Compare commits
119 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 200b0c34b1 | |||
| 0debae5ec7 | |||
| 52edf1b580 | |||
| da223f8a03 | |||
| f61ca9907b | |||
| 56c93ff752 | |||
| 1d8891efc2 | |||
| 93ee3d86f6 | |||
| 97d8c1c765 | |||
| 1b52eb3e6f | |||
| 216dc929eb | |||
| ef1ebb2538 | |||
| 440e8daf05 | |||
| 0f5b68ee4f | |||
| d9dc2c2f72 | |||
| 83bdb0fcd6 | |||
| ed8c87df74 | |||
| 09b078fd76 | |||
| 4a9a12a099 | |||
| 3a3f99717d | |||
| 281a35c5ef | |||
| dcdce00205 | |||
| 8a8c5b274c | |||
| 149db50d43 | |||
| c3de16f318 | |||
| 40f0709bd6 | |||
| 9fccb15dc6 | |||
| bafed29a86 | |||
| 042eac3858 | |||
| e3fc80f30e | |||
| c765d6316f | |||
| e6620ddc5b | |||
| 6e44c89176 | |||
| ffef54a02c | |||
| 700743e332 | |||
| a857e4e5a6 | |||
| 6b14bf21cb | |||
| ad91ff259d | |||
| 2e38bc8da2 | |||
| 5b659e82b4 | |||
| 764ebceaf5 | |||
| 122f83ece7 | |||
| 6a1dba2d71 | |||
| a95943d406 | |||
| d07ff38b96 | |||
| 3c200bdb21 | |||
| b258b33234 | |||
| c342a0c6e3 | |||
| b55a65157e | |||
| b7d9f15826 | |||
| 2a1abda503 | |||
| 85d2a866f0 | |||
| 5d273fbcb3 | |||
| d4dccf0b1e | |||
| c705225b8f | |||
| 596b345944 | |||
| 7b9e3b6858 | |||
| 13f632a90b | |||
| 65fef9614f | |||
| 02d91c6ccf | |||
| 6b053712be | |||
| 8c91a4c02f | |||
| 15daabeaa4 | |||
| 4087ed4594 | |||
| 7f30309cce | |||
| f0b8c8ad72 | |||
| 70655750b2 | |||
| cb6678504a | |||
| fd79bd4838 | |||
| b5a43f8049 | |||
| 9426610033 | |||
| b58a4e21c6 | |||
| 4a9a1680df | |||
| 5a1343bb22 | |||
| 97de22b47c | |||
| 835899e531 | |||
| 55f65bcc15 | |||
| 9b4fcbf911 | |||
| 7d41cdb581 | |||
| e4091f2f55 | |||
| 38d4e3bfd2 | |||
| 6dfa11d0c4 | |||
| 45ae2e08fc | |||
| 5e116cb9e8 | |||
| c36ea2c560 | |||
| 59daabb07b | |||
| 9095e7c9d5 | |||
| 1cb322141e | |||
| df5ac56102 | |||
| dda42cb8f2 | |||
| 3175118151 | |||
| 238e55b9b4 | |||
| 149cf11287 | |||
| 48e2865d35 | |||
| 30715e86a4 | |||
| ddf7fe1e94 | |||
| 6d89fb8045 | |||
| 028df69d88 | |||
| 99fae1ecb1 | |||
| b671ee6c7b | |||
| b33f57dde1 | |||
| 84a9757692 | |||
| 29e8b6c38a | |||
| c2cc54a69e | |||
| 7aa1944311 | |||
| e6aff964db | |||
| ff4d33e44b | |||
| 41e3bc11ea | |||
| 79ff92ef6d | |||
| e9f0116056 | |||
| 237e7737ce | |||
| fc748cc482 | |||
| 7b64f44165 | |||
| ac64f9caf5 | |||
| ea5c3f66f6 | |||
| 108dfef5d2 | |||
| 98bde3b31e | |||
| 188b52b51c | |||
| 69184c7484 |
@@ -5,6 +5,8 @@ on:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
issues: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Close Issue
|
||||
|
||||
@@ -5,6 +5,8 @@ on:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
issues: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Close Issue
|
||||
|
||||
@@ -7,6 +7,9 @@ on:
|
||||
jobs:
|
||||
stale:
|
||||
|
||||
permissions:
|
||||
issues: write
|
||||
pull-requests: write
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
||||
@@ -7,6 +7,8 @@ on:
|
||||
|
||||
jobs:
|
||||
sync:
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
@@ -6,6 +6,8 @@ on:
|
||||
|
||||
jobs:
|
||||
validate-data:
|
||||
permissions:
|
||||
contents: read
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
@@ -12,7 +12,8 @@ These are the workflow files for helping people get started with GitHub Actions.
|
||||
|
||||
### Directory structure
|
||||
|
||||
* [ci](ci): solutions for Continuous Integration and Deployments
|
||||
* [ci](ci): solutions for Continuous Integration workflows.
|
||||
* [deployments](deployments): solutions for Deployment workflows.
|
||||
* [automation](automation): solutions for automating workflows.
|
||||
* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security)
|
||||
* [icons](icons): svg icons for the relevant template
|
||||
@@ -44,5 +45,5 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`.
|
||||
These variables can be placed in the starter workflow and will be substituted as detailed below:
|
||||
|
||||
* `$default-branch`: will substitute the branch from the repository, for example `main` and `master`
|
||||
* `$protected-branches`: will substitue any protected branches from the repository.
|
||||
* `$protected-branches`: will substitute any protected branches from the repository
|
||||
* `$cron-daily`: will substitute a valid but random time within the day
|
||||
|
||||
@@ -1,3 +1,8 @@
|
||||
# This workflow warns and then closes issues and PRs that have had no activity for a specified amount of time.
|
||||
#
|
||||
# You can adjust the behavior by modifying this file.
|
||||
# For more information, see:
|
||||
# https://github.com/actions/stale
|
||||
name: Mark stale issues and pull requests
|
||||
|
||||
on:
|
||||
|
||||
@@ -107,7 +107,7 @@ jobs:
|
||||
- name: Remove the pfx
|
||||
run: Remove-Item -path $env:Wap_Project_Directory\$env:Signing_Certificate
|
||||
|
||||
# Upload the MSIX package: https://github.com/marketplace/actions/upload-artifact
|
||||
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
|
||||
- name: Upload build artifacts
|
||||
uses: actions/upload-artifact@v2
|
||||
with:
|
||||
|
||||
+3
-3
@@ -15,10 +15,10 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Set up Elixir
|
||||
uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24
|
||||
uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
|
||||
with:
|
||||
elixir-version: '1.10.3' # Define the elixir version [required]
|
||||
otp-version: '22.3' # Define the OTP version [required]
|
||||
elixir-version: '1.12.3' # Define the elixir version [required]
|
||||
otp-version: '24.1' # Define the OTP version [required]
|
||||
- name: Restore dependencies cache
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
|
||||
@@ -0,0 +1,27 @@
|
||||
name: Makefile CI
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
|
||||
jobs:
|
||||
build:
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
- name: configure
|
||||
run: ./configure
|
||||
|
||||
- name: Install dependencies
|
||||
run: make
|
||||
|
||||
- name: Run check
|
||||
run: make check
|
||||
|
||||
- name: Run distcheck
|
||||
run: make distcheck
|
||||
@@ -0,0 +1,30 @@
|
||||
name: Xcode - Build and Analyze
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and analyse default scheme using xcodebuild command
|
||||
runs-on: macos-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
- name: Set Default Scheme
|
||||
run: |
|
||||
scheme_list=$(xcodebuild -list -json | tr -d "\n")
|
||||
default=$(echo $scheme_list | ruby -e "require 'json'; puts JSON.parse(STDIN.gets)['project']['targets'][0]")
|
||||
echo $default | cat >default
|
||||
echo Using default scheme: $default
|
||||
- name: Build
|
||||
env:
|
||||
scheme: ${{ 'default' }}
|
||||
run: |
|
||||
if [ $scheme = default ]; then scheme=$(cat default); fi
|
||||
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
|
||||
file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
|
||||
xcodebuild clean build analyze -scheme "$scheme" -"$filetype_parameter" "$file_to_build" | xcpretty && exit ${PIPESTATUS[0]}
