Merge remote-tracking branch 'origin/master'
This commit is contained in:
@@ -0,0 +1,39 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow checks out code, builds an image, performs a container image
|
||||
# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
|
||||
# code scanning feature. For more information on the Anchore scan action usage
|
||||
# and parameters, see https://github.com/anchore/scan-action. For more
|
||||
# information on Anchore's container image scanning tool Grype, see
|
||||
# https://github.com/anchore/grype
|
||||
name: Anchore Container Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
Anchore-Build-Scan:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout the code
|
||||
uses: actions/checkout@v2
|
||||
- name: Build the Docker image
|
||||
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
|
||||
- name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
|
||||
uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
|
||||
with:
|
||||
image: "localbuild/testimage:latest"
|
||||
acs-report-enable: true
|
||||
- name: Upload Anchore Scan Report
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
@@ -0,0 +1,51 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow integrates Brakeman with GitHub's Code Scanning feature
|
||||
# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
|
||||
|
||||
name: Brakeman Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
brakeman-scan:
|
||||
name: Brakeman Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checkout the repository to the GitHub Actions runner
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# Customize the ruby version depending on your needs
|
||||
- name: Setup Ruby
|
||||
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
|
||||
with:
|
||||
ruby-version: '2.7'
|
||||
|
||||
- name: Setup Brakeman
|
||||
env:
|
||||
BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
|
||||
run: |
|
||||
gem install brakeman --version $BRAKEMAN_VERSION
|
||||
|
||||
# Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
|
||||
- name: Scan
|
||||
continue-on-error: true
|
||||
run: |
|
||||
brakeman -f sarif -o output.sarif.json .
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: output.sarif.json
|
||||
@@ -0,0 +1,44 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action
|
||||
|
||||
name: CxFlow
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action
|
||||
jobs:
|
||||
# This workflow contains a single job called "build"
|
||||
build:
|
||||
# The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
|
||||
steps:
|
||||
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
|
||||
- uses: actions/checkout@v2
|
||||
# Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
|
||||
- name: Checkmarx CxFlow Action
|
||||
uses: checkmarx-ts/checkmarx-cxflow-github-action@04e6403dbbfee0fd3fb076e5791202c31c54fe6b
|
||||
with:
|
||||
project: GithubActionTest
|
||||
team: '\CxServer\SP\Checkmarx'
|
||||
checkmarx_url: ${{ secrets.CHECKMARX_URL }}
|
||||
checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
|
||||
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
|
||||
checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
|
||||
# Upload the Report for CodeQL/Security Alerts
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: cx.sarif
|
||||
@@ -0,0 +1,54 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow checks out code, performs a Codacy security scan
|
||||
# and integrates the results with the
|
||||
# GitHub Advanced Security code scanning feature. For more information on
|
||||
# the Codacy security scan action usage and parameters, see
|
||||
# https://github.com/codacy/codacy-analysis-cli-action.
|
||||
# For more information on Codacy Analysis CLI in general, see
|
||||
# https://github.com/codacy/codacy-analysis-cli.
|
||||
|
||||
name: Codacy Security Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
codacy-security-scan:
|
||||
name: Codacy Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checkout the repository to the GitHub Actions runner
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
|
||||
- name: Run Codacy Analysis CLI
|
||||
uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
|
||||
with:
|
||||
# Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
|
||||
# You can also omit the token and run the tools that support default configurations
|
||||
project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
|
||||
verbose: true
|
||||
output: results.sarif
|
||||
format: sarif
|
||||
# Adjust severity of non-security issues
|
||||
gh-code-scanning-compat: true
|
||||
# Force 0 exit code to allow SARIF file generation
|
||||
# This will handover control about PR rejection to the GitHub side
|
||||
max-allowed-issues: 2147483647
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF results file
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
@@ -0,0 +1,42 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow requires that you have an existing account with codescan.io
|
||||
# For more information about configuring your workflow,
|
||||
# read our documentation at https://github.com/codescan-io/codescan-scanner-action
|
||||
name: CodeScan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
CodeScan:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
- name: Cache files
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: |
|
||||
~/.sonar
|
||||
key: ${{ runner.os }}-sonar
|
||||
restore-keys: ${{ runner.os }}-sonar
|
||||
- name: Run Analysis
|
||||
uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12
|
||||
with:
|
||||
login: ${{ secrets.CODESCAN_AUTH_TOKEN }}
|
||||
organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
|
||||
projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: codescan.sarif
|
||||
@@ -0,0 +1,53 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow locates REST API file contracts
