From 42dcf88eb9dde18e9c0b9e05840c92d47d26a28c Mon Sep 17 00:00:00 2001
From: anaarmas <54946499+anaarmas@users.noreply.github.com>
Date: Fri, 19 Nov 2021 16:41:15 +0100
Subject: [PATCH 1/4] add detekt workflow
---
code-scanning/detekt.yml | 109 ++++++++++++++++++
.../properties/detekt.properties.json | 9 ++
icons/detekt.svg | 32 +++++
3 files changed, 150 insertions(+)
create mode 100644 code-scanning/detekt.yml
create mode 100644 code-scanning/properties/detekt.properties.json
create mode 100644 icons/detekt.svg
diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml
new file mode 100644
index 0000000..0edc8b5
--- /dev/null
+++ b/code-scanning/detekt.yml
@@ -0,0 +1,109 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow performs a static analysis of your Kotlin source code using
+# Detekt.
+#
+# Scans are triggered:
+# 1. On every push to default and protected branches
+# 2. On every Pull Request targeting the default branch
+# 3. On a weekly schedule
+# 4. Manually, on demand, via the "workflow_dispatch" event
+#
+# The workflow should work with no modifications, but you might like to use a
+# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG
+# environment variable.
+name: Scan with Detekt
+
+on:
+ # Triggers the workflow on push or pull request events but only for default and protected branches
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+env:
+ # Release tag associated with version of Detekt to be installed
+ # SARIF support (required for this workflow) was introduced in Detekt v1.15.0
+ DETEKT_RELEASE_TAG: v1.15.0
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "scan"
+ scan:
+ name: Scan
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - uses: actions/checkout@v2
+
+ # Gets the download URL associated with the $DETEKT_RELEASE_TAG
+ - name: Get Detekt download URL
+ id: detekt_info
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ DETEKT_DOWNLOAD_URL=$( gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query='
+ query getReleaseAssetDownloadUrl($tagName: String!) {
+ repository(name: "detekt", owner: "detekt") {
+ release(tagName: $tagName) {
+ # it doesn't look like there is an alternative semantics for this with a specific SHA, is this release tag immutable?
+ releaseAssets(name: "detekt", first: 1) {
+ nodes {
+ downloadUrl
+ }
+ }
+ }
+ }
+ }
+ ' | \
+ jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' )
+ echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL"
+
+ # Sets up the detekt cli
+ - name: Setup Detekt
+ run: |
+ dest=$( mktemp -d )
+ curl --request GET \
+ --url ${{ steps.detekt_info.outputs.download_url }} \
+ --silent \
+ --location \
+ --output $dest/detekt
+ chmod a+x $dest/detekt
+ echo $dest >> $GITHUB_PATH
+
+ # Performs static analysis using Detekt
+ - name: Run Detekt
+ continue-on-error: true
+ run: |
+ detekt --input ${{ github.workspace }} --report sarif:${{ github.workspace }}/detekt.sarif.json
+
+ # Modifies the SARIF output produced by Detekt so that absolute URIs are relative
+ # This is so we can easily map results onto their source files
+ # This can be removed once relative URI support lands in Detekt: https://git.io/JLBbA
+ - name: Make artifact location URIs relative
+ continue-on-error: true
+ run: |
+ echo "$(
+ jq \
+ --arg github_workspace ${{ github.workspace }} \
+ '. | ( .runs[].results[].locations[].physicalLocation.artifactLocation.uri |= if test($github_workspace) then .[($github_workspace | length | . + 1):] else . end )' \
+ ${{ github.workspace }}/detekt.sarif.json
+ )" > ${{ github.workspace }}/detekt.sarif.json
+
+ # Uploads results to GitHub repository using the upload-sarif action
+ - uses: github/codeql-action/upload-sarif@v1
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: ${{ github.workspace }}/detekt.sarif.json
+ checkout_path: ${{ github.workspace }}
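Review bot: The Detekt binary fetched in the "Setup Detekt" step is executed without any integrity check — the download URL comes from a GraphQL lookup of a release tag that the in-query comment itself doubts is immutable, and the `curl` output is `chmod a+x`'d and appended to `$GITHUB_PATH` as-is. Pin the expected digest next to `DETEKT_RELEASE_TAG` and verify it before the binary is trusted, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  $dest/detekt" | sha256sum --check` after the `curl` call, and quote `"${{ steps.detekt_info.outputs.download_url }}"` and `"$dest/detekt"` so an unexpected value cannot split the command. The `# it doesn't look like there is an alternative ...` question embedded in the GraphQL query should be resolved or removed rather than shipped inside a starter template. Separately, none of the workflow files in this series (this one and 42crunch.yml, anchore.yml, brakeman.yml, checkmarx.yml, codacy.yml, codescan.yml, njsscan.yml, ossar.yml, prisma.yml) declares a top-level `permissions:` block, so each job runs with whatever default GITHUB_TOKEN scope the repository grants; `permissions: { contents: read, security-events: write }` is what the upload-sarif step needs and nothing more.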
diff --git a/code-scanning/properties/detekt.properties.json b/code-scanning/properties/detekt.properties.json
new file mode 100644
index 0000000..d51a6ad
--- /dev/null
+++ b/code-scanning/properties/detekt.properties.json
@@ -0,0 +1,9 @@
+{
+ "name": "Detekt",
+ "creator": "Detekt",
+ "description": "Static code analysis for Kotlin",
+ "iconName": "detekt",
+ "categories": ["Code Scanning", "Kotlin"]
+}
+
+
\ No newline at end of file
diff --git a/icons/detekt.svg b/icons/detekt.svg
new file mode 100644
index 0000000..1526170
--- /dev/null
+++ b/icons/detekt.svg
@@ -0,0 +1,32 @@
+
From 52edf1b58088d3acb5c1444b65bf9988e1d1b498 Mon Sep 17 00:00:00 2001
From: anaarmas <54946499+anaarmas@users.noreply.github.com>
Date: Fri, 19 Nov 2021 16:55:27 +0100
Subject: [PATCH 2/4] add a bunch of code scanning workflows
---
code-scanning/42crunch.yml | 53 ++
code-scanning/anchore.yml | 39 +
code-scanning/brakeman.yml | 51 ++
code-scanning/checkmarx.yml | 44 +
code-scanning/codacy.yml | 54 ++
code-scanning/codescan.yml | 42 +
code-scanning/njsscan.yml | 35 +
code-scanning/ossar.yml | 49 ++
code-scanning/prisma.yml | 54 ++
.../properties/42crunch.properties.json | 7 +
.../properties/anchore.properties.json | 7 +
.../properties/brakeman.properties.json | 7 +
.../properties/checkmarx.properties.json | 7 +
.../properties/codacy.properties.json | 7 +
.../properties/codescan.properties.json | 7 +
.../properties/njsscan.properties.json | 7 +
.../properties/ossar.properties.json | 7 +
.../properties/prisma.properties.json | 7 +
.../properties/rubocop.properties.json | 7 +
.../securitycodescan.properties.json | 7 +
.../properties/semgrep.properties.json | 7 +
.../properties/shiftleft.properties.json | 7 +
.../properties/snyk-container.properties.json | 7 +
.../snyk-infrastructure.properties.json | 7 +
.../properties/trivy.properties.json | 8 +
.../properties/xanitizer.properties.json | 7 +
code-scanning/rubocop.yml | 52 ++
code-scanning/securitycodescan.yml | 41 +
code-scanning/semgrep.yml | 42 +
code-scanning/shiftleft.yml | 47 ++
code-scanning/snyk-container.yml | 48 ++
code-scanning/snyk-infrastructure.yml | 47 ++
code-scanning/trivy.yml | 41 +
code-scanning/xanitizer.yml | 92 +++
icons/42crunch.svg | 19 +
icons/anchore.svg | 1 +
icons/brakeman.svg | 464 +++++++++++
icons/checkmarx.svg | 14 +
icons/codacy.svg | 16 +
icons/codescan.svg | 69 ++
icons/njsscan.svg | 755 ++++++++++++++++++
icons/prisma.svg | 16 +
icons/rubocop.svg | 1 +
icons/securitycodescan.svg | 3 +
icons/semgrep.svg | 4 +
icons/shiftleft.svg | 6 +
icons/snyk.svg | 31 +
icons/trivy.svg | 93 +++
icons/xanitizer.svg | 50 ++
49 files changed, 2493 insertions(+)
create mode 100644 code-scanning/42crunch.yml
create mode 100644 code-scanning/anchore.yml
create mode 100644 code-scanning/brakeman.yml
create mode 100644 code-scanning/checkmarx.yml
create mode 100644 code-scanning/codacy.yml
create mode 100644 code-scanning/codescan.yml
create mode 100644 code-scanning/njsscan.yml
create mode 100644 code-scanning/ossar.yml
create mode 100644 code-scanning/prisma.yml
create mode 100644 code-scanning/properties/42crunch.properties.json
create mode 100644 code-scanning/properties/anchore.properties.json
create mode 100644 code-scanning/properties/brakeman.properties.json
create mode 100644 code-scanning/properties/checkmarx.properties.json
create mode 100644 code-scanning/properties/codacy.properties.json
create mode 100644 code-scanning/properties/codescan.properties.json
create mode 100644 code-scanning/properties/njsscan.properties.json
create mode 100644 code-scanning/properties/ossar.properties.json
create mode 100644 code-scanning/properties/prisma.properties.json
create mode 100644 code-scanning/properties/rubocop.properties.json
create mode 100644 code-scanning/properties/securitycodescan.properties.json
create mode 100644 code-scanning/properties/semgrep.properties.json
create mode 100644 code-scanning/properties/shiftleft.properties.json
create mode 100644 code-scanning/properties/snyk-container.properties.json
create mode 100644 code-scanning/properties/snyk-infrastructure.properties.json
create mode 100644 code-scanning/properties/trivy.properties.json
create mode 100644 code-scanning/properties/xanitizer.properties.json
create mode 100644 code-scanning/rubocop.yml
create mode 100644 code-scanning/securitycodescan.yml
create mode 100644 code-scanning/semgrep.yml
create mode 100644 code-scanning/shiftleft.yml
create mode 100644 code-scanning/snyk-container.yml
create mode 100644 code-scanning/snyk-infrastructure.yml
create mode 100644 code-scanning/trivy.yml
create mode 100644 code-scanning/xanitizer.yml
create mode 100644 icons/42crunch.svg
create mode 100644 icons/anchore.svg
create mode 100644 icons/brakeman.svg
create mode 100644 icons/checkmarx.svg
create mode 100644 icons/codacy.svg
create mode 100644 icons/codescan.svg
create mode 100644 icons/njsscan.svg
create mode 100644 icons/prisma.svg
create mode 100644 icons/rubocop.svg
create mode 100644 icons/securitycodescan.svg
create mode 100644 icons/semgrep.svg
create mode 100644 icons/shiftleft.svg
create mode 100644 icons/snyk.svg
create mode 100644 icons/trivy.svg
create mode 100644 icons/xanitizer.svg
diff --git a/code-scanning/42crunch.yml b/code-scanning/42crunch.yml
new file mode 100644
index 0000000..1d44bf9
--- /dev/null
+++ b/code-scanning/42crunch.yml
@@ -0,0 +1,53 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow locates REST API file contracts
+# (Swagger or OpenAPI format, v2 and v3, JSON and YAML)
+# and runs 200+ security checks on them using 42Crunch Security Audit technology.
+#
+# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
+#
+# To use this workflow, you will need to complete the following setup steps.
+#
+# 1. Create a free 42Crunch account at https://platform.42crunch.com/register
+#
+# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
+# to create an API Token on the 42Crunch platform
+#
+# 3. Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm,
+# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow
+#
+# If you have any questions or need help contact https://support.42crunch.com
+
+name: "42Crunch REST API Static Security Testing"
+
+# follow standard Code Scanning triggers
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ rest-api-static-security-testing:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: 42Crunch REST API Static Security Testing
+ uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1
+ with:
+ # Please create free account at https://platform.42crunch.com/register
+ # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
+ api-token: ${{ secrets.API_TOKEN }}
+ # Fail if any OpenAPI file scores lower than 75
+ min-score: 75
+ # Upload results to Github code scanning
+ upload-to-code-scanning: true
+ # Github token for uploading the results
+ github-token: ${{ github.token }}
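Review bot: The pinned `42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1` carries no comment saying which release that SHA corresponds to, so a reader cannot tell what version is in use, or whether a newer one exists, without resolving the hash; the same applies to the SHA pins in anchore.yml, brakeman.yml, checkmarx.yml, codacy.yml, codescan.yml, njsscan.yml and prisma.yml. Add the tag as a trailing comment, e.g. `uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1 # <release tag placeholder>`, which is also the form automated dependency-update tooling keeps current. In the same hunk `actions/checkout@v2` is pinned to a mutable tag, so a short comment on whether first-party actions are deliberately exempt from SHA pinning would make the policy clear.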
diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml
new file mode 100644
index 0000000..d90f68c
--- /dev/null
+++ b/code-scanning/anchore.yml
@@ -0,0 +1,39 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
+# code scanning feature. For more information on the Anchore scan action usage
+# and parameters, see https://github.com/anchore/scan-action. For more
+# information on Anchore's container image scanning tool Grype, see
+# https://github.com/anchore/grype
+name: Anchore Container Scan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ Anchore-Build-Scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+ - name: Build the Docker image
+ run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+ - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
+ uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
+ with:
+ image: "localbuild/testimage:latest"
+ acs-report-enable: true
+ - name: Upload Anchore Scan Report
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: results.sarif
\ No newline at end of file
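Review bot: If the "Run the Anchore scan action" step exits non-zero — and, if I recall the action's inputs correctly, it fails the build by default when vulnerabilities at or above its severity cutoff are found — the "Upload Anchore Scan Report" step is skipped, so exactly the runs that have findings never reach code scanning. Either disable the build failure on the scan step (the input is `fail-build` as far as I remember; confirm against the action's README) or gate the upload with `if: always()`, as prisma.yml in this same series does with `if: success() || failure()`. The file is also missing its trailing newline (`\ No newline at end of file`).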
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml
new file mode 100644
index 0000000..ae5215a
--- /dev/null
+++ b/code-scanning/brakeman.yml
@@ -0,0 +1,51 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+
+name: Brakeman Scan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ brakeman-scan:
+ name: Brakeman Scan
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ # Customize the ruby version depending on your needs
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
+ with:
+ ruby-version: '2.7'
+
+ - name: Setup Brakeman
+ env:
+ BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
+ run: |
+ gem install brakeman --version $BRAKEMAN_VERSION
+
+ # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+ - name: Scan
+ continue-on-error: true
+ run: |
+ brakeman -f sarif -o output.sarif.json .
+
+ # Upload the SARIF file generated in the previous step
+ - name: Upload SARIF
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: output.sarif.json
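Review bot: `continue-on-error: true` on the Scan step turns every failure green, including Brakeman crashing or the gem not being installed, after which the Upload SARIF step fails on a missing `output.sarif.json` with a misleading error. Brakeman exits non-zero on warnings by design, so if the intent is only to tolerate findings, `brakeman -f sarif -o output.sarif.json --no-exit-on-warn .` expresses that directly and lets `continue-on-error: true` be dropped, so genuine errors still fail the job. The `ruby-version: '2.7'` and `BRAKEMAN_VERSION: '4.10'` values are correctly quoted; a short comment that both are intentional strings would stop a future edit from "simplifying" them into floats.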
diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml
new file mode 100644
index 0000000..ee97108
--- /dev/null
+++ b/code-scanning/checkmarx.yml
@@ -0,0 +1,44 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action
+
+name: CxFlow
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action
+jobs:
+ # This workflow contains a single job called "build"
+ build:
+ # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action
+ runs-on: ubuntu-latest
+
+ # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - uses: actions/checkout@v2
+ # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
+ - name: Checkmarx CxFlow Action
+ uses: checkmarx-ts/checkmarx-cxflow-github-action@04e6403dbbfee0fd3fb076e5791202c31c54fe6b
+ with:
+ project: GithubActionTest
+ team: '\CxServer\SP\Checkmarx'
+ checkmarx_url: ${{ secrets.CHECKMARX_URL }}
+ checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
+ checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
+ checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
+ # Upload the Report for CodeQL/Security Alerts
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: cx.sarif
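Review bot: `project: GithubActionTest` is a hard-coded placeholder, and since this file is a starter template every adopter who keeps it would report into the same project name in their Checkmarx tenant, mixing results from unrelated repositories. A per-repository value such as `project: ${{ github.event.repository.name }}` avoids that, and `team: '\CxServer\SP\Checkmarx'` deserves a comment marking it as a value to adjust. As with anchore.yml, there is no `if: always()` on the "Upload SARIF file" step, so a non-zero exit from the CxFlow action (I cannot tell from here whether it fails on findings) would skip the upload of the very results that matter.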
diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml
new file mode 100644
index 0000000..50185ad
--- /dev/null
+++ b/code-scanning/codacy.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, performs a Codacy security scan
+# and integrates the results with the
+# GitHub Advanced Security code scanning feature. For more information on
+# the Codacy security scan action usage and parameters, see
+# https://github.com/codacy/codacy-analysis-cli-action.
+# For more information on Codacy Analysis CLI in general, see
+# https://github.com/codacy/codacy-analysis-cli.
+
+name: Codacy Security Scan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ codacy-security-scan:
+ name: Codacy Security Scan
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
+ - name: Run Codacy Analysis CLI
+ uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
+ with:
+ # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
+ # You can also omit the token and run the tools that support default configurations
+ project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+ verbose: true
+ output: results.sarif
+ format: sarif
+ # Adjust severity of non-security issues
+ gh-code-scanning-compat: true
+ # Force 0 exit code to allow SARIF file generation
+ # This will handover control about PR rejection to the GitHub side
+ max-allowed-issues: 2147483647
+
+ # Upload the SARIF file generated in the previous step
+ - name: Upload SARIF results file
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: results.sarif
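Review bot: The comment `# You can also omit the token and run the tools that support default configurations` does not describe what the workflow does: `project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}` always passes the input, and when the secret is unset the expression expands to an empty string rather than an omitted input. Unless the action documents that an empty value is treated as absent (I cannot confirm that from here), either drop the comment or ship the line commented out with an instruction to enable it, e.g. `# project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}`. `verbose: true` also defaults every adopter to the chattiest log level; if that is deliberate for a template, a one-line comment saying why would help.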
diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml
new file mode 100644
index 0000000..5886843
--- /dev/null
+++ b/code-scanning/codescan.yml
@@ -0,0 +1,42 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow requires that you have an existing account with codescan.io
+# For more information about configuring your workflow,
+# read our documentation at https://github.com/codescan-io/codescan-scanner-action
+name: CodeScan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ CodeScan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ - name: Cache files
+ uses: actions/cache@v2
+ with:
+ path: |
+ ~/.sonar
+ key: ${{ runner.os }}-sonar
+ restore-keys: ${{ runner.os }}-sonar
+ - name: Run Analysis
+ uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12
+ with:
+ login: ${{ secrets.CODESCAN_AUTH_TOKEN }}
+ organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
+ projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: codescan.sarif
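Review bot: The cache key `${{ runner.os }}-sonar` is constant and `restore-keys` repeats the same value, so once an entry is saved it is restored on every run and never refreshed (actions/cache only saves on a miss), while the `restore-keys` line adds nothing. A key that changes per run with a stable prefix for fallback, e.g. `key: ${{ runner.os }}-sonar-${{ github.run_id }}` and `restore-keys: ${{ runner.os }}-sonar-`, keeps the cache warm without freezing it; a `hashFiles()` of the scanner configuration file would be better still if its name is known. Note also that `projectKey` is the only camelCase input in this series and the job name `CodeScan` shadows the workflow `name:`; both are harmless but worth a glance for consistency.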
diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml
new file mode 100644
index 0000000..8077f76
--- /dev/null
+++ b/code-scanning/njsscan.yml
@@ -0,0 +1,35 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates njsscan with GitHub's Code Scanning feature
+# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications
+
+name: njsscan sarif
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ njsscan:
+ runs-on: ubuntu-latest
+ name: njsscan code scanning
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+ - name: nodejsscan scan
+ id: njsscan
+ uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711
+ with:
+ args: '. --sarif --output results.sarif || true'
+ - name: Upload njsscan report
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: results.sarif
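Review bot: The `|| true` appended to `args: '. --sarif --output results.sarif || true'` relies on the action evaluating its argument in a shell (which the hunk itself implies) and masks every non-zero exit — a scanner crash or a bad flag looks identical to a clean scan, and the upload step then fails on a missing `results.sarif` with a confusing error. Moving the tolerance to the step, `continue-on-error: true` with `args: '. --sarif --output results.sarif'`, keeps the step's real outcome visible in the run UI, matching how brakeman.yml in this series handles it. `id: njsscan` is declared but no later step reads `steps.njsscan.outputs`, so it can be dropped.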
diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml
new file mode 100644
index 0000000..b5aefa4
--- /dev/null
+++ b/code-scanning/ossar.yml
@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates a collection of open source static analysis tools
+# with GitHub code scanning. For documentation, or to provide feedback, visit
+# https://github.com/github/ossar-action
+name: OSSAR
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ OSSAR-Scan:
+ # OSSAR runs on windows-latest.
+ # ubuntu-latest and macos-latest support coming soon
+ runs-on: windows-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ # Ensure a compatible version of dotnet is installed.
+ # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
+ # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
+ # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
+ # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
+ # - name: Install .NET
+ # uses: actions/setup-dotnet@v1
+ # with:
+ # dotnet-version: '3.1.x'
+
+ # Run open source static analysis tools
+ - name: Run OSSAR
+ uses: github/ossar-action@v1
+ id: ossar
+
+ # Upload results to the Security tab
+ - name: Upload OSSAR results
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{ steps.ossar.outputs.sarifFile }}
diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml
new file mode 100644
index 0000000..5323d1b
--- /dev/null
+++ b/code-scanning/prisma.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow that checks for security issues using
+# the Prisma Cloud Infrastructure as Code Scan Action on
+# the IaC files present in the repository.
+# The results are uploaded to GitHub Security Code Scanning
+#
+# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action
+
+name: Prisma Cloud IaC Scan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ prisma_cloud_iac_scan:
+ runs-on: ubuntu-latest
+ name: Run Prisma Cloud IaC Scan to check
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - id: iac-scan
+ name: Run Scan on CFT files in the repository
+ uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3
+ with:
+ # You will need Prisma Cloud API Access Token
+ # More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action
+ prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }}
+ access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
+ secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
+ # Scan sources on Prisma Cloud are uniquely identified by their name
+ asset_name: 'my-asset-name'
+ # The service need to know the type of IaC being scanned
+ template_type: 'CFT'
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v1
+ # Results are generated only on a success or failure
+ # this is required since GitHub by default won't run the next step
+ # when the previous one has failed.
+ # And alternative it to add `continue-on-error: true` to the previous step
+ if: success() || failure()
+ with:
+ # The SARIF Log file name is configurable on scan action
+ # therefore the file name is best read from the steps output
+ sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }}
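Review bot: `asset_name: 'my-asset-name'` is a placeholder in a starter template, and the comment directly above it states that scan sources on Prisma Cloud are uniquely identified by their name, so adopters who keep the default would share one asset across unrelated repositories. `asset_name: ${{ github.repository }}` derives a unique and stable value per repository. Likewise `template_type: 'CFT'` and the step name "Run Scan on CFT files in the repository" fix the scan to one template type while the header comment describes generic IaC scanning; the comment at `# The service need to know the type of IaC being scanned` should say explicitly that this value must be changed for other IaC formats (and fix "need" to "needs").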
diff --git a/code-scanning/properties/42crunch.properties.json b/code-scanning/properties/42crunch.properties.json
new file mode 100644
index 0000000..9fbeca9
--- /dev/null
+++ b/code-scanning/properties/42crunch.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "42Crunch API Security Audit",
+ "creator": "42crunch",
+ "description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.",
+ "iconName": "42crunch",
+ "categories": ["Code Scanning"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/anchore.properties.json b/code-scanning/properties/anchore.properties.json
new file mode 100644
index 0000000..d997da4
--- /dev/null
+++ b/code-scanning/properties/anchore.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Anchore Container Scan",
+ "creator": "Indeni Cloudrail",
+ "description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.",
+ "iconName": "anchore",
+ "categories": ["Code Scanning", "dockerfile"]
+}
\ No newline at end of file
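Review bot: `"creator": "Indeni Cloudrail"` does not match the rest of the file, whose name, description, icon and the paired anchore.yml all refer to Anchore; this looks like a copy-paste from another vendor's properties file and would show the wrong vendor on the workflow card. Change it to `"creator": "Anchore"`. Category casing also drifts across this series — `"dockerfile"` here, `"JavaScript"` in njsscan.properties.json versus `"javascript"` in checkmarx.properties.json — so any consumer matching on category strings may treat them as different categories; pick one casing file-wide.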
diff --git a/code-scanning/properties/brakeman.properties.json b/code-scanning/properties/brakeman.properties.json
new file mode 100644
index 0000000..5597919
--- /dev/null
+++ b/code-scanning/properties/brakeman.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Brakeman",
+ "creator": "Brakeman",
+ "description": "Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications.",
+ "iconName": "brakeman",
+ "categories": ["Code Scanning", "ruby"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/checkmarx.properties.json b/code-scanning/properties/checkmarx.properties.json
new file mode 100644
index 0000000..473a103
--- /dev/null
+++ b/code-scanning/properties/checkmarx.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "CxSAST",
+ "creator": "Checkmarx",
+ "description": "Scan your code with Checkmarx CxSAST and see your results in the GitHub security tab.",
+ "iconName": "checkmarx",
+ "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/codacy.properties.json b/code-scanning/properties/codacy.properties.json
new file mode 100644
index 0000000..4ee4362
--- /dev/null
+++ b/code-scanning/properties/codacy.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Codacy Security Scan",
+ "creator": "Codacy",
+ "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.",
+ "iconName": "codacy",
+ "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/codescan.properties.json b/code-scanning/properties/codescan.properties.json
new file mode 100644
index 0000000..74b66ca
--- /dev/null
+++ b/code-scanning/properties/codescan.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "CodeScan",
+ "creator": "CodeScan Enterprises, LLC",
+ "description": "CodeScan allows for better visibility on your code quality checks based on your custom rulesets.",
+ "iconName": "codescan",
+ "categories": ["Code Scanning", "javascript", "apex"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/njsscan.properties.json b/code-scanning/properties/njsscan.properties.json
new file mode 100644
index 0000000..c6510a1
--- /dev/null
+++ b/code-scanning/properties/njsscan.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "njsscan",
+ "creator": "NodeJSScan",
+ "description": "nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications.",
+ "iconName": "njsscan",
+ "categories": ["Code Scanning", "JavaScript", "TypeScript"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/ossar.properties.json b/code-scanning/properties/ossar.properties.json
new file mode 100644
index 0000000..d295205
--- /dev/null
+++ b/code-scanning/properties/ossar.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "OSSAR",
+ "creator": "GitHub",
+ "description": "Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).",
+ "iconName": "octicon mark-github",
+ "categories": ["Code Scanning", "python", "javascript"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/prisma.properties.json b/code-scanning/properties/prisma.properties.json
new file mode 100644
index 0000000..7d8be17
--- /dev/null
+++ b/code-scanning/properties/prisma.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Prisma Cloud IaC Scan",
+ "creator": "Palo Alto Prisma Cloud",
+ "description": "Scan your Infrastructure as Code files with Prisma Cloud to detect security issues",
+ "iconName": "prisma",
+ "categories": ["Code Scanning"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/rubocop.properties.json b/code-scanning/properties/rubocop.properties.json
new file mode 100644
index 0000000..79f026b
--- /dev/null
+++ b/code-scanning/properties/rubocop.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "RuboCop Linting",
+ "creator": "arthurnn",
+ "description": "A Ruby static code analyzer and formatter, based on the community Ruby style guide.",
+ "iconName": "rubocop",
+ "categories": ["Code Scanning", "ruby"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/securitycodescan.properties.json b/code-scanning/properties/securitycodescan.properties.json
new file mode 100644
index 0000000..aa57969
--- /dev/null
+++ b/code-scanning/properties/securitycodescan.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SecurityCodeScan",
+ "creator": "@security-code-scan",
+ "description": "Vulnerability Patterns Detector for C# and VB.NET",
+ "iconName": "securitycodescan",
+ "categories": ["Code Scanning", "C#", "Visual Basic .NET"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/semgrep.properties.json b/code-scanning/properties/semgrep.properties.json
new file mode 100644
index 0000000..5f74ed5
--- /dev/null
+++ b/code-scanning/properties/semgrep.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Semgrep",
+ "creator": "Returntocorp",
+ "description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.",
+ "iconName": "semgrep",
+ "categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json
new file mode 100644
index 0000000..1cb36c9
--- /dev/null
+++ b/code-scanning/properties/shiftleft.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Scan",
+ "creator": "ShiftLeft",
+ "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.",
+ "iconName": "shiftleft",
+ "categories": ["Code Scanning"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/snyk-container.properties.json b/code-scanning/properties/snyk-container.properties.json
new file mode 100644
index 0000000..0b1ddb4
--- /dev/null
+++ b/code-scanning/properties/snyk-container.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Snyk Container",
+ "creator": "Snyk",
+ "description": "Detect vulnerabilities in your container images and surface the issues in GitHub code scanning.",
+ "iconName": "snyk",
+ "categories": ["Code Scanning", "dockerfile"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/snyk-infrastructure.properties.json b/code-scanning/properties/snyk-infrastructure.properties.json
new file mode 100644
index 0000000..3680109
--- /dev/null
+++ b/code-scanning/properties/snyk-infrastructure.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Snyk Infrastructure as Code",
+ "creator": "Snyk",
+ "description": "Detect vulnerabilities in your infrastructure as code files and surface the issues in GitHub code scanning.",
+ "iconName": "snyk",
+ "categories": ["Code Scanning"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/trivy.properties.json b/code-scanning/properties/trivy.properties.json
new file mode 100644
index 0000000..4f9613c
--- /dev/null
+++ b/code-scanning/properties/trivy.properties.json
@@ -0,0 +1,8 @@
+{
+ "name": "Trivy",
+ "creator": "Aqua Security",
+ "description": "Scan Docker container images for vulnerabilities in OS packages and language dependencies with Trivy from Aqua Security.",
+ "iconName": "trivy",
+ "categories": ["Code Scanning", "dockerfile"],
+ "enterprise_requirements": ["docker"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/xanitizer.properties.json b/code-scanning/properties/xanitizer.properties.json
new file mode 100644
index 0000000..6e578c3
--- /dev/null
+++ b/code-scanning/properties/xanitizer.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Xanitizer",
+ "creator": "RIGS IT",
+ "description": "Automatically scan your code for vulnerabilities and generate compliance reports with the static security analysis tool Xanitizer (SAST).",
+ "iconName": "xanitizer",
+ "categories": ["Code Scanning", "javascript", "java", "scala", "typescript", "xml", "json"]
+}
\ No newline at end of file
diff --git a/code-scanning/rubocop.yml b/code-scanning/rubocop.yml
new file mode 100644
index 0000000..373d5b6
--- /dev/null
+++ b/code-scanning/rubocop.yml
@@ -0,0 +1,52 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# pulled from repo
+name: "Rubocop"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ rubocop:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ # If running on a self-hosted runner, check it meets the requirements
+ # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
+ - name: Set up Ruby
+ uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
+ with:
+ ruby-version: 2.6
+
+ # This step is not necessary if you add the gem to your Gemfile
+ - name: Install Code Scanning integration
+ run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
+
+ - name: Install dependencies
+ run: bundle install
+
+ - name: Rubocop run
+ run: |
+ bash -c "
+ bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+ [[ $? -ne 2 ]]
+ "
+
+ - name: Upload Sarif output
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: rubocop.sarif
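Review bot: The exit-status guard `[[ $? -ne 2 ]]` inside the `Rubocop run` step never sees rubocop's status: `$?` sits in the outer shell's double-quoted `bash -c "…"` string and is expanded before the inner shell starts, so the inner script always evaluates `[[ 0 -ne 2 ]]` and the step passes even when rubocop exits 2 (an internal error rather than offences). Replacing the `bash -c` wrapper with the single line `bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif || [[ $? -ne 2 ]]` keeps the intended semantics: offences (exit 1) still reach the SARIF upload, errors (exit 2) fail the step. Separately, `ruby-version: 2.6` is a YAML float; `ruby-version: "2.6"` avoids the `2.10` → `2.1` trap when the version is bumped later.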
diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml
new file mode 100644
index 0000000..3063c7a
--- /dev/null
+++ b/code-scanning/securitycodescan.yml
@@ -0,0 +1,41 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature
+# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET
+
+name: SecurityCodeScan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ SCS:
+ runs-on: windows-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1
+ - uses: microsoft/setup-msbuild@v1.0.2
+
+ - name: Set up projects for analysis
+ uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d
+
+ - name: Restore dependencies
+ run: dotnet restore
+
+ - name: Build
+ run: dotnet build --no-restore
+
+ - name: Convert sarif for uploading to GitHub
+ uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
+
+ - name: Upload sarif
+ uses: github/codeql-action/upload-sarif@v1
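Review bot: The final `Upload sarif` step passes no `sarif_file`, so it relies on the upload action's default input matching the location where `security-code-scan-results-action` writes the converted SARIF; if that coupling is deliberate, a comment such as `# results-action writes to the upload action's default sarif_file location` would stop the next maintainer from "fixing" it. Pinning is also mixed within the same job: `nuget/setup-nuget` and both `security-code-scan` actions are pinned to full commit SHAs, while `microsoft/setup-msbuild@v1.0.2` is a mutable tag. Pinning it the same way (`microsoft/setup-msbuild@<full-commit-sha-of-v1.0.2>`) ensures a moved tag cannot change what runs during the build.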
diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml
new file mode 100644
index 0000000..827387b
--- /dev/null
+++ b/code-scanning/semgrep.yml
@@ -0,0 +1,42 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow file requires a free account on Semgrep.dev to
+# manage rules, file ignores, notifications, and more.
+#
+# See https://semgrep.dev/docs
+
+name: Semgrep
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ semgrep:
+ name: Scan
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout project source
+ - uses: actions/checkout@v2
+
+ # Scan code using project's configuration on https://semgrep.dev/manage
+ - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735
+ with:
+ publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
+ publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
+ generateSarif: "1"
+
+ # Upload SARIF file generated in previous step
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: semgrep.sarif
+ if: always()
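Review bot: `if: always()` on the upload step also fires when the job is cancelled or when checkout fails before the scan runs, in which case `semgrep.sarif` does not exist and the step fails for an unrelated reason. `if: ${{ !cancelled() }}` preserves the intent — upload results even when the scan step fails on findings — without running after a cancellation. A short comment on the step, e.g. `# upload even when semgrep fails on findings; skipped only on cancellation`, would record why the condition is there.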
diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml
new file mode 100644
index 0000000..48b86d3
--- /dev/null
+++ b/code-scanning/shiftleft.yml
@@ -0,0 +1,47 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Scan with GitHub's code scanning feature
+# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
+# Visit https://slscan.io/en/latest/integrations/code-scan for help
+name: SL Scan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ Scan-Build:
+ # Scan runs on ubuntu, mac and windows
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ # Instructions
+ # 1. Setup JDK, Node.js, Python etc depending on your project type
+ # 2. Compile or build the project before invoking scan
+ # Example: mvn compile, or npm install or pip install goes here
+ # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
+
+ - name: Perform Scan
+ uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64
+ env:
+ WORKSPACE: ""
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SCAN_AUTO_BUILD: true
+ with:
+ output: reports
+ # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
+ # type: credscan,java
+ # type: python
+
+ - name: Upload report
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: reports
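Review bot: `SCAN_AUTO_BUILD: true` is a YAML boolean inside an `env:` mapping whose values are strings; writing `SCAN_AUTO_BUILD: "true"` states the intended string form and avoids parser-dependent coercion. The `GITHUB_TOKEN` handed to the third-party scan action inherits the repository's default token scopes unless a job-level `permissions:` block narrows them; limiting the job to `contents: read` and `security-events: write` (what checkout and the SARIF upload need) keeps the token least-privilege — confirm the action's own documented requirements before narrowing. The same `permissions:` consideration applies to every SARIF-uploading workflow in this series, since `security-events: write` becomes mandatory once a repository restricts default token permissions.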
diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml
new file mode 100644
index 0000000..8ff2c9a
--- /dev/null
+++ b/code-scanning/snyk-container.yml
@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which checks out the code, builds a container
+# image using Docker and scans that image for vulnerabilities using
+# Snyk. The results are then uploaded to GitHub Security Code Scanning
+#
+# For more examples, including how to limit scans to only high-severity
+# issues, monitor images for newly disclosed vulnerabilities in Snyk and
+# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/
+
+name: Snyk Container
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ snyk:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Build a Docker image
+ run: docker build -t your/image-to-test .
+ - name: Run Snyk to check Docker image for vulnerabilities
+ # Snyk can be used to break the build when it detects vulnerabilities.
+ # In this case we want to upload the issues to GitHub Code Scanning
+ continue-on-error: true
+ uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
+ env:
+ # In order to use the Snyk Action you will need to have a Snyk API token.
+ # More details in https://github.com/snyk/actions#getting-your-snyk-token
+ # or you can signup for free at https://snyk.io/login
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: your/image-to-test
+ args: --file=Dockerfile
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: snyk.sarif
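Review bot: `continue-on-error: true` on the scan step suppresses every failure of that step, not only the vulnerability-found exit the comment describes: an invalid or missing `SNYK_TOKEN`, a network error or a bad `--file` argument all pass silently, and the only symptom is the upload step failing on a missing `snyk.sarif`. Extending the existing comment, e.g. `# NOTE: this also hides auth/network failures of the scan; a missing snyk.sarif at upload is the only signal`, makes that trade-off explicit for whoever adopts the template. The same applies to the `snyk/actions/iac` step in snyk-infrastructure.yml.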
diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml
new file mode 100644
index 0000000..b79bf34
--- /dev/null
+++ b/code-scanning/snyk-infrastructure.yml
@@ -0,0 +1,47 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which checks out your Infrastructure as Code Configuration files,
+# such as Kubernetes, Helm & Terraform and scans them for any security issues.
+# The results are then uploaded to GitHub Security Code Scanning
+#
+# For more examples, including how to limit scans to only high-severity issues
+# and fail PR checks, see https://github.com/snyk/actions/
+
+name: Snyk Infrastructure as Code
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ snyk:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Run Snyk to check configuration files for security issues
+ # Snyk can be used to break the build when it detects security issues.
+ # In this case we want to upload the issues to GitHub Code Scanning
+ continue-on-error: true
+ uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4
+ env:
+ # In order to use the Snyk Action you will need to have a Snyk API token.
+ # More details in https://github.com/snyk/actions#getting-your-snyk-token
+ # or you can signup for free at https://snyk.io/login
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ # Add the path to the configuration file that you would like to test.
+ # For example `deployment.yaml` for a Kubernetes deployment manifest
+ # or `main.tf` for a Terraform configuration file
+ file: your-file-to-test.yaml
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: snyk.sarif
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
new file mode 100644
index 0000000..f778492
--- /dev/null
+++ b/code-scanning/trivy.yml
@@ -0,0 +1,41 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: build
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+jobs:
+ build:
+ name: Build
+ runs-on: "ubuntu-18.04"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Build an image from Dockerfile
+ run: |
+ docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
+ with:
+ image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: 'trivy-results.sarif'
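Review bot: The workflow and job are named `build`/`Build`, which is what appears in the Actions and checks UI, unlike every other template in this series that names the tool; `name: Trivy` at the top would make the scan identifiable. `severity: 'CRITICAL,HIGH'` drops MEDIUM and lower findings from the SARIF without saying so, which deserves a comment such as `# only CRITICAL and HIGH findings are reported; drop 'severity' to include the rest`. `runs-on: "ubuntu-18.04"` also pins a specific image where the other templates use `ubuntu-latest`; if that is not a deliberate requirement of the action, aligning it avoids the job breaking when the image is retired.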
diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml
new file mode 100644
index 0000000..3bfb9ed
--- /dev/null
+++ b/code-scanning/xanitizer.yml
@@ -0,0 +1,92 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it,
+# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository.
+#
+# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action
+#
+# To use this basic workflow, you will need to complete the following setup steps:
+#
+# 1. The underlying Xanitizer, used in this workflow, needs a separate license file.
+# Licenses are free of charge for open source projects and for educational usage.
+# To get more information about the Xanitizer licenses and how to obtain a license file,
+# please consult https://www.xanitizer.com/xanitizer-pricing/.
+#
+# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository.
+# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details.
+#
+# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action.
+# Example:
+# - name: Xanitizer Security Analysis
+# uses: RIGS-IT/xanitizer-action@v1
+# with:
+# license: ${{ secrets.XANITIZER_LICENSE }}
+#
+# 4. As a static application security testing (SAST) tool,
+# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully.
+# So you have to install all used libraries and build your project before running the security analysis,
+# e.g. via `mvn compile` for Java or `npm install` for JavaScript
+
+name: "Xanitizer Security Analysis"
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+ workflow_dispatch:
+
+jobs:
+ xanitizer-security-analysis:
+ # Xanitizer runs on ubuntu-latest and windows-latest.
+ runs-on: ubuntu-latest
+
+ steps:
+ # Check out the repository
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ # Set up the correct Java version for your project
+ # Please comment out, if your project does not contain Java source code.
+ - name: Set up JDK 11
+ uses: actions/setup-java@v1
+ with:
+ java-version: 11
+
+ # Compile the code for Java projects and get all libraries, e.g. via Maven
+ # Please adapt, if your project uses another build system to compile Java source code.
+ # Please comment out, if your project does not contain Java source code.
+ - name: Compile Java code
+ run: mvn -B compile
+
+ # Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm
+ # Please adapt to run `npm install` in the correct directories.
+ # Please adapt, if your project uses another package manager for getting JavaScript libraries.
+ # Please comment out, if your project does not use a package manager for getting JavaScript libraries.
+ - name: Install JavaScript libraries
+ run: npm install
+
+ # Run the security analysis with default settings
+ - name: Xanitizer Security Analysis
+ uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316
+ with:
+ license: ${{ secrets.XANITIZER_LICENSE }}
+
+ # Archiving the findings list reports
+ - uses: actions/upload-artifact@v2
+ with:
+ name: Xanitizer-Reports
+ path: |
+ *-Findings-List.pdf
+ *-Findings-List.sarif
+
+ # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
+ - uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: Xanitizer-Findings-List.sarif
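Review bot: `npm install` in the `Install JavaScript libraries` step resolves dependencies fresh on every run, so the analysed dependency tree can differ from what the repository actually ships; where a lockfile exists, `npm ci` installs exactly the locked versions, which matters for a SAST result you intend to act on. `java-version: 11` is a YAML integer and works here, but `java-version: "11"` follows the quote-your-versions convention used for `generateSarif: "1"` elsewhere in this series and survives values like `1.8`.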
diff --git a/icons/42crunch.svg b/icons/42crunch.svg
new file mode 100644
index 0000000..96cd102
--- /dev/null
+++ b/icons/42crunch.svg
@@ -0,0 +1,19 @@
+
+
+
diff --git a/icons/anchore.svg b/icons/anchore.svg
new file mode 100644
index 0000000..2381f20
--- /dev/null
+++ b/icons/anchore.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/icons/brakeman.svg b/icons/brakeman.svg
new file mode 100644
index 0000000..ce91881
--- /dev/null
+++ b/icons/brakeman.svg
@@ -0,0 +1,464 @@
+
+
\ No newline at end of file
diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg
new file mode 100644
index 0000000..6bf5ad3
--- /dev/null
+++ b/icons/checkmarx.svg
@@ -0,0 +1,14 @@
+
+
+
diff --git a/icons/codacy.svg b/icons/codacy.svg
new file mode 100644
index 0000000..736d60c
--- /dev/null
+++ b/icons/codacy.svg
@@ -0,0 +1,16 @@
+
+
+
diff --git a/icons/codescan.svg b/icons/codescan.svg
new file mode 100644
index 0000000..5a44c2a
--- /dev/null
+++ b/icons/codescan.svg
@@ -0,0 +1,69 @@
+
+
+
diff --git a/icons/njsscan.svg b/icons/njsscan.svg
new file mode 100644
index 0000000..a9989e8
--- /dev/null
+++ b/icons/njsscan.svg
@@ -0,0 +1,755 @@
+
+
+
diff --git a/icons/prisma.svg b/icons/prisma.svg
new file mode 100644
index 0000000..dfb5fdf
--- /dev/null
+++ b/icons/prisma.svg
@@ -0,0 +1,16 @@
+
diff --git a/icons/rubocop.svg b/icons/rubocop.svg
new file mode 100644
index 0000000..3add056
--- /dev/null
+++ b/icons/rubocop.svg
@@ -0,0 +1 @@
+
diff --git a/icons/securitycodescan.svg b/icons/securitycodescan.svg
new file mode 100644
index 0000000..db0181a
--- /dev/null
+++ b/icons/securitycodescan.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/icons/semgrep.svg b/icons/semgrep.svg
new file mode 100644
index 0000000..1a3e2a9
--- /dev/null
+++ b/icons/semgrep.svg
@@ -0,0 +1,4 @@
+
diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg
new file mode 100644
index 0000000..f8e944a
--- /dev/null
+++ b/icons/shiftleft.svg
@@ -0,0 +1,6 @@
+
diff --git a/icons/snyk.svg b/icons/snyk.svg
new file mode 100644
index 0000000..8a934ac
--- /dev/null
+++ b/icons/snyk.svg
@@ -0,0 +1,31 @@
+
+
diff --git a/icons/trivy.svg b/icons/trivy.svg
new file mode 100644
index 0000000..ba2d477
--- /dev/null
+++ b/icons/trivy.svg
@@ -0,0 +1,93 @@
+
+
+
diff --git a/icons/xanitizer.svg b/icons/xanitizer.svg
new file mode 100644
index 0000000..1d5fe16
--- /dev/null
+++ b/icons/xanitizer.svg
@@ -0,0 +1,50 @@
+
+
\ No newline at end of file
From 0debae5ec754be64d660b4f9992796fa31f4f0db Mon Sep 17 00:00:00 2001
From: anaarmas <54946499+anaarmas@users.noreply.github.com>
Date: Tue, 23 Nov 2021 09:37:32 +0100
Subject: [PATCH 3/4] fix crunch42 template id so it overrides old template as
required
---
code-scanning/{42crunch.yml => crunch42.yml} | 0
.../{42crunch.properties.json => crunch42.properties.json} | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename code-scanning/{42crunch.yml => crunch42.yml} (100%)
rename code-scanning/properties/{42crunch.properties.json => crunch42.properties.json} (90%)
diff --git a/code-scanning/42crunch.yml b/code-scanning/crunch42.yml
similarity index 100%
rename from code-scanning/42crunch.yml
rename to code-scanning/crunch42.yml
diff --git a/code-scanning/properties/42crunch.properties.json b/code-scanning/properties/crunch42.properties.json
similarity index 90%
rename from code-scanning/properties/42crunch.properties.json
rename to code-scanning/properties/crunch42.properties.json
index 9fbeca9..82ae816 100644
--- a/code-scanning/properties/42crunch.properties.json
+++ b/code-scanning/properties/crunch42.properties.json
@@ -1,6 +1,6 @@
{
"name": "42Crunch API Security Audit",
- "creator": "42crunch",
+ "creator": "42Crunch",
"description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.",
"iconName": "42crunch",
"categories": ["Code Scanning"]
From c4dadecc05874dd13684bcea151993acf42199f7 Mon Sep 17 00:00:00 2001
From: anaarmas <54946499+anaarmas@users.noreply.github.com>
Date: Tue, 23 Nov 2021 21:14:53 +0100
Subject: [PATCH 4/4] find a way to pin the SHA for detekt workflow template
---
code-scanning/detekt.yml | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml
index 0edc8b5..a8610c3 100644
--- a/code-scanning/detekt.yml
+++ b/code-scanning/detekt.yml
@@ -53,21 +53,30 @@ jobs:
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
- DETEKT_DOWNLOAD_URL=$( gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query='
+ gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query='
query getReleaseAssetDownloadUrl($tagName: String!) {
repository(name: "detekt", owner: "detekt") {
release(tagName: $tagName) {
- # it doesn't look like there is an alternative semantics for this with a specific SHA, is this release tag immutable?
releaseAssets(name: "detekt", first: 1) {
nodes {
downloadUrl
}
}
+ tagCommit {
+ oid
+ }
}
}
}
- ' | \
- jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' )
+ ' 1> gh_response.json
+
+ DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json)
+ if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then
+ echo "Release tag doesn't match expected commit SHA"
+ exit 1
+ fi
+
+ DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json)
echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL"
# Sets up the detekt cli
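Review bot: The SHA check never fires: the jq path `.data.repository.release.releaseAssets.tagCommit.oid` does not match the query above it, where `tagCommit` is a sibling of `releaseAssets` under `release`, so `DETEKT_RELEASE_SHA` is empty; the unquoted `[ $DETEKT_RELEASE_SHA != … ]` then fails with a unary-operator error, which an `if` condition treats as false, and the download proceeds with no pin enforced. Change the two lines to `DETEKT_RELEASE_SHA=$(jq --raw-output --exit-status '.data.repository.release.tagCommit.oid' gh_response.json)` and `if [ "$DETEKT_RELEASE_SHA" != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then` so a missing field aborts the step under `-e` and an empty value compares as a string. Even when fixed, this pins the tag's commit rather than the release asset, which can be replaced independently of the tag; verifying a checksum of the downloaded binary would pin what actually runs, but the download step lies outside this hunk. The `run:` block continues past the end of the hunk.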