|
||||
@@ -1,180 +0,0 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
### The OpenShift Starter workflow will:
|
||||
# - Checkout your repository
|
||||
# - Perform a Docker build
|
||||
# - Push the built image to an image registry
|
||||
# - Log in to your OpenShift cluster
|
||||
# - Create an OpenShift app from the image and expose it to the internet.
|
||||
|
||||
### Before you begin:
|
||||
# - Have write access to a container image registry such as quay.io or Dockerhub.
|
||||
# - Have access to an OpenShift cluster.
|
||||
# - For instructions to get started with OpenShift see https://www.openshift.com/try
|
||||
# - The project you wish to add this workflow to should have a Dockerfile.
|
||||
# - If you don't have a Dockerfile at the repository root, see the buildah-build step.
|
||||
# - Builds from scratch are also available, but require more configuration.
|
||||
|
||||
### To get the workflow running:
|
||||
# 1. Add this workflow to your repository.
|
||||
# 2. Edit the top-level 'env' section, which contains a list of environment variables that must be configured.
|
||||
# 3. Create the secrets referenced in the 'env' section under your repository Settings.
|
||||
# 4. Edit the 'branches' in the 'on' section to trigger the workflow on a push to your branch.
|
||||
# 5. Commit and push your changes.
|
||||
|
||||
# For a more sophisticated example, see https://github.com/redhat-actions/spring-petclinic/blob/main/.github/workflows/petclinic-sample.yaml
|
||||
# Also see our GitHub organization, https://github.com/redhat-actions/
|
||||
# ▶️ See a video of how to set up this workflow at https://www.youtube.com/watch?v=6hgBO-1pKho
|
||||
|
||||
name: OpenShift
|
||||
|
||||
# ⬇️ Modify the fields marked with ⬇️ to fit your project, and create any secrets that are referenced.
|
||||
# https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets
|
||||
env:
|
||||
# ⬇️ EDIT with your registry and registry path.
|
||||
REGISTRY: quay.io/<username>
|
||||
# ⬇️ EDIT with your registry username.
|
||||
REGISTRY_USER: <username>
|
||||
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
|
||||
|
||||
# ⬇️ EDIT to log into your OpenShift cluster and set up the context.
|
||||
# See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
|
||||
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
|
||||
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
|
||||
|
||||
# ⬇️ EDIT with any additional port your application should expose.
|
||||
# By default, oc new-app action creates a service to the image's lowest numeric exposed port.
|
||||
APP_PORT: ""
|
||||
|
||||
# ⬇️ EDIT if you wish to set the kube context's namespace after login. Leave blank to use the default namespace.
|
||||
OPENSHIFT_NAMESPACE: ""
|
||||
|
||||
# If you wish to manually provide the APP_NAME and TAG, set them here, otherwise they will be auto-detected.
|
||||
APP_NAME: ""
|
||||
TAG: ""
|
||||
|
||||
on:
|
||||
# https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows
|
||||
push:
|
||||
# Edit to the branch(es) you want to build and deploy on each push.
|
||||
branches: [ $default-branch ]
|
||||
|
||||
jobs:
|
||||
openshift-ci-cd:
|
||||
name: Build and deploy to OpenShift
|
||||
runs-on: ubuntu-18.04
|
||||
environment: production
|
||||
|
||||
outputs:
|
||||
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
|
||||
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
|
||||
|
||||
steps:
|
||||
- name: Check if secrets exists
|
||||
uses: actions/github-script@v3
|
||||
with:
|
||||
script: |
|
||||
const secrets = {
|
||||
REGISTRY_PASSWORD: `${{ secrets.REGISTRY_PASSWORD }}`,
|
||||
OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
|
||||
OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
|
||||
};
|
||||
|
||||
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
|
||||
if (value.length === 0) {
|
||||
core.warning(`Secret "${name}" is not set`);
|
||||
return true;
|
||||
}
|
||||
core.info(`✔️ Secret "${name}" is set`);
|
||||
return false;
|
||||
|
||||
});
|
||||
|
||||
if (missingSecrets.length > 0) {
|
||||
core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
|
||||
"You can add it using:\n" +
|
||||
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
|
||||
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
|
||||
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
|
||||
}
|
||||
else {
|
||||
core.info(`✅ All the required secrets are set`);
|
||||
}
|
||||
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
- name: Determine app name
|
||||
if: env.APP_NAME == ''
|
||||
run: |
|
||||
echo "APP_NAME=$(basename $PWD)" | tee -a $GITHUB_ENV
|
||||
|
||||
- name: Determine tag
|
||||
if: env.TAG == ''
|
||||
run: |
|
||||
echo "TAG=${GITHUB_SHA::7}" | tee -a $GITHUB_ENV
|
||||
|
||||
# https://github.com/redhat-actions/buildah-build#readme
|
||||
- name: Build from Dockerfile
|
||||
id: image-build
|
||||
uses: redhat-actions/buildah-build@v2
|
||||
with:
|
||||
image: ${{ env.APP_NAME }}
|
||||
tags: ${{ env.TAG }}
|
||||
# If you don't have a dockerfile, see:
|
||||
# https://github.com/redhat-actions/buildah-build#scratch-build-inputs
|
||||
# Otherwise, point this to your Dockerfile relative to the repository root.
|
||||
dockerfiles: |
|
||||
./Dockerfile
|
||||
|
||||
# https://github.com/redhat-actions/push-to-registry#readme
|
||||
- name: Push to registry
|
||||
id: push-to-registry
|
||||
uses: redhat-actions/push-to-registry@v2
|
||||
with:
|
||||
image: ${{ steps.image-build.outputs.image }}
|
||||
tags: ${{ steps.image-build.outputs.tags }}
|
||||
registry: ${{ env.REGISTRY }}
|
||||
username: ${{ env.REGISTRY_USER }}
|
||||
password: ${{ env.REGISTRY_PASSWORD }}
|
||||
|
||||
# The path the image was pushed to is now stored in ${{ steps.push-to-registry.outputs.registry-path }}
|
||||
|
||||
# oc-login works on all platforms, but oc must be installed first.
|
||||
# The GitHub Ubuntu runner already includes oc.
|
||||
# Otherwise, https://github.com/redhat-actions/openshift-tools-installer can be used to install oc,
|
||||
# as well as many other tools.
|
||||
|
||||
# https://github.com/redhat-actions/oc-login#readme
|
||||
- name: Log in to OpenShift
|
||||
uses: redhat-actions/oc-login@v1
|
||||
with:
|
||||
openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
|
||||
openshift_token: ${{ env.OPENSHIFT_TOKEN }}
|
||||
insecure_skip_tls_verify: true
|
||||
namespace: ${{ env.OPENSHIFT_NAMESPACE }}
|
||||
|
||||
# This step should create a deployment, service, and route to run your app and expose it to the internet.
|
||||
# https://github.com/redhat-actions/oc-new-app#readme
|
||||
- name: Create and expose app
|
||||
id: deploy-and-expose
|
||||
uses: redhat-actions/oc-new-app@v1
|
||||
with:
|
||||
app_name: ${{ env.APP_NAME }}
|
||||
image: ${{ steps.push-to-registry.outputs.registry-path }}
|
||||
namespace: ${{ env.OPENSHIFT_NAMESPACE }}
|
||||
port: ${{ env.APP_PORT }}
|
||||
|
||||
- name: View application route
|
||||
run: |
|
||||
[[ -n ${{ env.ROUTE }} ]] || (echo "Determining application route failed in previous step"; exit 1)
|
||||
echo "======================== Your application is available at: ========================"
|
||||
echo ${{ env.ROUTE }}
|
||||
echo "==================================================================================="
|
||||
echo
|
||||
echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\""
|
||||
env:
|
||||
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
|
||||
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
|
||||
@@ -2,5 +2,5 @@
|
||||
"name": "D",
|
||||
"description": "Build and test a D project with dub.",
|
||||
"iconName": "d",
|
||||
"categories": ["Continuous integration", "D" ]
|
||||
"categories": ["Continuous integration", "D"]
|
||||
}
|
||||
|
||||
@@ -2,5 +2,5 @@
|
||||
"name": ".NET",
|
||||
"description": "Build and test a .NET or ASP.NET Core project.",
|
||||
"iconName": "dotnet",
|
||||
"categories": ["Continuous integration", "C#", "F#", "Visual Basic", "ASP", "ASP.NET", ".NET"]
|
||||
"categories": ["Continuous integration", "C#", "F#", "Visual Basic", "ASP", "ASP.NET", ".NET", "AspNetCore", "DotNetConsole"]
|
||||
}
|
||||
|
||||
@@ -2,5 +2,5 @@
|
||||
"name": "Publish Java Package with Gradle",
|
||||
"description": "Build a Java Package using Gradle and publish to GitHub Packages.",
|
||||
"iconName": "gradle",
|
||||
"categories": ["Continuous integration", "Java", "Gradle"]
|
||||
"categories": ["Continuous integration", "Java", "Gradle", "Spring", "JSF"]
|
||||
}
|
||||
@@ -2,5 +2,5 @@
|
||||
"name": "Java with Gradle",
|
||||
"description": "Build and test a Java project using a Gradle wrapper script.",
|
||||
"iconName": "gradle",
|
||||
"categories": ["Continuous integration", "Java", "Gradle"]
|
||||
"categories": ["Continuous integration", "Java", "Gradle", "Spring", "JSF"]
|
||||
}
|
||||
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"name": "Build projects with Make",
|
||||
"description": "Build and test a project using Make.",
|
||||
"iconName": "makefile",
|
||||
"categories": ["Continuous integration", "Makefile"]
|
||||
}
|
||||
@@ -2,5 +2,5 @@
|
||||
"name": "Publish Java Package with Maven",
|
||||
"description": "Build a Java Package using Maven and publish to GitHub Packages.",
|
||||
"iconName": "maven",
|
||||
"categories": ["Continuous integration", "Java", "Maven"]
|
||||
"categories": ["Continuous integration", "Java", "Maven", "Spring", "JSF"]
