diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml
new file mode 100644
index 0000000..696b4f8
--- /dev/null
+++ b/.github/auto_assign.yml
@@ -0,0 +1,17 @@
+# Set to true to add reviewers to pull requests
+addReviewers: true
+
+# Set to true to add assignees to pull requests
+addAssignees: false
+
+# A list of reviewers to be added to pull requests (GitHub user name)
+reviewers:
+ - phantsure
+ - anuragc617
+ - tiwarishub
+ - vsvipul
+ - bishal-pdmsft
+
+# A number of reviewers added to the pull request
+# Set 0 to add all the reviewers (default: 0)
+numberOfReviewers: 1
diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml
new file mode 100644
index 0000000..b8406e9
--- /dev/null
+++ b/.github/workflows/auto-assign-issues.yml
@@ -0,0 +1,15 @@
+name: Issue assignment
+
+on:
+ issues:
+ types: [opened]
+
+jobs:
+ auto-assign:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Auto-assign issue'
+ uses: pozil/auto-assign-issue@v1.4.0
+ with:
+ assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft
+ numOfAssignee: 1
diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml
new file mode 100644
index 0000000..4dcc612
--- /dev/null
+++ b/.github/workflows/auto-assign.yml
@@ -0,0 +1,10 @@
+name: 'Auto Assign'
+on:
+ pull_request:
+ types: [opened, ready_for_review]
+
+jobs:
+ add-reviews:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: kentaro-m/auto-assign-action@v1.2.1
diff --git a/.github/workflows/sync_ghes.yaml b/.github/workflows/sync-ghes.yaml
similarity index 100%
rename from .github/workflows/sync_ghes.yaml
rename to .github/workflows/sync-ghes.yaml
diff --git a/CODEOWNERS b/CODEOWNERS
index 8866d17..91153de 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,3 +1,3 @@
* @actions/starter-workflows
-/code-scanning/ @actions/advanced-security-code-scanning
+/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows
diff --git a/automation/greetings.yml b/automation/greetings.yml
index ee1cb11..18ba13f 100644
--- a/automation/greetings.yml
+++ b/automation/greetings.yml
@@ -1,6 +1,6 @@
name: Greetings
-on: [pull_request, issues]
+on: [pull_request_target, issues]
jobs:
greeting:
diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
index 7b6add3..2f68e66 100644
--- a/ci/docker-publish.yml
+++ b/ci/docker-publish.yml
@@ -41,9 +41,9 @@ jobs:
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
+ uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605
with:
- cosign-release: 'v1.4.0'
+ cosign-release: 'v1.7.1'
# Workaround: https://github.com/docker/build-push-action/issues/461
@@ -72,7 +72,7 @@ jobs:
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
- uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+ uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
@@ -90,4 +90,4 @@ jobs:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
- run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+ run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }}
diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml
index 170b3f6..00a78c7 100644
--- a/ci/dotnet-desktop.yml
+++ b/ci/dotnet-desktop.yml
@@ -105,7 +105,7 @@ jobs:
# Remove the pfx
- name: Remove the pfx
- run: Remove-Item -path $env:Wap_Project_Directory\$env:Signing_Certificate
+ run: Remove-Item -path $env:Wap_Project_Directory\GitHubActionsWorkflow.pfx
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
- name: Upload build artifacts
diff --git a/ci/erlang.yml b/ci/erlang.yml
index 20e269f..984b83a 100644
--- a/ci/erlang.yml
+++ b/ci/erlang.yml
@@ -6,6 +6,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
diff --git a/ci/go.yml b/ci/go.yml
index 6f498a6..bb3ec96 100644
--- a/ci/go.yml
+++ b/ci/go.yml
@@ -16,7 +16,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v3
with:
- go-version: 1.17
+ go-version: 1.18
- name: Build
run: go build -v ./...
diff --git a/ci/gradle.yml b/ci/gradle.yml
index 8e0d1e4..4642c75 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -13,6 +13,9 @@ on:
pull_request:
branches: [ $default-branch ]
+permissions:
+ contents: read
+
jobs:
build:
diff --git a/ci/ios.yml b/ci/ios.yml
index 5cec5e7..693a7d5 100644
--- a/ci/ios.yml
+++ b/ci/ios.yml
@@ -26,7 +26,7 @@ jobs:
platform: ${{ 'iOS Simulator' }}
run: |
# xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
- device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'`
+ device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
@@ -37,7 +37,7 @@ jobs:
platform: ${{ 'iOS Simulator' }}
run: |
# xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
- device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'`
+ device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
diff --git a/ci/msbuild.yml b/ci/msbuild.yml
index 3cd8f01..c50354e 100644
--- a/ci/msbuild.yml
+++ b/ci/msbuild.yml
@@ -15,6 +15,9 @@ env:
# https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
BUILD_CONFIGURATION: Release
+permissions:
+ contents: read
+
jobs:
build:
runs-on: windows-latest
diff --git a/ci/properties/rubyonrails.properties.json b/ci/properties/rubyonrails.properties.json
index 49b29a4..7a2c18a 100644
--- a/ci/properties/rubyonrails.properties.json
+++ b/ci/properties/rubyonrails.properties.json
@@ -1,5 +1,5 @@
{
- "name": "Ruby on Rails continuous integration",
+ "name": "Ruby on Rails",
"description": "Build, lint, and test a Rails application",
"iconName": "rails",
"categories": ["Continuous integration", "Ruby", "Rails"]
diff --git a/ci/python-publish.yml b/ci/python-publish.yml
index f55528c..ec70354 100644
--- a/ci/python-publish.yml
+++ b/ci/python-publish.yml
@@ -12,6 +12,9 @@ on:
release:
types: [published]
+permissions:
+ contents: read
+
jobs:
deploy:
diff --git a/ci/ruby.yml b/ci/ruby.yml
index 256aa14..81ea363 100644
--- a/ci/ruby.yml
+++ b/ci/ruby.yml
@@ -30,7 +30,7 @@ jobs:
# To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
# change this to (see https://github.com/ruby/setup-ruby#versioning):
# uses: ruby/setup-ruby@v1
- uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
+ uses: ruby/setup-ruby@2b019609e2b0f1ea1a2bc8ca11cb82ab46ada124
with:
ruby-version: ${{ matrix.ruby-version }}
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
index 64264e4..6f52d5d 100644
--- a/code-scanning/anchore.yml
+++ b/code-scanning/anchore.yml
@@ -40,6 +40,6 @@ jobs:
image: "localbuild/testimage:latest"
acs-report-enable: true
- name: Upload Anchore Scan Report
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml
index 4737d06..5a9b751 100644
--- a/code-scanning/apisec-scan.yml
+++ b/code-scanning/apisec-scan.yml
@@ -64,6 +64,6 @@ jobs:
