Compare commits

..

6 Commits

Author SHA1 Message Date
Ashwin Sangem 49db015eb5 Merge pull request #1063 from tiwarishub/starter_workflow_new_exp
Validate Data / validate-data (push) Has been cancelled
[Do not merge to main] Only for feature branch
2021-08-26 10:39:39 +05:30
Shubham Tiwari bff811ac16 added category 2021-08-26 10:08:12 +05:30
Ashwin Sangem 03302f7fd6 Merge pull request #1062 from tiwarishub/starter_workflow_new_exp
[Only for testing- Do not merge to main] - Dummy PR to merge to starter_workflow_new_exp branch
2021-08-25 23:29:52 +05:30
Shubham Tiwari 543e2b4253 Merge branch 'starter_workflow_new_exp' into starter_workflow_new_exp 2021-08-25 23:27:44 +05:30
Shubham Tiwari 9db205158a Category change 2021-08-25 23:24:07 +05:30
Shubham Tiwari 2b476f011c Category change 2021-08-25 23:22:32 +05:30
130 changed files with 260 additions and 3641 deletions
-2
View File
@@ -5,8 +5,6 @@ on:
jobs:
build:
permissions:
issues: write
runs-on: ubuntu-latest
steps:
- name: Close Issue
-2
View File
@@ -5,8 +5,6 @@ on:
jobs:
build:
permissions:
issues: write
runs-on: ubuntu-latest
steps:
- name: Close Issue
-3
View File
@@ -7,9 +7,6 @@ on:
jobs:
stale:
permissions:
issues: write
pull-requests: write
runs-on: ubuntu-latest
steps:
-2
View File
@@ -7,8 +7,6 @@ on:
jobs:
sync:
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
-2
View File
@@ -6,8 +6,6 @@ on:
jobs:
validate-data:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
+2 -3
View File
@@ -12,8 +12,7 @@ These are the workflow files for helping people get started with GitHub Actions.
### Directory structure
* [ci](ci): solutions for Continuous Integration workflows.
* [deployments](deployments): solutions for Deployment workflows.
* [ci](ci): solutions for Continuous Integration and Deployments
* [automation](automation): solutions for automating workflows.
* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security)
* [icons](icons): svg icons for the relevant template
@@ -45,5 +44,5 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`.
These variables can be placed in the starter workflow and will be substituted as detailed below:
* `$default-branch`: will substitute the branch from the repository, for example `main` and `master`
* `$protected-branches`: will substitute any protected branches from the repository
* `$protected-branches`: will substitue any protected branches from the repository.
* `$cron-daily`: will substitute a valid but random time within the day
-5
View File
@@ -1,8 +1,3 @@
# This workflow warns and then closes issues and PRs that have had no activity for a specified amount of time.
#
# You can adjust the behavior by modifying this file.
# For more information, see:
# https://github.com/actions/stale
name: Mark stale issues and pull requests
on:
@@ -1,5 +1,5 @@
# This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR),
# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when there is a push to the $default-branch branch.
# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when a release is created.
#
# To use this workflow, you will need to complete the following set-up steps:
#
@@ -20,9 +20,8 @@
name: Build and Deploy to ACK
on:
push:
branches:
- $default-branch
release:
types: [created]
# Environment variables available to all jobs and steps in this workflow.
env:
+15 -26
View File
@@ -1,45 +1,33 @@
# This workflow will build and push a new container image to Amazon ECR,
# and then will deploy a new task definition to Amazon ECS, when there is a push to the $default-branch branch.
# and then will deploy a new task definition to Amazon ECS, when a release is created
#
# To use this workflow, you will need to complete the following set-up steps:
#
# 1. Create an ECR repository to store your images.
# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`.
# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name.
# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region.
# Replace the value of `ECR_REPOSITORY` in the workflow below with your repository's name.
# Replace the value of `aws-region` in the workflow below with your repository's region.
#
# 2. Create an ECS task definition, an ECS cluster, and an ECS service.
# For example, follow the Getting Started guide on the ECS console:
# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun
# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service.
# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster.
# Replace the values for `service` and `cluster` in the workflow below with your service and cluster names.
#
# 3. Store your ECS task definition as a JSON file in your repository.
# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`.
# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file.
# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container
# Replace the value of `task-definition` in the workflow below with your JSON file's name.
# Replace the value of `container-name` in the workflow below with the name of the container
# in the `containerDefinitions` section of the task definition.
#
# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
# See the documentation for each action used below for the recommended IAM policies for this IAM user,
# and best practices on handling the access key credentials.
name: Deploy to Amazon ECS
on:
push:
branches:
- $default-branch
release:
types: [created]
env:
AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1
ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name
ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name
ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name
ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition
# file, e.g. .aws/task-definition.json
CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the
# containerDefinitions section of your task definition
name: Deploy to Amazon ECS
jobs:
deploy:
@@ -56,7 +44,7 @@ jobs:
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
aws-region: us-east-2
- name: Login to Amazon ECR
id: login-ecr
@@ -66,6 +54,7 @@ jobs:
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: my-ecr-repo
IMAGE_TAG: ${{ github.sha }}
run: |
# Build a docker container and
@@ -79,14 +68,14 @@ jobs:
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: ${{ env.ECS_TASK_DEFINITION }}
container-name: ${{ env.CONTAINER_NAME }}
task-definition: task-definition.json
container-name: sample-app
image: ${{ steps.build-image.outputs.image }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@v1
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: ${{ env.ECS_SERVICE }}
cluster: ${{ env.ECS_CLUSTER }}
service: sample-app-service
cluster: default
wait-for-service-stability: true
+3 -4
View File
@@ -1,4 +1,4 @@
# This workflow will build and push a node.js application to an Azure Web App when there is a push to the $default-branch branch.