|
||||
}
|
||||
@@ -2,5 +2,5 @@
|
||||
"name": "Java with Maven",
|
||||
"description": "Build and test a Java project with Apache Maven.",
|
||||
"iconName": "maven",
|
||||
"categories": ["Continuous integration", "Java", "Maven"]
|
||||
"categories": ["Continuous integration", "Java", "Maven", "Spring", "JSF"]
|
||||
}
|
||||
|
||||
@@ -2,5 +2,5 @@
|
||||
"name": "Node.js",
|
||||
"description": "Build and test a Node.js project with npm.",
|
||||
"iconName": "nodejs",
|
||||
"categories": ["Continuous integration", "JavaScript", "npm"]
|
||||
"categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"]
|
||||
}
|
||||
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"name": "Xcode - Build and Analyze",
|
||||
"description": "Build Xcode project using xcodebuild",
|
||||
"iconName": "xcode",
|
||||
"categories": ["Continuous integration", "Xcode", "Objective-C"]
|
||||
}
|
||||
@@ -2,5 +2,5 @@
|
||||
"name": "Pylint",
|
||||
"description": "Lint a Python application with pylint.",
|
||||
"iconName": "python",
|
||||
"categories": ["Continuous integration", "Python"]
|
||||
"categories": ["Continuous integration", "Python", "Bottle", "Flask"]
|
||||
}
|
||||
|
||||
@@ -2,5 +2,5 @@
|
||||
"name": "Python application",
|
||||
"description": "Create and test a Python application.",
|
||||
"iconName": "python",
|
||||
"categories": ["Continuous integration", "Python"]
|
||||
"categories": ["Continuous integration", "Python", "Bottle", "Flask"]
|
||||
}
|
||||
|
||||
@@ -2,5 +2,5 @@
|
||||
"name": "Python package",
|
||||
"description": "Create and test a Python package on multiple Python versions.",
|
||||
"iconName": "python",
|
||||
"categories": ["Continuous integration", "Python"]
|
||||
"categories": ["Continuous integration", "Python", "Bottle", "Flask"]
|
||||
}
|
||||
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"name": "Rails - Install Dependencies and Run Linters",
|
||||
"description": "Install dependencies and run linters on Rails application",
|
||||
"iconName": "ruby",
|
||||
"categories": ["Continuous integration", "Ruby", "Rails"]
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"name": "Super Linter - Run Linters for several languages",
|
||||
"description": "Run linters for several languages on your code base for changed files",
|
||||
"iconName": "octicon check-circle",
|
||||
"categories": ["Continuous integration", "code-quality", "code-review"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"name": "Symfony",
|
||||
"description": "Test a Symfony project.",
|
||||
"iconName": "php",
|
||||
"categories": [
|
||||
"Continuous integration",
|
||||
"PHP",
|
||||
"Symfony"
|
||||
]
|
||||
}
|
||||
+5
-4
@@ -4,15 +4,16 @@ on: [push]
|
||||
|
||||
jobs:
|
||||
build:
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
python-version: ["3.8", "3.9", "3.10"]
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Set up Python 3.9
|
||||
- name: Set up Python ${{ matrix.python-version }}
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.9
|
||||
python-version: ${{ matrix.python-version }}
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
|
||||
+2
-2
@@ -16,10 +16,10 @@ jobs:
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Set up Python 3.9
|
||||
- name: Set up Python 3.10
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.9
|
||||
python-version: "3.10"
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
|
||||
@@ -10,10 +10,10 @@ jobs:
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Set up Python 3.8
|
||||
- name: Set up Python 3.10
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.8
|
||||
python-version: 3.10
|
||||
- name: Add conda to system path
|
||||
run: |
|
||||
# $CONDA is an environment variable pointing to the root of the miniconda directory
|
||||
|
||||
@@ -16,7 +16,7 @@ jobs:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
python-version: [3.7, 3.8, 3.9]
|
||||
python-version: ["3.8", "3.9", "3.10"]
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
@@ -19,12 +19,12 @@ jobs:
|
||||
runs-on: macos-latest
|
||||
strategy:
|
||||
matrix:
|
||||
r-version: [3.5, 3.6]
|
||||
r-version: ['3.6.3', '4.1.1']
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Set up R ${{ matrix.r-version }}
|
||||
uses: r-lib/actions/setup-r@ffe45a39586f073cc2e9af79c4ba563b657dc6e3
|
||||
uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a
|
||||
with:
|
||||
r-version: ${{ matrix.r-version }}
|
||||
- name: Install dependencies
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
# This workflow will download a prebuilt Ruby version, install dependencies, and run linters
|
||||
name: Rails - Install dependencies and run linters
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
jobs:
|
||||
run-lint:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Setup Ruby and install gems
|
||||
uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
|
||||
with:
|
||||
bundler-cache: true
|
||||
# Add or Replace any other security checks here
|
||||
- name: Run security checks
|
||||
run: |
|
||||
bin/bundler-audit --update
|
||||
bin/brakeman -q -w2
|
||||
# Add or Replace any other Linters here
|
||||
- name: Run linters
|
||||
run: |
|
||||
bin/rubocop --parallel
|
||||
@@ -0,0 +1,29 @@
|
||||
# This workflow executes several linters on changed files based on languages used in your code base whenever
|
||||
# you push a code or open a pull request.
|
||||
#
|
||||
# You can adjust the behavior by modifying this file.
|
||||
# For more information, see:
|
||||
# https://github.com/github/super-linter
|
||||
name: Lint Code Base
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
jobs:
|
||||
run-lint:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
# Full git history is needed to get a proper list of changed files within `super-linter`
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Lint Code Base
|
||||
uses: github/super-linter@v4
|
||||
env:
|
||||
VALIDATE_ALL_CODEBASE: false
|
||||
DEFAULT_BRANCH: $default-branch
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
@@ -0,0 +1,39 @@
|
||||
name: Symfony
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
|
||||
jobs:
|
||||
symfony-tests:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# To automatically get bug fixes and new Php versions for shivammathur/setup-php,
|
||||
# change this to (see https://github.com/shivammathur/setup-php#bookmark-versioning):
|
||||
# uses: shivammathur/setup-php@v2
|
||||
- uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28
|
||||
with:
|
||||
php-version: '8.0'
|
||||
- uses: actions/checkout@v2
|
||||
- name: Copy .env.test.local
|
||||
run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');"
|
||||
- name: Cache Composer packages
|
||||
id: composer-cache
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: vendor
|
||||
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
|
||||
restore-keys: |
|
||||
${{ runner.os }}-php-
|
||||
- name: Install Dependencies
|
||||
run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist
|
||||
- name: Create Database
|
||||
run: |
|
||||
mkdir -p data
|
||||
touch data/database.sqlite
|
||||
- name: Execute tests (Unit and Feature tests) via PHPUnit
|
||||
env:
|
||||
DATABASE_URL: sqlite:///%kernel.project_dir%/data/database.sqlite
|
||||
run: vendor/bin/phpunit
|
||||
@@ -0,0 +1,39 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow checks out code, builds an image, performs a container image
|
||||
# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
|
||||
# code scanning feature. For more information on the Anchore scan action usage
|
||||
# and parameters, see https://github.com/anchore/scan-action. For more
|
||||
# information on Anchore's container image scanning tool Grype, see
|
||||
# https://github.com/anchore/grype
|
||||
name: Anchore Container Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
Anchore-Build-Scan:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout the code
|
||||
uses: actions/checkout@v2
|
||||
- name: Build the Docker image
|
||||
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
|
||||
- name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
|
||||
uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
|
||||
with:
|
||||
image: "localbuild/testimage:latest"
|
||||
acs-report-enable: true
|
||||
- name: Upload Anchore Scan Report
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
@@ -0,0 +1,51 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow integrates Brakeman with GitHub's Code Scanning feature
|
||||
# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
|
||||
|
||||
name: Brakeman Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
brakeman-scan:
|
||||
name: Brakeman Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checkout the repository to the GitHub Actions runner
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# Customize the ruby version depending on your needs
|
||||
- name: Setup Ruby
|
||||
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
|
||||
with:
|
||||
ruby-version: '2.7'
|
||||
|
||||
- name: Setup Brakeman
|
||||
env:
|
||||
BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
|
||||
run: |
|
||||
gem install brakeman --version $BRAKEMAN_VERSION
|
||||
|
||||
# Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
|
||||
- name: Scan
|
||||
continue-on-error: true
|
||||
run: |
|
||||
brakeman -f sarif -o output.sarif.json .
