diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml new file mode 100644 index 0000000..3f1b732 --- /dev/null +++ b/ci/go-ossf-slsa3-publish.yml @@ -0,0 +1,35 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps +# that were performed to generate the final binary. +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA Go releaser +on: + workflow_dispatch: + release: + types: [created] + +permissions: read-all + +jobs: + build: + permissions: + id-token: write # To sign. + contents: write # To upload release assets. + actions: read # To read workflow path. + # If you need more configuration options, such as ldflag examples, + # visit https://github.com/slsa-framework/slsa-github-generator#golang-projects. + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.1.1 + with: + # By default, the config file is .slsa-goreleaser.yml in the root directory. + # The format of the config file is described in + # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file. + go-version: 1.17 diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 9aeb2b8..42eae27 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index 4642c75..0c0f12c 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -29,6 +29,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee + uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 with: arguments: build diff --git a/ci/properties/go-ossf-slsa3-publish.properties.json b/ci/properties/go-ossf-slsa3-publish.properties.json new file mode 100644 index 0000000..2d58eaf --- /dev/null +++ b/ci/properties/go-ossf-slsa3-publish.properties.json @@ -0,0 +1,7 @@ +{ + "name": "SLSA Go releaser", + "creator": "Open Source Security Foundation (OpenSSF)", + "description": "Compile your Go project using a SLSA3 compliant builder", + "iconName": "go-ossf-slsa3-publish", + "categories": ["Continuous integration", "Go"] +} diff --git a/ci/scala.yml b/ci/scala.yml index c985f74..6f80a22 100644 --- a/ci/scala.yml +++ b/ci/scala.yml @@ -21,5 +21,6 @@ jobs: with: java-version: '11' distribution: 'temurin' + cache: 'sbt' - name: Run tests run: sbt test diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml new file mode 100644 index 0000000..61ffd7a --- /dev/null +++ b/code-scanning/contrast-scan.yml @@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github. +# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action. +# Contrast Scan currently supports Java, JavaScript and .NET artifacts. +# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action + +# Pre-requisites: +# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action. +# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER. + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +name: Scan analyze workflow +jobs: + build-and-scan: + permissions: + contents: read # for actions/checkout + security-events: write # for github/codeql-action/upload-sarif + runs-on: ubuntu-latest + # check out project + steps: + - uses: actions/checkout@v3 + # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here. + # -name: Build Project + # ... + # Scan Artifact + - name: Contrast Scan Action + uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 + with: + artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact + apiKey: ${{ secrets.CONTRAST_API_KEY }} + orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} + authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} + #Upload the results to GitHub + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output diff --git a/code-scanning/properties/contrast-scan.properties.json b/code-scanning/properties/contrast-scan.properties.json new file mode 100644 index 0000000..67369b8 --- /dev/null +++ b/code-scanning/properties/contrast-scan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Contrast Scan", + "creator": "Contrast Security Inc", + "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerabilities to the repository.", + "iconName": "contrast", + "categories": ["Code Scanning", "java", "javascript", "dotnet"] +} \ No newline at end of file diff --git a/code-scanning/properties/puppet-lint.properties.json b/code-scanning/properties/puppet-lint.properties.json new file mode 100644 index 0000000..62ebd9e --- /dev/null +++ b/code-scanning/properties/puppet-lint.properties.json @@ -0,0 +1,6 @@ +{ + "name": "puppet-lint", + "description": "Puppet Lint tests Puppet code against the recommended Puppet language style guide.", + "iconName": "puppet-lint", + "categories": [ "Code Scanning", "Puppet" ] +} \ No newline at end of file diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml new file mode 100644 index 0000000..801b90b --- /dev/null +++ b/code-scanning/puppet-lint.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# Puppet Lint tests Puppet code against the recommended Puppet language style guide. +# https://puppet.com/docs/puppet/7/style_guide.html +# Puppet Lint validates only code style; it does not validate syntax. +# To test syntax, use Puppet's puppet parser validate command. +# More details at https://github.com/puppetlabs/puppet-lint/ + +name: puppet-lint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + puppet-lint: + name: Run puppet-lint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup Ruby + uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf + with: + ruby-version: 2.7 + bundler-cache: true + + - name: Install puppet-lint + run: gem install puppet-lint + + - name: Run puppet-lint + run: puppet-lint . --sarif > puppet-lint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: puppet-lint-results.sarif + wait-for-processing: true diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 6536fbe..77f8156 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -27,7 +27,7 @@ jobs: uses: actions/checkout@v3 - name: Run tfsec - uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f + uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f with: sarif_file: tfsec.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index 06b5cae..63be947 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml @@ -33,7 +33,7 @@ jobs: docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2 + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'template' diff --git a/icons/contrast.svg b/icons/contrast.svg new file mode 100644 index 0000000..7680157 --- /dev/null +++ b/icons/contrast.svg @@ -0,0 +1,16 @@ + + + + + + + + diff --git a/icons/go-ossf-slsa3-publish.svg b/icons/go-ossf-slsa3-publish.svg new file mode 100644 index 0000000..ea77468 --- /dev/null +++ b/icons/go-ossf-slsa3-publish.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg new file mode 100644 index 0000000..4e5d4d0 --- /dev/null +++ b/icons/puppet-lint.svg @@ -0,0 +1,95 @@ + + + + + + + + + +