# The name of the sarif format result file The file is written only if this property is provided.
sarif-result-file: "apisec-results.sarif"
- name: Import results
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./apisec-results.sarif
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml
index 3237551..155208f 100644
--- a/code-scanning/brakeman.yml
+++ b/code-scanning/brakeman.yml
@@ -52,6 +52,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: output.sarif.json
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
index d86d4f9..297cae0 100644
--- a/code-scanning/checkmarx.yml
+++ b/code-scanning/checkmarx.yml
@@ -49,6 +49,6 @@ jobs:
params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory
# Upload the Report for CodeQL/Security Alerts
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: cx.sarif
diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml
new file mode 100644
index 0000000..2e4ab3c
--- /dev/null
+++ b/code-scanning/clj-watson.yml
@@ -0,0 +1,53 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# clj-watson scans dependencies in a clojure deps.edn
+# seeking for vulnerable direct/transitive dependencies and
+# build a report with all the information needed to help you
+# understand how the vulnerability manifest in your software.
+# More details at https://github.com/clj-holmes/clj-watson
+
+name: clj-watson
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ clj-holmes:
+ name: Run clj-watson scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Dependency scan
+ uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c
+ with:
+ clj-watson-sha: "65d928c"
+ clj-watson-tag: "v4.0.1"
+ database-strategy: github-advisory
+ aliases: clojure-lsp,test
+ deps-edn-path: deps.edn
+ suggest-fix: true
+ output-type: sarif
+ output-file: clj-watson-results.sarif
+ fail-on-result: false
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{github.workspace}}/clj-watson-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml
index 0d6b3de..4a0cd73 100644
--- a/code-scanning/cloudrail.yml
+++ b/code-scanning/cloudrail.yml
@@ -50,7 +50,7 @@ jobs:
cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
# is needed to ensure the SARIF file is uploaded
if: always()
diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml
index 8100be8..b74e449 100644
--- a/code-scanning/codacy.yml
+++ b/code-scanning/codacy.yml
@@ -55,6 +55,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
index cd9a683..a113b59 100644
--- a/code-scanning/codeql.yml
+++ b/code-scanning/codeql.yml
@@ -34,7 +34,7 @@ jobs:
matrix:
language: [ $detected-codeql-languages ]
# CodeQL supports [ $supported-codeql-languages ]
- # Learn more about CodeQL language support at https://git.io/codeql-language-support
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
steps:
- name: Checkout repository
@@ -42,29 +42,31 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v1
+ uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
- # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
- uses: github/codeql-action/autobuild@v1
+ uses: github/codeql-action/autobuild@v2
# ℹ️ Command-line programs to run using the OS shell.
- # 📚 https://git.io/JvXDl
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
- #- run: |
- # make bootstrap
- # make release
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
+ uses: github/codeql-action/analyze@v2
diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml
index bc65eb0..92707b1 100644
--- a/code-scanning/codescan.yml
+++ b/code-scanning/codescan.yml
@@ -17,8 +17,14 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
CodeScan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- name: Checkout repository
@@ -37,6 +43,6 @@ jobs:
organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: codescan.sarif
diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml
new file mode 100644
index 0000000..8966511
--- /dev/null
+++ b/code-scanning/dependency-review.yml
@@ -0,0 +1,20 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v3
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v1
diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml
index 1118c3d..0c65813 100644
--- a/code-scanning/detekt.yml
+++ b/code-scanning/detekt.yml
@@ -111,7 +111,7 @@ jobs:
)" > ${{ github.workspace }}/detekt.sarif.json
# Uploads results to GitHub repository using the upload-sarif action
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: ${{ github.workspace }}/detekt.sarif.json
diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml
index e057348..bf11261 100644
--- a/code-scanning/devskim.yml
+++ b/code-scanning/devskim.yml
@@ -29,6 +29,6 @@ jobs:
uses: microsoft/DevSkim-Action@v1
- name: Upload DevSkim scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: devskim-results.sarif
diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml
new file mode 100644
index 0000000..9067a7d
--- /dev/null
+++ b/code-scanning/eslint.yml
@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# ESLint is a tool for identifying and reporting on patterns
+# found in ECMAScript/JavaScript code.
+# More details at https://github.com/eslint/eslint
+# and https://eslint.org
+
+name: ESLint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ eslint:
+ name: Run eslint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Install ESLint
+ run: |
+ npm install eslint@8.10.0
+ npm install @microsoft/eslint-formatter-sarif@2.1.7
+
+ - name: Run ESLint
+ run: npx eslint .
