Merge branch 'main' into users/shaopeng-gh/lintr
This commit is contained in:
@@ -0,0 +1,38 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow checks out code, builds an image, performs a container image
|
||||
# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency
|
||||
# submission API.
|
||||
|
||||
# For more information on the Anchore sbom-action usage
|
||||
# and parameters, see https://github.com/anchore/sbom-action. For more
|
||||
# information about the Anchore SBOM tool, Syft, see
|
||||
# https://github.com/anchore/syft
|
||||
name: Anchore Syft SBOM scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
Anchore-Build-Scan:
|
||||
permissions:
|
||||
contents: write # required to upload to the Dependency submission API
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout the code
|
||||
uses: actions/checkout@v3
|
||||
- name: Build the Docker image
|
||||
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
|
||||
- name: Scan the image and upload dependency results
|
||||
uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a
|
||||
with:
|
||||
image: "localbuild/testimage:latest"
|
||||
artifact-name: image.spdx.json
|
||||
dependency-snapshot: true
|
||||
@@ -34,7 +34,7 @@ jobs:
|
||||
|
||||
# Customize the ruby version depending on your needs
|
||||
- name: Setup Ruby
|
||||
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
|
||||
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
|
||||
with:
|
||||
ruby-version: '2.7'
|
||||
|
||||
|
||||
@@ -31,7 +31,7 @@ jobs:
|
||||
- name: Scan code
|
||||
uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
|
||||
with:
|
||||
rules-repository: 'git://org/private-rules-repo#main'
|
||||
# rules-repository: 'git://org/private-rules-repo#main'
|
||||
output-type: 'sarif'
|
||||
output-file: 'clj-holmes-results.sarif'
|
||||
fail-on-result: 'false'
|
||||
@@ -40,4 +40,4 @@ jobs:
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
|
||||
ait-for-processing: true
|
||||
wait-for-processing: true
|
||||
|
||||
@@ -17,4 +17,4 @@ jobs:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v3
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v1
|
||||
uses: actions/dependency-review-action@v2
|
||||
|
||||
@@ -0,0 +1,56 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# Frogbot Scan and Fix does the following:
|
||||
# Automatically creates pull requests with fixes for vulnerable project dependencies.
|
||||
# Uses JFrog Xray to scan the project.
|
||||
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
|
||||
|
||||
name: "Frogbot Scan and Fix"
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch ]
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
security-events: write
|
||||
jobs:
|
||||
create-fix-pull-requests:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
# Install prerequisites - uncomment the relevant one
|
||||
|
||||
# - uses: actions/setup-go@v3
|
||||
# with:
|
||||
# go-version: 1.17.x
|
||||
|
||||
# - uses: actions/setup-java@v3
|
||||
# with:
|
||||
# java-version: "11"
|
||||
# distribution: "temurin"
|
||||
|
||||
# - uses: actions/setup-node@v3
|
||||
# with:
|
||||
# node-version: "16.x"
|
||||
|
||||
|
||||
- uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab
|
||||
env:
|
||||
# [Mandatory]
|
||||
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
|
||||
JF_URL: ${{ secrets.FROGBOT_URL }}
|
||||
|
||||
# [Mandatory if JF_USER and JF_PASSWORD are not provided]
|
||||
# JFrog access token with 'read' permissions on Xray service
|
||||
JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }}
|
||||
|
||||
# [Mandatory]
|
||||
# The GitHub token automatically generated for the job
|
||||
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
# [Mandatory if using npm]
|
||||
# The command that installs the dependencies
|
||||
# JF_INSTALL_DEPS_CMD: "npm i"
|
||||
@@ -0,0 +1,75 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# Frogbot Scan Pull Request does the following:
|
||||
# Automatically scans new pull requests for security vulnerabilities.
|
||||
# Uses JFrog Xray to scan the project.
|
||||
# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
|
||||
|
||||
name: "Frogbot Scan Pull Request"
|
||||
on:
|
||||
pull_request_target:
|
||||
types: [ opened, synchronize ]
|
||||
permissions:
|
||||
pull-requests: write
|
||||
contents: read
|
||||
jobs:
|
||||
scan-pull-request:
