Merge branch 'main' into dependabot/github_actions/actions/cache-4
+2
-1
@@ -1,3 +1,4 @@
|
||||
# Add 'code-scanning' label to any changes within 'code-scanning' folder or any subfolders
|
||||
code-scanning:
|
||||
- code-scanning/**/*
|
||||
- changed-files:
|
||||
- any-glob-to-any-file: code-scanning/**/*
|
||||
|
||||
@@ -5,12 +5,12 @@ permissions:
|
||||
pull-requests: write
|
||||
|
||||
on:
|
||||
- pull_request_target
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
triage:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/labeler@v4
|
||||
- uses: actions/labeler@v5
|
||||
with:
|
||||
repo-token: "${{ secrets.GITHUB_TOKEN }}"
|
||||
@@ -1,8 +1,9 @@
|
||||
name: Mark stale issues and pull requests
|
||||
|
||||
on:
|
||||
schedule:
|
||||
- cron: "21 4 * * *"
|
||||
workflow_dispatch:
|
||||
# schedule:
|
||||
# - cron: "21 4 * * *"
|
||||
|
||||
jobs:
|
||||
stale:
|
||||
|
||||
@@ -15,9 +15,9 @@ jobs:
|
||||
git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
|
||||
git config user.email "cschleiden@github.com"
|
||||
git config user.name "GitHub Actions"
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: '16'
|
||||
node-version: '20'
|
||||
cache: 'npm'
|
||||
cache-dependency-path: script/sync-ghes/package-lock.json
|
||||
- name: Check starter workflows for GHES compat
|
||||
|
||||
@@ -12,9 +12,9 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: '16'
|
||||
node-version: '20'
|
||||
cache: 'npm'
|
||||
cache-dependency-path: script/validate-data/package-lock.json
|
||||
|
||||
|
||||
+1
-1
@@ -14,7 +14,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
|
||||
@@ -24,12 +24,12 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
# Run Synthetic tests within your GitHub workflow.
|
||||
# For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
|
||||
- name: Run Datadog Synthetic tests
|
||||
uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e
|
||||
uses: DataDog/synthetics-ci-github-action@87b505388a22005bb8013481e3f73a367b9a53eb # v1.4.0
|
||||
with:
|
||||
api_key: ${{secrets.DD_API_KEY}}
|
||||
app_key: ${{secrets.DD_APP_KEY}}
|
||||
|
||||
@@ -41,9 +41,9 @@ jobs:
|
||||
# https://github.com/sigstore/cosign-installer
|
||||
- name: Install cosign
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
|
||||
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
|
||||
with:
|
||||
cosign-release: 'v2.1.1'
|
||||
cosign-release: 'v2.2.4'
|
||||
|
||||
# Set up BuildKit Docker container builder to be able to build
|
||||
# multi-platform images and export cache
|
||||
|
||||
@@ -109,7 +109,7 @@ jobs:
|
||||
|
||||
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
|
||||
- name: Upload build artifacts
|
||||
uses: actions/upload-artifact@v3
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: MSIX Package
|
||||
path: ${{ env.Wap_Project_Directory }}\AppPackages
|
||||
|
||||
@@ -30,7 +30,7 @@ jobs:
|
||||
settings-path: ${{ github.workspace }} # location for the settings.xml file
|
||||
|
||||
- name: Setup Gradle
|
||||
uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
|
||||
uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
|
||||
|
||||
- name: Build with Gradle
|
||||
run: ./gradlew build
|
||||
|
||||
+6
-6
@@ -28,10 +28,10 @@ jobs:
|
||||
java-version: '17'
|
||||
distribution: 'temurin'
|
||||
|
||||
# Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies.
|
||||
# Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies.
|
||||
# See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md
|
||||
- name: Setup Gradle
|
||||
uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
|
||||
uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
|
||||
|
||||
- name: Build with Gradle Wrapper
|
||||
run: ./gradlew build
|
||||
@@ -40,11 +40,11 @@ jobs:
|
||||
# If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version.
|
||||
#
|
||||
# - name: Setup Gradle
|
||||
# uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
|
||||
# uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
|
||||
# with:
|
||||
# gradle-version: '8.5'
|
||||
# gradle-version: '8.9'
|
||||
#
|
||||
# - name: Build with Gradle 8.5
|
||||
# - name: Build with Gradle 8.9
|
||||
# run: gradle build
|
||||
|
||||
dependency-submission:
|
||||
@@ -64,4 +64,4 @@ jobs:
|
||||
# Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies.
|
||||
# See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md
|
||||
- name: Generate and submit dependency graph
|
||||
uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
|
||||
uses: gradle/actions/dependency-submission@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
|
||||
|
||||
@@ -18,7 +18,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
|
||||
+1
-1
@@ -22,7 +22,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 17
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '17'
|
||||
distribution: 'temurin'
|
||||
|
||||
+2
-2
@@ -16,13 +16,13 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
node-version: [18.x, 20.x, 22.x]
|
||||
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Use Node.js ${{ matrix.node-version }}
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ matrix.node-version }}
|
||||
cache: 'npm'
|
||||
|
||||
+2
-2
@@ -12,13 +12,13 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
node-version: [18.x, 20.x, 22.x]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Use Node.js ${{ matrix.node-version }}
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ matrix.node-version }}
|
||||
|
||||
|
||||
+2
-2
@@ -12,13 +12,13 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
node-version: [18.x, 20.x, 22.x]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Use Node.js ${{ matrix.node-version }}
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ matrix.node-version }}
|
||||
|
||||
|
||||
@@ -12,9 +12,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 16
|
||||
node-version: 20
|
||||
- run: npm ci
|
||||
- run: npm test
|
||||
|
||||
@@ -26,9 +26,9 @@ jobs:
|
||||
packages: write
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 16
|
||||
node-version: 20
|
||||
registry-url: $registry-url(npm)
|
||||
- run: npm ci
|
||||
- run: npm publish
|
||||
|
||||
+4
-4
@@ -12,9 +12,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 16
|
||||
node-version: 20
|
||||
- run: npm ci
|
||||
- run: npm test
|
||||
|
||||
@@ -23,9 +23,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 16
|
||||
node-version: 20
|
||||
registry-url: https://registry.npmjs.org/
|
||||
- run: npm ci
|
||||
- run: npm publish
|
||||
|
||||
+46
-15
@@ -1,4 +1,4 @@
|
||||
# This workflow will upload a Python Package using Twine when a release is created
|
||||
# This workflow will upload a Python Package to PyPI when a release is created
|
||||
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
|
||||
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
@@ -16,24 +16,55 @@ permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
deploy:
|
||||
|
||||
release-build:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v3
|
||||
|
||||
- uses: actions/setup-python@v5
|
||||
with:
|
||||
python-version: '3.x'
|
||||
- name: Install dependencies
|
||||
python-version: "3.x"
|
||||
|
||||
- name: Build release distributions
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install build
|
||||
- name: Build package
|
||||
run: python -m build
|
||||
- name: Publish package
|
||||
uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
|
||||
# NOTE: put your own distribution build steps here.
|
||||
python -m pip install build
|
||||
python -m build
|
||||
|
||||
- name: Upload distributions
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
user: __token__
|
||||
password: ${{ secrets.PYPI_API_TOKEN }}
|
||||
name: release-dists
|
||||
path: dist/
|
||||
|
||||
pypi-publish:
|
||||
runs-on: ubuntu-latest
|
||||
needs:
|
||||
- release-build
|
||||
permissions:
|
||||
# IMPORTANT: this permission is mandatory for trusted publishing
|
||||
id-token: write
|
||||
|
||||
# Dedicated environments with protections for publishing are strongly recommended.
|
||||
# For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules
|
||||
environment:
|
||||
name: pypi
|
||||
# OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status:
|
||||
# url: https://pypi.org/p/YOURPROJECT
|
||||
#
|
||||
# ALTERNATIVE: if your GitHub Release name is the PyPI project version string
|
||||
# ALTERNATIVE: exactly, uncomment the following line instead:
|
||||
# url: https://pypi.org/project/YOURPROJECT/${{ github.event.release.name }}
|
||||
|
||||
steps:
|
||||
- name: Retrieve release distributions
|
||||
uses: actions/download-artifact@v4
|
||||
with:
|
||||
name: release-dists
|
||||
path: dist/
|
||||
|
||||
- name: Publish release distributions to PyPI
|
||||
uses: pypa/gh-action-pypi-publish@release/v1
|
||||
with:
|
||||
packages-dir: dist/
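Review bot: `uses: pypa/gh-action-pypi-publish@release/v1` references a moving branch, so the step that runs with `id-token: write` and pushes to PyPI resolves to whatever that branch points at on each run; the cosign-installer and gradle steps elsewhere in this commit pin third-party actions to a commit SHA with a version comment, and the publish step is the one most worth the same treatment, e.g. `uses: pypa/gh-action-pypi-publish@<commit-sha> # vX.Y.Z` (placeholder values). The split into a `release-build` job covered by the top-level `contents: read` and a `pypi-publish` job that alone holds `id-token: write` behind the `pypi` environment is the right shape and should be kept. A short comment above the `uses:` line saying why the ref is pinned (or why a branch is deliberately used in a template) would help readers who copy it.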
|
||||
|
||||
+4
-2
@@ -30,7 +30,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
# Add or replace dependency steps here
|
||||
- name: Install Ruby and gems
|
||||
uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
|
||||
uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1
|
||||
with:
|
||||
bundler-cache: true
|
||||
# Add or replace database setup steps here
|
||||
@@ -46,9 +46,11 @@ jobs:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
- name: Install Ruby and gems
|
||||
uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
|
||||
uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1
|
||||
with:
|
||||
bundler-cache: true
|
||||
- name: Generate binstubs
|
||||
run: bundle binstubs bundler-audit brakeman rubocop
|
||||
# Add or replace any other lints here
|
||||
- name: Security audit dependencies
|
||||
run: bin/bundler-audit --update
|
||||
|
||||
+1
-1
@@ -22,7 +22,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
|
||||
+2
-2
@@ -12,13 +12,13 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
node-version: [14.x, 16.x, 18.x]
|
||||
node-version: [18.x, 20.x, 22.x]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Use Node.js ${{ matrix.node-version }}
|
||||
uses: actions/setup-node@v3
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: ${{ matrix.node-version }}
|
||||
|
||||
|
||||
@@ -43,6 +43,6 @@ jobs:
|
||||
fail-build: true
|
||||
severity-cutoff: critical
|
||||
- name: Upload vulnerability report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.scan.outputs.sarif }}
|
||||
|
||||
@@ -66,6 +66,6 @@ jobs:
|
||||
# The name of the sarif format result file The file is written only if this property is provided.
|
||||
sarif-result-file: "apisec-results.sarif"
|
||||
- name: Import results
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ./apisec-results.sarif
|
||||
|
||||
@@ -0,0 +1,54 @@
|
||||
# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support documentation.
|
||||
#
|
||||
# Appknox: Leader in Mobile Application Security Testing Solutions <https://www.appknox.com/>
|
||||
#
|
||||
# To use this workflow, you must be an existing Appknox customer with GitHub Advanced Security (GHAS) enabled for your
|
||||
# repository.
|
||||
#
|
||||
# If you *are not* an existing customer, click here to contact us for licensing and pricing details:
|
||||
# <https://www.appknox.com/free-trial>.
|
||||
#
|
||||
# Instructions:
|
||||
#
|
||||
# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the
|
||||
# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token
|
||||
# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings
|
||||
# and create a token labeled GitHub
|
||||
#
|
||||
# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. After the
|
||||
# action executes, check the 'Security' tab for results
|
||||
|
||||
name: Appknox
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
jobs:
|
||||
appknox:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout Code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Grant execute permission for gradlew
|
||||
run: chmod +x gradlew
|
||||
|
||||
- name: Build the app
|
||||
run: ./gradlew build # Update this to build your Android or iOS application
|
||||
|
||||
- name: Appknox GitHub action
|
||||
uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4
|
||||
with:
|
||||
appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }}
|
||||
file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here
|
||||
risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL]
|
||||
sarif: Enable
|
||||
|
||||
- name: Upload SARIF to GHAS
|
||||
if: always()
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: report.sarif
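Review bot: No `permissions:` block is declared for the `appknox` job or the workflow, yet the last step calls `github/codeql-action/upload-sarif@v3`, which needs `security-events: write`; on repositories whose default GITHUB_TOKEN is read-only that upload fails, and elsewhere the job runs with the full default token when it only needs to read contents and write code-scanning results. The Black Duck workflow added in this same commit declares its permissions explicitly; suggest adding under `appknox:` the lines `permissions:` / `contents: read` / `security-events: write` (with `actions: read` for private repositories). The `appknox/appknox-github-action@b7d2bfb…` pin also lacks the `# vX.Y.Z` comment that the other SHA-pinned actions on this page carry.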
|
||||
@@ -29,9 +29,9 @@ jobs:
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/checkout@v4
|
||||
- name: Bandit Scan
|
||||
uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
|
||||
uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd
|
||||
with: # optional arguments
|
||||
# exit with 0, even with results found
|
||||
exit_zero: true # optional, default is DEFAULT
|
||||
|
||||
@@ -38,6 +38,6 @@ jobs:
|
||||
exit-code: 0
|
||||
# Upload SARIF file generated in previous step
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -0,0 +1,54 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines.
|
||||
# For more information about configuring your workflow,
|
||||
# read our documentation at https://github.com/blackduck-inc/black-duck-security-scan
|
||||
|
||||
name: CI Black Duck security scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: write
|
||||
security-events: write
|
||||
actions: read
|
||||
|
||||
steps:
|
||||
- name: Checkout source
|
||||
uses: actions/checkout@v4
|
||||
- name: Black Duck SCA scan
|
||||
uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
|
||||
with:
|
||||
### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ----------
|
||||
blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }}
|
||||
blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }}
|
||||
|
||||
### ---------- COVERITY SCANNING: REQUIRED FIELDS ----------
|
||||
coverity_url: ${{ vars.COVERITY_URL }}
|
||||
coverity_user: ${{ secrets.COVERITY_USER }}
|
||||
coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
|
||||
|
||||
### ---------- POLARIS SCANNING: REQUIRED FIELDS ----------
|
||||
polaris_server_url: ${{ vars.POLARIS_SERVER_URL }}
|
||||
polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
|
||||
polaris_assessment_types: "SCA,SAST"
|
||||
|
||||
### ---------- SRM SCANNING: REQUIRED FIELDS ----------
|
||||
srm_url: ${{ vars.SRM_URL }}
|
||||
srm_apikey: ${{ secrets.SRM_API_KEY }}
|
||||
srm_assessment_types: "SCA,SAST"
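Review bot: The `with:` block lists credentials for four different products (Black Duck SCA, Coverity, Polaris, SRM), each headed "REQUIRED FIELDS", so a reader copying the template cannot tell that only the inputs for the product they use are needed; the unused `${{ vars.* }}` / `${{ secrets.* }}` expressions expand to empty strings when the value is not defined, and whether the action treats that as "not configured" is not stated anywhere in the file. Suggest a comment at the top of `with:` such as `### Keep only the section(s) for the product(s) you use and delete the rest` and a `# (required only when using <product>)` qualifier on each header. `pull-requests: write` is granted to the job; if it is only needed so the action can comment on pull requests, a comment saying so would justify the write scope.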
|
||||
|
||||
@@ -53,6 +53,6 @@ jobs:
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: output.sarif.json
|
||||
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One
|
||||
additional_params: --report-format sarif --output-path .
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: cx_result.sarif
|
||||
|
||||
@@ -50,6 +50,6 @@ jobs:
|
||||
params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }}
|
||||
# Upload the Report for CodeQL/Security Alerts
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: cx.sarif
|
||||
|
||||
@@ -27,7 +27,7 @@ jobs:
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Scan code
|
||||
uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
|
||||
@@ -38,7 +38,7 @@ jobs:
|
||||
fail-on-result: 'false'
|
||||
|
||||
- name: Upload analysis results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -32,7 +32,7 @@ jobs:
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Dependency scan
|
||||
uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c
|
||||
@@ -48,7 +48,7 @@ jobs:
|
||||
fail-on-result: false
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{github.workspace}}/clj-watson-results.sarif
|
||||
wait-for-processing: true
|
||||
@@ -50,7 +50,7 @@ jobs:
|
||||
cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
|
||||
# is needed to ensure the SARIF file is uploaded
|
||||
if: always()
|
||||
|
||||
@@ -56,6 +56,6 @@ jobs:
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF results file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -9,7 +9,7 @@
|
||||
# the `language` matrix defined below to confirm you have the correct set of
|
||||
# supported CodeQL languages.
|
||||
#
|
||||
name: "CodeQL"
|
||||
name: "CodeQL Advanced"
|
||||
|
||||
on:
|
||||
push:
|
||||
@@ -28,7 +28,6 @@ jobs:
|
||||
# - https://gh.io/using-larger-runners (GitHub.com only)
|
||||
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
|
||||
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
|
||||
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
|
||||
permissions:
|
||||
# required for all workflows
|
||||
security-events: write
|
||||
@@ -56,6 +55,12 @@ jobs:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Add any setup steps before running the `github/codeql-action/init` action.
|
||||
# This includes steps like installing compilers or runtimes (`actions/setup-node`
|
||||
# or others). This is typically only required for manual builds.
|
||||
# - name: Setup runtime (example)
|
||||
# uses: actions/setup-example@v1
|
||||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v3
|
||||
@@ -76,6 +81,7 @@ jobs:
|
||||
# ℹ️ Command-line programs to run using the OS shell.
|
||||
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
|
||||
- if: matrix.build-mode == 'manual'
|
||||
shell: bash
|
||||
run: |
|
||||
echo 'If you are using a "manual" build mode for one or more of the' \
|
||||
'languages you are analyzing, replace this with the commands to build' \
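Review bot: The first hunk of this file drops one line from the job header; the old/new counts say it is one of the seven lines shown, and print order suggests `timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}`, though the page does not mark which line was removed. If that is the line, swift analyses lose their 120-minute cap and every language falls back to the runner default of 360 minutes, so a hung build in `manual` build mode consumes six hours of runner time before it is cancelled. Consider keeping an explicit `timeout-minutes:` on the job, or adding a comment explaining why the default limit is acceptable here. The job definition continues outside the hunk.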
|
||||
|
||||
@@ -44,6 +44,6 @@ jobs:
|
||||
organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
|
||||
projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: codescan.sarif
|
||||
|
||||
@@ -48,6 +48,6 @@ jobs:
|
||||
authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
|
||||
#Upload the results to GitHub
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
|
||||
|
||||
@@ -77,11 +77,11 @@ jobs:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for redhat-actions/crda to upload SARIF results
|
||||
name: Scan project vulnerabilities with CRDA
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
- name: Check out repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# *******************************************************************
|
||||
# Required: Instructions to setup project
|
||||
@@ -94,9 +94,9 @@ jobs:
|
||||
#
|
||||
# Example:
|
||||
# - name: Setup Node
|
||||
# uses: actions/setup-node@v2
|
||||
# uses: actions/setup-node@v4
|
||||
# with:
|
||||
# node-version: '14'
|
||||
# node-version: '20'
|
||||
|
||||
# https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md
|
||||
- name: Install CRDA CLI
|
||||
|
||||
@@ -55,7 +55,7 @@ jobs:
|
||||
- name: credo-scan
|
||||
run: mix credo --format=sarif > credo_output.sarif
|
||||
- name: upload sarif
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: credo_output.sarif
|
||||
|
||||
@@ -42,6 +42,6 @@ jobs:
|
||||
# Setting a SARIF output will generate a file named "datree.sarif" containing your test results
|
||||
cliArguments: "-o sarif"
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: datree.sarif
|
||||
|
||||
@@ -0,0 +1,43 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
#####################################################################################################################################################################
|
||||
# Use this workflow template as a basis for integrating Debricked into your GitHub workflows. #
|
||||
# #
|
||||
# If you need additional assistance with configuration feel free to contact us via chat or email at support@debricked.com #
|
||||
# To learn more about Debricked or contact our team, visit https://debricked.com/ #
|
||||
# #
|
||||
# To run this workflow, complete the following set-up steps: #
|
||||
# #
|
||||
# 1. If you don’t have a Debricked account, create one by visiting https://debricked.com/app/en/register #
|
||||
# 2. Generate your Debricked access token, by following the steps mentioned in https://portal.debricked.com/administration-47/how-do-i-generate-an-access-token-130 #
|
||||
# 3. In GitHub, navigate to the repository #
|
||||
# 4. Click on “Settings” (If you cannot see the “Settings” tab, select the dropdown menu, then click “Settings”) #
|
||||
# 5. In the “Security” section click on “Secrets and variables”, then click “Actions” #
|
||||
# 6. In the “Secrets” tab, click on “New repository secret” #
|
||||
# 7. In the “Name” field, type the name of the secret #
|
||||
# 8. In the “Secret” field, enter the value of the secret #
|
||||
# 9. Click “Add secret” #
|
||||
# 10. You should now be ready to use the workflow! #
|
||||
#####################################################################################################################################################################
|
||||
|
||||
name: Debricked Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
vulnerabilities-scan:
|
||||
name: Vulnerabilities scan
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: debricked/actions@v3
|
||||
env:
|
||||
DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
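Review bot: `- uses: debricked/actions@v3` references a third-party action by a floating major tag, while the other third-party scanners added or bumped in this commit (Appknox, Black Duck, Bandit, cosign-installer) are pinned to a commit SHA; the step runs with `DEBRICKED_TOKEN` in its environment, so whoever controls the tag can change what executes with that secret. Suggest `- uses: debricked/actions@<commit-sha> # v3.x.y` (placeholder values) with the SHA taken from the release you validated. `on: push:` with no branch filter also means every push to every branch triggers a scan and spends the token; if that is intended for a template, a one-line comment saying so would help.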
|
||||
@@ -33,7 +33,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-dotnet@v3
|
||||
- uses: actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: |
|
||||
5.0.x
|
||||
@@ -42,6 +42,6 @@ jobs:
|
||||
uses: microsoft/security-devops-action@v1.6.0
|
||||
id: msdo
|
||||
- name: Upload results to Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
|
||||
|
||||
@@ -111,7 +111,7 @@ jobs:
|
||||
)" > ${{ github.workspace }}/detekt.sarif.json
|
||||
|
||||
# Uploads results to GitHub repository using the upload-sarif action
|
||||
- uses: github/codeql-action/upload-sarif@v2
|
||||
- uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: ${{ github.workspace }}/detekt.sarif.json
|
||||
|
||||
@@ -16,7 +16,7 @@ on:
|
||||
jobs:
|
||||
lint:
|
||||
name: DevSkim
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
@@ -29,6 +29,6 @@ jobs:
|
||||
uses: microsoft/DevSkim-Action@v1
|
||||
|
||||
- name: Upload DevSkim scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: devskim-results.sarif
|
||||
|
||||
@@ -26,7 +26,7 @@ jobs:
|
||||
### Use this section to define the build steps used by your software package.
|
||||
### Endor Labs builds your software for you where possible but the required build tools must be made available.
|
||||
# - name: Setup Java
|
||||
# uses: actions/setup-java@v3
|
||||
# uses: actions/setup-java@v4
|
||||
# with:
|
||||
# distribution: 'microsoft'
|
||||
# java-version: '17'
|
||||
@@ -46,6 +46,6 @@ jobs:
|
||||
ci_run: "false"
|
||||
sarif_file: findings.sarif
|
||||
- name: Upload SARIF to github
|
||||
uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: findings.sarif
|
||||
|
||||
@@ -33,9 +33,11 @@ jobs:
|
||||
- name: Install ESLint
|
||||
run: |
|
||||
npm install eslint@8.10.0
|
||||
npm install @microsoft/eslint-formatter-sarif@2.1.7
|
||||
npm install @microsoft/eslint-formatter-sarif@3.1.0
|
||||
|
||||
- name: Run ESLint
|
||||
env:
|
||||
SARIF_ESLINT_IGNORE_SUPPRESSED: "true"
|
||||
run: npx eslint .
|
||||
--config .eslintrc.js
|
||||
--ext .js,.jsx,.ts,.tsx
|
||||
@@ -44,7 +46,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: eslint-results.sarif
|
||||
wait-for-processing: true
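Review bot: The new `SARIF_ESLINT_IGNORE_SUPPRESSED: "true"` line in the `Run ESLint` step has no comment, and its effect is not visible from this file; by its name it appears to drop findings that are suppressed in-source (`eslint-disable` comments) from the SARIF, which would let a contributor remove a result from the code-scanning dashboard with a single comment. If that reading is right, say so where the knob is set, e.g. `# Omit in-source-suppressed findings (eslint-disable) from the SARIF; delete this line to surface them as alerts`. The quoted `"true"` is the correct form for an env value and should stay as is.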
|
||||
@@ -63,7 +63,7 @@ jobs:
|
||||
sarif-result-file: "ethicalcheck-results.sarif"
|
||||
|
||||
- name: Upload sarif file to repository
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ./ethicalcheck-results.sarif
|
||||
|
||||
|
||||
@@ -33,6 +33,6 @@ jobs:
|
||||
output: 'flawfinder_results.sarif'
|
||||
|
||||
- name: Upload analysis results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{github.workspace}}/flawfinder_results.sarif
|
||||
+98
-67
@@ -4,95 +4,126 @@
|
||||
# documentation.
|
||||
|
||||
################################################################################################################################################
|
||||
# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
|
||||
# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
|
||||
# or contact our sales team, visit microfocus.com/appsecurity. #
|
||||
# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your #
|
||||
# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. #
|
||||
# #
|
||||
# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.#
|
||||
# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into #
|
||||
# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against #
|
||||
# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the #
|
||||
# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional #
|
||||
# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. #
|
||||
# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template #
|
||||
# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security #
|
||||
# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product #
|
||||
# documentation. If you need additional assistance, please contact Fortify support. #
|
||||
################################################################################################################################################
|
||||
|
||||
name: Fortify on Demand Scan
|
||||
name: Fortify AST Scan
|
||||
|
||||
# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
|
||||
# Customize trigger events based on your DevSecOps process and/or policy
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
FoD-SAST-Scan:
|
||||
# Use the appropriate runner for building your source code.
|
||||
# TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
|
||||
Fortify-AST-Scan:
|
||||
# Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc).
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
# pull-requests: write # Required if DO_PR_COMMENT is set to true
|
||||
|
||||
steps:
|
||||
# Check out source code
|
||||
- name: Check Out Source Code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Java is required to run the various Fortify utilities.
|
||||
# When scanning a Java application, please use the appropriate Java version for building your application.
|
||||
- name: Setup Java
|
||||
uses: actions/setup-java@v3
|
||||
# Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
|
||||
# configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
|
||||
# job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
|
||||
# The Fortify GitHub Action provides many customization capabilities, but in case further customization is
|
||||
# required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
|
||||
# and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
|
||||
# documentation at https://github.com/fortify/github-action#readme for more information on the various
|
||||
# configuration options and available sub-actions.
|
||||
- name: Run Fortify Scan
|
||||
# Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
|
||||
# uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases
|
||||
# are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
|
||||
# required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
|
||||
# of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
|
||||
uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297
|
||||
with:
|
||||
java-version: 8
|
||||
distribution: 'temurin'
|
||||
|
||||
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
|
||||
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
|
||||
# ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
|
||||
# ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
|
||||
# ScanCentral has additional options that should be set for PHP and Python projects
|
||||
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
|
||||
# ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
|
||||
- name: Download Fortify ScanCentral Client
|
||||
uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3
|
||||
- name: Package Code + Dependencies
|
||||
run: scancentral package $PACKAGE_OPTS -o package.zip
|
||||
sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
|
||||
debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
|
||||
# is disabled). For SSC, run a Debricked scan and import results into SSC.
|
||||
env:
|
||||
PACKAGE_OPTS: "-bt mvn"
|
||||
#############################################################
|
||||
##### Fortify on Demand configuration
|
||||
##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
|
||||
### Required configuration
|
||||
FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
|
||||
FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
|
||||
FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
|
||||
FOD_PASSWORD: ${{secrets.FOD_PAT}}
|
||||
# FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
|
||||
# FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
|
||||
### Optional configuration
|
||||
# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
|
||||
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>
|
||||
# DO_SETUP: true # Setup FoD application, release & static scan configuration
|
||||
# SETUP_ACTION: <URL or file> # Customize setup action
|
||||
# Pass extra options to setup action:
|
||||
# SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
|
||||
# PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
|
||||
# FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
|
||||
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
|
||||
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
|
||||
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
|
||||
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
|
||||
# DO_JOB_SUMMARY: true # Generate workflow job summary
|
||||
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
|
||||
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
|
||||
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
|
||||
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
|
||||
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
|
||||
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
|
||||
# EXPORT_ACTION: <URL or file> # Customize export action
|
||||
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
|
||||
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
|
||||
|
||||
# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
|
||||
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
|
||||
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
|
||||
# Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
|
||||
- name: Download Fortify on Demand Universal CI Tool
|
||||
uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433
|
||||
- name: Perform SAST Scan
|
||||
run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
|
||||
env:
|
||||
FOD_URL: "https://ams.fortify.com/"
|
||||
FOD_API_URL: "https://api.ams.fortify.com/"
|
||||
FOD_TENANT: ${{ secrets.FOD_TENANT }}
|
||||
FOD_USER: ${{ secrets.FOD_USER }}
|
||||
FOD_PAT: ${{ secrets.FOD_PAT }}
|
||||
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
|
||||
FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
|
||||
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
|
||||
|
||||
# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
|
||||
- name: Export results to GitHub-optimized SARIF
|
||||
uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b
|
||||
with:
|
||||
fod_base_url: "https://ams.fortify.com/"
|
||||
fod_tenant: ${{ secrets.FOD_TENANT }}
|
||||
fod_user: ${{ secrets.FOD_USER }}
|
||||
fod_password: ${{ secrets.FOD_PAT }}
|
||||
fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
|
||||
|
||||
# Import Fortify on Demand results to GitHub Security Code Scanning
|
||||
- name: Import Results
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: ./gh-fortify-sast.sarif
|
||||
#############################################################
|
||||
##### Fortify Hosted / Software Security Center & ScanCentral
|
||||
##### Remove this section if you're integrating with Fortify on Demand (see above)
|
||||
### Required configuration
|
||||
SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret
|
||||
SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets
|
||||
SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
|
||||
DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
|
||||
SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
|
||||
### Optional configuration
|
||||
# SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
|
||||
# SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
|
||||
# SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch>
|
||||
# DO_SETUP: true # Set up SSC application & version
|
||||
# SETUP_ACTION: <URL or file> # Customize setup action
|
||||
# SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
|
||||
# PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options
|
||||
# EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options
|
||||
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
|
||||
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
|
||||
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
|
||||
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
|
||||
# DO_JOB_SUMMARY: true # Generate workflow job summary
|
||||
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
|
||||
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
|
||||
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
|
||||
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
|
||||
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
|
||||
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
|
||||
# EXPORT_ACTION: <URL or file> # Customize export action
|
||||
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
|
||||
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
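Review bot: The `Run Fortify Scan` step pins `fortify/github-action` to a commit, but the version that SHA is said to correspond to (1.6.2) lives only in the five-line comment above it, whereas the other third-party pins in this commit put it beside the ref (`jfrog/frogbot@5d9c42c… # v2.21.2`, `aws-actions/…@8cadb08… #v1.0.2`); write `uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297 # v1.6.2` so the pin and its version travel together and update tooling can bump both. The step's `env:` block ships both the Fortify on Demand credentials (with `FOD_URL` hard-coded to `https://ams.fortify.com`) and the SSC/ScanCentral set live at once, relying on the `##### Remove this section` comments; which backend the action uses when both remain is not determined by anything in this file, so consider commenting out one set by default. The job also triggers on `pull_request`, and secrets such as `FOD_TENANT` are, as far as GitHub's model goes, not exposed to runs from forked repositories, so those runs will fail at login — a note next to the trigger, `# pull_request runs from forks cannot read the secrets below and will fail to authenticate`, would save users a confusing failure. The `Fortify-AST-Scan` job and its trigger block are fully visible in this hunk.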
|
||||
|
||||
@@ -5,9 +5,9 @@
|
||||
# Frogbot Scan and Fix does the following:
|
||||
# Automatically creates pull requests with fixes for vulnerable project dependencies.
|
||||
# Uses JFrog Xray to scan the project.
|
||||
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
|
||||
# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot
|
||||
|
||||
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration
|
||||
|
||||
name: "Frogbot Scan and Fix"
|
||||
on:
|
||||
@@ -23,11 +23,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
# IMPORTANT:
|
||||
# 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
|
||||
# 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
|
||||
- uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0
|
||||
- uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2
|
||||
env:
|
||||
# [Mandatory if the two conditions below are met]
|
||||
# 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
|
||||
|
||||
@@ -5,9 +5,9 @@
|
||||
# Frogbot Scan Pull Request does the following:
|
||||
# Automatically scans new pull requests for security vulnerabilities.
|
||||
# Uses JFrog Xray to scan the project.
|
||||
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
|
||||
# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot
|
||||
|
||||
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration
|
||||
|
||||
name: "Frogbot Scan Pull Request"
|
||||
on:
|
||||
@@ -21,18 +21,14 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
# A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
|
||||
# "frogbot" GitHub environment can approve the pull request to be scanned.
|
||||
# Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md
|
||||
# Read more here (Install Frogbot Using GitHub Actions): https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-github-actions
|
||||
environment: frogbot
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
|
||||
# IMPORTANT:
|
||||
# 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
|
||||
# 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
|
||||
- uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0
|
||||
- uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2
|
||||
env:
|
||||
# [Mandatory if the two conditions below are met]
|
||||
# 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
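Review bot: The upgraded `actions/checkout@v4` step still checks out `${{ github.event.pull_request.head.sha }}`, i.e. code chosen by the pull-request author, and the comment above the job says the only gate before Frogbot scans it is approval on the `frogbot` environment; the trigger is outside this hunk, but an approval gate of that kind only makes sense if it is `pull_request_target`, which runs with the base repository's secrets. With checkout's default `persist-credentials: true` the job token is also stored in the checked-out tree's git config, where any build or dependency-resolution script Frogbot runs against that untrusted tree could read it. Add `persist-credentials: false` under the step's `with:` block, so it reads `ref: ${{ github.event.pull_request.head.sha }}` followed by `persist-credentials: false`; Frogbot is configured through its own `env:` block below and should not need the checkout credentials.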
|
||||
|
||||
@@ -41,7 +41,7 @@ jobs:
|
||||
no-fail: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: hadolint-results.sarif
|
||||
wait-for-processing: true
|
||||
@@ -0,0 +1,54 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# JFrog SAST performs 1st party source code security analysis
|
||||
# For more information, see
|
||||
# https://docs.jfrog-applications.jfrog.io/jfrog-security-features/sast
|
||||
|
||||
name: "JFrog SAST Scan"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
env:
|
||||
# [Mandatory]
|
||||
# JFrog platform URL and access token for
|
||||
# a JFrog platform instance with active
|
||||
# JFrog Advanced Security subscription
|
||||
JF_URL: ${{ secrets.JF_URL }}
|
||||
JF_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
|
||||
jobs:
|
||||
analyze:
|
||||
name: Analyze
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Setup Node.js
|
||||
uses: actions/setup-node@v4
|
||||
|
||||
- name: Install and configure JFrog CLI
|
||||
run: |
|
||||
npm install -g jfrog-cli-v2-jf
|
||||
echo $JF_TOKEN | jf c add --interactive=false --url=$JF_URL --access-token-stdin
|
||||
|
||||
- name: Run JFrog SAST
|
||||
run: |
|
||||
jf audit --sast --format=sarif > jfrog_sast.sarif
|
||||
|
||||
|
||||
- name: Upload output to generate autofix
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: jfrog_sast.sarif
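Review bot: The `Install and configure JFrog CLI` step runs `npm install -g jfrog-cli-v2-jf` with no version, so every run of this security workflow executes whatever the npm registry serves at that moment — the one tool in the job that is not pinned, next to `actions/checkout@v4`, `actions/setup-node@v4` and `upload-sarif@v3`. Pin it to an exact release, `npm install -g jfrog-cli-v2-jf@<x.y.z>`, and quote the expansions on the next line, `echo "$JF_TOKEN" | jf c add --interactive=false --url="$JF_URL" --access-token-stdin`, so a URL containing shell-special characters cannot split the command. The step name `Upload output to generate autofix` does not describe what the step does — it uploads the SARIF to code scanning — so `Upload SARIF to GitHub Security tab` would match the other templates in this commit. Whether `jf audit` exits non-zero when it finds issues is not shown here; if it does, the upload step is skipped on exactly the runs that matter, which the mobsfscan and ESLint templates in this commit guard with `|| true` / `continue-on-error: true`.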
|
||||
@@ -28,9 +28,9 @@ jobs:
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v3
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 18
|
||||
node-version: 20
|
||||
- run: npm ci
|
||||
- run: npm run build
|
||||
- name: Jscrambler Code Integrity
|
||||
|
||||
@@ -17,7 +17,7 @@ on:
|
||||
jobs:
|
||||
lint:
|
||||
name: Kubesec
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
@@ -36,6 +36,6 @@ jobs:
|
||||
exit-code: "0"
|
||||
|
||||
- name: Upload Kubesec scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: kubesec-results.sarif
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: lintr-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -9,13 +9,11 @@
|
||||
#
|
||||
# To use this workflow, you will need to:
|
||||
#
|
||||
# 1. Create a Mayhem for API account at
|
||||
# https://mayhem4api.forallsecure.com/signup
|
||||
# 1. Create a Mayhem account at https://app.mayhem.security
|
||||
#
|
||||
# 2. Create a service account token `mapi organization service-account create
|
||||
# <org-name> <service-account-name>`
|
||||
# 2. Create an API token at https://app.mayhem.security/-/settings/user/api-tokens
|
||||
#
|
||||
# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN"
|
||||
# 3. Add the API token as a secret in GitHub called "MAYHEM_TOKEN"
|
||||
#
|
||||
# 4. Update the "Start your API" step to run your API in the background before
|
||||
# starting the Mayhem for API scan, and update the `api-url` & `api-spec`
|
||||
@@ -51,16 +49,16 @@ jobs:
|
||||
run: ./run_your_api.sh & # <- ✏️ update this
|
||||
|
||||
- name: Mayhem for API
|
||||
uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010
|
||||
uses: ForAllSecure/mapi-action@v1
|
||||
continue-on-error: true
|
||||
with:
|
||||
mapi-token: ${{ secrets.MAPI_TOKEN }}
|
||||
mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
|
||||
api-url: http://localhost:8080 # <- ✏️ update this
|
||||
api-spec: http://localhost:8080/openapi.json # <- ✏️ update this
|
||||
duration: 60
|
||||
sarif-report: mapi.sarif
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: mapi.sarif
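Review bot: The `Mayhem for API` step replaces the commit pin `ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010` with the floating tag `ForAllSecure/mapi-action@v1`, so a third-party action that receives the `MAYHEM_TOKEN` secret is now resolved to whatever that tag points to on each run. The other third-party actions touched by this commit keep SHA pins with a version trailer (`jfrog/frogbot@5d9c42c… # v2.21.2`, `aws-actions/…@8cadb08… #v1.0.2`), and this file's own header warns the action is not certified by GitHub, so the same form is warranted here: `uses: ForAllSecure/mapi-action@<commit-sha> # v1.x.y`. The renamed input and secret, `mayhem-token: ${{ secrets.MAYHEM_TOKEN }}`, is consistent with the updated setup comments at the top of the file.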
|
||||
|
||||
@@ -38,6 +38,6 @@ jobs:
|
||||
args: . --sarif --output results.sarif || true
|
||||
|
||||
- name: Upload mobsfscan report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -54,13 +54,13 @@ jobs:
|
||||
|
||||
# Upload SARIF file to GitHub Code Scanning Alerts
|
||||
- name: Upload SARIF to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
|
||||
|
||||
# Upload SARIF file as an Artifact to download and view
|
||||
# - name: Upload SARIF as an Artifact
|
||||
# uses: actions/upload-artifact@v3
|
||||
# uses: actions/upload-artifact@v4
|
||||
# with:
|
||||
# name: sarif-file
|
||||
# path: ${{ steps.run-analysis.outputs.sarif }}
|
||||
|
||||
@@ -162,7 +162,7 @@ jobs:
|
||||
runs-on: ubuntu-18.04
|
||||
name: A job to run a Nexploit scan
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/checkout@v4
|
||||
- name: Start Nexploit Scan 🏁
|
||||
id: start
|
||||
uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
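Review bot: This hunk bumps `actions/checkout` to v4 but leaves the job on `runs-on: ubuntu-18.04` (the context line just above), which the same commit changes to `ubuntu-latest` for the DevSkim and Kubesec jobs; to my knowledge GitHub no longer offers the 18.04 hosted image, so as written the job will not schedule on hosted runners at all. Change the line to `runs-on: ubuntu-latest` (or a current pinned image) in the same pass. The `NeuraLegion/run-scan@29ebd17…` pin is unchanged and still carries no version trailer, unlike the other third-party pins in this commit.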
|
||||
|
||||
@@ -37,6 +37,6 @@ jobs:
|
||||
with:
|
||||
args: '. --sarif --output results.sarif || true'
|
||||
- name: Upload njsscan report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -47,6 +47,6 @@ jobs:
|
||||
group_id: {{ groupId }} # Update this to your desired Platform group ID
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: NowSecure.sarif
|
||||
|
||||
@@ -40,7 +40,7 @@ jobs:
|
||||
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
|
||||
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
|
||||
# - name: Install .NET
|
||||
# uses: actions/setup-dotnet@v2
|
||||
# uses: actions/setup-dotnet@v4
|
||||
# with:
|
||||
# dotnet-version: '3.1.x'
|
||||
|
||||
@@ -51,6 +51,6 @@ jobs:
|
||||
|
||||
# Upload results to the Security tab
|
||||
- name: Upload OSSAR results
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
|
||||
|
||||
@@ -51,7 +51,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: phpmd-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -26,7 +26,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: '11'
|
||||
distribution: 'temurin'
|
||||
@@ -38,6 +38,6 @@ jobs:
|
||||
sourcePath: 'src/main/java'
|
||||
analyzeModifiedFilesOnly: false
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: pmd-report.sarif
|
||||
|
||||
@@ -20,7 +20,8 @@ env:
|
||||
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
|
||||
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
|
||||
TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template.
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
jobs:
|
||||
@@ -45,7 +46,7 @@ jobs:
|
||||
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer ValidatePolicy check
|
||||
id: run-aws-validate-policy
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "VALIDATE_POLICY"
|
||||
template-path: ${{ env.TEMPLATE_PATH}}
|
||||
@@ -57,11 +58,12 @@ jobs:
|
||||
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
|
||||
id: run-aws-check-access-not-granted
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
|
||||
template-path: ${{ env.TEMPLATE_PATH}}
|
||||
actions: ${{ env.ACTIONS }}
|
||||
resources: ${{ env.RESOURCES }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_ACCESS_NOT_GRANTED check
|
||||
- name: Print the result for CheckAccessNotGranted check
|
||||
@@ -71,14 +73,26 @@ jobs:
|
||||
# reference-policy is stored in GitHub secrets
|
||||
- name: Run AWS AccessAnalyzer CheckNoNewAccess check
|
||||
id: run-aws-check-no-new-access
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_NEW_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH}}
|
||||
reference-policy: ${{ env.REFERENCE }}
|
||||
reference-policy: ${{ env.REFERENCE_POLICY }}
|
||||
reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
|
||||
region: ${{env.REGION }}
|
||||
# Print result from CHECK_NO_NEW_ACCESS check
|
||||
- name: Print the result for CheckNoNewAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
|
||||
# Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckNoPublicAccess check
|
||||
id: run-aws-check-no-public-access
|
||||
uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_NO_PUBLIC_ACCESS check
|
||||
- name: Print the result for CheckNoPublicAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
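Review bot: The new Print step expands `${{ steps.run-aws-check-no-public-access.outputs.result }}` directly inside the shell line of `run`, so whatever the validator action places in `result` is substituted into the script before bash parses it; if that output ever reflects content from the scanned template, this is the expression-in-`run` pattern GitHub's workflow-hardening guidance recommends avoiding. The safer shape binds the value to an environment variable and quotes it in the shell: `env:` / `  RESULT: ${{ steps.run-aws-check-no-public-access.outputs.result }}` / `run: echo "$RESULT"`. The same applies to the CheckNoPublicAccess print step added to the Terraform workflow later in this diff; the pre-existing print steps in this file already use the interpolated form, so the commit extends rather than introduces the pattern.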
|
||||
|
||||
@@ -21,7 +21,8 @@ env:
|
||||
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
|
||||
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
|
||||
TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
|
||||
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
|
||||
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
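Review bot: The `AWS_ROLE` comment at the top of this hunk still lists only `access-analyzer:ValidatePolicy`, `access-analyzer:CheckNoNewAccess` and `access-analyzer:CheckAccessNotGranted` as the permissions the role needs, but this commit adds a `CHECK_NO_PUBLIC_ACCESS` step to the same workflow in a later hunk, which calls the separate `access-analyzer:CheckNoPublicAccess` API; a role scoped to the three documented actions will fail that new step. Extend the comment to `# set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy, access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted, access-analyzer:CheckNoPublicAccess and can be used in GitHub actions`. Separately, the unchanged `REFERENCE_POLICY` and `REFERENCE_POLICY_TYPE` comments refer to a `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type, while the workflow passes `"CHECK_NO_NEW_ACCESS"`; the name in both comments should match the value actually used.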
|
||||
|
||||
@@ -48,7 +49,7 @@ jobs:
|
||||
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer ValidatePolicy check
|
||||
id: run-aws-validate-policy
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "VALIDATE_POLICY"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
@@ -60,11 +61,12 @@ jobs:
|
||||
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
|
||||
id: run-aws-check-access-not-granted
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
actions: ${{ env.ACTIONS }}
|
||||
resources: ${{ env.RESOURCES }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_ACCESS_NOT_GRANTED check
|
||||
- name: Print the result for CheckAccessNotGranted check
|
||||
@@ -74,7 +76,7 @@ jobs:
|
||||
# reference-policy is stored in GitHub secrets
|
||||
- name: Run AWS AccessAnalyzer CheckNoNewAccess check
|
||||
id: run-aws-check-no-new-access
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_NEW_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
@@ -85,3 +87,15 @@ jobs:
|
||||
- name: Print the result CheckNoNewAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
|
||||
# Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
|
||||
- name: Run AWS AccessAnalyzer CheckNoPublicAccess check
|
||||
id: run-aws-check-no-public-access
|
||||
uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
|
||||
with:
|
||||
policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
|
||||
template-path: ${{ env.TEMPLATE_PATH }}
|
||||
region: ${{ env.REGION }}
|
||||
# Print result from CHECK_NO_PUBLIC_ACCESS check
|
||||
- name: Print the result for CheckNoPublicAccess check
|
||||
if: success() || failure()
|
||||
run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
|
||||
|
||||
@@ -44,6 +44,6 @@ jobs:
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF results file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
# The service need to know the type of IaC being scanned
|
||||
template_type: 'CFT'
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
# Results are generated only on a success or failure
|
||||
# this is required since GitHub by default won't run the next step
|
||||
# when the previous one has failed.
|
||||
|
||||
@@ -0,0 +1,21 @@
|
||||
{
|
||||
"name": "Appknox",
|
||||
"creator": "Appknox",
|
||||
"description": "Use Appknox action for faster and precise security assessments of your iOS and Android apps developed using any programming language",
|
||||
"iconName": "appknox",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"Java",
|
||||
"Kotlin",
|
||||
"Scala",
|
||||
"Swift",
|
||||
"Objective C",
|
||||
"C",
|
||||
"C++",
|
||||
"C#",
|
||||
"Rust",
|
||||
"JavaScript",
|
||||
"TypeScript",
|
||||
"Node"
|
||||
]
|
||||
}
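Review bot: The new Appknox properties file spells the category `"Objective C"`, while the Debricked and Fortify properties files in this same diff use `"Objective-C"`; if the site groups or filters starter workflows by exact category string, this creates two buckets for one language. The new Black Duck properties file uses the same `"Objective C"` spelling. Aligning both new files on the form the existing files already use, `"Objective-C"`, keeps the category list consistent.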
|
||||
@@ -0,0 +1,22 @@
|
||||
{
|
||||
"name": "Black Duck Security Scan Workflow",
|
||||
"creator": "Black Duck Software, Inc.",
|
||||
"description": "The Black Duck Security Scan GitHub Action allows you to configure your pipeline to run Black Duck Security Scan and take action on the security results",
|
||||
"iconName": "black-duck",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"C",
|
||||
"C++",
|
||||
"C#",
|
||||
"Go",
|
||||
"Java",
|
||||
"JavaScript",
|
||||
"Ruby",
|
||||
"PHP",
|
||||
"Swift",
|
||||
"Kotlin",
|
||||
"Python",
|
||||
"VB.NET",
|
||||
"Objective C"
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,19 @@
|
||||
{
|
||||
"name": "Debricked Scan",
|
||||
"creator": "OpenText",
|
||||
"description": "Integrate with Debricked's state of the art AI-powered Software Composition Analysis to automate your security.",
|
||||
"iconName": "debricked",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"Python",
|
||||
"JavaScript",
|
||||
"Java",
|
||||
"PHP",
|
||||
"Ruby",
|
||||
"Go",
|
||||
"Rust",
|
||||
"Swift",
|
||||
"C#",
|
||||
"Objective-C"
|
||||
]
|
||||
}
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "Fortify on Demand Scan",
|
||||
"creator": "Micro Focus",
|
||||
"description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.",
|
||||
"name": "Fortify Scan",
|
||||
"creator": "OpenText",
|
||||
"description": "Integrate Fortify's comprehensive static code analysis (SAST) for 33+ languages into your DevSecOps workflows.",
|
||||
"iconName": "fortify",
|
||||
"categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"]
|
||||
"categories": ["Code Scanning", "ABAP", "ActionScript", "Bicep", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Dart", "Go", "HCL", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Solidity", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML", "YAML"]
|
||||
}
|
||||
|
||||
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"name": "JFrog SAST",
|
||||
"description": "Scan for security vulnerabilities in source code using JFrog SAST",
|
||||
"iconName": "frogbot",
|
||||
"categories":
|
||||
[
|
||||
"Code Scanning",
|
||||
"security",
|
||||
"python",
|
||||
"java",
|
||||
"javascript",
|
||||
"typescript",
|
||||
"go"
|
||||
],
|
||||
"creator": "JFrog"
|
||||
}
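Review bot: The JFrog SAST categories are lowercase (`"python"`, `"java"`, `"javascript"`, `"typescript"`, `"go"`) and include a `"security"` entry, whereas every other properties file in this diff uses title-case language names and no `security` category; an exact-match filter would not group these entries with the others. Suggest `"Python"`, `"Java"`, `"JavaScript"`, `"TypeScript"`, `"Go"`, and either dropping `"security"` or confirming it is in whatever category list the repository's validate-data script accepts, which I cannot see from this hunk.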
|
||||
@@ -33,6 +33,6 @@ jobs:
|
||||
uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287
|
||||
|
||||
- name: Upload Security Analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: puppet-lint-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -47,6 +47,6 @@ jobs:
|
||||
"
|
||||
|
||||
- name: Upload Sarif output
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: rubocop.sarif
|
||||
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: rust-clippy-results.sarif
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -21,6 +21,8 @@ jobs:
|
||||
analysis:
|
||||
name: Scorecard analysis
|
||||
runs-on: ubuntu-latest
|
||||
# `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
|
||||
if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
|
||||
permissions:
|
||||
# Needed to upload the results to code-scanning dashboard.
|
||||
security-events: write
|
||||
@@ -32,12 +34,12 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: "Checkout code"
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
- name: "Run analysis"
|
||||
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
|
||||
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
@@ -56,10 +58,13 @@ jobs:
|
||||
# of the value entered here.
|
||||
publish_results: true
|
||||
|
||||
# (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
|
||||
# file_mode: git
|
||||
|
||||
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
|
||||
# format to the repository Actions tab.
|
||||
- name: "Upload artifact"
|
||||
uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
|
||||
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
@@ -68,6 +73,6 @@ jobs:
|
||||
# Upload the results to GitHub's code scanning dashboard (optional).
|
||||
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
|
||||
- name: "Upload to code-scanning"
|
||||
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
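Review bot: The upload step regresses from the commit-pinned `github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9` to the mutable tag `@v3`, while the checkout, scorecard-action and upload-artifact steps in this same file remain SHA-pinned with a version comment. Because this is the Scorecard starter workflow, its own Pinned-Dependencies check will flag exactly this line, and a moving tag means the SARIF upload runs whatever `v3` resolves to at run time rather than a reviewed revision. Keep the pinned form, `uses: github/codeql-action/upload-sarif@<commit SHA of the intended v3 release> # vX.Y.Z`, updated to the release the commit meant to move to.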
|
||||
|
||||
@@ -38,4 +38,4 @@ jobs:
|
||||
uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
|
||||
|
||||
- name: Upload sarif
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
|
||||
@@ -43,7 +43,7 @@ jobs:
|
||||
|
||||
# Upload SARIF file generated in previous step
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: semgrep.sarif
|
||||
if: always()
|
||||
|
||||
@@ -50,6 +50,6 @@ jobs:
|
||||
image: your/image-to-test
|
||||
args: --file=Dockerfile
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: snyk.sarif
|
||||
|
||||
@@ -49,6 +49,6 @@ jobs:
|
||||
# or `main.tf` for a Terraform configuration file
|
||||
file: your-file-to-test.yaml
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: snyk.sarif
|
||||
|
||||
@@ -43,9 +43,9 @@ jobs:
|
||||
|
||||
# For Snyk Open Source you must first set up the development environment for your application's dependencies
|
||||
# For example for Node
|
||||
#- uses: actions/setup-node@v3
|
||||
#- uses: actions/setup-node@v4
|
||||
# with:
|
||||
# node-version: 16
|
||||
# node-version: 20
|
||||
|
||||
env:
|
||||
# This is where you will need to introduce the Snyk API token created with your Snyk account
|
||||
@@ -74,6 +74,6 @@ jobs:
|
||||
|
||||
# Push the Snyk Code results into GitHub Code Scanning tab
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: snyk-code.sarif
|
||||
|
||||
@@ -36,6 +36,6 @@ jobs:
|
||||
- id: run-action
|
||||
uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912
|
||||
- name: Upload report
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -46,13 +46,12 @@ jobs:
|
||||
- name: Analyze with SonarCloud
|
||||
|
||||
# You can pin the exact commit or the version.
|
||||
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
|
||||
uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
|
||||
# uses: SonarSource/sonarcloud-github-action@v2.2.0
|
||||
uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
|
||||
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
|
||||
with:
|
||||
# Additional arguments for the sonarcloud scanner
|
||||
# Additional arguments for the SonarScanner CLI
|
||||
args:
|
||||
# Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
|
||||
# mandatory
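Review bot: The version for the newly pinned `SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216` is recorded on a separate commented-out `# uses: SonarSource/sonarcloud-github-action@v2.2.0` line rather than inline; elsewhere in this diff the convention is `uses: owner/action@<sha> # vX.Y.Z`, which keeps the SHA-to-version mapping on one line so a reader (and dependabot) can update both together. Suggest `uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 # v2.2.0` and dropping the commented duplicate, assuming that SHA is indeed the v2.2.0 release, which I cannot verify from the diff.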
|
||||
@@ -60,9 +59,9 @@ jobs:
|
||||
-Dsonar.organization=
|
||||
# Comma-separated paths to directories containing main source files.
|
||||
#-Dsonar.sources= # optional, default is project base directory
|
||||
# When you need the analysis to take place in a directory other than the one from which it was launched
|
||||
#-Dsonar.projectBaseDir= # optional, default is .
|
||||
# Comma-separated paths to directories containing test source files.
|
||||
#-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
|
||||
# Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
|
||||
#-Dsonar.verbose= # optional, default is false
|
||||
# When you need the analysis to take place in a directory other than the one from which it was launched, default is .
|
||||
projectBaseDir: .
|
||||
|
||||
@@ -36,15 +36,25 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Run SOOS DAST Analysis
|
||||
uses: soos-io/soos-dast-github-action@a7f2cb2dfd143cb3224712d902ca0a1da0198ea9
|
||||
uses: soos-io/soos-dast-github-action@a7eb40b94c1c81eb76b178ba1befdc21823f86fa
|
||||
with:
|
||||
client_id: ${{ secrets.SOOS_CLIENT_ID }}
|
||||
api_key: ${{ secrets.SOOS_API_KEY }}
|
||||
project_name: "<YOUR-PROJECT-NAME>"
|
||||
scan_mode: "baseline"
|
||||
target_url: "https://www.example.com/"
|
||||
output_format: "sarif"
|
||||
export_format: "Sarif"
|
||||
export_file_type: "Json"
|
||||
- name: Find and rename SARIF file since it is unique
|
||||
run: |
|
||||
file=$(find . -name "*.sarif.json" | head -n 1)
|
||||
if [ -n "$file" ]; then
|
||||
mv "$file" output.sarif.json
|
||||
echo "Renamed $file to output.sarif.json"
|
||||
else
|
||||
echo "No SARIF file found" && exit 1
|
||||
fi
|
||||
- name: Upload SOOS DAST SARIF Report
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
sarif_file: output.sarif.json
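Review bot: The new rename step uploads whichever `*.sarif.json` the `find . -name "*.sarif.json" | head -n 1` pipeline happens to return first, so a second matching file anywhere in the checkout (a committed fixture, a leftover `output.sarif.json` on a self-hosted runner) would be renamed and uploaded silently in place of the fresh report. Add `-type f` and, if the action writes its export to a known directory, search only that path: `file=$(find . -type f -name "*.sarif.json" | head -n 1)`. I cannot tell from this hunk where the action places its export, so the directory restriction is for the author to fill in.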
|
||||
|
||||
@@ -46,7 +46,7 @@ jobs:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info
|
||||
name: StackHawk
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
@@ -71,7 +71,7 @@ jobs:
|
||||
|
||||
- name: Upload SARIF file
|
||||
if: ${{steps.prescription.outputs.sastScan == 'true' }}
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: workflowengine-results.sarif.json
|
||||
|
||||
@@ -55,7 +55,7 @@ jobs:
|
||||
# Sysdig inline scanner requires privileged rights
|
||||
run-as-user: root
|
||||
|
||||
- uses: github/codeql-action/upload-sarif@v2
|
||||
- uses: github/codeql-action/upload-sarif@v3
|
||||
#Upload SARIF file
|
||||
if: always()
|
||||
with:
|
||||
|
||||
@@ -32,7 +32,7 @@ jobs:
|
||||
sarif_file: tfsec.sarif
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: tfsec.sarif
|
||||
|
||||
@@ -24,7 +24,7 @@ jobs:
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: Build
|
||||
runs-on: "ubuntu-20.04"
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -43,6 +43,6 @@ jobs:
|
||||
severity: 'CRITICAL,HIGH'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
|
||||
@@ -42,7 +42,7 @@ jobs:
|
||||
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
|
||||
- run: unzip -o pipeline-scan-LATEST.zip
|
||||
|
||||
- uses: actions/setup-java@v3
|
||||
- uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: 8
|
||||
distribution: 'temurin'
|
||||
@@ -53,7 +53,7 @@ jobs:
|
||||
uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
|
||||
with:
|
||||
pipeline-results-json: results.json
|
||||
- uses: github/codeql-action/upload-sarif@v2
|
||||
- uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: veracode-results.sarif
|
||||
|
||||
@@ -62,7 +62,7 @@ jobs:
|
||||
# Set up the correct Java version for your project
|
||||
# Please comment out, if your project does not contain Java source code.
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
java-version: 11
|
||||
distribution: 'temurin'
|
||||
@@ -87,7 +87,7 @@ jobs:
|
||||
license: ${{ secrets.XANITIZER_LICENSE }}
|
||||
|
||||
# Archiving the findings list reports
|
||||
- uses: actions/upload-artifact@v3
|
||||
- uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: Xanitizer-Reports
|
||||
path: |
|
||||
@@ -95,6 +95,6 @@ jobs:
|
||||
*-Findings-List.sarif
|
||||
|
||||
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
|
||||
- uses: github/codeql-action/upload-sarif@v2
|
||||
- uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: Xanitizer-Findings-List.sarif
|
||||
|
||||
@@ -51,6 +51,6 @@ jobs:
|
||||
#Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
|
||||
- name: Upload SARIF file
|
||||
if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}
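Review bot: The `sarif_file` value in this hunk, `${{ steps.zscaler-iac-scan.sarif_file_path }}`, is missing the `outputs` segment: step outputs are addressed as `steps.<id>.outputs.<name>`, so this expression evaluates to an empty string and the upload step receives no file, even though the `if:` two lines above reads the same output correctly as `steps.zscaler-iac-scan.outputs.sarif_file_path`. This line is unchanged context, so the version bump does not introduce it, but it is worth fixing in the same pass: `sarif_file: ${{ steps.zscaler-iac-scan.outputs.sarif_file_path }}`.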
|
||||
|
||||
@@ -55,6 +55,6 @@ jobs:
|
||||
app_file: app-release-unsigned.apk
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: Zimperium.sarif
|
||||
|
||||
@@ -42,7 +42,7 @@ jobs:
|
||||
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
|
||||
|
||||
- name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment
|
||||
uses: actions/setup-dotnet@v3
|
||||
uses: actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: ${{ env.DOTNET_VERSION }}
|
||||
|
||||
|
||||
@@ -28,6 +28,7 @@ permissions:
|
||||
env:
|
||||
AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
|
||||
BUILD_GRADLE_DIRECTORY: '.' # set this to the directory which contains build.gradle file
|
||||
DISTRIBUTION: 'zulu' # set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft')
|
||||
JAVA_VERSION: '8' # set this to the java version to use (e.g. '8', '11', '17')
|
||||
|
||||
jobs:
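Review bot: The comment on the new `DISTRIBUTION: 'zulu'` line reads `# set this to the java version to use (e.g. 'zulu', 'temurin', 'microsoft')`, which is copied from the `JAVA_VERSION` line below it; the examples are distributions, not versions. Change it to `DISTRIBUTION: 'zulu' # set this to the java distribution to use (e.g. 'zulu', 'temurin', 'microsoft')`.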
|
||||
@@ -47,8 +48,9 @@ jobs:
|
||||
# creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
|
||||
|
||||
- name: Setup Java Sdk ${{ env.JAVA_VERSION }}
|
||||
uses: actions/setup-java@v1
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
distribution: ${{ env.DISTRIBUTION }}
|
||||
java-version: ${{ env.JAVA_VERSION }}
|
||||
|
||||
# Build function project with functions gradle plugin
|
||||
|
||||