|
||||
# (Swagger or OpenAPI format, v2 and v3, JSON and YAML)
|
||||
# and runs 200+ security checks on them using 42Crunch Security Audit technology.
|
||||
#
|
||||
# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
|
||||
#
|
||||
# To use this workflow, you will need to complete the following setup steps.
|
||||
#
|
||||
# 1. Create a free 42Crunch account at https://platform.42crunch.com/register
|
||||
#
|
||||
# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
|
||||
# to create an API Token on the 42Crunch platform
|
||||
#
|
||||
# 3. Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm,
|
||||
# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow
|
||||
#
|
||||
# If you have any questions or need help contact https://support.42crunch.com
|
||||
|
||||
name: "42Crunch REST API Static Security Testing"
|
||||
|
||||
# follow standard Code Scanning triggers
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
rest-api-static-security-testing:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
- name: 42Crunch REST API Static Security Testing
|
||||
uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1
|
||||
with:
|
||||
# Please create free account at https://platform.42crunch.com/register
|
||||
# Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
|
||||
api-token: ${{ secrets.API_TOKEN }}
|
||||
# Fail if any OpenAPI file scores lower than 75
|
||||
min-score: 75
|
||||
# Upload results to Github code scanning
|
||||
upload-to-code-scanning: true
|
||||
# Github token for uploading the results
|
||||
github-token: ${{ github.token }}
|
||||
@@ -0,0 +1,118 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow performs a static analysis of your Kotlin source code using
|
||||
# Detekt.
|
||||
#
|
||||
# Scans are triggered:
|
||||
# 1. On every push to default and protected branches
|
||||
# 2. On every Pull Request targeting the default branch
|
||||
# 3. On a weekly schedule
|
||||
# 4. Manually, on demand, via the "workflow_dispatch" event
|
||||
#
|
||||
# The workflow should work with no modifications, but you might like to use a
|
||||
# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG
|
||||
# environment variable.
|
||||
name: Scan with Detekt
|
||||
|
||||
on:
|
||||
# Triggers the workflow on push or pull request events but only for default and protected branches
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
# Allows you to run this workflow manually from the Actions tab
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
# Release tag associated with version of Detekt to be installed
|
||||
# SARIF support (required for this workflow) was introduced in Detekt v1.15.0
|
||||
DETEKT_RELEASE_TAG: v1.15.0
|
||||
|
||||
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
|
||||
jobs:
|
||||
# This workflow contains a single job called "scan"
|
||||
scan:
|
||||
name: Scan
|
||||
# The type of runner that the job will run on
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
# Steps represent a sequence of tasks that will be executed as part of the job
|
||||
steps:
|
||||
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
# Gets the download URL associated with the $DETEKT_RELEASE_TAG
|
||||
- name: Get Detekt download URL
|
||||
id: detekt_info
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query='
|
||||
query getReleaseAssetDownloadUrl($tagName: String!) {
|
||||
repository(name: "detekt", owner: "detekt") {
|
||||
release(tagName: $tagName) {
|
||||
releaseAssets(name: "detekt", first: 1) {
|
||||
nodes {
|
||||
downloadUrl
|
||||
}
|
||||
}
|
||||
tagCommit {
|
||||
oid
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
' 1> gh_response.json
|
||||
|
||||
DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json)
|
||||
if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then
|
||||
echo "Release tag doesn't match expected commit SHA"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json)
|
||||
echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL"
|
||||
|
||||
# Sets up the detekt cli
|
||||
- name: Setup Detekt
|
||||
run: |
|
||||
dest=$( mktemp -d )
|
||||
curl --request GET \
|
||||
--url ${{ steps.detekt_info.outputs.download_url }} \
|
||||
--silent \
|
||||
--location \
|
||||
--output $dest/detekt
|
||||
chmod a+x $dest/detekt
|
||||
echo $dest >> $GITHUB_PATH
|
||||
|
||||
# Performs static analysis using Detekt
|
||||
- name: Run Detekt
|
