Merge branch 'main' into main
@@ -0,0 +1,52 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github.
|
||||
# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action.
|
||||
# Contrast Scan currently supports Java, JavaScript and .NET artifacts.
|
||||
# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action
|
||||
|
||||
# Pre-requisites:
|
||||
# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action.
|
||||
# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER.
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
name: Scan analyze workflow
|
||||
jobs:
|
||||
build-and-scan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout
|
||||
security-events: write # for github/codeql-action/upload-sarif
|
||||
runs-on: ubuntu-latest
|
||||
# check out project
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
# Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here.
|
||||
# -name: Build Project
|
||||
# ...
|
||||
# Scan Artifact
|
||||
- name: Contrast Scan Action
|
||||
uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1
|
||||
with:
|
||||
artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact
|
||||
apiKey: ${{ secrets.CONTRAST_API_KEY }}
|
||||
orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
|
||||
authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
|
||||
#Upload the results to GitHub
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
|
||||
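Review bot: The commented build-step template `# -name: Build Project` is missing the space after the dash, so anyone who uncomments it gets `-name:`, which is not a valid sequence item; it should read `# - name: Build Project` (and `#Upload the results to GitHub` lacks the space after `#`). The `apiKey`, `orgId` and `authHeader` inputs are read from repository secrets, which GitHub does not expose to `pull_request` runs from forks, so the scan step fails on fork PRs; a comment beside the `pull_request` trigger should state that only same-repository PRs are scanned. Pinning is mixed: the Contrast action is pinned to a commit SHA while `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` use mutable tags, and the SHA carries no release annotation, so consider `uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 # <release tag>` so the pin can be audited against an upstream release.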
@@ -0,0 +1,126 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow performs a static analysis of your source code using
|
||||
# Red Hat CodeReady Dependency Analytics.
|
||||
|
||||
# Scans are triggered:
|
||||
# 1. On every push to default and protected branches
|
||||
# 2. On every Pull Request targeting the default branch
|
||||
# 3. On a weekly schedule
|
||||
# 4. Manually, on demand, via the "workflow_dispatch" event
|
||||
|
||||
# 💁 The CRDA Starter workflow will:
|
||||
# - Checkout your repository
|
||||
# - Setup the required tool stack
|
||||
# - Install the CRDA command line tool
|
||||
# - Auto detect the manifest file and install the project's dependencies
|
||||
# - Perform the security scan using CRDA
|
||||
# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab
|
||||
# - Optionally upload the SARIF file as an artifact for the future reference
|
||||
|
||||
# ℹ️ Configure your repository and the workflow with the following steps:
|
||||
# 1. Setup the tool stack based on the project's requirement.
|
||||
# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack
|
||||
# 2. (Optional) CRDA action attempt to detect the language and install the
|
||||
# required dependencies for your project. If your project doesn't aligns
|
||||
# with the default dependency installation command mentioned here
|
||||
# https://github.com/redhat-actions/crda/#3-installing-dependencies.
|
||||
# Use the required inputs to setup the same
|
||||
# 3. (Optional) CRDA action attempts to detect the manifest file if it is
|
||||
# present in the root of the project and named as per the default mentioned
|
||||
# here https://github.com/redhat-actions/crda/#3-installing-dependencies.
|
||||
# If it deviates from the default, use the required inputs to setup the same
|
||||
# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN.
|
||||
# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication
|
||||
# 5. (Optional) Upload SARIF file as an Artifact to download and view
|
||||
# 6. Commit and push the workflow file to your default branch to trigger a workflow run.
|
||||
|
||||
# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback.
|
||||
|
||||
name: CRDA Scan
|
||||
|
||||
# Controls when the workflow will run
|
||||
on:
|
||||
# TODO: Customize trigger events based on your DevSecOps processes
|
||||
#
|
||||
# This workflow is made to run with OpenShift starter workflow
|
||||
# https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml
|
||||
# However, if you want to run this workflow as a standalone workflow, please
|
||||
# uncomment the 'push' trigger below and configure it based on your requirements.
|
||||
#
|
||||
workflow_call:
|
||||
secrets:
|
||||
CRDA_KEY:
|
||||
required: false
|
||||
SNYK_TOKEN:
|
||||
required: false
|
||||
workflow_dispatch:
|
||||
|
||||
# push:
|
||||
# branches: [ $default-branch, $protected-branches ]
|
||||
|
||||
# pull_request_target is used to securely share secret to the PR's workflow run.
|
||||
# For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
|
||||
pull_request_target:
|
||||
branches: [ $default-branch ]
|
||||
types: [ assigned, opened, synchronize, reopened, labeled, edited ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
crda-scan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for redhat-actions/crda to upload SARIF results
|
||||
name: Scan project vulnerabilities with CRDA
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
|
||||
- name: Check out repository
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# *******************************************************************
|
||||
# Required: Instructions to setup project
|
||||
# 1. Setup Go, Java, Node.js or Python depending on your project type
|
||||
# 2. Setup Actions are listed below, choose one from them:
|
||||
# - Go: https://github.com/actions/setup-go
|
||||
# - Java: https://github.com/actions/setup-java
|
||||
# - Node.js: https://github.com/actions/setup-node
|
||||
# - Python: https://github.com/actions/setup-python
|
||||
#
|
||||
# Example:
|
||||
# - name: Setup Node
|
||||
# uses: actions/setup-node@v2
|
||||
# with:
|
||||
# node-version: '14'
|
||||
|
||||
# https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md
|
||||
- name: Install CRDA CLI
|
||||
uses: redhat-actions/openshift-tools-installer@v1
|
||||
with:
|
||||
source: github
|
||||
github_pat: ${{ github.token }}
|
||||
# Choose the desired version of the CRDA CLI
|
||||
crda: "latest"
|
||||
|
||||
######################################################################################
|
||||
# https://github.com/redhat-actions/crda/blob/main/README.md
|
||||
#
|
||||
# By default, CRDA will detect the manifest file and install the required dependencies
|
||||
# using the standard command for the project type.
|
||||
# If your project doesn't aligns with the defaults mentioned in this action, you will
|
||||
# need to set few inputs that are described here:
|
||||
# https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies
|
||||
# Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand
|
||||
# process to get a SNYK_TOKEN or a CRDA_KEY
|
||||
- name: CRDA Scan
|
||||
id: scan
|
||||
uses: redhat-actions/crda@v1
|
||||
with:
|
||||
crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token
|
||||
# snyk_token: ${{ secrets.SNYK_TOKEN }}
|
||||
# upload_artifact: false # Set this to false to skip artifact upload
|
||||
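Review bot: `pull_request_target` gives the `crda-scan` job access to repository secrets (`CRDA_KEY`) while `actions/checkout@v2` is used with no `ref`, and for this event GitHub's documented default checkout is the base branch, so on PR events the dependency scan does not cover the PR's manifest changes; the trigger comment should say so, e.g. `# NOTE: with pull_request_target the default checkout is the base branch, not the PR head; the scan covers the PR only if a ref is set, and that would run the PR's dependency install with secrets present`. The `labeled` and `edited` event types re-run the job without any code change, which for a dependency scan mostly adds noise and spends the secret-bearing run unnecessarily. `actions/checkout@v2` and `runs-on: ubuntu-20.04` differ from the sibling workflows in this commit, which use `actions/checkout@v3` and `ubuntu-latest`. The hunk header declares 126 lines but the visible lines end at the commented `upload_artifact` input, so the remaining steps of the `crda-scan` job may lie outside this view.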
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Contrast Scan",
|
||||
"creator": "Contrast Security Inc",
|
||||
"description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerabilities to the repository.",
|
||||
"iconName": "contrast",
|
||||
"categories": ["Code Scanning", "java", "javascript", "dotnet"]
|
||||
}
|
||||
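Review bot: The `categories` values `java`, `javascript` and `dotnet` are lowercase, while the CRDA properties file added in the same commit uses `Go`, `Python`, `Node.js` and `Java`; if the catalog matches categories case-sensitively, this entry will not group with the other Java or JavaScript workflows. Whether the consumer normalises case is not visible here, so confirm it and align the two files to one spelling either way.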
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Red Hat CodeReady Dependency Analytics",
|
||||
"creator": "Red Hat",
|
||||
"description": "Scan your project's dependencies with CodeReady Dependency Analytics.",
|
||||
"iconName": "openshift",
|
||||
"categories": ["Code Scanning", "Go", "Python", "Node.js", "Java"]
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"name": "puppet-lint",
|
||||
"description": "Puppet Lint tests Puppet code against the recommended Puppet language style guide.",
|
||||
"iconName": "puppet-lint",
|
||||
"categories": [ "Code Scanning", "Puppet" ]
|
||||
}
|
||||
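Review bot: This properties file has no `creator` key, while the Contrast Scan and CRDA properties files added in the same commit both carry one (`"creator": "Contrast Security Inc"`, `"creator": "Red Hat"`); if the catalog renders the creator, this entry shows blank. Add `"creator": "<maintainer name>"` after `name`, with the value taken from the workflow's maintainer. The flow sequence `[ "Code Scanning", "Puppet" ]` also pads the brackets with spaces where the sibling files write `["Code Scanning", ...]`; both parse, but one form should be used across the three files.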
@@ -0,0 +1,54 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# Puppet Lint tests Puppet code against the recommended Puppet language style guide.
|
||||
# https://puppet.com/docs/puppet/7/style_guide.html
|
||||
# Puppet Lint validates only code style; it does not validate syntax.
|
||||
# To test syntax, use Puppet's puppet parser validate command.
|
||||
# More details at https://github.com/puppetlabs/puppet-lint/
|
||||
|
||||
name: puppet-lint
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
puppet-lint:
|
||||
name: Run puppet-lint scanning
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read # for checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Setup Ruby
|
||||
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
|
||||
with:
|
||||
ruby-version: 2.7
|
||||
bundler-cache: true
|
||||
|
||||
- name: Install puppet-lint
|
||||
run: gem install puppet-lint
|
||||
|
||||
- name: Run puppet-lint
|
||||
run: puppet-lint . --sarif > puppet-lint-results.sarif
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload analysis results to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: puppet-lint-results.sarif
|
||||
wait-for-processing: true
|
||||
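Review bot: `ruby-version: 2.7` is an unquoted plain scalar, so a YAML parser delivers a float, and the same pattern with a version such as `2.70` or `3.10` would silently become `2.7`/`3.1`; write `ruby-version: '2.7'`. `gem install puppet-lint` fetches the latest gem on every run with no version pin, so the linter's behaviour (including whether the `--sarif` flag the next step relies on is present) can change under the workflow without a commit; consider `gem install puppet-lint -v '<pinned-version>'`. `bundler-cache: true` is set although no step runs `bundle`; whether setup-ruby tolerates a repository without a Gemfile is not visible here, so confirm it or drop the input. Pinning is mixed: `ruby/setup-ruby` is SHA-pinned with no release annotation while `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` use mutable tags.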
@@ -27,7 +27,7 @@ jobs:
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run tfsec
|
||||
uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
|
||||
uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
|
||||
with:
|
||||
sarif_file: tfsec.sarif
|
||||
|
||||
|
||||
@@ -33,7 +33,7 @@ jobs:
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
|
||||
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
|
||||