From 4193b3bdfdd9c76feecfd076d8404783221a3be2 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:32:20 +0100 Subject: [PATCH 01/30] Adding new yaml file with action example --- code-scanning/checkmarx-one.yml | 40 +++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 code-scanning/checkmarx-one.yml diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml new file mode 100644 index 0000000000..89dcdd68ea --- /dev/null +++ b/code-scanning/checkmarx-one.yml 
@@ -0,0 +1,40 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This is a basic workflow to help you get started with Using Checkmarx One Action
+
+name: Checkmarx Scan
+
+# Controls when the workflow will run
+on:
+ pull_request:
+ types: [opened, reopened, synchronize]
+ branches: [ $default-branch, $protected-branches ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "build"
+ build:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # This step checks out a copy of your repository.
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ - name: Checkmarx scan
+ uses: checkmarx/ast-github-action@main
+ with:
+ base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx
+ cx_client_id: ${{ secrets.CX_CLIENT_ID }}
+ cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
+ cx_tenant: ${{ secrets.CX_TENANT }}
+ additional_params: --report-format sarif --output-path .
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: cx_result.sarif
\ No newline at end of file
From b2113622be8e2b2dbf9b32aa12af30faa65e5362 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:32:56 +0100 Subject: [PATCH 02/30] Add new properties file for Checkmarx --- code-scanning/properties/checkmarx-one.properties.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 code-scanning/properties/checkmarx-one.properties.json
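Review bot: The new workflow fires only on `pull_request`, so the default branch is never scanned after a merge and there is no periodic re-scan, whereas the sibling templates touched later in this series (cloudrail.yml, mobsf.yml) combine `push`, `pull_request` and a `schedule` trigger. Consider adding a `push` trigger on `[ $default-branch, $protected-branches ]` and a `schedule` entry with `cron: $cron-weekly` next to the existing `pull_request` block, and narrowing `pull_request.branches` to `[ $default-branch ]` as those templates do. Be aware that a `pull_request` run from a fork presumably has no access to `secrets.CX_CLIENT_ID`, `secrets.CX_CLIENT_SECRET` and `secrets.CX_TENANT`, so the scan step will fail on such PRs; that is a property of the trigger rather than of this file, but worth a comment above `on:`.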
diff --git a/code-scanning/properties/checkmarx-one.properties.json b/code-scanning/properties/checkmarx-one.properties.json new file mode 100644 index 0000000000..f5ebef8bab --- /dev/null +++ b/code-scanning/properties/checkmarx-one.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Checkmarx", + "creator": "Checkmarx", + "description": "Beat vulnerabilities with more secure code.Scan your code with Checkmarx One and see results in the GitHub code scanning.", + "iconName": "checkmarx", + "categories": ["Code Scanning","code-quality", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"] +} \ No newline at end of file From 4d24769f48db2cc2d8ae87ceb69c9f5a51b32e1e Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:33:34 +0100 Subject: [PATCH 03/30] Update checkmarx.svg --- icons/checkmarx.svg | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg index 6bf5ad3708..ab11dadaff 100644 --- a/icons/checkmarx.svg +++ b/icons/checkmarx.svg @@ -1,14 +1 @@ - - - - - - + From 3031cebead8b924c888e3d7b36340bdf4f9db1df Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:35:25 +0100 Subject: [PATCH 04/30] Update checkmarx.svg --- icons/checkmarx.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg index ab11dadaff..899b3bc533 100644 --- a/icons/checkmarx.svg +++ b/icons/checkmarx.svg @@ -1 +1 @@ - + From a66a1979359eb8f01c0b728469a7c62868fa9b30 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Wed, 12 Oct 2022 16:05:01 +0100 Subject: [PATCH 05/30] Update checkmarx-one.yml --- code-scanning/checkmarx-one.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) 
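Review bot: The `description` value in the new properties file runs two sentences together without a space, `"...more secure code.Scan your code..."`; it should read `"...more secure code. Scan your code..."`. This string is user-facing metadata rather than code, so the typo is visible wherever the template is listed. The file is also created without a trailing newline (`\ No newline at end of file`), which is cheaper to fix at creation than in a follow-up.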
diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index 89dcdd68ea..ffa8d85fee 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -3,7 +3,8 @@ # separate terms of service, privacy policy, and support # documentation. -# This is a basic workflow to help you get started with Using Checkmarx One Action +# This is a basic workflow to help you get started with Using Checkmarx One Action, +# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html name: Checkmarx Scan 
@@ -24,17 +25,17 @@ jobs: steps: # This step checks out a copy of your repository. - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Checkmarx scan uses: checkmarx/ast-github-action@main with: - base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx - cx_client_id: ${{ secrets.CX_CLIENT_ID }} - cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} - cx_tenant: ${{ secrets.CX_TENANT }} + base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One + cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e + cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e + cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One additional_params: --report-format sarif --output-path . - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository - sarif_file: cx_result.sarif \ No newline at end of file + sarif_file: cx_result.sarif From 4076f8b8dab71a2b12de6816f8f16f2f508dcdac Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Wed, 12 Oct 2022 16:20:46 +0100 Subject: [PATCH 06/30] Update checkmarx-one.yml --- code-scanning/checkmarx-one.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index ffa8d85fee..262ed55272 100644 
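Review bot: The inline comments added to `cx_client_id` and `cx_client_secret` each repeat the same ~200-character documentation URL, pushing both lines far past any line-length limit and duplicating the link. Move the URL to one comment above the `with:` block, e.g. `# cx_client_id / cx_client_secret: an OAuth client created in your Checkmarx One account, see <the URL currently in the inline comments>`, and keep the per-key comments to a few words. Note that `uses: checkmarx/ast-github-action@main` is left unchanged by this hunk and still tracks a moving branch; it is pinned in a later patch of this series, but the pin would have been better introduced here together with the `actions/checkout@v3` bump.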
--- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -14,10 +14,18 @@ on: types: [opened, reopened, synchronize] branches: [ $default-branch, $protected-branches ] +permissions: + contents: read + # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "build" build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif + # The type of runner that the job will run on runs-on: ubuntu-latest @@ -26,7 +34,8 @@ jobs: # This step checks out a copy of your repository. - name: Checkout repository uses: actions/checkout@v3 - - name: Checkmarx scan + # This step creates the Checkmarx One scan + - name: Checkmarx One scan uses: checkmarx/ast-github-action@main with: base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One From 0376d797710c37d032bd06418de4a56775c03882 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Wed, 12 Oct 2022 16:48:51 +0100 Subject: [PATCH 07/30] Update checkmarx.svg --- icons/checkmarx.svg | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg index 899b3bc533..fbdc9f3b67 100644 --- a/icons/checkmarx.svg +++ b/icons/checkmarx.svg @@ -1 +1,12 @@ - + + + + + + + + + + + + From b646c9c97cd4a2e9ed23bc609e2cae25e04effb9 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Mon, 17 Oct 2022 14:24:31 +0100 Subject: [PATCH 08/30] Update checkmarx-one.yml --- code-scanning/checkmarx-one.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index 262ed55272..e666ddd8a9 100644 
--- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -3,6 +3,11 @@ # separate terms of service, privacy policy, and support # documentation. +# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow. +# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository +# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling +# scan customization using the full functionality and flexibility of the CLI tool. + # This is a basic workflow to help you get started with Using Checkmarx One Action, # documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html From cef3397932c8d0fa8bf0b0d10b0e662d6d3208a9 Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 20 Oct 2022 15:14:03 +0100 Subject: [PATCH 09/30] Update checkmarx-one.yml --- code-scanning/checkmarx-one.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/checkmarx-one.yml b/code-scanning/checkmarx-one.yml index e666ddd8a9..d85c0c53ca 100644 --- a/code-scanning/checkmarx-one.yml +++ b/code-scanning/checkmarx-one.yml @@ -41,7 +41,7 @@ jobs: uses: actions/checkout@v3 # This step creates the Checkmarx One scan - name: Checkmarx One scan - uses: checkmarx/ast-github-action@main + uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc with: base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e 
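Review bot: The added header comment mixes `GitHub` and `Github` within the same sentence (`The Github Action provides easy integration with GitHub`); use `GitHub` consistently. The four new lines also run to roughly 120 columns, so wrapping them like the certification notice immediately above would keep them readable in narrow diff views and quiet yamllint's line-length rule.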
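Review bot: Pinning `checkmarx/ast-github-action` to a full commit SHA is the right change, but the line carries no comment saying which release the SHA corresponds to, so a reviewer cannot tell what is being pinned or whether a future bump is a major-version change. Add the tag as a trailing comment, `uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc # <release tag, e.g. vX.Y.Z>`, and keep it in sync whenever the SHA is bumped; Dependabot maintains such comments automatically. The same applies to the `apisec-inc/apisec-run-scan` SHA bump in the next patch of this series.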
From b56cd5718e3a1f4ab9c35471b8a7fd4db9569fbf Mon Sep 17 00:00:00 2001 From: Mohammed Asif <87167426+asifadn9@users.noreply.github.com> Date: Thu, 27 Oct 2022 16:59:58 +0530 Subject: [PATCH 10/30] Update apisec-scan.yml --- code-scanning/apisec-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 5a9b75138d..fc09be3793 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -53,7 +53,7 @@ jobs: steps: - name: APIsec scan - uses: apisec-inc/apisec-run-scan@f62d0c6fae8a80f97b091a323befdb56e6ad9993 + uses: apisec-inc/apisec-run-scan@f748a240d69ca6cd7e9532fd0a47bec4ccd6a73c with: # The APIsec username with which the scans will be executed apisec-username: ${{ secrets.apisec_username }} From 84381b5f5ca76d70f5041ab1b484b4e8bf267c7b Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Thu, 3 Nov 2022 17:29:01 +0000 Subject: [PATCH 11/30] Update checkmarx-one.properties.json --- code-scanning/properties/checkmarx-one.properties.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/properties/checkmarx-one.properties.json b/code-scanning/properties/checkmarx-one.properties.json index f5ebef8bab..c1b2eea43b 100644 --- a/code-scanning/properties/checkmarx-one.properties.json +++ b/code-scanning/properties/checkmarx-one.properties.json 
@@ -3,5 +3,5 @@ "creator": "Checkmarx", "description": "Beat vulnerabilities with more secure code.Scan your code with Checkmarx One and see results in the GitHub code scanning.", "iconName": "checkmarx", - "categories": ["Code Scanning","code-quality", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"] -} \ No newline at end of file + "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "c", "c++", "ruby", "swift", "go", "json", "kotlin", "apex", "scala", "perl"] +} From 0b50b4b57933ac53f9bf799ff67aea8c2bdcaddf Mon Sep 17 00:00:00 2001 
From: jorgectf Date: Fri, 4 Nov 2022 20:45:41 +0100 Subject: [PATCH 12/30] Remove extra whitespaces --- .github/dependabot.yml | 6 ++--- ci/ada.yml | 2 +- ci/cmake.yml | 4 +-- ci/go-ossf-slsa3-publish.yml | 8 +++--- ci/makefile.yml | 8 +++--- ci/npm-grunt.yml | 2 +- ci/npm-gulp.yml | 2 +- ci/webpack.yml | 2 +- code-scanning/apisec-scan.yml | 6 ++--- code-scanning/brakeman.yml | 2 +- code-scanning/checkmarx.yml | 2 +- code-scanning/clj-holmes.yml | 4 +-- code-scanning/clj-watson.yml | 6 ++--- code-scanning/cloudrail.yml | 6 ++--- code-scanning/codacy.yml | 2 +- code-scanning/codeql.yml | 6 ++--- code-scanning/codescan.yml | 2 +- code-scanning/contrast-scan.yml | 8 +++--- code-scanning/detekt.yml | 4 +-- code-scanning/devskim.yml | 2 +- code-scanning/eslint.yml | 4 +-- code-scanning/ethicalcheck.yml | 8 +++--- code-scanning/hadolint.yml | 2 +- code-scanning/lintr.yml | 2 +- code-scanning/mobsf.yml | 4 +-- code-scanning/msvc.yml | 2 +- code-scanning/neuralegion.yml | 4 +-- code-scanning/njsscan.yml | 2 +- code-scanning/ossar.yml | 2 +- code-scanning/phpmd.yml | 6 ++--- code-scanning/pmd.yml | 2 +- code-scanning/powershell.yml | 10 +++---- code-scanning/prisma.yml | 2 +- code-scanning/puppet-lint.yml | 2 +- code-scanning/rust-clippy.yml | 4 +-- code-scanning/securitycodescan.yml | 6 ++--- code-scanning/semgrep.yml | 2 +- code-scanning/snyk-container.yml | 2 +- code-scanning/snyk-infrastructure.yml | 2 +- code-scanning/sobelow.yml | 6 ++--- code-scanning/sonarcloud.yml | 16 ++++++------ code-scanning/soos-dast-scan.yml | 4 +-- code-scanning/synopsys-io.yml | 16 ++++++------ code-scanning/sysdig-scan.yml | 6 ++--- code-scanning/tfsec.yml | 6 ++--- code-scanning/trivy.yml | 2 +- code-scanning/veracode.yml | 2 +- code-scanning/xanitizer.yml | 2 +- code-scanning/zscan.yml | 9 +++---- deployments/alibabacloud.yml | 32 +++++++++++------------ deployments/azure-container-webapp.yml | 2 +- deployments/azure-webapps-dotnet-core.yml | 2 +- deployments/azure-webapps-java-jar.yml | 
2 +- deployments/azure-webapps-node.yml | 2 +- deployments/azure-webapps-python.yml | 8 +++--- deployments/tencent.yml | 12 ++++----- 56 files changed, 140 insertions(+), 141 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 62283f9e3c..ee66df244f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,12 +5,12 @@ version: 2 updates: - - package-ecosystem: "npm" + - package-ecosystem: "npm" directory: "/" schedule: interval: "weekly" - - - package-ecosystem: "github-actions" + + - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" diff --git a/ci/ada.yml b/ci/ada.yml index 7e94b3855e..417ed2e006 100644 --- a/ci/ada.yml +++ b/ci/ada.yml @@ -17,7 +17,7 @@ jobs: - name: Set up GNAT toolchain run: > - sudo apt-get update && + sudo apt-get update && sudo apt-get install gnat gprbuild - name: Build diff --git a/ci/cmake.yml b/ci/cmake.yml index 6f06f756ca..95d7efd7cf 100644 --- a/ci/cmake.yml +++ b/ci/cmake.yml @@ -31,7 +31,7 @@ jobs: - name: Test working-directory: ${{github.workspace}}/build - # Execute tests defined by the CMake configuration. + # Execute tests defined by the CMake configuration. # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail run: ctest -C ${{env.BUILD_TYPE}} - + diff --git a/ci/go-ossf-slsa3-publish.yml b/ci/go-ossf-slsa3-publish.yml index a7388752f0..b357cc07d9 100644 --- a/ci/go-ossf-slsa3-publish.yml +++ b/ci/go-ossf-slsa3-publish.yml 
@@ -3,10 +3,10 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow lets you compile your Go project using a SLSA3 compliant builder. -# This workflow will generate a so-called "provenance" file describing the steps +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps # that were performed to generate the final binary. -# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# The project is an initiative of the OpenSSF (openssf.org) and is developed at # https://github.com/slsa-framework/slsa-github-generator. # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. # For more information about SLSA and how it improves the supply-chain, visit slsa.dev. @@ -21,7 +21,7 @@ permissions: read-all jobs: # ======================================================================================================================================== - # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. + # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file #========================================================================================================================================= build: diff --git a/ci/makefile.yml b/ci/makefile.yml index 0156944cdc..1b53855ad3 100644 --- a/ci/makefile.yml +++ b/ci/makefile.yml @@ -13,15 +13,15 @@ jobs: steps: - uses: actions/checkout@v3 - + - name: configure run: ./configure - + - name: Install dependencies run: make - + - name: Run check run: make check - + - name: Run distcheck run: make distcheck diff --git a/ci/npm-grunt.yml b/ci/npm-grunt.yml index e39ddbfe7c..0bcbd1c9ff 100644 --- a/ci/npm-grunt.yml +++ b/ci/npm-grunt.yml 
@@ -13,7 +13,7 @@ jobs: strategy: matrix: node-version: [14.x, 16.x, 18.x] - + steps: - uses: actions/checkout@v3 diff --git a/ci/npm-gulp.yml b/ci/npm-gulp.yml index 7606deaf43..7d79002e88 100644 --- a/ci/npm-gulp.yml +++ b/ci/npm-gulp.yml @@ -13,7 +13,7 @@ jobs: strategy: matrix: node-version: [14.x, 16.x, 18.x] - + steps: - uses: actions/checkout@v3 diff --git a/ci/webpack.yml b/ci/webpack.yml index 0bc6406270..2b8b18a805 100644 --- a/ci/webpack.yml +++ b/ci/webpack.yml @@ -13,7 +13,7 @@ jobs: strategy: matrix: node-version: [14.x, 16.x, 18.x] - + steps: - uses: actions/checkout@v3 diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 209e882d9b..09f50cd3b0 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -3,8 +3,8 @@ # separate terms of service, privacy policy, and support # documentation. -# APIsec addresses the critical need to secure APIs before they reach production. -# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. +# APIsec addresses the critical need to secure APIs before they reach production. +# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. # Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities. # How to Get Started with APIsec.ai @@ -50,7 +50,7 @@ jobs: Trigger_APIsec_scan: permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: 
diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml index 957343c7fe..5547c592c9 100644 --- a/code-scanning/brakeman.yml +++ b/code-scanning/brakeman.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Brakeman Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/checkmarx.yml b/code-scanning/checkmarx.yml index 9bdb136065..582488a128 100644 --- a/code-scanning/checkmarx.yml +++ b/code-scanning/checkmarx.yml @@ -29,7 +29,7 @@ jobs: issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) diff --git a/code-scanning/clj-holmes.yml b/code-scanning/clj-holmes.yml index 4487e237de..87f11cbceb 100644 --- a/code-scanning/clj-holmes.yml +++ b/code-scanning/clj-holmes.yml @@ -16,7 +16,7 @@ on: permissions: contents: read - + jobs: clj-holmes: name: Run clj-holmes scanning 
@@ -24,7 +24,7 @@ jobs: permissions: contents: read security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml index 76903a9d04..59bfd41b8a 100644 --- a/code-scanning/clj-watson.yml +++ b/code-scanning/clj-watson.yml @@ -6,7 +6,7 @@ # seeking for vulnerable direct/transitive dependencies and # build a report with all the information needed to help you # understand how the vulnerability manifest in your software. -# More details at https://github.com/clj-holmes/clj-watson +# More details at https://github.com/clj-holmes/clj-watson name: clj-watson @@ -29,7 +29,7 @@ jobs: permissions: contents: read security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 @@ -40,7 +40,7 @@ jobs: clj-watson-sha: "65d928c" clj-watson-tag: "v4.0.1" database-strategy: github-advisory - aliases: clojure-lsp,test + aliases: clojure-lsp,test deps-edn-path: deps.edn suggest-fix: true output-type: sarif diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 4a0cd73c00..e5defa3c57 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -9,7 +9,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly 
@@ -26,7 +26,7 @@ jobs: - name: Clone repo uses: actions/checkout@v3 - # For Terraform, Cloudrail requires the plan as input. So we generate it using + # For Terraform, Cloudrail requires the plan as input. So we generate it using # the Terraform core binary. - uses: hashicorp/setup-terraform@v1 with: @@ -53,6 +53,6 @@ jobs: uses: github/codeql-action/upload-sarif@v2 # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() # is needed to ensure the SARIF file is uploaded - if: always() + if: always() with: sarif_file: cloudrail_results.sarif diff --git a/code-scanning/codacy.yml b/code-scanning/codacy.yml index 7b705bd10d..bbb211857c 100644 --- a/code-scanning/codacy.yml +++ b/code-scanning/codacy.yml @@ -30,7 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Codacy Security Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 34c5de72a1..3f0ecfbd5c 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml 
@@ -48,11 +48,11 @@ jobs: # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. - + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality - + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild @@ -61,7 +61,7 @@ jobs: # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - # If the Autobuild fails above, remove it and uncomment the following three lines. + # If the Autobuild fails above, remove it and uncomment the following three lines. # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. # - run: | diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index a9f10535e3..0959d232d1 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout repository diff --git a/code-scanning/contrast-scan.yml b/code-scanning/contrast-scan.yml index 4e4deb7c40..ff3d9d3a84 100644 
--- a/code-scanning/contrast-scan.yml +++ b/code-scanning/contrast-scan.yml @@ -8,7 +8,7 @@ # Contrast Scan currently supports Java, JavaScript and .NET artifacts. # For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action -# Pre-requisites: +# Pre-requisites: # All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action. # The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER. @@ -30,7 +30,7 @@ jobs: permissions: contents: read # for actions/checkout security-events: write # for github/codeql-action/upload-sarif - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest # check out project steps: @@ -38,7 +38,7 @@ jobs: # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here. # -name: Build Project # ... - # Scan Artifact + # Scan Artifact - name: Contrast Scan Action uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 with: @@ -46,7 +46,7 @@ jobs: apiKey: ${{ secrets.CONTRAST_API_KEY }} orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} - #Upload the results to GitHub + #Upload the results to GitHub - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 0c65813487..a13a5170a7 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml 
@@ -69,13 +69,13 @@ jobs: } } ' 1> gh_response.json - + DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json) if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then echo "Release tag doesn't match expected commit SHA" exit 1 fi - + DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" diff --git a/code-scanning/devskim.yml b/code-scanning/devskim.yml index bf1126103b..4abd6ca0cf 100644 --- a/code-scanning/devskim.yml +++ b/code-scanning/devskim.yml @@ -27,7 +27,7 @@ jobs: - name: Run DevSkim scanner uses: microsoft/DevSkim-Action@v1 - + - name: Upload DevSkim scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 54b01c839e..fcb4f217ac 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: read security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 @@ -39,7 +39,7 @@ jobs: run: npx eslint . --config .eslintrc.js --ext .js,.jsx,.ts,.tsx - --format @microsoft/eslint-formatter-sarif + --format @microsoft/eslint-formatter-sarif --output-file eslint-results.sarif continue-on-error: true diff --git a/code-scanning/ethicalcheck.yml b/code-scanning/ethicalcheck.yml index 2818bc695d..a68d0a2c7c 100644 --- a/code-scanning/ethicalcheck.yml +++ b/code-scanning/ethicalcheck.yml 
@@ -44,12 +44,12 @@ on: permissions: contents: read - + jobs: Trigger_EthicalCheck: permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: @@ -61,9 +61,9 @@ jobs: # The email address to which the penetration test report will be sent. email: "xxx@apisec.ai" sarif-result-file: "ethicalcheck-results.sarif" - + - name: Upload sarif file to repository uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ./ethicalcheck-results.sarif - + diff --git a/code-scanning/hadolint.yml b/code-scanning/hadolint.yml index 315365282e..68aebaadb6 100644 --- a/code-scanning/hadolint.yml +++ b/code-scanning/hadolint.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/code-scanning/lintr.yml b/code-scanning/lintr.yml index 350df19701..8a6de5796d 100644 --- a/code-scanning/lintr.yml +++ b/code-scanning/lintr.yml 
@@ -29,7 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/mobsf.yml b/code-scanning/mobsf.yml index 1013749c50..21462488cf 100644 --- a/code-scanning/mobsf.yml +++ b/code-scanning/mobsf.yml @@ -9,7 +9,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -21,7 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/msvc.yml b/code-scanning/msvc.yml index e8dac8842d..172d855551 100644 --- a/code-scanning/msvc.yml +++ b/code-scanning/msvc.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Analyze runs-on: windows-latest diff --git a/code-scanning/neuralegion.yml b/code-scanning/neuralegion.yml index e24e14a753..e9189d5e53 100644 
--- a/code-scanning/neuralegion.yml +++ b/code-scanning/neuralegion.yml @@ -50,7 +50,7 @@ # # `restart_scan` # -# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. +# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. # # _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)` # @@ -95,7 +95,7 @@ # # `hosts_filter` # -# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. +# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. # # Outputs # diff --git a/code-scanning/njsscan.yml b/code-scanning/njsscan.yml index d766a6fcb6..81e3650c6d 100644 --- a/code-scanning/njsscan.yml +++ b/code-scanning/njsscan.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: njsscan code scanning steps: diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index 2bd91dd92b..63a7515fbf 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: windows-latest steps: diff --git a/code-scanning/phpmd.yml b/code-scanning/phpmd.yml index d10ace1e09..686551ae8c 100644 --- a/code-scanning/phpmd.yml +++ b/code-scanning/phpmd.yml 
@@ -2,9 +2,9 @@ # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. -# PHPMD is a spin-off project of PHP Depend and +# PHPMD is a spin-off project of PHP Depend and # aims to be a PHP equivalent of the well known Java tool PMD. -# What PHPMD does is: It takes a given PHP source code base +# What PHPMD does is: It takes a given PHP source code base # and look for several potential problems within that source. # These problems can be things like: # Possible bugs @@ -34,7 +34,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 8115116ead..6b5b7ea299 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -21,7 +21,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index 02e5de77f1..1e8a4267de 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -16,7 +16,7 @@ on: branches: [ $default-branch ] schedule: - cron: $cron-weekly - + permissions: contents: read 
@@ -25,7 +25,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: PSScriptAnalyzer runs-on: ubuntu-latest steps: @@ -37,11 +37,11 @@ jobs: # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. path: .\ - recurse: true - # Include your own basic security rules. Removing this option will run all the rules + recurse: true + # Include your own basic security rules. Removing this option will run all the rules includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"' output: results.sarif - + # Upload the SARIF file generated in the previous step - name: Upload SARIF results file uses: github/codeql-action/upload-sarif@v2 diff --git a/code-scanning/prisma.yml b/code-scanning/prisma.yml index 1a12b86d79..9b24386948 100644 --- a/code-scanning/prisma.yml +++ b/code-scanning/prisma.yml @@ -29,7 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest name: Run Prisma Cloud IaC Scan to check steps: diff --git a/code-scanning/puppet-lint.yml b/code-scanning/puppet-lint.yml index 50b86dbbbb..26b6cca0bc 100644 --- a/code-scanning/puppet-lint.yml +++ b/code-scanning/puppet-lint.yml 
@@ -29,7 +29,7 @@ jobs: permissions: contents: read # for checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index c5f10ee747..90583f342f 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -4,7 +4,7 @@ # documentation. # rust-clippy is a tool that runs a bunch of lints to catch common # mistakes in your Rust code and help improve your Rust code. -# More details at https://github.com/rust-lang/rust-clippy +# More details at https://github.com/rust-lang/rust-clippy # and https://rust-lang.github.io/rust-clippy/ name: rust-clippy analyze @@ -25,7 +25,7 @@ jobs: permissions: contents: read security-events: write - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/securitycodescan.yml b/code-scanning/securitycodescan.yml index b6ee5ad7b8..7a93d8aa9d 100644 --- a/code-scanning/securitycodescan.yml +++ b/code-scanning/securitycodescan.yml @@ -24,11 +24,11 @@ jobs: - uses: actions/checkout@v3 - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 - uses: microsoft/setup-msbuild@v1.0.2 - + - name: Set up projects for analysis uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d - - - name: Restore dependencies + + - name: Restore dependencies run: dotnet restore - name: Build 
diff --git a/code-scanning/semgrep.yml b/code-scanning/semgrep.yml index b10a9307f1..23486e4901 100644 --- a/code-scanning/semgrep.yml +++ b/code-scanning/semgrep.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index a232c539c7..c3756c8610 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -30,7 +30,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index 3ca10353ed..aedf2a3c2b 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -29,7 +29,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 
diff --git a/code-scanning/sobelow.yml b/code-scanning/sobelow.yml index 7d38c7740f..61d376f45e 100644 --- a/code-scanning/sobelow.yml +++ b/code-scanning/sobelow.yml @@ -16,7 +16,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -28,11 +28,11 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v3 - id: run-action uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 - name: Upload report diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index ff388c8d77..41075e4efb 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -# This workflow helps you trigger a SonarCloud analysis of your code and populates +# This workflow helps you trigger a SonarCloud analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. # Free for open source project. 
@@ -11,16 +11,16 @@ # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. -# * Please note that many languages are eligible for automatic analysis, +# * Please note that many languages are eligible for automatic analysis, # which means that the analysis will start automatically without the need to set up GitHub Actions. # * This behavior can be changed in Administration > Analysis Method. -# +# # 3. Follow the SonarCloud in-product tutorial # * a. Copy/paste the Project Key and the Organization Key into the args parameter below # (You'll find this information in SonarCloud. Click on "Information" at the bottom left) # # * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN -# (On SonarCloud, click on your avatar on top-right > My account > Security +# (On SonarCloud, click on your avatar on top-right > My account > Security # or go directly to https://sonarcloud.io/account/security/) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) @@ -41,9 +41,9 @@ permissions: jobs: Analysis: runs-on: ubuntu-latest - + steps: - - name: Analyze with SonarCloud + - name: Analyze with SonarCloud # You can pin the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 @@ -53,7 +53,7 @@ jobs: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments for the sonarcloud scanner - args: + args: # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) # mandatory -Dsonar.projectKey= 
@@ -65,4 +65,4 @@ jobs: # Comma-separated paths to directories containing test source files. #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - #-Dsonar.verbose= # optional, default is false + #-Dsonar.verbose= # optional, default is false diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 95dfd673cb..2ab3d4c9b1 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -12,7 +12,7 @@ # # 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here. # -# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. +# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. # # 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token. # @@ -29,7 +29,7 @@ jobs: soos: permissions: security-events: write # for uploading code scanning alert info - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: SOOS DAST Scan runs-on: ubuntu-latest steps: diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index c32334c643..61169e2c67 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml 
@@ -22,11 +22,11 @@ jobs: actions: read contents: read security-events: write - + steps: - name: Checkout repository uses: actions/checkout@v3 - + - name: Synopsys Intelligent Security Scan id: prescription uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 @@ -36,7 +36,7 @@ jobs: workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} stage: "IO" - + # Please note that the ID in previous step was set to prescription # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN # is defined in settings @@ -48,7 +48,7 @@ jobs: wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip unzip -j polaris_cli-linux64.zip -d /tmp /tmp/polaris analyze -w - + # Please note that the ID in previous step was set to prescription # in order for this logic to work - name: Software Composition Analysis with Black Duck @@ -56,7 +56,7 @@ jobs: uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38 with: args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' - + - name: Synopsys Intelligent Security Scan if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 
@@ -64,11 +64,11 @@ jobs: ioServerUrl: ${{secrets.IO_SERVER_URL}} ioServerToken: ${{secrets.IO_SERVER_TOKEN}} workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} - additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} - --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} + --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} stage: "WORKFLOW" - + - name: Upload SARIF file if: ${{steps.prescription.outputs.sastScan == 'true' }} uses: github/codeql-action/upload-sarif@v2 diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml index f9b61b9c80..8c13a4bd1e 100644 --- a/code-scanning/sysdig-scan.yml +++ b/code-scanning/sysdig-scan.yml @@ -24,7 +24,7 @@ jobs: checks: write # for sysdiglabs/scan-action to publish the checks contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: 
@@ -39,7 +39,7 @@ jobs: id: scan uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 with: - # Tag of the image to analyse. + # Tag of the image to analyse. # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above image-tag: ${{ github.repository }}:latest # API token for Sysdig Scanning auth @@ -47,7 +47,7 @@ jobs: # Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ # US-East https://secure.sysdig.com # US-West https://us2.app.sysdig.com - # EU https://eu1.app.sysdig.com + # EU https://eu1.app.sysdig.com sysdig-secure-url: https://us2.app.sysdig.com dockerfile-path: ./Dockerfile input-type: docker-daemon diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 77f81566ba..48ee4d2243 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -9,7 +9,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] schedule: - cron: $cron-weekly @@ -29,10 +29,10 @@ jobs: - name: Run tfsec uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f with: - sarif_file: tfsec.sarif + sarif_file: tfsec.sarif - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository - sarif_file: tfsec.sarif + sarif_file: tfsec.sarif diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml index f56d9e5b98..4a8fe41ed7 100644 --- a/code-scanning/trivy.yml +++ b/code-scanning/trivy.yml 
@@ -22,7 +22,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build runs-on: "ubuntu-18.04" steps: diff --git a/code-scanning/veracode.yml b/code-scanning/veracode.yml index 89d35df251..04fc8146e6 100644 --- a/code-scanning/veracode.yml +++ b/code-scanning/veracode.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 5724a977d3..8fd5c7b497 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -51,7 +51,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml index 1ac6bbdde3..7f035f53ec 100644 --- a/code-scanning/zscan.yml +++ b/code-scanning/zscan.yml 
@@ -3,16 +3,16 @@ # separate terms of service, privacy policy, and support # documentation. # -# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) +# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) # and identifies security, privacy, and compliance-related vulnerabilities. ​ # # Prerequisites: ​ # * An active Zimperium zScan account is required. If you are not an existing Zimperium # zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us. -# * Either GitHub Advanced Security (GHAS) or a public repository is required to display +# * Either GitHub Advanced Security (GHAS) or a public repository is required to display # issues and view the remediation information inside of GitHub code scanning alerts. ​ # -# For additional information and setup instructions +# For additional information and setup instructions # please visit: https://github.com/Zimperium/zScanMarketplace#readme name: "Zimperium zScan" @@ -33,7 +33,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout repository uses: actions/checkout@v3 @@ -58,4 +58,3 @@ jobs: uses: github/codeql-action/upload-sarif@v2 with: sarif_file: Zimperium.sarif - \ No newline at end of file diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 9853b75bd0..96d5d3865d 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml 
@@ -3,7 +3,7 @@ # # To use this workflow, you will need to complete the following set-up steps: # -# 1. Create an ACR repository to store your container images. +# 1. Create an ACR repository to store your container images. # You can use ACR EE instance for more security and better performance. # For instructions see https://www.alibabacloud.com/help/doc-detail/142168.htm # @@ -14,7 +14,7 @@ # 3. Store your AccessKey pair in GitHub Actions secrets named `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET`. # For instructions on setting up secrets see: https://developer.github.com/actions/managing-workflows/storing-secrets/ # -# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME. +# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME. # name: Build and Deploy to ACK @@ -46,12 +46,12 @@ jobs: build: runs-on: ubuntu-latest environment: production - + steps: - name: Checkout uses: actions/checkout@v3 - - # 1.1 Login to ACR + + # 1.1 Login to ACR - name: Login to ACR with the AccessKey pair uses: aliyun/acr-login@v1 with: @@ -59,13 +59,13 @@ jobs: access-key-id: "${{ secrets.ACCESS_KEY_ID }}" access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" - # 1.2 Buid and push image to ACR - - name: Build and push image to ACR + # 1.2 Buid and push image to ACR + - name: Build and push image to ACR run: | - docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" . - docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" - - # 1.3 Scan image in ACR + docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" . + docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" + + # 1.3 Scan image in ACR - name: Scan image in ACR uses: aliyun/acr-scan@v1 with: 
@@ -75,7 +75,7 @@ jobs: repository: "${{ env.NAMESPACE }}/${{ env.IMAGE }}" tag: "${{ env.TAG }}" - # 2.1 (Optional) Login to ACR EE + # 2.1 (Optional) Login to ACR EE - uses: actions/checkout@v3 - name: Login to ACR EE with the AccessKey pair uses: aliyun/acr-login@v1 @@ -86,12 +86,12 @@ jobs: access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" instance-id: "${{ env.ACR_EE_INSTANCE_ID }}" - # 2.2 (Optional) Build and push image ACR EE - - name: Build and push image to ACR EE + # 2.2 (Optional) Build and push image ACR EE + - name: Build and push image to ACR EE run: | docker build -t "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" . docker push "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" - # 2.3 (Optional) Scan image in ACR EE + # 2.3 (Optional) Scan image in ACR EE - name: Scan image in ACR EE uses: aliyun/acr-scan@v1 with: @@ -102,7 +102,7 @@ jobs: repository: "${{ env.ACR_EE_NAMESPACE}}/${{ env.ACR_EE_IMAGE }}" tag: "${{ env.ACR_EE_TAG }}" - # 3.1 Set ACK context + # 3.1 Set ACK context - name: Set K8s context uses: aliyun/ack-set-context@v1 with: diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index cc2e1ddd56..4d98340739 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -11,7 +11,7 @@ # 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. # For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret # -# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions. +# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions. # # 4. Create three app settings on your Azure Web app: # DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io" 
diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 9b2189554d..005aef2d7e 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -43,7 +43,7 @@ jobs: uses: actions/setup-dotnet@v2 with: dotnet-version: ${{ env.DOTNET_VERSION }} - + - name: Set up dependency caching for faster builds uses: actions/cache@v3 with: diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 60fa68c188..c29d871aa4 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -63,7 +63,7 @@ jobs: environment: name: 'Development' url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - + steps: - name: Download artifact from build job uses: actions/download-artifact@v3 diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index 98e72c2c02..c72b1beff0 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -70,7 +70,7 @@ jobs: name: node-app - name: 'Deploy to Azure WebApp' - id: deploy-to-webapp + id: deploy-to-webapp uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index d7aa802532..0ce3ce9b8a 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -51,15 +51,15 @@ jobs: - name: Install dependencies run: pip install -r requirements.txt - + # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - + - name: Upload artifact for deployment jobs uses: actions/upload-artifact@v3 with: name: python-app path: | - . + . !venv/ deploy: @@ -77,7 +77,7 @@ jobs: with: name: python-app path: . - + - name: 'Deploy to Azure Web App' id: deploy-to-webapp uses: azure/webapps-deploy@v2 diff --git a/deployments/tencent.yml b/deployments/tencent.yml index ba65fe52af..3d228548a8 100644 
--- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -2,12 +2,12 @@ # # To configure this workflow: # -# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster, +# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster, # including deployment.yml, kustomization.yml, service.yml, etc. # -# 2. Set up secrets in your workspace: +# 2. Set up secrets in your workspace: # - TENCENT_CLOUD_SECRET_ID with Tencent Cloud secret id -# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key +# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key # - TENCENT_CLOUD_ACCOUNT_ID with Tencent Cloud account id # - TKE_REGISTRY_PASSWORD with TKE registry password # @@ -38,10 +38,10 @@ jobs: - name: Checkout uses: actions/checkout@v3 - + # Build - name: Build Docker image - run: | + run: | docker build -t ${TKE_IMAGE_URL}:${GITHUB_SHA} . - name: Login TKE Registry @@ -65,7 +65,7 @@ jobs: secret_key: ${{ secrets.TENCENT_CLOUD_SECRET_KEY }} tke_region: ${{ env.TKE_REGION }} cluster_id: ${{ env.TKE_CLUSTER_ID }} - + - name: Switch to TKE context run: | kubectl config use-context ${TKE_CLUSTER_ID}-context-default From ad25137ca3ada5e5c710879bb33862cb3f6c9edd Mon Sep 17 00:00:00 2001 From: Tiago Baptista <92083272+tiagobcx@users.noreply.github.com> Date: Mon, 7 Nov 2022 10:21:52 -0600 Subject: [PATCH 13/30] Update checkmarx.svg --- icons/checkmarx.svg | 81 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 71 insertions(+), 10 deletions(-) diff --git a/icons/checkmarx.svg b/icons/checkmarx.svg index fbdc9f3b67..7c5b4d9c58 100644 --- a/icons/checkmarx.svg +++ b/icons/checkmarx.svg @@ -1,12 +1,73 @@ - - - + + - - - - - - - + + + + + + + + + + + + + + From 417e1b988833bf9a2e61584d6ac86f0235e3116c Mon Sep 17 00:00:00 2001 
From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Tue, 8 Nov 2022 14:09:19 +0100 Subject: [PATCH 14/30] Apply suggestions from code review Co-authored-by: Sampark Sharma --- code-scanning/zscan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/zscan.yml b/code-scanning/zscan.yml index 7f035f53ec..01c3b0577f 100644 --- a/code-scanning/zscan.yml +++ b/code-scanning/zscan.yml @@ -6,11 +6,11 @@ # The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) # and identifies security, privacy, and compliance-related vulnerabilities. ​ # -# Prerequisites: ​ +# Prerequisites: # * An active Zimperium zScan account is required. If you are not an existing Zimperium # zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us. # * Either GitHub Advanced Security (GHAS) or a public repository is required to display -# issues and view the remediation information inside of GitHub code scanning alerts. ​ +# issues and view the remediation information inside of GitHub code scanning alerts.​ # # For additional information and setup instructions # please visit: https://github.com/Zimperium/zScanMarketplace#readme From ff2f23cb02201f3dec599148501033e5b9e7f164 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 8 Nov 2022 16:05:26 +0200 Subject: [PATCH 15/30] Update frogbot-scan-pr.yml --- code-scanning/frogbot-scan-pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml index bd1a9c2dc6..74ee41e1ba 100644 --- a/code-scanning/frogbot-scan-pr.yml +++ b/code-scanning/frogbot-scan-pr.yml 
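Review bot: The second changed line still ends with a zero-width character (apparently U+200B) after `alerts.`, so the cleanup this commit applies to the `Prerequisites:` line is incomplete, and the unchanged context line ending `vulnerabilities. ​` carries the same character. Stripping it from both, e.g. `# issues and view the remediation information inside of GitHub code scanning alerts.`, keeps the header comment free of non-printing characters that editors and diff tools render inconsistently and that later whitespace-trimming commits will not catch.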
@@ -42,7 +42,7 @@ jobs: # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request - - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 + - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) From 762810aba56b19721e194f22cf5ee461b36eb635 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 8 Nov 2022 16:05:42 +0200 Subject: [PATCH 16/30] Update frogbot-scan-and-fix.yml --- code-scanning/frogbot-scan-and-fix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml index 0089f10831..12414a12fc 100644 --- a/code-scanning/frogbot-scan-and-fix.yml +++ b/code-scanning/frogbot-scan-and-fix.yml @@ -37,7 +37,7 @@ jobs: # node-version: "16.x" - - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250 + - uses: jfrog/frogbot@b92e53d9631139a697cb71d9e70229a70ca56694 env: # [Mandatory] # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) From 4050b957a2285c70272bc6bfdb4b2443847d09cf Mon Sep 17 00:00:00 2001 From: SOOS-JAlvarez Date: Tue, 8 Nov 2022 15:34:49 -0300 Subject: [PATCH 17/30] update soos dast version --- code-scanning/soos-dast-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 47f6c4892e..8723a8b7d1 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml 
@@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Scan - uses: soos-io/soos-dast-github-action@5f8e2a1994d618e6ac9902e0f491fd1656b698e6 + uses: soos-io/soos-dast-github-action@5b9c65687cee49aee1c776759f25561f908be565 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} From a31c09a4f1fd94bb31fb3e8955e4c05c0b855cc1 Mon Sep 17 00:00:00 2001 From: Arjan Keeman Date: Tue, 15 Nov 2022 09:52:54 +0100 Subject: [PATCH 18/30] update deprecated syntax see https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ --- deployments/aws.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/aws.yml b/deployments/aws.yml index 958584480d..af7d87d707 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -75,7 +75,7 @@ jobs: # be deployed to ECS. docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" + echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT - name: Fill in the new image ID in the Amazon ECS task definition id: task-def From a749535e85718bb29553b8e7f6b5217e71a5ccd1 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Wed, 16 Nov 2022 01:05:10 +0100 Subject: [PATCH 19/30] Add lint workflow --- .github/workflows/lint.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/lint.yaml diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml new file mode 100644 index 0000000000..cd3fb3d5cf --- /dev/null +++ b/.github/workflows/lint.yaml 
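Review bot: `echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT` leaves the redirect target unquoted; it should read `>> "$GITHUB_OUTPUT"` so a runner path containing spaces cannot split the redirection. The same unquoted form appears in every `$GITHUB_OUTPUT` line of the pages/astro.yml, pages/gatsby.yml, pages/nextjs.yml and pages/nuxtjs.yml hunks of patch 24 and in the pages/astro.yml hunk of patch 25. With the file-based mechanism a newline inside the echoed value would start a new output record, so values written this way should come only from workflow-controlled sources; the `run:` script here begins outside the hunk, so where `$IMAGE_TAG` is set cannot be checked from it.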
@@ -0,0 +1,32 @@ +name: Lint + +on: + pull_request: + branches: + - main + +jobs: + + pre-commit: + name: pre-commit + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - uses: actions/setup-python@v4 + with: + python-version: 3.8 + cache: 'pip' + + - name: Cache pre-commit + uses: actions/cache@v3 + with: + path: ~/.cache/pre-commit + key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }} + + - name: Install pre-commit + run: pip3 install pre-commit + + - name: Run pre-commit + run: pre-commit run --all-files --show-diff-on-failure --color always \ No newline at end of file From 6cd7a70d9f1db1f8485ccb48d863ef766fa0fbc1 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Wed, 16 Nov 2022 01:05:19 +0100 Subject: [PATCH 20/30] Add pre-commit configuration file --- .pre-commit-config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000000..7699e821c1 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,5 @@ +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.3.0 + hooks: + - id: trailing-whitespace \ No newline at end of file From 5bc87732339ec6887dbd6275cb90686464b3de3c Mon Sep 17 00:00:00 2001 From: jorgectf Date: Wed, 16 Nov 2022 01:16:46 +0100 Subject: [PATCH 21/30] Remove pip cache --- .github/workflows/lint.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index cd3fb3d5cf..76c82c2146 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -17,7 +17,6 @@ jobs: - uses: actions/setup-python@v4 with: python-version: 3.8 - cache: 'pip' - name: Cache pre-commit uses: actions/cache@v3 From edcef6ec3eb410566c2f21feaae17d5c4eacef6c Mon Sep 17 00:00:00 2001 
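Review bot: The new workflow has no top-level `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` grant although checkout, setup-python, cache and pre-commit only need read access; add `permissions:` / `  contents: read` under `name: Lint`. `python-version: 3.8` is an unquoted float and should be `python-version: "3.8"` (a later bump to 3.10 would otherwise be read as 3.1). `pip3 install pre-commit` installs whichever release is current on each run and the actions are referenced by moving major tags, whereas the code-scanning templates in this same series pin actions to full commit SHAs; consider `pip3 install pre-commit==<chosen-version>` and SHA pins for consistency.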
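Review bot: `rev: v4.3.0` in the new .pre-commit-config.yaml references a mutable tag, so the hook code that the lint job installs and runs on every pull request can change without any edit to this repository. pre-commit accepts a full commit SHA in `rev`, and `pre-commit autoupdate --freeze` writes one while keeping the tag in a trailing comment; pinning to the SHA matches how the rest of this series pins third-party actions.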
From: laurentsimon Date: Tue, 22 Nov 2022 19:23:58 +0000 Subject: [PATCH 22/30] update --- code-scanning/scorecards.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/scorecards.yml b/code-scanning/scorecards.yml index 11e305f3f3..0e42bae847 100644 --- a/code-scanning/scorecards.yml +++ b/code-scanning/scorecards.yml @@ -41,11 +41,11 @@ jobs: with: results_file: results.sarif results_format: sarif - # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecards on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. - # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + # repo_token: ${{ secrets.SCORECARD_TOKEN }} # Public repositories: # - Publish results to OpenSSF REST API for easy access by consumers From d0d2da4fd3080c5a70fddd00f554a21a5aeef591 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 22 Nov 2022 13:38:23 -0600 Subject: [PATCH 23/30] Astro: Update to use the detected package manager --- pages/astro.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 1d4ec5fcb8..54d46727d6 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -40,12 +40,10 @@ jobs: if [ -f "${{ github.workspace }}/yarn.lock" ]; then echo "::set-output name=manager::yarn" echo "::set-output name=command::install" - echo "::set-output name=runner::yarn" exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then echo "::set-output name=manager::npm" echo "::set-output name=command::ci" - echo "::set-output name=runner::npx --no-install" exit 0 else echo "Unable to determine packager manager" 
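Review bot: The comment now reads `# (Optional) "write" PAT token.` which tells the reader neither which scopes are required nor why a read-only token is no longer enough, so users are likely to mint a broader PAT than the check needs. Since the only consumer is the commented-out `repo_token` line, a comment that defers to the exact scope list on the linked page, e.g. `# (Optional) PAT with the scopes listed at https://github.com/ossf/scorecard-action#authentication-with-pat.`, keeps the secret least-privilege without guessing in the template.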
@@ -57,9 +55,14 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json - - run: npm install && npm run build + - name: Install dependencies + run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} working-directory: ${{ env.BUILD_PATH }} - - uses: actions/upload-pages-artifact@v1 + - name: Build with Astro + run: ${{ steps.detect-package-manager.outputs.manager }} run build + working-directory: ${{ env.BUILD_PATH }} + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 with: path: ${{ env.BUILD_PATH }}/dist From 1ffc2dce9f0e0d25af6d872223730be7badd2a93 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 22 Nov 2022 13:43:51 -0600 Subject: [PATCH 24/30] Pages: Update Node.js-based workflows to use non-deprecated mechanism for setting outputs See https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ --- pages/astro.yml | 8 ++++---- pages/gatsby.yml | 8 ++++---- pages/nextjs.yml | 12 ++++++------ pages/nuxtjs.yml | 8 ++++---- 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 54d46727d6..9f845f3f86 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -38,12 +38,12 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 4f2857d8ca..7db9291386 100644 --- a/pages/gatsby.yml 
+++ b/pages/gatsby.yml @@ -39,12 +39,12 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 5c2bf67187..7e39f832ad 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -34,14 +34,14 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" - echo "::set-output name=runner::yarn" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT + echo "runner=yarn" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" - echo "::set-output name=runner::npx --no-install" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT + echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 4178f18125..660202e8d6 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml 
@@ -34,12 +34,12 @@ jobs: id: detect-package-manager run: | if [ -f "${{ github.workspace }}/yarn.lock" ]; then - echo "::set-output name=manager::yarn" - echo "::set-output name=command::install" + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then - echo "::set-output name=manager::npm" - echo "::set-output name=command::ci" + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" From c868fdbf8caaf8ec83c4b4e884a8546044d8c46b Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Tue, 22 Nov 2022 21:47:03 -0600 Subject: [PATCH 25/30] Pages: Configure Astro origin and base path using CLI arguments --- pages/astro.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/pages/astro.yml b/pages/astro.yml index 9f845f3f86..77f29248e2 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -40,10 +40,12 @@ jobs: if [ -f "${{ github.workspace }}/yarn.lock" ]; then echo "manager=yarn" >> $GITHUB_OUTPUT echo "command=install" >> $GITHUB_OUTPUT + echo "runner=yarn" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then echo "manager=npm" >> $GITHUB_OUTPUT echo "command=ci" >> $GITHUB_OUTPUT + echo "runner=npx --no-install" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine packager manager" 
@@ -55,11 +57,17 @@ jobs: node-version: "16" cache: ${{ steps.detect-package-manager.outputs.manager }} cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json + - name: Setup Pages + id: pages + uses: actions/configure-pages@v2 - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} working-directory: ${{ env.BUILD_PATH }} - name: Build with Astro - run: ${{ steps.detect-package-manager.outputs.manager }} run build + run: | + ${{ steps.detect-package-manager.outputs.runner }} astro build \ + --site "${{ steps.pages.outputs.origin }}" \ + --base "${{ steps.pages.outputs.base_path }}" working-directory: ${{ env.BUILD_PATH }} - name: Upload artifact uses: actions/upload-pages-artifact@v1 From 2f81287648d16dc1cda091d44b06368c5e73af73 Mon Sep 17 00:00:00 2001 From: Nguyen Long Nhat <27698189+torn4dom4n@users.noreply.github.com> Date: Mon, 21 Nov 2022 01:17:23 +0700 Subject: [PATCH 26/30] Using node 18 --- pages/gatsby.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/gatsby.yml b/pages/gatsby.yml index 7db9291386..a288d7da56 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml @@ -53,7 +53,7 @@ jobs: - name: Setup Node uses: actions/setup-node@v3 with: - node-version: "16" + node-version: "18" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages From e493e52668ef051fc37be7453871d17470f56e0e Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 29 Nov 2022 17:48:50 +0530 Subject: [PATCH 27/30] Check only certain files --- .pre-commit-config.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7699e821c1..5d6f7eb0d3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
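Review bot: The rewritten `run:` block of the Build with Astro step interpolates three `${{ }}` expressions straight into the shell script; GitHub's guidance for `run:` steps is to pass expression values through `env:` and reference them as shell variables so the script text never changes with the data. `steps.pages.outputs.origin` and `base_path` appear to come from the repository's Pages configuration and `runner` from this workflow's own echo, so none looks attacker-controlled here, but the indirection is free and keeps the template safe to copy into other contexts. `actions/configure-pages@v2` is also referenced by a moving major tag where the code-scanning templates in this series pin to full SHAs.
```yaml
      - name: Build with Astro
        env:
          RUNNER: ${{ steps.detect-package-manager.outputs.runner }}
          SITE: ${{ steps.pages.outputs.origin }}
          BASE: ${{ steps.pages.outputs.base_path }}
        run: |
          # $RUNNER is intentionally unquoted: it may be "npx --no-install"
          $RUNNER astro build --site "$SITE" --base "$BASE"
        working-directory: ${{ env.BUILD_PATH }}
```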
@@ -1,5 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.3.0 + files: ^automation|ci|code-scanning|deployments|pages hooks: - - id: trailing-whitespace \ No newline at end of file + - id: trailing-whitespace From ec11d3549bcc7ca2a1df7f76461d31c70313d391 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Tue, 29 Nov 2022 18:13:36 +0530 Subject: [PATCH 28/30] Check for only certain files --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5d6f7eb0d3..19bf39d63c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.3.0 - files: ^automation|ci|code-scanning|deployments|pages hooks: - id: trailing-whitespace + files: (automation/|ci/|code-scanning/|deployments/|pages/).*(yaml|yml|json)$ From 4f469603129f59fefca0072e32a2eed15002fe4c Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 1 Dec 2022 06:55:46 +0000 Subject: [PATCH 29/30] Add instructions to test templates --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 7ff406f694..1048694d81 100644 --- a/README.md +++ b/README.md 
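Review bot: The new `files:` pattern is anchored only at the end, so `(automation/|ci/|code-scanning/|deployments/|pages/)` matches those directory names anywhere in a path, and `(yaml|yml|json)$` has no literal dot before the extension, so a name ending in `xjson` also matches. Anchoring the prefix and escaping the dot, `files: ^(automation|ci|code-scanning|deployments|pages)/.*\.(ya?ml|json)$`, expresses the intent stated in the commit title. The pattern also leaves `.github/workflows/lint.yaml` itself outside the hook's scope; if that is deliberate it is worth a comment above the `files:` line.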
@@ -50,3 +50,23 @@ These variables can be placed in the starter workflow and will be substituted as * `$default-branch`: will substitute the branch from the repository, for example `main` and `master` * `$protected-branches`: will substitute any protected branches from the repository * `$cron-daily`: will substitute a valid but random time within the day + +## How to test templates before publishing + +### Disable template for public +The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX. +Example `properties.json` file: +```json +{ + "name": "Node.js", + "description": "Build and test a Node.js project with npm.", + "iconName": "nodejs", + "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"], + "labels": ["preview"] +} +``` + +Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible. + +### Enable template for public +Remove the `labels` array from `properties.json` file to publish the template to public From bd3d623e07d9ec600ba22e97a047b9afb91075f9 Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Thu, 1 Dec 2022 13:06:55 +0530 Subject: [PATCH 30/30] Apply suggestions from code review Co-authored-by: Anurag Chauhan <44864882+anuragc617@users.noreply.github.com> --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1048694d81..e455e1376b 100644 --- a/README.md +++ b/README.md 
@@ -54,7 +54,7 @@ These variables can be placed in the starter workflow and will be substituted as ## How to test templates before publishing ### Disable template for public -The author should add a `labels` array in the `properties.json` file with a label `preview`. This would hide the template from GitHub UX. +The template author adds a `labels` array in the template's `properties.json` file with a label `preview`. This will hide the template from users, unless user uses query parameter `preview=true` in the URL. Example `properties.json` file: ```json { @@ -66,7 +66,7 @@ Example `properties.json` file: } ``` -Then to view the template in the `actions/new` page add a URL query parameter `preview=true` and it should be visible. +For viewing the templates with `preview` label, provide query parameter `preview=true` to the `new workflow` page URL. Eg. `https://github.com///actions/new?preview=true`. ### Enable template for public Remove the `labels` array from `properties.json` file to publish the template to public