# This workflow will build and push a node.js application to an Azure Web App when a release is created.
#
# This workflow assumes you have already created the target Azure App Service web app.
# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan
@@ -16,9 +16,8 @@
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
on:
push:
branches:
- $default-branch
release:
types: [created]
env:
AZURE_WEBAPP_NAME: your-app-name # set this to your application's name
+1 -1
View File
@@ -107,7 +107,7 @@ jobs:
- name: Remove the pfx
run: Remove-Item -path $env:Wap_Project_Directory\$env:Signing_Certificate
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
# Upload the MSIX package: https://github.com/marketplace/actions/upload-artifact
- name: Upload build artifacts
uses: actions/upload-artifact@v2
with:
+3 -3
View File
@@ -15,10 +15,10 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Set up Elixir
uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
uses: erlef/setup-elixir@885971a72ed1f9240973bd92ab57af8c1aa68f24
with:
elixir-version: '1.12.3' # Define the elixir version [required]
otp-version: '24.1' # Define the OTP version [required]
elixir-version: '1.10.3' # Define the elixir version [required]
otp-version: '22.3' # Define the OTP version [required]
- name: Restore dependencies cache
uses: actions/cache@v2
with:
+3 -4
View File
@@ -1,4 +1,4 @@
# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the $default-branch branch.
# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when a release is created
#
# To configure this workflow:
#
@@ -13,9 +13,8 @@
name: Build and Deploy to GKE
on:
push:
branches:
- $default-branch
release:
types: [created]
env:
PROJECT_ID: ${{ secrets.GKE_PROJECT }}
View File
View File
+3 -4
View File
@@ -1,4 +1,4 @@
# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when there is a push to the $default-branch branch.
# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when a release is created
#
# To configure this workflow:
#
@@ -9,9 +9,8 @@
name: Build and Deploy to IKS
on:
push:
branches:
- $default-branch
release:
types: [created]
# Environment variables available to all jobs and steps in this workflow
env:
-27
View File
@@ -1,27 +0,0 @@
name: Makefile CI
on:
push:
branches: [ $default-branch ]
pull_request:
branches: [ $default-branch ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: configure
run: ./configure
- name: Install dependencies
run: make
- name: Run check
run: make check
- name: Run distcheck
run: make distcheck
-30
View File
@@ -1,30 +0,0 @@
name: Xcode - Build and Analyze
on:
push:
branches: [ $default-branch ]
pull_request:
branches: [ $default-branch ]
jobs:
build:
name: Build and analyse default scheme using xcodebuild command
runs-on: macos-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Set Default Scheme
run: |
scheme_list=$(xcodebuild -list -json | tr -d "\n")
default=$(echo $scheme_list | ruby -e "require 'json'; puts JSON.parse(STDIN.gets)['project']['targets'][0]")
echo $default | cat >default
echo Using default scheme: $default
- name: Build
env:
scheme: ${{ 'default' }}
run: |
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
xcodebuild clean build analyze -scheme "$scheme" -"$filetype_parameter" "$file_to_build" | xcpretty && exit ${PIPESTATUS[0]}
+180
View File
@@ -0,0 +1,180 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
### The OpenShift Starter workflow will:
# - Checkout your repository
# - Perform a Docker build
# - Push the built image to an image registry
# - Log in to your OpenShift cluster
# - Create an OpenShift app from the image and expose it to the internet.
### Before you begin:
# - Have write access to a container image registry such as quay.io or Dockerhub.
# - Have access to an OpenShift cluster.
# - For instructions to get started with OpenShift see https://www.openshift.com/try
# - The project you wish to add this workflow to should have a Dockerfile.
# - If you don't have a Dockerfile at the repository root, see the buildah-build step.
# - Builds from scratch are also available, but require more configuration.
### To get the workflow running:
# 1. Add this workflow to your repository.
# 2. Edit the top-level 'env' section, which contains a list of environment variables that must be configured.
# 3. Create the secrets referenced in the 'env' section under your repository Settings.
# 4. Edit the 'branches' in the 'on' section to trigger the workflow on a push to your branch.
# 5. Commit and push your changes.
# For a more sophisticated example, see https://github.com/redhat-actions/spring-petclinic/blob/main/.github/workflows/petclinic-sample.yaml
# Also see our GitHub organization, https://github.com/redhat-actions/
# ▶️ See a video of how to set up this workflow at https://www.youtube.com/watch?v=6hgBO-1pKho
name: OpenShift
# ⬇️ Modify the fields marked with ⬇️ to fit your project, and create any secrets that are referenced.
# https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets
env:
# ⬇️ EDIT with your registry and registry path.
REGISTRY: quay.io/<username>
# ⬇️ EDIT with your registry username.
REGISTRY_USER: <username>
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
# ⬇️ EDIT to log into your OpenShift cluster and set up the context.
# See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
# ⬇️ EDIT with any additional port your application should expose.
# By default, oc new-app action creates a service to the image's lowest numeric exposed port.
APP_PORT: ""
# ⬇️ EDIT if you wish to set the kube context's namespace after login. Leave blank to use the default namespace.
OPENSHIFT_NAMESPACE: ""
