From 2e60d03ab7a47f3c73e7a5a95e75fdc1b2d6893c Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 12:38:39 +0530 Subject: [PATCH 1/8] Zscaler IaC Action Publish --- .../properties/zscaler.properties.json | 7 +++ code-scanning/zscaler.yml | 46 +++++++++++++++++++ icons/zscaler.svg | 3 ++ 3 files changed, 56 insertions(+) create mode 100644 code-scanning/properties/zscaler.properties.json create mode 100644 code-scanning/zscaler.yml create mode 100644 icons/zscaler.svg diff --git a/code-scanning/properties/zscaler.properties.json b/code-scanning/properties/zscaler.properties.json new file mode 100644 index 0000000..784a52b --- /dev/null +++ b/code-scanning/properties/zscaler.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Zscaler IaC Scan", + "creator": "Zscaler CWP Team", + "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", + "iconName": "zscaler", + "categories": ["Code Scanning","HCL"] +} \ No newline at end of file diff --git a/code-scanning/zscaler.yml b/code-scanning/zscaler.yml new file mode 100644 index 0000000..beea601 --- /dev/null +++ b/code-scanning/zscaler.yml @@ -0,0 +1,46 @@ +#This workflow uses actions that are not certified by GitHub. +#They are provided by a third party and are governed by +#separate terms of service, privacy policy, and support +#documentation. + +#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app, +#which detects security misconfigurations in IaC templates and publishes the findings +#under the code scanning alerts section within the repository. + +name: Zscanner IaC Scan +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + zscaler-iac-scan: + runs-on: ubuntu-latest + steps: + - name : Code Checkout + uses: actions/checkout@v2 + - name : Zscaler IAC Scan + uses : ZscalerCWP/Zscaler-IaC-Action@v0.2.0 + id : zscaler-iac-scan + with: + #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. + #Copy the client ID and client secret key generated during the onboarding process and configure. + #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). + client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} + client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} + #This is the user region specified during the onboarding process within the ZWP Admin Portal. + region : 'US' + iac_dir : #Enter the IaC directory path from root. + iac_file : #Enter the IaC file path from root. + output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here. + #To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true. + fail_build : #Enter true/false + #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. + - name: Upload SARIF file + if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file diff --git a/icons/zscaler.svg b/icons/zscaler.svg new file mode 100644 index 0000000..3897442 --- /dev/null +++ b/icons/zscaler.svg @@ -0,0 +1,3 @@ + + + From 5e3bc9a2fd200fc324e4bff09889cc80465d1a08 Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 16:26:19 +0530 Subject: [PATCH 2/8] Update zscaler-iac-scan.yml --- code-scanning/{zscaler.yml => zscaler-iac-scan.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename code-scanning/{zscaler.yml => zscaler-iac-scan.yml} (98%) diff --git a/code-scanning/zscaler.yml b/code-scanning/zscaler-iac-scan.yml similarity index 98% rename from code-scanning/zscaler.yml rename to code-scanning/zscaler-iac-scan.yml index beea601..e23a8d6 100644 --- a/code-scanning/zscaler.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -7,7 +7,7 @@ #which detects security misconfigurations in IaC templates and publishes the findings #under the code scanning alerts section within the repository. -name: Zscanner IaC Scan +name: Zscaler IaC Scan on: push: branches: [ $default-branch, $protected-branches ] From 7a322529a7f2fe483452dad5b1941ca7742216e8 Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 16:29:09 +0530 Subject: [PATCH 3/8] Update zscaler-iac-scan.properties.json --- .../{zscaler.properties.json => zscaler-iac-scan.properties.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename code-scanning/properties/{zscaler.properties.json => zscaler-iac-scan.properties.json} (100%) diff --git a/code-scanning/properties/zscaler.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json similarity index 100% rename from code-scanning/properties/zscaler.properties.json rename to code-scanning/properties/zscaler-iac-scan.properties.json From 3857754fa1839756e86ec089760bb20c7084c895 Mon Sep 17 00:00:00 2001 From: mvecha Date: Mon, 4 Apr 2022 17:55:47 +0530 Subject: [PATCH 4/8] Update zscaler-iac-scan.properties.json --- code-scanning/properties/zscaler-iac-scan.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/zscaler-iac-scan.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json index 784a52b..b643037 100644 --- a/code-scanning/properties/zscaler-iac-scan.properties.json +++ b/code-scanning/properties/zscaler-iac-scan.properties.json @@ -1,7 +1,7 @@ { "name": "Zscaler IaC Scan", - "creator": "Zscaler CWP Team", + "creator": "Zscaler CWP", "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", "iconName": "zscaler", - "categories": ["Code Scanning","HCL"] + "categories": ["Code Scanning","Security"] } \ No newline at end of file From 74471dae6f1a513f17bdacfdce6fd69145a5271a Mon Sep 17 00:00:00 2001 From: mvecha Date: Tue, 5 Apr 2022 13:21:24 +0530 Subject: [PATCH 5/8] Update zscaler-iac-scan.yml --- code-scanning/zscaler-iac-scan.