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: output.sarif.json
|
||||
@@ -0,0 +1,44 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action
|
||||
|
||||
name: CxFlow
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action
|
||||
jobs:
|
||||
# This workflow contains a single job called "build"
|
||||
build:
|
||||
# The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
|
||||
steps:
|
||||
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
|
||||
- uses: actions/checkout@v2
|
||||
# Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
|
||||
- name: Checkmarx CxFlow Action
|
||||
uses: checkmarx-ts/checkmarx-cxflow-github-action@04e6403dbbfee0fd3fb076e5791202c31c54fe6b
|
||||
with:
|
||||
project: GithubActionTest
|
||||
team: '\CxServer\SP\Checkmarx'
|
||||
checkmarx_url: ${{ secrets.CHECKMARX_URL }}
|
||||
checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
|
||||
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
|
||||
checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
|
||||
# Upload the Report for CodeQL/Security Alerts
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: cx.sarif
|
||||
@@ -0,0 +1,58 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
name: Cloudrail
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
cloudrail:
|
||||
name: Run Indeni Cloudrail on Terraform code with SARIF output
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
steps:
|
||||
- name: Clone repo
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# For Terraform, Cloudrail requires the plan as input. So we generate it using
|
||||
# the Terraform core binary.
|
||||
- uses: hashicorp/setup-terraform@v1
|
||||
with:
|
||||
terraform_version: v0.13.2
|
||||
|
||||
- run: terraform init
|
||||
|
||||
- run: terraform plan -out=plan.out
|
||||
env:
|
||||
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
||||
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
||||
|
||||
# Confirm we have the plan file
|
||||
- run: stat plan.out
|
||||
|
||||
- name: Run Cloudrail
|
||||
uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622
|
||||
with:
|
||||
tf-plan-file: plan.out # This was created in a "terraform plan" step
|
||||
cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app
|
||||
cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
|
||||
# is needed to ensure the SARIF file is uploaded
|
||||
if: always()
|
||||
with:
|
||||
sarif_file: cloudrail_results.sarif
|
||||
@@ -0,0 +1,54 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow checks out code, performs a Codacy security scan
|
||||
# and integrates the results with the
|
||||
# GitHub Advanced Security code scanning feature. For more information on
|
||||
# the Codacy security scan action usage and parameters, see
|
||||
# https://github.com/codacy/codacy-analysis-cli-action.
|
||||
# For more information on Codacy Analysis CLI in general, see
|
||||
# https://github.com/codacy/codacy-analysis-cli.
|
||||
|
||||
name: Codacy Security Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
codacy-security-scan:
|
||||
name: Codacy Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checkout the repository to the GitHub Actions runner
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
|
||||
- name: Run Codacy Analysis CLI
|
||||
uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
|
||||
with:
|
||||
# Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
|
||||
# You can also omit the token and run the tools that support default configurations
|
||||
project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
|
||||
verbose: true
|
||||
output: results.sarif
|
||||
format: sarif
|
||||
# Adjust severity of non-security issues
|
||||
gh-code-scanning-compat: true
|
||||
# Force 0 exit code to allow SARIF file generation
|
||||
# This will handover control about PR rejection to the GitHub side
|
||||
max-allowed-issues: 2147483647
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF results file
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
@@ -34,8 +34,7 @@ jobs:
|
||||
matrix:
|
||||
language: [ $detected-codeql-languages ]
|
||||
# CodeQL supports [ $supported-codeql-languages ]
|
||||
# Learn more:
|
||||
# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
|
||||
# Learn more about CodeQL language support at https://git.io/codeql-language-support
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
|
||||
@@ -0,0 +1,42 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow requires that you have an existing account with codescan.io
|
||||
# For more information about configuring your workflow,
|
||||
# read our documentation at https://github.com/codescan-io/codescan-scanner-action
|
||||
name: CodeScan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
CodeScan:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
- name: Cache files
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: |
|
||||
~/.sonar
|
||||
key: ${{ runner.os }}-sonar
|
||||
restore-keys: ${{ runner.os }}-sonar
|
||||
- name: Run Analysis
|
||||
uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12
|
||||
with:
|
||||
login: ${{ secrets.CODESCAN_AUTH_TOKEN }}
|
||||
organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
|
||||
projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: codescan.sarif
|
||||
@@ -0,0 +1,53 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow locates REST API file contracts
|
||||
# (Swagger or OpenAPI format, v2 and v3, JSON and YAML)
|
||||
# and runs 200+ security checks on them using 42Crunch Security Audit technology.
|
||||
#
|
||||
# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
|
||||
#
|
||||
# To use this workflow, you will need to complete the following setup steps.
|
||||
#
|
||||
# 1. Create a free 42Crunch account at https://platform.42crunch.com/register
|
||||
#
|
||||
# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
|
||||
# to create an API Token on the 42Crunch platform
|
||||
#
|
||||
# 3. Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm,
|
||||
# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow
|
||||
#
|
||||
# If you have any questions or need help contact https://support.42crunch.com
|
||||
|
||||
name: "42Crunch REST API Static Security Testing"
|
||||
|
||||
# follow standard Code Scanning triggers
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
rest-api-static-security-testing:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
- name: 42Crunch REST API Static Security Testing
|
||||
uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1
|
||||
with:
|
||||
# Please create free account at https://platform.42crunch.com/register
|
||||
# Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
|
||||
api-token: ${{ secrets.API_TOKEN }}
|
||||
# Fail if any OpenAPI file scores lower than 75
|
||||
min-score: 75
|
||||
# Upload results to Github code scanning
|
||||
upload-to-code-scanning: true
|
||||
# Github token for uploading the results
|
||||
github-token: ${{ github.token }}
|
||||
@@ -0,0 +1,97 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
################################################################################################################################################
|
||||
# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
|
||||
# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
|
||||
# or contact our sales team, visit microfocus.com/appsecurity. #
|
||||
# #
|
||||
# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.#
|
||||
# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into #
|
||||
# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against #
|
||||
# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the #
|
||||
# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional #
|
||||
# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. #
|
||||
################################################################################################################################################
|
||||
|
||||
name: Fortify on Demand Scan
|
||||
|
||||
# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
FoD-SAST-Scan:
|
||||
# Use the appropriate runner for building your source code.
|
||||
# TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
steps:
|
||||
# Check out source code
|
||||
- name: Check Out Source Code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# Java is required to run the various Fortify utilities.
|
||||
# When scanning a Java application, please use the appropriate Java version for building your application.
|
||||
- name: Setup Java
|
||||
uses: actions/setup-java@v1
|
||||
with:
|
||||
java-version: 1.8
|
||||
|
||||
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
|
||||
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
|
||||
# ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
|
||||
# ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
|
||||
# ScanCentral has additional options that should be set for PHP and Python projects
|
||||
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
|
||||
# ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
|
||||
- name: Download Fortify ScanCentral Client
|
||||
uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3
|
||||
- name: Package Code + Dependencies
|
||||
run: scancentral package $PACKAGE_OPTS -o package.zip
|
||||
env:
|
||||
PACKAGE_OPTS: "-bt mvn"
|
||||
|
||||
# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
|
||||
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
|
||||
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
|
||||
# Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
|
||||
- name: Download Fortify on Demand Universal CI Tool
|
||||
uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433
|
||||
- name: Perform SAST Scan
|
||||
run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
|
||||
env:
|
||||
FOD_URL: "https://ams.fortify.com/"
|
||||
FOD_API_URL: "https://api.ams.fortify.com/"
|
||||
FOD_TENANT: ${{ secrets.FOD_TENANT }}
|
||||
FOD_USER: ${{ secrets.FOD_USER }}
|
||||
FOD_PAT: ${{ secrets.FOD_PAT }}
|
||||
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
|
||||
FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
|
||||
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
|
||||
|
||||
# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
|
||||
- name: Export results to GitHub-optimized SARIF
|
||||
uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b
|
||||
with:
|
||||
fod_base_url: "https://ams.fortify.com/"
|
||||
fod_tenant: ${{ secrets.FOD_TENANT }}
|
||||
fod_user: ${{ secrets.FOD_USER }}
|
||||
fod_password: ${{ secrets.FOD_PAT }}
|
||||
fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
|
||||
|
||||
# Import Fortify on Demand results to GitHub Security Code Scanning
|
||||
- name: Import Results
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: ./gh-fortify-sast.sarif
|
||||
@@ -10,7 +10,7 @@
|
||||
# To use this workflow, you will need to:
|
||||
#
|
||||
# 1. Create a Mayhem for API account at
|
||||
# https://mayhem4api.forallsecure.com/signup (30-day free trial)
|
||||
# https://mayhem4api.forallsecure.com/signup
|
||||
#
|
||||
# 2. Create a service account token `mapi organization service-account create
|
||||
# <org-name> <service-account-name>`
|
||||
|
||||
@@ -0,0 +1,36 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
name: MobSF
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
mobile-security:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
- name: Setup python
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.8
|
||||
|
||||
- name: Run mobsfscan
|
||||
uses: MobSF/mobsfscan@a60d10a83af68e23e0b30611c6515da604f06f65
|
||||
with:
|
||||
args: . --sarif --output results.sarif || true
|
||||
|
||||
- name: Upload mobsfscan report
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
@@ -0,0 +1,59 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
#
|
||||
# Find more information at:
|
||||
# https://github.com/microsoft/msvc-code-analysis-action
|
||||
|
||||
name: Microsoft C++ Code Analysis
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
env:
