From 977c81b570ed64bfbe4a0fa3ba6bc80b3276c501 Mon Sep 17 00:00:00 2001 From: Tsing Yi Local Distributed Database Date: Sun, 22 Dec 2024 13:33:41 +0800 Subject: [PATCH 01/12] Create checkmarx-one.yml --- .github/workflows/checkmarx-one.yml | 55 +++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/checkmarx-one.yml diff --git a/.github/workflows/checkmarx-one.yml b/.github/workflows/checkmarx-one.yml new file mode 100644 index 0000000..16b78a3 --- /dev/null +++ b/.github/workflows/checkmarx-one.yml @@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow. +# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository +# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling +# scan customization using the full functionality and flexibility of the CLI tool. + +# This is a basic workflow to help you get started with Using Checkmarx One Action, +# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html + +name: Checkmarx Scan + +# Controls when the workflow will run +on: + pull_request: + types: [opened, reopened, synchronize] + branches: [ "main" ] + +permissions: + contents: read + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "build" + build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif + + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # This step checks out a copy of your repository. + - name: Checkout repository + uses: actions/checkout@v4 + # This step creates the Checkmarx One scan + - name: Checkmarx One scan + uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc + with: + base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One + cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e + cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e + cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One + additional_params: --report-format sarif --output-path . + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: cx_result.sarif From d472eed201240a7a7658226a207e86c2f19b2b0c Mon Sep 17 00:00:00 2001 From: Tsing Yi Local Distributed Database Date: Sun, 22 Dec 2024 13:34:51 +0800 Subject: [PATCH 02/12] Create codacy.yml --- .github/workflows/codacy.yml | 61 ++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/codacy.yml diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml new file mode 100644 index 0000000..d2cd1b6 --- /dev/null +++ b/.github/workflows/codacy.yml @@ -0,0 +1,61 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, performs a Codacy security scan +# and integrates the results with the +# GitHub Advanced Security code scanning feature. For more information on +# the Codacy security scan action usage and parameters, see +# https://github.com/codacy/codacy-analysis-cli-action. +# For more information on Codacy Analysis CLI in general, see +# https://github.com/codacy/codacy-analysis-cli. + +name: Codacy Security Scan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '41 8 * * 2' + +permissions: + contents: read + +jobs: + codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Codacy Security Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout code + uses: actions/checkout@v4 + + # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b + with: + # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository + # You can also omit the token and run the tools that support default configurations + project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} + verbose: true + output: results.sarif + format: sarif + # Adjust severity of non-security issues + gh-code-scanning-compat: true + # Force 0 exit code to allow SARIF file generation + # This will handover control about PR rejection to the GitHub side + max-allowed-issues: 2147483647 + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From 045f45b82ce7e55e1802fb68ad04c87f9443a20f Mon Sep 17 00:00:00 2001 From: Tsing Yi Local Distributed Database Date: Sun, 22 Dec 2024 13:35:36 +0800 Subject: [PATCH 03/12] Create checkmarx.yml --- .github/workflows/checkmarx.yml | 55 +++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/checkmarx.yml diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml new file mode 100644 index 0000000..83f0a12 --- /dev/null +++ b/.github/workflows/checkmarx.yml @@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action + +name: CxFlow + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '33 8 * * 2' + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +permissions: + contents: read + +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues + pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v4 + # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs + - name: Checkmarx CxFlow Action + uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe + with: + project: ${{ secrets.CHECKMARX_PROJECT }} + team: ${{ secrets.CHECKMARX_TEAMS }} + checkmarx_url: ${{ secrets.CHECKMARX_URL }} + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + scanners: sast + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} + # Upload the Report for CodeQL/Security Alerts + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: cx.sarif From cb6d8f044d54ecb2590b75b946264b3f78efce96 Mon Sep 17 00:00:00 2001 From: Tsing Yi Local Distributed Database Date: Sun, 22 Dec 2024 13:38:11 +0800 Subject: [PATCH 04/12] Create fortify.yml --- .github/workflows/fortify.yml | 84 +++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 .github/workflows/fortify.yml diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml new file mode 100644 index 0000000..8a1afb1 --- /dev/null +++ b/.github/workflows/fortify.yml @@ -0,0 +1,84 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +################################################################################################################################################ +# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your # +# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. # +# # +# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template # +# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security # +# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product # +# documentation. If you need additional assistance, please contact Fortify support. # +################################################################################################################################################ + +name: Fortify AST Scan + +# Customize trigger events based on your DevSecOps process and/or policy +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '23 5 * * 6' + workflow_dispatch: + +jobs: + Fortify-AST-Scan: + # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc). + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v4 + + # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner. + - name: Setup Java + uses: actions/setup-java@v4 + with: + java-version: 17 + distribution: 'temurin' + + # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then + # optionally export SAST results to the GitHub code scanning dashboard. In case further customization is + # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools + # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for + # details. + - name: Run FoD SAST Scan + uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418 + with: + sast-scan: true + env: + ### Required configuration when integrating with Fortify on Demand + FOD_URL: https://ams.fortify.com + FOD_TENANT: ${{secrets.FOD_TENANT}} + FOD_USER: ${{secrets.FOD_USER}} + FOD_PASSWORD: ${{secrets.FOD_PAT}} + ### Optional configuration when integrating with Fortify on Demand + # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if + # Debricked SCA scan is enabled on Fortify on Demand + # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options + # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:; may + # replace app+release name with numeric release ID + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard + ### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # SSC_URL: ${{secrets.SSC_URL}} # SSC URL + # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken + # SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token + # SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan; + # usually defined as organization or repo variable + ### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options + # SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: /: + # EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard From 32ffd2e3d7230b8c0230846df8488627f86a1c8c Mon Sep 17 00:00:00 2001 From: Tsing Yi Local Distributed Database Date: Sun, 22 Dec 2024 13:38:52 +0800 Subject: [PATCH 05/12] Delete .github/workflows/checkmarx-one.yml --- .github/workflows/checkmarx-one.yml | 55 ----------------------------- 1 file changed, 55 deletions(-) delete mode 100644 .github/workflows/checkmarx-one.yml diff --git a/.github/workflows/checkmarx-one.yml b/.github/workflows/checkmarx-one.yml deleted file mode 100644 index 16b78a3..0000000 --- a/.github/workflows/checkmarx-one.yml +++ /dev/null @@ -1,55 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow. -# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository -# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling -# scan customization using the full functionality and flexibility of the CLI tool. - -# This is a basic workflow to help you get started with Using Checkmarx One Action, -# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html - -name: Checkmarx Scan - -# Controls when the workflow will run -on: - pull_request: - types: [opened, reopened, synchronize] - branches: [ "main" ] - -permissions: - contents: read - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "build" - build: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif - - # The type of runner that the job will run on - runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # This step checks out a copy of your repository. - - name: Checkout repository - uses: actions/checkout@v4 - # This step creates the Checkmarx One scan - - name: Checkmarx One scan - uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc - with: - base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One - cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e - cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e - cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One - additional_params: --report-format sarif --output-path . - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - # Path to SARIF file relative to the root of the repository - sarif_file: cx_result.sarif From 0c8943e1fc0ea22d45ad53849a927638f4cffcbe Mon Sep 17 00:00:00 2001 From: Tsing Yi Local Distributed Database Date: Sun, 22 Dec 2024 13:39:04 +0800 Subject: [PATCH 06/12] Delete .github/workflows/checkmarx.yml --- .github/workflows/checkmarx.yml | 55 --------------------------------- 1 file changed, 55 deletions(-) delete mode 100644 .github/workflows/checkmarx.yml diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml deleted file mode 100644 index 83f0a12..0000000 --- a/.github/workflows/checkmarx.yml +++ /dev/null @@ -1,55 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action - -name: CxFlow - -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '33 8 * * 2' - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action -permissions: - contents: read - -jobs: - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action - permissions: - contents: read # for