diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 4fbc9f0..a3d2eed 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -40,6 +40,7 @@ jobs: with: image: "localbuild/testimage:latest" acs-report-enable: true + fail-build: false - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v2 with: diff --git a/code-scanning/properties/pyre.properties.json b/code-scanning/properties/pyre.properties.json new file mode 100644 index 0000000..bc12321 --- /dev/null +++ b/code-scanning/properties/pyre.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Pyre", + "creator": "Meta", + "description": "Pyre is a performant type checker for Python compliant with PEP 484. Pyre can analyze codebases with millions of lines of code incrementally – providing instantaneous feedback to developers as they write code.", + "iconName": "pyre", + "categories": ["Code Scanning", "Python"] +} diff --git a/code-scanning/properties/pysa.properties.json b/code-scanning/properties/pysa.properties.json new file mode 100644 index 0000000..1a61c40 --- /dev/null +++ b/code-scanning/properties/pysa.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Pysa", + "creator": "Meta", + "description": "Python Static Analyzer (Pysa) is a security-focused static analysis tool that tracks flows of data from where they originate to where they terminate in a dangerous location.", + "iconName": "pysa", + "categories": ["Code Scanning", "Python"] +} diff --git a/code-scanning/pyre.yml b/code-scanning/pyre.yml new file mode 100644 index 0000000..3c32e8b --- /dev/null +++ b/code-scanning/pyre.yml @@ -0,0 +1,46 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Pyre with GitHub's +# Code Scanning feature. +# +# Pyre is a performant type checker for Python compliant with +# PEP 484. Pyre can analyze codebases with millions of lines +# of code incrementally – providing instantaneous feedback +# to developers as they write code. +# +# See https://pyre-check.org + +name: Pyre + +on: + workflow_dispatch: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + +permissions: + contents: read + +jobs: + pyre: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: true + + - name: Run Pyre + uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d + with: + # To customize these inputs: + # See https://github.com/facebook/pyre-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' diff --git a/code-scanning/pysa.yml b/code-scanning/pysa.yml new file mode 100644 index 0000000..a9e3c81 --- /dev/null +++ b/code-scanning/pysa.yml @@ -0,0 +1,50 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Python Static Analyzer (Pysa) with +# GitHub's Code Scanning feature. +# +# Python Static Analyzer (Pysa) is a security-focused static +# analysis tool that tracks flows of data from where they +# originate to where they terminate in a dangerous location. +# +# See https://pyre-check.org/docs/pysa-basics/ + +name: Pysa + +on: + workflow_dispatch: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + pysa: + permissions: + actions: read + contents: read + security-events: write + + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + submodules: true + + - name: Run Pysa + uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b + with: + # To customize these inputs: + # See https://github.com/facebook/pysa-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' + infer-types: true + include-default-sapp-filters: true diff --git a/icons/pyre.svg b/icons/pyre.svg new file mode 100644 index 0000000..2af14c0 --- /dev/null +++ b/icons/pyre.svg @@ -0,0 +1 @@ +Asset 1 \ No newline at end of file diff --git a/icons/pysa.svg b/icons/pysa.svg new file mode 100644 index 0000000..ed60fb1 --- /dev/null +++ b/icons/pysa.svg @@ -0,0 +1 @@ + \ No newline at end of file