+ --config .eslintrc.js
+ --ext .js,.jsx,.ts,.tsx
+ --format @microsoft/eslint-formatter-sarif
+ --output-file eslint-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: eslint-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/flawfinder.yml b/code-scanning/flawfinder.yml
index 697e561..4ed8792 100644
--- a/code-scanning/flawfinder.yml
+++ b/code-scanning/flawfinder.yml
@@ -33,6 +33,6 @@ jobs:
output: 'flawfinder_results.sarif'
- name: Upload analysis results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{github.workspace}}/flawfinder_results.sarif
\ No newline at end of file
diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml
index 83f99c1..5e7c422 100644
--- a/code-scanning/fortify.yml
+++ b/code-scanning/fortify.yml
@@ -93,6 +93,6 @@ jobs:
# Import Fortify on Demand results to GitHub Security Code Scanning
- name: Import Results
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./gh-fortify-sast.sarif
diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml
new file mode 100644
index 0000000..2f554e4
--- /dev/null
+++ b/code-scanning/hadolint.yml
@@ -0,0 +1,47 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# hadoint is a Dockerfile linter written in Haskell
+# that helps you build best practice Docker images.
+# More details at https://github.com/hadolint/hadolint
+
+name: Hadolint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ hadolint:
+ name: Run hadolint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run hadolint
+ uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183
+ with:
+ dockerfile: ./Dockerfile
+ format: sarif
+ output-file: hadolint-results.sarif
+ no-fail: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: hadolint-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml
index 81ebaa7..c432673 100644
--- a/code-scanning/kubesec.yml
+++ b/code-scanning/kubesec.yml
@@ -36,6 +36,6 @@ jobs:
exit-code: "0"
- name: Upload Kubesec scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: kubesec-results.sarif
\ No newline at end of file
diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml
index ed424f1..64fe71a 100644
--- a/code-scanning/mayhem-for-api.yml
+++ b/code-scanning/mayhem-for-api.yml
@@ -61,6 +61,6 @@ jobs:
sarif-report: mapi.sarif
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: mapi.sarif
diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml
index 96655af..6d2bfb8 100644
--- a/code-scanning/mobsf.yml
+++ b/code-scanning/mobsf.yml
@@ -37,6 +37,6 @@ jobs:
args: . --sarif --output results.sarif || true
- name: Upload mobsfscan report
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml
index 13e58ef..863fbcb 100644
--- a/code-scanning/msvc.yml
+++ b/code-scanning/msvc.yml
@@ -53,7 +53,7 @@ jobs:
# Upload SARIF file to GitHub Code Scanning Alerts
- name: Upload SARIF to GitHub
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml
new file mode 100644
index 0000000..e24e14a
--- /dev/null
+++ b/code-scanning/neuralegion.yml
@@ -0,0 +1,175 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Run a Nexploit Scan
+# This action runs a new security scan in Nexploit, or reruns an existing one.
+# Build Secure Apps & APIs. Fast.
+# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love.
+# Automatically Tests Every Aspect of Your Apps & APIs
+# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports
+# Seamlessly integrates with the Tools and Workflows You Already Use
+#
+# NeuraLegion works with your existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing.
+# Spin-Up, Configure and Control Scans with Code
+# One file. One command. One scan. No UI needed.
+#
+# Super-Fast Scans
+#
+# Interacts with applications and APIs, instead of just crawling them and guessing.
+# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks.
+#
+# No False Positives
+#
+# Stop chasing ghosts and wasting time. NeuraLegion doesn’t return false positives, so you can focus on releasing code.
+#
+# Comprehensive Security Testing
+#
+# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities.
+#
+# More information is available on NeuraLegion’s:
+# * [Website](https://www.neuralegion.com/)
+# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart)
+# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw)
+# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+)
+#
+# Inputs
+#
+# `name`
+#
+# **Required**. Scan name.
+#
+# _Example:_ `name: GitHub scan ${{ github.sha }}`
+#
+# `api_token`
+#
+# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens).
+#
+# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}`
+#
+# `restart_scan`
+#
+# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements.
+#
+# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)`
+#
+# `discovery_types`
+#
+# **Required**. Array of discovery types. The following types are available:
+# * `archive` - uses an uploaded HAR-file for a scan
+# * `crawler` - uses a crawler to define the attack surface for a scan
+# * `oas` - uses an uploaded OpenAPI schema for a scan
+# If no discovery type is specified, `crawler` is applied by default.
+#
+# _Example:_
+#
+# ```yml
+# discovery_types: |
+# [ "crawler", "archive" ]
+# ```
+#
+# `file_id`
+#
+# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login).
+#
+# _Example:_
+#
+# ```
+# FILE_ID=$(nexploit-cli archive:upload \
+# --token ${{ secrets.NEXPLOIT_TOKEN }} \
+# --discard true \
+# ./example.har)
+# ```
+#
+# `crawler_urls`
+#
+# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface.
+#
+# _Example:_
+#
+# ```
+# crawler_urls: |
+# [ "http://vulnerable-bank.com" ]
+# ```
+#
+# `hosts_filter`
+#
+# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan.
