diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
new file mode 100644
index 0000000..d90f68c
--- /dev/null
+++ b/code-scanning/anchore.yml
@@ -0,0 +1,39 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
+# code scanning feature. For more information on the Anchore scan action usage
+# and parameters, see https://github.com/anchore/scan-action. For more
+# information on Anchore's container image scanning tool Grype, see
+# https://github.com/anchore/grype
+name: Anchore Container Scan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ Anchore-Build-Scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+ - name: Build the Docker image
+ run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+ - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
+ uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
+ with:
+ image: "localbuild/testimage:latest"
+ acs-report-enable: true
+ - name: Upload Anchore Scan Report
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: results.sarif
\ No newline at end of file
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml
new file mode 100644
index 0000000..ae5215a
--- /dev/null
+++ b/code-scanning/brakeman.yml
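Review bot: The `Upload Anchore Scan Report` step carries no `if:` condition, so whenever the scan step exits non-zero the SARIF never reaches code scanning; the scan-action README (not shown here) documents a fail-on-severity default, so this is likely to bite on the first run that has findings. The semgrep and prisma workflows in this same change guard their upload steps (`if: always()`, `if: success() || failure()`), and this one should do the same, e.g. add `if: always()` to the upload step, or disable the action's build-fail behaviour and leave gating to code scanning. Since `docker build .` runs the Dockerfile from the checked-out ref, an explicit least-privilege block (`permissions:` / `contents: read` / `security-events: write`) keeps the default token from being broader than upload-sarif needs.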
@@ -0,0 +1,51 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+
+name: Brakeman Scan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ brakeman-scan:
+ name: Brakeman Scan
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ # Customize the ruby version depending on your needs
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
+ with:
+ ruby-version: '2.7'
+
+ - name: Setup Brakeman
+ env:
+ BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
+ run: |
+ gem install brakeman --version $BRAKEMAN_VERSION
+
+ # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+ - name: Scan
+ continue-on-error: true
+ run: |
+ brakeman -f sarif -o output.sarif.json .
+
+ # Upload the SARIF file generated in the previous step
+ - name: Upload SARIF
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: output.sarif.json
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
new file mode 100644
index 0000000..ee97108
--- /dev/null
+++ b/code-scanning/checkmarx.yml
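Review bot: `continue-on-error: true` on the `Scan` step hides a genuine scanner failure (a crash, a wrong application root) in exactly the same way it hides the non-zero exit Brakeman uses to signal findings, and the step shows green either way. Brakeman has a flag for this case, so the step can keep failing on real errors while still writing the SARIF: `run: brakeman --no-exit-on-warn -f sarif -o output.sarif.json .` and drop `continue-on-error`. If the suppression is kept instead, an `if: always()` on the upload step states the intent more clearly than swallowing the exit code. `gem install brakeman --version $BRAKEMAN_VERSION` pulls an unverified gem at run time; that is conventional for Ruby, but the comment could note that the version is pinned exactly (`= 4.10`) rather than `>= 4.10`, since the inline comment reads as if any 4.10+ will do.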
@@ -0,0 +1,44 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action + +name: CxFlow + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + runs-on: ubuntu-latest + + # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v2 + # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs + - name: Checkmarx CxFlow Action + uses: checkmarx-ts/checkmarx-cxflow-github-action@04e6403dbbfee0fd3fb076e5791202c31c54fe6b + with: + project: GithubActionTest + team: '\CxServer\SP\Checkmarx' + checkmarx_url: ${{ secrets.CHECKMARX_URL }} + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + # Upload the Report for CodeQL/Security Alerts + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: cx.sarif diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml new file mode 100644 index 0000000..50185ad --- /dev/null +++ b/code-scanning/codacy.yml 
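Review bot: Four secrets (URL, username, password, client secret) are handed to a third-party action while the job runs with the default `GITHUB_TOKEN` permissions, which are broader than the two steps need; a least-privilege block limits what a compromised action or transitive dependency can do with the token: `permissions:` / `contents: read` / `security-events: write` at the job or workflow level. `project: GithubActionTest` and `team: '\CxServer\SP\Checkmarx'` are placeholders that will be copied into every repository that adopts the template; a comment on those lines (`# Replace with your Checkmarx project name and team path`) makes that visible. Note also that on `pull_request` runs from forks repository secrets are not exposed, so the scan step will fail or run unauthenticated there, and the upload step (no `if:` guard) is then skipped.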
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, performs a Codacy security scan +# and integrates the results with the +# GitHub Advanced Security code scanning feature. For more information on +# the Codacy security scan action usage and parameters, see +# https://github.com/codacy/codacy-analysis-cli-action. +# For more information on Codacy Analysis CLI in general, see +# https://github.com/codacy/codacy-analysis-cli. + +name: Codacy Security Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + codacy-security-scan: + name: Codacy Security Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout code + uses: actions/checkout@v2 + + # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b + with: + # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository + # You can also omit the token and run the tools that support default configurations + project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} + verbose: true + output: results.sarif + format: sarif + # Adjust severity of non-security issues + gh-code-scanning-compat: true + # Force 0 exit code to allow SARIF file generation + # This will handover control about PR rejection to the GitHub side + max-allowed-issues: 2147483647 + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: 
github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml new file mode 100644 index 0000000..5886843 --- /dev/null +++ b/code-scanning/codescan.yml @@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow requires that you have an existing account with codescan.io +# For more information about configuring your workflow, +# read our documentation at https://github.com/codescan-io/codescan-scanner-action +name: CodeScan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + CodeScan: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Cache files + uses: actions/cache@v2 + with: + path: | + ~/.sonar + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + - name: Run Analysis + uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12 + with: + login: ${{ secrets.CODESCAN_AUTH_TOKEN }} + organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} + projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: codescan.sarif diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml new file mode 100644 index 0000000..1d44bf9 --- /dev/null +++ b/code-scanning/crunch42.yml 
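Review bot: The `Cache files` step uses a static key, `${{ runner.os }}-sonar`, so once a cache for `~/.sonar` exists it is reused indefinitely and whatever the action stores there (presumably downloaded scanner binaries — the directory's contents are not shown) is never refreshed, even after the pinned action SHA is bumped. `restore-keys` repeats the exact `key` and adds nothing. Either put a version component in the key that is bumped together with the action, e.g. `key: ${{ runner.os }}-sonar-v1`, or drop the cache step and accept the download cost. A job-level `permissions:` block (`contents: read`, `security-events: write`) is advisable here as in the other SARIF-uploading templates.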
@@ -0,0 +1,53 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow locates REST API file contracts +# (Swagger or OpenAPI format, v2 and v3, JSON and YAML) +# and runs 200+ security checks on them using 42Crunch Security Audit technology. +# +# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# +# To use this workflow, you will need to complete the following setup steps. +# +# 1. Create a free 42Crunch account at https://platform.42crunch.com/register +# +# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# to create an API Token on the 42Crunch platform +# +# 3. Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm, +# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow +# +# If you have any questions or need help contact https://support.42crunch.com + +name: "42Crunch REST API Static Security Testing" + +# follow standard Code Scanning triggers +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + rest-api-static-security-testing: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: 42Crunch REST API Static Security Testing + uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 + with: + # Please create free account at https://platform.42crunch.com/register + # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm + api-token: ${{ secrets.API_TOKEN }} + # Fail if any OpenAPI file scores lower 
than 75 + min-score: 75 + # Upload results to Github code scanning + upload-to-code-scanning: true + # Github token for uploading the results + github-token: ${{ github.token }} diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml new file mode 100644 index 0000000..a8610c3 --- /dev/null +++ b/code-scanning/detekt.yml 
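Review bot: The secret is named plain `API_TOKEN`, which is easy to confuse with tokens for other services in a repository that adopts several of these templates; a service-specific name such as `api-token: ${{ secrets.C42_API_TOKEN }}` avoids that, with a comment pointing at the vendor docs' `API_TOKEN` wording. `github-token: ${{ github.token }}` hands the action the full default token although it only needs to upload SARIF, so pin the job to `permissions: contents: read` plus `security-events: write`. `min-score: 75` fails the job below that score; whether the action still uploads the results in that case is not visible here, and the comment should say so one way or the other once confirmed.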
@@ -0,0 +1,118 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow performs a static analysis of your Kotlin source code using +# Detekt. +# +# Scans are triggered: +# 1. On every push to default and protected branches +# 2. On every Pull Request targeting the default branch +# 3. On a weekly schedule +# 4. Manually, on demand, via the "workflow_dispatch" event +# +# The workflow should work with no modifications, but you might like to use a +# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG +# environment variable. +name: Scan with Detekt + +on: + # Triggers the workflow on push or pull request events but only for default and protected branches + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +env: + # Release tag associated with version of Detekt to be installed + # SARIF support (required for this workflow) was introduced in Detekt v1.15.0 + DETEKT_RELEASE_TAG: v1.15.0 + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "scan" + scan: + name: Scan + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v2 + + # Gets the download URL associated with the $DETEKT_RELEASE_TAG + - name: Get Detekt download URL + id: detekt_info + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' + query 
getReleaseAssetDownloadUrl($tagName: String!) { + repository(name: "detekt", owner: "detekt") { + release(tagName: $tagName) { + releaseAssets(name: "detekt", first: 1) { + nodes { + downloadUrl + } + } + tagCommit { + oid + } + } + } + } + ' 1> gh_response.json + + DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json) + if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then + echo "Release tag doesn't match expected commit SHA" + exit 1 + fi + + DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) + echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" + + # Sets up the detekt cli + - name: Setup Detekt + run: | + dest=$( mktemp -d ) + curl --request GET \ + --url ${{ steps.detekt_info.outputs.download_url }} \ + --silent \ + --location \ + --output $dest/detekt + chmod a+x $dest/detekt + echo $dest >> $GITHUB_PATH + + # Performs static analysis using Detekt + - name: Run Detekt + continue-on-error: true + run: | + detekt --input ${{ github.workspace }} --report sarif:${{ github.workspace }}/detekt.sarif.json + + # Modifies the SARIF output produced by Detekt so that absolute URIs are relative + # This is so we can easily map results onto their source files + # This can be removed once relative URI support lands in Detekt: https://git.io/JLBbA + - name: Make artifact location URIs relative + continue-on-error: true + run: | + echo "$( + jq \ + --arg github_workspace ${{ github.workspace }} \ + '. | ( .runs[].results[].locations[].physicalLocation.artifactLocation.uri |= if test($github_workspace) then .[($github_workspace | length | . + 1):] else . 
end )' \ + ${{ github.workspace }}/detekt.sarif.json + )" > ${{ github.workspace }}/detekt.sarif.json + + # Uploads results to GitHub repository using the upload-sarif action + - uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: ${{ github.workspace }}/detekt.sarif.json + checkout_path: ${{ github.workspace }} diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml new file mode 100644 index 0000000..8077f76 --- /dev/null +++ b/code-scanning/njsscan.yml @@ -0,0 +1,35 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates njsscan with GitHub's Code Scanning feature +# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications + +name: njsscan sarif + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + njsscan: + runs-on: ubuntu-latest + name: njsscan code scanning + steps: + - name: Checkout the code + uses: actions/checkout@v2 + - name: nodejsscan scan + id: njsscan + uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711 + with: + args: '. --sarif --output results.sarif || true' + - name: Upload njsscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml new file mode 100644 index 0000000..b5aefa4 --- /dev/null +++ b/code-scanning/ossar.yml 
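Review bot: The jq path `.data.repository.release.releaseAssets.tagCommit.oid` does not match the query above it, where `tagCommit` is a child of `release` rather than of `releaseAssets`; jq therefore yields `null`, and the pin check `[ $DETEKT_RELEASE_SHA != "37f0…" ]` rejects every run — and because the variable is unquoted, an empty value would instead make `[` error out, skip the `exit 1`, and silently disable the check. Beyond the path fix, comparing the tag's commit does not verify the asset that was actually downloaded (a replaced release binary would pass), so a `sha256sum --check` on `$dest/detekt` against a known digest is the stronger pin, and `curl` needs `--fail` so a 404 body is not chmod'ed and executed as detekt. `${{ steps.detekt_info.outputs.download_url }}` is interpolated straight into the shell; it comes from detekt's own release metadata so the injection surface is small, but passing it through `env:` is the usual hygiene. Both affected steps are fully inside the hunk.

```yaml
      - name: Get Detekt download URL
        id: detekt_info
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # … unchanged: gh api graphql query …
          DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.tagCommit.oid' gh_response.json)
          if [ "$DETEKT_RELEASE_SHA" != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then
            echo "Release tag doesn't match expected commit SHA"
            exit 1
          fi
          # … unchanged: download_url output …

      - name: Setup Detekt
        env:
          DETEKT_DOWNLOAD_URL: ${{ steps.detekt_info.outputs.download_url }}
        run: |
          dest=$( mktemp -d )
          curl --fail --silent --location --output "$dest/detekt" "$DETEKT_DOWNLOAD_URL"
          # Fill in the digest published for this release; fails the step on mismatch
          echo "<expected-sha256>  $dest/detekt" | sha256sum --check
          chmod a+x "$dest/detekt"
          echo "$dest" >> "$GITHUB_PATH"
```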
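Review bot: `args: '. --sarif --output results.sarif || true'` depends on the action splicing `args` into a shell command line, and it turns every failure — including njsscan crashing before it writes `results.sarif` — into success, after which the upload step fails with a confusing missing-file error. Let the step report honestly and guard the upload instead: drop `|| true`, add `continue-on-error: true` to the scan step (as brakeman.yml in this change does) or `if: always()` to the upload step, so a genuine tool error stays visible in the run log while findings still reach code scanning.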
@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates a collection of open source static analysis tools
+# with GitHub code scanning. For documentation, or to provide feedback, visit
+# https://github.com/github/ossar-action
+name: OSSAR
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ OSSAR-Scan:
+ # OSSAR runs on windows-latest.
+ # ubuntu-latest and macos-latest support coming soon
+ runs-on: windows-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ # Ensure a compatible version of dotnet is installed.
+ # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
+ # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
+ # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
+ # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
+ # - name: Install .NET
+ # uses: actions/setup-dotnet@v1
+ # with:
+ # dotnet-version: '3.1.x'
+
+ # Run open source static analysis tools
+ - name: Run OSSAR
+ uses: github/ossar-action@v1
+ id: ossar
+
+ # Upload results to the Security tab
+ - name: Upload OSSAR results
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{ steps.ossar.outputs.sarifFile }}
diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml
new file mode 100644
index 0000000..5323d1b
--- /dev/null
+++ b/code-scanning/prisma.yml
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow that checks for security issues using +# the Prisma Cloud Infrastructure as Code Scan Action on +# the IaC files present in the repository. +# The results are uploaded to GitHub Security Code Scanning +# +# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action + +name: Prisma Cloud IaC Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + prisma_cloud_iac_scan: + runs-on: ubuntu-latest + name: Run Prisma Cloud IaC Scan to check + steps: + - name: Checkout + uses: actions/checkout@v2 + - id: iac-scan + name: Run Scan on CFT files in the repository + uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 + with: + # You will need Prisma Cloud API Access Token + # More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action + prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }} + access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }} + secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }} + # Scan sources on Prisma Cloud are uniquely identified by their name + asset_name: 'my-asset-name' + # The service need to know the type of IaC being scanned + template_type: 'CFT' + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + # Results are generated only on a success or failure + # this is required since GitHub by default won't run the next step + # when the previous one has failed. 
+ # And alternative it to add `continue-on-error: true` to the previous step + if: success() || failure() + with: + # The SARIF Log file name is configurable on scan action + # therefore the file name is best read from the steps output + sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }} diff --git a/code-scanning/properties/anchore.properties.json b/code-scanning/properties/anchore.properties.json new file mode 100644 index 0000000..d997da4 --- /dev/null +++ b/code-scanning/properties/anchore.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Anchore Container Scan", + "creator": "Indeni Cloudrail", + "description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.", + "iconName": "anchore", + "categories": ["Code Scanning", "dockerfile"] +} \ No newline at end of file diff --git a/code-scanning/properties/brakeman.properties.json b/code-scanning/properties/brakeman.properties.json new file mode 100644 index 0000000..5597919 --- /dev/null +++ b/code-scanning/properties/brakeman.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Brakeman", + "creator": "Brakeman", + "description": "Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications.", + "iconName": "brakeman", + "categories": ["Code Scanning", "ruby"] +} \ No newline at end of file diff --git a/code-scanning/properties/checkmarx.properties.json b/code-scanning/properties/checkmarx.properties.json new file mode 100644 index 0000000..473a103 --- /dev/null +++ b/code-scanning/properties/checkmarx.properties.json @@ -0,0 +1,7 @@ +{ + "name": "CxSAST", + "creator": "Checkmarx", + "description": "Scan your code with Checkmarx CxSAST and see your results in the GitHub security tab.", + "iconName": "checkmarx", + "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"] +} \ No newline at end of file 
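Review bot: `asset_name: 'my-asset-name'` and `template_type: 'CFT'` are placeholders adopters must edit, and the hard-coded `CFT` restricts the scan to CloudFormation even though the header comment promises a scan of "the IaC files present in the repository"; a comment on those two lines (`# Replace: unique name for this repository in Prisma Cloud` and `# Template type to scan; see the action README for the supported values`) would make that visible. The `if: success() || failure()` guard on the upload step is correct; semgrep.yml in the same change uses `if: always()` for the same purpose, and `${{ !cancelled() }}` expresses the shared intent in both without also uploading after a cancelled run.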
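Review bot: `"creator": "Indeni Cloudrail"` in anchore.properties.json does not match the workflow it describes, which uses Anchore's own `anchore/scan-action` (see anchore.yml in this change); every other properties file here names the tool's vendor. This looks like a copy-paste from another template and should read `"creator": "Anchore"`.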
diff --git a/code-scanning/properties/codacy.properties.json b/code-scanning/properties/codacy.properties.json new file mode 100644 index 0000000..4ee4362 --- /dev/null +++ b/code-scanning/properties/codacy.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Codacy Security Scan", + "creator": "Codacy", + "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.", + "iconName": "codacy", + "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"] +} \ No newline at end of file diff --git a/code-scanning/properties/codescan.properties.json b/code-scanning/properties/codescan.properties.json new file mode 100644 index 0000000..74b66ca --- /dev/null +++ b/code-scanning/properties/codescan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "CodeScan", + "creator": "CodeScan Enterprises, LLC", + "description": "CodeScan allows for better visibility on your code quality checks based on your custom rulesets.", + "iconName": "codescan", + "categories": ["Code Scanning", "javascript", "apex"] +} \ No newline at end of file diff --git a/code-scanning/properties/crunch42.properties.json b/code-scanning/properties/crunch42.properties.json new file mode 100644 index 0000000..82ae816 --- /dev/null +++ b/code-scanning/properties/crunch42.properties.json @@ -0,0 +1,7 @@ +{ + "name": "42Crunch API Security Audit", + "creator": "42Crunch", + "description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.", + "iconName": "42crunch", + "categories": ["Code Scanning"] +} \ No newline at end of file 
diff --git a/code-scanning/properties/detekt.properties.json b/code-scanning/properties/detekt.properties.json new file mode 100644 index 0000000..d51a6ad --- /dev/null +++ b/code-scanning/properties/detekt.properties.json @@ -0,0 +1,9 @@ +{ + "name": "Detekt", + "creator": "Detekt", + "description": "Static code analysis for Kotlin", + "iconName": "detekt", + "categories": ["Code Scanning", "Kotlin"] +} + + \ No newline at end of file diff --git a/code-scanning/properties/njsscan.properties.json b/code-scanning/properties/njsscan.properties.json new file mode 100644 index 0000000..c6510a1 --- /dev/null +++ b/code-scanning/properties/njsscan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "njsscan", + "creator": "NodeJSScan", + "description": "nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications.", + "iconName": "njsscan", + "categories": ["Code Scanning", "JavaScript", "TypeScript"] +} \ No newline at end of file diff --git a/code-scanning/properties/ossar.properties.json b/code-scanning/properties/ossar.properties.json new file mode 100644 index 0000000..d295205 --- /dev/null +++ b/code-scanning/properties/ossar.properties.json @@ -0,0 +1,7 @@ +{ + "name": "OSSAR", + "creator": "GitHub", + "description": "Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).", + "iconName": "octicon mark-github", + "categories": ["Code Scanning", "python", "javascript"] +} \ No newline at end of file diff --git a/code-scanning/properties/prisma.properties.json b/code-scanning/properties/prisma.properties.json new file mode 100644 index 0000000..7d8be17 --- /dev/null +++ b/code-scanning/properties/prisma.properties.json 
@@ -0,0 +1,7 @@ +{ + "name": "Prisma Cloud IaC Scan", + "creator": "Palo Alto Prisma Cloud", + "description": "Scan your Infrastructure as Code files with Prisma Cloud to detect security issues", + "iconName": "prisma", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/rubocop.properties.json b/code-scanning/properties/rubocop.properties.json new file mode 100644 index 0000000..79f026b --- /dev/null +++ b/code-scanning/properties/rubocop.properties.json @@ -0,0 +1,7 @@ +{ + "name": "RuboCop Linting", + "creator": "arthurnn", + "description": "A Ruby static code analyzer and formatter, based on the community Ruby style guide.", + "iconName": "rubocop", + "categories": ["Code Scanning", "ruby"] +} \ No newline at end of file diff --git a/code-scanning/properties/securitycodescan.properties.json b/code-scanning/properties/securitycodescan.properties.json new file mode 100644 index 0000000..aa57969 --- /dev/null +++ b/code-scanning/properties/securitycodescan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SecurityCodeScan", + "creator": "@security-code-scan", + "description": "Vulnerability Patterns Detector for C# and VB.NET", + "iconName": "securitycodescan", + "categories": ["Code Scanning", "C#", "Visual Basic .NET"] +} \ No newline at end of file diff --git a/code-scanning/properties/semgrep.properties.json b/code-scanning/properties/semgrep.properties.json new file mode 100644 index 0000000..5f74ed5 --- /dev/null +++ b/code-scanning/properties/semgrep.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Semgrep", + "creator": "Returntocorp", + "description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.", + "iconName": "semgrep", + "categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"] +} \ No newline at end of file 
diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json new file mode 100644 index 0000000..1cb36c9 --- /dev/null +++ b/code-scanning/properties/shiftleft.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Scan", + "creator": "ShiftLeft", + "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.", + "iconName": "shiftleft", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/snyk-container.properties.json b/code-scanning/properties/snyk-container.properties.json new file mode 100644 index 0000000..0b1ddb4 --- /dev/null +++ b/code-scanning/properties/snyk-container.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Snyk Container", + "creator": "Snyk", + "description": "Detect vulnerabilities in your container images and surface the issues in GitHub code scanning.", + "iconName": "snyk", + "categories": ["Code Scanning", "dockerfile"] +} \ No newline at end of file diff --git a/code-scanning/properties/snyk-infrastructure.properties.json b/code-scanning/properties/snyk-infrastructure.properties.json new file mode 100644 index 0000000..3680109 --- /dev/null +++ b/code-scanning/properties/snyk-infrastructure.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Snyk Infrastructure as Code", + "creator": "Snyk", + "description": "Detect vulnerabilities in your infrastructure as code files and surface the issues in GitHub code scanning.", + "iconName": "snyk", + "categories": ["Code Scanning"] +} \ No newline at end of file diff --git a/code-scanning/properties/trivy.properties.json b/code-scanning/properties/trivy.properties.json new file mode 100644 index 0000000..4f9613c --- /dev/null +++ b/code-scanning/properties/trivy.properties.json 
@@ -0,0 +1,8 @@ +{ + "name": "Trivy", + "creator": "Aqua Security", + "description": "Scan Docker container images for vulnerabilities in OS packages and language dependencies with Trivy from Aqua Security.", + "iconName": "trivy", + "categories": ["Code Scanning", "dockerfile"], + "enterprise_requirements": ["docker"] +} \ No newline at end of file diff --git a/code-scanning/properties/xanitizer.properties.json b/code-scanning/properties/xanitizer.properties.json new file mode 100644 index 0000000..6e578c3 --- /dev/null +++ b/code-scanning/properties/xanitizer.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Xanitizer", + "creator": "RIGS IT", + "description": "Automatically scan your code for vulnerabilities and generate compliance reports with the static security analysis tool Xanitizer (SAST).", + "iconName": "xanitizer", + "categories": ["Code Scanning", "javascript", "java", "scala", "typescript", "xml", "json"] +} \ No newline at end of file diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml new file mode 100644 index 0000000..373d5b6 --- /dev/null +++ b/code-scanning/rubocop.yml 
@@ -0,0 +1,52 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# pulled from repo
+name: "Rubocop"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ rubocop:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ # If running on a self-hosted runner, check it meets the requirements
+ # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
+ - name: Set up Ruby
+ uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
+ with:
+ ruby-version: 2.6
+
+ # This step is not necessary if you add the gem to your Gemfile
+ - name: Install Code Scanning integration
+ run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
+
+ - name: Install dependencies
+ run: bundle install
+
+ - name: Rubocop run
+ run: |
+ bash -c "
+ bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+ [[ $? -ne 2 ]]
+ "
+
+ - name: Upload Sarif output
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: rubocop.sarif
diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml
new file mode 100644
index 0000000..3063c7a
--- /dev/null
+++ b/code-scanning/securitycodescan.yml
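Review bot: The exit-code guard in `Rubocop run` never fires: `$?` sits inside a double-quoted string that the outer shell expands before `bash -c` starts, so it always holds the outer shell's last status (0) rather than rubocop's, and `[[ 0 -ne 2 ]]` is always true. `run:` already executes under bash with `-e`, so the wrapper can go entirely: `bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif || [[ $? -ne 2 ]]` succeeds on exit 1 (offenses found, SARIF written) and fails on exit 2 (rubocop error), which appears to be the intent. Two smaller points: `strategy: fail-fast: false` has no matrix and does nothing, and `ruby-version: 2.6` is an unquoted float — quote it as `'2.6'` like brakeman.yml does, so a future `2.10` is not read as `2.1`.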
@@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature +# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET + +name: SecurityCodeScan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + SCS: + runs-on: windows-latest + steps: + - uses: actions/checkout@v2 + - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 + - uses: microsoft/setup-msbuild@v1.0.2 + + - name: Set up projects for analysis + uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d + + - name: Restore dependencies + run: dotnet restore + + - name: Build + run: dotnet build --no-restore + + - name: Convert sarif for uploading to GitHub + uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687 + + - name: Upload sarif + uses: github/codeql-action/upload-sarif@v1 diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml new file mode 100644 index 0000000..827387b --- /dev/null +++ b/code-scanning/semgrep.yml 
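Review bot: `microsoft/setup-msbuild@v1.0.2` is referenced by a mutable tag while the other third-party actions in this hunk (`nuget/setup-nuget` and both `security-code-scan` actions) are pinned to a commit SHA; the header's note about uncertified actions applies to it equally, so pin it the same way (`uses: microsoft/setup-msbuild@<commit-sha>`). The final `upload-sarif` step also passes no `with: sarif_file:`, so it relies on the action's default location, which presumably matches where the results action writes; an explicit `sarif_file:` as in every sibling workflow would make that dependency visible to whoever adapts this file.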
@@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow file requires a free account on Semgrep.dev to +# manage rules, file ignores, notifications, and more. +# +# See https://semgrep.dev/docs + +name: Semgrep + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + semgrep: + name: Scan + runs-on: ubuntu-latest + steps: + # Checkout project source + - uses: actions/checkout@v2 + + # Scan code using project's configuration on https://semgrep.dev/manage + - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 + with: + publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} + generateSarif: "1" + + # Upload SARIF file generated in previous step + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: semgrep.sarif + if: always() diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml new file mode 100644 index 0000000..48b86d3 --- /dev/null +++ b/code-scanning/shiftleft.yml 
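Review bot: `publishToken` and `publishDeployment` are read from repository secrets, which GitHub does not provide to `pull_request` runs originating from forks, so on those runs the action receives empty values; what it then does (scan with default rules, or fail) is not visible here and deserves a comment above the step, e.g. `# On pull requests from forks the two secrets below are empty — confirm how the action behaves without a token`. The upload step's `if: always()` also fires when checkout or the scan failed, so a missing `semgrep.sarif` is then reported as an upload error rather than as the originating failure; that is acceptable, but worth a word in the same comment.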
@@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Scan with GitHub's code scanning feature +# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft +# Visit https://slscan.io/en/latest/integrations/code-scan for help +name: SL Scan + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + Scan-Build: + # Scan runs on ubuntu, mac and windows + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # Instructions + # 1. Setup JDK, Node.js, Python etc depending on your project type + # 2. Compile or build the project before invoking scan + # Example: mvn compile, or npm install or pip install goes here + # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url + + - name: Perform Scan + uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64 + env: + WORKSPACE: "" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SCAN_AUTO_BUILD: true + with: + output: reports + # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type + # type: credscan,java + # type: python + + - name: Upload report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: reports diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml new file mode 100644 index 0000000..8ff2c9a --- /dev/null +++ b/code-scanning/snyk-container.yml 
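Review bot: The `Perform Scan` step passes `secrets.GITHUB_TOKEN` to a third-party action, but the workflow declares no `permissions:` block, so the token carries whatever default scope the repository grants (typically read/write unless the default has been tightened). Limiting it at the top of the workflow to what the job needs, `permissions:` / `contents: read` / `security-events: write` (the latter is what `upload-sarif` requires), keeps a buggy or compromised action from writing to the repository. `SCAN_AUTO_BUILD: true` is also a bare boolean inside an `env:` map whose values are strings; `SCAN_AUTO_BUILD: "true"` states the intent without relying on coercion.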
@@ -0,0 +1,48 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out the code, builds a container +# image using Docker and scans that image for vulnerabilities using +# Snyk. The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity +# issues, monitor images for newly disclosed vulnerabilities in Snyk and +# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/ + +name: Snyk Container + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + snyk: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Build a Docker image + run: docker build -t your/image-to-test . + - name: Run Snyk to check Docker image for vulnerabilities + # Snyk can be used to break the build when it detects vulnerabilities. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: your/image-to-test + args: --file=Dockerfile + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: snyk.sarif diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml new file mode 100644 index 0000000..b79bf34 --- /dev/null +++ b/code-scanning/snyk-infrastructure.yml 
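Review bot: `continue-on-error: true` on the Snyk step (and likewise in the snyk-infrastructure hunk that follows) swallows every failure of that step, not only the non-zero exit that signals findings: an unset `SNYK_TOKEN` or an image the CLI cannot load is hidden too, and the job then fails later in `upload-sarif` because `snyk.sarif` was never written. The existing comment explains why the build is not broken on findings but not this side effect; adding `# continue-on-error also hides scan failures (e.g. missing SNYK_TOKEN); an absent snyk.sarif then fails the upload step` next to it tells the reader where to look when the upload step is the one that reports the error.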
@@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out your Infrastructure as Code Configuration files, +# such as Kubernetes, Helm & Terraform and scans them for any security issues. +# The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Infrastructure as Code + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + snyk: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Run Snyk to check configuration files for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + # Add the path to the configuration file that you would like to test. + # For example `deployment.yaml` for a Kubernetes deployment manifest + # or `main.tf` for a Terraform configuration file + file: your-file-to-test.yaml + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: snyk.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml new file mode 100644 index 0000000..f778492 --- /dev/null +++ b/code-scanning/trivy.yml 
@@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: build + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + build: + name: Build + runs-on: "ubuntu-18.04" + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Build an image from Dockerfile + run: | + docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2 + with: + image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: 'trivy-results.sarif' diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml new file mode 100644 index 0000000..3bfb9ed --- /dev/null +++ b/code-scanning/xanitizer.yml 
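Review bot: `name: build` is the only workflow in this series whose name does not identify the scanner (the siblings use `Semgrep`, `Snyk Container`, `SL Scan`, …), and it is easily mistaken for, or collides with, a repository's own build workflow in the Actions list; `name: Trivy` would match the `trivy.properties.json` added earlier in this diff. Unlike the siblings it also pins `runs-on: "ubuntu-18.04"` instead of `ubuntu-latest`, which looks accidental rather than a requirement of the action. The `severity: 'CRITICAL,HIGH'` filter means medium and lower findings never reach the Security tab, which deserves a comment so users know the upload is deliberately partial, e.g. `# Only CRITICAL and HIGH findings are uploaded; widen this list to surface lower severities`.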
@@ -0,0 +1,92 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it, +# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository. +# +# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action +# +# To use this basic workflow, you will need to complete the following setup steps: +# +# 1. The underlying Xanitizer, used in this workflow, needs a separate license file. +# Licenses are free of charge for open source projects and for educational usage. +# To get more information about the Xanitizer licenses and how to obtain a license file, +# please consult https://www.xanitizer.com/xanitizer-pricing/. +# +# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository. +# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. +# +# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action. +# Example: +# - name: Xanitizer Security Analysis +# uses: RIGS-IT/xanitizer-action@v1 +# with: +# license: ${{ secrets.XANITIZER_LICENSE }} +# +# 4. As a static application security testing (SAST) tool, +# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully. +# So you have to install all used libraries and build your project before running the security analysis, +# e.g. 
via `mvn compile` for Java or `npm install` for JavaScript + +name: "Xanitizer Security Analysis" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + workflow_dispatch: + +jobs: + xanitizer-security-analysis: + # Xanitizer runs on ubuntu-latest and windows-latest. + runs-on: ubuntu-latest + + steps: + # Check out the repository + - name: Checkout + uses: actions/checkout@v2 + + # Set up the correct Java version for your project + # Please comment out, if your project does not contain Java source code. + - name: Set up JDK 11 + uses: actions/setup-java@v1 + with: + java-version: 11 + + # Compile the code for Java projects and get all libraries, e.g. via Maven + # Please adapt, if your project uses another build system to compile Java source code. + # Please comment out, if your project does not contain Java source code. + - name: Compile Java code + run: mvn -B compile + + # Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm + # Please adapt to run `npm install` in the correct directories. + # Please adapt, if your project uses another package manager for getting JavaScript libraries. + # Please comment out, if your project does not use a package manager for getting JavaScript libraries. 
+ - name: Install JavaScript libraries + run: npm install + + # Run the security analysis with default settings + - name: Xanitizer Security Analysis + uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316 + with: + license: ${{ secrets.XANITIZER_LICENSE }} + + # Archiving the findings list reports + - uses: actions/upload-artifact@v2 + with: + name: Xanitizer-Reports + path: | + *-Findings-List.pdf + *-Findings-List.sarif + + # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action + - uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: Xanitizer-Findings-List.sarif diff --git a/icons/42crunch.svg b/icons/42crunch.svg new file mode 100644 index 0000000..96cd102 --- /dev/null +++ b/icons/42crunch.svg @@ -0,0 +1,19 @@ + + + + + + + + diff --git a/icons/anchore.svg b/icons/anchore.svg new file mode 100644 index 0000000..2381f20 --- /dev/null +++ b/icons/anchore.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/icons/brakeman.svg b/icons/brakeman.svg new file mode 100644 index 0000000..ce91881 --- /dev/null +++ b/icons/brakeman.svg @@ -0,0 +1,464 @@ + +image/svg+xml \ No newline at end of file diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg new file mode 100644 index 0000000..6bf5ad3 --- /dev/null +++ b/icons/checkmarx.svg @@ -0,0 +1,14 @@ + + + + + + diff --git a/icons/codacy.svg b/icons/codacy.svg new file mode 100644 index 0000000..736d60c --- /dev/null +++ b/icons/codacy.svg @@ -0,0 +1,16 @@ + + + +codacy-white + + + + + + + + + + + diff --git a/icons/codescan.svg b/icons/codescan.svg new file mode 100644 index 0000000..5a44c2a --- /dev/null +++ b/icons/codescan.svg @@ -0,0 +1,69 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/detekt.svg b/icons/detekt.svg new file mode 100644 index 0000000..1526170 --- /dev/null +++ b/icons/detekt.svg @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
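Review bot: The setup instructions in the header comment (step 3) show `uses: RIGS-IT/xanitizer-action@v1`, whereas the `Xanitizer Security Analysis` step pins the action to a commit SHA, so a user who copies the documented example ends up with the mutable-tag reference that the header's own warning about uncertified actions argues against. Align the example with the step (`# uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316`) or say in the comment that the SHA form is the recommended one. The `Install JavaScript libraries` step runs `npm install`, which may resolve a dependency tree that differs from a committed lockfile and can rewrite it; where a lockfile exists, `npm ci` gives the scanner the same tree that ships, which is what a SAST pass should analyse.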
diff --git a/icons/njsscan.svg b/icons/njsscan.svg new file mode 100644 index 0000000..a9989e8 --- /dev/null +++ b/icons/njsscan.svg @@ -0,0 +1,755 @@ + + + + diff --git a/icons/prisma.svg b/icons/prisma.svg new file mode 100644 index 0000000..dfb5fdf --- /dev/null +++ b/icons/prisma.svg @@ -0,0 +1,16 @@ + + + + + + + + + + + + + + + + diff --git a/icons/rubocop.svg b/icons/rubocop.svg new file mode 100644 index 0000000..3add056 --- /dev/null +++ b/icons/rubocop.svg @@ -0,0 +1 @@ + diff --git a/icons/securitycodescan.svg b/icons/securitycodescan.svg new file mode 100644 index 0000000..db0181a --- /dev/null +++ b/icons/securitycodescan.svg @@ -0,0 +1,3 @@ + + + diff --git a/icons/semgrep.svg b/icons/semgrep.svg new file mode 100644 index 0000000..1a3e2a9 --- /dev/null +++ b/icons/semgrep.svg @@ -0,0 +1,4 @@ + + + + diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg new file mode 100644 index 0000000..f8e944a --- /dev/null +++ b/icons/shiftleft.svg @@ -0,0 +1,6 @@ + + + + + + diff --git a/icons/snyk.svg b/icons/snyk.svg new file mode 100644 index 0000000..8a934ac --- /dev/null +++ b/icons/snyk.svg @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/trivy.svg b/icons/trivy.svg new file mode 100644 index 0000000..ba2d477 --- /dev/null +++ b/icons/trivy.svg @@ -0,0 +1,93 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/icons/xanitizer.svg b/icons/xanitizer.svg new file mode 100644 index 0000000..1d5fe16 --- /dev/null +++ b/icons/xanitizer.svg @@ -0,0 +1,50 @@ + +image/svg+xml \ No newline at end of file