||||
continue-on-error: true
|
||||
run: |
|
||||
detekt --input ${{ github.workspace }} --report sarif:${{ github.workspace }}/detekt.sarif.json
|
||||
|
||||
# Modifies the SARIF output produced by Detekt so that absolute URIs are relative
|
||||
# This is so we can easily map results onto their source files
|
||||
# This can be removed once relative URI support lands in Detekt: https://git.io/JLBbA
|
||||
- name: Make artifact location URIs relative
|
||||
continue-on-error: true
|
||||
run: |
|
||||
echo "$(
|
||||
jq \
|
||||
--arg github_workspace ${{ github.workspace }} \
|
||||
'. | ( .runs[].results[].locations[].physicalLocation.artifactLocation.uri |= if test($github_workspace) then .[($github_workspace | length | . + 1):] else . end )' \
|
||||
${{ github.workspace }}/detekt.sarif.json
|
||||
)" > ${{ github.workspace }}/detekt.sarif.json
|
||||
|
||||
# Uploads results to GitHub repository using the upload-sarif action
|
||||
- uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
# Path to SARIF file relative to the root of the repository
|
||||
sarif_file: ${{ github.workspace }}/detekt.sarif.json
|
||||
checkout_path: ${{ github.workspace }}
|
||||
@@ -0,0 +1,35 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow integrates njsscan with GitHub's Code Scanning feature
|
||||
# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications
|
||||
|
||||
name: njsscan sarif
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
njsscan:
|
||||
runs-on: ubuntu-latest
|
||||
name: njsscan code scanning
|
||||
steps:
|
||||
- name: Checkout the code
|
||||
uses: actions/checkout@v2
|
||||
- name: nodejsscan scan
|
||||
id: njsscan
|
||||
uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711
|
||||
with:
|
||||
args: '. --sarif --output results.sarif || true'
|
||||
- name: Upload njsscan report
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
@@ -0,0 +1,49 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow integrates a collection of open source static analysis tools
|
||||
# with GitHub code scanning. For documentation, or to provide feedback, visit
|
||||
# https://github.com/github/ossar-action
|
||||
name: OSSAR
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
OSSAR-Scan:
|
||||
# OSSAR runs on windows-latest.
|
||||
# ubuntu-latest and macos-latest support coming soon
|
||||
runs-on: windows-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# Ensure a compatible version of dotnet is installed.
|
||||
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
|
||||
# A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
|
||||
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
|
||||
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
|
||||
# - name: Install .NET
|
||||
# uses: actions/setup-dotnet@v1
|
||||
# with:
|
||||
# dotnet-version: '3.1.x'
|
||||
|
||||
# Run open source static analysis tools
|
||||
- name: Run OSSAR
|
||||
uses: github/ossar-action@v1
|
||||
id: ossar
|
||||
|
||||
# Upload results to the Security tab
|
||||
- name: Upload OSSAR results
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
|
||||
@@ -0,0 +1,54 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# A sample workflow that checks for security issues using
|
||||
# the Prisma Cloud Infrastructure as Code Scan Action on
|
||||
# the IaC files present in the repository.
|
||||
# The results are uploaded to GitHub Security Code Scanning
|
||||
#
|
||||
# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action
|
||||
|
||||
name: Prisma Cloud IaC Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
prisma_cloud_iac_scan:
|
||||
runs-on: ubuntu-latest
|
||||
name: Run Prisma Cloud IaC Scan to check
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
- id: iac-scan
|
||||
name: Run Scan on CFT files in the repository
|
||||
uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3
|
||||
with:
|
||||
# You will need Prisma Cloud API Access Token
|
||||
# More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action
|
||||
prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }}
|
||||
access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
|
||||
secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
|
||||
# Scan sources on Prisma Cloud are uniquely identified by their name
|
||||
asset_name: 'my-asset-name'
|
||||
# The service need to know the type of IaC being scanned
|
||||
template_type: 'CFT'