+#
+# Outputs
+#
+# `url`
+#
+# Url of the resulting scan
+#
+# `id`
+#
+# ID of the created scan. This ID could then be used to restart the scan, or for the following GitHub actions:
+# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues)
+# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan)
+#
+# Example usage
+#
+# Start a new scan with parameters
+#
+# ```yml
+# steps:
+# - name: Start Nexploit Scan
+# id: start
+# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+# with:
+# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
+# name: GitHub scan ${{ github.sha }}
+# discovery_types: |
+# [ "crawler", "archive" ]
+# crawler_urls: |
+# [ "http://vulnerable-bank.com" ]
+# file_id: LiYknMYSdbSZbqgMaC9Sj
+# hosts_filter: |
+# [ ]
+# - name: Get the output scan url
+# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
+# ```
+#
+# Restart an existing scan
+#
+# ```yml
+# steps:
+# - name: Start Nexploit Scan
+# id: start
+# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+# with:
+# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
+# name: GitHub scan ${{ github.sha }}
+# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ
+# - name: Get the output scan url
+# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
+
+
+name: "NeuraLegion"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ neuralegion_scan:
+ runs-on: ubuntu-18.04
+ name: A job to run a Nexploit scan
+ steps:
+ - uses: actions/checkout@v2
+ - name: Start Nexploit Scan 🏁
+ id: start
+ uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+ with:
+ api_token: ${{ secrets.NEURALEGION_TOKEN }}
+ name: GitHub scan ${{ github.sha }}
+ discovery_types: |
+ [ "crawler" ]
+ crawler_urls: |
+ [ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan
diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml
index 16ade3b..8c359b8 100644
--- a/code-scanning/njsscan.yml
+++ b/code-scanning/njsscan.yml
@@ -36,6 +36,6 @@ jobs:
with:
args: '. --sarif --output results.sarif || true'
- name: Upload njsscan report
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/nowsecure.yml b/code-scanning/nowsecure.yml
index fbca537..7b5ba8f 100644
--- a/code-scanning/nowsecure.yml
+++ b/code-scanning/nowsecure.yml
@@ -47,6 +47,6 @@ jobs:
group_id: {{ groupId }} # Update this to your desired Platform group ID
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: NowSecure.sarif
diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml
index a6f6aa7..cbef5a2 100644
--- a/code-scanning/ossar.yml
+++ b/code-scanning/ossar.yml
@@ -17,10 +17,16 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
OSSAR-Scan:
# OSSAR runs on windows-latest.
# ubuntu-latest and macos-latest support coming soon
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: windows-latest
steps:
@@ -44,6 +50,6 @@ jobs:
# Upload results to the Security tab
- name: Upload OSSAR results
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml
index cd88c34..a1e32c4 100644
--- a/code-scanning/pmd.yml
+++ b/code-scanning/pmd.yml
@@ -13,8 +13,14 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
pmd-code-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
@@ -31,6 +37,6 @@ jobs:
sourcePath: 'src/main/java'
analyzeModifiedFilesOnly: false
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: pmd-report.sarif
diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml
index e70dd96..1d72a9b 100644
--- a/code-scanning/powershell.yml
+++ b/code-scanning/powershell.yml
@@ -17,8 +17,14 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: PSScriptAnalyzer
runs-on: ubuntu-latest
steps:
@@ -37,6 +43,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml
index 07be948..6f2031b 100644
--- a/code-scanning/prisma.yml
+++ b/code-scanning/prisma.yml
@@ -48,7 +48,7 @@ jobs:
# The service need to know the type of IaC being scanned
template_type: 'CFT'
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed.
diff --git a/code-scanning/properties/clj-watson.properties.json b/code-scanning/properties/clj-watson.properties.json
new file mode 100644
index 0000000..966314a
--- /dev/null
+++ b/code-scanning/properties/clj-watson.properties.json
@@ -0,0 +1,9 @@
+{
+ "name": "clj-watson",
+ "description": "Scan Clojure/Clojurescript projects for vulnerable direct/transitive dependencies.",
+ "iconName": "clj-watson",
+ "categories": [
+ "Code Scanning",
+ "Clojure"
+ ]
+}
diff --git a/code-scanning/properties/dependency-review.properties.json b/code-scanning/properties/dependency-review.properties.json
new file mode 100644
index 0000000..c195c73
--- /dev/null
+++ b/code-scanning/properties/dependency-review.properties.json
@@ -0,0 +1,16 @@
+{
+ "name": "Dependency Review",
+ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository",
+ "iconName": "octicon mark-github",
+ "categories": [
+ "Dependency review",
+ "Dependency graph",
+ "Go",
+ "Java",
+ "JavaScript",
+ "TypeScript",
+ "Python",
+ "Ruby",
+ "Actions",
+ "PHP"]
+}
diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json
new file mode 100644
index 0000000..a84646a
--- /dev/null
+++ b/code-scanning/properties/eslint.properties.json
@@ -0,0 +1,11 @@
+{
+ "name": "ESLint",
+ "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.",
+ "iconName": "eslint",
+ "categories": [
+ "Code Scanning",
+ "JavaScript",
+ "EcmaScript",
+ "TypeScript"
+ ]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/hadolint.properties.json b/code-scanning/properties/hadolint.properties.json
new file mode 100644
index 0000000..b4f7141
--- /dev/null
+++ b/code-scanning/properties/hadolint.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "Haskell Dockerfile Linter",
+ "description": "A smarter Dockerfile linter that helps you build best practice Docker images.",
+ "iconName": "hadolint",
+ "categories": ["Code Scanning", "Dockerfile"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/neuralegion.properties.json b/code-scanning/properties/neuralegion.properties.json
new file mode 100644
index 0000000..ee64a52
--- /dev/null
+++ b/code-scanning/properties/neuralegion.properties.json
@@ -0,0 +1,24 @@
+{
+ "name": "NeuraLegion",
+ "creator": "NeuraLegion",
+ "description": "Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports",
+ "iconName": "neuralegion",
+ "categories": [
+ "Code Scanning",
+ "C",
+ "C#",
+ "C++",
+ "Go",
+ "Java",
+ "JavaScript",
+ "Kotlin",
+ "Objective C",
+ "PHP",
+ "Python",
+ "Ruby",
+ "Rust",
+ "Scala",
+ "Swift",
+ "TypeScript"
+ ]
+}
diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json
new file mode 100644
index 0000000..4737786
--- /dev/null
+++ b/code-scanning/properties/rust-clippy.properties.json
@@ -0,0 +1,9 @@
+{
+ "name": "rust-clippy",
+ "description": "A collection of lints to catch common mistakes and improve your Rust code.",
+ "iconName": "rust",
+ "categories": [
+ "Code Scanning",
+ "rust"
+ ]
+}
diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json
deleted file mode 100644
index 1cb36c9..0000000
--- a/code-scanning/properties/shiftleft.properties.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "name": "Scan",
- "creator": "ShiftLeft",
- "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.",
- "iconName": "shiftleft",
- "categories": ["Code Scanning"]
-}
\ No newline at end of file
diff --git a/code-scanning/properties/sobelow.properties.json b/code-scanning/properties/sobelow.properties.json
new file mode 100644
index 0000000..163e866
--- /dev/null
+++ b/code-scanning/properties/sobelow.properties.json
@@ -0,0 +1,11 @@
+{
+ "name": "Sobelow",
+ "creator": "nccgroup",
+ "description": "Sobelow is a security-focused static analysis tool for the Phoenix framework.",
+ "iconName": "sobelow",
+ "categories": [
+ "Code Scanning",
+ "Elixir"
+ ]
+ }
+
\ No newline at end of file
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
new file mode 100644
index 0000000..9b88a78
--- /dev/null
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SonarCloud",
+ "creator": "Sonar",
+ "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!",
+ "iconName": "sonarcloud",
+ "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
+}
diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml
index 4ab8001..ed458b2 100644
--- a/code-scanning/rubocop.yml
+++ b/code-scanning/rubocop.yml
@@ -47,6 +47,6 @@ jobs:
"
- name: Upload Sarif output
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: rubocop.sarif
diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml
new file mode 100644
index 0000000..e9c426a
--- /dev/null
+++ b/code-scanning/rust-clippy.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# rust-clippy is a tool that runs a bunch of lints to catch common
+# mistakes in your Rust code and help improve your Rust code.
