From 4f0f3e716db32badb9a62be949ebaa26967d0bca Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Thu, 27 Jan 2022 15:38:23 +0530 Subject: [PATCH 01/19] Update crunch42.yml --- code-scanning/crunch42.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/crunch42.yml b/code-scanning/crunch42.yml index 1d44bf9..e8e2447 100644 --- a/code-scanning/crunch42.yml +++ b/code-scanning/crunch42.yml @@ -33,8 +33,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: rest-api-static-security-testing: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From 8430b6f878f9e8318ab48462eeed25731396f568 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 31 Jan 2022 14:23:00 +0530 Subject: [PATCH 02/19] Update --- code-scanning/anchore.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index d90f68c..fcca708 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -20,8 +20,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: Anchore-Build-Scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name: Checkout the code @@ -36,4 +42,4 @@ jobs: - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif From 34d35389d179c8f3da46255ed31976853cb6ebcb Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 31 Jan 2022 14:23:00 +0530 Subject: [PATCH 03/19] updated gh_token permissions for anchore/scan-action --- code-scanning/anchore.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index d90f68c..fcca708 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -20,8 +20,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: Anchore-Build-Scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name: Checkout the code @@ -36,4 +42,4 @@ jobs: - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif From d71bfc344e4081dfbeb2fcca7cd8839ae5d06e31 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Tue, 1 Feb 2022 22:34:47 +0530 Subject: [PATCH 04/19] Create checkmarx.yml --- code-scanning/checkmarx.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 96b9897..d012bce 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -17,10 +17,18 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +permissions: + contents: read + jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues + pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) From 98bd06c9adbcd9070c1ae4916193a9a898b2a7fa Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Thu, 3 Feb 2022 14:24:19 -0700 Subject: [PATCH 05/19] Update for gradle/gradle-build-action@v2.1.3 (#1384) --- ci/gradle-publish.yml | 4 ++-- ci/gradle.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 0fecd23..9fdc851 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -30,14 +30,14 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: publish env: diff --git a/ci/gradle.yml b/ci/gradle.yml index bc64e5e..fc8cf2f 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -26,6 +26,6 @@ jobs: java-version: '11' distribution: 'temurin' - name: Build with Gradle - uses: gradle/gradle-build-action@bc3340afc5e3cc44f2321809ac090d731c13c514 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: build From de41169eb0a60341cf326c9b790a79a99e147793 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Fri, 4 Feb 2022 09:45:26 +0530 Subject: [PATCH 06/19] Revert "Add Datadog Synthetics GitHub action to starter workflows (#1342)" (#1385) This reverts commit f31e3a9c9dda4c8027904038d1e7e1c54695dc7d. --- ci/datadog-synthetics.yml | 38 ------------------- .../datadog-synthetics.properties.json | 6 --- icons/datadog.svg | 4 -- 3 files changed, 48 deletions(-) delete mode 100644 ci/datadog-synthetics.yml delete mode 100644 ci/properties/datadog-synthetics.properties.json delete mode 100644 icons/datadog.svg diff --git a/ci/datadog-synthetics.yml b/ci/datadog-synthetics.yml deleted file mode 100644 index 7056f87..0000000 --- a/ci/datadog-synthetics.yml +++ /dev/null @@ -1,38 +0,0 @@ -# This workflow will trigger Datadog Synthetic tests within your Datadog organisation -# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/ - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# To get started: - -# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/. -# 2. Start using the action within your workflow - -name: Run Datadog Synthetic tests - -on: - push: - branches: [ $default-branch ] - pull_request: - branches: [ $default-branch ] - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - # Run Synthetic tests within your GitHub workflow. - # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci - - name: Run Datadog Synthetic tests - uses: DataDog/synthetics-ci-github-action@2b56dc0cca9daa14ab69c0d1d6844296de8f941e - with: - api_key: ${{secrets.DD_API_KEY}} - app_key: ${{secrets.DD_APP_KEY}} - test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy - - diff --git a/ci/properties/datadog-synthetics.properties.json b/ci/properties/datadog-synthetics.properties.json deleted file mode 100644 index 5a4f74d..0000000 --- a/ci/properties/datadog-synthetics.properties.