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
# Results are generated only on a success or failure
|
||||
# this is required since GitHub by default won't run the next step
|
||||
# when the previous one has failed.
|
||||
# And alternative it to add `continue-on-error: true` to the previous step
|
||||
if: success() || failure()
|
||||
with:
|
||||
# The SARIF Log file name is configurable on scan action
|
||||
# therefore the file name is best read from the steps output
|
||||
sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Anchore Container Scan",
|
||||
"creator": "Indeni Cloudrail",
|
||||
"description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.",
|
||||
"iconName": "anchore",
|
||||
"categories": ["Code Scanning", "dockerfile"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Brakeman",
|
||||
"creator": "Brakeman",
|
||||
"description": "Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications.",
|
||||
"iconName": "brakeman",
|
||||
"categories": ["Code Scanning", "ruby"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "CxSAST",
|
||||
"creator": "Checkmarx",
|
||||
"description": "Scan your code with Checkmarx CxSAST and see your results in the GitHub security tab.",
|
||||
"iconName": "checkmarx",
|
||||
"categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Codacy Security Scan",
|
||||
"creator": "Codacy",
|
||||
"description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.",
|
||||
"iconName": "codacy",
|
||||
"categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "CodeScan",
|
||||
"creator": "CodeScan Enterprises, LLC",
|
||||
"description": "CodeScan allows for better visibility on your code quality checks based on your custom rulesets.",
|
||||
"iconName": "codescan",
|
||||
"categories": ["Code Scanning", "javascript", "apex"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "42Crunch API Security Audit",
|
||||
"creator": "42Crunch",
|
||||
"description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.",
|
||||
"iconName": "42crunch",
|
||||
"categories": ["Code Scanning"]
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
{
|
||||
"name": "Detekt",
|
||||
"creator": "Detekt",
|
||||
"description": "Static code analysis for Kotlin",
|
||||
"iconName": "detekt",
|
||||
"categories": ["Code Scanning", "Kotlin"]
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "njsscan",
|
||||
"creator": "NodeJSScan",
|
||||
"description": "nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications.",
|
||||
"iconName": "njsscan",
|
||||
"categories": ["Code Scanning", "JavaScript", "TypeScript"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "OSSAR",
|
||||
"creator": "GitHub",
|
||||
"description": "Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).",
|
||||
"iconName": "octicon mark-github",
|
||||
"categories": ["Code Scanning", "python", "javascript"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Prisma Cloud IaC Scan",
|
||||
"creator": "Palo Alto Prisma Cloud",
|
||||
"description": "Scan your Infrastructure as Code files with Prisma Cloud to detect security issues",
|
||||
"iconName": "prisma",
|
||||
"categories": ["Code Scanning"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "RuboCop Linting",
|
||||
"creator": "arthurnn",
|
||||
"description": "A Ruby static code analyzer and formatter, based on the community Ruby style guide.",
|
||||
"iconName": "rubocop",
|
||||
"categories": ["Code Scanning", "ruby"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "SecurityCodeScan",
|
||||
"creator": "@security-code-scan",
|
||||
"description": "Vulnerability Patterns Detector for C# and VB.NET",
|
||||
"iconName": "securitycodescan",
|
||||
"categories": ["Code Scanning", "C#", "Visual Basic .NET"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Semgrep",
|
||||
"creator": "Returntocorp",
|
||||
"description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.",
|
||||
"iconName": "semgrep",
|
||||
"categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Scan",
|
||||
"creator": "ShiftLeft",
|
||||
"description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.",
|
||||
"iconName": "shiftleft",
|
||||
"categories": ["Code Scanning"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Snyk Container",
|
||||
"creator": "Snyk",
|
||||
"description": "Detect vulnerabilities in your container images and surface the issues in GitHub code scanning.",
|
||||
"iconName": "snyk",
|
||||
"categories": ["Code Scanning", "dockerfile"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Snyk Infrastructure as Code",
|
||||
"creator": "Snyk",
|
||||
"description": "Detect vulnerabilities in your infrastructure as code files and surface the issues in GitHub code scanning.",
|
||||
"iconName": "snyk",
|
||||
"categories": ["Code Scanning"]
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"name": "Trivy",
|
||||
"creator": "Aqua Security",
|
||||
"description": "Scan Docker container images for vulnerabilities in OS packages and language dependencies with Trivy from Aqua Security.",
|
||||
"iconName": "trivy",
|
||||
"categories": ["Code Scanning", "dockerfile"],
|
||||