# If you wish to manually provide the APP_NAME and TAG, set them here, otherwise they will be auto-detected.
APP_NAME: ""
TAG: ""
on:
# https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows
push:
# Edit to the branch(es) you want to build and deploy on each push.
branches: [ $default-branch ]
jobs:
openshift-ci-cd:
name: Build and deploy to OpenShift
runs-on: ubuntu-18.04
environment: production
outputs:
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
steps:
- name: Check if secrets exists
uses: actions/github-script@v3
with:
script: |
const secrets = {
REGISTRY_PASSWORD: `${{ secrets.REGISTRY_PASSWORD }}`,
OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
};
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
if (value.length === 0) {
core.warning(`Secret "${name}" is not set`);
return true;
}
core.info(`✔️ Secret "${name}" is set`);
return false;
});
if (missingSecrets.length > 0) {
core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
"You can add it using:\n" +
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
}
else {
core.info(`✅ All the required secrets are set`);
}
- uses: actions/checkout@v2
- name: Determine app name
if: env.APP_NAME == ''
run: |
echo "APP_NAME=$(basename $PWD)" | tee -a $GITHUB_ENV
- name: Determine tag
if: env.TAG == ''
run: |
echo "TAG=${GITHUB_SHA::7}" | tee -a $GITHUB_ENV
# https://github.com/redhat-actions/buildah-build#readme
- name: Build from Dockerfile
id: image-build
uses: redhat-actions/buildah-build@v2
with:
image: ${{ env.APP_NAME }}
tags: ${{ env.TAG }}
# If you don't have a dockerfile, see:
# https://github.com/redhat-actions/buildah-build#scratch-build-inputs
# Otherwise, point this to your Dockerfile relative to the repository root.
dockerfiles: |
./Dockerfile
# https://github.com/redhat-actions/push-to-registry#readme
- name: Push to registry
id: push-to-registry
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.image-build.outputs.image }}
tags: ${{ steps.image-build.outputs.tags }}
registry: ${{ env.REGISTRY }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
# The path the image was pushed to is now stored in ${{ steps.push-to-registry.outputs.registry-path }}
# oc-login works on all platforms, but oc must be installed first.
# The GitHub Ubuntu runner already includes oc.
# Otherwise, https://github.com/redhat-actions/openshift-tools-installer can be used to install oc,
# as well as many other tools.
# https://github.com/redhat-actions/oc-login#readme
- name: Log in to OpenShift
uses: redhat-actions/oc-login@v1
with:
openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
openshift_token: ${{ env.OPENSHIFT_TOKEN }}
insecure_skip_tls_verify: true
namespace: ${{ env.OPENSHIFT_NAMESPACE }}
# This step should create a deployment, service, and route to run your app and expose it to the internet.
# https://github.com/redhat-actions/oc-new-app#readme
- name: Create and expose app
id: deploy-and-expose
uses: redhat-actions/oc-new-app@v1
with:
app_name: ${{ env.APP_NAME }}
image: ${{ steps.push-to-registry.outputs.registry-path }}
namespace: ${{ env.OPENSHIFT_NAMESPACE }}
port: ${{ env.APP_PORT }}
- name: View application route
run: |
[[ -n ${{ env.ROUTE }} ]] || (echo "Determining application route failed in previous step"; exit 1)
echo "======================== Your application is available at: ========================"
echo ${{ env.ROUTE }}
echo "==================================================================================="
echo
echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\""
env:
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
@@ -3,5 +3,5 @@
"description": "Deploy a container to Alibaba Cloud Container Service for Kubernetes (ACK).",
"creator": "Alibaba Cloud",
"iconName": "alibabacloud",
"categories": ["Deployment", "Dockerfile"]
"categories": ["Deployment"]
}
@@ -3,5 +3,5 @@
"description": "Deploy a container to an Amazon ECS service powered by AWS Fargate or Amazon EC2.",
"creator": "Amazon Web Services",
"iconName": "aws",
"categories": ["Deployment", "Dockerfile"]
}
"categories": ["Deployment"]
}
+1 -1
View File
@@ -2,5 +2,5 @@
"name": "D",
"description": "Build and test a D project with dub.",
"iconName": "d",
"categories": ["Continuous integration", "D"]
"categories": ["Continuous integration", "D" ]
}
+1 -1
View File
@@ -2,5 +2,5 @@
"name": ".NET",
"description": "Build and test a .NET or ASP.NET Core project.",
"iconName": "dotnet",
"categories": ["Continuous integration", "C#", "F#", "Visual Basic", "ASP", "ASP.NET", ".NET", "AspNetCore", "DotNetConsole"]
"categories": ["Continuous integration", "C#", "F#", "Visual Basic", "ASP", "ASP.NET", ".NET"]
}
@@ -3,5 +3,5 @@
"description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
"creator": "Google Cloud",
"iconName": "googlegke",
"categories": ["Deployment", "Dockerfile"]
"categories": ["Deployment"]
}
+1 -1
View File
@@ -2,5 +2,5 @@
"name": "Publish Java Package with Gradle",
"description": "Build a Java Package using Gradle and publish to GitHub Packages.",
"iconName": "gradle",
"categories": ["Continuous integration", "Java", "Gradle", "Spring", "JSF"]
"categories": ["Continuous integration", "Java", "Gradle"]
}
+1 -1
View File
@@ -2,5 +2,5 @@
"name": "Java with Gradle",
"description": "Build and test a Java project using a Gradle wrapper script.",
"iconName": "gradle",
"categories": ["Continuous integration", "Java", "Gradle", "Spring", "JSF"]
"categories": ["Continuous integration", "Java", "Gradle"]
}
@@ -3,5 +3,5 @@
"description": "Build a docker container, publish it to IBM Cloud Container Registry, and deploy to IBM Cloud Kubernetes Service.",
"creator": "IBM",
"iconName": "ibm",
"categories": ["Deployment", "Dockerfile"]
"categories": ["Deployment"]
}
-6
View File
@@ -1,6 +0,0 @@
{
"name": "Build projects with Make",
"description": "Build and test a project using Make.",
"iconName": "makefile",
"categories": ["Continuous integration", "Makefile"]
}
+1 -1
View File
@@ -2,5 +2,5 @@
"name": "Publish Java Package with Maven",
"description": "Build a Java Package using Maven and publish to GitHub Packages.",
"iconName": "maven",
"categories": ["Continuous integration", "Java", "Maven", "Spring", "JSF"]
"categories": ["Continuous integration", "Java", "Maven"]
}
+1 -1
View File
@@ -2,5 +2,5 @@
"name": "Java with Maven",
"description": "Build and test a Java project with Apache Maven.",
"iconName": "maven",
"categories": ["Continuous integration", "Java", "Maven", "Spring", "JSF"]
