diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
index 2f68e66..71aff41 100644
--- a/ci/docker-publish.yml
+++ b/ci/docker-publish.yml
@@ -41,9 +41,9 @@ jobs:
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605
+ uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25
with:
- cosign-release: 'v1.7.1'
+ cosign-release: 'v1.9.0'
# Workaround: https://github.com/docker/build-push-action/issues/461
diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml
new file mode 100644
index 0000000..3f1b732
--- /dev/null
+++ b/ci/go-ossf-slsa3-publish.yml
@@ -0,0 +1,35 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you compile your Go project using a SLSA3 compliant builder.
+# This workflow will generate a so-called "provenance" file describing the steps
+# that were performed to generate the final binary.
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA Go releaser
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+permissions: read-all
+
+jobs:
+ build:
+ permissions:
+ id-token: write # To sign.
+ contents: write # To upload release assets.
+ actions: read # To read workflow path.
+ # If you need more configuration options, such as ldflag examples,
+ # visit https://github.com/slsa-framework/slsa-github-generator#golang-projects.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.1.1
+ with:
+ # By default, the config file is .slsa-goreleaser.yml in the root directory.
+ # The format of the config file is described in
+ # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file.
+ go-version: 1.17
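Review bot: `go-version: 1.17` on the last line is an unquoted float, so a user who later edits it to `1.20` gets the YAML value `1.2` and silently selects the wrong toolchain; quote it as `go-version: '1.17'` so the builder always receives the literal string. The reusable builder at line 50 is referenced by tag (`@v1.1.1`) while every third-party action elsewhere in this commit is pinned to a commit SHA; as far as I recall the slsa-github-generator documentation requires a tag reference so slsa-verifier can identify the trusted builder, so this is probably deliberate, but a one-line comment such as `# Reference the builder by tag, not SHA: slsa-verifier identifies the trusted builder by its tag` would stop a well-meaning maintainer from "fixing" it. The `contents: write` grant is justified by the asset upload comment, but since this job runs on `release: created`, it is worth noting in the header comment that anyone who can create a release can trigger a build that writes to the repository's releases.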
diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml
index 9aeb2b8..42eae27 100644
--- a/ci/gradle-publish.yml
+++ b/ci/gradle-publish.yml
@@ -30,14 +30,14 @@ jobs:
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Build with Gradle
- uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: build
# The USERNAME and TOKEN need to correspond to the credentials environment variables used in
# the publishing section of your build.gradle
- name: Publish to GitHub Packages
- uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: publish
env:
diff --git a/ci/gradle.yml b/ci/gradle.yml
index 4642c75..0c0f12c 100644
--- a/ci/gradle.yml
+++ b/ci/gradle.yml
@@ -29,6 +29,6 @@ jobs:
java-version: '11'
distribution: 'temurin'
- name: Build with Gradle
- uses: gradle/gradle-build-action@0d13054264b0bb894ded474f08ebb30921341cee
+ uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
with:
arguments: build
diff --git a/ci/properties/go-ossf-slsa3-publish.properties.json b/ci/properties/go-ossf-slsa3-publish.properties.json
new file mode 100644
index 0000000..2d58eaf
--- /dev/null
+++ b/ci/properties/go-ossf-slsa3-publish.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "SLSA Go releaser",
+ "creator": "Open Source Security Foundation (OpenSSF)",
+ "description": "Compile your Go project using a SLSA3 compliant builder",
+ "iconName": "go-ossf-slsa3-publish",
+ "categories": ["Continuous integration", "Go"]
+}
diff --git a/ci/scala.yml b/ci/scala.yml
index c985f74..6f80a22 100644
--- a/ci/scala.yml
+++ b/ci/scala.yml
@@ -21,5 +21,6 @@ jobs:
with:
java-version: '11'
distribution: 'temurin'
+ cache: 'sbt'
- name: Run tests
run: sbt test
diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml
new file mode 100644
index 0000000..61ffd7a
--- /dev/null
+++ b/code-scanning/contrast-scan.yml
@@ -0,0 +1,52 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github.
+# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action.
+# Contrast Scan currently supports Java, JavaScript and .NET artifacts.
+# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action
+
+# Pre-requisites:
+# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action.
+# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER.
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+name: Scan analyze workflow
+jobs:
+ build-and-scan:
+ permissions:
+ contents: read # for actions/checkout
+ security-events: write # for github/codeql-action/upload-sarif
+ runs-on: ubuntu-latest
+ # check out project
+ steps:
+ - uses: actions/checkout@v3
+ # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here.
+ # -name: Build Project
+ # ...
+ # Scan Artifact
+ - name: Contrast Scan Action
+ uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1
+ with:
+ artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact
+ apiKey: ${{ secrets.CONTRAST_API_KEY }}
+ orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
+ authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
+ #Upload the results to GitHub
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
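Review bot: The `pull_request` trigger at lines 134-136 will run this job for pull requests opened from forks, where repository secrets are not available, so `apiKey`, `orgId` and `authHeader` at lines 161-163 expand to empty strings and the Contrast Scan step fails for every external contributor. Either drop the `pull_request` trigger or gate the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` so only same-repository branches attempt an authenticated scan. The commented build step at line 154 reads `# -name: Build Project`, missing the space after the dash; a user who uncomments it gets a YAML parse error, so it should read `# - name: Build Project`. A short comment above the `with:` block, e.g. `# Secrets are not exposed to workflows triggered by fork pull requests; this step only succeeds on branches of this repository`, would make the limitation visible where the inputs are wired.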
diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml
new file mode 100644
index 0000000..d5bb88f
--- /dev/null
+++ b/code-scanning/crda.yml
@@ -0,0 +1,126 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow performs a static analysis of your source code using
+# Red Hat CodeReady Dependency Analytics.
+
+# Scans are triggered:
+# 1. On every push to default and protected branches
+# 2. On every Pull Request targeting the default branch
+# 3. On a weekly schedule
+# 4. Manually, on demand, via the "workflow_dispatch" event
+
+# đ The CRDA Starter workflow will:
+# - Checkout your repository
+# - Setup the required tool stack
+# - Install the CRDA command line tool
+# - Auto detect the manifest file and install the project's dependencies
+# - Perform the security scan using CRDA
+# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab
+# - Optionally upload the SARIF file as an artifact for the future reference
+
+# âšī¸ Configure your repository and the workflow with the following steps:
+# 1. Setup the tool stack based on the project's requirement.
+# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack
+# 2. (Optional) CRDA action attempt to detect the language and install the
+# required dependencies for your project. If your project doesn't aligns
+# with the default dependency installation command mentioned here
+# https://github.com/redhat-actions/crda/#3-installing-dependencies.
+# Use the required inputs to setup the same
+# 3. (Optional) CRDA action attempts to detect the manifest file if it is
+# present in the root of the project and named as per the default mentioned
+# here https://github.com/redhat-actions/crda/#3-installing-dependencies.
+# If it deviates from the default, use the required inputs to setup the same
+# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN.
+# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication
+# 5. (Optional) Upload SARIF file as an Artifact to download and view
+# 6. Commit and push the workflow file to your default branch to trigger a workflow run.
+
+# đ Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback.
+
+name: CRDA Scan
+
+# Controls when the workflow will run
+on:
+ # TODO: Customize trigger events based on your DevSecOps processes
+ #
+ # This workflow is made to run with OpenShift starter workflow
+ # https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml
+ # However, if you want to run this workflow as a standalone workflow, please
+ # uncomment the 'push' trigger below and configure it based on your requirements.
+ #
+ workflow_call:
+ secrets:
+ CRDA_KEY:
+ required: false
+ SNYK_TOKEN:
+ required: false
+ workflow_dispatch:
+
+ # push:
+ # branches: [ $default-branch, $protected-branches ]
+
+ # pull_request_target is used to securely share secret to the PR's workflow run.
+ # For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
+ pull_request_target:
+ branches: [ $default-branch ]
+ types: [ assigned, opened, synchronize, reopened, labeled, edited ]
+
+permissions:
+ contents: read
+
+jobs:
+ crda-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for redhat-actions/crda to upload SARIF results
+ name: Scan project vulnerabilities with CRDA
+ runs-on: ubuntu-20.04
+ steps:
+
+ - name: Check out repository
+ uses: actions/checkout@v2
+
+ # *******************************************************************
+ # Required: Instructions to setup project
+ # 1. Setup Go, Java, Node.js or Python depending on your project type
+ # 2. Setup Actions are listed below, choose one from them:
+ # - Go: https://github.com/actions/setup-go
+ # - Java: https://github.com/actions/setup-java
+ # - Node.js: https://github.com/actions/setup-node
+ # - Python: https://github.com/actions/setup-python
+ #
+ # Example:
+ # - name: Setup Node
+ # uses: actions/setup-node@v2
+ # with:
+ # node-version: '14'
+
+ # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md
+ - name: Install CRDA CLI
+ uses: redhat-actions/openshift-tools-installer@v1
+ with:
+ source: github
+ github_pat: ${{ github.token }}
+ # Choose the desired version of the CRDA CLI
+ crda: "latest"
+
+ ######################################################################################
+ # https://github.com/redhat-actions/crda/blob/main/README.md
+ #
+ # By default, CRDA will detect the manifest file and install the required dependencies
+ # using the standard command for the project type.
+ # If your project doesn't aligns with the defaults mentioned in this action, you will
+ # need to set few inputs that are described here:
+ # https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies
+ # Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand
+ # process to get a SNYK_TOKEN or a CRDA_KEY
+ - name: CRDA Scan
+ id: scan
+ uses: redhat-actions/crda@v1
+ with:
+ crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token
+ # snyk_token: ${{ secrets.SNYK_TOKEN }}
+ # upload_artifact: false # Set this to false to skip artifact upload
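Review bot: The `pull_request_target` trigger at lines 241-243 combines with `actions/checkout@v2` at line 258 in a way that is either ineffective or dangerous, and nothing in the job gates it: with the default checkout under `pull_request_target` the base branch is checked out, so the pull request's manifest changes are not what gets scanned, and if the checkout is later pointed at `github.event.pull_request.head.sha` (or the CRDA action checks out the PR head itself, as I believe its README describes), the dependency-installation step referenced at lines 287-291 runs PR-controlled `npm install`/`pip install`/build hooks in a context that holds `CRDA_KEY`/`SNYK_TOKEN` and a `security-events: write` token. The `labeled` event type is listed at line 243, which is the usual shape of a maintainer-approval gate, but no condition checks the label. Add a job-level gate such as `if: github.event_name != 'pull_request_target' || github.event.pull_request.head.repo.full_name == github.repository || contains(github.event.pull_request.labels.*.name, 'safe-to-scan')` and replace the comment at line 239 with one that states the trade-off: the event grants secrets to code from the PR author, so the checkout must stay on the base branch or the job must be gated before dependencies are installed. Separately, `actions/checkout@v2` here is inconsistent with `@v3` used by the other new workflows in this commit.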
diff --git a/code-scanning/properties/contrast-scan.properties.json b/code-scanning/properties/contrast-scan.properties.json
new file mode 100644
index 0000000..67369b8
--- /dev/null
+++ b/code-scanning/properties/contrast-scan.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Contrast Scan",
+ "creator": "Contrast Security Inc",
+ "description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerabilities to the repository.",
+ "iconName": "contrast",
+ "categories": ["Code Scanning", "java", "javascript", "dotnet"]
+}
\ No newline at end of file
diff --git a/code-scanning/properties/crda.properties.json b/code-scanning/properties/crda.properties.json
new file mode 100644
index 0000000..9e1a7ac
--- /dev/null
+++ b/code-scanning/properties/crda.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Red Hat CodeReady Dependency Analytics",
+ "creator": "Red Hat",
+ "description": "Scan your project's dependencies with CodeReady Dependency Analytics.",
+ "iconName": "openshift",
+ "categories": ["Code Scanning", "Go", "Python", "Node.js", "Java"]
+}
diff --git a/code-scanning/properties/puppet-lint.properties.json b/code-scanning/properties/puppet-lint.properties.json
new file mode 100644
index 0000000..62ebd9e
--- /dev/null
+++ b/code-scanning/properties/puppet-lint.properties.json
@@ -0,0 +1,6 @@
+{
+ "name": "puppet-lint",
+ "description": "Puppet Lint tests Puppet code against the recommended Puppet language style guide.",
+ "iconName": "puppet-lint",
+ "categories": [ "Code Scanning", "Puppet" ]
+}
\ No newline at end of file
diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml
new file mode 100644
index 0000000..801b90b
--- /dev/null
+++ b/code-scanning/puppet-lint.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Puppet Lint tests Puppet code against the recommended Puppet language style guide.
+# https://puppet.com/docs/puppet/7/style_guide.html
+# Puppet Lint validates only code style; it does not validate syntax.
+# To test syntax, use Puppet's puppet parser validate command.
+# More details at https://github.com/puppetlabs/puppet-lint/
+
+name: puppet-lint
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ puppet-lint:
+ name: Run puppet-lint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
+ with:
+ ruby-version: 2.7
+ bundler-cache: true
+
+ - name: Install puppet-lint
+ run: gem install puppet-lint
+
+ - name: Run puppet-lint
+ run: puppet-lint . --sarif > puppet-lint-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: puppet-lint-results.sarif
+ wait-for-processing: true
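Review bot: `gem install puppet-lint` at line 390 is unpinned, so every run installs whatever version is newest on rubygems.org at that moment; a compromised or breaking release reaches CI immediately, which undercuts the commit-SHA pin on `ruby/setup-ruby` one step above. Pin it, e.g. `run: gem install puppet-lint -v '<version>'`, choosing a release that supports the `--sarif` flag used at line 393 (I have not verified which version introduced it). `ruby-version: 2.7` at line 386 is an unquoted float and should be `ruby-version: '2.7'` so a future `3.0` or `3.10` is not truncated by YAML before the action sees it. Note also that `continue-on-error: true` at line 394 is intended to let findings through to the SARIF upload, but it also hides a crash of puppet-lint itself; a comment such as `# puppet-lint exits non-zero when it reports findings; continue so the SARIF is still uploaded` would record why failures are tolerated here.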
diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml
index 6536fbe..77f8156 100644
--- a/code-scanning/tfsec.yml
+++ b/code-scanning/tfsec.yml
@@ -27,7 +27,7 @@ jobs:
uses: actions/checkout@v3
- name: Run tfsec
- uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
+ uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
with:
sarif_file: tfsec.sarif
diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index 06b5cae..63be947 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -33,7 +33,7 @@ jobs:
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
+ uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'template'
diff --git a/deployments/openshift.yml b/deployments/openshift.yml
index 5775cb0..8504059 100644
--- a/deployments/openshift.yml
+++ b/deployments/openshift.yml
@@ -54,15 +54,30 @@ env:
on:
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+ workflow_dispatch:
push:
# Edit to the branch(es) you want to build and deploy on each push.
branches: [ $default-branch ]
jobs:
+ # đī¸ EDIT if you want to run vulnerability check on your project before deploying
+ # the application. Please uncomment the below CRDA scan job and configure to run it in
+ # your workflow. For details about CRDA action visit https://github.com/redhat-actions/crda/blob/main/README.md
+ #
+ # TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab.
+ # For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows
+
+ crda-scan:
+ uses: ./.github/workflows/crda.yml
+ secrets:
+ CRDA_KEY: ${{ secrets.CRDA_KEY }}
+ # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY
+
openshift-ci-cd:
+ # đī¸ Uncomment this if you are using CRDA scan step above
+ # needs: crda-scan
name: Build and deploy to OpenShift
- # ubuntu-20.04 can also be used.
- runs-on: ubuntu-18.04
+ runs-on: ubuntu-20.04
environment: production
outputs:
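Review bot: The comment at lines 436-438 says to "uncomment the below CRDA scan job", but `crda-scan` at lines 443-447 is live YAML, so every push on the default branch already calls `./.github/workflows/crda.yml` and fails whenever that file (the TODO at line 440) or the `CRDA_KEY` secret is absent. At the same time `needs: crda-scan` at line 451 is the one that is commented out, so even when the scan runs, `openshift-ci-cd` deploys regardless of its result and the scan is not a gate. Make the two consistent: either comment out lines 443-447 to match the instruction, or uncomment `needs: crda-scan` so a failed vulnerability scan blocks the deploy, and reword line 436 to `# 🖊️ EDIT: the CRDA scan job below runs on every push; remove it or keep it and enable 'needs: crda-scan' below so deploys wait for it`. The `openshift-ci-cd` job body continues past the end of this hunk.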
diff --git a/icons/contrast.svg b/icons/contrast.svg
new file mode 100644
index 0000000..7680157
--- /dev/null
+++ b/icons/contrast.svg
@@ -0,0 +1,16 @@
+
+
+
diff --git a/icons/go-ossf-slsa3-publish.svg b/icons/go-ossf-slsa3-publish.svg
new file mode 100644
index 0000000..ea77468
--- /dev/null
+++ b/icons/go-ossf-slsa3-publish.svg
@@ -0,0 +1,11 @@
+
+
diff --git a/icons/puppet-lint.svg b/icons/puppet-lint.svg
new file mode 100644
index 0000000..4e5d4d0
--- /dev/null
+++ b/icons/puppet-lint.svg
@@ -0,0 +1,95 @@
+
+
+
+