|
||||
runs-on: ubuntu-latest
|
||||
# A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
|
||||
# "frogbot" GitHub environment can approve the pull request to be scanned.
|
||||
environment: frogbot
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
|
||||
# Install prerequisites - uncomment the relevant ones
|
||||
|
||||
# - uses: actions/setup-go@v3
|
||||
# with:
|
||||
# go-version: 1.17.x
|
||||
|
||||
# - uses: actions/setup-java@v3
|
||||
# with:
|
||||
# java-version: "11"
|
||||
# distribution: "temurin"
|
||||
|
||||
# - uses: actions/setup-node@v3
|
||||
# with:
|
||||
# node-version: "16.x"
|
||||
|
||||
# The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
|
||||
|
||||
- uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab
|
||||
env:
|
||||
# [Mandatory]
|
||||
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
|
||||
JF_URL: ${{ secrets.JF_URL }}
|
||||
|
||||
# [Mandatory if JF_ACCESS_TOKEN is not provided]
|
||||
# JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
|
||||
JF_USER: ${{ secrets.JF_USER }}
|
||||
|
||||
# [Mandatory if JF_ACCESS_TOKEN is not provided]
|
||||
# JFrog password. Must be provided with JF_USER
|
||||
JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
|
||||
|
||||
# [Mandatory]
|
||||
# The GitHub token automatically generated for the job
|
||||
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
# [Mandatory if JF_USER and JF_PASSWORD are not provided]
|
||||
# JFrog access token with 'read' permissions on Xray service
|
||||
# JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
|
||||
|
||||
# [Mandatory when using npm]
|
||||
# The command that installs the dependencies
|
||||
# JF_INSTALL_DEPS_CMD: "npm i"
|
||||
|
||||
# [Mandatory when using .NET]
|
||||
# The command that installs the dependencies
|
||||
# JF_INSTALL_DEPS_CMD: "dotnet restore"
|
||||
|
||||
# The full template list with full optional environment variables can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Anchore Syft SBOM Scan",
|
||||
"organization": "Anchore",
|
||||
"description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.",
|
||||
"iconName": "anchore",
|
||||
"categories": ["Code Scanning", "dockerfile", "dependency-management"]
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"name": "Frogbot Scan and Fix",
|
||||
"description": "Automatically creates pull requests with fixes for vulnerable project dependencies. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.",
|
||||
"iconName": "frogbot",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"Go Module",
|
||||
"Maven POM",
|
||||
"NPM Config",
|
||||
"Gradle",
|
||||
"C#",
|
||||
"Python"
|
||||
],
|
||||
"creator": "JFrog"
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"name": "Frogbot Scan Pull Request",
|
||||
"description": "Automatically scans new pull requests for security vulnerabilities. Uses JFrog Xray to scan the project. Included as part of JFrog's free subscription.",
|
||||
"iconName": "frogbot",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"Go Module",
|
||||
"Maven POM",
|
||||
"NPM Config",
|
||||
"Gradle",
|
||||
"C#",
|
||||
"Python"
|
||||
],
|
||||
"creator": "JFrog"
|
||||
}
|
||||
@@ -35,7 +35,7 @@ jobs:
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Setup Ruby
|
||||
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
|
||||
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
|
||||
with:
|
||||
ruby-version: 2.7
|
||||
bundler-cache: true
|
||||
|
||||
@@ -28,7 +28,7 @@ jobs:
|
||||
# If running on a self-hosted runner, check it meets the requirements
|
||||
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
|
||||
- name: Set up Ruby
|
||||
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
|
||||
uses: ruby/setup-ruby@0a29871fe2b0200a17a4497bae54fe5df0d973aa # v1.115.3
|
||||
with:
|
||||
ruby-version: 2.6
|
||||
|
||||
|
||||
@@ -25,12 +25,12 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: "Checkout code"
|
||||
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
|
||||
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
- name: "Run analysis"
|
||||
uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.1.1
|
||||
uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # tag=v1.1.1
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
|
||||
# format to the repository Actions tab.
|
||||
- name: "Upload artifact"
|
||||
uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
|
||||
uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
@@ -57,6 +57,6 @@ jobs:
|
||||
|
||||
# Upload the results to GitHub's code scanning dashboard.
|
||||
- name: "Upload to code-scanning"
|
||||
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
|
||||
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
Reference in New Issue
Block a user