+# More details at https://github.com/rust-lang/rust-clippy
+# and https://rust-lang.github.io/rust-clippy/
+
+name: rust-clippy analyze
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ rust-clippy-analyze:
+ name: Run rust-clippy analyzing
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Install Rust toolchain
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1
+ with:
+ profile: minimal
+ toolchain: stable
+ components: clippy
+ override: true
+
+ - name: Install required cargo
+ run: cargo install clippy-sarif sarif-fmt
+
+ - name: Run rust-clippy
+ run:
+ cargo clippy
+ --all-features
+ --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: rust-clippy-results.sarif
+ wait-for-processing: true
\ No newline at end of file
diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml
index 0b2fa57..b6ee5ad 100644
--- a/code-scanning/securitycodescan.yml
+++ b/code-scanning/securitycodescan.yml
@@ -38,4 +38,4 @@ jobs:
uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
- name: Upload sarif
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml
index 86c3647..fae9885 100644
--- a/code-scanning/semgrep.yml
+++ b/code-scanning/semgrep.yml
@@ -42,7 +42,7 @@ jobs:
# Upload SARIF file generated in previous step
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: semgrep.sarif
if: always()
diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml
deleted file mode 100644
index d1154d1..0000000
--- a/code-scanning/shiftleft.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow integrates Scan with GitHub's code scanning feature
-# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
-# Visit https://slscan.io/en/latest/integrations/code-scan for help
-name: SL Scan
-
-on:
- push:
- branches: [ $default-branch, $protected-branches ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ $default-branch ]
- schedule:
- - cron: $cron-weekly
-
-jobs:
- Scan-Build:
- # Scan runs on ubuntu, mac and windows
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- # Instructions
- # 1. Setup JDK, Node.js, Python etc depending on your project type
- # 2. Compile or build the project before invoking scan
- # Example: mvn compile, or npm install or pip install goes here
- # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
-
- - name: Perform Scan
- uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64
- env:
- WORKSPACE: ""
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SCAN_AUTO_BUILD: true
- with:
- output: reports
- # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
- # type: credscan,java
- # type: python
-
- - name: Upload report
- uses: github/codeql-action/upload-sarif@v1
- with:
- sarif_file: reports
diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml
index 48ccbe9..0fbbf87 100644
--- a/code-scanning/snyk-container.yml
+++ b/code-scanning/snyk-container.yml
@@ -22,8 +22,14 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
snyk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
@@ -43,6 +49,6 @@ jobs:
image: your/image-to-test
args: --file=Dockerfile
- name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml
index 2799bfc..a685323 100644
--- a/code-scanning/snyk-infrastructure.yml
+++ b/code-scanning/snyk-infrastructure.yml
@@ -21,8 +21,14 @@ on:
schedule:
- cron: $cron-weekly
+permissions:
+ contents: read
+
jobs:
snyk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
@@ -42,6 +48,6 @@ jobs:
# or `main.tf` for a Terraform configuration file
file: your-file-to-test.yaml
- name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml
new file mode 100644
index 0000000..21cb6e7
--- /dev/null
+++ b/code-scanning/sobelow.yml
@@ -0,0 +1,40 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/
+#
+# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository.
+#
+# Instructions:
+# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
+# and review the "Security" tab once the action has run.
+name: Sobelow
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ security-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - id: run-action
+ uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912
+ - name: Upload report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
new file mode 100644
index 0000000..ff388c8
--- /dev/null
+++ b/code-scanning/sonarcloud.yml
@@ -0,0 +1,68 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow helps you trigger a SonarCloud analysis of your code and populates
+# GitHub Code Scanning alerts with the vulnerabilities found.
+# Free for open source project.
+
+# 1. Login to SonarCloud.io using your GitHub account
+
+# 2. Import your project on SonarCloud
+# * Add your GitHub organization first, then add your repository as a new project.
+# * Please note that many languages are eligible for automatic analysis,
+# which means that the analysis will start automatically without the need to set up GitHub Actions.
+# * This behavior can be changed in Administration > Analysis Method.
+#
+# 3. Follow the SonarCloud in-product tutorial
+# * a. Copy/paste the Project Key and the Organization Key into the args parameter below
+# (You'll find this information in SonarCloud. Click on "Information" at the bottom left)
+#
+# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
+# (On SonarCloud, click on your avatar on top-right > My account > Security
+# or go directly to https://sonarcloud.io/account/security/)
+
+# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
+# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
+
+name: SonarCloud analysis
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ workflow_dispatch:
+
+permissions:
+ pull-requests: read # allows SonarCloud to decorate PRs with analysis results
+
+jobs:
+ Analysis:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Analyze with SonarCloud
+
+ # You can pin the exact commit or the version.
+ # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
+ with:
+ # Additional arguments for the sonarcloud scanner
+ args:
+ # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
+ # mandatory
+ -Dsonar.projectKey=
+ -Dsonar.organization=
+ # Comma-separated paths to directories containing main source files.
+ #-Dsonar.sources= # optional, default is project base directory
+ # When you need the analysis to take place in a directory other than the one from which it was launched
+ #-Dsonar.projectBaseDir= # optional, default is .
+ # Comma-separated paths to directories containing test source files.
+ #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+ #-Dsonar.verbose= # optional, default is false
diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml
index c73eb17..c32334c 100644
--- a/code-scanning/synopsys-io.yml
+++ b/code-scanning/synopsys-io.yml
@@ -71,7 +71,7 @@ jobs:
- name: Upload SARIF file
if: ${{steps.prescription.outputs.sastScan == 'true' }}
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: workflowengine-results.sarif.json
diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml
index 92082e5..f075a80 100644
--- a/code-scanning/sysdig-scan.yml
+++ b/code-scanning/sysdig-scan.yml
@@ -54,7 +54,7 @@ jobs:
# Sysdig inline scanner requires privileged rights
run-as-user: root
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
#Upload SARIF file
if: always()
with:
diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml
index 10a77ab..6536fbe 100644
--- a/code-scanning/tfsec.yml
+++ b/code-scanning/tfsec.yml
@@ -32,7 +32,7 @@ jobs:
sarif_file: tfsec.sarif
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: tfsec.sarif
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index d6633be..06b5cae 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -42,6 +42,6 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml
index 2ce3212..b8a5b37 100644
--- a/code-scanning/veracode.yml
+++ b/code-scanning/veracode.yml
@@ -52,7 +52,7 @@ jobs:
uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
with:
pipeline-results-json: results.json
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: veracode-results.sarif
diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml
index c20c741..3462eaa 100644
--- a/code-scanning/xanitizer.yml
+++ b/code-scanning/xanitizer.yml
@@ -42,9 +42,15 @@ on:
- cron: $cron-weekly
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
xanitizer-security-analysis:
# Xanitizer runs on ubuntu-latest and windows-latest.
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
@@ -88,6 +94,6 @@ jobs:
*-Findings-List.sarif
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
- - uses: github/codeql-action/upload-sarif@v1
+ - uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: Xanitizer-Findings-List.sarif
diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml
index 841a2fd..d7c27d9 100644
--- a/deployments/alibabacloud.yml
+++ b/deployments/alibabacloud.yml
@@ -40,6 +40,9 @@ env:
ACR_EE_IMAGE: repo
ACR_EE_TAG: ${{ github.sha }}
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
diff --git a/deployments/aws.yml b/deployments/aws.yml
index fe5e076..47253bf 100644
--- a/deployments/aws.yml
+++ b/deployments/aws.yml
@@ -41,6 +41,9 @@ env:
CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the
# containerDefinitions section of your task definition
+permissions:
+ contents: read
+
jobs:
deploy:
name: Deploy
diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml
index c882bde..8b69065 100644
--- a/deployments/azure-container-webapp.yml
+++ b/deployments/azure-container-webapp.yml
@@ -35,6 +35,9 @@ on:
- $default-branch
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -63,6 +66,8 @@ jobs:
file: ./Dockerfile
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml
index 948e7db..510abcd 100644
--- a/deployments/azure-kubernetes-service-helm.yml
+++ b/deployments/azure-kubernetes-service-helm.yml
@@ -9,17 +9,17 @@
# To configure this workflow:
#
# 1. Set the following secrets in your repository (instructions for getting these
-# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
-# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
#
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm.
# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration.
@@ -48,12 +48,10 @@ env:
CHART_OVERRIDE_PATH: "your-chart-override-path"
jobs:
- build:
+ buildImage:
permissions:
- actions: read
contents: read
id-token: write
-
runs-on: ubuntu-latest
steps:
# Checks out the repository this file is in
@@ -72,6 +70,20 @@ jobs:
run: |
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- name: Get K8s context
uses: azure/aks-set-context@v2.0
@@ -85,7 +97,9 @@ jobs:
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
echo "::set-output name=password::${ACR_PASSWORD}"
id: get-acr-creds
@@ -96,7 +110,30 @@ jobs:
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
# Runs Helm to create manifest files
- name: Bake deployment
@@ -112,11 +149,11 @@ jobs:
# Deploys application based on manifest files from previous step
- name: Deploy application
- uses: Azure/k8s-deploy@v3.0
+ uses: Azure/k8s-deploy@v3.1
with:
action: deploy
manifests: ${{ steps.bake.outputs.manifestsBundle }}
images: |
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
\ No newline at end of file
diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml
index 7c25319..0cf23ba 100644
--- a/deployments/azure-kubernetes-service-kompose.yml
+++ b/deployments/azure-kubernetes-service-kompose.yml
@@ -9,17 +9,17 @@
# To configure this workflow:
#
# 1. Set the following secrets in your repository (instructions for getting these
-# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
-# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
#
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose.
# Set your dockerComposeFile and kompose-version to suit your configuration.
@@ -40,12 +40,10 @@ env:
DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path"
jobs:
- build:
+ buildImage:
permissions:
- actions: read
contents: read
id-token: write
-
runs-on: ubuntu-latest
steps:
# Checks out the repository this file is in
@@ -63,7 +61,21 @@ jobs:
- name: Build and push image to ACR
run: |
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
-
+
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- name: Get K8s context
uses: azure/aks-set-context@v2.0
@@ -77,7 +89,9 @@ jobs:
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
echo "::set-output name=password::${ACR_PASSWORD}"
id: get-acr-creds
@@ -88,7 +102,33 @@ jobs:
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
# Runs Kompose to create manifest files
- name: Bake deployment
@@ -101,11 +141,11 @@ jobs:
# Deploys application based on manifest files from previous step
- name: Deploy application
- uses: Azure/k8s-deploy@v3.0
+ uses: Azure/k8s-deploy@v3.1
with:
action: deploy
manifests: ${{ steps.bake.outputs.manifestsBundle }}
images: |
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
\ No newline at end of file
diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml
index f6928d0..14469db 100644
--- a/deployments/azure-kubernetes-service-kustomize.yml
+++ b/deployments/azure-kubernetes-service-kustomize.yml
@@ -9,17 +9,17 @@
# To configure this workflow:
#
# 1. Set the following secrets in your repository (instructions for getting these
-# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
-# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
#
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize.
