From dd99cc07334b542d7991237f376d3791b470c643 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Wed, 8 Feb 2023 14:19:57 +0200 Subject: [PATCH 1/6] Frogbot update (#1925) * Update Frogbot starter workflows * Update * Update Frogbot starter-workflows commit hash --- code-scanning/frogbot-scan-and-fix.yml | 39 ++++++++---------- code-scanning/frogbot-scan-pr.yml | 55 +++++++++----------------- 2 files changed, 35 insertions(+), 59 deletions(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 12414a1..96dcfb5 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -7,6 +7,9 @@ # Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file: +# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md + name: "Frogbot Scan and Fix" on: push: @@ -21,36 +24,28 @@ jobs: steps: - uses: actions/checkout@v3 - # Install prerequisites - uncomment the relevant one + # IMPORTANT: + # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix + # 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - # - uses: actions/setup-go@v3 - # with: - # go-version: 1.17.x - - # - uses: actions/setup-java@v3 - # with: - # java-version: "11" - # distribution: "temurin" - - # - uses: actions/setup-node@v3 - # with: - # node-version: "16.x" - - - - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694 + - uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716 env: # [Mandatory] - # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) - JF_URL: ${{ secrets.FROGBOT_URL }} + # JFrog platform URL + JF_URL: ${{ secrets.JF_URL }} # [Mandatory if JF_USER and JF_PASSWORD are not provided] # JFrog access token with 'read' permissions on Xray service - JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }} + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} # [Mandatory] # The GitHub token automatically generated for the job JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # [Mandatory if using npm] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "npm i" + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + # JF_USER: ${{ secrets.JF_USER }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. Must be provided with JF_USER + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} \ No newline at end of file diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index 74ee41e..fe7d125 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml @@ -7,6 +7,9 @@ # Uses JFrog Xray to scan the project. # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot +# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file: +# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md + name: "Frogbot Scan Pull Request" on: pull_request_target: @@ -19,57 +22,35 @@ jobs: runs-on: ubuntu-latest # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the # "frogbot" GitHub environment can approve the pull request to be scanned. + # Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md environment: frogbot steps: - uses: actions/checkout@v2 with: ref: ${{ github.event.pull_request.head.sha }} - # Install prerequisites - uncomment the relevant ones + # IMPORTANT: + # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix + # 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md - # - uses: actions/setup-go@v3 - # with: - # go-version: 1.17.x - - # - uses: actions/setup-java@v3 - # with: - # java-version: "11" - # distribution: "temurin" - - # - uses: actions/setup-node@v3 - # with: - # node-version: "16.x" - - # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694 + - uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716 env: # [Mandatory] - # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) + # JFrog platform URL JF_URL: ${{ secrets.JF_URL }} - # [Mandatory if JF_ACCESS_TOKEN is not provided] - # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD - JF_USER: ${{ secrets.JF_USER }} - - # [Mandatory if JF_ACCESS_TOKEN is not provided] - # JFrog password. Must be provided with JF_USER - JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} # [Mandatory] # The GitHub token automatically generated for the job JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # [Mandatory if JF_USER and JF_PASSWORD are not provided] - # JFrog access token with 'read' permissions on Xray service - # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + # JF_USER: ${{ secrets.JF_USER }} - # [Mandatory when using npm] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "npm i" - - # [Mandatory when using .NET] - # The command that installs the dependencies - # JF_INSTALL_DEPS_CMD: "dotnet restore" - - # The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. Must be provided with JF_USER + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} \ No newline at end of file From 5343fe6869403f9be2246dee0c94c3b6dafcc7c4 Mon Sep 17 00:00:00 2001 From: Milos Pantic <101411245+panticmilos@users.noreply.github.com> Date: Fri, 10 Feb 2023 09:04:29 +0100 Subject: [PATCH 2/6] Change event to pull_request_target (#1930) Co-authored-by: Sampark Sharma --- automation/label.