Compare commits


297 Commits

Author SHA1 Message Date
Sampark Sharma e526628119 Fix to resolve code scanning inclusions to ghes
2022-02-23 10:33:02 +00:00
Atul Malaviya 300f303442 Added PR trigger (#1448) 2022-02-20 13:48:18 +05:30
Nick Fyson 8573ed9cf5 Merge pull request #1416 from arjundashrath/patch-8 2022-02-16 10:50:19 +00:00
Nick Fyson 48d70bb057 Merge branch 'main' into patch-8 2022-02-16 10:47:11 +00:00
Nick Fyson 5a06c8f464 Merge pull request #1404 from h0x0er/patch-7
Added github_token permissions in code-scanning/semgrep.yml
2022-02-16 10:07:51 +00:00
Nick Fyson 0c9bd866a7 Merge branch 'main' into patch-7 2022-02-16 10:00:27 +00:00
Nick Fyson e53dd812a5 Merge pull request #1424 from Devils-Knight/permks-7
Add token permissions for code-scanning/stackhawk.yml
2022-02-16 09:53:27 +00:00
Nick Fyson dc87bafe6f Merge branch 'main' into permks-7 2022-02-16 09:52:35 +00:00
Nick Fyson af74f124fb Merge pull request #1432 from Devils-Knight/permks-10
Add token permissions for code-scanning/njsscan.yml
2022-02-16 09:20:03 +00:00
Shubham malik 6706b36121 Update njsscan.yml 2022-02-15 16:04:39 +05:30
Shubham malik aa4aa29543 Update stackhawk.yml 2022-02-14 15:51:06 +05:30
arjundashrath 4333c79965 Update codacy.yml 2022-02-14 13:08:08 +05:30
h0x0er 14ce90e99f added github_token permissions 2022-02-14 11:13:30 +05:30
Chris Gavin 7fb1c31151 Merge pull request #1402 from actions/fix-enterprise-exclusions
Fix some workflows not being excluded from Enterprise syncing.
2022-02-11 17:02:20 +00:00
Chris Gavin 4579cb5c54 Fix some workflows not being excluded from Enterprise syncing. 2022-02-11 15:03:41 +00:00
Nick Fyson e9cc9b14bc Merge pull request #1397 from adangel/update-pmd
Update pmd to v1.2.0
2022-02-11 09:50:48 +00:00
Andreas Dangel d580918e06 Update pmd to v1.2.0
* Use pmd/pmd-github-action@967a81f8b6
   which is v1.2.0
* Remove "cache: maven" setting, which fails if no pom.xml file
   exists
* Set parameter "analyzeModifiedFilesOnly: false" to prevent incomplete
   analysis results. See also https://github.com/pmd/pmd-github-action/issues/35
2022-02-10 18:10:25 +01:00
Nick Fyson 2e489c2619 Merge pull request #1368 from Devils-Knight/Permissions
Add token permissions for code-scanning/crunch42.yml
2022-02-04 14:38:09 +00:00
Nick Fyson 53217fe594 Merge branch 'main' into Permissions 2022-02-04 14:37:22 +00:00
Nick Fyson 64ccdd2a47 Merge pull request #1373 from h0x0er/main
Added GITHUB_TOKEN permission for code-scanning/anchore.yml
2022-02-04 10:45:44 +00:00
Nick Fyson c84eced9e9 Merge branch 'main' into main 2022-02-04 10:43:53 +00:00
Nick Fyson 8ec9e75aba Merge pull request #1377 from Devils-Knight/permissions
Add token permissions for code-scanning/checkmarx.yml
2022-02-04 10:26:09 +00:00
Nick Fyson 251b7bbc24 Merge branch 'main' into permissions 2022-02-04 10:25:18 +00:00
Bishal Prasad de41169eb0 Revert "Add Datadog Synthetics GitHub action to starter workflows (#1342)" (#1385)
This reverts commit f31e3a9c9d.
2022-02-04 09:45:26 +05:30
Daz DeBoer 98bd06c9ad Update for gradle/gradle-build-action@v2.1.3 (#1384) 2022-02-03 16:24:19 -05:00
h0x0er 7ea0d435cf Merge branch 'main' into main 2022-02-03 13:40:22 +05:30
Shubham malik d71bfc344e Create checkmarx.yml 2022-02-01 22:34:47 +05:30
Anurag Chauhan 5cdc69b0e1 Merge pull request #1374 from actions/code_scanning_desc
Fixing some code scanning workflows' descriptions
2022-02-01 16:45:07 +05:30
Anurag Chauhan 9ef177a834 Merge branch 'main' into code_scanning_desc 2022-02-01 16:44:05 +05:30
Daz DeBoer 776a960496 Update for gradle-build-action@v2.1.2 release (#1375) 2022-01-31 16:47:10 -05:00
Anurag Chauhan 890150c289 Fixing some code scanning workflows' descriptions 2022-01-31 10:48:11 +00:00
h0x0er 0e684da195 x
Merge branch 'main' of https://github.com/h0x0er/starter-workflows
2022-01-31 14:29:45 +05:30
h0x0er 34d35389d1 updated gh_token permissions for anchore/scan-action 2022-01-31 14:29:11 +05:30
h0x0er 8430b6f878 Update 2022-01-31 14:23:00 +05:30
Fedor Isakov c005c55b8b update google workflow (#1359) 2022-01-30 11:37:53 +05:30
Nick Fyson 2e8fec55f6 Merge pull request #1348 from Devils-Knight/starter-workflow 2022-01-28 22:04:00 +00:00
Nick Fyson e833ff06e4 Merge branch 'main' into starter-workflow 2022-01-28 22:00:17 +00:00
Aarnav Pai 1220bda7e4 Fix version of denoland/setup-deno (#1369)
* Fix version of `denoland/setup-deno`

* Update deno.yml
2022-01-27 10:51:47 -05:00
Shubham malik 4f0f3e716d Update crunch42.yml 2022-01-27 15:38:23 +05:30
Bishal Prasad 80404f48bc Rename node.js.yml to ci/node.js.yml 2022-01-27 10:28:39 +05:30
Bishal Prasad c0b5490590 Rename ci/bishal-node.js.yml to node.js.yml 2022-01-27 10:27:32 +05:30
Bishal Prasad 7a56117f98 Rename node.js.yml to bishal-node.js.yml 2022-01-27 10:27:08 +05:30
Shubham malik 3b8f20ff6f updated permission 2022-01-26 22:42:19 +05:30
Nick Fyson 63e7f499e9 Merge pull request #1363 from laurentsimon/patch-1
Scorecards: update hash for v1.0.2
2022-01-24 18:44:06 +00:00
laurentsimon 41e7dd427d Scorecards: update hash to v1.0.2
We fixed a small issue and need to update the hash
2022-01-24 08:27:33 -08:00
Andrew Wiltshire ffa80e095e fixed grammatical error in node.js.yml (#1358) 2022-01-20 09:00:56 +05:30
César Román a96d2407b5 fix(ci): pylint.yml (#1108)
ref: #636. `pylint` command does not work

I've had success running the modified command [here](https://github.com/thecesrom/incendium/blob/project/.github/workflows/pylint.yml).

Co-authored-by: Josh Gross <joshmgross@github.com>
2022-01-19 18:41:20 -05:00
Jason Freeberg ba97234b60 Fix indentation error (#1356) 2022-01-18 17:07:26 -05:00
Nick Fyson f2778053bd Merge pull request #1352 from laurentsimon/feat/scorecardicon
Update scorecards icon
2022-01-18 11:06:49 +00:00
Nick Fyson 0a84296a2a Merge branch 'main' into feat/scorecardicon 2022-01-18 11:05:08 +00:00
André Arko 5635bf05bc Upgrade Rails workflow to true CI (#1353)
* Upgrade Rails workflow to true CI

The existing Rails CI example only runs linters, which is not continuous
integration. This change brings the Rails example workflow up to par
with the other web framework CI flows, like Django.

This example is optimized for Rails 7, which does not include NodeJS,
webpack, or yarn by default. No Rails application code changes are
required for this flow to run the tests, and both minitest and rspec are
supported via the `test` rake task.

* add Rails icon

* use env vars, hopefully

* use the full hash for ruby/setup-ruby

* remove PORT since services cannot use it

* stop repeating identical step envs

* resolve env var declaration error

* update setup-ruby to the SHA of v1.92

* use setup-ruby SHA for lint job too

Co-authored-by: Bishal Prasad <bishal-pdmsft@github.com>
2022-01-18 02:04:33 +05:30
Bishal Prasad 11778e9eb0 Add check for GITHUB_TOKEN permissions (#1354) 2022-01-17 13:17:29 +05:30
Beth G f31e3a9c9d Add Datadog Synthetics GitHub action to starter workflows (#1342) 2022-01-15 11:41:46 +05:30
laurentsimon 94100d1d4a bump 2022-01-14 23:32:21 +00:00
laurentsimon b224dd8449 update icon 2022-01-14 23:32:21 +00:00
Manuel 588f02dade Switch java distribution from 'adopt' to 'temurin' (#1065)
adopt is rebranded into temurin
see https://blog.adoptopenjdk.net/2021/03/transition-to-eclipse-an-update/
2022-01-14 18:05:31 -05:00
Nick Fyson e873c3ca45 Merge pull request #1345 from laurentsimon/feat/scorecard-release
Scorecards: Updates for release
2022-01-14 12:15:31 +00:00
laurentsimon 1b10c28ff4 rem tabs and update comment 2022-01-14 03:00:11 +00:00
laurentsimon aa643dfa0c bump hash 2022-01-13 22:29:39 +00:00
shubham malik f78e23c19d Update trivy.yml 2022-01-13 11:12:14 +05:30
laurentsimon b0f310cefc update token name 2022-01-10 23:52:58 +00:00
laurentsimon 00e08539ca prepare release 2022-01-10 23:19:46 +00:00
Nick Fyson 51e7c8e1e6 Merge pull request #1302 from laurentsimon/feat/scorecard
Add scorecards config
2022-01-04 19:16:50 +00:00
laurentsimon d0dba5262b use v0.0.1 2022-01-04 18:26:32 +00:00
laurentsimon b73f59a3e8 add icon 2022-01-04 18:26:32 +00:00
laurentsimon 40772919fb updates 2022-01-04 18:26:32 +00:00
laurentsimon 7c57e8a703 updates 2022-01-04 18:26:32 +00:00
laurentsimon 07be376c3a updates 2022-01-04 18:26:32 +00:00
laurentsimon 48edda6aca reduce text 2022-01-04 18:26:32 +00:00
laurentsimon f38127b062 update text 2022-01-04 18:26:32 +00:00
laurentsimon 9e49744dc2 url 2022-01-04 18:26:32 +00:00
laurentsimon a894da71d1 pin actions 2022-01-04 18:26:32 +00:00
laurentsimon a00db4437c comments 2022-01-04 18:26:32 +00:00
laurentsimon 0e50194de8 use hash 2022-01-04 18:26:32 +00:00
laurentsimon 794e910e12 add scorecards config 2022-01-04 18:26:32 +00:00
Ana Armas Romero f9d17c0062 Merge pull request #1332 from DhavalPatelPersistent/main
Update checkmarx.yml attributes : "uses","project","teams","scanners","params".
2021-12-30 04:17:00 -08:00
DhavalPatelPersistent 97020d0adc Update checkmarx.yml
Point to SHA instead of master
2021-12-30 16:39:28 +05:30
DhavalPatelPersistent 0b45ddae0d Update / Add "uses","project","teams","scanners","params" attributes. 2021-12-24 15:55:11 +05:30
Nick Fyson 5104ac4274 Merge pull request #1324 from adangel/update-pmd
Update pmd to v1.1.0
2021-12-20 15:16:34 +00:00
Andreas Dangel 615c63babc Update pmd to v1.1.0
Use pmd/pmd-github-action@6d98898be0 which is v1.1.0
Use temurin as java distribution
2021-12-20 11:50:23 +01:00
Anurag Chauhan 619bd129a7 Merge pull request #1314 from actions/partner_templates
Merge partner templates to main branch
2021-12-17 22:11:22 +05:30
Anurag Chauhan 7eb13f680a Merge branch 'main' of https://github.com/actions/starter-workflows into partner_templates 2021-12-16 10:55:26 +00:00
Anurag Chauhan 73a17a51b5 deleting azure.yml 2021-12-16 10:55:17 +00:00
Matt Moore 00db25fc1e Enable keyless signing for private repos. (#1295)
Now that cosign 1.4 is out, we can perform keyless signing without panicking on private images (and without `--force` uploading to Rekor).

Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
2021-12-13 15:17:02 -05:00
Anurag Chauhan 5bd8eb4344 Merge branch 'main' of https://github.com/actions/starter-workflows into partner_templates 2021-12-09 11:32:59 +00:00
Anurag Chauhan 9c27271e2f Merge pull request #1298 from actions/anuragc617/fix_az_order
Renaming azure template to fix the order
2021-12-08 12:48:11 +05:30
Anurag Chauhan 17c64f97fe resolving comments 2021-12-08 05:01:06 +00:00
Anurag Chauhan c059d06679 renaming azure template to fix the order 2021-12-07 14:16:20 +00:00
Ana Armas Romero 432e3e3e74 Merge pull request #1278 from actions/veracode_workflow
Add veracode workflow
2021-12-07 11:52:25 +01:00
Ana Armas Romero 75ecfa0bae Merge branch 'main' into veracode_workflow 2021-12-07 11:50:58 +01:00
anaarmas 1c56988c5d remove unnecessary uses of the upload-artifact action and improve input file name 2021-12-07 11:35:26 +01:00
Matt Moore 60d206d090 Have the starter docker-publish action sign digests. (#1255)
* Have the starter `docker-publish` action sign digests.

This change installs `sigstore/cosign` using the `cosign-installer` action,
and uses sigstore's "keyless" signing process to sign the resulting image
digest using the action's identity token (see: `id-token: write`).

Signed-off-by: Matt Moore <mattomata@gmail.com>

* Fully qualify the digest, add setup-buildx-action as workaround

* Drop --force, add public repo check

* Use built-in 'private' bit
2021-12-06 22:35:19 +05:30
Nick Fyson d67515a20c Merge pull request #1200 from abirismyname/adding-pmd-workflow
Adding pmd
2021-12-03 18:42:12 +00:00
Abir Majumdar 4e6641ed74 Updating pmd logo 2021-12-03 13:19:43 -05:00
Nick Fyson f46fcd0e80 Merge branch 'main' into adding-pmd-workflow 2021-12-03 16:13:55 +00:00
Abir Majumdar 649bca8dab Updating logo and adding sha to workflow 2021-12-03 10:33:18 -05:00
Daz DeBoer f7b1f1515d Use gradle-build-action in starter workflows (#1237)
The `gradle-build-action` provides enhanced execution and caching functionality for Gradle.
This change updates starter workflows to use `v2.0.0` of `gradle-build-action`.

Improvements over invoking Gradle directly include:
- Easier to run the workflow with a particular Gradle version
- More sophisticated and more efficient caching of Gradle User Home between invocations
- Detailed reporting of cache usage and cache configuration options
- Automatic capture of Build Scan links

Co-authored-by: Josh Gross <joshmgross@github.com>
2021-12-02 17:22:55 -05:00
Abir Majumdar 2863ef2206 Merge branch 'main' into adding-pmd-workflow 2021-12-02 08:46:08 -05:00
Marcel Wagner 9920cac8e9 Update text flow for cmake comment (#1054) 2021-12-02 09:21:29 +05:30
Jason Freeberg a48ef3a643 Update azure-webapps-node.yml (#1282) 2021-12-01 20:52:36 -05:00
Abir Majumdar 435b265ae0 Removing dupe 2021-12-01 17:02:40 -05:00
Abir Majumdar 3fd42f21fc Merge branch 'main' into adding-pmd-workflow 2021-12-01 16:05:16 -05:00
Abir Majumdar d2bba6f2d9 Adding icon 2021-12-01 16:03:49 -05:00
Abir Majumdar ce771c75d8 Referencing new official PMD github action 2021-12-01 15:50:22 -05:00
Myles Borins 4238ac653e chore: split npm publish into 2 workflows (#1281)
Currently we suggest that folks dual publish to both npm + gpr.

There are a large number of edge cases related to doing this and IMHO it is
not the best practice. Let's make two separate workflows.
2021-12-01 14:38:35 -05:00
Nick Fyson 7ebee84fa6 Merge pull request #1262 from apisec-inc/master
Added starter workflow to help get started with APIsec-Scan code-scanning Action
2021-12-01 12:45:02 +00:00
Anurag Chauhan a8de83bc48 Merge pull request #1268 from actions/update_azure_py_webapp_cache
Updating azure partner templates to use commitId for 3rd party actions and setup actions cache.
2021-12-01 15:19:00 +05:30
abdul-hai-apisec e99eb117c5 Merge remote-tracking branch 'origin/master' 2021-12-01 13:44:28 +05:30
abdul-hai-apisec 3f39a5a76b Removed the unwanted space in actions file.
Updated the logo to have only the shield portion.
2021-12-01 13:27:02 +05:30
anaarmas b629998430 replace unnecessary actions with shell commands 2021-11-30 09:56:40 +01:00
abdul-hai-apisec fa053f9bf1 Merge branch 'main' into master 2021-11-30 12:24:56 +05:30
anaarmas 1a37cd5345 add veracode workflow 2021-11-29 11:49:33 +01:00
Anurag Chauhan 3258466b26 Adding commit sha for 3rd party actions 2021-11-29 08:51:54 +00:00
Nick Fyson a85155b04a Merge pull request #1266 from actions/detekt_workflow
Add Detekt workflow template
2021-11-25 10:15:32 +00:00
Nick Fyson e1db44513b Merge branch 'main' into detekt_workflow 2021-11-25 10:07:09 +00:00
Anurag Chauhan b4ee598043 use setup cache option instead of action 2021-11-25 10:03:14 +00:00
Anurag Chauhan cb87b05b73 Merge pull request #1162 from JasonFreeberg/partner_templates
Add partner templates for Azure Web Apps
2021-11-25 12:03:45 +05:30
Jason Freeberg 1a67e08a9e Update azure-webapps-container.yml 2021-11-24 15:58:25 -08:00
Jason Freeberg 278aa7a82e Add dependency caching for .NET, Node, PHP, and Python workflows 2021-11-24 14:26:16 -08:00
Jason Freeberg 8fd6550c33 Revert overwrite from upstream pull 2021-11-24 14:20:00 -08:00
Jason Freeberg b9fd04a8cf Merge remote-tracking branch 'upstream/partner_templates' into partner_templates 2021-11-24 12:13:19 -08:00
Anurag Chauhan 2d4fbbba8f Merge pull request #1259 from FrodoTheTrue/update-google-deployment-2
Update google deployment starter workflow (partner_templates)
2021-11-24 15:47:21 +05:30
Anurag Chauhan 12aae3647b Merge branch 'partner_templates' into update-google-deployment-2 2021-11-24 13:38:23 +05:30
Anurag Chauhan a96cff48f1 Merge pull request #1207 from gambtho/thgamble/aksstarter
Deploy an application to AKS
2021-11-24 13:37:33 +05:30
anaarmas c4dadecc05 find a way to pin the SHA for detekt workflow template 2021-11-23 21:14:53 +01:00
Ana Armas Romero 200b0c34b1 Merge pull request #1254 from actions/move-code-scanning-workflows
Move code scanning workflows
2021-11-23 14:21:15 +01:00
anaarmas 0debae5ec7 fix crunch42 template id so it overrides old template as required 2021-11-23 09:37:32 +01:00
abdul-hai-apisec 6439d558f4 Updated the names as per the pull request checklist. 2021-11-22 21:14:54 +05:30
abdul-hai-apisec 499e38bc3e Added starter workflow to help you get started with APIsec-Scan Actions. 2021-11-22 20:35:15 +05:30
Fedor Isakov 28856d6071 Update google deployment starter workflow 2021-11-19 20:46:53 +03:00
anaarmas 52edf1b580 add a bunch of code scanning workflows 2021-11-19 16:55:27 +01:00
anaarmas 42dcf88eb9 add detekt workflow 2021-11-19 16:41:15 +01:00
Tom Gamble 2b3dac02b4 Merge branch 'partner_templates' into thgamble/aksstarter 2021-11-18 10:10:38 -05:00
gambtho 11147495c0 variable cleanup and comment additions 2021-11-18 07:30:10 -05:00
Jason Freeberg 757758750a Merge remote-tracking branch 'upstream/partner_templates' into partner_templates 2021-11-16 09:45:39 -08:00
Jason Freeberg 214aeaaafe Update quickstart link 2021-11-16 09:43:18 -08:00
Nick Fyson da223f8a03 Merge pull request #1238 from meme/nowsecure
Add NowSecure starter workflow
2021-11-15 22:23:51 +00:00
Keegan Saunders f61ca9907b Add NowSecure starter workflow 2021-11-15 08:40:01 -05:00
Ashwin Sangem 4f8abda415 Updated the azure properties file to the main branch version. (#1251)
* Added Cloudrail according to instructions and existing examples

* Adding Cloudrail according to documentation and examples

* Oops

* Add original Fortify on Demand workflow

* Update Fortify on Demand workflow

* Update Fortify on Demand supported languages

* Add 3rd-party GitHub Actions disclaimer

* Sysdig Secure Inline Scan with SARIF report to starter workflows

* Added some extra comments, Github Actions V2 and changed env vars

* Reviews from PR #1110

* Adding 'Dockerfile' to category list

* Update according to PR review comments

* File renames as requested in PR comments

* Revert "Azure Data Factory CI starter workflow (#1111)" (#1146)

This reverts commit 7f30309cce.

* use env variables for user-set values (#1117)

Co-authored-by: Josh Gross <joshmgross@github.com>

* Apply suggestions from nickfyson's code review

Co-authored-by: Nick Fyson <nickfyson@github.com>

* removing "deployment" templates from sync-ghes (#1127)

* Update code-scanning/properties/sysdig-scan.properties.json

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Update code-scanning/properties/sysdig-scan.properties.json

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Changed svg logo

* Rename sysdig.svg to sysdig-scan.svg

* Switched svg logo (again) for a better fit

* Rename fortify.json to fortify.properties.json

* Correct character-case of "c" in Cloudrail

* AWS template also used Docker

* trigger on push instead of release (#1157)

Co-authored-by: Josh Gross <joshmgross@github.com>

* Adding MobSF starter workflow

* Adhering to pull request guidelines

* python: update to use python 3.10

Signed-off-by: Rui Chen <rui@chenrui.dev>

* Added new templates for 3 clouds.

* Revert "Added new templates for 3 clouds."

This reverts commit c765d6316f.

* Add ruby and update workflow

* Add workflow for Microsoft C++ Code Analysis

* Updated action to meet guidelines

* quote the version strings

* correct typo in msvc.properties.json

* Update codeql.properties.json

* Update code-scanning/properties/codeql.properties.json

Co-authored-by: Arthur Baars <arthur@semmle.com>

* Update codeql.properties.json

* Update codeql.properties.json

* Update code-scanning/mobsf.yml

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Update code-scanning/properties/mobsf.properties.json

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Fixed typo in workflow that will cause every run to fail

* Update commit SHA

* r: use setup-r@1 and include r@4 for starter (#1169)

* r: use setup-r@1 and include r@4 for starter

Signed-off-by: Rui Chen <rui@chenrui.dev>

* use sha instead of tag for external action

Co-authored-by: Josh Gross <joshmgross@github.com>

Co-authored-by: Josh Gross <joshmgross@github.com>

* elixir: refresh dependencies (#1212)

- setup action got renamed to `setup-beam`
- update elixir and erlang versions

* Updated to main branch version.

Co-authored-by: Yoni Leitersdorf <y@indeni.com>
Co-authored-by: Ruud Senden <ruud.senden@microfocus.com>
Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Co-authored-by: Manuel Boira Cuevas <manuel.boira@MacBook-Pro.local>
Co-authored-by: manuelbcd <manuel.boira@sysdig.com>
Co-authored-by: Nick Fyson <nickfyson@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
Co-authored-by: Josh Gross <joshmgross@github.com>
Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com>
Co-authored-by: manuelbcd <manuelbcd@gmail.com>
Co-authored-by: Abir Majumdar <abirismyname@github.com>
Co-authored-by: Rui Chen <rui@chenrui.dev>
Co-authored-by: David Verdeguer <daverlo@github.com>
Co-authored-by: Daniel Winsor <danwin@microsoft.com>
Co-authored-by: David Verdeguer <47184891+Daverlo@users.noreply.github.com>
Co-authored-by: Arthur Baars <arthur@semmle.com>
Co-authored-by: Abir Majumdar <83433840+abirismyname@users.noreply.github.com>
Co-authored-by: Marco Gario <marcogario@github.com>
Co-authored-by: Andy McKay <andymckay@github.com>
2021-11-15 18:03:36 +05:30
Ashwin Sangem b1b3ae86ee Sync partner_templates with the main Branch. (#1250)
* Added Cloudrail according to instructions and existing examples

* Adding Cloudrail according to documentation and examples

* Oops

* Add original Fortify on Demand workflow

* Update Fortify on Demand workflow

* Update Fortify on Demand supported languages

* Add 3rd-party GitHub Actions disclaimer

* Sysdig Secure Inline Scan with SARIF report to starter workflows

* Added some extra comments, Github Actions V2 and changed env vars

* Reviews from PR #1110

* Adding 'Dockerfile' to category list

* Update according to PR review comments

* File renames as requested in PR comments

* Revert "Azure Data Factory CI starter workflow (#1111)" (#1146)

This reverts commit 7f30309cce.

* use env variables for user-set values (#1117)

Co-authored-by: Josh Gross <joshmgross@github.com>

* Apply suggestions from nickfyson's code review

Co-authored-by: Nick Fyson <nickfyson@github.com>

* removing "deployment" templates from sync-ghes (#1127)

* Update code-scanning/properties/sysdig-scan.properties.json

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Update code-scanning/properties/sysdig-scan.properties.json

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Changed svg logo

* Rename sysdig.svg to sysdig-scan.svg

* Switched svg logo (again) for a better fit

* Rename fortify.json to fortify.properties.json

* Correct character-case of "c" in Cloudrail

* AWS template also used Docker

* trigger on push instead of release (#1157)

Co-authored-by: Josh Gross <joshmgross@github.com>

* Adding MobSF starter workflow

* Adhering to pull request guidelines

* python: update to use python 3.10

Signed-off-by: Rui Chen <rui@chenrui.dev>

* Added new templates for 3 clouds.

* Revert "Added new templates for 3 clouds."

This reverts commit c765d6316f.

* Add ruby and update workflow

* Add workflow for Microsoft C++ Code Analysis

* Updated action to meet guidelines

* quote the version strings

* correct typo in msvc.properties.json

* Update codeql.properties.json

* Update code-scanning/properties/codeql.properties.json

Co-authored-by: Arthur Baars <arthur@semmle.com>

* Update codeql.properties.json

* Update codeql.properties.json

* Update code-scanning/mobsf.yml

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Update code-scanning/properties/mobsf.properties.json

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Fixed typo in workflow that will cause every run to fail

* Update commit SHA

* r: use setup-r@1 and include r@4 for starter (#1169)

* r: use setup-r@1 and include r@4 for starter

Signed-off-by: Rui Chen <rui@chenrui.dev>

* use sha instead of tag for external action

Co-authored-by: Josh Gross <joshmgross@github.com>

Co-authored-by: Josh Gross <joshmgross@github.com>

* elixir: refresh dependencies (#1212)

- setup action got renamed to `setup-beam`
- update elixir and erlang versions

Co-authored-by: Yoni Leitersdorf <y@indeni.com>
Co-authored-by: Ruud Senden <ruud.senden@microfocus.com>
Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Co-authored-by: Manuel Boira Cuevas <manuel.boira@MacBook-Pro.local>
Co-authored-by: manuelbcd <manuel.boira@sysdig.com>
Co-authored-by: Nick Fyson <nickfyson@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
Co-authored-by: Josh Gross <joshmgross@github.com>
Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com>
Co-authored-by: manuelbcd <manuelbcd@gmail.com>
Co-authored-by: Abir Majumdar <abirismyname@github.com>
Co-authored-by: Rui Chen <rui@chenrui.dev>
Co-authored-by: David Verdeguer <daverlo@github.com>
Co-authored-by: Daniel Winsor <danwin@microsoft.com>
Co-authored-by: David Verdeguer <47184891+Daverlo@users.noreply.github.com>
Co-authored-by: Arthur Baars <arthur@semmle.com>
Co-authored-by: Abir Majumdar <83433840+abirismyname@users.noreply.github.com>
Co-authored-by: Marco Gario <marcogario@github.com>
Co-authored-by: Andy McKay <andymckay@github.com>
2021-11-15 13:47:17 +05:30
Ashwin Sangem 2f7dd74318 Dummy azure templates (#1249)
* Rename "azure.yml" to Node-specific name

* Add templates and properties for other languages

* Add workflow for .NET Core

* Add workflow and properties file for PHP

* Updates from PR review

* Fix EOF

* Use latest versions

* Renamed the file appropriately.

* Put the azure file back.

* Added azure back.

* Revert "Dummy azure templates for showcasing the CD Ordering Behavior (#1194)"

This reverts commit 9ce2a5b56f.

Co-authored-by: Jason Freeberg <jafreebe@microsoft.com>
2021-11-15 13:40:30 +05:30
Tom Gamble 50fcc151be Update aks.properties.json 2021-11-12 07:11:40 -05:00
Tom Gamble d739e93e5e Update aks.properties.json 2021-11-09 07:01:43 -05:00
rui 56c93ff752 elixir: refresh dependencies (#1212)
- setup action got renamed to `setup-beam`
- update elixir and erlang versions
2021-11-08 11:14:50 -05:00
Jason Freeberg 5354877aa0 enable caching 2021-11-03 18:10:02 -07:00
Jason Freeberg a561392dff Update azure-webapps-container.yml 2021-11-03 18:02:06 -07:00
Jason Freeberg 69f26d5fd6 Copy/paste error 2021-11-03 17:58:38 -07:00
Tom Gamble cde6fc6c14 Update aks.properties.json 2021-11-01 09:41:55 -04:00
gambtho 644f0a59aa step names and registry path 2021-10-28 23:05:42 -04:00
gambtho de6c8cbcf0 add aks starter 2021-10-28 22:58:17 -04:00
rui 1d8891efc2 r: use setup-r@1 and include r@4 for starter (#1169)
* r: use setup-r@1 and include r@4 for starter

Signed-off-by: Rui Chen <rui@chenrui.dev>

* use sha instead of tag for external action

Co-authored-by: Josh Gross <joshmgross@github.com>

Co-authored-by: Josh Gross <joshmgross@github.com>
2021-10-28 11:37:36 -04:00
Andy McKay 93ee3d86f6 Merge pull request #1168 from chenrui333/python-3.10
python: update to use python 3.10
2021-10-28 07:40:41 -07:00
Andy McKay 97d8c1c765 Merge branch 'main' into python-3.10 2021-10-28 07:39:33 -07:00
Anurag Chauhan abf0c13931 Merge pull request #1187 from simonaco/partner_templates
Add partner templates for Azure Static Web Apps
2021-10-28 11:35:52 +05:30
Nick Fyson 1b52eb3e6f Merge pull request #1160 from abirismyname/adding-mobsf-to-codescanning 2021-10-27 21:38:42 +01:00
Nick Fyson 216dc929eb Merge branch 'main' into adding-mobsf-to-codescanning 2021-10-27 21:34:36 +01:00
Abir Majumdar c3c12f1950 Adding pmd 2021-10-27 15:35:18 -04:00
Jason Freeberg e1ca1f58be typos 2021-10-27 12:23:24 -07:00
Jason Freeberg e176cd52cd Add more tech stack metadata to the properties files 2021-10-27 12:20:29 -07:00
Jason Freeberg 3893e3d7c8 Add setup instructions to the top 2021-10-27 12:20:09 -07:00
David Verdeguer ef1ebb2538 Merge pull request #1180 from actions/daverlo/ruby-beta
Add ruby and update CodeQL workflow
2021-10-27 16:07:51 +02:00
David Verdeguer 440e8daf05 Merge branch 'main' into daverlo/ruby-beta 2021-10-27 16:01:12 +02:00
Marco Gario 0f5b68ee4f Merge pull request #1198 from d-winsor/msvc-typo
Fixed typo in Microsoft C++ Code Analysis workflow.
2021-10-27 10:16:35 +02:00
Daniel Winsor d9dc2c2f72 Update commit SHA 2021-10-26 21:48:19 -07:00
Daniel Winsor 83bdb0fcd6 Fixed typo in workflow that will cause every run to fail 2021-10-26 21:37:36 -07:00
Simona Cotin 767ba11df2 update action version to v1 2021-10-26 13:15:05 +02:00
Simona Cotin 464fcecb39 Merge branch 'actions:partner_templates' into partner_templates 2021-10-26 13:13:11 +02:00
Abir Majumdar ed8c87df74 Update code-scanning/properties/mobsf.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
2021-10-25 21:40:48 -04:00
Abir Majumdar 09b078fd76 Update code-scanning/mobsf.yml
Co-authored-by: Nick Fyson <nickfyson@github.com>
2021-10-25 21:40:31 -04:00
Ashwin Sangem c0fe29b09d Added Azure Id template back. (#1195)
* Rename "azure.yml" to Node-specific name

* Add templates and properties for other languages

* Add workflow for .NET Core

* Add workflow and properties file for PHP

* Updates from PR review

* Fix EOF

* Use latest versions

* Renamed the file appropriately.

* Put the azure file back.

* Added azure back.

Co-authored-by: Jason Freeberg <jafreebe@microsoft.com>
2021-10-25 22:06:21 +05:30
Ashwin Sangem 9ce2a5b56f Dummy azure templates for showcasing the CD Ordering Behavior (#1194)
* Rename "azure.yml" to Node-specific name

* Add templates and properties for other languages

* Add workflow for .NET Core

* Add workflow and properties file for PHP

* Updates from PR review

* Fix EOF

* Use latest versions

* Renamed the file appropriately.

Co-authored-by: Jason Freeberg <jafreebe@microsoft.com>
2021-10-25 21:16:06 +05:30
Ashwin Sangem 87a12c3391 Undo bug bash changes and Sync with the main branch (#1193)
* Added Cloudrail according to instructions and existing examples

* Adding Cloudrail according to documentation and examples

* Oops

* Add original Fortify on Demand workflow

* Update Fortify on Demand workflow

* Update Fortify on Demand supported languages

* Add 3rd-party GitHub Actions disclaimer

* Sysdig Secure Inline Scan with SARIF report to starter workflows

* Added some extra comments, Github Actions V2 and changed env vars

* Reviews from PR #1110

* Adding 'Dockerfile' to category list

* Update according to PR review comments

* File renames as requested in PR comments

* Revert "Azure Data Factory CI starter workflow (#1111)" (#1146)

This reverts commit 7f30309cce.

* use env variables for user-set values (#1117)

Co-authored-by: Josh Gross <joshmgross@github.com>

* Apply suggestions from nickfyson's code review

Co-authored-by: Nick Fyson <nickfyson@github.com>

* removing "deployment" templates from sync-ghes (#1127)

* Update code-scanning/properties/sysdig-scan.properties.json

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Update code-scanning/properties/sysdig-scan.properties.json

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Changed svg logo

* Rename sysdig.svg to sysdig-scan.svg

* Switched svg logo (again) for a better fit

* Rename fortify.json to fortify.properties.json

* Correct character-case of "c" in Cloudrail

* AWS template also used Docker

* trigger on push instead of release (#1157)

Co-authored-by: Josh Gross <joshmgross@github.com>

* Added new templates for 3 clouds.

* Revert "Added new templates for 3 clouds."

This reverts commit c765d6316f.

* Add workflow for Microsoft C++ Code Analysis

* Updated action to meet guidelines

* correct typo in msvc.properties.json

* Removed the dummy templates used in bug_bash.

Co-authored-by: Yoni Leitersdorf <y@indeni.com>
Co-authored-by: Ruud Senden <ruud.senden@microfocus.com>
Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Co-authored-by: Manuel Boira Cuevas <manuel.boira@MacBook-Pro.local>
Co-authored-by: manuelbcd <manuel.boira@sysdig.com>
Co-authored-by: Nick Fyson <nickfyson@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
Co-authored-by: Josh Gross <joshmgross@github.com>
Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com>
Co-authored-by: manuelbcd <manuelbcd@gmail.com>
Co-authored-by: Daniel Winsor <danwin@microsoft.com>
2021-10-25 19:30:04 +05:30
Jason Freeberg c78dd727e9 Use latest versions 2021-10-24 21:47:00 -07:00
Jason Freeberg b5113430d9 Fix EOF 2021-10-24 21:46:13 -07:00
Jason Freeberg 704eb638ce Updates from PR review 2021-10-24 21:45:21 -07:00
Jason Freeberg a702d187d1 Add workflow and properties file for PHP 2021-10-24 21:37:36 -07:00
Simona Cotin 27ebc235ee Add partner templates for Azure Static Web Apps 2021-10-22 13:00:26 +02:00
Ashwin Sangem 39293c2452 Deleting gcp dummy templates. (#1186) 2021-10-22 16:24:02 +05:30
Bishal Prasad cd0b591526 Update google_python.properties.json 2021-10-22 16:13:36 +05:30
Bishal Prasad 4abed744e3 Update azure_docker.properties.json 2021-10-22 16:12:34 +05:30
Bishal Prasad 7b8fcf2d84 Rename aws_java.yaml to aws_node.yaml 2021-10-22 16:11:57 +05:30
Bishal Prasad 2b39072b92 Rename aws_java.properties.json to aws_node.properties.json 2021-10-22 16:11:39 +05:30
Bishal Prasad 34a94290c1 Update aws_java.properties.json 2021-10-22 16:10:51 +05:30
Bishal Prasad 41027f9cb5 Update aws_dockerfile.properties.json 2021-10-22 16:08:40 +05:30
Bishal Prasad a7e746ef4e Rename aws_node.yaml to aws_java.yaml 2021-10-22 16:01:43 +05:30
Bishal Prasad 62a3686226 Rename aws_node.properties.json to aws_java.properties.json 2021-10-22 16:00:55 +05:30
Bishal Prasad ff38066101 Create aws_node.properties.json 2021-10-22 16:00:18 +05:30
Bishal Prasad 1ff952c678 Update aws_node.properties.json 2021-10-22 16:00:12 +05:30
Bishal Prasad 1d19515d95 Update google_java.properties.json 2021-10-22 15:58:29 +05:30
Bishal Prasad c3f7e66294 Update azure_docker.properties.json 2021-10-22 15:53:33 +05:30
Bishal Prasad d6e33d5f35 fix dummy template names (#1185) 2021-10-22 15:48:49 +05:30
David Verdeguer 4a9a12a099 Update codeql.properties.json 2021-10-22 11:52:12 +02:00
Ashwin Sangem a3270e70de Add files via upload 2021-10-22 15:13:09 +05:30
Ashwin Sangem 0f29a0acbb Add files via upload 2021-10-22 15:12:17 +05:30
David Verdeguer 3a3f99717d Update codeql.properties.json 2021-10-22 11:40:38 +02:00
David Verdeguer 281a35c5ef Update code-scanning/properties/codeql.properties.json
Co-authored-by: Arthur Baars <arthur@semmle.com>
2021-10-22 11:37:35 +02:00
Ashwin Sangem 4e20b52618 Sync partner_templates branch with main (#1184)
* Added Cloudrail according to instructions and existing examples

* Adding Cloudrail according to documentation and examples

* Oops

* Add original Fortify on Demand workflow

* Update Fortify on Demand workflow

* Update Fortify on Demand supported languages

* Add 3rd-party GitHub Actions disclaimer

* Sysdig Secure Inline Scan with SARIF report to starter workflows

* Added some extra comments, Github Actions V2 and changed env vars

* Reviews from PR #1110

* Adding 'Dockerfile' to category list

* Update according to PR review comments

* File renames as requested in PR comments

* Revert "Azure Data Factory CI starter workflow (#1111)" (#1146)

This reverts commit 7f30309cce.

* use env variables for user-set values (#1117)

Co-authored-by: Josh Gross <joshmgross@github.com>

* Apply suggestions from nickfyson's code review

Co-authored-by: Nick Fyson <nickfyson@github.com>

* removing "deployment" templates from sync-ghes (#1127)

* Update code-scanning/properties/sysdig-scan.properties.json

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Update code-scanning/properties/sysdig-scan.properties.json

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Changed svg logo

* Rename sysdig.svg to sysdig-scan.svg

* Switched svg logo (again) for a better fit

* Rename fortify.json to fortify.properties.json

* Correct character-case of "c" in Cloudrail

* AWS template also used Docker

* trigger on push instead of release (#1157)

Co-authored-by: Josh Gross <joshmgross@github.com>

* Added new templates for 3 clouds.

* Revert "Added new templates for 3 clouds."

This reverts commit c765d6316f.

* Add workflow for Microsoft C++ Code Analysis

* Updated action to meet guidelines

* correct typo in msvc.properties.json

Co-authored-by: Yoni Leitersdorf <y@indeni.com>
Co-authored-by: Ruud Senden <ruud.senden@microfocus.com>
Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Co-authored-by: Manuel Boira Cuevas <manuel.boira@MacBook-Pro.local>
Co-authored-by: manuelbcd <manuel.boira@sysdig.com>
Co-authored-by: Nick Fyson <nickfyson@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
Co-authored-by: Josh Gross <joshmgross@github.com>
Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com>
Co-authored-by: manuelbcd <manuelbcd@gmail.com>
Co-authored-by: Daniel Winsor <danwin@microsoft.com>
2021-10-22 14:47:00 +05:30
David Verdeguer dcdce00205 Update codeql.properties.json 2021-10-22 10:54:14 +02:00
Nick Fyson 8a8c5b274c Merge pull request #1183 from actions/nickfyson-patch-1
correct typo in msvc.properties.json
2021-10-22 09:36:46 +01:00
Nick Fyson 149db50d43 correct typo in msvc.properties.json 2021-10-22 09:33:24 +01:00
Nick Fyson c3de16f318 Merge pull request #1181 from d-winsor/msvc-analysis
Microsoft C++ Code Analysis Action
2021-10-22 09:31:29 +01:00
Rui Chen 40f0709bd6 quote the version strings 2021-10-22 01:14:49 -04:00
Daniel Winsor 9fccb15dc6 Updated action to meet guidelines 2021-10-21 16:18:11 -07:00
Daniel Winsor bafed29a86 Add workflow for Microsoft C++ Code Analysis 2021-10-21 14:14:02 -07:00
David Verdeguer 042eac3858 Add ruby and update workflow 2021-10-21 22:11:00 +02:00
Ashwin Sangem e3fc80f30e Revert "Added new templates for 3 clouds."
This reverts commit c765d6316f.
2021-10-21 08:59:43 +00:00
Ashwin Sangem c765d6316f Added new templates for 3 clouds. 2021-10-21 14:27:06 +05:30
Rui Chen e6620ddc5b python: update to use python 3.10
Signed-off-by: Rui Chen <rui@chenrui.dev>
2021-10-20 00:02:48 -04:00
Jason Freeberg 4fad808870 Add workflow for .NET Core 2021-10-15 15:47:30 -07:00
Jason Freeberg e59c11c494 Add templates and properties for other languages 2021-10-15 15:33:45 -07:00
Jason Freeberg 21775ad05b Rename "azure.yml" to Node-specific name 2021-10-15 15:32:54 -07:00
Abir Majumdar 6e44c89176 Adhering to pull request guidelines 2021-10-15 08:55:34 -04:00
Abir Majumdar ffef54a02c Adding MobSF starter workflow 2021-10-15 08:37:05 -04:00
Nick Fyson 700743e332 Merge pull request #1153 from yi2020/patch-1
Correct character-case of "c" in Cloudrail
2021-10-12 09:58:03 +01:00
Nick Fyson a857e4e5a6 Merge branch 'main' into patch-1 2021-10-12 09:56:26 +01:00
Sarah Edwards 6b14bf21cb trigger on push instead of release (#1157)
Co-authored-by: Josh Gross <joshmgross@github.com>
2021-10-11 15:53:15 -04:00
Ashwin Sangem ad91ff259d AWS template also used Docker 2021-10-11 14:58:21 +05:30
Ashwin Sangem cbd5b645f1 Merge pull request #1110 from manuelbcd/main (#1155)
* Added Cloudrail according to instructions and existing examples

* Adding Cloudrail according to documentation and examples

* Oops

* Add original Fortify on Demand workflow

* Update Fortify on Demand workflow

* Update Fortify on Demand supported languages

* Add 3rd-party GitHub Actions disclaimer

* Sysdig Secure Inline Scan with SARIF report to starter workflows

* Added some extra comments, Github Actions V2 and changed env vars

* Reviews from PR #1110

* Adding 'Dockerfile' to category list

* Update according to PR review comments

* File renames as requested in PR comments

* Revert "Azure Data Factory CI starter workflow (#1111)" (#1146)

This reverts commit 7f30309cce.

* use env variables for user-set values (#1117)

Co-authored-by: Josh Gross <joshmgross@github.com>

* Apply suggestions from nickfyson's code review

Co-authored-by: Nick Fyson <nickfyson@github.com>

* removing "deployment" templates from sync-ghes (#1127)

* Update code-scanning/properties/sysdig-scan.properties.json

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Update code-scanning/properties/sysdig-scan.properties.json

Co-authored-by: Nick Fyson <nickfyson@github.com>

* Changed svg logo

* Rename sysdig.svg to sysdig-scan.svg

* Switched svg logo (again) for a better fit

* Rename fortify.json to fortify.properties.json

Co-authored-by: Yoni Leitersdorf <y@indeni.com>
Co-authored-by: Ruud Senden <ruud.senden@microfocus.com>
Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Co-authored-by: Manuel Boira Cuevas <manuel.boira@MacBook-Pro.local>
Co-authored-by: manuelbcd <manuel.boira@sysdig.com>
Co-authored-by: Nick Fyson <nickfyson@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
Co-authored-by: Josh Gross <joshmgross@github.com>
Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com>
Co-authored-by: manuelbcd <manuelbcd@gmail.com>
2021-10-08 17:31:42 +05:30
Yoni Leitersdorf 2e38bc8da2 Correct character-case of "c" in Cloudrail 2021-10-06 12:52:26 -07:00
Nick Fyson 5b659e82b4 Merge pull request #1110 from manuelbcd/main
Sysdig inline scanning
2021-10-06 10:14:48 +01:00
manuelbcd 764ebceaf5 Merge branch 'main' into main 2021-10-05 22:46:19 +02:00
Nick Fyson 122f83ece7 Merge pull request #1152 from actions/nickfyson/fix-fortify
Rename fortify.json to fortify.properties.json
2021-10-05 20:50:47 +01:00
Nick Fyson 6a1dba2d71 Rename fortify.json to fortify.properties.json 2021-10-05 20:44:48 +01:00
Nick Fyson a95943d406 Merge pull request #1090 from fortify/main
Add Fortify on Demand code scanning workflow
2021-10-05 20:24:09 +01:00
manuelbcd d07ff38b96 Merge branch 'main' into main 2021-10-05 15:10:10 +02:00
manuelbcd 3c200bdb21 Switched svg logo (again) for a better fit 2021-10-05 15:09:31 +02:00
manuelbcd b258b33234 Rename sysdig.svg to sysdig-scan.svg 2021-10-05 15:02:00 +02:00
manuelbcd c342a0c6e3 Merge branch 'main' of github.com:manuelbcd/starter-workflows 2021-10-05 10:40:25 +02:00
manuelbcd b55a65157e Changed svg logo 2021-10-05 10:39:56 +02:00
manuelbcd b7d9f15826 Update code-scanning/properties/sysdig-scan.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
2021-10-05 09:30:53 +02:00
manuelbcd 2a1abda503 Update code-scanning/properties/sysdig-scan.properties.json
Co-authored-by: Nick Fyson <nickfyson@github.com>
2021-10-05 09:30:45 +02:00
Aparna Ravindra 85d2a866f0 removing "deployment" templates from sync-ghes (#1127) 2021-10-05 11:22:46 +05:30
Nick Fyson 5d273fbcb3 Merge pull request #1047 from yi2020/add_cloudrail
Add Indeni Cloudrail
2021-10-04 19:45:31 +01:00
Nick Fyson d4dccf0b1e Merge branch 'main' into add_cloudrail 2021-10-04 19:44:55 +01:00
Yoni Leitersdorf c705225b8f Apply suggestions from nickfyson's code review
Co-authored-by: Nick Fyson <nickfyson@github.com>
2021-10-04 09:48:47 -07:00
Sarah Edwards 596b345944 use env variables for user-set values (#1117)
Co-authored-by: Josh Gross <joshmgross@github.com>
2021-10-01 15:07:03 -04:00
Ashwin Sangem 7b9e3b6858 Revert "Azure Data Factory CI starter workflow (#1111)" (#1146)
This reverts commit 7f30309cce.
2021-10-01 18:50:08 +05:30
Ana Armas Romero 13f632a90b Merge pull request #1144 from swarkentin/patch-1
Remove mention of trial for Mayhem for API
2021-09-30 11:41:10 +02:00
Ana Armas Romero 65fef9614f Merge branch 'main' into patch-1 2021-09-30 11:40:11 +02:00
Aparna Ravindra 02d91c6ccf checking for allowed category in validate-data script (#1131)
* checking for allowed category

* Update index.ts
2021-09-30 10:19:20 +05:30
Ashwin Sangem 6b053712be Added dockerfile to relevant CD template categories. (#1136)
* Added Dockerfile to Category for relevant CD templates.

* Update terraform.properties.json
2021-09-30 07:31:43 +05:30
Sheldon Warkentin 8c91a4c02f Remove mention of trial for Mayhem for API
A free plan is now in place with a professional trial that may be opted into afterward.
2021-09-29 13:45:57 -06:00
Nick Fyson 15daabeaa4 Merge pull request #1129 from actions/nickfyson/validate-code-scanning
start validating code-scanning workflows
2021-09-29 16:18:11 +01:00
Nick Fyson 4087ed4594 Merge branch 'main' into nickfyson/validate-code-scanning 2021-09-29 16:11:58 +01:00
Fernando de Oliveira 7f30309cce Azure Data Factory CI starter workflow (#1111)
* Azure Data Factory CI starter workflow

* fix: data factory starter categories

* fix: checkout step formatting

* fix: data-factory-export targeting latest version

* feature: latest adf validate and export versions

* feature: Azure Data Factory tech_stack category for CI starter

Co-authored-by: Fernando de Oliveira <5161098+fernandoBRS@users.noreply.github.com>
2021-09-29 10:32:01 +05:30
Gary Houbre f0b8c8ad72 Starter workflow Symfony (#1069)
* Add Symfony to starter Workflow

* Added Properties from Symfony

* Update symfony.yml

* Update symfony.yml

* Update symfony.yml

* Fix Wrong Configuration

* Review and fixing

* Update Symfony Properties Category

Co-authored-by: Ashwin Sangem <ashwinsangem@github.com>
2021-09-28 15:11:17 +05:30
Nick Fyson 70655750b2 check for yml and yaml extensions 2021-09-28 09:37:43 +01:00
Ruud Senden cb6678504a File renames as requested in PR comments 2021-09-28 10:24:29 +02:00
Ruud Senden fd79bd4838 Merge branch 'main' into main 2021-09-28 10:21:39 +02:00
Nick Fyson b5a43f8049 Merge branch 'main' into add_cloudrail 2021-09-27 21:35:59 +01:00
Nick Fyson 9426610033 Merge branch 'main' into nickfyson/validate-code-scanning 2021-09-27 20:46:46 +01:00
Nick Fyson b58a4e21c6 start validating code-scanning workflows 2021-09-27 20:35:10 +01:00
Randy Kleinman 4a9a1680df Update README grammar (#1123)
substitue -> substitute
2021-09-24 18:05:34 -04:00
Aparna Ravindra 5a1343bb22 Adding template - Build Xcode project (#1095)
* adding build for xcode

* renaming template

Co-authored-by: Ashwin Sangem <ashwinsangem@github.com>
2021-09-23 10:29:50 +05:30
Ruud Senden 97de22b47c Update according to PR review comments 2021-09-22 14:12:39 +02:00
Ruud Senden 835899e531 Merge branch 'actions:main' into main 2021-09-22 14:07:52 +02:00
Fernando de Oliveira 55f65bcc15 Directory structure updated (#1112)
Co-authored-by: Fernando de Oliveira <5161098+fernandoBRS@users.noreply.github.com>
2021-09-22 16:37:22 +05:30
manuelbcd 9b4fcbf911 Adding 'Dockerfile' to category list 2021-09-21 11:25:16 +02:00
manuelbcd 7d41cdb581 Reviews from PR #1110 2021-09-21 11:03:21 +02:00
Ninad Kavimandan e4091f2f55 add Vue to nodejs props (#1109) 2021-09-21 13:35:26 +05:30
manuelbcd 38d4e3bfd2 Added some extra comments, Github Actions V2 and changed env vars 2021-09-20 11:52:53 +02:00
Cadu Ribeiro 6dfa11d0c4 Add github/super-linter as starter workflow on CI (#1089)
This commit adds github/super-linter as a starter workflow to execute
several linters based on the user codebase on changed files.

Co-authored-by: Josh Gross <joshmgross@github.com>
2021-09-17 16:58:46 -04:00
Ruud Senden 45ae2e08fc Merge branch 'main' into main 2021-09-17 12:38:42 +02:00
Manuel Boira Cuevas 5e116cb9e8 Sysdig Secure Inline Scan with SARIF report to starter workflows 2021-09-16 10:47:05 +02:00
Ninad Kavimandan c36ea2c560 add Continuous integration to makefile props (#1100) 2021-09-16 11:51:53 +05:30
Ninad Kavimandan 59daabb07b support AspNetCore and DotNetConsole (#1096)
Co-authored-by: Ashwin Sangem <ashwinsangem@github.com>
2021-09-16 11:19:17 +05:30
Ninad Kavimandan 9095e7c9d5 added prefix npm- (#1097) 2021-09-16 11:17:56 +05:30
Ninad Kavimandan 1cb322141e add makefile template (#1093)
Co-authored-by: Ashwin Sangem <ashwinsangem@github.com>
2021-09-16 11:02:21 +05:30
Shubham Tiwari df5ac56102 Adding category in the template property file (#1092)
* adding category in the template property file

* added category on ruby template
2021-09-16 11:00:07 +05:30
Aparna Ravindra dda42cb8f2 Addition to categories to python templates (#1088)
* addition to categories for python-app template

* adding categories to pylint template

* adding categories to python-package template

Co-authored-by: Ashwin Sangem <ashwinsangem@github.com>
2021-09-15 20:04:06 +05:30
Aparna Ravindra 3175118151 Addressing review comments - Renaming template and updating setup-ruby action version (#1086)
* renaming template and updating setup-ruby action version

* renaming rubyrails files

* renaming rails files
2021-09-15 20:02:11 +05:30
John Bohannon 238e55b9b4 Merge pull request #1091 from tetchel/openshift-ghcr-squashed
Update OpenShift workflow to use GHCR by default (#6)
2021-09-14 15:01:30 -04:00
Tim Etchells 149cf11287 Update github-script major version
Co-authored-by: John Bohannon <imjohnbo@github.com>
2021-09-14 11:52:30 -07:00
Tim Etchells 48e2865d35 Update OpenShift workflow to use GHCR by default (#6)
- Simplifies required configuration since a registry account is now
  optional
- Update a variety of comments
- Use tools-installer to install oc
- Other small changes towards a better UX

Signed-off-by: Tim Etchells <tetchel@gmail.com>
2021-09-14 11:12:35 -07:00
Ruud Senden 30715e86a4 Add 3rd-party GitHub Actions disclaimer 2021-09-14 09:06:33 +02:00
Ruud Senden ddf7fe1e94 Merge branch 'actions:main' into main 2021-09-14 08:58:07 +02:00
Ruud Senden 6d89fb8045 Update Fortify on Demand supported languages 2021-09-14 08:56:36 +02:00
Ashwin Sangem 028df69d88 Added support for Java Frameworks, Spring and JSF to CI Templates. (#1087) 2021-09-14 08:04:52 +05:30
Ruud Senden 99fae1ecb1 Update Fortify on Demand workflow 2021-09-13 10:29:38 +02:00
Ruud Senden b671ee6c7b Add original Fortify on Demand workflow 2021-09-13 10:16:30 +02:00
tmash06 b33f57dde1 Fixed a broken link to actions/upload-a-build-artifact in dotnet-desktop.yml. (#1074)
Co-authored-by: Josh Gross <joshmgross@github.com>
2021-09-09 15:45:29 -04:00
Ninad Kavimandan 84a9757692 added React and Angular as categories to node (#1084) 2021-09-09 16:16:31 +05:30
Nick Fyson 29e8b6c38a Merge pull request #1081 from actions/nickfyson/add-codeql-to-ghes
Nickfyson/add codeql to ghes
2021-09-08 11:05:03 +01:00
Nick Fyson c2cc54a69e only check nwo of supported actions 2021-09-08 10:28:14 +01:00
Nick Fyson 7aa1944311 only run ghes sync checks on YML files 2021-09-08 10:08:06 +01:00
Nick Fyson e6aff964db add codeql workflow to ghes 2021-09-08 09:54:15 +01:00
Nick Fyson ff4d33e44b Merge pull request #1080 from actions/revert-1077-nickfyson/add-codeql-to-ghes
Revert "add codeql workflow to ghes branch"
2021-09-08 07:27:03 +01:00
Nick Fyson 41e3bc11ea Revert "add codeql workflow to ghes branch" 2021-09-08 07:26:24 +01:00
Nick Fyson 79ff92ef6d Merge pull request #1077 from actions/nickfyson/add-codeql-to-ghes
add codeql workflow to ghes branch
2021-09-08 07:24:31 +01:00
Nick Fyson e9f0116056 Merge branch 'main' into nickfyson/add-codeql-to-ghes 2021-09-08 07:23:25 +01:00
Aparna Ravindra 237e7737ce restoring from main (#1078) 2021-09-08 11:52:12 +05:30
Nick Fyson fc748cc482 add codeql workflow to ghes 2021-09-06 15:25:04 +00:00
Aparna Ravindra 7b64f44165 Directory for deployments (#1071)
* moving deployment templates

* including deployment directory in scripts

* validate categories script init

* introducing scout

* introducing workflow

* Update validate-categories.yaml

* Update validate-categories.yaml

* Update validate-categories.yaml

* Update validate.rb

* Update validate.rb

* Update validate.rb

* Update validate.rb

* Update validate-categories.yaml

* Update validate-categories.yaml

* Update validate-categories.yaml

* Update validate.rb

* Update validate-categories.yaml

* Update validate-categories.yaml

* Create test_comment.yaml

* rename

* using [enter]

* testing newline

* test

* setting up variable

* using echo -e

* using join

* testing space space new line

* setting multi line in echo

* removing checkout

* setting rows-generator

* fixing error

* using join

* commit

* Update test_comment.yaml

* escaping pipe

* printing debug line

* using %0A

* Update validate-categories.yaml

* Update validate.rb

* Update validate.rb

* removing debug

* removing variable

* Update validate.rb

* Update validate-categories.yaml

* Validate categories comment on pr (#32)

* reverting deployment directory

* checking for output

* Categories validation two workflows (#34)

comment on pr in a separate workflow

* Categories validation two workflows (#35)

using right dir name

* Categories validation two workflows (#36)

.

* Categories validation two workflows (#37)

fixing typo

* adding if conditions

* adding try catch

* using console instead of echo

* equating to upstream

* moving deployment templates
2021-09-06 11:04:54 +05:30
Varun Sharma ac64f9caf5 Secure workflows (#1) (#1072)
* Restrict permissions for the GITHUB_TOKEN in .github/workflows/label-feature.yml

* Restrict permissions for the GITHUB_TOKEN in .github/workflows/label-support.yml

* Restrict permissions for the GITHUB_TOKEN in .github/workflows/stale.yml

* Restrict permissions for the GITHUB_TOKEN in .github/workflows/sync_ghes.yaml

* Restrict permissions for the GITHUB_TOKEN in .github/workflows/validate-data.yaml

Co-authored-by: Step Security <bot@stepsecurity.io>

Co-authored-by: step-security[bot] <89328102+step-security[bot]@users.noreply.github.com>
Co-authored-by: Step Security <bot@stepsecurity.io>
2021-09-02 16:05:24 -04:00
Yoni Leitersdorf 98bde3b31e Oops 2021-08-17 07:32:50 -07:00
Yoni Leitersdorf 188b52b51c Adding Cloudrail according to documentation and examples 2021-08-17 07:29:29 -07:00
Yoni Leitersdorf 69184c7484 Added Cloudrail according to instructions and existing examples 2021-08-17 07:29:02 -07:00
164 changed files with 4881 additions and 489 deletions
+1
@@ -26,6 +26,7 @@ It is not:
- [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests").
- [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
- [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification.
- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
**For _CI_ workflows, the workflow:**
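Review bot: the new checklist item misspells "privilege" as "priviledge"; since this line will be quoted back to contributors in reviews, fix it to "least privilege" before merging. The linked docs section is the right reference for the `permissions:` key.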
+3 -2
@@ -12,7 +12,8 @@ These are the workflow files for helping people get started with GitHub Actions.
### Directory structure
* [ci](ci): solutions for Continuous Integration and Deployments
* [ci](ci): solutions for Continuous Integration workflows.
* [deployments](deployments): solutions for Deployment workflows.
* [automation](automation): solutions for automating workflows.
* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security)
* [icons](icons): svg icons for the relevant template
@@ -44,5 +45,5 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`.
These variables can be placed in the starter workflow and will be substituted as detailed below:
* `$default-branch`: will substitute the branch from the repository, for example `main` and `master`
* `$protected-branches`: will substitue any protected branches from the repository.
* `$protected-branches`: will substitute any protected branches from the repository
* `$cron-daily`: will substitute a valid but random time within the day
+1 -1
@@ -17,7 +17,7 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'adopt'
distribution: 'temurin'
cache: gradle
- name: Grant execute permission for gradlew
+1 -1
@@ -20,6 +20,6 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'adopt'
distribution: 'temurin'
- name: Build with Ant
run: ant -noinput -buildfile build.xml
+2 -3
@@ -12,9 +12,8 @@ env:
jobs:
build:
# The CMake configure and build commands are platform agnostic and should work equally
# well on Windows or Mac. You can convert this to a matrix build if you need
# cross-platform coverage.
# The CMake configure and build commands are platform agnostic and should work equally well on Windows or Mac.
# You can convert this to a matrix build if you need cross-platform coverage.
# See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
runs-on: ubuntu-latest
+1 -1
@@ -24,7 +24,7 @@ jobs:
- name: Setup Deno
# uses: denoland/setup-deno@v1
uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e9833173669
uses: denoland/setup-deno@004814556e37c54a2f6e31384c9e18e983317366
with:
deno-version: v1.x
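Review bot: the removed pin `004814556e37c54a2f6e31384c9e18e9833173669` is 41 hex characters, so it could never have resolved to a commit; the replacement is 40 characters, which is the form a SHA pin must take. Keep the commented `uses: denoland/setup-deno@v1` line directly above it in step with whichever release the hash corresponds to, since that comment is the only human-readable record of the pinned version.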
+30
@@ -29,11 +29,27 @@ jobs:
permissions:
contents: read
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v2
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
with:
cosign-release: 'v1.4.0'
# Workaround: https://github.com/docker/build-push-action/issues/461
- name: Setup Docker buildx
uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
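Review bot: `id-token: write` is granted at job level, so it is in effect on pull_request runs too even though the cosign install step is skipped there; job-level permissions cannot be made conditional, so this is acceptable, but the comment above the grant should say that it is unconditional and consumed only by the signing step. Pinning sigstore/cosign-installer and docker/setup-buildx-action by full SHA is consistent with the rest of the file.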
@@ -55,9 +71,23 @@ jobs:
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
# repository is public to avoid leaking data. If you would like to publish
# transparency data even for private images, pass --force to cosign below.
# https://github.com/sigstore/cosign
- name: Sign the published Docker image
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
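Review bot: the two guards use different styles, `if: github.event_name != 'pull_request'` on the install step and `if: ${{ github.event_name != 'pull_request' }}` here; pick one form for the file. Signing `@${{ steps.build-and-push.outputs.digest }}` rather than a tag is the right target, since the digest is immutable while `steps.meta.outputs.tags` can be re-pointed later.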
+3 -3
@@ -15,10 +15,10 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Set up Elixir
uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24
uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
with:
elixir-version: '1.10.3' # Define the elixir version [required]
otp-version: '22.3' # Define the OTP version [required]
elixir-version: '1.12.3' # Define the elixir version [required]
otp-version: '24.1' # Define the OTP version [required]
- name: Restore dependencies cache
uses: actions/cache@v2
with:
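Review bot: the step name still reads "Set up Elixir" although the action is now erlef/setup-beam, and the new SHA pin carries no version annotation; rename the step and add the release the hash corresponds to as a comment (placeholder: `# vX.Y.Z`), following the commented-tag pattern used in ci/deno.yml in this same patch.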
+11 -3
@@ -1,3 +1,7 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow will build a package using Gradle and then publish it to GitHub packages when a release is created
# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-gradle
@@ -21,17 +25,21 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'adopt'
distribution: 'temurin'
server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: Build with Gradle
run: gradle build
uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
with:
arguments: build
# The USERNAME and TOKEN need to correspond to the credentials environment variables used in
# the publishing section of your build.gradle
- name: Publish to GitHub Packages
run: gradle publish
uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
with:
arguments: publish
env:
USERNAME: ${{ github.actor }}
TOKEN: ${{ secrets.GITHUB_TOKEN }}
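Review bot: `gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7` appears twice with no comment stating which release it is; add one so the pin can be audited and bumped consistently. The comment about `USERNAME` and `TOKEN` needing to match build.gradle is still accurate after the switch from `run: gradle publish`, because the `env:` block passed to the publish step is unchanged.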
+8 -5
@@ -1,3 +1,7 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
@@ -20,9 +24,8 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'adopt'
cache: gradle
- name: Grant execute permission for gradlew
run: chmod +x gradlew
distribution: 'temurin'
- name: Build with Gradle
run: ./gradlew build
uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7
with:
arguments: build
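Review bot: dropping `cache: gradle` and the "Grant execute permission for gradlew" step is not explained; add a comment saying the build action now handles dependency caching and wrapper invocation, otherwise readers comparing with ci/maven.yml (which keeps `cache: maven` in this same patch) will assume the cache was lost by accident. The same SHA pin is used here as in gradle-publish.yml; keep the two bumped together.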
+1 -1
@@ -21,7 +21,7 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'adopt'
distribution: 'temurin'
server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
settings-path: ${{ github.workspace }} # location for the settings.xml file
+1 -1
@@ -20,7 +20,7 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'adopt'
distribution: 'temurin'
cache: maven
- name: Build with Maven
run: mvn -B package --file pom.xml
+5 -1
@@ -1,6 +1,10 @@
name: MSBuild
on: [push]
on:
push:
branches: [ $default-branch ]
pull_request:
branches: [ $default-branch ]
env:
# Path to the solution file relative to the root of the project.
+1 -1
@@ -1,4 +1,4 @@
# This workflow will do a clean install of node dependencies, cache/restore them, build the source code and run tests across different versions of node
# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
name: Node.js CI
+36
@@ -0,0 +1,36 @@
# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
name: Node.js Package
on:
release:
types: [created]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:
node-version: 16
- run: npm ci
- run: npm test
publish-gpr:
needs: build
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:
node-version: 16
registry-url: $registry-url(npm)
- run: npm ci
- run: npm publish
env:
NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
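Review bot: the `build` job has no `permissions:` block, so it runs with the repository's default token permissions, while `publish-gpr` correctly restricts itself to `contents: read` and `packages: write`; add `permissions: contents: read` to `build` to satisfy the least-privilege checklist item introduced in CONTRIBUTING.md in this same patch. `registry-url: $registry-url(npm)` looks like a template placeholder in the style of `$default-branch`; if so, list it in the README substitution section, which in the hunk above documents only `$default-branch`, `$protected-branches` and `$cron-daily`.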
+2 -19
@@ -14,7 +14,7 @@ jobs:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:
node-version: 14
node-version: 16
- run: npm ci
- run: npm test
@@ -25,26 +25,9 @@ jobs:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:
node-version: 14
node-version: 16
registry-url: https://registry.npmjs.org/
- run: npm ci
- run: npm publish
env:
NODE_AUTH_TOKEN: ${{secrets.npm_token}}
publish-gpr:
needs: build
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:
node-version: 14
registry-url: $registry-url(npm)
- run: npm ci
- run: npm publish
env:
NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+30
@@ -0,0 +1,30 @@
name: Xcode - Build and Analyze
on:
push:
branches: [ $default-branch ]
pull_request:
branches: [ $default-branch ]
jobs:
build:
name: Build and analyse default scheme using xcodebuild command
runs-on: macos-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Set Default Scheme
run: |
scheme_list=$(xcodebuild -list -json | tr -d "\n")
default=$(echo $scheme_list | ruby -e "require 'json'; puts JSON.parse(STDIN.gets)['project']['targets'][0]")
echo $default | cat >default
echo Using default scheme: $default
- name: Build
env:
scheme: ${{ 'default' }}
run: |
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
xcodebuild clean build analyze -scheme "$scheme" -"$filetype_parameter" "$file_to_build" | xcpretty && exit ${PIPESTATUS[0]}
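Review bot: the `Set Default Scheme` step reads `['project']['targets'][0]` from `xcodebuild -list -json`, i.e. the first target, but the value is later passed to `-scheme`; targets and schemes are separate lists in that JSON (there is a `schemes` array, and for a workspace the top-level key is `workspace`, not `project`), so this can select a name that is not a scheme. In the `Build` step `[ $scheme = default ]` is unquoted and breaks if `scheme` is empty; use `[ "$scheme" = default ]`, and quote the `ls -A | grep` results the same way. The job also declares no `permissions`; a `permissions: contents: read` block keeps the token read-only for a build-and-analyze job.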
+1 -1
@@ -2,5 +2,5 @@
"name": "Node.js",
"description": "Build and test a Node.js project with npm.",
"iconName": "nodejs",
"categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular"]
"categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"]
}
@@ -0,0 +1,6 @@
{
"name": "Publish Node.js Package to GitHub Packages",
"description": "Publishes a Node.js package to GitHub Packages.",
"iconName": "node-package-transparent",
"categories": ["Continuous integration", "JavaScript", "npm"]
}
+1 -1
@@ -1,6 +1,6 @@
{
"name": "Publish Node.js Package",
"description": "Publishes a Node.js package to npm and GitHub Packages.",
"description": "Publishes a Node.js package to npm.",
"iconName": "node-package-transparent",
"categories": ["Continuous integration", "JavaScript", "npm"]
}
@@ -0,0 +1,6 @@
{
"name": "Xcode - Build and Analyze",
"description": "Build Xcode project using xcodebuild",
"iconName": "xcode",
"categories": ["Continuous integration", "Xcode", "Objective-C"]
}
-6
@@ -1,6 +0,0 @@
{
"name": "Rails - Build and Run Linters",
"description": "Build Rails application and run linters",
"iconName": "ruby",
"categories": ["Ruby", "Rails"]
}
@@ -1,6 +0,0 @@
{
"name": "Rails - Install Dependencies and Run Linters",
"description": "Install dependencies and run linters on Rails application",
"iconName": "ruby",
"categories": ["Continuous integration", "Ruby", "Rails"]
}
@@ -0,0 +1,6 @@
{
"name": "Ruby on Rails continuous integration",
"description": "Build, lint, and test a Rails application",
"iconName": "rails",
"categories": ["Continuous integration", "Ruby", "Rails"]
}
@@ -0,0 +1,6 @@
{
"name": "Super Linter - Run Linters for several languages",
"description": "Run linters for several languages on your code base for changed files",
"iconName": "octicon check-circle",
"categories": ["Continuous integration", "code-quality", "code-review"]
}
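Review bot: `"iconName": "octicon check-circle"` is a space-separated value, unlike the single identifiers (`ruby`, `rails`, `php`, `xcode`) used in the other properties files of this change; confirm that the template renderer accepts this form before merging, otherwise use a single icon name.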
+10
@@ -0,0 +1,10 @@
{
"name": "Symfony",
"description": "Test a Symfony project.",
"iconName": "php",
"categories": [
"Continuous integration",
"PHP",
"Symfony"
]
}
+6 -5
@@ -4,19 +4,20 @@ on: [push]
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.8", "3.9", "3.10"]
steps:
- uses: actions/checkout@v2
- name: Set up Python 3.9
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v2
with:
python-version: 3.9
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install pylint
- name: Analysing the code with pylint
run: |
pylint `ls -R|grep .py$|xargs`
pylint $(git ls-files '*.py')
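Review bot: `pylint $(git ls-files '*.py')` is a clear improvement over `ls -R|grep .py$|xargs` (which lost directory paths), but the unquoted substitution word-splits on paths containing spaces, and on a repository with no tracked `.py` files pylint is invoked with no arguments and exits non-zero with a usage error; `git ls-files -z '*.py' | xargs -0 --no-run-if-empty pylint` handles both cases. Quoting the matrix entries as `"3.10"` is correct: an unquoted `3.10` is parsed by YAML as the float 3.1.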
+2 -2
@@ -16,10 +16,10 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Set up Python 3.9
- name: Set up Python 3.10
uses: actions/setup-python@v2
with:
python-version: 3.9
python-version: "3.10"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
+2 -2
@@ -10,10 +10,10 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Set up Python 3.8
- name: Set up Python 3.10
uses: actions/setup-python@v2
with:
python-version: 3.8
python-version: 3.10
- name: Add conda to system path
run: |
# $CONDA is an environment variable pointing to the root of the miniconda directory
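Review bot: `python-version: 3.10` on the replacement line is unquoted, so YAML parses it as the float 3.1 and `setup-python` will request Python 3.1 rather than 3.10, contradicting the step name; quote it as `python-version: "3.10"`.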
+1 -1
@@ -16,7 +16,7 @@ jobs:
strategy:
fail-fast: false
matrix:
python-version: [3.7, 3.8, 3.9]
python-version: ["3.8", "3.9", "3.10"]
steps:
- uses: actions/checkout@v2
+2 -2
@@ -19,12 +19,12 @@ jobs:
runs-on: macos-latest
strategy:
matrix:
r-version: [3.5, 3.6]
r-version: ['3.6.3', '4.1.1']
steps:
- uses: actions/checkout@v2
- name: Set up R ${{ matrix.r-version }}
uses: r-lib/actions/setup-r@ffe45a39586f073cc2e9af79c4ba563b657dc6e3
uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a
with:
r-version: ${{ matrix.r-version }}
- name: Install dependencies
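Review bot: the new `r-lib/actions/setup-r@f57f1301...` SHA pin has no comment recording the release it corresponds to; add a `# vX.Y` annotation next to it, as the `ruby/setup-ruby` pins elsewhere in this change do, so the pin can be audited and bumped without a lookup.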
-32
@@ -1,32 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow will download a prebuilt Ruby version, install dependencies, and run linters
name: Build Rails and run linters
on:
push:
branches: [ $default-branch ]
pull_request:
branches: [ $default-branch ]
jobs:
run-lint:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Setup Ruby and install gems
uses: ruby/setup-ruby@v1
with:
bundler-cache: true
# Add or Replace any other security checks here
- name: Run security checks
run: |
bin/bundler-audit --update
bin/brakeman -q -w2
# Add or Replace any other Linters here
- name: Run linters
run: |
bin/rubocop --parallel
-32
@@ -1,32 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow will download a prebuilt Ruby version, install dependencies, and run linters
name: Rails - Install dependencies and run linters
on:
push:
branches: [ $default-branch ]
pull_request:
branches: [ $default-branch ]
jobs:
run-lint:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Setup Ruby and install gems
uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
with:
bundler-cache: true
# Add or Replace any other security checks here
- name: Run security checks
run: |
bin/bundler-audit --update
bin/brakeman -q -w2
# Add or Replace any other Linters here
- name: Run linters
run: |
bin/rubocop --parallel
+58
@@ -0,0 +1,58 @@
# This workflow uses actions that are not certified by GitHub. They are
# provided by a third-party and are governed by separate terms of service,
# privacy policy, and support documentation.
#
# This workflow will install a prebuilt Ruby version, install dependencies, and
# run tests and linters.
name: "Ruby on Rails CI"
on:
push:
branches: [ $default-branch ]
pull_request:
branches: [ $default-branch ]
jobs:
test:
runs-on: ubuntu-latest
services:
postgres:
image: postgres:11-alpine
ports:
- "5432:5432"
env:
POSTGRES_DB: rails_test
POSTGRES_USER: rails
POSTGRES_PASSWORD: password
env:
RAILS_ENV: test
DATABASE_URL: "postgres://rails:password@localhost:5432/rails_test"
steps:
- name: Checkout code
uses: actions/checkout@v2
# Add or replace dependency steps here
- name: Install Ruby and gems
uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
with:
bundler-cache: true
# Add or replace database setup steps here
- name: Set up database schema
run: bin/rails db:schema:load
# Add or replace test runners here
- name: Run tests
run: bin/rake
lint:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Install Ruby and gems
uses: ruby/setup-ruby@8f312efe1262fb463d906e9bf040319394c18d3e # v1.92
with:
bundler-cache: true
# Add or replace any other lints here
- name: Security audit dependencies
run: bin/bundler-audit --update
- name: Security audit application code
run: bin/brakeman -q -w2
- name: Lint Ruby files
run: bin/rubocop --parallel
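Review bot: neither `test` nor `lint` declares `permissions`, so both run with the default GITHUB_TOKEN scopes although they only read the repository; add a top-level `permissions:` with `contents: read`. The `postgres` service has no health check (`options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5`), so `bin/rails db:schema:load` can run before the database accepts connections and fail intermittently. `POSTGRES_PASSWORD: password` is fine for an ephemeral service container, but a comment saying so would stop it being copied into a real configuration.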
+1 -1
@@ -17,6 +17,6 @@ jobs:
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'adopt'
distribution: 'temurin'
- name: Run tests
run: sbt test
+29
@@ -0,0 +1,29 @@
# This workflow executes several linters on changed files based on languages used in your code base whenever
# you push a code or open a pull request.
#
# You can adjust the behavior by modifying this file.
# For more information, see:
# https://github.com/github/super-linter
name: Lint Code Base
on:
push:
branches: [ $default-branch ]
pull_request:
branches: [ $default-branch ]
jobs:
run-lint:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
# Full git history is needed to get a proper list of changed files within `super-linter`
fetch-depth: 0
- name: Lint Code Base
uses: github/super-linter@v4
env:
VALIDATE_ALL_CODEBASE: false
DEFAULT_BRANCH: $default-branch
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
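Review bot: the workflow hands `GITHUB_TOKEN` to `github/super-linter` but declares no `permissions`, so the token carries the repository's default scopes; add an explicit `permissions:` block with `contents: read` and, only if the linter's status reporting is wanted, `statuses: write`. `github/super-linter@v4` is a mutable tag while the other third-party actions in this change are pinned to commit SHAs; consider pinning it the same way.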
+39
@@ -0,0 +1,39 @@
name: Symfony
on:
push:
branches: [ $default-branch ]
pull_request:
branches: [ $default-branch ]
jobs:
symfony-tests:
runs-on: ubuntu-latest
steps:
# To automatically get bug fixes and new Php versions for shivammathur/setup-php,
# change this to (see https://github.com/shivammathur/setup-php#bookmark-versioning):
# uses: shivammathur/setup-php@v2
- uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28
with:
php-version: '8.0'
- uses: actions/checkout@v2
- name: Copy .env.test.local
run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');"
- name: Cache Composer packages
id: composer-cache
uses: actions/cache@v2
with:
path: vendor
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
restore-keys: |
${{ runner.os }}-php-
- name: Install Dependencies
run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist
- name: Create Database
run: |
mkdir -p data
touch data/database.sqlite
- name: Execute tests (Unit and Feature tests) via PHPUnit
env:
DATABASE_URL: sqlite:///%kernel.project_dir%/data/database.sqlite
run: vendor/bin/phpunit
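Review bot: the `shivammathur/setup-php@2cb9b829...` pin carries no version comment (compare the `# v1.92` annotation on the `ruby/setup-ruby` pins in this change), and the comment above it spells the language "Php"; use "PHP" and note the pinned release. `setup-php` also runs before `actions/checkout`, which is harmless but reads oddly; putting checkout first matches every other template here.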
+45
@@ -0,0 +1,45 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow checks out code, builds an image, performs a container image
# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
# code scanning feature. For more information on the Anchore scan action usage
# and parameters, see https://github.com/anchore/scan-action. For more
# information on Anchore's container image scanning tool Grype, see
# https://github.com/anchore/grype
name: Anchore Container Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
Anchore-Build-Scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@v2
- name: Build the Docker image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
with:
image: "localbuild/testimage:latest"
acs-report-enable: true
- name: Upload Anchore Scan Report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif
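Review bot: the `Upload Anchore Scan Report` step has no `if: always()`, so whenever the scan step fails the job on findings (its `fail-build` input is left at the default here) the SARIF file is never uploaded and the findings never reach code scanning. Either set `fail-build: false` on the scan step or add `if: always()` to the upload step, as the Cloudrail template in this change does.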
+64
@@ -0,0 +1,64 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# APIsec addresses the critical need to secure APIs before they reach production.
# APIsec provides the industrys only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.
# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.
# How to Get Started with APIsec.ai
# 1. Schedule a demo at https://www.apisec.ai/request-a-demo .
#
# 2. Register your account at https://cloud.fxlabs.io/#/signup .
#
# 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly.
#
# 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions
#
# apisec-run-scan
#
# This action triggers the on-demand scans for projects registered in APIsec.
# If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings.
# Else you can view the scan results from the project home page in APIsec Platform.
# The link to view the scan results is also displayed on the console on successful completion of action.
# This is a starter workflow to help you get started with APIsec-Scan Actions
name: APIsec
# Controls when the workflow will run
on:
# Triggers the workflow on push or pull request events but only for the $default-branch branch
# Customize trigger events based on your DevSecOps processes.
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
Trigger APIsec scan:
runs-on: ubuntu-latest
steps:
- name: APIsec scan
uses: apisec-inc/apisec-run-scan@f62d0c6fae8a80f97b091a323befdb56e6ad9993
with:
# The APIsec username with which the scans will be executed
apisec-username: ${{ secrets.apisec_username }}
# The Password of the APIsec user with which the scans will be executed
apisec-password: ${{ secrets.apisec_password}}
# The name of the project for security scan
apisec-project: "VAmPI"
# The name of the sarif format result file The file is written only if this property is provided.
sarif-result-file: "apisec-results.sarif"
- name: Import results
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ./apisec-results.sarif
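Review bot: `Trigger APIsec scan:` is used as a job id, but job ids may contain only alphanumeric characters, `-` and `_` and must start with a letter or `_`; a key with spaces is rejected when the workflow is parsed. Rename it (for example `trigger-apisec-scan:`) and put the display text under `name:`. The job also uploads SARIF without a `permissions` block (`security-events: write` is required, everything else should stay read-only), `apisec-project: "VAmPI"` is a sample project name whose comment should tell users to replace it, `${{ secrets.apisec_password}}` is missing the space before `}}`, and "industrys" in the header comment should be "industry's".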
+51
@@ -0,0 +1,51 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow integrates Brakeman with GitHub's Code Scanning feature
# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
name: Brakeman Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
brakeman-scan:
name: Brakeman Scan
runs-on: ubuntu-latest
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v2
# Customize the ruby version depending on your needs
- name: Setup Ruby
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
with:
ruby-version: '2.7'
- name: Setup Brakeman
env:
BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
run: |
gem install brakeman --version $BRAKEMAN_VERSION
# Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
- name: Scan
continue-on-error: true
run: |
brakeman -f sarif -o output.sarif.json .
# Upload the SARIF file generated in the previous step
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: output.sarif.json
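Review bot: this workflow uploads to code scanning but declares no `permissions`, so it depends on the repository's default token scopes; add `permissions:` with `contents: read` and `security-events: write`, matching the Anchore and Codacy templates in this change. The `ruby/setup-ruby@f20f1eae...` pin should also carry a version comment like the other `setup-ruby` pins.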
+54
@@ -0,0 +1,54 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action
name: CxFlow
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action
permissions:
contents: read
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action
permissions:
contents: read # for actions/checkout to fetch code
issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues
pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2
# Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
- name: Checkmarx CxFlow Action
uses: checkmarx-ts/checkmarx-cxflow-github-action@9975af7d6b957abec9ee9646effa3fb3b82c5314
with:
project: ${{ secrets.CHECKMARX_PROJECT }}
team: ${{ secrets.CHECKMARX_TEAMS }}
checkmarx_url: ${{ secrets.CHECKMARX_URL }}
checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
scanners: sast
params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory
# Upload the Report for CodeQL/Security Alerts
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: cx.sarif
+58
@@ -0,0 +1,58 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Cloudrail
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
cloudrail:
name: Run Indeni Cloudrail on Terraform code with SARIF output
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Clone repo
uses: actions/checkout@v2
# For Terraform, Cloudrail requires the plan as input. So we generate it using
# the Terraform core binary.
- uses: hashicorp/setup-terraform@v1
with:
terraform_version: v0.13.2
- run: terraform init
- run: terraform plan -out=plan.out
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# Confirm we have the plan file
- run: stat plan.out
- name: Run Cloudrail
uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622
with:
tf-plan-file: plan.out # This was created in a "terraform plan" step
cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app
cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
# is needed to ensure the SARIF file is uploaded
if: always()
with:
sarif_file: cloudrail_results.sarif
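Review bot: `terraform init` and `terraform plan` run with `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` on `pull_request` as well as `push`; a plan evaluates provider and data-source code from the checked-out Terraform, so the credentials are exercised against whatever the PR contains, and on pull requests from forks the secrets are empty and the plan step simply fails. Consider limiting the credentialed steps to `push`/`schedule`, or using short-lived, least-privilege credentials for the plan. `terraform_version: v0.13.2` is a fixed old release and deserves a comment explaining the pin, and "Analaysis" in the `cloud-account-id` comment should be "Analysis".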
+60
@@ -0,0 +1,60 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow checks out code, performs a Codacy security scan
# and integrates the results with the
# GitHub Advanced Security code scanning feature. For more information on
# the Codacy security scan action usage and parameters, see
# https://github.com/codacy/codacy-analysis-cli-action.
# For more information on Codacy Analysis CLI in general, see
# https://github.com/codacy/codacy-analysis-cli.
name: Codacy Security Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
codacy-security-scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Codacy Security Scan
runs-on: ubuntu-latest
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
uses: actions/checkout@v2
# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
- name: Run Codacy Analysis CLI
uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
with:
# Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
# You can also omit the token and run the tools that support default configurations
project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
verbose: true
output: results.sarif
format: sarif
# Adjust severity of non-security issues
gh-code-scanning-compat: true
# Force 0 exit code to allow SARIF file generation
# This will handover control about PR rejection to the GitHub side
max-allowed-issues: 2147483647
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif
+1 -2
@@ -34,8 +34,7 @@ jobs:
matrix:
language: [ $detected-codeql-languages ]
# CodeQL supports [ $supported-codeql-languages ]
# Learn more:
# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
# Learn more about CodeQL language support at https://git.io/codeql-language-support
steps:
- name: Checkout repository
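Review bot: the replacement comment swaps the full docs.github.com URL for a `git.io` short link; GitHub has deprecated git.io, so the redirect may stop resolving, and a redirector hides the destination from anyone reading the template. Keep a direct docs.github.com link.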
+42
@@ -0,0 +1,42 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow requires that you have an existing account with codescan.io
# For more information about configuring your workflow,
# read our documentation at https://github.com/codescan-io/codescan-scanner-action
name: CodeScan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
CodeScan:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Cache files
uses: actions/cache@v2
with:
path: |
~/.sonar
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Run Analysis
uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12
with:
login: ${{ secrets.CODESCAN_AUTH_TOKEN }}
organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: codescan.sarif
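Review bot: no `permissions` block although the job uploads SARIF; add `permissions:` with `contents: read` and `security-events: write`, as the other code-scanning templates in this change do. In `Cache files`, `restore-keys` is identical to `key`, which adds nothing; either drop it or use a prefix such as `${{ runner.os }}-sonar-`.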
+59
@@ -0,0 +1,59 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow locates REST API file contracts
# (Swagger or OpenAPI format, v2 and v3, JSON and YAML)
# and runs 200+ security checks on them using 42Crunch Security Audit technology.
#
# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
#
# To use this workflow, you will need to complete the following setup steps.
#
# 1. Create a free 42Crunch account at https://platform.42crunch.com/register
#
# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
# to create an API Token on the 42Crunch platform
#
# 3. Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm,
# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow
#
# If you have any questions or need help contact https://support.42crunch.com
name: "42Crunch REST API Static Security Testing"
# follow standard Code Scanning triggers
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
rest-api-static-security-testing:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: 42Crunch REST API Static Security Testing
uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1
with:
# Please create free account at https://platform.42crunch.com/register
# Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
api-token: ${{ secrets.API_TOKEN }}
# Fail if any OpenAPI file scores lower than 75
min-score: 75
# Upload results to Github code scanning
upload-to-code-scanning: true
# Github token for uploading the results
github-token: ${{ github.token }}
+118
@@ -0,0 +1,118 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow performs a static analysis of your Kotlin source code using
# Detekt.
#
# Scans are triggered:
# 1. On every push to default and protected branches
# 2. On every Pull Request targeting the default branch
# 3. On a weekly schedule
# 4. Manually, on demand, via the "workflow_dispatch" event
#
# The workflow should work with no modifications, but you might like to use a
# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG
# environment variable.
name: Scan with Detekt
on:
# Triggers the workflow on push or pull request events but only for default and protected branches
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
env:
# Release tag associated with version of Detekt to be installed
# SARIF support (required for this workflow) was introduced in Detekt v1.15.0
DETEKT_RELEASE_TAG: v1.15.0
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "scan"
scan:
name: Scan
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2
# Gets the download URL associated with the $DETEKT_RELEASE_TAG
- name: Get Detekt download URL
id: detekt_info
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query='
query getReleaseAssetDownloadUrl($tagName: String!) {
repository(name: "detekt", owner: "detekt") {
release(tagName: $tagName) {
releaseAssets(name: "detekt", first: 1) {
nodes {
downloadUrl
}
}
tagCommit {
oid
}
}
}
}
' 1> gh_response.json
DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json)
if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then
echo "Release tag doesn't match expected commit SHA"
exit 1
fi
DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json)
echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL"
# Sets up the detekt cli
- name: Setup Detekt
run: |
dest=$( mktemp -d )
curl --request GET \
--url ${{ steps.detekt_info.outputs.download_url }} \
--silent \
--location \
--output $dest/detekt
chmod a+x $dest/detekt
echo $dest >> $GITHUB_PATH
# Performs static analysis using Detekt
- name: Run Detekt
continue-on-error: true
run: |
detekt --input ${{ github.workspace }} --report sarif:${{ github.workspace }}/detekt.sarif.json
# Modifies the SARIF output produced by Detekt so that absolute URIs are relative
# This is so we can easily map results onto their source files
# This can be removed once relative URI support lands in Detekt: https://git.io/JLBbA
- name: Make artifact location URIs relative
continue-on-error: true
run: |
echo "$(
jq \
--arg github_workspace ${{ github.workspace }} \
'. | ( .runs[].results[].locations[].physicalLocation.artifactLocation.uri |= if test($github_workspace) then .[($github_workspace | length | . + 1):] else . end )' \
${{ github.workspace }}/detekt.sarif.json
)" > ${{ github.workspace }}/detekt.sarif.json
# Uploads results to GitHub repository using the upload-sarif action
- uses: github/codeql-action/upload-sarif@v1
with:
# Path to SARIF file relative to the root of the repository
sarif_file: ${{ github.workspace }}/detekt.sarif.json
checkout_path: ${{ github.workspace }}
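Review bot: the commit-SHA guard in `Get Detekt download URL` reads `.data.repository.release.releaseAssets.tagCommit.oid`, but in the GraphQL query `tagCommit` is a sibling of `releaseAssets` under `release`, not a child of it; jq therefore returns `null`, the comparison against `37f0a1d0...` always fails and the step exits 1. The path should be `.data.repository.release.tagCommit.oid`. The comparison should also quote the variable (`[ "$DETEKT_RELEASE_SHA" != ... ]`) so an empty value gives a clear failure rather than a shell syntax error, and the `curl --url ${{ steps.detekt_info.outputs.download_url }}` interpolation into a `run:` script is safer passed through `env:`. The intent of verifying the release against a known commit SHA is sound and worth keeping.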
+97
@@ -0,0 +1,97 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
################################################################################################################################################
# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
# or contact our sales team, visit microfocus.com/appsecurity. #
# #
# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.#
# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into #
# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against #
# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the #
# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional #
# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. #
################################################################################################################################################
name: Fortify on Demand Scan
# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
on:
workflow_dispatch:
push:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
FoD-SAST-Scan:
# Use the appropriate runner for building your source code.
# TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v2
# Java is required to run the various Fortify utilities.
# When scanning a Java application, please use the appropriate Java version for building your application.
- name: Setup Java
uses: actions/setup-java@v1
with:
java-version: 1.8
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
# ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
# ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
# ScanCentral has additional options that should be set for PHP and Python projects
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
# ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
- name: Download Fortify ScanCentral Client
uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3
- name: Package Code + Dependencies
run: scancentral package $PACKAGE_OPTS -o package.zip
env:
PACKAGE_OPTS: "-bt mvn"
# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
# Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
- name: Download Fortify on Demand Universal CI Tool
uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433
- name: Perform SAST Scan
run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
env:
FOD_URL: "https://ams.fortify.com/"
FOD_API_URL: "https://api.ams.fortify.com/"
FOD_TENANT: ${{ secrets.FOD_TENANT }}
FOD_USER: ${{ secrets.FOD_USER }}
FOD_PAT: ${{ secrets.FOD_PAT }}
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
- name: Export results to GitHub-optimized SARIF
uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b
with:
fod_base_url: "https://ams.fortify.com/"
fod_tenant: ${{ secrets.FOD_TENANT }}
fod_user: ${{ secrets.FOD_USER }}
fod_password: ${{ secrets.FOD_PAT }}
fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
# Import Fortify on Demand results to GitHub Security Code Scanning
- name: Import Results
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ./gh-fortify-sast.sarif
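Review bot: the Setup Java step (`uses: actions/setup-java@v1` with `java-version: 1.8`) uses an older major of the action than the pmd template added in this same change, which pins `actions/setup-java@v2` with an explicit `distribution: 'temurin'`; moving this template to v2 with a distribution keeps the set consistent and matches the comment that the Java version should be chosen per project. Separately, the Perform SAST Scan run line passes the `FOD_PAT` secret as a bare positional argument (`"$FOD_USER" "$FOD_PAT"`); GitHub masks registered secrets in logs, but a short comment stating that the uploader requires the token on the command line would help readers judge the exposure on self-hosted runners where process listings are visible to other local users.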
+1 -1
@@ -10,7 +10,7 @@
# To use this workflow, you will need to:
#
# 1. Create a Mayhem for API account at
# https://mayhem4api.forallsecure.com/signup (30-day free trial)
# https://mayhem4api.forallsecure.com/signup
#
# 2. Create a service account token `mapi organization service-account create
# <org-name> <service-account-name>`
+36
@@ -0,0 +1,36 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: MobSF
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
mobile-security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Setup python
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Run mobsfscan
uses: MobSF/mobsfscan@a60d10a83af68e23e0b30611c6515da604f06f65
with:
args: . --sarif --output results.sarif || true
- name: Upload mobsfscan report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif
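Review bot: the mobile-security job declares no `permissions` block, so it runs with the repository's default `GITHUB_TOKEN` scope although it only needs `contents: read` for checkout and `security-events: write` for `github/codeql-action/upload-sarif`; the njsscan and Semgrep templates in this change show the pattern (top-level `permissions: contents: read` plus a job-level block). `args: . --sarif --output results.sarif || true` forces the scan step to succeed so the upload always runs, but it also hides a crash of the scanner itself; `continue-on-error: true` on the step, as the Snyk templates here do, keeps the upload running while still marking a failed scan in the job summary. Minor: `python-version: 3.8` is an unquoted YAML float, which works for 3.8 but becomes 3.1 if someone later bumps it to 3.10, so quote it.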
+59
@@ -0,0 +1,59 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# Find more information at:
# https://github.com/microsoft/msvc-code-analysis-action
name: Microsoft C++ Code Analysis
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
env:
# Path to the CMake build directory.
build: '${{ github.workspace }}/build'
jobs:
analyze:
name: Analyze
runs-on: windows-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Configure CMake
run: cmake -B ${{ env.build }}
# Build is not required unless generated source files are used
# - name: Build CMake
# run: cmake --build ${{ env.build }}
- name: Initialize MSVC Code Analysis
uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99
# Provide a unique ID to access the sarif output path
id: run-analysis
with:
cmakeBuildDirectory: ${{ env.build }}
# Ruleset file that will determine what checks will be run
ruleset: NativeRecommendedRules.ruleset
# Upload SARIF file to GitHub Code Scanning Alerts
- name: Upload SARIF to GitHub
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
# Upload SARIF file as an Artifact to download and view
# - name: Upload SARIF as an Artifact
# uses: actions/upload-artifact@v2
# with:
# name: sarif-file
# path: ${{ steps.run-analysis.outputs.sarif }}
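Review bot: the analyze job has no `permissions` block; only the Upload SARIF to GitHub step needs `security-events: write` and checkout needs `contents: read`, so declare exactly those at the job level (as the Fortify template in this change does) instead of inheriting the default token scope. The commented-out Build CMake step is a good hint; its comment could say explicitly that projects relying on generated source files must uncomment it before the analysis step, since the ruleset run needs those files present.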
+41
@@ -0,0 +1,41 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow integrates njsscan with GitHub's Code Scanning feature
# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications
name: njsscan sarif
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
njsscan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
- name: Checkout the code
uses: actions/checkout@v2
- name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711
with:
args: '. --sarif --output results.sarif || true'
- name: Upload njsscan report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif
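Review bot: `id: njsscan` on the nodejsscan scan step is never referenced by a later step (the upload reads a fixed `results.sarif`), so either drop the id or use `${{ steps.njsscan.outputs... }}` if the action exposes the report path. The `|| true` inside `args` makes the step succeed regardless of what njsscan returns, which guarantees the upload runs but also masks a scanner crash; `continue-on-error: true` on the step gives the same upload behaviour while still flagging a failed scan. The split permissions (top-level `contents: read`, job-level `security-events: write`) are the right shape and worth copying into the other templates in this change.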
+52
@@ -0,0 +1,52 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# NowSecure: The Mobile Security Experts <https://www.nowsecure.com/>.
#
# To use this workflow, you must be an existing NowSecure customer with GitHub Advanced Security (GHAS) enabled for your
# repository.
#
# If you *are not* an existing customer, click here to contact us for licensing and pricing details:
# <https://info.nowsecure.com/github-request>.
#
# Instructions:
#
# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and
# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit
# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub".
#
# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
# and review the "Security" tab once the action has run.
name: "NowSecure"
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
jobs:
nowsecure:
name: NowSecure
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build your application
run: ./gradlew assembleDebug # Update this to build your Android or iOS application
- name: Run NowSecure
uses: nowsecure/nowsecure-action@3b439db31b6dce857b09f5222fd13ffc3159ad26
with:
token: ${{ secrets.NS_TOKEN }}
app_file: app-debug.apk # Update this to a path to your .ipa or .apk
group_id: {{ groupId }} # Update this to your desired Platform group ID
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: NowSecure.sarif
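Review bot: `group_id: {{ groupId }}` is a templating placeholder that YAML reads as a nested flow mapping rather than a string, so the workflow will not accept it as an input value until the user edits it; use a plain placeholder string with the same "Update this" comment style as `app_file` (for example `group_id: your-group-id`). The job also has no `permissions` block (`contents: read` for checkout, `security-events: write` for upload-sarif), and the Build step runs `./gradlew assembleDebug` without any JDK setup step, which the comment should call out as something the user must add for their toolchain.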
+49
@@ -0,0 +1,49 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow integrates a collection of open source static analysis tools
# with GitHub code scanning. For documentation, or to provide feedback, visit
# https://github.com/github/ossar-action
name: OSSAR
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
OSSAR-Scan:
# OSSAR runs on windows-latest.
# ubuntu-latest and macos-latest support coming soon
runs-on: windows-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
# Ensure a compatible version of dotnet is installed.
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
# A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
# - name: Install .NET
# uses: actions/setup-dotnet@v1
# with:
# dotnet-version: '3.1.x'
# Run open source static analysis tools
- name: Run OSSAR
uses: github/ossar-action@v1
id: ossar
# Upload results to the Security tab
- name: Upload OSSAR results
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
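Review bot: the OSSAR-Scan job has no `permissions` block; the Upload OSSAR results step needs `security-events: write` and checkout needs `contents: read`, so declare them at the job level as the njsscan template in this change does rather than relying on the default token scope. The dotnet comment block is useful but long; stating in one line that hosted runners already satisfy the requirement, with the commented `actions/setup-dotnet` step kept only for self-hosted runners, would make the intent clearer.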
+36
@@ -0,0 +1,36 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: pmd
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
pmd-code-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up JDK 11
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'temurin'
- name: Run PMD
id: pmd
uses: pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29
with:
rulesets: 'rulesets/java/quickstart.xml'
sourcePath: 'src/main/java'
analyzeModifiedFilesOnly: false
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: pmd-report.sarif
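Review bot: the pmd-code-scan job declares no `permissions` block, so the upload-sarif step runs with the default token scope instead of just `contents: read` and `security-events: write`. `rulesets: 'rulesets/java/quickstart.xml'` and `sourcePath: 'src/main/java'` are project-specific defaults that a non-Maven layout will not match; a one-line comment saying both must be adjusted, in the style of the other templates here, would save users a failed first run.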
+54
@@ -0,0 +1,54 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# A sample workflow that checks for security issues using
# the Prisma Cloud Infrastructure as Code Scan Action on
# the IaC files present in the repository.
# The results are uploaded to GitHub Security Code Scanning
#
# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action
name: Prisma Cloud IaC Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
prisma_cloud_iac_scan:
runs-on: ubuntu-latest
name: Run Prisma Cloud IaC Scan to check
steps:
- name: Checkout
uses: actions/checkout@v2
- id: iac-scan
name: Run Scan on CFT files in the repository
uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3
with:
# You will need Prisma Cloud API Access Token
# More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action
prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }}
access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
# Scan sources on Prisma Cloud are uniquely identified by their name
asset_name: 'my-asset-name'
# The service need to know the type of IaC being scanned
template_type: 'CFT'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed.
# And alternative it to add `continue-on-error: true` to the previous step
if: success() || failure()
with:
# The SARIF Log file name is configurable on scan action
# therefore the file name is best read from the steps output
sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }}
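Review bot: comment typos in the scan and upload steps: "The service need to know" should read "needs", and "And alternative it to add" should read "An alternative is to add". `if: success() || failure()` is correct; `if: !cancelled()` states the same intent more directly. `asset_name: 'my-asset-name'` is a placeholder the user must replace, but unlike the other inputs it carries no comment saying so. The job also lacks a `permissions` block granting `security-events: write` for the upload and `contents: read` for checkout.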
@@ -0,0 +1,7 @@
{
"name": "Anchore Container Scan",
"creator": "Indeni Cloudrail",
"description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.",
"iconName": "anchore",
"categories": ["Code Scanning", "dockerfile"]
}
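Review bot: `"creator": "Indeni Cloudrail"` is the creator recorded for the cloudrail properties file later in this same change, not for the Anchore container scan; this looks like a copy-paste slip and should name Anchore so the listing is attributed correctly.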
@@ -0,0 +1,24 @@
{
"name": "APIsec Scan",
"creator": "APIsec",
"description": "APIsec provides the industrys only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.",
"iconName": "apisec",
"categories": [
"Code Scanning",
"C",
"C#",
"C++",
"Go",
"Java",
"JavaScript",
"Kotlin",
"Objective C",
"PHP",
"Python",
"Ruby",
"Rust",
"Scala",
"Swift",
"TypeScript"
]
}
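Review bot: "industrys" in the description should be "industry's"; the text is shown verbatim in the template chooser, so the typo is user-visible.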
@@ -0,0 +1,7 @@
{
"name": "Brakeman",
"creator": "Brakeman",
"description": "Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications.",
"iconName": "brakeman",
"categories": ["Code Scanning", "ruby"]
}
@@ -0,0 +1,7 @@
{
"name": "CxSAST",
"creator": "Checkmarx",
"description": "Scan your code with Checkmarx CxSAST and see your results in the GitHub security tab.",
"iconName": "checkmarx",
"categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"]
}
@@ -0,0 +1,7 @@
{
"name": "cloudrail",
"creator": "Indeni Cloudrail",
"description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues.",
"iconName": "cloudrail",
"categories": ["Code Scanning", "HCL"]
}
@@ -0,0 +1,7 @@
{
"name": "Codacy Security Scan",
"creator": "Codacy",
"description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.",
"iconName": "codacy",
"categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"]
}
@@ -1,7 +1,7 @@
{
"name": "CodeQL Analysis",
"creator": "GitHub",
"description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.",
"description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
"iconName": "octicon mark-github",
"categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"]
"categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
}
@@ -0,0 +1,7 @@
{
"name": "CodeScan",
"creator": "CodeScan Enterprises, LLC",
"description": "CodeScan allows for better visibility on your code quality checks based on your custom rulesets.",
"iconName": "codescan",
"categories": ["Code Scanning", "javascript", "apex"]
}
@@ -0,0 +1,7 @@
{
"name": "42Crunch API Security Audit",
"creator": "42Crunch",
"description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.",
"iconName": "42crunch",
"categories": ["Code Scanning"]
}
@@ -0,0 +1,8 @@
{
"name": "Detekt",
"creator": "Detekt",
"description": "Static code analysis for Kotlin",
"iconName": "detekt",
"categories": ["Code Scanning", "Kotlin"],
"enterprise": false
}
@@ -0,0 +1,7 @@
{
"name": "Fortify on Demand Scan",
"creator": "Micro Focus",
"description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.",
"iconName": "fortify",
"categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"]
}
@@ -0,0 +1,13 @@
{
"name": "mobsf",
"creator": "mobsf",
"description": "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.",
"iconName": "mobsf",
"categories": [
"Code Scanning",
"Java",
"Swift",
"Objective-C",
"Kotlin"
]
}
@@ -0,0 +1,7 @@
{
"name": "Microsoft C++ Code Analysis",
"creator": "Microsoft",
"description": "Code Analysis with the Microsoft C & C++ Compiler for CMake based projects.",
"iconName": "microsoft",
"categories": ["Code Scanning", "C", "C++"]
}
@@ -0,0 +1,7 @@
{
"name": "njsscan",
"creator": "NodeJSScan",
"description": "nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications.",
"iconName": "njsscan",
"categories": ["Code Scanning", "JavaScript", "TypeScript"]
}
@@ -0,0 +1,21 @@
{
"name": "NowSecure",
"creator": "NowSecure",
"description": "The NowSecure Action delivers fast, accurate, automated security analysis of iOS and Android apps coded in any language",
"iconName": "nowsecure",
"categories": [
"Code Scanning",
"Java",
"Kotlin",
"Scala",
"Swift",
"Objective C",
"C",
"C++",
"C#",
"Rust",
"JavaScript",
"TypeScript",
"Node"
]
}
@@ -0,0 +1,7 @@
{
"name": "OSSAR",
"creator": "GitHub",
"description": "Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).",
"iconName": "octicon mark-github",
"categories": ["Code Scanning", "python", "javascript"]
}
@@ -0,0 +1,18 @@
{
"name": "pmd",
"creator": "pmd",
"description": "PMD is a static source code analyzer. It supports Java, JavaScript, Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.",
"iconName": "pmd",
"categories": [
"Code Scanning",
"Java",
"JavaScript",
"Apex",
"Modelica",
"PLSQL",
"Apache Velocity",
"XML",
"XSl",
"Scala"
]
}
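Review bot: `"XSl"` in the categories array should be `"XSL"`, as the description on the same file spells it; category strings are matched by name in the chooser, so the inconsistent casing is likely to leave that category unmatched.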
@@ -0,0 +1,7 @@
{
"name": "Prisma Cloud IaC Scan",
"creator": "Palo Alto Prisma Cloud",
"description": "Scan your Infrastructure as Code files with Prisma Cloud to detect security issues",
"iconName": "prisma",
"categories": ["Code Scanning"]
}
@@ -0,0 +1,7 @@
{
"name": "RuboCop Linting",
"creator": "arthurnn",
"description": "A Ruby static code analyzer and formatter, based on the community Ruby style guide.",
"iconName": "rubocop",
"categories": ["Code Scanning", "ruby"]
}
@@ -0,0 +1,7 @@
{
"name": "OSSF Scorecards",
"creator": "Open Source Security Foundation (OpenSSF)",
"description": "Scorecards is a static supply-chain security analysis tool to assess the security posture of your project",
"iconName": "scorecards",
"categories": ["Code Scanning"]
}
@@ -0,0 +1,7 @@
{
"name": "SecurityCodeScan",
"creator": "@security-code-scan",
"description": "Vulnerability Patterns Detector for C# and VB.NET",
"iconName": "securitycodescan",
"categories": ["Code Scanning", "C#", "Visual Basic .NET"]
}
@@ -0,0 +1,7 @@
{
"name": "Semgrep",
"creator": "Returntocorp",
"description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.",
"iconName": "semgrep",
"categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"]
}
@@ -0,0 +1,7 @@
{
"name": "Scan",
"creator": "ShiftLeft",
"description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.",
"iconName": "shiftleft",
"categories": ["Code Scanning"]
}
@@ -0,0 +1,7 @@
{
"name": "Snyk Container",
"creator": "Snyk",
"description": "Detect vulnerabilities in your container images and surface the issues in GitHub code scanning.",
"iconName": "snyk",
"categories": ["Code Scanning", "dockerfile"]
}
@@ -0,0 +1,7 @@
{
"name": "Snyk Infrastructure as Code",
"creator": "Snyk",
"description": "Detect vulnerabilities in your infrastructure as code files and surface the issues in GitHub code scanning.",
"iconName": "snyk",
"categories": ["Code Scanning"]
}
@@ -0,0 +1,7 @@
{
"name": "Sysdig Inline Scan",
"creator": "Sysdig",
"description": "Performs analysis on locally built container image and posts the results in SARIF report",
"iconName": "sysdig-scan",
"categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"]
}
@@ -0,0 +1,8 @@
{
"name": "Trivy",
"creator": "Aqua Security",
"description": "Scan Docker container images for vulnerabilities in OS packages and language dependencies with Trivy from Aqua Security.",
"iconName": "trivy",
"categories": ["Code Scanning", "dockerfile"],
"enterprise_requirements": ["docker"]
}
@@ -0,0 +1,7 @@
{
"name": "Veracode Static Analysis",
"creator": "Veracode",
"description": "Get fast feedback on flaws with Veracode Static Analysis and the pipeline scan. Break the build based on flaw severity and CWE category.",
"iconName": "veracode",
"categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "kotlin", "scala", "groovy", "tsql", "plsql", "perl", "cobol"]
}
@@ -0,0 +1,7 @@
{
"name": "Xanitizer",
"creator": "RIGS IT",
"description": "Automatically scan your code for vulnerabilities and generate compliance reports with the static security analysis tool Xanitizer (SAST).",
"iconName": "xanitizer",
"categories": ["Code Scanning", "javascript", "java", "scala", "typescript", "xml", "json"]
}
+52
@@ -0,0 +1,52 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# pulled from repo
name: "Rubocop"
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
rubocop:
runs-on: ubuntu-latest
strategy:
fail-fast: false
steps:
- name: Checkout repository
uses: actions/checkout@v2
# If running on a self-hosted runner, check it meets the requirements
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
- name: Set up Ruby
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
with:
ruby-version: 2.6
# This step is not necessary if you add the gem to your Gemfile
- name: Install Code Scanning integration
run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
- name: Install dependencies
run: bundle install
- name: Rubocop run
run: |
bash -c "
bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
[[ $? -ne 2 ]]
"
- name: Upload Sarif output
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: rubocop.sarif
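Review bot: the exit-status check in the Rubocop run step does not do what it intends. Inside `bash -c "..."` the double-quoted `$?` is expanded by the outer shell before the inner bash starts, so it holds the status of whatever ran before (0 at the start of the script), and `[[ 0 -ne 2 ]]` always succeeds; the step therefore never fails, even when rubocop exits 2 for an internal error. Drop the wrapper and let `||` supply the status, e.g. `bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif || [ $? -ne 2 ]`, which fails the step only on exit status 2 while status 1 (offences found) still passes and gets uploaded. Also `ruby-version: 2.6` is an unquoted YAML float; quote it so a later bump to a 2.x.10-style version is not mangled.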
+55
@@ -0,0 +1,55 @@
name: Scorecards supply-chain security
on:
# Only the default branch is supported.
branch_protection_rule:
schedule:
- cron: $cron-weekly
push:
branches: [ $default-branch ]
# Declare default permissions as read only.
permissions: read-all
jobs:
analysis:
name: Scorecards analysis
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
actions: read
contents: read
steps:
- name: "Checkout code"
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2
with:
results_file: results.sarif
results_format: sarif
# Read-only PAT token. To create it,
# follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
# Publish the results to enable scorecard badges. For more details, see
# https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories, `publish_results` will automatically be set to `false`,
# regardless of the value entered here.
publish_results: true
# Upload the results as artifacts (optional).
- name: "Upload artifact"
uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
with:
sarif_file: results.sarif
+41
@@ -0,0 +1,41 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature
# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET
name: SecurityCodeScan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
SCS:
runs-on: windows-latest
steps:
- uses: actions/checkout@v2
- uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1
- uses: microsoft/setup-msbuild@v1.0.2
- name: Set up projects for analysis
uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d
- name: Restore dependencies
run: dotnet restore
- name: Build
run: dotnet build --no-restore
- name: Convert sarif for uploading to GitHub
uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
- name: Upload sarif
uses: github/codeql-action/upload-sarif@v1
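Review bot: the final Upload sarif step (`github/codeql-action/upload-sarif@v1`) declares no `with: sarif_file:`, so it falls back to the action's default search path; that only works if the preceding `security-code-scan-results-action` writes its output where that default expects, and nothing in the file says it does. Make the handoff explicit with a `sarif_file:` pointing at the results action's output, as every other template in this change does. The job also lacks a `permissions` block (`contents: read`, `security-events: write`).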
+48
@@ -0,0 +1,48 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow file requires a free account on Semgrep.dev to
# manage rules, file ignores, notifications, and more.
#
# See https://semgrep.dev/docs
name: Semgrep
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
semgrep:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Scan
runs-on: ubuntu-latest
steps:
# Checkout project source
- uses: actions/checkout@v2
# Scan code using project's configuration on https://semgrep.dev/manage
- uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735
with:
publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
generateSarif: "1"
# Upload SARIF file generated in previous step
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: semgrep.sarif
if: always()
+47
@@ -0,0 +1,47 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow integrates Scan with GitHub's code scanning feature
# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
# Visit https://slscan.io/en/latest/integrations/code-scan for help
name: SL Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
Scan-Build:
# Scan runs on ubuntu, mac and windows
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
# Instructions
# 1. Setup JDK, Node.js, Python etc depending on your project type
# 2. Compile or build the project before invoking scan
# Example: mvn compile, or npm install or pip install goes here
# 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
- name: Perform Scan
uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64
env:
WORKSPACE: ""
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SCAN_AUTO_BUILD: true
with:
output: reports
# Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
# type: credscan,java
# type: python
- name: Upload report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: reports
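Review bot: the Perform Scan step hands `GITHUB_TOKEN` to a third-party action (`ShiftLeftSecurity/scan-action`) through `env`, yet the workflow has no `permissions` block, so that token carries the repository's default scope; add a job-level `permissions:` limited to `contents: read` and `security-events: write` (the njsscan and Semgrep templates here show the pattern) so the token passed to the action is least-privilege. `sarif_file: reports` hands a directory to upload-sarif, which is supported, but a comment noting that every `.sarif` in `reports` is uploaded would make the behaviour explicit.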
+48
@@ -0,0 +1,48 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# A sample workflow which checks out the code, builds a container
# image using Docker and scans that image for vulnerabilities using
# Snyk. The results are then uploaded to GitHub Security Code Scanning
#
# For more examples, including how to limit scans to only high-severity
# issues, monitor images for newly disclosed vulnerabilities in Snyk and
# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/
name: Snyk Container
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
snyk:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build a Docker image
run: docker build -t your/image-to-test .
- name: Run Snyk to check Docker image for vulnerabilities
# Snyk can be used to break the build when it detects vulnerabilities.
# In this case we want to upload the issues to GitHub Code Scanning
continue-on-error: true
uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
env:
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
# or you can signup for free at https://snyk.io/login
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: your/image-to-test
args: --file=Dockerfile
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: snyk.sarif
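Review bot: `continue-on-error: true` on the Snyk step is the right way to keep the upload running when vulnerabilities are found, but it also swallows authentication failures (a missing or invalid `SNYK_TOKEN`), in which case `snyk.sarif` is never written and the upload step fails with an unrelated error; a comment pointing that out would help. The placeholder `your/image-to-test` appears in both the build and scan steps; an `env` entry used by both would keep them in sync. No `permissions` block is declared for the `security-events: write` the upload needs.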
+47
View File
@@ -0,0 +1,47 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# A sample workflow which checks out your Infrastructure as Code Configuration files,
# such as Kubernetes, Helm & Terraform and scans them for any security issues.
# The results are then uploaded to GitHub Security Code Scanning
#
# For more examples, including how to limit scans to only high-severity issues
# and fail PR checks, see https://github.com/snyk/actions/
name: Snyk Infrastructure as Code
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
snyk:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run Snyk to check configuration files for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the issues to GitHub Code Scanning
continue-on-error: true
uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4
env:
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
# or you can signup for free at https://snyk.io/login
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
# Add the path to the configuration file that you would like to test.
# For example `deployment.yaml` for a Kubernetes deployment manifest
# or `main.tf` for a Terraform configuration file
file: your-file-to-test.yaml
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: snyk.sarif
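Review bot: same `permissions` gap as the Snyk Container workflow: nothing here needs more than `contents: read` and `security-events: write`, and the template should scope the token the way the StackHawk and Trivy workflows in this diff do. The `file: your-file-to-test.yaml` placeholder also means the scan step fails (and, because of `continue-on-error: true`, the job still reports success with no SARIF uploaded) until the path is edited; the comment above it should say the workflow produces no results until that value is replaced.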
+6
View File
@@ -37,8 +37,14 @@ on:
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
stackhawk:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info
name: StackHawk
runs-on: ubuntu-20.04
steps:
+54
View File
@@ -0,0 +1,54 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Sysdig - Build, scan, push and upload sarif report
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build the Docker image
# Tag image to be built
# Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below
run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest
- name: Sysdig Secure Inline Scan
id: scan
uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163
with:
# Tag of the image to analyse.
# Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above
image-tag: ${{ github.repository }}:latest
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}}
# Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/
# US-East https://secure.sysdig.com
# US-West https://us2.app.sysdig.com
# EU https://eu1.app.sysdig.com
sysdig-secure-url: https://us2.app.sysdig.com
dockerfile-path: ./Dockerfile
input-type: docker-daemon
ignore-failed-scan: true
# Sysdig inline scanner requires privileged rights
run-as-user: root
- uses: github/codeql-action/upload-sarif@v1
#Upload SARIF file
if: always()
with:
sarif_file: ${{ steps.scan.outputs.sarifReport }}
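Review bot: `docker build . --file Dockerfile --tag ${{ github.repository }}:latest` and the matching `image-tag: ${{ github.repository }}:latest` break for any repository whose owner or name contains uppercase letters, because Docker rejects uppercase characters in a repository name; the Azure workflow later in this diff lowercases the name first with `echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}` and the same step belongs here. The file also has no `permissions` block, unlike the StackHawk and Trivy workflows in this diff, although the `upload-sarif` step needs `security-events: write`; and since `ignore-failed-scan: true` together with `if: always()` means findings never fail the job, the header comment should state that the workflow is report-only.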
+47
View File
@@ -0,0 +1,47 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: build
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
build:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Build
runs-on: "ubuntu-18.04"
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results.sarif'
+51
View File
@@ -0,0 +1,51 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert
name: Veracode Static Analysis Pipeline Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
build-and-pipeline-scan:
# The type of runner that the job will run on
runs-on: ubuntu-latest
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps
- uses: actions/checkout@v2
with:
repository: ''
- run: zip -r veracode-scan-target.zip ./
# download the Veracode Static Analysis Pipeline scan jar
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- run: unzip -o pipeline-scan-LATEST.zip
- uses: actions/setup-java@v1
with:
java-version: 1.8
- run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip
continue-on-error: true
- name: Convert pipeline scan output to SARIF format
id: convert
uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
with:
pipeline-results-json: results.json
- uses: github/codeql-action/upload-sarif@v1
with:
# Path to SARIF file relative to the root of the repository
sarif_file: veracode-results.sarif
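Review bot: the step `curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip` fetches an unversioned archive, and the following steps `unzip -o` it and execute it with `java -jar pipeline-scan.jar` with no checksum or signature check, so every run trusts whatever that URL serves at the time; every other third-party component in this diff is pinned to a commit SHA, and this step should at least download a versioned archive and verify its hash before running it. Two smaller points: `with: repository: ''` on `actions/checkout@v2` is an empty value that should be filled in or removed, and `zip -r veracode-scan-target.zip ./` packs the whole workspace including `.git` into the scan target, so an exclusion for `.git` would shrink the upload.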
+92
View File
@@ -0,0 +1,92 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it,
# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository.
#
# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action
#
# To use this basic workflow, you will need to complete the following setup steps:
#
# 1. The underlying Xanitizer, used in this workflow, needs a separate license file.
# Licenses are free of charge for open source projects and for educational usage.
# To get more information about the Xanitizer licenses and how to obtain a license file,
# please consult https://www.xanitizer.com/xanitizer-pricing/.
#
# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository.
# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details.
#
# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action.
# Example:
# - name: Xanitizer Security Analysis
# uses: RIGS-IT/xanitizer-action@v1
# with:
# license: ${{ secrets.XANITIZER_LICENSE }}
#
# 4. As a static application security testing (SAST) tool,
# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully.
# So you have to install all used libraries and build your project before running the security analysis,
# e.g. via `mvn compile` for Java or `npm install` for JavaScript
name: "Xanitizer Security Analysis"
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
workflow_dispatch:
jobs:
xanitizer-security-analysis:
# Xanitizer runs on ubuntu-latest and windows-latest.
runs-on: ubuntu-latest
steps:
# Check out the repository
- name: Checkout
uses: actions/checkout@v2
# Set up the correct Java version for your project
# Please comment out, if your project does not contain Java source code.
- name: Set up JDK 11
uses: actions/setup-java@v1
with:
java-version: 11
# Compile the code for Java projects and get all libraries, e.g. via Maven
# Please adapt, if your project uses another build system to compile Java source code.
# Please comment out, if your project does not contain Java source code.
- name: Compile Java code
run: mvn -B compile
# Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm
# Please adapt to run `npm install` in the correct directories.
# Please adapt, if your project uses another package manager for getting JavaScript libraries.
# Please comment out, if your project does not use a package manager for getting JavaScript libraries.
- name: Install JavaScript libraries
run: npm install
# Run the security analysis with default settings
- name: Xanitizer Security Analysis
uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316
with:
license: ${{ secrets.XANITIZER_LICENSE }}
# Archiving the findings list reports
- uses: actions/upload-artifact@v2
with:
name: Xanitizer-Reports
path: |
*-Findings-List.pdf
*-Findings-List.sarif
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
- uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: Xanitizer-Findings-List.sarif
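Review bot: the `actions/upload-artifact@v2` step publishes `*-Findings-List.pdf` and `*-Findings-List.sarif` as a workflow artifact, which makes the complete vulnerability findings downloadable by anyone with read access to the repository's workflow runs rather than only visible in the code scanning alerts UI; the comment should say so, or the archiving step should be left commented out by default. Separately, `mvn -B compile` and `npm install` run unconditionally and will fail the job on a repository that lacks a `pom.xml` or `package.json`; the comments tell the user to comment them out, but an `if` check on the file's existence would make the template usable as-is. Like the other uncertified-action templates in this diff, the file also has no `permissions` block.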
+4 -3
View File
@@ -1,5 +1,5 @@
# This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR),
# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when a release is created.
# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when there is a push to the $default-branch branch.
#
# To use this workflow, you will need to complete the following set-up steps:
#
@@ -20,8 +20,9 @@
name: Build and Deploy to ACK
on:
release:
types: [created]
push:
branches:
- $default-branch
# Environment variables available to all jobs and steps in this workflow.
env:
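Review bot: replacing `release: types: [created]` with `push: branches: - $default-branch` means every merge to the default branch now deploys straight to ACK with no release step in between; that is a gating change, not a cosmetic one, and should be called out in the commit message. If the intent is continuous deployment, the template should rely on a named `environment` (as the Azure workflow in this diff does) so that repository administrators can attach required reviewers or other protection rules to the deploy job.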
+27 -16
View File
@@ -1,34 +1,46 @@
# This workflow will build and push a new container image to Amazon ECR,
# and then will deploy a new task definition to Amazon ECS, when a release is created
# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch.
#
# To use this workflow, you will need to complete the following set-up steps:
#
# 1. Create an ECR repository to store your images.
# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`.
# Replace the value of `ECR_REPOSITORY` in the workflow below with your repository's name.
# Replace the value of `aws-region` in the workflow below with your repository's region.
# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name.
# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region.
#
# 2. Create an ECS task definition, an ECS cluster, and an ECS service.
# For example, follow the Getting Started guide on the ECS console:
# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun
# Replace the values for `service` and `cluster` in the workflow below with your service and cluster names.
# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service.
# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster.
#
# 3. Store your ECS task definition as a JSON file in your repository.
# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`.
# Replace the value of `task-definition` in the workflow below with your JSON file's name.
# Replace the value of `container-name` in the workflow below with the name of the container
# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file.
# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container
# in the `containerDefinitions` section of the task definition.
#
# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
# See the documentation for each action used below for the recommended IAM policies for this IAM user,
# and best practices on handling the access key credentials.
on:
release:
types: [created]
name: Deploy to Amazon ECS
on:
push:
branches:
- $default-branch
env:
AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1
ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name
ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name
ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name
ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition
# file, e.g. .aws/task-definition.json
CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the
# containerDefinitions section of your task definition
jobs:
deploy:
name: Deploy
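Review bot: same trigger change as in the ACK workflow (release created replaced by push to `$default-branch`), with the same concern about losing the release gate. On the new `env` block, placeholder values such as `AWS_REGION: MY_AWS_REGION` flow unmodified into `aws-region: ${{ env.AWS_REGION }}`, so a user who enables the workflow without editing them gets a failure from the first AWS step with a message about an invalid region rather than a clear hint; a short comment at the top of the block listing the six variables that must be replaced would help. The numbered setup comments were updated consistently to name the environment variables, which is good.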
@@ -44,7 +56,7 @@ jobs:
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-2
aws-region: ${{ env.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
@@ -54,7 +66,6 @@ jobs:
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: my-ecr-repo
IMAGE_TAG: ${{ github.sha }}
run: |
# Build a docker container and
@@ -68,14 +79,14 @@ jobs:
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: task-definition.json
container-name: sample-app
task-definition: ${{ env.ECS_TASK_DEFINITION }}
container-name: ${{ env.CONTAINER_NAME }}
image: ${{ steps.build-image.outputs.image }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@v1
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: sample-app-service
cluster: default
service: ${{ env.ECS_SERVICE }}
cluster: ${{ env.ECS_CLUSTER }}
wait-for-service-stability: true
+82
View File
@@ -0,0 +1,82 @@
# This workflow will build and push a Docker container to an Azure Web App when a commit is pushed to your default branch.
#
# This workflow assumes you have already created the target Azure App Service web app.
# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-custom-container?tabs=dotnet&pivots=container-linux
#
# To configure this workflow:
#
# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal.
# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials
#
# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
#
# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions.
#
# 4. Create three app settings on your Azure Web app:
# DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io"
# DOCKER_REGISTRY_SERVER_USERNAME: Set this to the GitHub username or organization that owns the repository
# DOCKER_REGISTRY_SERVER_PASSWORD: Set this to the value of your PAT token from the previous step
#
# 5. Change the value for the AZURE_WEBAPP_NAME.
#
# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions
# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples
name: Build and deploy a container to an Azure Web App
env:
AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
on:
push:
branches:
- $default-branch
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Log in to GitHub container registry
uses: docker/login-action@v1.10.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Lowercase the repo name and username
run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
- name: Build and push container image to registry
uses: docker/build-push-action@v2
with:
push: true
tags: ghcr.io/${{ env.REPO }}:${{ github.sha }}
file: ./Dockerfile
deploy:
runs-on: ubuntu-latest
needs: build
environment:
name: 'Development'
url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
steps:
- name: Lowercase the repo name and username
run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
- name: Deploy to Azure Web App
id: deploy-to-webapp
uses: azure/webapps-deploy@v2
with:
app-name: ${{ env.AZURE_WEBAPP_NAME }}
publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}'
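Review bot: the `build` job logs in to ghcr.io with `password: ${{ github.token }}` and pushes via `docker/build-push-action@v2`, but the workflow declares no `permissions` block, so on repositories or organizations whose default GITHUB_TOKEN permissions are restricted to read-only the push fails with a permission error; add `permissions: contents: read` and `packages: write` to the build job (the `deploy` job needs neither, since it only reads the publish profile secret). The setup comment in step 3 also asks for a PAT with the `repo` scope in addition to `read:packages` for a Web App that only pulls the image; if `repo` is genuinely required the comment should say why, otherwise the narrower token is preferable. Minor: `docker/login-action@v1.10.0` is pinned to a tag while the scanning workflows in this diff pin third-party actions by commit SHA.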