"categories": ["Continuous integration", "Java", "Maven"]
}
+1 -1
View File
@@ -2,5 +2,5 @@
"name": "Node.js",
"description": "Build and test a Node.js project with npm.",
"iconName": "nodejs",
"categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"]
"categories": ["Continuous integration", "JavaScript", "npm"]
}
@@ -1,6 +0,0 @@
{
"name": "Xcode - Build and Analyze",
"description": "Build Xcode project using xcodebuild",
"iconName": "xcode",
"categories": ["Continuous integration", "Xcode", "Objective-C"]
}
+1 -1
View File
@@ -2,5 +2,5 @@
"name": "Pylint",
"description": "Lint a Python application with pylint.",
"iconName": "python",
"categories": ["Continuous integration", "Python", "Bottle", "Flask"]
"categories": ["Continuous integration", "Python"]
}
+1 -1
View File
@@ -2,5 +2,5 @@
"name": "Python application",
"description": "Create and test a Python application.",
"iconName": "python",
"categories": ["Continuous integration", "Python", "Bottle", "Flask"]
"categories": ["Continuous integration", "Python"]
}
+1 -1
View File
@@ -2,5 +2,5 @@
"name": "Python package",
"description": "Create and test a Python package on multiple Python versions.",
"iconName": "python",
"categories": ["Continuous integration", "Python", "Bottle", "Flask"]
"categories": ["Continuous integration", "Python"]
}
@@ -1,6 +0,0 @@
{
"name": "Rails - Install Dependencies and Run Linters",
"description": "Install dependencies and run linters on Rails application",
"iconName": "ruby",
"categories": ["Continuous integration", "Ruby", "Rails"]
}
@@ -1,6 +0,0 @@
{
"name": "Super Linter - Run Linters for several languages",
"description": "Run linters for several languages on your code base for changed files",
"iconName": "octicon check-circle",
"categories": ["Continuous integration", "code-quality", "code-review"]
}
-10
View File
@@ -1,10 +0,0 @@
{
"name": "Symfony",
"description": "Test a Symfony project.",
"iconName": "php",
"categories": [
"Continuous integration",
"PHP",
"Symfony"
]
}
@@ -3,5 +3,5 @@
"description": "This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE).",
"creator": "Tencent Cloud",
"iconName": "tencentcloud",
"categories": ["Deployment", "Dockerfile"]
"categories": ["Deployment"]
}
+4 -5
View File
@@ -4,16 +4,15 @@ on: [push]
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.8", "3.9", "3.10"]
steps:
- uses: actions/checkout@v2
- name: Set up Python ${{ matrix.python-version }}
- name: Set up Python 3.9
uses: actions/setup-python@v2
with:
python-version: ${{ matrix.python-version }}
python-version: 3.9
- name: Install dependencies
run: |
python -m pip install --upgrade pip
+2 -2
View File
@@ -16,10 +16,10 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Set up Python 3.10
- name: Set up Python 3.9
uses: actions/setup-python@v2
with:
python-version: "3.10"
python-version: 3.9
- name: Install dependencies
run: |
python -m pip install --upgrade pip
+2 -2
View File
@@ -10,10 +10,10 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Set up Python 3.10
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.10
python-version: 3.8
- name: Add conda to system path
run: |
# $CONDA is an environment variable pointing to the root of the miniconda directory
+1 -1
View File
@@ -16,7 +16,7 @@ jobs:
strategy:
fail-fast: false
matrix:
python-version: ["3.8", "3.9", "3.10"]
python-version: [3.7, 3.8, 3.9]
steps:
- uses: actions/checkout@v2
+2 -2
View File
@@ -19,12 +19,12 @@ jobs:
runs-on: macos-latest
strategy:
matrix:
r-version: ['3.6.3', '4.1.1']
r-version: [3.5, 3.6]
steps:
- uses: actions/checkout@v2
- name: Set up R ${{ matrix.r-version }}
uses: r-lib/actions/setup-r@f57f1301a053485946083d7a45022b278929a78a
uses: r-lib/actions/setup-r@ffe45a39586f073cc2e9af79c4ba563b657dc6e3
with:
r-version: ${{ matrix.r-version }}
- name: Install dependencies
-32
View File
@@ -1,32 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow will download a prebuilt Ruby version, install dependencies, and run linters
name: Rails - Install dependencies and run linters
on:
push:
branches: [ $default-branch ]
pull_request:
branches: [ $default-branch ]
jobs:
run-lint:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Setup Ruby and install gems
uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
with:
bundler-cache: true
# Add or Replace any other security checks here
- name: Run security checks
run: |
bin/bundler-audit --update
bin/brakeman -q -w2
# Add or Replace any other Linters here
- name: Run linters
run: |
bin/rubocop --parallel
-29
View File
@@ -1,29 +0,0 @@
# This workflow executes several linters on changed files based on languages used in your code base whenever
# you push a code or open a pull request.
#
# You can adjust the behavior by modifying this file.
# For more information, see:
# https://github.com/github/super-linter
name: Lint Code Base
on:
push:
branches: [ $default-branch ]
pull_request:
branches: [ $default-branch ]
jobs:
run-lint:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
# Full git history is needed to get a proper list of changed files within `super-linter`
fetch-depth: 0
- name: Lint Code Base
uses: github/super-linter@v4
env:
VALIDATE_ALL_CODEBASE: false
DEFAULT_BRANCH: $default-branch
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-39
View File
@@ -1,39 +0,0 @@
name: Symfony
on:
push:
branches: [ $default-branch ]
pull_request:
branches: [ $default-branch ]
jobs:
symfony-tests:
runs-on: ubuntu-latest
steps:
# To automatically get bug fixes and new Php versions for shivammathur/setup-php,
# change this to (see https://github.com/shivammathur/setup-php#bookmark-versioning):
# uses: shivammathur/setup-php@v2
- uses: shivammathur/setup-php@2cb9b829437ee246e9b3cac53555a39208ca6d28
with:
php-version: '8.0'
- uses: actions/checkout@v2
- name: Copy .env.test.local
run: php -r "file_exists('.env.test.local') || copy('.env.test', '.env.test.local');"
- name: Cache Composer packages
id: composer-cache
uses: actions/cache@v2
with:
path: vendor
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
restore-keys: |
${{ runner.os }}-php-
- name: Install Dependencies
run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist
- name: Create Database
run: |
mkdir -p data
touch data/database.sqlite
- name: Execute tests (Unit and Feature tests) via PHPUnit
env:
DATABASE_URL: sqlite:///%kernel.project_dir%/data/database.sqlite
run: vendor/bin/phpunit
+3 -4
View File
@@ -1,4 +1,4 @@
# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE) when there is a push to the $default-branch branch.
# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE).
#
# To configure this workflow:
#
@@ -16,9 +16,8 @@
name: Tencent Kubernetes Engine
on:
push:
branches:
- $default-branch
release:
types: [created]
# Environment variables available to all jobs and steps in this workflow
env:
-39
View File
@@ -1,39 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow checks out code, builds an image, performs a container image
# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
# code scanning feature. For more information on the Anchore scan action usage
# and parameters, see https://github.com/anchore/scan-action. For more
# information on Anchore's container image scanning tool Grype, see
# https://github.com/anchore/grype
name: Anchore Container Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
Anchore-Build-Scan:
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@v2
- name: Build the Docker image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
with:
image: "localbuild/testimage:latest"
acs-report-enable: true
- name: Upload Anchore Scan Report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif
-51
View File
@@ -1,51 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow integrates Brakeman with GitHub's Code Scanning feature
# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
name: Brakeman Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
brakeman-scan:
name: Brakeman Scan
runs-on: ubuntu-latest
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v2
# Customize the ruby version depending on your needs
- name: Setup Ruby
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
with:
ruby-version: '2.7'
- name: Setup Brakeman
env:
BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
run: |
gem install brakeman --version $BRAKEMAN_VERSION
# Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
- name: Scan
continue-on-error: true
run: |
brakeman -f sarif -o output.sarif.json .
# Upload the SARIF file generated in the previous step
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: output.sarif.json
-44
View File
@@ -1,44 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action
name: CxFlow
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action
runs-on: ubuntu-latest
# Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2
# Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
- name: Checkmarx CxFlow Action
uses: checkmarx-ts/checkmarx-cxflow-github-action@04e6403dbbfee0fd3fb076e5791202c31c54fe6b
with:
project: GithubActionTest
team: '\CxServer\SP\Checkmarx'
checkmarx_url: ${{ secrets.CHECKMARX_URL }}
checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
# Upload the Report for CodeQL/Security Alerts
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: cx.sarif
-58
View File
@@ -1,58 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Cloudrail
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
cloudrail:
name: Run Indeni Cloudrail on Terraform code with SARIF output
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Clone repo
uses: actions/checkout@v2
# For Terraform, Cloudrail requires the plan as input. So we generate it using
# the Terraform core binary.
- uses: hashicorp/setup-terraform@v1
with:
terraform_version: v0.13.2
- run: terraform init
- run: terraform plan -out=plan.out
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# Confirm we have the plan file
- run: stat plan.out
- name: Run Cloudrail
uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622
with:
tf-plan-file: plan.out # This was created in a "terraform plan" step
cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app
cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
# Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
# is needed to ensure the SARIF file is uploaded
if: always()
with:
sarif_file: cloudrail_results.sarif
-54
View File
@@ -1,54 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow checks out code, performs a Codacy security scan
# and integrates the results with the
# GitHub Advanced Security code scanning feature. For more information on
# the Codacy security scan action usage and parameters, see
# https://github.com/codacy/codacy-analysis-cli-action.
# For more information on Codacy Analysis CLI in general, see
# https://github.com/codacy/codacy-analysis-cli.
name: Codacy Security Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
codacy-security-scan:
name: Codacy Security Scan
runs-on: ubuntu-latest
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
uses: actions/checkout@v2
# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
- name: Run Codacy Analysis CLI
uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
with:
# Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
# You can also omit the token and run the tools that support default configurations
project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
verbose: true
output: results.sarif
format: sarif
# Adjust severity of non-security issues
gh-code-scanning-compat: true
# Force 0 exit code to allow SARIF file generation
# This will handover control about PR rejection to the GitHub side
max-allowed-issues: 2147483647
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif
+2 -1
View File
@@ -34,7 +34,8 @@ jobs:
matrix:
language: [ $detected-codeql-languages ]
# CodeQL supports [ $supported-codeql-languages ]
# Learn more about CodeQL language support at https://git.io/codeql-language-support
# Learn more:
# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
steps:
- name: Checkout repository
-42
View File
@@ -1,42 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow requires that you have an existing account with codescan.io
# For more information about configuring your workflow,
# read our documentation at https://github.com/codescan-io/codescan-scanner-action
name: CodeScan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
CodeScan:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Cache files
uses: actions/cache@v2
with:
path: |
~/.sonar
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Run Analysis
uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12
with:
login: ${{ secrets.CODESCAN_AUTH_TOKEN }}
organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: codescan.sarif
-53
View File
@@ -1,53 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow locates REST API file contracts