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/label.yml b/automation/label.yml index a8a1bd7..4613569 100644 --- a/automation/label.yml +++ b/automation/label.yml @@ -6,7 +6,7 @@ # https://github.com/actions/labeler name: Labeler -on: [pull_request] +on: [pull_request_target] jobs: label: From d31bcb967ace062e1663d3e227bb04bcb83e33f6 Mon Sep 17 00:00:00 2001 From: Ouvill Date: Fri, 10 Feb 2023 17:05:33 +0900 Subject: [PATCH 3/6] fix update cosign version on docker-publish.yml (#1917) upgrade cosign version https://github.com/sigstore/cosign/releases/tag/v1.13.1 The current version is out of date and the following error occurs ``` getting signer: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key ``` Co-authored-by: Sampark Sharma --- ci/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 11dd662..d57b2f1 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -43,7 +43,7 @@ jobs: if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 with: - cosign-release: 'v1.11.0' + cosign-release: 'v1.13.1' # Workaround: https://github.com/docker/build-push-action/issues/461 From 62569bfea96e8c89515a814c93df67a973323738 Mon Sep 17 00:00:00 2001 From: "Tajinder Singh (TJ)" Date: Wed, 15 Feb 2023 13:27:26 +0100 Subject: [PATCH 4/6] Add defender for devops workflow (#1940) * Created new workflow for defender for devops * Create defender-for-devops.properties.json * fixed pr comments * fixed linting issues * fixed linting issues * removed trailing white space * changed from preview to v1.6.0 --- code-scanning/defender-for-devops.yml | 43 +++++++++++++++++++ .../defender-for-devops.properties.json | 7 +++ 2 files changed, 50 insertions(+) create mode 100644 code-scanning/defender-for-devops.yml create mode 100644 code-scanning/properties/defender-for-devops.properties.json diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml new file mode 100644 index 0000000..c521f36 --- /dev/null +++ b/code-scanning/defender-for-devops.yml @@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. +# MSDO installs, configures and runs the latest versions of static analysis tools +# (including, but not limited to, SDL/security and compliance tools). +# +# The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue, +# as well as Windows self hosted agents. ubuntu-latest support coming soon. +# +# For more information about the action , check out https://github.com/microsoft/security-devops-action + +name: "Microsoft Defender For Devops" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + MSDO: + # currently only windows latest is supported + runs-on: windows-latest + + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-dotnet@v3 + with: + dotnet-version: | + 5.0.x + 6.0.x + - name: Run Microsoft Security DevOps + uses: microsoft/security-devops-action@v1.6.0 + id: msdo + - name: Upload results to Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{ steps.msdo.outputs.sarifFile }} diff --git a/code-scanning/properties/defender-for-devops.properties.json b/code-scanning/properties/defender-for-devops.properties.json new file mode 100644 index 0000000..23b01d3 --- /dev/null +++ b/code-scanning/properties/defender-for-devops.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Microsoft Defender For DevOps Scan", + "creator": "Microsoft", + "description": "Defender for devops helps integrate multiple tools with GitHub Advanced Security and sends the results to Defender for cloud dashbord.", + "iconName": "microsoft", + "categories": ["Code Scanning", "IaC","Docker Images", "Defender For DevOps", "EsLint", "Bandit", "Trivy", "BinSkim", "TemplateAnalyzer"] +} From 10f6091ee89f01509479e792e3f982ea3d615fdb Mon Sep 17 00:00:00 2001 From: Chris Carini <6374067+ChrisCarini@users.noreply.github.com> Date: Wed, 15 Feb 2023 22:09:52 -0800 Subject: [PATCH 5/6] Update scorecard.yml with latest releases (#1944) Update scorecard.yml with latest releases for ossf/scorecard-action & github/codeql-action/upload-sarif --- code-scanning/scorecard.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 69cf948..19b9b00 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml @@ -37,7 +37,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 with: results_file: results.sarif results_format: sarif @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27 + uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 with: sarif_file: results.sarif From 1d039e1607c98d9b9a705102315b43896ad10633 Mon Sep 17 00:00:00 2001 From: "Tajinder Singh (TJ)" Date: Tue, 21 Feb 2023 13:50:42 +0100 Subject: [PATCH 6/6] fixed typo (#1942) * fixed typo * Update defender-for-devops.yml * update to valid categories * fixed request changes --- code-scanning/defender-for-devops.yml | 4 ++++ code-scanning/properties/defender-for-devops.properties.json | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/code-scanning/defender-for-devops.yml b/code-scanning/defender-for-devops.yml index c521f36..71971cd 100644 --- a/code-scanning/defender-for-devops.yml +++ b/code-scanning/defender-for-devops.yml @@ -11,6 +11,10 @@ # as well as Windows self hosted agents. ubuntu-latest support coming soon. # # For more information about the action , check out https://github.com/microsoft/security-devops-action +# +# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration +# and provide permission before this can report data back to azure. +# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github name: "Microsoft Defender For Devops" diff --git a/code-scanning/properties/defender-for-devops.properties.json b/code-scanning/properties/defender-for-devops.properties.json index 23b01d3..495fa26 100644 --- a/code-scanning/properties/defender-for-devops.properties.json +++ b/code-scanning/properties/defender-for-devops.properties.json @@ -1,7 +1,7 @@ { "name": "Microsoft Defender For DevOps Scan", "creator": "Microsoft", - "description": "Defender for devops helps integrate multiple tools with GitHub Advanced Security and sends the results to Defender for cloud dashbord.", + "description": "Defender for DevOps helps integrate multiple tools with GitHub Advanced Security and sends the results to Defender for Cloud dashboard.", "iconName": "microsoft", - "categories": ["Code Scanning", "IaC","Docker Images", "Defender For DevOps", "EsLint", "Bandit", "Trivy", "BinSkim", "TemplateAnalyzer"] + "categories": ["Code Scanning", "HCL","Dockerfile", "Python", "JavaScript", "EcmaScript", "TypeScript"] }