|
||||
# Path to the CMake build directory.
|
||||
build: '${{ github.workspace }}/build'
|
||||
|
||||
jobs:
|
||||
analyze:
|
||||
name: Analyze
|
||||
runs-on: windows-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Configure CMake
|
||||
run: cmake -B ${{ env.build }}
|
||||
|
||||
# Build is not required unless generated source files are used
|
||||
# - name: Build CMake
|
||||
# run: cmake --build ${{ env.build }}
|
||||
|
||||
- name: Initialize MSVC Code Analysis
|
||||
uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99
|
||||
# Provide a unique ID to access the sarif output path
|
||||
id: run-analysis
|
||||
with:
|
||||
cmakeBuildDirectory: ${{ env.build }}
|
||||
# Ruleset file that will determine what checks will be run
|
||||
ruleset: NativeRecommendedRules.ruleset
|
||||
|
||||
# Upload SARIF file to GitHub Code Scanning Alerts
|
||||
- name: Upload SARIF to GitHub
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
|
||||
|
||||
# Upload SARIF file as an Artifact to download and view
|
||||
# - name: Upload SARIF as an Artifact
|
||||
# uses: actions/upload-artifact@v2
|
||||
# with:
|
||||
# name: sarif-file
|
||||
# path: ${{ steps.run-analysis.outputs.sarif }}
|
||||
@@ -0,0 +1,35 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow integrates njsscan with GitHub's Code Scanning feature
|
||||
# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications
|
||||
|
||||
name: njsscan sarif
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
njsscan:
|
||||
runs-on: ubuntu-latest
|
||||
name: njsscan code scanning
|
||||
steps:
|
||||
- name: Checkout the code
|
||||
uses: actions/checkout@v2
|
||||
- name: nodejsscan scan
|
||||
id: njsscan
|
||||
uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711
|
||||
with:
|
||||
args: '. --sarif --output results.sarif || true'
|
||||
- name: Upload njsscan report
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
@@ -0,0 +1,52 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
#
|
||||
# NowSecure: The Mobile Security Experts <https://www.nowsecure.com/>.
|
||||
#
|
||||
# To use this workflow, you must be an existing NowSecure customer with GitHub Advanced Security (GHAS) enabled for your
|
||||
# repository.
|
||||
#
|
||||
# If you *are not* an existing customer, click here to contact us for licensing and pricing details:
|
||||
# <https://info.nowsecure.com/github-request>.
|
||||
#
|
||||
# Instructions:
|
||||
#
|
||||
# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and
|
||||
# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit
|
||||
# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub".
|
||||
#
|
||||
# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
|
||||
# and review the "Security" tab once the action has run.
|
||||
|
||||
name: "NowSecure"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
|
||||
jobs:
|
||||
nowsecure:
|
||||
name: NowSecure
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Build your application
|
||||
run: ./gradlew assembleDebug # Update this to build your Android or iOS application
|
||||
|
||||
- name: Run NowSecure
|
||||
uses: nowsecure/nowsecure-action@3b439db31b6dce857b09f5222fd13ffc3159ad26
|
||||
with:
|
||||
token: ${{ secrets.NS_TOKEN }}
|
||||
app_file: app-debug.apk # Update this to a path to your .ipa or .apk
|
||||
group_id: {{ groupId }} # Update this to your desired Platform group ID
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: NowSecure.sarif
|
||||
@@ -0,0 +1,49 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow integrates a collection of open source static analysis tools
|
||||
# with GitHub code scanning. For documentation, or to provide feedback, visit
|
||||
# https://github.com/github/ossar-action
|
||||
name: OSSAR
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
OSSAR-Scan:
|
||||
# OSSAR runs on windows-latest.
|
||||
# ubuntu-latest and macos-latest support coming soon
|
||||
runs-on: windows-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# Ensure a compatible version of dotnet is installed.
|
||||
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
|
||||
# A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
|
||||
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
|
||||
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
|
||||
# - name: Install .NET
|
||||
# uses: actions/setup-dotnet@v1
|
||||
# with:
|
||||
# dotnet-version: '3.1.x'
|
||||
|
||||
# Run open source static analysis tools
|
||||
- name: Run OSSAR
|
||||
uses: github/ossar-action@v1
|
||||
id: ossar
|
||||
|
||||
# Upload results to the Security tab
|
||||
- name: Upload OSSAR results
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
|
||||
@@ -0,0 +1,54 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# A sample workflow that checks for security issues using
|
||||
# the Prisma Cloud Infrastructure as Code Scan Action on
|
||||
# the IaC files present in the repository.
|
||||
# The results are uploaded to GitHub Security Code Scanning
|
||||
#
|
||||
# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action
|
||||
|
||||
name: Prisma Cloud IaC Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
prisma_cloud_iac_scan:
|
||||
runs-on: ubuntu-latest
|
||||
name: Run Prisma Cloud IaC Scan to check
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
- id: iac-scan
|
||||
name: Run Scan on CFT files in the repository
|
||||
uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3
|
||||
with:
|
||||
# You will need Prisma Cloud API Access Token
|
||||
# More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action
|
||||
prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }}
|
||||
access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
|
||||
secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
|
||||
# Scan sources on Prisma Cloud are uniquely identified by their name
|
||||
asset_name: 'my-asset-name'
|
||||
# The service need to know the type of IaC being scanned
|
||||
template_type: 'CFT'
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
# Results are generated only on a success or failure
|
||||
# this is required since GitHub by default won't run the next step
|
||||
# when the previous one has failed.
|
||||
# And alternative it to add `continue-on-error: true` to the previous step
|
||||
if: success() || failure()
|
||||
with:
|
||||
# The SARIF Log file name is configurable on scan action
|
||||
# therefore the file name is best read from the steps output
|
||||
sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Anchore Container Scan",
|
||||
"creator": "Indeni Cloudrail",
|
||||
"description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.",
|
||||
"iconName": "anchore",
|
||||
"categories": ["Code Scanning", "dockerfile"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Brakeman",
|
||||
"creator": "Brakeman",
|
||||
"description": "Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications.",
|
||||
"iconName": "brakeman",
|
||||
"categories": ["Code Scanning", "ruby"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "CxSAST",
|
||||
"creator": "Checkmarx",
|
||||
"description": "Scan your code with Checkmarx CxSAST and see your results in the GitHub security tab.",
|
||||
"iconName": "checkmarx",
|
||||
"categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "cloudrail",
|
||||
"creator": "Indeni Cloudrail",
|
||||
"description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.",
|
||||
"iconName": "cloudrail",
|
||||
"categories": ["Code Scanning", "HCL"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Codacy Security Scan",
|
||||
"creator": "Codacy",
|
||||
"description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.",
|
||||
"iconName": "codacy",
|
||||
"categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"]
|
||||
}
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "CodeQL Analysis",
|
||||
"creator": "GitHub",
|
||||
"description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.",
|
||||
"description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
|
||||
"iconName": "octicon mark-github",
|
||||
"categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"]
|
||||
"categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
|
||||
}
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "CodeScan",
|
||||
"creator": "CodeScan Enterprises, LLC",
|
||||
"description": "CodeScan allows for better visibility on your code quality checks based on your custom rulesets.",
|
||||
"iconName": "codescan",
|
||||
"categories": ["Code Scanning", "javascript", "apex"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "42Crunch API Security Audit",
|
||||
"creator": "42Crunch",
|
||||
"description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.",
|
||||
"iconName": "42crunch",
|
||||
"categories": ["Code Scanning"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Fortify on Demand Scan",
|
||||
"creator": "Micro Focus",
|
||||
"description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.",
|
||||
"iconName": "fortify",
|
||||
"categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"]
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
{
|
||||
"name": "mobsf",
|
||||
"creator": "mobsf",
|
||||
"description": "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.",
|
||||
"iconName": "mobsf",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"Java",
|
||||
"Swift",
|
||||
"Objective-C",
|
||||
"Kotlin"
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Microsoft C++ Code Analysis",
|
||||
"creator": "Microsoft",
|
||||
"description": "Code Analysis with the Microsoft C & C++ Compiler for CMake based projects.",
|
||||
"iconName": "microsoft",
|
||||
"categories": ["Code Scanning", "C", "C++"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "njsscan",
|
||||
"creator": "NodeJSScan",
|
||||
"description": "nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications.",
|
||||
"iconName": "njsscan",
|
||||
"categories": ["Code Scanning", "JavaScript", "TypeScript"]
|
||||
}
|
||||
@@ -0,0 +1,21 @@
|
||||
{
|
||||
"name": "NowSecure",
|
||||
"creator": "NowSecure",
|
||||
"description": "The NowSecure Action delivers fast, accurate, automated security analysis of iOS and Android apps coded in any language",
|
||||
"iconName": "nowsecure",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"Java",
|
||||
"Kotlin",
|
||||
"Scala",
|
||||
"Swift",
|
||||
"Objective C",
|
||||
"C",
|
||||
"C++",
|
||||
"C#",
|
||||
"Rust",
|
||||
"JavaScript",
|
||||
"TypeScript",
|
||||
"Node"
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "OSSAR",
|
||||
"creator": "GitHub",
|
||||
"description": "Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).",
|
||||
"iconName": "octicon mark-github",
|
||||
"categories": ["Code Scanning", "python", "javascript"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Prisma Cloud IaC Scan",
|
||||
"creator": "Palo Alto Prisma Cloud",
|
||||
"description": "Scan your Infrastructure as Code files with Prisma Cloud to detect security issues",
|
||||
"iconName": "prisma",
|
||||
"categories": ["Code Scanning"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "RuboCop Linting",
|
||||
"creator": "arthurnn",
|
||||
"description": "A Ruby static code analyzer and formatter, based on the community Ruby style guide.",
|
||||
"iconName": "rubocop",
|
||||
"categories": ["Code Scanning", "ruby"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "SecurityCodeScan",
|
||||
"creator": "@security-code-scan",
|
||||
"description": "Vulnerability Patterns Detector for C# and VB.NET",
|
||||
"iconName": "securitycodescan",
|
||||
"categories": ["Code Scanning", "C#", "Visual Basic .NET"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Semgrep",
|
||||
"creator": "Returntocorp",
|
||||
"description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.",
|
||||
"iconName": "semgrep",
|
||||
"categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Scan",
|
||||
"creator": "ShiftLeft",
|
||||
"description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.",
|
||||
"iconName": "shiftleft",
|
||||
"categories": ["Code Scanning"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Snyk Container",
|
||||
"creator": "Snyk",
|
||||
"description": "Detect vulnerabilities in your container images and surface the issues in GitHub code scanning.",
|
||||
"iconName": "snyk",
|
||||
"categories": ["Code Scanning", "dockerfile"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Snyk Infrastructure as Code",
|
||||
"creator": "Snyk",
|
||||
"description": "Detect vulnerabilities in your infrastructure as code files and surface the issues in GitHub code scanning.",
|
||||
"iconName": "snyk",
|
||||
"categories": ["Code Scanning"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Sysdig Inline Scan",
|
||||
"creator": "Sysdig",
|
||||
"description": "Performs analysis on locally built container image and posts the results in SARIF report",
|
||||
"iconName": "sysdig-scan",
|
||||
"categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"]
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"name": "Trivy",
|
||||
"creator": "Aqua Security",
|
||||
"description": "Scan Docker container images for vulnerabilities in OS packages and language dependencies with Trivy from Aqua Security.",
|
||||
"iconName": "trivy",
|
||||
"categories": ["Code Scanning", "dockerfile"],
|
||||
"enterprise_requirements": ["docker"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Xanitizer",
|
||||
"creator": "RIGS IT",
|
||||
"description": "Automatically scan your code for vulnerabilities and generate compliance reports with the static security analysis tool Xanitizer (SAST).",
|
||||
"iconName": "xanitizer",
|
||||
"categories": ["Code Scanning", "javascript", "java", "scala", "typescript", "xml", "json"]
|
||||
}
|
||||
@@ -0,0 +1,52 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# pulled from repo
|
||||
name: "Rubocop"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
rubocop:
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
fail-fast: false
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# If running on a self-hosted runner, check it meets the requirements
|
||||
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
|
||||
- name: Set up Ruby
|
||||
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
|
||||
with:
|
||||
ruby-version: 2.6
|
||||
|
||||
# This step is not necessary if you add the gem to your Gemfile
|
||||
- name: Install Code Scanning integration
|
||||
run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
|
||||
|
||||
- name: Install dependencies
|
||||
run: bundle install
|
||||
|
||||
- name: Rubocop run
|
||||
run: |
|
||||
bash -c "
|
||||
bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
|
||||
[[ $? -ne 2 ]]
|
||||
"
|
||||
|
||||
- name: Upload Sarif output
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: rubocop.sarif
|
||||
@@ -0,0 +1,41 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature
|
||||
# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET
|
||||
|
||||
name: SecurityCodeScan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
SCS:
|
||||
runs-on: windows-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1
|
||||
- uses: microsoft/setup-msbuild@v1.0.2
|
||||
|
||||
- name: Set up projects for analysis
|
||||
uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d
|
||||
|
||||
- name: Restore dependencies
|
||||
run: dotnet restore
|
||||
|
||||
- name: Build
|
||||
run: dotnet build --no-restore
|
||||
|
||||
- name: Convert sarif for uploading to GitHub
|
||||
uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
|
||||
|
||||
- name: Upload sarif
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
@@ -0,0 +1,42 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow file requires a free account on Semgrep.dev to
|
||||
# manage rules, file ignores, notifications, and more.
|
||||
#
|
||||
# See https://semgrep.dev/docs
|
||||
|
||||
name: Semgrep
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
semgrep:
|
||||
name: Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checkout project source
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
# Scan code using project's configuration on https://semgrep.dev/manage
|
||||
- uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735
|
||||
with:
|
||||
publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
|
||||
publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
|
||||
generateSarif: "1"
|
||||
|
||||
# Upload SARIF file generated in previous step
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: semgrep.sarif
|
||||
if: always()
|
||||
@@ -0,0 +1,47 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow integrates Scan with GitHub's code scanning feature
|
||||
# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
|
||||
# Visit https://slscan.io/en/latest/integrations/code-scan for help
|
||||
name: SL Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
Scan-Build:
|
||||
# Scan runs on ubuntu, mac and windows
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
# Instructions
|
||||
# 1. Setup JDK, Node.js, Python etc depending on your project type
|
||||
# 2. Compile or build the project before invoking scan
|
||||
# Example: mvn compile, or npm install or pip install goes here
|
||||
# 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
|
||||
|
||||
- name: Perform Scan
|
||||
uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64
|
||||
env:
|
||||
WORKSPACE: ""
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
SCAN_AUTO_BUILD: true
|
||||
with:
|
||||
output: reports
|
||||
# Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
|
||||
# type: credscan,java
|
||||
# type: python
|
||||
|
||||
- name: Upload report
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: reports
|
||||
@@ -0,0 +1,48 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# A sample workflow which checks out the code, builds a container
|
||||
# image using Docker and scans that image for vulnerabilities using
|
||||
# Snyk. The results are then uploaded to GitHub Security Code Scanning
|
||||
#
|
||||
# For more examples, including how to limit scans to only high-severity
|
||||
# issues, monitor images for newly disclosed vulnerabilities in Snyk and
|
||||
# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/
|
||||
|
||||
name: Snyk Container
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
snyk:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Build a Docker image
|
||||
run: docker build -t your/image-to-test .
|
||||
- name: Run Snyk to check Docker image for vulnerabilities
|
||||
# Snyk can be used to break the build when it detects vulnerabilities.
|
||||
# In this case we want to upload the issues to GitHub Code Scanning
|
||||
continue-on-error: true
|
||||
uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
|
||||
env:
|
||||
# In order to use the Snyk Action you will need to have a Snyk API token.
|
||||
# More details in https://github.com/snyk/actions#getting-your-snyk-token
|
||||
# or you can signup for free at https://snyk.io/login
|
||||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
||||
with:
|
||||
image: your/image-to-test
|
||||
args: --file=Dockerfile
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: snyk.sarif
|
||||
@@ -0,0 +1,47 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# A sample workflow which checks out your Infrastructure as Code Configuration files,
|
||||
# such as Kubernetes, Helm & Terraform and scans them for any security issues.
|
||||
# The results are then uploaded to GitHub Security Code Scanning
|
||||
#
|
||||
# For more examples, including how to limit scans to only high-severity issues
|
||||
# and fail PR checks, see https://github.com/snyk/actions/
|
||||
|
||||
name: Snyk Infrastructure as Code
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
snyk:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Run Snyk to check configuration files for security issues
|
||||
# Snyk can be used to break the build when it detects security issues.
|
||||
# In this case we want to upload the issues to GitHub Code Scanning
|
||||
continue-on-error: true
|
||||
uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4
|
||||
env:
|
||||
# In order to use the Snyk Action you will need to have a Snyk API token.
|
||||
# More details in https://github.com/snyk/actions#getting-your-snyk-token
|
||||
# or you can signup for free at https://snyk.io/login
|
||||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
||||
with:
|
||||
# Add the path to the configuration file that you would like to test.
|
||||
# For example `deployment.yaml` for a Kubernetes deployment manifest
|
||||
# or `main.tf` for a Terraform configuration file
|
||||
file: your-file-to-test.yaml
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: snyk.sarif
|
||||
@@ -0,0 +1,54 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
name: Sysdig - Build, scan, push and upload sarif report
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
|
||||
build:
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
- name: Build the Docker image
|
||||
# Tag image to be built
|
||||
# Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below
|
||||
run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest
|
||||
|
||||
- name: Sysdig Secure Inline Scan
|
||||
id: scan
|
||||
uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163
|
||||
with:
|
||||
# Tag of the image to analyse.
|
||||
# Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above
|
||||
image-tag: ${{ github.repository }}:latest
|
||||
# API token for Sysdig Scanning auth
|
||||
sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}}
|
||||
# Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/
|
||||
# US-East https://secure.sysdig.com
|
||||
# US-West https://us2.app.sysdig.com
|
||||
# EU https://eu1.app.sysdig.com
|
||||
sysdig-secure-url: https://us2.app.sysdig.com
|
||||
dockerfile-path: ./Dockerfile
|
||||
input-type: docker-daemon
|
||||
ignore-failed-scan: true
|
||||
# Sysdig inline scanner requires privileged rights
|
||||
run-as-user: root
|
||||
|
||||
- uses: github/codeql-action/upload-sarif@v1
|
||||
#Upload SARIF file
|
||||
if: always()
|
||||
with:
|
||||
sarif_file: ${{ steps.scan.outputs.sarifReport }}
|
||||
@@ -0,0 +1,41 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
name: build
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: "ubuntu-18.04"
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
|
||||
with:
|
||||
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
severity: 'CRITICAL,HIGH'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
@@ -0,0 +1,92 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it,
|
||||
# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository.