# Set your kustomizationPath and kubectl-version to suit your configuration.
@@ -46,12 +46,10 @@ env:
KUSTOMIZE_PATH: "your-kustomize-path"
jobs:
- build:
+ buildImage:
permissions:
- actions: read
contents: read
id-token: write
-
runs-on: ubuntu-latest
steps:
# Checks out the repository this file is in
@@ -69,6 +67,23 @@ jobs:
- name: Build and push image to ACR
run: |
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- name: Get K8s context
@@ -83,7 +98,9 @@ jobs:
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
echo "::set-output name=password::${ACR_PASSWORD}"
id: get-acr-creds
@@ -94,7 +111,33 @@ jobs:
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
# Runs Kustomize to create manifest files
- name: Bake deployment
@@ -107,11 +150,11 @@ jobs:
# Deploys application based on manifest files from previous step
- name: Deploy application
- uses: Azure/k8s-deploy@v3.0
+ uses: Azure/k8s-deploy@v3.1
with:
action: deploy
manifests: ${{ steps.bake.outputs.manifestsBundle }}
images: |
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
\ No newline at end of file
diff --git a/deployments/azure-kubernetes-service.yml b/deployments/azure-kubernetes-service.yml
index bb513d4..d04a2ac 100644
--- a/deployments/azure-kubernetes-service.yml
+++ b/deployments/azure-kubernetes-service.yml
@@ -8,8 +8,7 @@
#
# To configure this workflow:
#
-# 1. Set the following secrets in your repository (instructions for getting these
-# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
+# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
@@ -19,7 +18,7 @@
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - SECRET_NAME (name of the secret associated with pulling your ACR image)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment)
#
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
@@ -43,12 +42,10 @@ env:
DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path'
jobs:
- build:
+ buildImage:
permissions:
- actions: read
contents: read
id-token: write
-
runs-on: ubuntu-latest
steps:
# Checks out the repository this file is in
@@ -67,6 +64,20 @@ jobs:
run: |
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- name: Get K8s context
uses: azure/aks-set-context@v2.0
@@ -80,7 +91,9 @@ jobs:
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
echo "::set-output name=password::${ACR_PASSWORD}"
id: get-acr-creds
@@ -93,13 +106,39 @@ jobs:
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.3
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v2.0
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
# Deploys application based on given manifest file
- name: Deploys application
- uses: Azure/k8s-deploy@v3.0
+ uses: Azure/k8s-deploy@v3.1
with:
action: deploy
manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
images: |
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
\ No newline at end of file
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml
index 3357dc8..0b59686 100644
--- a/deployments/azure-webapps-dotnet-core.yml
+++ b/deployments/azure-webapps-dotnet-core.yml
@@ -30,6 +30,9 @@ on:
- $default-branch
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -63,6 +66,8 @@ jobs:
path: ${{env.DOTNET_ROOT}}/myapp
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml
index 5f58dbf..6e3df8d 100644
--- a/deployments/azure-webapps-java-jar.yml
+++ b/deployments/azure-webapps-java-jar.yml
@@ -22,6 +22,7 @@ name: Build and deploy JAR app to Azure Web App
env:
AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
JAVA_VERSION: '11' # set this to the Java version to use
+ DISTRIBUTION: zulu # set this to the Java distribution
on:
push:
@@ -29,6 +30,9 @@ on:
- $default-branch
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -40,6 +44,7 @@ jobs:
uses: actions/setup-java@v3.0.0
with:
java-version: ${{ env.JAVA_VERSION }}
+ distribution: ${{ env.DISTRIBUTION }}
cache: 'maven'
- name: Build with Maven
@@ -52,6 +57,8 @@ jobs:
path: '${{ github.workspace }}/target/*.jar'
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml
index c967bdb..1480c92 100644
--- a/deployments/azure-webapps-node.yml
+++ b/deployments/azure-webapps-node.yml
@@ -28,6 +28,9 @@ env:
AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
NODE_VERSION: '14.x' # set this to the node version to use
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -53,6 +56,8 @@ jobs:
path: .
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml
index 04f55f4..98e8dc7 100644
--- a/deployments/azure-webapps-php.yml
+++ b/deployments/azure-webapps-php.yml
@@ -30,6 +30,9 @@ env:
AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
PHP_VERSION: '8.x' # set this to the PHP version to use
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -74,6 +77,8 @@ jobs:
path: .
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml
index af6a9dd..50f4823 100644
--- a/deployments/azure-webapps-python.yml
+++ b/deployments/azure-webapps-python.yml
@@ -29,6 +29,9 @@ on:
- $default-branch
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -61,6 +64,8 @@ jobs:
!venv/
deploy:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
needs: build
environment:
diff --git a/deployments/tencent.yml b/deployments/tencent.yml
index 2bf2a68..4e9e9f6 100644
--- a/deployments/tencent.yml
+++ b/deployments/tencent.yml
@@ -27,6 +27,9 @@ env:
TKE_CLUSTER_ID: cls-mywebapp
DEPLOYMENT_NAME: tke-test
+permissions:
+ contents: read
+
jobs:
setup-build-publish-deploy:
name: Setup, Build, Publish, and Deploy
diff --git a/deployments/terraform.yml b/deployments/terraform.yml
index 96e44e0..53efe48 100644
--- a/deployments/terraform.yml
+++ b/deployments/terraform.yml
@@ -50,6 +50,9 @@ on:
- $default-branch
pull_request:
+permissions:
+ contents: read
+
jobs:
terraform:
name: 'Terraform'
@@ -82,10 +85,10 @@ jobs:
# Generates an execution plan for Terraform
- name: Terraform Plan
- run: terraform plan
+ run: terraform plan -input=false
# On push to $default-branch, build or change infrastructure according to Terraform configuration files
# Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
- name: Terraform Apply
if: github.ref == 'refs/heads/$default-branch' && github.event_name == 'push'
- run: terraform apply -auto-approve
+ run: terraform apply -auto-approve -input=false
diff --git a/icons/clj-watson.svg b/icons/clj-watson.svg
new file mode 100644
index 0000000..74459e5
--- /dev/null
+++ b/icons/clj-watson.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/eslint.svg b/icons/eslint.svg
new file mode 100644
index 0000000..23964aa
--- /dev/null
+++ b/icons/eslint.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/hadolint.svg b/icons/hadolint.svg
new file mode 100644
index 0000000..048b86c
--- /dev/null
+++ b/icons/hadolint.svg
@@ -0,0 +1,131 @@
+
+
+
diff --git a/icons/neuralegion.svg b/icons/neuralegion.svg
new file mode 100644
index 0000000..0534225
--- /dev/null
+++ b/icons/neuralegion.svg
@@ -0,0 +1,57 @@
+
+
+
diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg
deleted file mode 100644
index f8e944a..0000000
--- a/icons/shiftleft.svg
+++ /dev/null
@@ -1,6 +0,0 @@
-
diff --git a/icons/sobelow.svg b/icons/sobelow.svg
new file mode 100644
index 0000000..4d243ea
--- /dev/null
+++ b/icons/sobelow.svg
@@ -0,0 +1,20 @@
+
+
+
diff --git a/icons/sonarcloud.svg b/icons/sonarcloud.svg
new file mode 100644
index 0000000..5f946d2
--- /dev/null
+++ b/icons/sonarcloud.svg
@@ -0,0 +1,20 @@
+
+
+
diff --git a/script/validate-data/index.ts b/script/validate-data/index.ts
index 7dce3d1..4bd260d 100755
--- a/script/validate-data/index.ts
+++ b/script/validate-data/index.ts
@@ -1,7 +1,7 @@
#!/usr/bin/env npx ts-node
import { promises as fs } from "fs";
import { safeLoad } from "js-yaml";
-import { basename, extname, join } from "path";
+import { basename, extname, join, dirname } from "path";
import { Validator as validator } from "jsonschema";
import { endGroup, error, info, setFailed, startGroup } from '@actions/core';
@@ -14,6 +14,7 @@ interface WorkflowWithErrors {
interface WorkflowProperties {
name: string;
description: string;
+ creator: string;
iconName: string;
categories: string[];
}
@@ -40,7 +41,7 @@ const propertiesSchema = {
}
}
-async function checkWorkflows(folders: string[], allowed_categories: string[]): Promise {
+async function checkWorkflows(folders: string[], allowed_categories: object[]): Promise {
const result: WorkflowWithErrors[] = []
const workflow_template_names = new Set()
for (const folder of folders) {
@@ -69,7 +70,7 @@ async function checkWorkflows(folders: string[], allowed_categories: string[]):
return result;
}
-async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: string[]): Promise {
+async function checkWorkflow(workflowPath: string, propertiesPath: string, allowed_categories: object[]): Promise {
let workflowErrors: WorkflowWithErrors = {
id: workflowPath,
name: null,
@@ -104,9 +105,19 @@ async function checkWorkflow(workflowPath: string, propertiesPath: string, allow
}
}
- if (!workflowPath.endsWith("blank.yml") && (!properties.categories ||
- !properties.categories.some(category => allowed_categories.some(ac => ac.toLowerCase() == category.toLowerCase())))) {
- workflowErrors.errors.push(`Workflow does not contain at least one allowed category - ${allowed_categories}`)
+ var path = dirname(workflowPath)
+ var folder_categories = allowed_categories.find( category => category["path"] == path)["categories"]
+ if (!workflowPath.endsWith("blank.yml")) {
+ if(!properties.categories || properties.categories.length == 0) {
+ workflowErrors.errors.push(`Workflow categories cannot be null or empty`)
+ }
+ else if(!folder_categories.some(category => properties.categories[0].toLowerCase() == category.toLowerCase())) {
+ workflowErrors.errors.push(`The first category in properties.json categories for workflow in ${basename(path)} folder must be one of "${folder_categories}. Either move the workflow to an appropriate directory or change the category."`)
+ }
+ }
+
+ if(basename(path).toLowerCase() == 'deployments' && !properties.creator) {
+ workflowErrors.errors.push(`The "creator" in properties.json must be present.`)
}
} catch (e) {
workflowErrors.errors.push(e.toString())
diff --git a/script/validate-data/settings.json b/script/validate-data/settings.json
index ce89e36..852f575 100644
--- a/script/validate-data/settings.json
+++ b/script/validate-data/settings.json
@@ -5,10 +5,22 @@
"../../deployments",
"../../code-scanning"
],
- "allowed_categories" : [
- "Continuous integration",
- "Deployment",
- "Code Scanning",
- "Automation"
+ "allowed_categories": [
+ {
+ "path": "../../ci",
+ "categories": ["Continuous integration"]
+ },
+ {
+ "path": "../../automation",
+ "categories": ["Automation"]
+ },
+ {
+ "path": "../../deployments",
+ "categories": ["Deployment"]
+ },
+ {
+ "path": "../../code-scanning",
+ "categories": ["Code Scanning", "Dependency review"]
+ }
]
-}
\ No newline at end of file
+}