"enterprise_requirements": ["docker"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Xanitizer",
|
||||
"creator": "RIGS IT",
|
||||
"description": "Automatically scan your code for vulnerabilities and generate compliance reports with the static security analysis tool Xanitizer (SAST).",
|
||||
"iconName": "xanitizer",
|
||||
"categories": ["Code Scanning", "javascript", "java", "scala", "typescript", "xml", "json"]
|
||||
}
|
||||
@@ -0,0 +1,52 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# pulled from repo
|
||||
name: "Rubocop"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
rubocop:
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
fail-fast: false
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# If running on a self-hosted runner, check it meets the requirements
|
||||
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
|
||||
- name: Set up Ruby
|
||||
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
|
||||
with:
|
||||
ruby-version: 2.6
|
||||
|
||||
# This step is not necessary if you add the gem to your Gemfile
|
||||
- name: Install Code Scanning integration
|
||||
run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
|
||||
|
||||
- name: Install dependencies
|
||||
run: bundle install
|
||||
|
||||
- name: Rubocop run
|
||||
run: |
|
||||
bash -c "
|
||||
bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
|
||||
[[ $? -ne 2 ]]
|
||||
"
|
||||
|
||||
- name: Upload Sarif output
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: rubocop.sarif
|
||||
@@ -0,0 +1,41 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature
|
||||
# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET
|
||||
|
||||
name: SecurityCodeScan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
SCS:
|
||||
runs-on: windows-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1
|
||||
- uses: microsoft/setup-msbuild@v1.0.2
|
||||
|
||||
- name: Set up projects for analysis
|
||||
uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d
|
||||
|
||||
- name: Restore dependencies
|
||||
run: dotnet restore
|
||||
|
||||
- name: Build
|
||||
run: dotnet build --no-restore
|
||||
|
||||
- name: Convert sarif for uploading to GitHub
|
||||
uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
|
||||
|
||||
- name: Upload sarif
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
@@ -0,0 +1,42 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow file requires a free account on Semgrep.dev to
|
||||
# manage rules, file ignores, notifications, and more.
|
||||
#
|
||||
# See https://semgrep.dev/docs
|
||||
|
||||
name: Semgrep
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
semgrep:
|
||||
name: Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checkout project source
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
# Scan code using project's configuration on https://semgrep.dev/manage
|
||||
- uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735
|
||||
with:
|
||||
publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
|
||||
publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
|
||||
generateSarif: "1"
|
||||
|
||||
# Upload SARIF file generated in previous step
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: semgrep.sarif
|
||||
if: always()
|
||||
@@ -0,0 +1,47 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow integrates Scan with GitHub's code scanning feature
|
||||
# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
|
||||
# Visit https://slscan.io/en/latest/integrations/code-scan for help
|
||||
name: SL Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
Scan-Build:
|
||||
# Scan runs on ubuntu, mac and windows
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
# Instructions
|
||||
# 1. Setup JDK, Node.js, Python etc depending on your project type
|
||||
# 2. Compile or build the project before invoking scan
|
||||
# Example: mvn compile, or npm install or pip install goes here
|
||||
# 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
|
||||
|
||||
- name: Perform Scan
|
||||
uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64
|
||||
env:
|
||||
WORKSPACE: ""
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
SCAN_AUTO_BUILD: true
|
||||
with:
|
||||
output: reports
|
||||
# Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
|
||||
# type: credscan,java
|
||||
# type: python
|
||||
|
||||
- name: Upload report
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: reports
|
||||
@@ -0,0 +1,48 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# A sample workflow which checks out the code, builds a container
|
||||
# image using Docker and scans that image for vulnerabilities using
|
||||
# Snyk. The results are then uploaded to GitHub Security Code Scanning
|
||||
#
|
||||
# For more examples, including how to limit scans to only high-severity
|
||||
# issues, monitor images for newly disclosed vulnerabilities in Snyk and
|
||||
# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/
|
||||
|
||||
name: Snyk Container
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
snyk:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Build a Docker image
|
||||
run: docker build -t your/image-to-test .
|
||||
- name: Run Snyk to check Docker image for vulnerabilities
|
||||
# Snyk can be used to break the build when it detects vulnerabilities.
|
||||
# In this case we want to upload the issues to GitHub Code Scanning
|
||||
continue-on-error: true
|
||||
uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
|
||||
env:
|
||||
# In order to use the Snyk Action you will need to have a Snyk API token.
|
||||
# More details in https://github.com/snyk/actions#getting-your-snyk-token
|
||||
# or you can signup for free at https://snyk.io/login
|
||||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
||||
with:
|
||||
image: your/image-to-test
|
||||
args: --file=Dockerfile
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: snyk.sarif
|
||||
@@ -0,0 +1,47 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# A sample workflow which checks out your Infrastructure as Code Configuration files,
|
||||
# such as Kubernetes, Helm & Terraform and scans them for any security issues.
|
||||
# The results are then uploaded to GitHub Security Code Scanning
|
||||
#
|
||||
# For more examples, including how to limit scans to only high-severity issues
|
||||
# and fail PR checks, see https://github.com/snyk/actions/
|
||||
|
||||
name: Snyk Infrastructure as Code
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
snyk:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Run Snyk to check configuration files for security issues
|
||||
# Snyk can be used to break the build when it detects security issues.
|
||||
# In this case we want to upload the issues to GitHub Code Scanning
|
||||
continue-on-error: true
|
||||
uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4
|
||||
env:
|
||||
# In order to use the Snyk Action you will need to have a Snyk API token.
|
||||
# More details in https://github.com/snyk/actions#getting-your-snyk-token
|
||||
# or you can signup for free at https://snyk.io/login
|
||||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
||||
with:
|
||||
# Add the path to the configuration file that you would like to test.
|
||||
# For example `deployment.yaml` for a Kubernetes deployment manifest
|
||||
# or `main.tf` for a Terraform configuration file
|
||||
file: your-file-to-test.yaml
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: snyk.sarif
|
||||
@@ -0,0 +1,41 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
name: build
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: "ubuntu-18.04"
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
severity: 'CRITICAL,HIGH'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
@@ -0,0 +1,92 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it,
|
||||
# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository.
|
||||
#
|
||||
# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action
|
||||
#
|
||||
# To use this basic workflow, you will need to complete the following setup steps:
|
||||
#
|
||||
# 1. The underlying Xanitizer, used in this workflow, needs a separate license file.
|
||||
# Licenses are free of charge for open source projects and for educational usage.
|
||||
# To get more information about the Xanitizer licenses and how to obtain a license file,
|
||||
# please consult https://www.xanitizer.com/xanitizer-pricing/.
|
||||
#
|
||||
# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository.
|
||||
# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details.
|
||||
#
|
||||
# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action.
|
||||
# Example:
|
||||
# - name: Xanitizer Security Analysis
|
||||
# uses: RIGS-IT/xanitizer-action@v1
|
||||
# with:
|
||||
# license: ${{ secrets.XANITIZER_LICENSE }}
|
||||
#
|
||||
# 4. As a static application security testing (SAST) tool,
|
||||
# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully.
|
||||
# So you have to install all used libraries and build your project before running the security analysis,
|
||||
# e.g. via `mvn compile` for Java or `npm install` for JavaScript
|
||||
|
||||
name: "Xanitizer Security Analysis"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
xanitizer-security-analysis:
|
||||
# Xanitizer runs on ubuntu-latest and windows-latest.
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
# Check out the repository
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# Set up the correct Java version for your project
|
||||
# Please comment out, if your project does not contain Java source code.
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v1
|
||||
with:
|
||||
java-version: 11
|
||||
|
||||
# Compile the code for Java projects and get all libraries, e.g. via Maven
|
||||
# Please adapt, if your project uses another build system to compile Java source code.
|
||||
# Please comment out, if your project does not contain Java source code.
|
||||
- name: Compile Java code
|
||||
run: mvn -B compile
|
||||
|
||||
# Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm
|
||||
# Please adapt to run `npm install` in the correct directories.
|
||||
# Please adapt, if your project uses another package manager for getting JavaScript libraries.
|
||||
# Please comment out, if your project does not use a package manager for getting JavaScript libraries.
|
||||
- name: Install JavaScript libraries
|
||||
run: npm install
|
||||
|
||||
# Run the security analysis with default settings
|
||||
- name: Xanitizer Security Analysis
|
||||
uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316
|
||||
with:
|
||||
license: ${{ secrets.XANITIZER_LICENSE }}
|
||||
|
||||
# Archiving the findings list reports
|
||||
- uses: actions/upload-artifact@v2
|
||||
with:
|
||||
name: Xanitizer-Reports
|
||||
path: |
|
||||
*-Findings-List.pdf
|
||||
*-Findings-List.sarif
|
||||
|
||||
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
|
||||
- uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: Xanitizer-Findings-List.sarif
|
||||
Reference in New Issue
Block a user