actions/checkout to fetch code - issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues - pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - - # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v4 - # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe - with: - project: ${{ secrets.CHECKMARX_PROJECT }} - team: ${{ secrets.CHECKMARX_TEAMS }} - checkmarx_url: ${{ secrets.CHECKMARX_URL }} - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} - scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} - # Upload the Report for CodeQL/Security Alerts - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: cx.sarif From 48174be5d1c4a0b36afff67c12169d34bfe06ccc Mon Sep 17 00:00:00 2001 From: Tsing Yi Local Distributed Database Date: Sun, 22 Dec 2024 13:40:05 +0800 Subject: [PATCH 07/12] Create devskim.yml --- .github/workflows/devskim.yml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 .github/workflows/devskim.yml diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml new file mode 100644 index 0000000..a26b7ae --- /dev/null +++ b/.github/workflows/devskim.yml @@ -0,0 +1,34 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: DevSkim + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '34 4 * * 4' + +jobs: + lint: + name: DevSkim + runs-on: ubuntu-20.04 + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run DevSkim scanner + uses: microsoft/DevSkim-Action@v1 + + - name: Upload DevSkim scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: devskim-results.sarif From e05a801df04b1d46e198e9c4ad2d7ba7047562cc Mon Sep 17 00:00:00 2001 From: Tsing Yi Local Distributed Database Date: Sun, 22 Dec 2024 13:40:24 +0800 Subject: [PATCH 08/12] Delete .github/workflows/fortify.yml --- .github/workflows/fortify.yml | 84 ----------------------------------- 1 file changed, 84 deletions(-) delete mode 100644 .github/workflows/fortify.yml diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml deleted file mode 100644 index 8a1afb1..0000000 --- a/.github/workflows/fortify.yml +++ /dev/null @@ -1,84 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -################################################################################################################################################ -# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your # -# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. # -# # -# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template # -# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security # -# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product # -# documentation. If you need additional assistance, please contact Fortify support. # -################################################################################################################################################ - -name: Fortify AST Scan - -# Customize trigger events based on your DevSecOps process and/or policy -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '23 5 * * 6' - workflow_dispatch: - -jobs: - Fortify-AST-Scan: - # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc). - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - steps: - # Check out source code - - name: Check Out Source Code - uses: actions/checkout@v4 - - # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner. - - name: Setup Java - uses: actions/setup-java@v4 - with: - java-version: 17 - distribution: 'temurin' - - # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then - # optionally export SAST results to the GitHub code scanning dashboard. In case further customization is - # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools - # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for - # details. - - name: Run FoD SAST Scan - uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418 - with: - sast-scan: true - env: - ### Required configuration when integrating with Fortify on Demand - FOD_URL: https://ams.fortify.com - FOD_TENANT: ${{secrets.FOD_TENANT}} - FOD_USER: ${{secrets.FOD_USER}} - FOD_PASSWORD: ${{secrets.FOD_PAT}} - ### Optional configuration when integrating with Fortify on Demand - # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if - # Debricked SCA scan is enabled on Fortify on Demand - # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options - # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:; may - # replace app+release name with numeric release ID - # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' - # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard - ### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral - # SSC_URL: ${{secrets.SSC_URL}} # SSC URL - # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken - # SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token - # SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan; - # usually defined as organization or repo variable - ### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral - # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options - # SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: /: - # EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options - # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' - # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard From 9da5b60923741602fbd1e29816b73d71d736c971 Mon Sep 17 00:00:00 2001 From: Tsing Yi Local Distributed Database Date: Sun, 22 Dec 2024 13:41:04 +0800 Subject: [PATCH 09/12] Create ossar.yml --- .github/workflows/ossar.yml | 56 +++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .github/workflows/ossar.yml diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml new file mode 100644 index 0000000..131677e --- /dev/null +++ b/.github/workflows/ossar.yml @@ -0,0 +1,56 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates a collection of open source static analysis tools +# with GitHub code scanning. For documentation, or to provide feedback, visit +# https://github.com/github/ossar-action +name: OSSAR + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '18 0 * * 2' + +permissions: + contents: read + +jobs: + OSSAR-Scan: + # OSSAR runs on windows-latest. + # ubuntu-latest and macos-latest support coming soon + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: windows-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Ensure a compatible version of dotnet is installed. + # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. + # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. + # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. + # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: + # - name: Install .NET + # uses: actions/setup-dotnet@v4 + # with: + # dotnet-version: '3.1.x' + + # Run open source static analysis tools + - name: Run OSSAR + uses: github/ossar-action@v1 + id: ossar + + # Upload results to the Security tab + - name: Upload OSSAR results + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.ossar.outputs.sarifFile }} From 6cd3504602e0bba6abe6a3a7e7dd1283d5f32422 Mon Sep 17 00:00:00 2001 From: Tsing Yi Local Distributed Database Date: Sun, 22 Dec 2024 13:41:56 +0800 Subject: [PATCH 10/12] Create codescan.yml --- .github/workflows/codescan.yml | 49 ++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/codescan.yml diff --git a/.github/workflows/codescan.yml b/.github/workflows/codescan.yml new file mode 100644 index 0000000..98eeaaf --- /dev/null +++ b/.github/workflows/codescan.yml @@ -0,0 +1,49 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow requires that you have an existing account with codescan.io +# For more information about configuring your workflow, +# read our documentation at https://github.com/codescan-io/codescan-scanner-action +name: CodeScan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '26 0 * * 4' + +permissions: + contents: read + +jobs: + CodeScan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Cache files + uses: actions/cache@v3 + with: + path: | + ~/.sonar + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + - name: Run Analysis + uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12 + with: + login: ${{ secrets.CODESCAN_AUTH_TOKEN }} + organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} + projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: codescan.sarif From f885aa03c33a6accb013eb10b525b441e3da9e85 Mon Sep 17 00:00:00 2001 From: Tsing Yi Local Distributed Database Date: Sun, 22 Dec 2024 13:43:00 +0800 Subject: [PATCH 11/12] Delete .github/workflows/codescan.yml --- .github/workflows/codescan.yml | 49 ---------------------------------- 1 file changed, 49 deletions(-) delete mode 100644 .github/workflows/codescan.yml diff --git a/.github/workflows/codescan.yml b/.github/workflows/codescan.yml deleted file mode 100644 index 98eeaaf..0000000 --- a/.github/workflows/codescan.yml +++ /dev/null @@ -1,49 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow requires that you have an existing account with codescan.io -# For more information about configuring your workflow, -# read our documentation at https://github.com/codescan-io/codescan-scanner-action -name: CodeScan - -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '26 0 * * 4' - -permissions: - contents: read - -jobs: - CodeScan: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Cache files - uses: actions/cache@v3 - with: - path: | - ~/.sonar - key: ${{ runner.os }}-sonar - restore-keys: ${{ runner.os }}-sonar - - name: Run Analysis - uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12 - with: - login: ${{ secrets.CODESCAN_AUTH_TOKEN }} - organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} - projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: codescan.sarif From 5e21690ac52622bc0f1cb230b8a87d77b6993ee7 Mon Sep 17 00:00:00 2001 From: Tsing Yi Local Distributed Database Date: Sun, 22 Dec 2024 13:43:31 +0800 Subject: [PATCH 12/12] Delete .github/workflows/ossar.yml --- .github/workflows/ossar.yml | 56 ------------------------------------- 1 file changed, 56 deletions(-) delete mode 100644 .github/workflows/ossar.yml diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml deleted file mode 100644 index 131677e..0000000 --- a/.github/workflows/ossar.yml +++ /dev/null @@ -1,56 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow integrates a collection of open source static analysis tools -# with GitHub code scanning. For documentation, or to provide feedback, visit -# https://github.com/github/ossar-action -name: OSSAR - -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '18 0 * * 2' - -permissions: - contents: read - -jobs: - OSSAR-Scan: - # OSSAR runs on windows-latest. - # ubuntu-latest and macos-latest support coming soon - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: windows-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Ensure a compatible version of dotnet is installed. - # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. - # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. - # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. - # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: - # - name: Install .NET - # uses: actions/setup-dotnet@v4 - # with: - # dotnet-version: '3.1.x' - - # Run open source static analysis tools - - name: Run OSSAR - uses: github/ossar-action@v1 - id: ossar - - # Upload results to the Security tab - - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ steps.ossar.outputs.sarifFile }}