From 1aef78eb727a105fa27d651ec7db779032a8ad26 Mon Sep 17 00:00:00 2001
From: Pablo Alguindigue
Date: Mon, 3 Mar 2025 12:12:36 -0600
Subject: [PATCH 1/2] Adding workflows
---
.github/workflows/codeql.yml | 26 +++++++++++++++
.github/workflows/dependency-review.yml | 42 +++++++++++++++++++++++++
2 files changed, 68 insertions(+)
create mode 100644 .github/workflows/codeql.yml
create mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..763c62d7e
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,26 @@
+name: CodeQL (Java) - SAST
+
+on:
+ pull_request:
+ push:
+ workflow_dispatch:
+
+jobs:
+ analyze:
+ name: Code Scanning - CodeQL
+ runs-on: ubuntu-latest
+ timeout-minutes: 25
+ permissions:
+ security-events: write
+ packages: read
+ actions: read
+ contents: read
+ strategy:
+ fail-fast: false
+ steps:
+ - uses: hyperwallet/public-security-workflows/codeql@main
+ with:
+ language: java
+ build-mode: 'none'
+ timeout-minutes: 25
+
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 000000000..9f988ad14
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
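Review bot: `- uses: hyperwallet/public-security-workflows/codeql@main` pins a mutable branch, so anyone who can push to that repository's `main` changes the code that runs here with `security-events: write` on every push and pull request; pin the action to a full-length commit SHA with a version comment, e.g. `- uses: hyperwallet/public-security-workflows/codeql@<40-hex-sha> # v1.2.3`, and let Dependabot raise the bumps. Triggering on both `pull_request` and an unfiltered `push` also runs the 25-minute analysis twice for every same-repository PR branch; a `push:` restricted to `branches: [main]` keeps the PR scan and the default-branch baseline without the duplicate. Indentation is flattened in this copy, so I cannot tell whether the trailing `timeout-minutes: 25` is an input under `with:` or a second job-level key; if it is an input, confirm the composite action actually honours it, since the runner only enforces the job-level `timeout-minutes` declared above.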
@@ -0,0 +1,42 @@
+name: 'Dependency Review'
+
+on:
+ workflow_call:
+ inputs:
+ timeout-minutes:
+ description: 'Optional override for larger builds'
+ default: 20
+ required: false
+ type: number
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependency-review:
+ name: Dependency Review
+ if: ${{ github.event_name == 'pull_request' }}
+ runs-on: ubuntu-latest
+ timeout-minutes: ${{ inputs.timeout-minutes }}
+
+ steps:
+ - name: Validate Input (timeout-minutes)
+ if: ${{ inputs.timeout-minutes > 99 }}
+ shell: bash
+ run: |
+ echo "Invalid input (timeout-minutes), maximum value is 99"
+ exit 1
+
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Dependency Review
+ uses: actions/dependency-review-action@v4
+ with:
+ fail-on-severity: critical
+ fail-on-scopes: runtime
+ comment-summary-in-pr: always
+ show-openssf-scorecard: false
+ license-check: false
+ warn-only: true
From 4b5f7091b79259a7612a5cda03d98fd85f7fc509 Mon Sep 17 00:00:00 2001
From: Pablo Alguindigue
Date: Mon, 3 Mar 2025 13:47:02 -0600
Subject: [PATCH 2/2] Update dependency-review.yml
---
.github/workflows/dependency-review.yml | 42 +++----------------------
1 file changed, 5 insertions(+), 37 deletions(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 9f988ad14..19140c5a0 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
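Review bot: `permissions:` grants `contents: write`, but nothing in this job writes to the repository: `actions/checkout` and the Dependency Graph compare behind `dependency-review-action` need only `contents: read`, and `pull-requests: write` is what `comment-summary-in-pr: always` needs, so tighten the block to `contents: read` / `pull-requests: write`. `warn-only: true` also turns `fail-on-severity: critical` and `fail-on-scopes: runtime` into advisory output — the check can never fail the PR — so either drop `warn-only` or put `# report-only gate: never blocks merge` above it so readers do not mistake this for an enforced control. Both `actions/checkout@v4` and `actions/dependency-review-action@v4` float on a major tag; for a security workflow the usual hardening is a commit-SHA pin with a `# vX.Y.Z` comment. Note that this file is rewritten wholesale by the second patch in the series.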
@@ -1,42 +1,10 @@
-name: 'Dependency Review'
+name: CodeQL Dependency Review - SCA
 on:
- workflow_call:
- inputs:
- timeout-minutes:
- description: 'Optional override for larger builds'
- default: 20
- required: false
- type: number
-
-permissions:
- contents: write
- pull-requests: write
+ pull_request:
+ push:
+ workflow_dispatch:
 jobs:
 dependency-review:
- name: Dependency Review
- if: ${{ github.event_name == 'pull_request' }}
- runs-on: ubuntu-latest
- timeout-minutes: ${{ inputs.timeout-minutes }}
-
- steps:
- - name: Validate Input (timeout-minutes)
- if: ${{ inputs.timeout-minutes > 99 }}
- shell: bash
- run: |
- echo "Invalid input (timeout-minutes), maximum value is 99"
- exit 1
-
- - name: Checkout Repository
- uses: actions/checkout@v4
-
- - name: Dependency Review
- uses: actions/dependency-review-action@v4
- with:
- fail-on-severity: critical
- fail-on-scopes: runtime
- comment-summary-in-pr: always
- show-openssf-scorecard: false
- license-check: false
- warn-only: true
+ uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main
\ No newline at end of file
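Review bot: The calling job sets no `permissions:`, so the reusable workflow runs with the repository's default `GITHUB_TOKEN` scope, which can be read/write across the board depending on the repository or organization setting; the in-repo version this replaces needed only `pull-requests: write` (for the summary comment) plus `contents: read`, so declare that on the job: `permissions:` / `contents: read` / `pull-requests: write`. `uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main` references a mutable branch, so a push to that repository silently changes what runs with this token; pin to a full-length commit SHA with a version comment and let Dependabot bump it. Dependency review only has base and head refs on `pull_request`, yet `push` and `workflow_dispatch` are also listed; whether those runs are skipped or fail depends on whether the reusable workflow kept the `if: github.event_name == 'pull_request'` guard the removed version had, so either drop the two triggers or confirm the guard. The new `name: CodeQL Dependency Review - SCA` is also misleading, since dependency review is the Dependency Graph/Advisory DB check rather than CodeQL; `name: Dependency Review - SCA` is accurate.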