# (Swagger or OpenAPI format, v2 and v3, JSON and YAML)
# and runs 200+ security checks on them using 42Crunch Security Audit technology.
#
# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
#
# To use this workflow, you will need to complete the following setup steps.
#
# 1. Create a free 42Crunch account at https://platform.42crunch.com/register
#
# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
# to create an API Token on the 42Crunch platform
#
# 3. Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm,
# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow
#
# If you have any questions or need help contact https://support.42crunch.com
name: "42Crunch REST API Static Security Testing"
# follow standard Code Scanning triggers
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
rest-api-static-security-testing:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: 42Crunch REST API Static Security Testing
uses: 42Crunch/api-security-audit-action@96228d9c48873fe001354047d47fb62be42abeb1
with:
# Please create free account at https://platform.42crunch.com/register
# Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
api-token: ${{ secrets.API_TOKEN }}
# Fail if any OpenAPI file scores lower than 75
min-score: 75
# Upload results to Github code scanning
upload-to-code-scanning: true
# Github token for uploading the results
github-token: ${{ github.token }}
-97
View File
@@ -1,97 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
################################################################################################################################################
# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
# or contact our sales team, visit microfocus.com/appsecurity. #
# #
# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.#
# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into #
# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against #
# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the #
# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional #
# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. #
################################################################################################################################################
name: Fortify on Demand Scan
# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
on:
workflow_dispatch:
push:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
FoD-SAST-Scan:
# Use the appropriate runner for building your source code.
# TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v2
# Java is required to run the various Fortify utilities.
# When scanning a Java application, please use the appropriate Java version for building your application.
- name: Setup Java
uses: actions/setup-java@v1
with:
java-version: 1.8
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
# ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
# ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
# ScanCentral has additional options that should be set for PHP and Python projects
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
# ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
- name: Download Fortify ScanCentral Client
uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3
- name: Package Code + Dependencies
run: scancentral package $PACKAGE_OPTS -o package.zip
env:
PACKAGE_OPTS: "-bt mvn"
# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
# Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
- name: Download Fortify on Demand Universal CI Tool
uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433
- name: Perform SAST Scan
run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
env:
FOD_URL: "https://ams.fortify.com/"
FOD_API_URL: "https://api.ams.fortify.com/"
FOD_TENANT: ${{ secrets.FOD_TENANT }}
FOD_USER: ${{ secrets.FOD_USER }}
FOD_PAT: ${{ secrets.FOD_PAT }}
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
- name: Export results to GitHub-optimized SARIF
uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b
with:
fod_base_url: "https://ams.fortify.com/"
fod_tenant: ${{ secrets.FOD_TENANT }}
fod_user: ${{ secrets.FOD_USER }}
fod_password: ${{ secrets.FOD_PAT }}
fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
# Import Fortify on Demand results to GitHub Security Code Scanning
- name: Import Results
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ./gh-fortify-sast.sarif
+1 -1
View File
@@ -10,7 +10,7 @@
# To use this workflow, you will need to:
#
# 1. Create a Mayhem for API account at
# https://mayhem4api.forallsecure.com/signup
# https://mayhem4api.forallsecure.com/signup (30-day free trial)
#
# 2. Create a service account token `mapi organization service-account create
# <org-name> <service-account-name>`
-36
View File
@@ -1,36 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: MobSF
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
mobile-security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Setup python
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Run mobsfscan
uses: MobSF/mobsfscan@a60d10a83af68e23e0b30611c6515da604f06f65
with:
args: . --sarif --output results.sarif || true
- name: Upload mobsfscan report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif
-59
View File
@@ -1,59 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# Find more information at:
# https://github.com/microsoft/msvc-code-analysis-action
name: Microsoft C++ Code Analysis
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
env:
# Path to the CMake build directory.
build: '${{ github.workspace }}/build'
jobs:
analyze:
name: Analyze
runs-on: windows-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Configure CMake
run: cmake -B ${{ env.build }}
# Build is not required unless generated source files are used
# - name: Build CMake
# run: cmake --build ${{ env.build }}
- name: Initialize MSVC Code Analysis
uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99
# Provide a unique ID to access the sarif output path
id: run-analysis
with:
cmakeBuildDirectory: ${{ env.build }}
# Ruleset file that will determine what checks will be run
ruleset: NativeRecommendedRules.ruleset
# Upload SARIF file to GitHub Code Scanning Alerts
- name: Upload SARIF to GitHub
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
# Upload SARIF file as an Artifact to download and view
# - name: Upload SARIF as an Artifact
# uses: actions/upload-artifact@v2
# with:
# name: sarif-file
# path: ${{ steps.run-analysis.outputs.sarif }}
-35
View File
@@ -1,35 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow integrates njsscan with GitHub's Code Scanning feature
# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications
name: njsscan sarif
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
njsscan:
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
- name: Checkout the code
uses: actions/checkout@v2
- name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711
with:
args: '. --sarif --output results.sarif || true'
- name: Upload njsscan report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif
-52
View File
@@ -1,52 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# NowSecure: The Mobile Security Experts <https://www.nowsecure.com/>.
#
# To use this workflow, you must be an existing NowSecure customer with GitHub Advanced Security (GHAS) enabled for your
# repository.
#
# If you *are not* an existing customer, click here to contact us for licensing and pricing details:
# <https://info.nowsecure.com/github-request>.
#
# Instructions:
#
# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and
# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit
# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub".
#
# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
# and review the "Security" tab once the action has run.
name: "NowSecure"
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
jobs:
nowsecure:
name: NowSecure
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build your application
run: ./gradlew assembleDebug # Update this to build your Android or iOS application
- name: Run NowSecure
uses: nowsecure/nowsecure-action@3b439db31b6dce857b09f5222fd13ffc3159ad26
with:
token: ${{ secrets.NS_TOKEN }}
app_file: app-debug.apk # Update this to a path to your .ipa or .apk
group_id: {{ groupId }} # Update this to your desired Platform group ID
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: NowSecure.sarif
-49
View File
@@ -1,49 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow integrates a collection of open source static analysis tools
# with GitHub code scanning. For documentation, or to provide feedback, visit
# https://github.com/github/ossar-action
name: OSSAR
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
OSSAR-Scan:
# OSSAR runs on windows-latest.
# ubuntu-latest and macos-latest support coming soon
runs-on: windows-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
# Ensure a compatible version of dotnet is installed.
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
# A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
# - name: Install .NET
# uses: actions/setup-dotnet@v1
# with:
# dotnet-version: '3.1.x'
# Run open source static analysis tools
- name: Run OSSAR
uses: github/ossar-action@v1
id: ossar
# Upload results to the Security tab
- name: Upload OSSAR results
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
-54
View File
@@ -1,54 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# A sample workflow that checks for security issues using
# the Prisma Cloud Infrastructure as Code Scan Action on
# the IaC files present in the repository.
# The results are uploaded to GitHub Security Code Scanning
#
# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action
name: Prisma Cloud IaC Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
prisma_cloud_iac_scan:
runs-on: ubuntu-latest
name: Run Prisma Cloud IaC Scan to check
steps:
- name: Checkout
uses: actions/checkout@v2
- id: iac-scan
name: Run Scan on CFT files in the repository
uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3
with:
# You will need Prisma Cloud API Access Token
# More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action
prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }}
access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
# Scan sources on Prisma Cloud are uniquely identified by their name
asset_name: 'my-asset-name'
# The service need to know the type of IaC being scanned
template_type: 'CFT'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed.
# And alternative it to add `continue-on-error: true` to the previous step
if: success() || failure()
with:
# The SARIF Log file name is configurable on scan action
# therefore the file name is best read from the steps output
sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }}
@@ -1,7 +0,0 @@
{
"name": "Anchore Container Scan",
"creator": "Indeni Cloudrail",
"description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.",
"iconName": "anchore",
"categories": ["Code Scanning", "dockerfile"]
}
@@ -1,7 +0,0 @@
{
"name": "Brakeman",
"creator": "Brakeman",
"description": "Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications.",
"iconName": "brakeman",
"categories": ["Code Scanning", "ruby"]
}
@@ -1,7 +0,0 @@
{
"name": "CxSAST",
"creator": "Checkmarx",
"description": "Scan your code with Checkmarx CxSAST and see your results in the GitHub security tab.",
"iconName": "checkmarx",
"categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"]
}
@@ -1,7 +0,0 @@
{
"name": "cloudrail",
"creator": "Indeni Cloudrail",
"description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.",
"iconName": "cloudrail",
"categories": ["Code Scanning", "HCL"]
}
@@ -1,7 +0,0 @@
{
"name": "Codacy Security Scan",
"creator": "Codacy",
"description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.",
"iconName": "codacy",
"categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"]
}
@@ -1,7 +1,7 @@
{
"name": "CodeQL Analysis",
"creator": "GitHub",
"description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
"description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.",
"iconName": "octicon mark-github",
"categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]
"categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"]
}
@@ -1,7 +0,0 @@
{
"name": "CodeScan",
"creator": "CodeScan Enterprises, LLC",
"description": "CodeScan allows for better visibility on your code quality checks based on your custom rulesets.",
"iconName": "codescan",
"categories": ["Code Scanning", "javascript", "apex"]
}
@@ -1,7 +0,0 @@
{
"name": "42Crunch API Security Audit",
"creator": "42Crunch",
"description": "Use the 42Crunch API Security Audit REST API to perform static application security testing (SAST) on OpenAPI/Swagger files.",
"iconName": "42crunch",
"categories": ["Code Scanning"]
}
@@ -1,7 +0,0 @@
{
"name": "Fortify on Demand Scan",
"creator": "Micro Focus",
"description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.",
"iconName": "fortify",
"categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"]
}
@@ -1,13 +0,0 @@
{
"name": "mobsf",
"creator": "mobsf",
"description": "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.",
"iconName": "mobsf",
"categories": [
"Code Scanning",
"Java",
"Swift",
"Objective-C",
"Kotlin"
]
}
@@ -1,7 +0,0 @@
{
"name": "Microsoft C++ Code Analysis",
"creator": "Microsoft",
"description": "Code Analysis with the Microsoft C & C++ Compiler for CMake based projects.",
"iconName": "microsoft",
"categories": ["Code Scanning", "C", "C++"]
}
@@ -1,7 +0,0 @@
{
"name": "njsscan",
"creator": "NodeJSScan",
"description": "nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications.",
"iconName": "njsscan",
"categories": ["Code Scanning", "JavaScript", "TypeScript"]
}
@@ -1,21 +0,0 @@
{
"name": "NowSecure",
"creator": "NowSecure",
"description": "The NowSecure Action delivers fast, accurate, automated security analysis of iOS and Android apps coded in any language",
"iconName": "nowsecure",
"categories": [
"Code Scanning",
"Java",
"Kotlin",
"Scala",
"Swift",
"Objective C",
"C",
"C++",
"C#",
"Rust",
"JavaScript",
"TypeScript",
"Node"
]
}
@@ -1,7 +0,0 @@
{
"name": "OSSAR",
"creator": "GitHub",
"description": "Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).",
"iconName": "octicon mark-github",
"categories": ["Code Scanning", "python", "javascript"]
}
@@ -1,7 +0,0 @@
{
"name": "Prisma Cloud IaC Scan",
"creator": "Palo Alto Prisma Cloud",
"description": "Scan your Infrastructure as Code files with Prisma Cloud to detect security issues",
"iconName": "prisma",
"categories": ["Code Scanning"]
}
@@ -1,7 +0,0 @@
{
"name": "RuboCop Linting",
"creator": "arthurnn",
"description": "A Ruby static code analyzer and formatter, based on the community Ruby style guide.",
"iconName": "rubocop",
"categories": ["Code Scanning", "ruby"]
}
@@ -1,7 +0,0 @@
{
"name": "SecurityCodeScan",
"creator": "@security-code-scan",
"description": "Vulnerability Patterns Detector for C# and VB.NET",
"iconName": "securitycodescan",
"categories": ["Code Scanning", "C#", "Visual Basic .NET"]
}
@@ -1,7 +0,0 @@
{
"name": "Semgrep",
"creator": "Returntocorp",
"description": "Continuously run Semgrep to find bugs and enforce secure code standards. Start with 1k+ community rules or write your own in a few minutes.",
"iconName": "semgrep",
"categories": ["Code Scanning", "Go", "Java", "JavaScript", "JSON", "Python", "Ruby", "TypeScript", "JSX", "TSX"]
}
@@ -1,7 +0,0 @@
{
"name": "Scan",
"creator": "ShiftLeft",
"description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.",
"iconName": "shiftleft",
"categories": ["Code Scanning"]
}
@@ -1,7 +0,0 @@
{
"name": "Snyk Container",
"creator": "Snyk",
"description": "Detect vulnerabilities in your container images and surface the issues in GitHub code scanning.",
"iconName": "snyk",
"categories": ["Code Scanning", "dockerfile"]
}
@@ -1,7 +0,0 @@
{