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "Datadog Synthetics", - "description": "Run Datadog Synthetic tests within your GitHub Actions workflow", - "iconName": "datadog", - "categories": ["Continuous integration", "JavaScript", "TypeScript", "Testing"] -} diff --git a/icons/datadog.svg b/icons/datadog.svg deleted file mode 100644 index 91cb3b6..0000000 --- a/icons/datadog.svg +++ /dev/null @@ -1,4 +0,0 @@ - - - - From d580918e060b0b513a57c8644e9712cd51e021bd Mon Sep 17 00:00:00 2001 From: Andreas Dangel Date: Thu, 10 Feb 2022 18:08:47 +0100 Subject: [PATCH 07/19] Update pmd to v1.2.0 * Use pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29 which is v1.2.0 * Remove "cache: maven" setting, which fails if no pom.xml file is existing * Set parameter "analyzeModifiedFilesOnly: false" to prevent incomplete analysis results. See also https://github.com/pmd/pmd-github-action/issues/35 --- code-scanning/pmd.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index ba895fe..0604734 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -9,7 +9,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -23,13 +23,13 @@ jobs: with: java-version: '11' distribution: 'temurin' - cache: maven - name: Run PMD id: pmd - uses: pmd/pmd-github-action@6d98898be0d59f46ec37dafcea33d8f8f55acfd1 + uses: pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29 with: rulesets: 'rulesets/java/quickstart.xml' sourcePath: 'src/main/java' + analyzeModifiedFilesOnly: false - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 with: From 4579cb5c54c0244e7ae7935f290bc26d979761ee Mon Sep 17 00:00:00 2001 From: Chris Gavin Date: Fri, 11 Feb 2022 15:03:41 +0000 Subject: [PATCH 08/19] Fix some workflows not being excluded from Enterprise syncing. --- code-scanning/properties/detekt.properties.json | 5 ++--- script/sync-ghes/index.ts | 3 +++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/code-scanning/properties/detekt.properties.json b/code-scanning/properties/detekt.properties.json index d51a6ad..c133cc1 100644 --- a/code-scanning/properties/detekt.properties.json +++ b/code-scanning/properties/detekt.properties.json @@ -3,7 +3,6 @@ "creator": "Detekt", "description": "Static code analysis for Kotlin", "iconName": "detekt", - "categories": ["Code Scanning", "Kotlin"] + "categories": ["Code Scanning", "Kotlin"], + "enterprise": false } - - \ No newline at end of file diff --git a/script/sync-ghes/index.ts b/script/sync-ghes/index.ts index 9edc70e..608e73d 100755 --- a/script/sync-ghes/index.ts +++ b/script/sync-ghes/index.ts @@ -21,6 +21,8 @@ interface WorkflowProperties { categories: string[] | null; creator?: string; + + enterprise?: boolean; } interface WorkflowsCheckResult { @@ -59,6 +61,7 @@ async function checkWorkflows( const enabled = !isPartnerWorkflow && + workflowProperties.enterprise !== false && (await checkWorkflow(workflowFilePath, enabledActions)); const workflowDesc: WorkflowDesc = { From 14ce90e99f9db28d05cc0a81e2b63370e034db38 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:13:30 +0530 Subject: [PATCH 09/19] added github_token permissions --- code-scanning/semgrep.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index 827387b..f99d441 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -19,8 +19,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: semgrep: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Scan runs-on: ubuntu-latest steps: From b90ea0582ae3866c2a11e47fc3708e4d97a5ad3f Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:43:26 +0530 Subject: [PATCH 10/19] Update veracode.yml --- code-scanning/veracode.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index e38fffd..073d1b6 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -17,10 +17,16 @@ on: - cron: $cron-weekly # A workflow run is made up of one or more jobs that can run sequentially or in parallel +permissions: + contents: read + jobs: # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter build-and-pipeline-scan: # The type of runner that the job will run on + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: From d8a2673986720cf4f579448519c77a37d861d53e Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 12:59:51 +0530 Subject: [PATCH 11/19] Update prisma.yml --- code-scanning/prisma.