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index e23a8d6..a8424b7 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -16,14 +16,20 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: zscaler-iac-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name : Code Checkout uses: actions/checkout@v2 - name : Zscaler IAC Scan - uses : ZscalerCWP/Zscaler-IaC-Action@v0.2.0 + uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc id : zscaler-iac-scan with: #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. From 73afccbbd54778fd08596f3fbe386823dcf15901 Mon Sep 17 00:00:00 2001 From: mvecha Date: Thu, 21 Apr 2022 15:20:01 +0530 Subject: [PATCH 6/8] Addressing PR Comments from Community --- .../properties/zscaler-iac-scan.properties.json | 2 +- code-scanning/zscaler-iac-scan.yml | 15 ++++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/code-scanning/properties/zscaler-iac-scan.properties.json b/code-scanning/properties/zscaler-iac-scan.properties.json index b643037..274d17a 100644 --- a/code-scanning/properties/zscaler-iac-scan.properties.json +++ b/code-scanning/properties/zscaler-iac-scan.properties.json @@ -3,5 +3,5 @@ "creator": "Zscaler CWP", "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app", "iconName": "zscaler", - "categories": ["Code Scanning","Security"] + "categories": ["Code Scanning"] } \ No newline at end of file diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index a8424b7..195bb57 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -7,6 +7,14 @@ #which detects security misconfigurations in IaC templates and publishes the findings #under the code scanning alerts section within the repository. +#Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. +#Copy the client ID and client secret key generated during the onboarding process and configure. +#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). + +#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. +#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues +#for further investigation. + name: Zscaler IaC Scan on: push: @@ -27,14 +35,11 @@ jobs: runs-on: ubuntu-latest steps: - name : Code Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name : Zscaler IAC Scan uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc id : zscaler-iac-scan with: - #Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process. - #Copy the client ID and client secret key generated during the onboarding process and configure. - #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} #This is the user region specified during the onboarding process within the ZWP Admin Portal. @@ -47,6 +52,6 @@ jobs: #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. - name: Upload SARIF file if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file From cfa93d0eecf7f1b230986ff509814b1ab1ad0ece Mon Sep 17 00:00:00 2001 From: Jeevan Reddy Ragula <90408178+jragula-zs@users.noreply.github.com> Date: Thu, 21 Apr 2022 15:26:09 +0530 Subject: [PATCH 7/8] Update zscaler-iac-scan.yml --- code-scanning/zscaler-iac-scan.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/code-scanning/zscaler-iac-scan.yml b/code-scanning/zscaler-iac-scan.yml index 195bb57..c6020a5 100644 --- a/code-scanning/zscaler-iac-scan.yml +++ b/code-scanning/zscaler-iac-scan.yml @@ -12,8 +12,7 @@ #GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). #Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. -#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues -#for further investigation. +#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation. name: Zscaler IaC Scan on: @@ -54,4 +53,4 @@ jobs: if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} \ No newline at end of file + sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} From 1c5c0f7c8a10324929bd35cc2fb63302ca57baef Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Fri, 22 Apr 2022 19:37:39 +0000 Subject: [PATCH 8/8] fix: upgrade @actions/core from 1.2.6 to 1.6.0 Snyk has created this PR to upgrade @actions/core from 1.2.6 to 1.6.0. See this package in npm: https://www.npmjs.com/package/@actions/core See this project in Snyk: https://app.snyk.io/org/cwp-2/project/fd2218da-0d06-448b-be57-a7d3e69b0389?utm_source=github-enterprise&utm_medium=referral&page=upgrade-pr --- script/validate-data/package-lock.json | 24 ++++++++++++++++++++---- script/validate-data/package.json | 2 +- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/script/validate-data/package-lock.json b/script/validate-data/package-lock.json index 8839d6a..cf7c70a 100644 --- a/script/validate-data/package-lock.json +++ b/script/validate-data/package-lock.json @@ -1,13 +1,24 @@ { - "name": "sync-ghes-actions", + "name": "validate-data", "version": "1.0.0", "lockfileVersion": 1, "requires": true, "dependencies": { "@actions/core": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", - "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz", + "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==", + "requires": { + "@actions/http-client": "^1.0.11" + } + }, + "@actions/http-client": { + "version": "1.0.11", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz", + "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==", + "requires": { + "tunnel": "0.0.6" + } }, "@types/js-yaml": { "version": "3.12.4", @@ -106,6 +117,11 @@ "yn": "3.1.1" } }, + "tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" + }, "typescript": { "version": "3.9.2", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.2.tgz", diff --git a/script/validate-data/package.json b/script/validate-data/package.json index e6403ee..7936f4e 100644 --- a/script/validate-data/package.json +++ b/script/validate-data/package.json @@ -14,7 +14,7 @@ "typescript": "^3.9.2" }, "dependencies": { - "@actions/core": "^1.2.6", + "@actions/core": "^1.6.0", "js-yaml": "^3.13.1", "jsonschema": "^1.2.6" }