|
||||
#
|
||||
# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action
|
||||
#
|
||||
# To use this basic workflow, you will need to complete the following setup steps:
|
||||
#
|
||||
# 1. The underlying Xanitizer, used in this workflow, needs a separate license file.
|
||||
# Licenses are free of charge for open source projects and for educational usage.
|
||||
# To get more information about the Xanitizer licenses and how to obtain a license file,
|
||||
# please consult https://www.xanitizer.com/xanitizer-pricing/.
|
||||
#
|
||||
# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository.
|
||||
# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details.
|
||||
#
|
||||
# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action.
|
||||
# Example:
|
||||
# - name: Xanitizer Security Analysis
|
||||
# uses: RIGS-IT/xanitizer-action@v1
|
||||
# with:
|
||||
# license: ${{ secrets.XANITIZER_LICENSE }}
|
||||
#
|
||||
# 4. As a static application security testing (SAST) tool,
|
||||
# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully.
|
||||
# So you have to install all used libraries and build your project before running the security analysis,
|
||||
# e.g. via `mvn compile` for Java or `npm install` for JavaScript
|
||||
|
||||
name: "Xanitizer Security Analysis"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
xanitizer-security-analysis:
|
||||
# Xanitizer runs on ubuntu-latest and windows-latest.
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
# Check out the repository
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# Set up the correct Java version for your project
|
||||
# Please comment out, if your project does not contain Java source code.
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v1
|
||||
with:
|
||||
java-version: 11
|
||||
|
||||
# Compile the code for Java projects and get all libraries, e.g. via Maven
|
||||
# Please adapt, if your project uses another build system to compile Java source code.
|
||||
# Please comment out, if your project does not contain Java source code.
|
||||
- name: Compile Java code
|
||||
run: mvn -B compile
|
||||
|
||||
# Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm
|
||||
# Please adapt to run `npm install` in the correct directories.
|
||||
# Please adapt, if your project uses another package manager for getting JavaScript libraries.
|
||||
# Please comment out, if your project does not use a package manager for getting JavaScript libraries.
|
||||
- name: Install JavaScript libraries
|
||||
run: npm install
|
||||
|
||||
# Run the security analysis with default settings
|
||||
- name: Xanitizer Security Analysis
|
||||
uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316
|
||||
with:
|
||||
license: ${{ secrets.XANITIZER_LICENSE }}
|
||||
|
||||
# Archiving the findings list reports
|
||||
- uses: actions/upload-artifact@v2
|
||||
with:
|
||||
name: Xanitizer-Reports
|
||||
path: |
|
||||
*-Findings-List.pdf
|
||||
*-Findings-List.sarif
|
||||
|
||||
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
|
||||
- uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: Xanitizer-Findings-List.sarif
|
||||
@@ -1,5 +1,5 @@
|
||||
# This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR),
|
||||
# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when a release is created.
|
||||
# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when there is a push to the $default-branch branch.
|
||||
#
|
||||
# To use this workflow, you will need to complete the following set-up steps:
|
||||
#
|
||||
@@ -20,8 +20,9 @@
|
||||
name: Build and Deploy to ACK
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [created]
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
|
||||
# Environment variables available to all jobs and steps in this workflow.
|
||||
env:
|
||||
@@ -1,34 +1,46 @@
|
||||
# This workflow will build and push a new container image to Amazon ECR,
|
||||
# and then will deploy a new task definition to Amazon ECS, when a release is created
|
||||
# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch.
|
||||
#
|
||||
# To use this workflow, you will need to complete the following set-up steps:
|
||||
#
|
||||
# 1. Create an ECR repository to store your images.
|
||||
# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`.
|
||||
# Replace the value of `ECR_REPOSITORY` in the workflow below with your repository's name.
|
||||
# Replace the value of `aws-region` in the workflow below with your repository's region.
|
||||
# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name.
|
||||
# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region.
|
||||
#
|
||||
# 2. Create an ECS task definition, an ECS cluster, and an ECS service.
|
||||
# For example, follow the Getting Started guide on the ECS console:
|
||||
# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun
|
||||
# Replace the values for `service` and `cluster` in the workflow below with your service and cluster names.
|
||||
# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service.
|
||||
# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster.
|
||||
#
|
||||
# 3. Store your ECS task definition as a JSON file in your repository.
|
||||
# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`.
|
||||
# Replace the value of `task-definition` in the workflow below with your JSON file's name.
|
||||
# Replace the value of `container-name` in the workflow below with the name of the container
|
||||
# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file.
|
||||
# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container
|
||||
# in the `containerDefinitions` section of the task definition.
|
||||
#
|
||||
# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
|
||||
# See the documentation for each action used below for the recommended IAM policies for this IAM user,
|
||||
# and best practices on handling the access key credentials.
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [created]
|
||||
|
||||
name: Deploy to Amazon ECS
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
|
||||
env:
|
||||
AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1
|
||||
ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name
|
||||
ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name
|
||||
ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name
|
||||
ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition
|
||||
# file, e.g. .aws/task-definition.json
|
||||
CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the
|
||||
# containerDefinitions section of your task definition
|
||||
|
||||
jobs:
|
||||
deploy:
|
||||
name: Deploy
|
||||
@@ -44,7 +56,7 @@ jobs:
|
||||
with:
|
||||
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
||||
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
||||
aws-region: us-east-2
|
||||
aws-region: ${{ env.AWS_REGION }}
|
||||
|
||||
- name: Login to Amazon ECR
|
||||
id: login-ecr
|
||||
@@ -54,7 +66,6 @@ jobs:
|
||||
id: build-image
|
||||
env:
|
||||
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
|
||||
ECR_REPOSITORY: my-ecr-repo
|
||||
IMAGE_TAG: ${{ github.sha }}
|
||||
run: |
|
||||
# Build a docker container and
|
||||
@@ -68,14 +79,14 @@ jobs:
|
||||
id: task-def
|
||||
uses: aws-actions/amazon-ecs-render-task-definition@v1
|
||||
with:
|
||||
task-definition: task-definition.json
|
||||
container-name: sample-app
|
||||
task-definition: ${{ env.ECS_TASK_DEFINITION }}
|
||||
container-name: ${{ env.CONTAINER_NAME }}
|
||||
image: ${{ steps.build-image.outputs.image }}
|
||||
|
||||
- name: Deploy Amazon ECS task definition
|
||||
uses: aws-actions/amazon-ecs-deploy-task-definition@v1
|
||||
with:
|
||||
task-definition: ${{ steps.task-def.outputs.task-definition }}
|
||||
service: sample-app-service
|
||||
cluster: default
|
||||
service: ${{ env.ECS_SERVICE }}
|
||||
cluster: ${{ env.ECS_CLUSTER }}
|
||||
wait-for-service-stability: true
|
||||
@@ -1,4 +1,4 @@
|
||||
# This workflow will build and push a node.js application to an Azure Web App when a release is created.
|
||||
# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch.
|
||||
#
|
||||
# This workflow assumes you have already created the target Azure App Service web app.
|
||||
# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan
|
||||
@@ -16,8 +16,9 @@
|
||||
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
|
||||
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
|
||||
on:
|
||||
release:
|
||||
types: [created]
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
|
||||
env:
|
||||
AZURE_WEBAPP_NAME: your-app-name # set this to your application's name
|
||||
@@ -1,4 +1,4 @@
|
||||
# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when a release is created
|
||||
# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch.
|
||||
#
|
||||
# To configure this workflow:
|
||||
#
|
||||
@@ -13,8 +13,9 @@
|
||||
name: Build and Deploy to GKE
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [created]
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
|
||||
env:
|
||||
PROJECT_ID: ${{ secrets.GKE_PROJECT }}
|
||||
@@ -1,4 +1,4 @@
|
||||
# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when a release is created
|
||||
# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when there is a push to the $default-branch branch.