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 5323d1b..5b11482 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -21,8 +21,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: prisma_cloud_iac_scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: From 4333c79965dc3415883fbb3d4c4b2d4e6d6f2e3f Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:08:08 +0530 Subject: [PATCH 12/19] Update codacy.yml --- code-scanning/codacy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 50185ad..4892930 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Codacy Security Scan runs-on: ubuntu-latest steps: From ab9bdce2e320816516a6b28bf58c3f503daa0bb3 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Mon, 14 Feb 2022 15:19:56 +0530 Subject: [PATCH 13/19] Update apisec-scan.yml --- code-scanning/apisec-scan.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 3aa06ca..4737d06 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -42,8 +42,13 @@ on: workflow_dispatch: +permissions: + contents: read + jobs: Trigger APIsec scan: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -61,4 +66,4 @@ jobs: - name: Import results uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ./apisec-results.sarif \ No newline at end of file + sarif_file: ./apisec-results.sarif From aa4aa29543b6a72c397d9285abd94d91c41984fd Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Mon, 14 Feb 2022 15:51:06 +0530 Subject: [PATCH 14/19] Update stackhawk.yml --- code-scanning/stackhawk.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/stackhawk.yml b/code-scanning/stackhawk.yml index 9701b1f..af220c0 100644 --- a/code-scanning/stackhawk.yml +++ b/code-scanning/stackhawk.yml @@ -37,8 +37,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: stackhawk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info name: StackHawk runs-on: ubuntu-20.04 steps: From 6706b36121ab6c4b497c145160f85b056fe12347 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Tue, 15 Feb 2022 16:04:39 +0530 Subject: [PATCH 15/19] Update njsscan.yml --- code-scanning/njsscan.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index 8077f76..a6da087 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: njsscan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest name: njsscan code scanning steps: From 3394a8e62f54f84b23c843b970d4ca143013db12 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Tue, 15 Feb 2022 16:38:05 +0530 Subject: [PATCH 16/19] Update mobsf.yml --- code-scanning/mobsf.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 689a1a0..d8eaa92 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -13,8 +13,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: mobile-security: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -33,4 +39,4 @@ jobs: - name: Upload mobsfscan report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif From 6a5dc3a7538ff504a39f33cc73855ad4dedcf3e0 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Thu, 17 Feb 2022 08:50:23 +0530 Subject: [PATCH 17/19] Update sysdig-scan.yml --- code-scanning/sysdig-scan.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index 49841d7..f9b29fc 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -13,10 +13,17 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: build: + permissions: + checks: write # for sysdiglabs/scan-action to publish the checks + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: @@ -51,4 +58,4 @@ jobs: #Upload SARIF file if: always() with: - sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file + sarif_file: ${{ steps.scan.outputs.sarifReport }} From ed9202263d2954cd84dc11e0068ea5744268e8ab Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 18 Feb 2022 01:00:27 +0000 Subject: [PATCH 18/19] Update hash for scorecard's v1.0.4 release --- code-scanning/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 618ce28..d63b462 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2 + uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4 with: results_file: results.sarif results_format: sarif From 300f303442f956de563b7f301f652d94acb60cde Mon Sep 17 00:00:00 2001 From: Atul Malaviya Date: Sun, 20 Feb 2022 02:18:18 -0600 Subject: [PATCH 19/19] Added PR trigger (#1448) --- ci/msbuild.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ci/msbuild.yml b/ci/msbuild.yml index 29b6ace..e650e2a 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -1,6 +1,10 @@ name: MSBuild -on: [push] +on: + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] env: # Path to the solution file relative to the root of the project.