code-scanning/properties/appknox.properties.json
new file mode 100644
index 0000000..8e8b1f2
--- /dev/null
+++ b/code-scanning/properties/appknox.properties.json
@@ -0,0 +1,21 @@
+{
+ "name": "Appknox",
+ "creator": "Appknox",
+ "description": "Use Appknox action for faster and precise security assessments of your iOS and Android apps developed using any programming language",
+ "iconName": "appknox",
+ "categories": [
+ "Code Scanning",
+ "Java",
+ "Kotlin",
+ "Scala",
+ "Swift",
+ "Objective C",
+ "C",
+ "C++",
+ "C#",
+ "Rust",
+ "JavaScript",
+ "TypeScript",
+ "Node"
+ ]
+}
diff --git a/code-scanning/properties/black-duck-security-scan-ci.properties.json b/code-scanning/properties/black-duck-security-scan-ci.properties.json
new file mode 100644
index 0000000..3e196fd
--- /dev/null
+++ b/code-scanning/properties/black-duck-security-scan-ci.properties.json
@@ -0,0 +1,22 @@
+{
+ "name": "Black Duck Security Scan Workflow",
+ "creator": "Black Duck Software, Inc.",
+ "description": "The Black Duck Security Scan GitHub Action allows you to configure your pipeline to run Black Duck Security Scan and take action on the security results",
+ "iconName": "black-duck",
+ "categories": [
+ "Code Scanning",
+ "C",
+ "C++",
+ "C#",
+ "Go",
+ "Java",
+ "JavaScript",
+ "Ruby",
+ "PHP",
+ "Swift",
+ "Kotlin",
+ "Python",
+ "VB.NET",
+ "Objective C"
+ ]
+}
diff --git a/code-scanning/properties/debricked.properties.json b/code-scanning/properties/debricked.properties.json
new file mode 100644
index 0000000..f669f09
--- /dev/null
+++ b/code-scanning/properties/debricked.properties.json
@@ -0,0 +1,19 @@
+{
+ "name": "Debricked Scan",
+ "creator": "OpenText",
+ "description": "Integrate with Debricked's state of the art AI-powered Software Composition Analysis to automate your security.",
+ "iconName": "debricked",
+ "categories": [
+ "Code Scanning",
+ "Python",
+ "JavaScript",
+ "Java",
+ "PHP",
+ "Ruby",
+ "Go",
+ "Rust",
+ "Swift",
+ "C#",
+ "Objective-C"
+ ]
+}
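Review bot: The new appknox and black-duck property files spell the category `"Objective C"`, while the debricked file added in the same commit and the existing fortify file use `"Objective-C"`; if these strings are matched literally when the starter-workflow catalogue is filtered by language, the two new entries presumably will not surface alongside the others. Pick one spelling, `"Objective-C"` matching the existing files, for all three. The jfrog-sast file at L46 has the related problem of lowercase category names (`"python"`, `"java"`, …) where every other file uses capitalised ones, plus a non-category `"security"` entry and a missing trailing newline.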
diff --git a/code-scanning/properties/fortify.properties.json b/code-scanning/properties/fortify.properties.json
index 100b4bb..9a7511c 100644
--- a/code-scanning/properties/fortify.properties.json
+++ b/code-scanning/properties/fortify.properties.json
@@ -1,7 +1,7 @@
 {
- "name": "Fortify on Demand Scan",
- "creator": "Micro Focus",
- "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.",
+ "name": "Fortify Scan",
+ "creator": "OpenText",
+ "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 33+ languages into your DevSecOps workflows.",
 "iconName": "fortify",
- "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"]
+ "categories": ["Code Scanning", "ABAP", "ActionScript", "Bicep", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Dart", "Go", "HCL", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Solidity", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML", "YAML"]
 }
diff --git a/code-scanning/properties/jfrog-sast.properties.json b/code-scanning/properties/jfrog-sast.properties.json
new file mode 100644
index 0000000..7ffa897
--- /dev/null
+++ b/code-scanning/properties/jfrog-sast.properties.json
@@ -0,0 +1,16 @@
+{
+ "name": "JFrog SAST",
+ "description": "Scan for security vulnerabilities in source code using JFrog SAST",
+ "iconName": "frogbot",
+ "categories":
+ [
+ "Code Scanning",
+ "security",
+ "python",
+ "java",
+ "javascript",
+ "typescript",
+ "go"
+ ],
+ "creator": "JFrog"
+}
\ No newline at end of file
diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml
index dddbfdd..a0563d9 100644
--- a/code-scanning/psalm.yml
+++ b/code-scanning/psalm.yml
@@ -33,6 +33,6 @@ jobs:
 uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287
 - name: Upload Security Analysis results to GitHub
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: results.sarif
diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml
index e039085..014b0a0 100644
--- a/code-scanning/puppet-lint.yml
+++ b/code-scanning/puppet-lint.yml
@@ -49,7 +49,7 @@ jobs:
 continue-on-error: true
 - name: Upload analysis results to GitHub
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: puppet-lint-results.sarif
 wait-for-processing: true
diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml
index feef351..a3e7af8 100644
--- a/code-scanning/rubocop.yml
+++ b/code-scanning/rubocop.yml
@@ -47,6 +47,6 @@ jobs:
 "
 - name: Upload Sarif output
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: rubocop.sarif
diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml
index 4f50c3e..e4b2508 100644
--- a/code-scanning/rust-clippy.yml
+++ b/code-scanning/rust-clippy.yml
@@ -49,7 +49,7 @@ jobs:
 continue-on-error: true
 - name: Upload analysis results to GitHub
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: rust-clippy-results.sarif
 wait-for-processing: true
diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml
index 162c788..b5b838e 100644
--- a/code-scanning/scorecard.yml
+++ b/code-scanning/scorecard.yml
@@ -21,6 +21,8 @@ jobs:
 analysis:
 name: Scorecard analysis
 runs-on: ubuntu-latest
+ # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+ if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
 permissions:
 # Needed to upload the results to code-scanning dashboard.
 security-events: write
@@ -32,12 +34,12 @@ jobs:
 steps:
 - name: "Checkout code"
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: "Run analysis"
- uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
 with:
 results_file: results.sarif
 results_format: sarif
@@ -56,10 +58,13 @@ jobs:
 # of the value entered here.
 publish_results: true
+ # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
+ # file_mode: git
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
 # format to the repository Actions tab.
 - name: "Upload artifact"
- uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
 with:
 name: SARIF file
 path: results.sarif
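Review bot: The comment above the new job-level `if:` in the first hunk is hard to act on: "conditional can be removed if disabled" does not say what "disabled" refers to, and a reader has to guess that it means `publish_results` further down the file. Suggested wording: `# publish_results: true is only accepted when the job runs on the default branch (or for pull_request events); drop this if: when you set publish_results: false`. The `if:` itself correctly keeps the job from running on other branches, where the action would otherwise fail the publish step; the condition is probably also what keeps the workflow from producing a spurious failure on `branch_protection_rule` events, which is worth saying since the trigger list is outside this hunk.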
@@ -68,6 +73,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: results.sarif
diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml
index 5d5e87b..58cb9c6 100644
--- a/code-scanning/securitycodescan.yml
+++ b/code-scanning/securitycodescan.yml
@@ -38,4 +38,4 @@ jobs:
 uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
 - name: Upload sarif
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml
index f21aa9a..bbf787a 100644
--- a/code-scanning/semgrep.yml
+++ b/code-scanning/semgrep.yml
@@ -43,7 +43,7 @@ jobs:
 # Upload SARIF file generated in previous step
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: semgrep.sarif
 if: always()
diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml
index edbea1d..c485691 100644
--- a/code-scanning/snyk-container.yml
+++ b/code-scanning/snyk-container.yml
@@ -50,6 +50,6 @@ jobs:
 image: your/image-to-test
 args: --file=Dockerfile
 - name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: snyk.sarif
diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml
index a5605a3..f1466b2 100644
--- a/code-scanning/snyk-infrastructure.yml
+++ b/code-scanning/snyk-infrastructure.yml
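Review bot: The scorecard.yml hunk replaces a commit-SHA pin with a version comment (`upload-sarif@1b1aada… # v3.24.9`) by the mutable tag `upload-sarif@v3`, while every other step in this file (checkout, scorecard-action, upload-artifact in the preceding hunks) stays SHA-pinned; this is the one template whose whole point is to demonstrate Scorecard, and Scorecard's Pinned-Dependencies check reports exactly this pattern, so the reference workflow would now flag itself. Unlike the blanket `@v2`→`@v3` bumps elsewhere in this commit, where the files were never pinned, this is a downgrade in supply-chain posture. Keep the SHA form with its version comment, e.g. `uses: github/codeql-action/upload-sarif@<commit-sha-of-v3.x.y> # v3.x.y`, with the SHA taken from the release the maintainers intend to pin.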
@@ -49,6 +49,6 @@ jobs:
 # or `main.tf` for a Terraform configuration file
 file: your-file-to-test.yaml
 - name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: snyk.sarif
diff --git a/code-scanning/snyk-security.yml b/code-scanning/snyk-security.yml
index 4941e00..b2fe77c 100644
--- a/code-scanning/snyk-security.yml
+++ b/code-scanning/snyk-security.yml
@@ -43,9 +43,9 @@ jobs:
 # For Snyk Open Source you must first set up the development environment for your application's dependencies
 # For example for Node
- #- uses: actions/setup-node@v3
+ #- uses: actions/setup-node@v4
 # with:
- # node-version: 16
+ # node-version: 20
 env:
 # This is where you will need to introduce the Snyk API token created with your Snyk account
@@ -74,6 +74,6 @@ jobs:
 # Push the Snyk Code results into GitHub Code Scanning tab
 - name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: snyk-code.sarif
diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml
index 6dd4ffe..cfbf1f4 100644
--- a/code-scanning/sobelow.yml
+++ b/code-scanning/sobelow.yml
@@ -36,6 +36,6 @@ jobs:
 - id: run-action
 uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912
 - name: Upload report
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: results.sarif
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 41075e4..0e7f274 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -46,13 +46,12 @@ jobs:
 - name: Analyze with SonarCloud
 # You can pin the exact commit or the version.
- # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
- uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ # uses: SonarSource/sonarcloud-github-action@v2.2.0
+ uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
 with:
- # Additional arguments for the sonarcloud scanner
+ # Additional arguments for the SonarScanner CLI
 args:
 # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
 # mandatory
@@ -60,9 +59,9 @@ jobs:
 -Dsonar.organization=
 # Comma-separated paths to directories containing main source files.
 #-Dsonar.sources= # optional, default is project base directory
- # When you need the analysis to take place in a directory other than the one from which it was launched
- #-Dsonar.projectBaseDir= # optional, default is .
 # Comma-separated paths to directories containing test source files.
 #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
 # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
 #-Dsonar.verbose= # optional, default is false
+ # When you need the analysis to take place in a directory other than the one from which it was launched, default is .
+ projectBaseDir: .
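Review bot: The new `uses: SonarSource/sonarcloud-github-action@4006f663…` line is SHA-pinned but carries no version comment, unlike the other pinned actions in this commit (`# v1.4.0`, `# v4.2.2`, `# v2.4.1`), so a maintainer auditing the pin cannot tell which release it corresponds to without resolving the SHA; the commented-out line above it references `v2.2.0`, and if that is the release this SHA was taken from, write `uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 # v2.2.0`. Dropping `GITHUB_TOKEN` from `env:` is presumably deliberate for the newer action, but the removed comment said it was needed for PR decoration, so it is worth a one-line note in the hunk or the commit message confirming the new version reads it from the runtime context. In the second hunk, `projectBaseDir: .` is placed after the `args:` block; since `args:` appears to be a multi-line scalar (the `-Dsonar.*` lines are its continuation) this relies on the input being a sibling key of `args:` at the `with:` indent, which the collapsed diff cannot confirm and is worth checking in the rendered file.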
diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml
index b3e470e..4853c4e 100644
--- a/code-scanning/soos-dast-scan.yml
+++ b/code-scanning/soos-dast-scan.yml
@@ -36,15 +36,25 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Run SOOS DAST Analysis
- uses: soos-io/soos-dast-github-action@a7f2cb2dfd143cb3224712d902ca0a1da0198ea9
+ uses: soos-io/soos-dast-github-action@a7eb40b94c1c81eb76b178ba1befdc21823f86fa
 with:
 client_id: ${{ secrets.SOOS_CLIENT_ID }}
 api_key: ${{ secrets.SOOS_API_KEY }}
 project_name: ""
 scan_mode: "baseline"
 target_url: "https://www.example.com/"
- output_format: "sarif"
+ export_format: "Sarif"
+ export_file_type: "Json"
+ - name: Find and rename SARIF file since it is unique
+ run: |
+ file=$(find . -name "*.sarif.json" | head -n 1)
+ if [ -n "$file" ]; then
+ mv "$file" output.sarif.json
+ echo "Renamed $file to output.sarif.json"
+ else
+ echo "No SARIF file found" && exit 1
+ fi
 - name: Upload SOOS DAST SARIF Report
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: results.sarif
+ sarif_file: output.sarif.json
diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml
index cac0507..f1ceddb 100644
--- a/code-scanning/stackhawk.yml
+++ b/code-scanning/stackhawk.yml
@@ -46,7 +46,7 @@ jobs:
 contents: read # for actions/checkout to fetch code
 security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info
 name: StackHawk
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml
index df50d9d..6e245d7 100644
--- a/code-scanning/synopsys-io.yml
+++ b/code-scanning/synopsys-io.yml
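Review bot: The new rename step searches the whole workspace with `find . -name "*.sarif.json" | head -n 1`, so the file that gets uploaded to code scanning is whichever matching file `find` happens to list first, not necessarily the one the SOOS step just wrote; any `*.sarif.json` already present in the checkout (a committed sample report, an artifact from an earlier step) would be uploaded instead and the real DAST result silently dropped. The step comment says the file name "is unique", which presumably refers to a run-specific name the action generates, but the glob does not encode that. Scope the search to where the action writes its export (the action's output directory, if it exposes one, or `-maxdepth 1` with `-newer` relative to a marker file) and fail if more than one file matches, e.g. `files=$(find . -maxdepth 1 -name "*.sarif.json"); [ "$(printf '%s\n' "$files" | grep -c .)" -eq 1 ] || { echo "expected exactly one SARIF file"; exit 1; }`. The SHA-pinned `soos-dast-github-action@a7eb40b9…` on the same hunk also lacks the `# vX.Y.Z` comment the other pinned actions in this commit carry.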
@@ -71,7 +71,7 @@ jobs:
 - name: Upload SARIF file
 if: ${{steps.prescription.outputs.sastScan == 'true' }}
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 # Path to SARIF file relative to the root of the repository
 sarif_file: workflowengine-results.sarif.json
diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml
index c9a0edb..11fd8b7 100644
--- a/code-scanning/sysdig-scan.yml
+++ b/code-scanning/sysdig-scan.yml
@@ -55,7 +55,7 @@ jobs:
 # Sysdig inline scanner requires privileged rights
 run-as-user: root
- - uses: github/codeql-action/upload-sarif@v2
+ - uses: github/codeql-action/upload-sarif@v3
 #Upload SARIF file
 if: always()
 with:
diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml
index 388fc37..c8ef49c 100644
--- a/code-scanning/tfsec.yml
+++ b/code-scanning/tfsec.yml
@@ -32,7 +32,7 @@ jobs:
 sarif_file: tfsec.sarif
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 # Path to SARIF file relative to the root of the repository
 sarif_file: tfsec.sarif
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index ec90221..ca2fe88 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -24,7 +24,7 @@ jobs:
 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
 name: Build
- runs-on: "ubuntu-20.04"
+ runs-on: ubuntu-latest
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
@@ -43,6 +43,6 @@ jobs:
 severity: 'CRITICAL,HIGH'
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: 'trivy-results.sarif'
diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml
index 379493f..aa75128 100644
--- a/code-scanning/veracode.yml
+++ b/code-scanning/veracode.yml
@@ -42,7 +42,7 @@ jobs:
 - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
 - run: unzip -o pipeline-scan-LATEST.zip
- - uses: actions/setup-java@v3
+ - uses: actions/setup-java@v4
 with:
 java-version: 8
 distribution: 'temurin'
@@ -53,7 +53,7 @@ jobs:
 uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
 with:
 pipeline-results-json: results.json
- - uses: github/codeql-action/upload-sarif@v2
+ - uses: github/codeql-action/upload-sarif@v3
 with:
 # Path to SARIF file relative to the root of the repository
 sarif_file: veracode-results.sarif
diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml
index 32c977e..834d71f 100644
--- a/code-scanning/xanitizer.yml
+++ b/code-scanning/xanitizer.yml
@@ -62,7 +62,7 @@ jobs:
 # Set up the correct Java version for your project
 # Please comment out, if your project does not contain Java source code.
 - name: Set up JDK 11
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
 with:
 java-version: 11
 distribution: 'temurin'
@@ -87,7 +87,7 @@ jobs:
 license: ${{ secrets.XANITIZER_LICENSE }}
 # Archiving the findings list reports
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
 with:
 name: Xanitizer-Reports
 path: |
@@ -95,6 +95,6 @@ jobs:
 *-Findings-List.sarif
 # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
- - uses: github/codeql-action/upload-sarif@v2
+ - uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: Xanitizer-Findings-List.sarif
diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml
index 7a2fc00..523c495 100644
--- a/code-scanning/zscaler-iac-scan.yml
+++ b/code-scanning/zscaler-iac-scan.yml
@@ -51,6 +51,6 @@ jobs:
 #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
 - name: Upload SARIF file
 if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}
diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml
index 018e473..9c9b303 100644
--- a/code-scanning/zscan.yml
+++ b/code-scanning/zscan.yml
@@ -55,6 +55,6 @@ jobs:
 app_file: app-release-unsigned.apk
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: Zimperium.sarif
diff --git a/deployments/azure-functions-app-dotnet.yml b/deployments/azure-functions-app-dotnet.yml
index bf1169b..99ad945 100644
--- a/deployments/azure-functions-app-dotnet.yml
+++ b/deployments/azure-functions-app-dotnet.yml
@@ -42,7 +42,7 @@ jobs:
 # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
 - name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment
- uses: actions/setup-dotnet@v3
+ uses: actions/setup-dotnet@v4
 with:
 dotnet-version: ${{ env.DOTNET_VERSION }}
diff --git a/deployments/azure-functions-app-java-gradle.yml b/deployments/azure-functions-app-java-gradle.yml
index 131e287..87d9ec0 100644
--- a/deployments/azure-functions-app-java-gradle.yml
+++ b/deployments/azure-functions-app-java-gradle.yml
@@ -28,6 +28,7 @@ permissions:
 env:
 AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
 BUILD_GRADLE_DIRECTORY: '.' # set this to the directory which contains build.gradle file
+ DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft')
 JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17')
 jobs:
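Review bot: The comment on the new `DISTRIBUTION: 'zulu'` line in azure-functions-app-java-gradle.yml was copied from the JAVA_VERSION line below it and still says "set this to the java version to use", which is wrong for a variable whose example values are vendor distributions. Replace it with `DISTRIBUTION: 'zulu' # set this to the java distribution to use (e.g. 'zulu', 'temurin', 'microsoft')`. The identical copy-paste is in the azure-functions-app-java.yml env hunk at L55.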
@@ -47,8 +48,9 @@ jobs:
 # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
 - name: Setup Java Sdk ${{ env.JAVA_VERSION }}
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v4
 with:
+ distribution: ${{ env.DISTRIBUTION }}
 java-version: ${{ env.JAVA_VERSION }}
 # Build function project with functions gradle plugin
diff --git a/deployments/azure-functions-app-java.yml b/deployments/azure-functions-app-java.yml
index e7b78c0..c487aff 100644
--- a/deployments/azure-functions-app-java.yml
+++ b/deployments/azure-functions-app-java.yml
@@ -25,6 +25,7 @@ on:
 env:
 AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
 POM_XML_DIRECTORY: '.' # set this to the directory which contains pom.xml file
+ DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft')
 JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17')
 jobs:
@@ -42,8 +43,9 @@ jobs:
 # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
 - name: Setup Java Sdk ${{ env.JAVA_VERSION }}
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v4
 with:
+ distribution: ${{ env.DISTRIBUTION }}
 java-version: ${{ env.JAVA_VERSION }}
 - name: 'Restore Project Dependencies Using Mvn'
diff --git a/deployments/azure-functions-app-nodejs.yml b/deployments/azure-functions-app-nodejs.yml
index 6c2e45c..69d3d27 100644
--- a/deployments/azure-functions-app-nodejs.yml
+++ b/deployments/azure-functions-app-nodejs.yml
@@ -27,7 +27,7 @@ on:
 env:
 AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
 AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root
- NODE_VERSION: '16.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x')
+ NODE_VERSION: '20.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x')
 jobs:
 build-and-deploy:
@@ -44,7 +44,7 @@ jobs:
 # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
 - name: Setup Node ${{ env.NODE_VERSION }} Environment
- uses: actions/setup-node@v3
+ uses: actions/setup-node@v4
 with:
 node-version: ${{ env.NODE_VERSION }}
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml
index b4bfafb..72eab26 100644
--- a/deployments/azure-webapps-dotnet-core.yml
+++ b/deployments/azure-webapps-dotnet-core.yml
@@ -40,7 +40,7 @@ jobs:
 - uses: actions/checkout@v4
 - name: Set up .NET Core
- uses: actions/setup-dotnet@v2
+ uses: actions/setup-dotnet@v4
 with:
 dotnet-version: ${{ env.DOTNET_VERSION }}
@@ -59,7 +59,7 @@ jobs:
 run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp
 - name: Upload artifact for deployment job
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: .net-app
 path: ${{env.DOTNET_ROOT}}/myapp
@@ -75,7 +75,7 @@ jobs:
 steps:
 - name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
 with:
 name: .net-app
diff --git a/deployments/azure-webapps-java-jar-gradle.yml b/deployments/azure-webapps-java-jar-gradle.yml
index 63a45cc..9957493 100644
--- a/deployments/azure-webapps-java-jar-gradle.yml
+++ b/deployments/azure-webapps-java-jar-gradle.yml
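Review bot: The NODE_VERSION bump in the azure-functions-app-nodejs.yml env hunk keeps the comment's example list at `(e.g. '8.x', '10.x', '12.x')`, all of which are end-of-life releases that the now-required setup-node@v4 step may not even provision on current runners, so the examples steer users toward versions that are both unsupported and no longer receiving security fixes. Update the examples alongside the default: `NODE_VERSION: '20.x' # set this to the node version to use (e.g. '18.x', '20.x', '22.x')`. The azure-webapps-node.yml hunk at L58 has no example list, so only this file needs the change.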
@@ -40,7 +40,7 @@ jobs:
 - uses: actions/checkout@v4
 - name: Set up Java version
- uses: actions/setup-java@v3.0.0
+ uses: actions/setup-java@v4
 with:
 java-version: ${{ env.JAVA_VERSION }}
 distribution: ${{ env.DISTRIBUTION }}
@@ -50,7 +50,7 @@ jobs:
 run: gradle build
 - name: Upload artifact for deployment job
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: java-app
 path: '${{ github.workspace }}/build/libs/*.jar'
@@ -66,7 +66,7 @@ jobs:
 steps:
 - name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
 with:
 name: java-app
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml
index 608fb8e..14580c6 100644
--- a/deployments/azure-webapps-java-jar.yml
+++ b/deployments/azure-webapps-java-jar.yml
@@ -40,7 +40,7 @@ jobs:
 - uses: actions/checkout@v4
 - name: Set up Java version
- uses: actions/setup-java@v3.0.0
+ uses: actions/setup-java@v4
 with:
 java-version: ${{ env.JAVA_VERSION }}
 distribution: ${{ env.DISTRIBUTION }}
@@ -50,7 +50,7 @@ jobs:
 run: mvn clean install
 - name: Upload artifact for deployment job
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: java-app
 path: '${{ github.workspace }}/target/*.jar'
@@ -66,7 +66,7 @@ jobs:
 steps:
 - name: Download artifact from build job
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
 with:
 name: java-app
diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml
index 147d4e6..408c99e 100644
--- a/deployments/azure-webapps-node.yml
+++ b/deployments/azure-webapps-node.yml
@@ -25,7 +25,7 @@ on: env: AZURE_WEBAPP_NAME: your-app-name # set this to your application's name AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '14.x' # set this to the node version to use + NODE_VERSION: '20.x' # set this to the node version to use permissions: contents: read @@ -37,7 +37,7 @@ jobs: - uses: actions/checkout@v4 - name: Set up Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' @@ -49,7 +49,7 @@ jobs: npm run test --if-present - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: node-app path: . @@ -65,7 +65,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: node-app diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 1182c2a..3391c83 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -70,7 +70,7 @@ jobs: run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: php-app path: . @@ -86,7 +86,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: php-app diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 656f95c..e4868c4 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -55,7 +55,7 @@ jobs: # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: python-app path: | 
@@ -73,7 +73,7 @@ jobs: steps: - name: Download artifact from build job - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: python-app path: . diff --git a/deployments/google-cloudrun-docker.yml b/deployments/google-cloudrun-docker.yml index bd748f8..70af95e 100644 --- a/deployments/google-cloudrun-docker.yml +++ b/deployments/google-cloudrun-docker.yml 
@@ -1,113 +1,95 @@ -# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch -# -# Overview: -# -# 1. Authenticate to Google Cloud -# 2. Authenticate Docker to Artifact Registry -# 3. Build a docker container -# 4. Publish it to Google Artifact Registry -# 5. Deploy it to Cloud Run +# This workflow build and push a Docker container to Google Artifact Registry +# and deploy it on Cloud Run when a commit is pushed to the $default-branch +# branch. # # To configure this workflow: # -# 1. Ensure the required Google Cloud APIs are enabled: +# 1. Enable the following Google Cloud APIs: # -# Cloud Run run.googleapis.com -# Artifact Registry artifactregistry.googleapis.com +# - Artifact Registry (artifactregistry.googleapis.com) +# - Cloud Run (run.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) # -# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. # -# 3. Ensure the required IAM permissions are granted +# 2. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. 
# -# Cloud Run -# roles/run.admin -# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: # -# Artifact Registry -# roles/artifactregistry.admin (project or repository level) +# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Cloud Run Developer (roles/run.developer) # -# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources # -# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT -# -# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below). -# -# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io -# -# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run -# -# Further reading: -# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying -# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles -# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege +# 3. Change the values in the "env" block to match your values. 
-name: Build and Deploy to Cloud Run +name: 'Build and Deploy to Cloud Run' on: push: - branches: [ $default-branch ] + branches: + - '$default-branch' env: - PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id - GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location - SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name - REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + REGION: 'us-central1' # TODO: update to your region + SERVICE: 'my-service' # TODO: update to your service name + WORKLOAD_IDENTITY_PROVIDER: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: update to your workload identity provider jobs: deploy: - # Add 'id-token' with the intended permissions for workload identity federation + runs-on: 'ubuntu-latest' + permissions: contents: 'read' id-token: 'write' - runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 - - name: Google Auth - id: auth - uses: 'google-github-actions/auth@v0' + # Configure Workload Identity Federation and generate an access token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 with: - token_format: 'access_token' - workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider - service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. 
- my-service-account@my-project.iam.gserviceaccount.com + workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}' - # NOTE: Alternative option - authentication via credentials json - # - name: Google Auth - # id: auth - # uses: 'google-github-actions/auth@v0' - # with: - # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'' - - # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted) - - # Authenticate Docker to Google Cloud Artifact Registry - - name: Docker Auth - id: docker-auth - uses: 'docker/login-action@v1' + # BEGIN - Docker auth and build + # + # If you already have a container image, you can omit these steps. + - name: 'Docker Auth' + uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3 with: username: 'oauth2accesstoken' - password: '${{ steps.auth.outputs.access_token }}' - registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' + password: '${{ steps.auth.outputs.auth_token }}' + registry: '${{ env.REGION }}-docker.pkg.dev' - - name: Build and Push Container + - name: 'Build and Push Container' run: |- - docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./ - docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" + DOCKER_TAG="$${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" + docker build --tag "${DOCKER_TAG}" . 
+ docker push "${DOCKER_TAG}" + - name: 'Deploy to Cloud Run' - # END - Docker auth and build + # END - Docker auth and build - - name: Deploy to Cloud Run - id: deploy - uses: google-github-actions/deploy-cloudrun@v0 + uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2 with: - service: ${{ env.SERVICE }} - region: ${{ env.REGION }} - # NOTE: If using a pre-built image, update the image name here - image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} + service: '${{ env.SERVICE }}' + region: '${{ env.REGION }}' + # NOTE: If using a pre-built image, update the image name below: - # If required, use the Cloud Run url output in later steps - - name: Show Output - run: echo ${{ steps.deploy.outputs.url }} + image: '${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}' + # If required, use the Cloud Run URL output in later steps + - name: 'Show output' + run: |2- + + echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/google-cloudrun-source.yml b/deployments/google-cloudrun-source.yml index e6fcb52..6a9a551 100644 --- a/deployments/google-cloudrun-source.yml +++ b/deployments/google-cloudrun-source.yml 
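Review bot: The rewritten `Deploy to Cloud Run` step dropped `id: deploy`, but the final `Show output` step still reads `${{ steps.deploy.outputs.url }}`, which now evaluates to an empty string; add `id: 'deploy'` back on that step (the `# END - Docker auth and build` comment has also landed between its `name:` and `uses:`, which parses but reads as if the step were split in two). In `Build and Push Container`, `DOCKER_TAG="$${{ env.REGION }}-docker.pkg.dev/..."` has a stray leading `$`: the shell sees `$us-central1-docker.pkg.dev/...`, expands the undefined `$us` to nothing, and the tag becomes `-central1-docker.pkg.dev/...`, which Docker rejects as an invalid reference — drop the extra `$` so the line reads `DOCKER_TAG="${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"`. Since the run blocks interpolate workflow expressions straight into shell, the same applies to `echo ${{ steps.deploy.outputs.url }}`; for a template people copy verbatim, the safer habit is to pass the value via `env: { URL: '${{ steps.deploy.outputs.url }}' }` and `echo "$URL"`. The `run: |2-` header followed by a blank first content line is an odd scalar form; `run: |-` with the echo on the next line, as the source-deploy sibling does, is clearer.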
@@ -1,95 +1,75 @@ -# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch -# -# Overview: -# -# 1. Authenticate to Google Cloud -# 2. Deploy it to Cloud Run +# This workflow will deploy source code on Cloud Run when a commit is pushed to +# the $default-branch branch. # # To configure this workflow: # -# 1. Ensure the required Google Cloud APIs are enabled: +# 1. Enable the following Google Cloud APIs: # -# Cloud Run run.googleapis.com -# Cloud Build cloudbuild.googleapis.com -# Artifact Registry artifactregistry.googleapis.com +# - Artifact Registry (artifactregistry.googleapis.com) +# - Cloud Build (cloudbuild.googleapis.com) +# - Cloud Run (run.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) # -# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. # -# 3. Ensure the required IAM permissions are granted +# 2. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. # -# Cloud Run -# roles/run.admin -# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: # -# Cloud Build -# roles/cloudbuild.builds.editor +# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Cloud Run Source Developer (roles/run.sourceDeveloper) # -# Cloud Storage -# roles/storage.objectAdmin +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources. 
# -# Artifact Registry -# roles/artifactregistry.admin (project or repository level) -# -# NOTE: You should always follow the principle of least privilege when assigning IAM roles -# -# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT -# -# 5. Change the values for the SERVICE and REGION environment variables (below). -# -# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run -# -# Further reading: -# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity -# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy -# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege +# 3. Change the values in the "env" block to match your values. 
-name: Deploy to Cloud Run from Source +name: 'Deploy to Cloud Run from Source' on: push: - branches: [ $default-branch ] + branches: + - '$default-branch' env: - PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id - SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name - REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + REGION: 'us-central1' # TODO: update to your region + SERVICE: 'my-service' # TODO: update to your service name jobs: deploy: - # Add 'id-token' with the intended permissions for workload identity federation + runs-on: 'ubuntu-latest' + permissions: contents: 'read' id-token: 'write' - runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 - - name: Google Auth - id: auth - uses: 'google-github-actions/auth@v0' + # Configure Workload Identity Federation and generate an access token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 with: - workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider - service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. 
- my-service-account@my-project.iam.gserviceaccount.com + workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: replace with your workload identity provider - # NOTE: Alternative option - authentication via credentials json - # - name: Google Auth - # id: auth - # uses: 'google-github-actions/auth@v0' - # with: - # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' - - - name: Deploy to Cloud Run - id: deploy - uses: google-github-actions/deploy-cloudrun@v0 + - name: 'Deploy to Cloud Run' + uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2 with: - service: ${{ env.SERVICE }} - region: ${{ env.REGION }} - # NOTE: If required, update to the appropriate source folder - source: ./ + service: '${{ env.SERVICE }}' + region: '${{ env.REGION }}' + # NOTE: If using a different source folder, update the image name below: + source: './' - # If required, use the Cloud Run url output in later steps - - name: Show Output - run: echo ${{ steps.deploy.outputs.url }} + # If required, use the Cloud Run URL output in later steps + - name: 'Show output' + run: |- + echo ${{ steps.deploy.outputs.url }} diff --git a/deployments/google.yml b/deployments/google.yml index deb9877..4be4dc4 100644 --- a/deployments/google.yml +++ b/deployments/google.yml 
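Review bot: Same omission as in the Docker sibling: the new `Deploy to Cloud Run` step has no `id: 'deploy'`, so `${{ steps.deploy.outputs.url }}` in `Show output` resolves to empty; add the id back. The comment on the `source:` field, `# NOTE: If using a different source folder, update the image name below:`, was carried over from the image-based template — there is no image here; `# NOTE: If your code lives in a subdirectory, point 'source' at it` says what the field actually does. The workload identity provider is hard-coded inline in the auth step's `with:` here, whereas the Docker and GKE templates keep it in `env.WORKLOAD_IDENTITY_PROVIDER` next to the other TODO values; aligning the three keeps every user-edited value in one place. As in the sibling, `echo ${{ steps.deploy.outputs.url }}` interpolates a step output directly into shell; prefer passing it through `env:` and quoting `"$URL"`.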
@@ -1,91 +1,116 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch. +# This workflow will build a docker container, publish it to Google Container +# Registry, and deploy it to GKE when there is a push to the $default-branch +# branch. # # To configure this workflow: # -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# 1. Enable the following Google Cloud APIs: # -# 2. Create and configure a Workload Identity Provider for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# - Artifact Registry (artifactregistry.googleapis.com) +# - Google Kubernetes Engine (container.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) # -# 3. Change the values for the GAR_LOCATION, GKE_ZONE, GKE_CLUSTER, IMAGE, REPOSITORY and DEPLOYMENT_NAME environment variables (below). +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. # -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke-kustomize +# 2. Ensure that your repository contains the necessary configuration for your +# Google Kubernetes Engine cluster, including deployment.yml, +# kustomization.yml, service.yml, etc. +# +# 3. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. 
+# +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: +# +# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Kubernetes Engine Developer (roles/container.developer) +# +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources +# +# 5. Change the values in the "env" block to match your values. -name: Build and Deploy to GKE +name: 'Build and Deploy to GKE' on: push: - branches: [ $default-branch ] + branches: + - '$default-branch' env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GAR_LOCATION: us-central1 # TODO: update region of the Artifact Registry - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - REPOSITORY: samples # TODO: update to Artifact Registry docker repository - IMAGE: static-site + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + GAR_LOCATION: 'us-central1' # TODO: update to your region + GKE_CLUSTER: 'cluster-1' # TODO: update to your cluster name + GKE_ZONE: 'us-central1-c' # TODO: update to your cluster zone + DEPLOYMENT_NAME: 'gke-test' # TODO: update to your deployment name + REPOSITORY: 'samples' # TODO: update to your Artifact Registry docker repository name + IMAGE: 'static-site' + WORKLOAD_IDENTITY_PROVIDER: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: update to your workload identity provider jobs: setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production + name: 'Setup, Build, Publish, and Deploy' + runs-on: 'ubuntu-latest' + environment: 'production' permissions: contents: 'read' id-token: 'write' steps: - - name: Checkout - uses: actions/checkout@v4 + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' 
# actions/checkout@v4 - # Configure Workload Identity Federation and generate an access token. - - id: 'auth' - name: 'Authenticate to Google Cloud' - uses: 'google-github-actions/auth@v0' - with: - token_format: 'access_token' - workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' - service_account: 'my-service-account@my-project.iam.gserviceaccount.com' + # Configure Workload Identity Federation and generate an access token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 + with: + workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}' - # Alternative option - authentication via credentials json - # - id: 'auth' - # uses: 'google-github-actions/auth@v0' - # with: - # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + # Authenticate Docker to Google Cloud Artifact Registry + - name: 'Docker Auth' + uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3 + with: + username: 'oauth2accesstoken' + password: '${{ steps.auth.outputs.auth_token }}' + registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' - - name: Docker configuration - run: |- - echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev - # Get the GKE credentials so we can deploy to the cluster - - name: Set up GKE credentials - uses: google-github-actions/get-gke-credentials@v0 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} + # Get the GKE credentials so we can deploy to the cluster + - name: 'Set up GKE credentials' + uses: 'google-github-actions/get-gke-credentials@6051de21ad50fbb1767bc93c11357a49082ad116' # 
google-github-actions/get-gke-credentials@v2 + with: + cluster_name: '${{ env.GKE_CLUSTER }}' + location: '${{ env.GKE_ZONE }}' - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - # Push the Docker image to Google Artifact Registry - - name: Publish - run: |- - docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - # replacing the image name in the k8s template - ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide + # Build the Docker image + - name: 'Build and push Docker container' + run: |- + DOCKER_TAG="${GAR_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${REPOSITORY}/${IMAGE}:${GITHUB_SHA}" + + docker build \ + --tag "${DOCKER_TAG}" \ + --build-arg GITHUB_SHA="${GITHUB_SHA}" \ + --build-arg GITHUB_REF="${GITHUB_REF}" \ + . 
+ + docker push "${DOCKER_TAG}" + + # Set up kustomize + - name: 'Set up Kustomize' + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.4.3/kustomize_v5.4.3_linux_amd64.tar.gz + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: 'Deploy to GKE' + run: |- + # replacing the image name in the k8s template + ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide diff --git a/deployments/octopusdeploy.yml b/deployments/octopusdeploy.yml new file mode 100644 index 0000000..686ebd5 --- /dev/null +++ b/deployments/octopusdeploy.yml 
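Review bot: The new `Set up Kustomize` step fetches the v5.4.3 release as `kustomize_v5.4.3_linux_amd64.tar.gz` but writes it to `./kustomize` and `chmod`s it without extracting, so the later `./kustomize edit set image` tries to execute a gzip archive and the deploy job fails; the old v3.1.0 URL pointed at a raw binary, while the v5 releases ship tarballs. The download is also unverified — a template that pulls, over the network, the tool whose output is piped into `kubectl apply` against the cluster should pin and check the release's published SHA-256 (kustomize publishes a `checksums.txt` per release); I have not looked up the digest, so the value in the sketch below is a placeholder to fill from that file, not one to copy. Sketch of the step with extraction and a checksum gate follows. Separately, the header comment numbers the setup steps 1, 2, 3, 5 — the `5.` should read `4.`.

```yaml
      # Set up kustomize
      - name: 'Set up Kustomize'
        run: |-
          KUSTOMIZE_VERSION='v5.4.3'
          KUSTOMIZE_SHA256='<sha256 from the release checksums.txt>'  # TODO: fill in from the release; do not ship the placeholder
          curl -sfLo kustomize.tar.gz "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz"
          echo "${KUSTOMIZE_SHA256}  kustomize.tar.gz" | sha256sum --check -
          tar -xzf kustomize.tar.gz kustomize
          chmod u+x ./kustomize
      # … unchanged: Deploy to GKE step …
```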
@@ -0,0 +1,112 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by separate terms of service, +# privacy policy, and support documentation. +# +# This workflow will build and publish a Docker container which is then deployed through Octopus Deploy. +# +# The build job in this workflow currently assumes that there is a Dockerfile that generates the relevant application image. +# If required, this job can be modified to generate whatever alternative build artifact is required for your deployment. +# +# This workflow assumes you have already created a Project in Octopus Deploy. +# For instructions see https://octopus.com/docs/projects/setting-up-projects +# +# To configure this workflow: +# +# 1. Decide where you are going to host your image. +# This template uses the GitHub Registry for simplicity but if required you can update the relevant DOCKER_REGISTRY variables below. +# +# 2. Create and configure an OIDC credential for a service account in Octopus. +# This allows for passwordless authentication to your Octopus instance through a trust relationship configured between Octopus, GitHub and your GitHub Repository. +# https://octopus.com/docs/octopus-rest-api/openid-connect/github-actions +# +# 3. 
Configure your Octopus project details below: +# OCTOPUS_URL: update to your Octopus Instance Url +# OCTOPUS_SERVICE_ACCOUNT: update to your service account Id +# OCTOPUS_SPACE: update to the name of the space your project is configured in +# OCTOPUS_PROJECT: update to the name of your Octopus project +# OCTOPUS_ENVIRONMENT: update to the name of the environment to recieve the first deployment + + +name: 'Build and Deploy to Octopus Deploy' + +on: + push: + branches: + - '$default-branch' + +jobs: + build: + name: Build + runs-on: ubuntu-latest + permissions: + packages: write + contents: read + env: + DOCKER_REGISTRY: ghcr.io # TODO: Update to your docker registry uri + DOCKER_REGISTRY_USERNAME: ${{ github.actor }} # TODO: Update to your docker registry username + DOCKER_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} # TODO: Update to your docker registry password + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + - name: Log in to the Container registry + uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 + with: + registry: ${{ env.DOCKER_REGISTRY }} + username: ${{ env.DOCKER_REGISTRY_USERNAME }} + password: ${{ env.DOCKER_REGISTRY_PASSWORD }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + with: + images: ${{ env.DOCKER_REGISTRY }}/${{ github.repository }} + tags: type=semver,pattern={{version}},value=v1.0.0-{{sha}} + + - name: Build and push Docker image + id: push + uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 + with: + context: . 
+ push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + deploy: + name: Deploy + permissions: + id-token: write + runs-on: ubuntu-latest + needs: [ build ] + env: + OCTOPUS_URL: 'https://your-octopus-url' # TODO: update to your Octopus Instance url + OCTOPUS_SERVICE_ACCOUNT: 'your-service-account-id' # TODO: update to your service account Id + OCTOPUS_SPACE: 'your-space' # TODO: update to the name of the space your project is configured in + OCTOPUS_PROJECT: 'your-project' # TODO: update to the name of your Octopus project + OCTOPUS_ENVIRONMENT: 'your-environment' # TODO: update to the name of the environment to recieve the first deployment + + steps: + - name: Log in to Octopus Deploy + uses: OctopusDeploy/login@34b6dcc1e86fa373c14e6a28c5507d221e4de629 #v1.0.2 + with: + server: '${{ env.OCTOPUS_URL }}' + service_account_id: '${{ env.OCTOPUS_SERVICE_ACCOUNT }}' + + - name: Create Release + id: create_release + uses: OctopusDeploy/create-release-action@fea7e7b45c38c021b6bc5a14bd7eaa2ed5269214 #v3.2.2 + with: + project: '${{ env.OCTOPUS_PROJECT }}' + space: '${{ env.OCTOPUS_SPACE }}' + packages: '*:${{ needs.build.outputs.image_tag }}' + + - name: Deploy Release + uses: OctopusDeploy/deploy-release-action@b10a606c903b0a5bce24102af9d066638ab429ac #v3.2.1 + with: + project: '${{ env.OCTOPUS_PROJECT }}' + space: '${{ env.OCTOPUS_SPACE }}' + release_number: '${{ steps.create_release.outputs.release_number }}' + environments: ${{ env.OCTOPUS_ENVIRONMENT }} diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 1c3fc43..eed3934 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml 
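Review bot: `DOCKER_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}` is declared in the job-level `env:` of `build`, which exports the token as an environment variable to every step in the job — the third-party `setup-buildx`, `metadata` and `build-push` actions and any `run:` step a user adds later — rather than only to the login step that needs it. Pass it straight to that step instead, `password: ${{ secrets.GITHUB_TOKEN }}` under the `docker/login-action` `with:`, and drop the env entry (registry and username can stay in `env`). The pinned SHAs for `docker/login-action`, `docker/metadata-action` and `docker/build-push-action` carry no `# vX.Y.Z` comment, unlike the buildx and Octopus pins in the same file; add them so each pin can be audited against a release, and note `actions/checkout@v4` is the one action left unpinned in a file that otherwise pins by SHA. Also `recieve` → `receive` in both `OCTOPUS_ENVIRONMENT` comments.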
@@ -67,17 +67,17 @@ jobs: # TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab. # For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows - crda-scan: - uses: ./.github/workflows/crda.yml - secrets: - CRDA_KEY: ${{ secrets.CRDA_KEY }} - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY + #crda-scan: + # uses: ./.github/workflows/crda.yml + # secrets: + # CRDA_KEY: ${{ secrets.CRDA_KEY }} + # # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY openshift-ci-cd: # 🖊️ Uncomment this if you are using CRDA scan step above # needs: crda-scan name: Build and deploy to OpenShift - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest environment: production outputs: diff --git a/deployments/properties/octopusdeploy.properties.json b/deployments/properties/octopusdeploy.properties.json new file mode 100644 index 0000000..3743ea7 --- /dev/null +++ b/deployments/properties/octopusdeploy.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Build and Deploy with Octopus Deploy", + "description": "Build a docker container, create a release in Octopus Deploy and deploy it to your environment.", + "creator": "Octopus Deploy", + "iconName": "octopusdeploy", + "categories": ["Deployment", "Containers", "Dockerfile"] +} diff --git a/icons/appknox.svg b/icons/appknox.svg new file mode 100644 index 0000000..36148e7 --- /dev/null +++ b/icons/appknox.svg @@ -0,0 +1,10 @@ + + + + + + + + + + diff --git a/icons/black-duck.svg b/icons/black-duck.svg new file mode 100644 index 0000000..2afce62 --- /dev/null +++ b/icons/black-duck.svg 
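Review bot: Commenting out the `crda-scan` job switches the dependency-vulnerability gate off by default for everyone who copies this starter, while the `# TODO: Make sure to add 'CRDA Scan' starter workflow` comment above it still reads as if the job were live and the `# needs: crda-scan` hint further down is now the only thing referring to it. If disabling by default is intentional (the reusable workflow will not exist in a fresh repository, which is the likely motive), say so where the job is commented out: `# The crda-scan job is disabled until you add the 'CRDA Scan' starter workflow; uncomment it and the 'needs: crda-scan' line below to gate deploys on the scan.` The rest of the `openshift-ci-cd` job continues outside the hunk.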
@@ -0,0 +1,219 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/debricked.svg b/icons/debricked.svg new file mode 100644 index 0000000..cb8a3d5 --- /dev/null +++ b/icons/debricked.svg @@ -0,0 +1,3 @@ + + + diff --git a/icons/fortify.svg b/icons/fortify.svg index 45a0d77..7033960 100644 --- a/icons/fortify.svg +++ b/icons/fortify.svg @@ -1 +1,29 @@ - \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/octopusdeploy.svg b/icons/octopusdeploy.svg new file mode 100644 index 0000000..28545cc --- /dev/null +++ b/icons/octopusdeploy.svg @@ -0,0 +1,11 @@ + + + + + diff --git a/pages/hugo.yml b/pages/hugo.yml index 141ad91..b4f316a 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -31,7 +31,7 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.124.1 + HUGO_VERSION: 0.128.0 steps: - name: Install Hugo CLI run: | @@ -50,9 +50,8 @@ jobs: run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true" - name: Build with Hugo env: - # For maximum backward compatibility with Hugo modules + HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache HUGO_ENVIRONMENT: production - HUGO_ENV: production run: | hugo \ --minify \ diff --git a/pages/jekyll.yml b/pages/jekyll.yml index f07bc39..4dd1c20 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml 
@@ -34,7 +34,8 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Setup Ruby - uses: ruby/setup-ruby@8575951200e472d5f2d95c625da0c7bec8217c42 # v1.161.0 + # https://github.com/ruby/setup-ruby/releases/tag/v1.207.0 + uses: ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4 with: ruby-version: '3.1' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index f53d220..99c746b 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -156,13 +156,22 @@ async function checkWorkflow( await exec("git", ["checkout", "ghes"]); // In order to sync from main, we might need to remove some workflows, add some - // and modify others. The lazy approach is to delete all workflows first, and then + // and modify others. The lazy approach is to delete all workflows first (except from read-only folders), and then // just bring the compatible ones over from the main branch. We let git figure out // whether it's a deletion, add, or modify and commit the new state. console.log("Remove all workflows"); await exec("rm", ["-fr", ...settings.folders]); await exec("rm", ["-fr", "../../icons"]); + // Bring back the read-only folders + console.log("Restore read-only folders"); + for (let i = 0; i < settings.readOnlyFolders.length; i++) { + await exec("git", [ + "checkout", + settings.readOnlyFolders[i] + ]); + } + console.log("Sync changes from main for compatible workflows"); await exec("git", [ "checkout", 
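Review bot: The trailing `# v1.161.0` comment on the `uses: ruby/setup-ruby@…` line was replaced by a release URL on the line above; the trailing `# vX.Y.Z` form next to a commit SHA is what readers and dependency-update tooling use to match the pin to a release, so keep it on the same line: `uses: ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4 # v1.207.0`. The correspondence between that SHA and the v1.207.0 tag cannot be checked from the diff itself and rests entirely on the comment, so it is worth confirming once against the release page before merging. The `steps:` list this hunk edits continues outside the hunk.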
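Review bot: `await exec("git", ["checkout", settings.readOnlyFolders[i]])` passes the folder without the `--` separator, so git must disambiguate the argument between a ref name and a path; add the separator so it is always treated as a path, `await exec("git", ["checkout", "--", folder]);`, and iterate with `for (const folder of settings.readOnlyFolders)` instead of the index loop. A comment such as `// Undo the rm -fr above for folders the sync must never modify` would make the intent of the restore step clearer than the current `// Bring back the read-only folders`. If an older settings.json may lack `readOnlyFolders`, the `.length` access throws; `for (const folder of settings.readOnlyFolders || [])` would tolerate that, assuming settings is plain parsed JSON. The `checkWorkflow` function continues outside the hunk.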
@@ -171,10 +180,13 @@ async function checkWorkflow( ...Array.prototype.concat.apply( [], result.compatibleWorkflows.map((x) => { - const r = [ - join(x.folder, `${x.id}.yml`), - join(x.folder, "properties", `${x.id}.properties.json`), - ]; + const r = []; + + // Don't touch read-only folders + if (!settings.readOnlyFolders.includes(x.folder)) { + r.push(join(x.folder, `${x.id}.yml`)); + r.push(join(x.folder, "properties", `${x.id}.properties.json`)); + }; if (x.iconType === "svg") { r.push(join("../../icons", `${x.iconName}.svg`)); @@ -184,6 +196,27 @@ async function checkWorkflow( }) ), ]); + + // The v4 versions of upload and download artifact are not yet supported on GHES + console.group("Updating all compatible workflows to use v3 of the artifact actions"); + for (const workflow of result.compatibleWorkflows) { + const path = join(workflow.folder, `${workflow.id}.yml`); + console.log(`Updating ${path}`); + const contents = await fs.readFile(path, "utf8"); + + if (contents.includes("actions/upload-artifact@v4") || contents.includes("actions/download-artifact@v4")) { + console.log("Found v4 artifact actions, updating to v3"); + } else { + continue; + } + + let updatedContents = contents.replace(/actions\/upload-artifact@v4/g, "actions/upload-artifact@v3"); + updatedContents = updatedContents.replace(/actions\/download-artifact@v4/g, "actions/download-artifact@v3"); + + await fs.writeFile(path, updatedContents); + } + console.groupEnd(); + } catch (e) { console.error("Unhandled error while syncing workflows", e); process.exitCode = 1; diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index 41d6bcd..ce18eb6 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -5,6 +5,9 @@ "../../code-scanning", "../../pages" ], + "readOnlyFolders": [ + "../../pages" + ], "enabledActions": [ "actions/cache", "actions/checkout",
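Review bot: The `};` after the `if (!settings.readOnlyFolders.includes(x.folder)) { … }` block leaves an empty statement after the closing brace; drop the semicolon. `const r = [];` is inferred as `any[]` or as an evolving array type depending on compiler options, so `const r: string[] = [];` states the element type explicitly and keeps the later `r.push(...)` calls type-checked. The enclosing `map` callback and the `concat.apply` call begin outside the hunk.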
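Review bot: The replacement regexes `/actions\/upload-artifact@v4/g` and `/actions\/download-artifact@v4/g` match as a prefix, so a reference pinned to a minor or patch tag such as `@v4.3.1` would be rewritten to `@v3.3.1`, a version that does not correspond to anything intended; add a lookahead so only a bare major pin matches, `contents.replace(/actions\/upload-artifact@v4(?![.\d])/g, "actions/upload-artifact@v3")`, and likewise for download, and make the `includes(...)` pre-check use the same patterns. The loop also iterates every entry of `result.compatibleWorkflows`, including those whose folder is in `settings.readOnlyFolders`, and writes the file back with `fs.writeFile`, so it can modify workflows the earlier `// Don't touch read-only folders` guard deliberately skipped; `if (settings.readOnlyFolders.includes(workflow.folder)) continue;` at the top of the loop body closes that, unless those entries are filtered before this point. The `if (...) { log } else { continue; }` shape reads more simply as one negated guard that continues. The try block this code sits in begins outside the hunk.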