"name": "Snyk Infrastructure as Code",
"creator": "Snyk",
"description": "Detect vulnerabilities in your infrastructure as code files and surface the issues in GitHub code scanning.",
"iconName": "snyk",
"categories": ["Code Scanning"]
}
@@ -1,7 +0,0 @@
{
"name": "Sysdig Inline Scan",
"creator": "Sysdig",
"description": "Performs analysis on locally built container image and posts the results in SARIF report",
"iconName": "sysdig-scan",
"categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"]
}
@@ -1,8 +0,0 @@
{
"name": "Trivy",
"creator": "Aqua Security",
"description": "Scan Docker container images for vulnerabilities in OS packages and language dependencies with Trivy from Aqua Security.",
"iconName": "trivy",
"categories": ["Code Scanning", "dockerfile"],
"enterprise_requirements": ["docker"]
}
@@ -1,7 +0,0 @@
{
"name": "Xanitizer",
"creator": "RIGS IT",
"description": "Automatically scan your code for vulnerabilities and generate compliance reports with the static security analysis tool Xanitizer (SAST).",
"iconName": "xanitizer",
"categories": ["Code Scanning", "javascript", "java", "scala", "typescript", "xml", "json"]
}
-52
View File
@@ -1,52 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# pulled from repo
name: "Rubocop"
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
rubocop:
runs-on: ubuntu-latest
strategy:
fail-fast: false
steps:
- name: Checkout repository
uses: actions/checkout@v2
# If running on a self-hosted runner, check it meets the requirements
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
- name: Set up Ruby
uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
with:
ruby-version: 2.6
# This step is not necessary if you add the gem to your Gemfile
- name: Install Code Scanning integration
run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
- name: Install dependencies
run: bundle install
- name: Rubocop run
run: |
bash -c "
bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
[[ $? -ne 2 ]]
"
- name: Upload Sarif output
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: rubocop.sarif
-41
View File
@@ -1,41 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature
# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET
name: SecurityCodeScan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
SCS:
runs-on: windows-latest
steps:
- uses: actions/checkout@v2
- uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1
- uses: microsoft/setup-msbuild@v1.0.2
- name: Set up projects for analysis
uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d
- name: Restore dependencies
run: dotnet restore
- name: Build
run: dotnet build --no-restore
- name: Convert sarif for uploading to GitHub
uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687
- name: Upload sarif
uses: github/codeql-action/upload-sarif@v1
-42
View File
@@ -1,42 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow file requires a free account on Semgrep.dev to
# manage rules, file ignores, notifications, and more.
#
# See https://semgrep.dev/docs
name: Semgrep
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
semgrep:
name: Scan
runs-on: ubuntu-latest
steps:
# Checkout project source
- uses: actions/checkout@v2
# Scan code using project's configuration on https://semgrep.dev/manage
- uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735
with:
publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
generateSarif: "1"
# Upload SARIF file generated in previous step
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: semgrep.sarif
if: always()
-47
View File
@@ -1,47 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow integrates Scan with GitHub's code scanning feature
# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
# Visit https://slscan.io/en/latest/integrations/code-scan for help
name: SL Scan
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
Scan-Build:
# Scan runs on ubuntu, mac and windows
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
# Instructions
# 1. Setup JDK, Node.js, Python etc depending on your project type
# 2. Compile or build the project before invoking scan
# Example: mvn compile, or npm install or pip install goes here
# 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
- name: Perform Scan
uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64
env:
WORKSPACE: ""
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SCAN_AUTO_BUILD: true
with:
output: reports
# Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
# type: credscan,java
# type: python
- name: Upload report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: reports
-48
View File
@@ -1,48 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# A sample workflow which checks out the code, builds a container
# image using Docker and scans that image for vulnerabilities using
# Snyk. The results are then uploaded to GitHub Security Code Scanning
#
# For more examples, including how to limit scans to only high-severity
# issues, monitor images for newly disclosed vulnerabilities in Snyk and
# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/
name: Snyk Container
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
snyk:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build a Docker image
run: docker build -t your/image-to-test .
- name: Run Snyk to check Docker image for vulnerabilities
# Snyk can be used to break the build when it detects vulnerabilities.
# In this case we want to upload the issues to GitHub Code Scanning
continue-on-error: true
uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
env:
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
# or you can signup for free at https://snyk.io/login
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: your/image-to-test
args: --file=Dockerfile
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: snyk.sarif
-47
View File
@@ -1,47 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# A sample workflow which checks out your Infrastructure as Code Configuration files,
# such as Kubernetes, Helm & Terraform and scans them for any security issues.
# The results are then uploaded to GitHub Security Code Scanning
#
# For more examples, including how to limit scans to only high-severity issues
# and fail PR checks, see https://github.com/snyk/actions/
name: Snyk Infrastructure as Code
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
snyk:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run Snyk to check configuration files for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the issues to GitHub Code Scanning
continue-on-error: true
uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4
env:
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
# or you can signup for free at https://snyk.io/login
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
# Add the path to the configuration file that you would like to test.
# For example `deployment.yaml` for a Kubernetes deployment manifest
# or `main.tf` for a Terraform configuration file
file: your-file-to-test.yaml
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: snyk.sarif

Some files were not shown because too many files have changed in this diff Show More