From 6e8e5830e94403d54495f803067dd7653dabb0d2 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 11 Feb 2022 16:56:36 +0530 Subject: [PATCH 01/10] added token permissions --- deployments/azure-container-webapp.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index 57fe362..b6f339f 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -35,6 +35,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -63,6 +66,8 @@ jobs: file: ./Dockerfile deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 4657e39b91e5b80beea6f0cd14159141080b1f7d Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:39:54 +0530 Subject: [PATCH 02/10] Update azure-webapps-python.yml --- deployments/azure-webapps-python.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index 8605e0a..6c43c1e 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -29,6 +29,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -61,6 +64,8 @@ jobs: !venv/ deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From bd76c74da653b228e83d45fea3d40d65a6197095 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 15:51:52 +0530 Subject: [PATCH 03/10] Update azure-webapps-php.yml --- deployments/azure-webapps-php.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index a2dd57b..a4442cf 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml 
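Review bot: The `permissions` blocks added to deployments/azure-container-webapp.yml carry no comment explaining what each scope is for, which is the first thing a reader of a starter template needs; the identical additions in azure-webapps-python.yml (patch 02), azure-webapps-php.yml (03), azure-webapps-dotnet-core.yml (04), azure-webapps-java-jar.yml (05) and azure-webapps-node.yml (06) have the same gap. I would annotate the top-level block as `contents: read  # actions/checkout needs read access to fetch the repository` and the deploy job's block as `contents: none  # deploy steps authenticate to Azure with repository secrets, not GITHUB_TOKEN`. The deploy job's steps are outside this hunk, so whether any of them actually calls the GitHub API with GITHUB_TOKEN cannot be confirmed from here and should be checked before merging. The comment should also say that a job-level `permissions` block sets every scope it does not list to none, so the deploy job's token ends up with no access at all; that is the intent, but it surprises people who later add a step that needs the token.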
@@ -30,6 +30,9 @@ env: AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root PHP_VERSION: '8.x' # set this to the PHP version to use +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -74,6 +77,8 @@ jobs: path: . deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 53a9402455e3e377c93f0da9193a0f88b43645a7 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:39:47 +0530 Subject: [PATCH 04/10] Update azure-webapps-dotnet-core.yml --- deployments/azure-webapps-dotnet-core.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index ed45e22..758c6fa 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -30,6 +30,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -63,6 +66,8 @@ jobs: path: ${{env.DOTNET_ROOT}}/myapp deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 7b765747a5254b76a9408811ce5753c98f92a15f Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:41:42 +0530 Subject: [PATCH 05/10] Update azure-webapps-java-jar.yml --- deployments/azure-webapps-java-jar.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 210fd90..50d2679 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -29,6 +29,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -52,6 +55,8 @@ jobs: path: '${{ github.workspace }}/target/*.jar' deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From 5e58bc6ef64e268fc508e06ed061209248c11423 Mon Sep 17 00:00:00 2001 
From: Shubham malik Date: Sat, 19 Mar 2022 16:47:46 +0530 Subject: [PATCH 06/10] Update azure-webapps-node.yml --- deployments/azure-webapps-node.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index b6089d4..07cd361 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -28,6 +28,9 @@ env: AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root NODE_VERSION: '14.x' # set this to the node version to use +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -53,6 +56,8 @@ jobs: path: . deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: From b6633ec292d288db36de6e7d68e525bb129492c3 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Tue, 26 Apr 2022 22:00:20 -0700 Subject: [PATCH 07/10] Add starter workflow for hadolint --- code-scanning/hadolint.yml | 46 ++++++ .../properties/hadolint.properties.json | 6 + icons/hadolint.svg | 131 ++++++++++++++++++ 3 files changed, 183 insertions(+) create mode 100644 code-scanning/hadolint.yml create mode 100644 code-scanning/properties/hadolint.properties.json create mode 100644 icons/hadolint.svg diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml new file mode 100644 index 0000000..f941b95 --- /dev/null +++ b/code-scanning/hadolint.yml 
@@ -0,0 +1,46 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# hadoint is a Dockerfile linter written in Haskell +# that helps you build best practice Docker images. +# More details at https://github.com/hadolint/hadolint + +name: Hadolint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + hadolint: + name: Run hadolint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run hado-lint + uses: hadolint/hadolint-action@v2.1.0 + with: + dockerfile: ./Dockerfile + format: sarif + output-file: hadolint-results.sarif + no-fail: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: hadolint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/hadolint.properties.json b/code-scanning/properties/hadolint.properties.json new file mode 100644 index 0000000..b4f7141 --- /dev/null +++ b/code-scanning/properties/hadolint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Haskell Dockerfile Linter", + "description": "A smarter Dockerfile linter that helps you build best practice Docker images.", + "iconName": "hadolint", + "categories": ["Code Scanning", "Dockerfile"] +} \ No newline at end of file diff --git a/icons/hadolint.svg b/icons/hadolint.svg new file mode 100644 index 0000000..048b86c --- /dev/null +++ b/icons/hadolint.svg @@ -0,0 +1,131 @@ + + + + 
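Review bot: The header comment of the new code-scanning/hadolint.yml misspells the tool: `# hadoint is a Dockerfile linter written in Haskell` should read `# hadolint is a Dockerfile linter written in Haskell`. The `no-fail: true` option means the job stays green whatever hadolint finds, with results surfacing only through the SARIF upload to code scanning in the following step; that deserves an inline comment such as `no-fail: true  # findings are reported as code scanning alerts, not by failing the job`, because someone copying the template may expect the lint to block the build. Both hadolint.yml and properties/hadolint.properties.json are committed without a trailing newline, as the `\ No newline at end of file` markers show.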
From ee2bbcf8d8f90b72461d884114f1f2f427779fb1 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 2 May 2022 01:53:59 -0700 Subject: [PATCH 08/10] update step name --- code-scanning/hadolint.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index f941b95..fbbf914 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -27,11 +27,12 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + steps: - name: Checkout code uses: actions/checkout@v3 - - name: Run hado-lint + - name: Run hadolint uses: hadolint/hadolint-action@v2.1.0 with: dockerfile: ./Dockerfile From fc57d752748ceaef22641be7fa94b6a17e691e13 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 9 May 2022 11:16:42 -0700 Subject: [PATCH 09/10] use action commitment sha --- code-scanning/hadolint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index fbbf914..2f554e4 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -33,7 +33,7 @@ jobs: uses: actions/checkout@v3 - name: Run hadolint - uses: hadolint/hadolint-action@v2.1.0 + uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 with: dockerfile: ./Dockerfile format: sarif From a3f4ca426faa51fdc07d753951ef8aa85bfb635a Mon Sep 17 00:00:00 2001 From: Federico Builes Date: Mon, 16 May 2022 13:44:34 -0700 Subject: [PATCH 10/10] Fixing typo in dependency-review-action. --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 0e72a00..8966511 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml 
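Review bot: Pinning hadolint/hadolint-action to a full commit SHA removes the mutable-tag risk, but the line no longer tells the reader which release that commit is; keep the version as a trailing comment, `uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 # v2.1.0`, using the tag the commit replaces, so humans and update tooling can see when the pin drifts from the release. The first-party `actions/checkout@v3` in the same hunk is left on a tag, presumably deliberately for GitHub-owned actions; a one-line comment stating that convention would stop the file from looking inconsistent. The hadolint job's remaining steps lie outside the hunk.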
@@ -1,6 +1,6 @@ # Dependency Review Action # -# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement