diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml
new file mode 100644
index 0000000..3f1b732
--- /dev/null
+++ b/ci/go-ossf-slsa3-publish.yml
@@ -0,0 +1,35 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you compile your Go project using a SLSA3 compliant builder.
+# This workflow will generate a so-called "provenance" file describing the steps
+# that were performed to generate the final binary.
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA Go releaser
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+permissions: read-all
+
+jobs:
+ build:
+ permissions:
+ id-token: write # To sign.
+ contents: write # To upload release assets.
+ actions: read # To read workflow path.
+ # If you need more configuration options, such as ldflag examples,
+ # visit https://github.com/slsa-framework/slsa-github-generator#golang-projects.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.1.1
+ with:
+ # By default, the config file is .slsa-goreleaser.yml in the root directory.
+ # The format of the config file is described in
+ # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file.
+ go-version: 1.17
diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml
index 9aeb2b8..42eae27 100644
--- a/ci/gradle-publish.yml
+++ b/ci/gradle-publish.yml
@@ -30,14 +30,14 @@ jobs:
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Build with Gradle
- uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: build
# The USERNAME and TOKEN need to correspond to the credentials environment variables used in
# the publishing section of your build.gradle
- name: Publish to GitHub Packages
- uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: publish
env:
diff --git a/ci/gradle.yml b/ci/gradle.yml
index 4642c75..0c0f12c 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -29,6 +29,6 @@ jobs:
java-version: '11'
distribution: 'temurin'
- name: Build with Gradle
- uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: build
diff --git a/ci/properties/go-ossf-slsa3-publish.properties.json b/ci/properties/go-ossf-slsa3-publish.properties.json
new file mode 100644
index 0000000..2d58eaf
--- /dev/null
+++ b/ci/properties/go-ossf-slsa3-publish.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SLSA Go releaser",
+ "creator": "Open Source Security Foundation (OpenSSF)",
+ "description": "Compile your Go project using a SLSA3 compliant builder",
+ "iconName": "go-ossf-slsa3-publish",
+ "categories": ["Continuous integration", "Go"]
+}
diff --git a/ci/scala.yml b/ci/scala.yml
index c985f74..6f80a22 100644
--- a/ci/scala.yml
+++ b/ci/scala.yml
@@ -21,5 +21,6 @@ jobs:
with:
java-version: '11'
distribution: 'temurin'
+ cache: 'sbt'
- name: Run tests
run: sbt test
diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml
new file mode 100644
index 0000000..61ffd7a
--- /dev/null
+++ b/code-scanning/contrast-scan.yml
@@ -0,0 +1,52 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github.
+# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action.
+# Contrast Scan currently supports Java, JavaScript and .NET artifacts.
+# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action
+
+# Pre-requisites:
+# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action.
+# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER.
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+name: Scan analyze workflow
+jobs:
+ build-and-scan:
+ permissions:
+ contents: read # for actions/checkout
+ security-events: write # for github/codeql-action/upload-sarif
+ runs-on: ubuntu-latest
+ # check out project
+ steps:
+ - uses: actions/checkout@v3
+ # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here.
+ # -name: Build Project
+ # ...
+ # Scan Artifact
+ - name: Contrast Scan Action
+ uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1
+ with:
+ artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact
+ apiKey: ${{ secrets.CONTRAST_API_KEY }}
+ orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
+ authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
+ #Upload the results to GitHub
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
diff --git a/code-scanning/properties/contrast-scan.properties.json b/code-scanning/properties/contrast-scan.properties.json
new file mode 100644
index 0000000..67369b8
--- /dev/null
+++ b/code-scanning/properties/contrast-scan.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Contrast Scan",
+ "creator": "Contrast Security Inc",
+ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerabilities to the repository.",
+ "iconName": "contrast",
+ "categories": ["Code Scanning", "java", "javascript", "dotnet"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/puppet-lint.properties.json b/code-scanning/properties/puppet-lint.properties.json
new file mode 100644
index 0000000..62ebd9e
--- /dev/null
+++ b/code-scanning/properties/puppet-lint.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "puppet-lint",
+ "description": "Puppet Lint tests Puppet code against the recommended Puppet language style guide.",
+ "iconName": "puppet-lint",
+ "categories": [ "Code Scanning", "Puppet" ]
+}
\ No newline at end of file
diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml
new file mode 100644
index 0000000..801b90b
--- /dev/null
+++ b/code-scanning/puppet-lint.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Puppet Lint tests Puppet code against the recommended Puppet language style guide.
+# https://puppet.com/docs/puppet/7/style_guide.html
+# Puppet Lint validates only code style; it does not validate syntax.
+# To test syntax, use Puppet's puppet parser validate command.
+# More details at https://github.com/puppetlabs/puppet-lint/
+
+name: puppet-lint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ puppet-lint:
+ name: Run puppet-lint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
+ with:
+ ruby-version: 2.7
+ bundler-cache: true
+
+ - name: Install puppet-lint
+ run: gem install puppet-lint
+
+ - name: Run puppet-lint
+ run: puppet-lint . --sarif > puppet-lint-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: puppet-lint-results.sarif
+ wait-for-processing: true
diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml
index 6536fbe..77f8156 100644
--- a/code-scanning/tfsec.yml
+++ b/code-scanning/tfsec.yml
@@ -27,7 +27,7 @@ jobs:
uses: actions/checkout@v3
- name: Run tfsec
- uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
+ uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
with:
sarif_file: tfsec.sarif
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index 06b5cae..63be947 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -33,7 +33,7 @@ jobs:
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
+ uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'template'
diff --git a/icons/contrast.svg b/icons/contrast.svg
new file mode 100644
index 0000000..7680157
--- /dev/null
+++ b/icons/contrast.svg
@@ -0,0 +1,16 @@
+
+
+
diff --git a/icons/go-ossf-slsa3-publish.svg b/icons/go-ossf-slsa3-publish.svg
new file mode 100644
index 0000000..ea77468
--- /dev/null
+++ b/icons/go-ossf-slsa3-publish.svg
@@ -0,0 +1,11 @@
+
+
diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg
new file mode 100644
index 0000000..4e5d4d0
--- /dev/null
+++ b/icons/puppet-lint.svg
@@ -0,0 +1,95 @@
+
+
+
+