Skip to content

Testing#10

Open
VirajNayak wants to merge 72 commits intoOWASP:masterfrom
VirajNayak:Testing
Open

Testing#10
VirajNayak wants to merge 72 commits intoOWASP:masterfrom
VirajNayak:Testing

Conversation

@VirajNayak
Copy link

@VirajNayak VirajNayak commented Sep 6, 2023

No description provided.

@VirajNayak
Create semgrep.yml
9686f84
@VirajNayak
Create sonarcloud.yml
a01784e
@VirajNayak
Update semgrep.yml
6a57798
@VirajNayak
Update semgrep.yml
fa46571
@VirajNayak
Delete semgrep.yml
462f577
@VirajNayak
Delete sonarcloud.yml
2c818ac
@VirajNayak
Create codeql.yml
0a82d5f
@VirajNayak
Create sonarqube.yml
f12fddb
@VirajNayak
Create semgrep.yml
0c5ae8a
@VirajNayak
Update semgrep.yml
2fe98f7
@VirajNayak
Delete sonarqube.yml
225d604
@VirajNayak
Delete semgrep.yml
39cbeac
@VirajNayak
Create sonarqube.yml
b26464b
@VirajNayak
Create semgrep.yml
114ebe1
@VirajNayak
Update sonarqube.yml
b2a38bd
@VirajNayak
Update sonarqube.yml
c4797d1
@VirajNayak
Update sonarqube.yml
15b63c5
@VirajNayak
Update semgrep.yml
68f1507
@VirajNayak
Update semgrep.yml
e00a960
@VirajNayak
Update semgrep.yml
309306e
@VirajNayak
Update semgrep.yml
616de32
@VirajNayak
Update semgrep.yml
2c8ba70
@VirajNayak
Update semgrep.yml
1925327
@VirajNayak
Update semgrep.yml
e26093f
@VirajNayak
Update semgrep.yml
1d5befb
@VirajNayak
Update semgrep.yml
6b5c01c
@VirajNayak
Update semgrep.yml
96e2995
@VirajNayak
Update semgrep.yml
50af738
@VirajNayak
Add files via upload
1f2c587
@VirajNayak
Update semgrep.yml
bae3657
@VirajNayak
Update semgrep.yml
0641f23
@VirajNayak
Delete semgrep_rules_copy.yaml
871f1fe
@VirajNayak
Delete semgrep_rules.yaml
2d7308c
@VirajNayak
Add files via upload
f1e2165
@VirajNayak
Delete semgrep_rules.yaml
efd7151
@VirajNayak
Add files via upload
9dec52b
@VirajNayak
Update semgrep.yml
35f7f78
@VirajNayak
Update semgrep.yml
87a7351
@VirajNayak
Update semgrep.yml
bcbc34d
@VirajNayak
Update semgrep.yml
ec47e60
@VirajNayak
Update semgrep.yml
3c20be5
@VirajNayak
Update semgrep.yml
cb7623b
@VirajNayak
Update semgrep.yml
b8757ce
@VirajNayak
Update semgrep.yml
fbd627c
@VirajNayak
Update semgrep.yml
eb566b7
@VirajNayak
Update semgrep.yml
8523b6a
@VirajNayak
Update semgrep.yml
54f76b4
@VirajNayak
Update semgrep.yml
4958cc5
@VirajNayak
Update semgrep.yml
065bcef
@VirajNayak
Update semgrep.yml
577cb95
@VirajNayak
Update semgrep.yml
babe906
@VirajNayak
Update semgrep.yml
aeb1f6b
@VirajNayak
Update semgrep.yml
2718d31
@VirajNayak
Update semgrep.yml
1666ac6
@VirajNayak
Update semgrep.yml
43b5263
@VirajNayak
Update semgrep.yml
2b83f4f
@VirajNayak
Delete .github/workflows/semgrep.yml
a10a0f3
@VirajNayak
Create semgrep.yml
5393358
@VirajNayak
Update semgrep.yml
72e74c3
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 6, 2023
View reviewed changes
.github/workflows/sonarqube.yml

# You can pin the exact commit or the version.
uses: SonarSource/sonarqube-scan-action@v1.1.0
#uses: SonarSource/sonarqube-scan-action@7295e71c9583053f5bf40e9d4068a0c974603ec8

Check failure

Code scanning / Semgrep

Semgrep Finding: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key

SonarQube Docs API Key detected
.github/workflows/codeql.yml

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2

Check warning

Code scanning / Semgrep

Semgrep Finding: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
.github/workflows/codeql.yml
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2

Check warning

Code scanning / Semgrep

Semgrep Finding: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
.github/workflows/codeql.yml
# ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2

Check warning

Code scanning / Semgrep

Semgrep Finding: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
.github/workflows/sonarqube.yml
- name: Analyze with SonarQube

# You can pin the exact commit or the version.
uses: SonarSource/sonarqube-scan-action@v1.1.0

Check warning

Code scanning / Semgrep

Semgrep Finding: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
.github/workflows/semgrep.yml

# step 4
- name: Publish Code Scanning Alerts
uses: github/codeql-action/upload-sarif@v2

Check warning

Code scanning / Semgrep

Semgrep Finding: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@VirajNayak