diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml deleted file mode 100644 index 7056f87..0000000 --- a/ci/datadog-synthetics.yml +++ /dev/null @@ -1,38 +0,0 @@ -# This workflow will trigger Datadog Synthetic tests within your Datadog organisation -# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/ - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# To get started: - -# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/. -# 2. Start using the action within your workflow - -name: Run Datadog Synthetic tests - -on: - push: - branches: [ $default-branch ] - pull_request: - branches: [ $default-branch ] - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - # Run Synthetic tests within your GitHub workflow. - # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci - - name: Run Datadog Synthetic tests - uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e - with: - api_key: ${{secrets.DD_API_KEY}} - app_key: ${{secrets.DD_APP_KEY}} - test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy - - diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 0fecd23..9fdc851 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index bc64e5e..fc8cf2f 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -26,6 +26,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: build diff --git a/ci/msbuild.yml b/ci/msbuild.yml index 29b6ace..e650e2a 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -1,6 +1,10 @@ name: MSBuild -on: [push] +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] env: # Path to the solution file relative to the root of the project. diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json deleted file mode 100644 index 5a4f74d..0000000 --- a/ci/properties/datadog-synthetics.properties.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "Datadog Synthetics", - "description": "Run Datadog Synthetic tests within your GitHub Actions workflow", - "iconName": "datadog", - "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"] -} diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index d90f68c..fcca708 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -20,8 +20,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: Anchore-Build-Scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name: Checkout the code @@ -36,4 +42,4 @@ jobs: - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 3aa06ca..4737d06 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -42,8 +42,13 @@ on: workflow_dispatch: +permissions: + contents: read + jobs: Trigger APIsec scan: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -61,4 +66,4 @@ jobs: - name: Import results uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ./apisec-results.sarif \ No newline at end of file + sarif_file: ./apisec-results.sarif diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 96b9897..d012bce 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -17,10 +17,18 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +permissions: + contents: read + jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues + pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index 1d44bf9..e8e2447 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -33,8 +33,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: rest-api-static-security-testing: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 689a1a0..d8eaa92 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -13,8 +13,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: mobile-security: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -33,4 +39,4 @@ jobs: - name: Upload mobsfscan report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8077f76..a6da087 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: njsscan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: njsscan code scanning steps: diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index ba895fe..0604734 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -9,7 +9,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -23,13 +23,13 @@ jobs: with: java-version: '11' distribution: 'temurin' - cache: maven - name: Run PMD id: pmd - uses: pmd/pmd-github-action@6d98898be0d59f46ec37dafcea33d8f8f55acfd1 + uses: pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29 with: rulesets: 'rulesets/java/quickstart.xml' sourcePath: 'src/main/java' + analyzeModifiedFilesOnly: false - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 with: diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5323d1b..5b11482 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -21,8 +21,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: prisma_cloud_iac_scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: diff --git a/code-scanning/properties/detekt.properties.json b/code-scanning/properties/detekt.properties.json index d51a6ad..c133cc1 100644 --- a/code-scanning/properties/detekt.properties.json +++ b/code-scanning/properties/detekt.properties.json @@ -3,7 +3,6 @@ "creator": "Detekt", "description": "Static code analysis for Kotlin", "iconName": "detekt", - "categories": ["Code Scanning", "Kotlin"] + "categories": ["Code Scanning", "Kotlin"], + "enterprise": false } - - \ No newline at end of file diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 618ce28..d63b462 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2 + uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4 with: results_file: results.sarif results_format: sarif diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index 827387b..f99d441 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -19,8 +19,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: semgrep: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index 9701b1f..af220c0 100644 --- a/code-scanning/stackhawk.yml +++ b/code-scanning/stackhawk.yml @@ -37,8 +37,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: stackhawk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info name: StackHawk runs-on: ubuntu-20.04 steps: diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index 49841d7..f9b29fc 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -13,10 +13,17 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: build: + permissions: + checks: write # for sysdiglabs/scan-action to publish the checks + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -51,4 +58,4 @@ jobs: #Upload SARIF file if: always() with: - sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file + sarif_file: ${{ steps.scan.outputs.sarifReport }} diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index e38fffd..073d1b6 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -17,10 +17,16 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel +permissions: + contents: read + jobs: # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter build-and-pipeline-scan: # The type of runner that the job will run on + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: diff --git a/icons/datadog.svg b/icons/datadog.svg deleted file mode 100644 index 91cb3b6..0000000 --- a/icons/datadog.svg +++ /dev/null @@ -1,4 +0,0 @@ - - - - diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 9edc70e..608e73d 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -21,6 +21,8 @@ interface WorkflowProperties { categories: string[] | null; creator?: string; + + enterprise?: boolean; } interface WorkflowsCheckResult { @@ -59,6 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && + workflowProperties.enterprise !== false && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = {