Add clj-watson starter workflow (actions#1460)

* Add clj-watson starter workflow * update permissions * update to latest release * Update clj-watson-action to official release * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <[email protected]> * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <[email protected]> * update categories * update categories * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <[email protected]> * Update code-scanning/properties/clj-watson.properties.json Co-authored-by: Bishal Prasad <[email protected]> * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <[email protected]> * add comments to yml file * Update clj-watson.properties.json * use codeql-action/upload-sarif v2 Co-authored-by: Matheus Bernardes <[email protected]> Co-authored-by: Bishal Prasad <[email protected]>
crummy · Apr 12, 2022 · 66f87f9 · 66f87f9
1 parent 70f16d3
commit 66f87f9
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 0 deletions.
diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml
@@ -0,0 +1,53 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# clj-watson scans dependencies in a clojure deps.edn
+# seeking for vulnerable direct/transitive dependencies and
+# build a report with all the information needed to help you
+# understand how the vulnerability manifest in your software.
+# More details at https://github.com/clj-holmes/clj-watson 
+
+name: clj-watson
+
+on:
+  push:
+    branches: [ $default-branch, $protected-branches ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ $default-branch ]
+  schedule:
+    - cron: $cron-weekly
+
+permissions:
+  contents: read
+
+jobs:
+  clj-holmes:
+    name: Run clj-watson scanning
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Dependency scan
+        uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c
+        with:
+          clj-watson-sha: "65d928c"
+          clj-watson-tag: "v4.0.1"
+          database-strategy: github-advisory
+          aliases: clojure-lsp,test 
+          deps-edn-path: deps.edn
+          suggest-fix: true
+          output-type: sarif
+          output-file: clj-watson-results.sarif
+          fail-on-result: false
+
+      - name: Upload analysis results to GitHub
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{github.workspace}}/clj-watson-results.sarif
+          wait-for-processing: true
diff --git a/code-scanning/properties/clj-watson.properties.json b/code-scanning/properties/clj-watson.properties.json
@@ -0,0 +1,9 @@
+{
+    "name": "clj-watson",
+    "description": "Scan Clojure/Clojurescript projects for vulnerable direct/transitive dependencies.",
+    "iconName": "clj-watson",
+    "categories": [
+        "Code Scanning",
+        "Clojure"
+    ]
+}
diff --git a/icons/clj-watson.svg b/icons/clj-watson.svg