1830845916
* Switch default node version to 20 * Update version set to 18.x, 20.x, 22.x Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
127 lines
5.5 KiB
YAML
127 lines
5.5 KiB
YAML
# This workflow uses actions that are not certified by GitHub.
|
||
# They are provided by a third-party and are governed by
|
||
# separate terms of service, privacy policy, and support
|
||
# documentation.
|
||
|
||
# This workflow performs a static analysis of your source code using
|
||
# Red Hat CodeReady Dependency Analytics.
|
||
|
||
# Scans are triggered:
|
||
# 1. On every push to default and protected branches
|
||
# 2. On every Pull Request targeting the default branch
|
||
# 3. On a weekly schedule
|
||
# 4. Manually, on demand, via the "workflow_dispatch" event
|
||
|
||
# 💁 The CRDA Starter workflow will:
|
||
# - Checkout your repository
|
||
# - Setup the required tool stack
|
||
# - Install the CRDA command line tool
|
||
# - Auto detect the manifest file and install the project's dependencies
|
||
# - Perform the security scan using CRDA
|
||
# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab
|
||
# - Optionally upload the SARIF file as an artifact for the future reference
|
||
|
||
# ℹ️ Configure your repository and the workflow with the following steps:
|
||
# 1. Setup the tool stack based on the project's requirement.
|
||
# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack
|
||
# 2. (Optional) CRDA action attempt to detect the language and install the
|
||
# required dependencies for your project. If your project doesn't aligns
|
||
# with the default dependency installation command mentioned here
|
||
# https://github.com/redhat-actions/crda/#3-installing-dependencies.
|
||
# Use the required inputs to setup the same
|
||
# 3. (Optional) CRDA action attempts to detect the manifest file if it is
|
||
# present in the root of the project and named as per the default mentioned
|
||
# here https://github.com/redhat-actions/crda/#3-installing-dependencies.
|
||
# If it deviates from the default, use the required inputs to setup the same
|
||
# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN.
|
||
# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication
|
||
# 5. (Optional) Upload SARIF file as an Artifact to download and view
|
||
# 6. Commit and push the workflow file to your default branch to trigger a workflow run.
|
||
|
||
# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback.
|
||
|
||
name: CRDA Scan
|
||
|
||
# Controls when the workflow will run
|
||
on:
|
||
# TODO: Customize trigger events based on your DevSecOps processes
|
||
#
|
||
# This workflow is made to run with OpenShift starter workflow
|
||
# https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml
|
||
# However, if you want to run this workflow as a standalone workflow, please
|
||
# uncomment the 'push' trigger below and configure it based on your requirements.
|
||
#
|
||
workflow_call:
|
||
secrets:
|
||
CRDA_KEY:
|
||
required: false
|
||
SNYK_TOKEN:
|
||
required: false
|
||
workflow_dispatch:
|
||
|
||
# push:
|
||
# branches: [ $default-branch, $protected-branches ]
|
||
|
||
# pull_request_target is used to securely share secret to the PR's workflow run.
|
||
# For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
|
||
pull_request_target:
|
||
branches: [ $default-branch ]
|
||
types: [ assigned, opened, synchronize, reopened, labeled, edited ]
|
||
|
||
permissions:
|
||
contents: read
|
||
|
||
jobs:
|
||
crda-scan:
|
||
permissions:
|
||
contents: read # for actions/checkout to fetch code
|
||
security-events: write # for redhat-actions/crda to upload SARIF results
|
||
name: Scan project vulnerabilities with CRDA
|
||
runs-on: ubuntu-20.04
|
||
steps:
|
||
|
||
- name: Check out repository
|
||
uses: actions/checkout@v2
|
||
|
||
# *******************************************************************
|
||
# Required: Instructions to setup project
|
||
# 1. Setup Go, Java, Node.js or Python depending on your project type
|
||
# 2. Setup Actions are listed below, choose one from them:
|
||
# - Go: https://github.com/actions/setup-go
|
||
# - Java: https://github.com/actions/setup-java
|
||
# - Node.js: https://github.com/actions/setup-node
|
||
# - Python: https://github.com/actions/setup-python
|
||
#
|
||
# Example:
|
||
# - name: Setup Node
|
||
# uses: actions/setup-node@v4
|
||
# with:
|
||
# node-version: '20'
|
||
|
||
# https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md
|
||
- name: Install CRDA CLI
|
||
uses: redhat-actions/openshift-tools-installer@v1
|
||
with:
|
||
source: github
|
||
github_pat: ${{ github.token }}
|
||
# Choose the desired version of the CRDA CLI
|
||
crda: "latest"
|
||
|
||
######################################################################################
|
||
# https://github.com/redhat-actions/crda/blob/main/README.md
|
||
#
|
||
# By default, CRDA will detect the manifest file and install the required dependencies
|
||
# using the standard command for the project type.
|
||
# If your project doesn't aligns with the defaults mentioned in this action, you will
|
||
# need to set few inputs that are described here:
|
||
# https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies
|
||
# Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand
|
||
# process to get a SNYK_TOKEN or a CRDA_KEY
|
||
- name: CRDA Scan
|
||
id: scan
|
||
uses: redhat-actions/crda@v1
|
||
with:
|
||
crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token
|
||
# snyk_token: ${{ secrets.SNYK_TOKEN }}
|
||
# upload_artifact: false # Set this to false to skip artifact upload
|