Merge branch 'main' into add-credo-workflow
This commit is contained in:
@@ -0,0 +1,47 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
#
|
||||
# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle.
|
||||
# MSDO installs, configures and runs the latest versions of static analysis tools
|
||||
# (including, but not limited to, SDL/security and compliance tools).
|
||||
#
|
||||
# The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue,
|
||||
# as well as Windows self hosted agents. ubuntu-latest support coming soon.
|
||||
#
|
||||
# For more information about the action , check out https://github.com/microsoft/security-devops-action
|
||||
#
|
||||
# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration
|
||||
# and provide permission before this can report data back to azure.
|
||||
# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github
|
||||
|
||||
name: "Microsoft Defender For Devops"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
MSDO:
|
||||
# currently only windows latest is supported
|
||||
runs-on: windows-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions/setup-dotnet@v3
|
||||
with:
|
||||
dotnet-version: |
|
||||
5.0.x
|
||||
6.0.x
|
||||
- name: Run Microsoft Security DevOps
|
||||
uses: microsoft/security-devops-action@v1.6.0
|
||||
id: msdo
|
||||
- name: Upload results to Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
|
||||
@@ -7,6 +7,9 @@
|
||||
# Uses JFrog Xray to scan the project.
|
||||
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
|
||||
|
||||
# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file:
|
||||
# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
|
||||
name: "Frogbot Scan and Fix"
|
||||
on:
|
||||
push:
|
||||
@@ -21,36 +24,28 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
# Install prerequisites - uncomment the relevant one
|
||||
# IMPORTANT:
|
||||
# 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
|
||||
# 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
|
||||
# - uses: actions/setup-go@v3
|
||||
# with:
|
||||
# go-version: 1.17.x
|
||||
|
||||
# - uses: actions/setup-java@v3
|
||||
# with:
|
||||
# java-version: "11"
|
||||
# distribution: "temurin"
|
||||
|
||||
# - uses: actions/setup-node@v3
|
||||
# with:
|
||||
# node-version: "16.x"
|
||||
|
||||
|
||||
- uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694
|
||||
- uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716
|
||||
env:
|
||||
# [Mandatory]
|
||||
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
|
||||
JF_URL: ${{ secrets.FROGBOT_URL }}
|
||||
# JFrog platform URL
|
||||
JF_URL: ${{ secrets.JF_URL }}
|
||||
|
||||
# [Mandatory if JF_USER and JF_PASSWORD are not provided]
|
||||
# JFrog access token with 'read' permissions on Xray service
|
||||
JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }}
|
||||
JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
|
||||
|
||||
# [Mandatory]
|
||||
# The GitHub token automatically generated for the job
|
||||
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
# [Mandatory if using npm]
|
||||
# The command that installs the dependencies
|
||||
# JF_INSTALL_DEPS_CMD: "npm i"
|
||||
# [Mandatory if JF_ACCESS_TOKEN is not provided]
|
||||
# JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
|
||||
# JF_USER: ${{ secrets.JF_USER }}
|
||||
|
||||
# [Mandatory if JF_ACCESS_TOKEN is not provided]
|
||||
# JFrog password. Must be provided with JF_USER
|
||||
# JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
|
||||
@@ -7,6 +7,9 @@
|
||||
# Uses JFrog Xray to scan the project.
|
||||
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
|
||||
|
||||
# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file:
|
||||
# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
|
||||
name: "Frogbot Scan Pull Request"
|
||||
on:
|
||||
pull_request_target:
|
||||
@@ -19,57 +22,35 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
# A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
|
||||
# "frogbot" GitHub environment can approve the pull request to be scanned.
|
||||
# Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md
|
||||
environment: frogbot
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
|
||||
# Install prerequisites - uncomment the relevant ones
|
||||
# IMPORTANT:
|
||||
# 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
|
||||
# 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
|
||||
|
||||
# - uses: actions/setup-go@v3
|
||||
# with:
|
||||
# go-version: 1.17.x
|
||||
|
||||
# - uses: actions/setup-java@v3
|
||||
# with:
|
||||
# java-version: "11"
|
||||
# distribution: "temurin"
|
||||
|
||||
# - uses: actions/setup-node@v3
|
||||
# with:
|
||||
# node-version: "16.x"
|
||||
|
||||
# The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
|
||||
|
||||
- uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694
|
||||
- uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716
|
||||
env:
|
||||
# [Mandatory]
|
||||
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
|
||||
# JFrog platform URL
|
||||
JF_URL: ${{ secrets.JF_URL }}
|
||||
|
||||
# [Mandatory if JF_ACCESS_TOKEN is not provided]
|
||||
# JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
|
||||
JF_USER: ${{ secrets.JF_USER }}
|
||||
|
||||
# [Mandatory if JF_ACCESS_TOKEN is not provided]
|
||||
# JFrog password. Must be provided with JF_USER
|
||||
JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
|
||||
# [Mandatory if JF_USER and JF_PASSWORD are not provided]
|
||||
# JFrog access token with 'read' permissions on Xray service
|
||||
JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
|
||||
|
||||
# [Mandatory]
|
||||
# The GitHub token automatically generated for the job
|
||||
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
# [Mandatory if JF_USER and JF_PASSWORD are not provided]
|
||||
# JFrog access token with 'read' permissions on Xray service
|
||||
# JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
|
||||
# [Mandatory if JF_ACCESS_TOKEN is not provided]
|
||||
# JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
|
||||
# JF_USER: ${{ secrets.JF_USER }}
|
||||
|
||||
# [Mandatory when using npm]
|
||||
# The command that installs the dependencies
|
||||
# JF_INSTALL_DEPS_CMD: "npm i"
|
||||
|
||||
# [Mandatory when using .NET]
|
||||
# The command that installs the dependencies
|
||||
# JF_INSTALL_DEPS_CMD: "dotnet restore"
|
||||
|
||||
# The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
|
||||
# [Mandatory if JF_ACCESS_TOKEN is not provided]
|
||||
# JFrog password. Must be provided with JF_USER
|
||||
# JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Microsoft Defender For DevOps Scan",
|
||||
"creator": "Microsoft",
|
||||
"description": "Defender for DevOps helps integrate multiple tools with GitHub Advanced Security and sends the results to Defender for Cloud dashboard.",
|
||||
"iconName": "microsoft",
|
||||
"categories": ["Code Scanning", "HCL","Dockerfile", "Python", "JavaScript", "EcmaScript", "TypeScript"]
|
||||
}
|
||||
@@ -37,7 +37,7 @@ jobs:
|
||||
persist-credentials: false
|
||||
|
||||
- name: "Run analysis"
|
||||
uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
|
||||
uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
@@ -67,6 +67,6 @@ jobs:
|
||||
|
||||
# Upload the results to GitHub's code scanning dashboard.
|
||||
- name: "Upload to code-scanning"
|
||||
uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
|
||||
uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
Reference in New Issue
Block a user