|
||||
#
|
||||
# To configure this workflow:
|
||||
#
|
||||
@@ -9,8 +9,9 @@
|
||||
name: Build and Deploy to IKS
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [created]
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
|
||||
# Environment variables available to all jobs and steps in this workflow
|
||||
env:
|
||||
@@ -0,0 +1,187 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# 💁 The OpenShift Starter workflow will:
|
||||
# - Checkout your repository
|
||||
# - Perform a container image build
|
||||
# - Push the built image to the GitHub Container Registry (GHCR)
|
||||
# - Log in to your OpenShift cluster
|
||||
# - Create an OpenShift app from the image and expose it to the internet
|
||||
|
||||
# ℹ️ Configure your repository and the workflow with the following steps:
|
||||
# 1. Have access to an OpenShift cluster. Refer to https://www.openshift.com/try
|
||||
# 2. Create the OPENSHIFT_SERVER and OPENSHIFT_TOKEN repository secrets. Refer to:
|
||||
# - https://github.com/redhat-actions/oc-login#readme
|
||||
# - https://docs.github.com/en/actions/reference/encrypted-secrets
|
||||
# - https://cli.github.com/manual/gh_secret_set
|
||||
# 3. (Optional) Edit the top-level 'env' section as marked with '🖊️' if the defaults are not suitable for your project.
|
||||
# 4. (Optional) Edit the build-image step to build your project.
|
||||
# The default build type is by using a Dockerfile at the root of the repository,
|
||||
# but can be replaced with a different file, a source-to-image build, or a step-by-step buildah build.
|
||||
# 5. Commit and push the workflow file to your default branch to trigger a workflow run.
|
||||
|
||||
# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback.
|
||||
|
||||
name: OpenShift
|
||||
|
||||
env:
|
||||
# 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context.
|
||||
# See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
|
||||
# To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
|
||||
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
|
||||
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
|
||||
# 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace.
|
||||
OPENSHIFT_NAMESPACE: ""
|
||||
|
||||
# 🖊️ EDIT to set a name for your OpenShift app, or a default one will be generated below.
|
||||
APP_NAME: ""
|
||||
|
||||
# 🖊️ EDIT with the port your application should be accessible on.
|
||||
# If the container image exposes *exactly one* port, this can be left blank.
|
||||
# Refer to the 'port' input of https://github.com/redhat-actions/oc-new-app
|
||||
APP_PORT: ""
|
||||
|
||||
# 🖊️ EDIT to change the image registry settings.
|
||||
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
|
||||
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
|
||||
IMAGE_REGISTRY_USER: ${{ github.actor }}
|
||||
IMAGE_REGISTRY_PASSWORD: ${{ github.token }}
|
||||
|
||||
# 🖊️ EDIT to specify custom tags for the container image, or default tags will be generated below.
|
||||
IMAGE_TAGS: ""
|
||||
|
||||
on:
|
||||
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows
|
||||
push:
|
||||
# Edit to the branch(es) you want to build and deploy on each push.
|
||||
branches: [ $default-branch ]
|
||||
|
||||
jobs:
|
||||
openshift-ci-cd:
|
||||
name: Build and deploy to OpenShift
|
||||
# ubuntu-20.04 can also be used.
|
||||
runs-on: ubuntu-18.04
|
||||
environment: production
|
||||
|
||||
outputs:
|
||||
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
|
||||
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
|
||||
|
||||
steps:
|
||||
- name: Check for required secrets
|
||||
uses: actions/github-script@v4
|
||||
with:
|
||||
script: |
|
||||
const secrets = {
|
||||
OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
|
||||
OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
|
||||
};
|
||||
|
||||
const GHCR = "ghcr.io";
|
||||
if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
|
||||
core.info(`Image registry is ${GHCR} - no registry password required`);
|
||||
}
|
||||
else {
|
||||
core.info("A registry password is required");
|
||||
secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
|
||||
}
|
||||
|
||||
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
|
||||
if (value.length === 0) {
|
||||
core.error(`Secret "${name}" is not set`);
|
||||
return true;
|
||||
}
|
||||
core.info(`✔️ Secret "${name}" is set`);
|
||||
return false;
|
||||
});
|
||||
|
||||
if (missingSecrets.length > 0) {
|
||||
core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
|
||||
"You can add it using:\n" +
|
||||
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
|
||||
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
|
||||
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
|
||||
}
|
||||
else {
|
||||
core.info(`✅ All the required secrets are set`);
|
||||
}
|
||||
|
||||
- name: Check out repository
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Determine app name
|
||||
if: env.APP_NAME == ''
|
||||
run: |
|
||||
echo "APP_NAME=$(basename $PWD)" | tee -a $GITHUB_ENV
|
||||
|
||||
- name: Determine image tags
|
||||
if: env.IMAGE_TAGS == ''
|
||||
run: |
|
||||
echo "IMAGE_TAGS=latest ${GITHUB_SHA::12}" | tee -a $GITHUB_ENV
|
||||
|
||||
# https://github.com/redhat-actions/buildah-build#readme
|
||||
- name: Build from Dockerfile
|
||||
id: build-image
|
||||
uses: redhat-actions/buildah-build@v2
|
||||
with:
|
||||
image: ${{ env.APP_NAME }}
|
||||
tags: ${{ env.IMAGE_TAGS }}
|
||||
|
||||
# If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs
|
||||
# Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build
|
||||
# Otherwise, point this to your Dockerfile/Containerfile relative to the repository root.
|
||||
dockerfiles: |
|
||||
./Dockerfile
|
||||
|
||||
# https://github.com/redhat-actions/push-to-registry#readme
|
||||
- name: Push to registry
|
||||
id: push-image
|
||||
uses: redhat-actions/push-to-registry@v2
|
||||
with:
|
||||
image: ${{ steps.build-image.outputs.image }}
|
||||
tags: ${{ steps.build-image.outputs.tags }}
|
||||
registry: ${{ env.IMAGE_REGISTRY }}
|
||||
username: ${{ env.IMAGE_REGISTRY_USER }}
|
||||
password: ${{ env.IMAGE_REGISTRY_PASSWORD }}
|
||||
|
||||
# The path the image was pushed to is now stored in ${{ steps.push-image.outputs.registry-path }}
|
||||
|
||||
- name: Install oc
|
||||
uses: redhat-actions/openshift-tools-installer@v1
|
||||
with:
|
||||
oc: 4
|
||||
|
||||
# https://github.com/redhat-actions/oc-login#readme
|
||||
- name: Log in to OpenShift
|
||||
uses: redhat-actions/oc-login@v1
|
||||
with:
|
||||
openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
|
||||
openshift_token: ${{ env.OPENSHIFT_TOKEN }}
|
||||
insecure_skip_tls_verify: true
|
||||
namespace: ${{ env.OPENSHIFT_NAMESPACE }}
|
||||
|
||||
# This step should create a deployment, service, and route to run your app and expose it to the internet.
|
||||
# https://github.com/redhat-actions/oc-new-app#readme
|
||||
- name: Create and expose app
|
||||
id: deploy-and-expose
|
||||
uses: redhat-actions/oc-new-app@v1
|
||||
with:
|
||||
app_name: ${{ env.APP_NAME }}
|
||||
image: ${{ steps.push-image.outputs.registry-path }}
|
||||
namespace: ${{ env.OPENSHIFT_NAMESPACE }}
|
||||
port: ${{ env.APP_PORT }}
|
||||
|
||||
- name: Print application URL
|
||||
env:
|
||||
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
|
||||
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
|
||||
run: |
|
||||
[[ -n ${{ env.ROUTE }} ]] || (echo "Determining application route failed in previous step"; exit 1)
|
||||
echo
|
||||
echo "======================== Your application is available at: ========================"
|
||||
echo ${{ env.ROUTE }}
|
||||
echo "==================================================================================="
|
||||
echo
|
||||
echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\""
|
||||
+1
-1
@@ -3,5 +3,5 @@
|
||||
"description": "Deploy a container to Alibaba Cloud Container Service for Kubernetes (ACK).",
|
||||
"creator": "Alibaba Cloud",
|
||||
"iconName": "alibabacloud",
|
||||
"categories": ["Deployment"]
|
||||
"categories": ["Deployment", "Dockerfile"]
|
||||
}
|
||||
@@ -3,5 +3,5 @@
|
||||
"description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.",
|
||||
"creator": "Amazon Web Services",
|
||||
"iconName": "aws",
|
||||
"categories": ["Deployment"]
|
||||
}
|
||||
"categories": ["Deployment", "Dockerfile"]
|
||||
}
|
||||
+1
-1
@@ -3,5 +3,5 @@
|
||||
"description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
|
||||
"creator": "Google Cloud",
|
||||
"iconName": "googlegke",
|
||||
"categories": ["Deployment"]
|
||||
"categories": ["Deployment", "Dockerfile"]
|
||||
}
|
||||
@@ -3,5 +3,5 @@
|
||||
"description": "Build a docker container, publish it to IBM Cloud Container Registry, and deploy to IBM Cloud Kubernetes Service.",
|
||||
"creator": "IBM",
|
||||
"iconName": "ibm",
|
||||
"categories": ["Deployment"]
|
||||
"categories": ["Deployment", "Dockerfile"]
|
||||
}
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user