From 690e5330cf2b4e3f1cdee97d1c0586c7a641b9dc Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:21:52 +0300 Subject: [PATCH 01/26] Create SECURITY.md --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..034e8480 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. From d644a04985169680701fe8da504be2ed1724d700 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:23:22 +0300 Subject: [PATCH 02/26] Create msbuild.yml --- .github/workflows/msbuild.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/msbuild.yml diff --git a/.github/workflows/msbuild.yml b/.github/workflows/msbuild.yml new file mode 100644 index 00000000..29b6aceb --- /dev/null +++ b/.github/workflows/msbuild.yml @@ -0,0 +1,32 @@ +name: MSBuild + +on: [push] + +env: + # Path to the solution file relative to the root of the project. + SOLUTION_FILE_PATH: . + + # Configuration type to build. + # You can convert this to a build matrix if you need coverage of multiple configuration types. + # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix + BUILD_CONFIGURATION: Release + +jobs: + build: + runs-on: windows-latest + + steps: + - uses: actions/checkout@v2 + + - name: Add MSBuild to PATH + uses: microsoft/setup-msbuild@v1.0.2 + + - name: Restore NuGet packages + working-directory: ${{env.GITHUB_WORKSPACE}} + run: nuget restore ${{env.SOLUTION_FILE_PATH}} + + - name: Build + working-directory: ${{env.GITHUB_WORKSPACE}} + # Add additional options to the MSBuild command line here (like platform or verbosity level). + # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference + run: msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}} From b8fc8903082dc96ab5843d1aee6ddcda2c6f52f5 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:23:34 +0300 Subject: [PATCH 03/26] Create cmake.yml --- .github/workflows/cmake.yml | 38 +++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/cmake.yml diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml new file mode 100644 index 00000000..e282e389 --- /dev/null +++ b/.github/workflows/cmake.yml @@ -0,0 +1,38 @@ +name: CMake + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +env: + # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.) + BUILD_TYPE: Release + +jobs: + build: + # The CMake configure and build commands are platform agnostic and should work equally + # well on Windows or Mac. You can convert this to a matrix build if you need + # cross-platform coverage. + # See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Configure CMake + # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. + # See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html?highlight=cmake_build_type + run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} + + - name: Build + # Build your program with the given configuration + run: cmake --build ${{github.workspace}}/build --config ${{env.BUILD_TYPE}} + + - name: Test + working-directory: ${{github.workspace}}/build + # Execute tests defined by the CMake configuration. + # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail + run: ctest -C ${{env.BUILD_TYPE}} + From d89a82314daa28fba6408c4fc742825b6282ae52 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:23:47 +0300 Subject: [PATCH 04/26] Create c-cpp.yml --- .github/workflows/c-cpp.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/c-cpp.yml diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml new file mode 100644 index 00000000..e3233268 --- /dev/null +++ b/.github/workflows/c-cpp.yml @@ -0,0 +1,23 @@ +name: C/C++ CI + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + - name: configure + run: ./configure + - name: make + run: make + - name: make check + run: make check + - name: make distcheck + run: make distcheck From fd3116f084a7197bac4dca92d87419a3f6db679f Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:28:48 +0300 Subject: [PATCH 05/26] Update issue templates --- .github/ISSUE_TEMPLATE/custom.md | 10 ++++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 20 ++++++++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/custom.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md diff --git a/.github/ISSUE_TEMPLATE/custom.md b/.github/ISSUE_TEMPLATE/custom.md new file mode 100644 index 00000000..48d5f81f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/custom.md @@ -0,0 +1,10 @@ +--- +name: Custom issue template +about: Describe this issue template's purpose here. +title: '' +labels: '' +assignees: '' + +--- + + diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 00000000..bbcbbe7d --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,20 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: '' +assignees: '' + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. From b90093df85b65fa0777a9b362872938e5ee51aab Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:30:58 +0300 Subject: [PATCH 06/26] Set theme jekyll-theme-cayman --- _config.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 _config.yml diff --git a/_config.yml b/_config.yml new file mode 100644 index 00000000..c4192631 --- /dev/null +++ b/_config.yml @@ -0,0 +1 @@ +theme: jekyll-theme-cayman \ No newline at end of file From e504394bdf72677e5cef07f13d951a2dc93ca864 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:39:36 +0300 Subject: [PATCH 07/26] Create codeql-analysis.yml --- .github/workflows/codeql-analysis.yml | 71 +++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 00000000..3dd8e1b8 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,71 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '19 8 * * 5' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'cpp', 'javascript' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] + # Learn more: + # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v1 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 From b2574e95d146b16a64a300d682429a30fe0de3d8 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:40:08 +0300 Subject: [PATCH 08/26] Create crunch42-analysis.yml --- .github/workflows/crunch42-analysis.yml | 48 +++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/crunch42-analysis.yml diff --git a/.github/workflows/crunch42-analysis.yml b/.github/workflows/crunch42-analysis.yml new file mode 100644 index 00000000..04ac3dd8 --- /dev/null +++ b/.github/workflows/crunch42-analysis.yml @@ -0,0 +1,48 @@ +# This workflow locates REST API file contracts +# (Swagger or OpenAPI format, v2 and v3, JSON and YAML) +# and runs 200+ security checks on them using 42Crunch Security Audit technology. +# +# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# +# To use this workflow, you will need to complete the following setup steps. +# +# 1. Create a free 42Crunch account at https://platform.42crunch.com/register +# +# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# to create an API Token on the 42Crunch platform +# +# 3. Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm, +# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow +# +# If you have any questions or need help contact https://support.42crunch.com + +name: "42Crunch REST API Static Security Testing" + +# follow standard Code Scanning triggers +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '42 12 * * 4' + +jobs: + rest-api-static-security-testing: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: 42Crunch REST API Static Security Testing + uses: 42Crunch/api-security-audit-action@v1 + with: + # Please create free account at https://platform.42crunch.com/register + # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm + api-token: ${{ secrets.API_TOKEN }} + # Fail if any OpenAPI file scores lower than 75 + min-score: 75 + # Upload results to Github code scanning + upload-to-code-scanning: true + # Github token for uploading the results + github-token: ${{ github.token }} From eddb901b54b172b7156cd8aec727e364560cba1d Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:40:18 +0300 Subject: [PATCH 09/26] Create codacy-analysis.yml --- .github/workflows/codacy-analysis.yml | 49 +++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/codacy-analysis.yml diff --git a/.github/workflows/codacy-analysis.yml b/.github/workflows/codacy-analysis.yml new file mode 100644 index 00000000..579b2467 --- /dev/null +++ b/.github/workflows/codacy-analysis.yml @@ -0,0 +1,49 @@ +# This workflow checks out code, performs a Codacy security scan +# and integrates the results with the +# GitHub Advanced Security code scanning feature. For more information on +# the Codacy security scan action usage and parameters, see +# https://github.com/codacy/codacy-analysis-cli-action. +# For more information on Codacy Analysis CLI in general, see +# https://github.com/codacy/codacy-analysis-cli. + +name: Codacy Security Scan + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '27 4 * * 5' + +jobs: + codacy-security-scan: + name: Codacy Security Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout code + uses: actions/checkout@v2 + + # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@1.1.0 + with: + # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository + # You can also omit the token and run the tools that support default configurations + project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} + verbose: true + output: results.sarif + format: sarif + # Adjust severity of non-security issues + gh-code-scanning-compat: true + # Force 0 exit code to allow SARIF file generation + # This will handover control about PR rejection to the GitHub side + max-allowed-issues: 2147483647 + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif From 2e5da6e62b3c1dfebb6cd00c65485ae00275b32a Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:40:28 +0300 Subject: [PATCH 10/26] Create codescan-analysis.yml --- .github/workflows/codescan-analysis.yml | 37 +++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/codescan-analysis.yml diff --git a/.github/workflows/codescan-analysis.yml b/.github/workflows/codescan-analysis.yml new file mode 100644 index 00000000..d2e017b7 --- /dev/null +++ b/.github/workflows/codescan-analysis.yml @@ -0,0 +1,37 @@ +# This workflow requires that you have an existing account with codescan.io +# For more information about configuring your workflow, +# read our documentation at https://github.com/codescan-io/codescan-scanner-action +name: CodeScan + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '43 5 * * 6' + +jobs: + CodeScan: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Cache files + uses: actions/cache@v2 + with: + path: | + ~/.sonar + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + - name: Run Analysis + uses: codescan-io/codescan-scanner-action@master + with: + login: ${{ secrets.CODESCAN_AUTH_TOKEN }} + organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} + projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: codescan.sarif From ebe2b9a7319dc38d3251d9f3f395caf51c99e86b Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:40:37 +0300 Subject: [PATCH 11/26] Create checkmarx-analysis.yml --- .github/workflows/checkmarx-analysis.yml | 39 ++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/checkmarx-analysis.yml diff --git a/.github/workflows/checkmarx-analysis.yml b/.github/workflows/checkmarx-analysis.yml new file mode 100644 index 00000000..fd169bc0 --- /dev/null +++ b/.github/workflows/checkmarx-analysis.yml @@ -0,0 +1,39 @@ +# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action + +name: CxFlow + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '21 3 * * 1' + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + runs-on: ubuntu-latest + + # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v2 + # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs + - name: Checkmarx CxFlow Action + uses: checkmarx-ts/checkmarx-cxflow-github-action@v1.0 + with: + project: GithubActionTest + team: '\CxServer\SP\Checkmarx' + checkmarx_url: ${{ secrets.CHECKMARX_URL }} + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + # Upload the Report for CodeQL/Security Alerts + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: cx.sarif From 1fe72026ca3da85791974cce784b1b952ddd3fbb Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 16:58:09 +0300 Subject: [PATCH 12/26] Create xanitizer-analysis.yml --- .github/workflows/xanitizer-analysis.yml | 87 ++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 .github/workflows/xanitizer-analysis.yml diff --git a/.github/workflows/xanitizer-analysis.yml b/.github/workflows/xanitizer-analysis.yml new file mode 100644 index 00000000..07856494 --- /dev/null +++ b/.github/workflows/xanitizer-analysis.yml @@ -0,0 +1,87 @@ +# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it, +# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository. +# +# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action +# +# To use this basic workflow, you will need to complete the following setup steps: +# +# 1. The underlying Xanitizer, used in this workflow, needs a separate license file. +# Licenses are free of charge for open source projects and for educational usage. +# To get more information about the Xanitizer licenses and how to obtain a license file, +# please consult https://www.xanitizer.com/xanitizer-pricing/. +# +# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository. +# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. +# +# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action. +# Example: +# - name: Xanitizer Security Analysis +# uses: RIGS-IT/xanitizer-action@v1 +# with: +# license: ${{ secrets.XANITIZER_LICENSE }} +# +# 4. As a static application security testing (SAST) tool, +# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully. +# So you have to install all used libraries and build your project before running the security analysis, +# e.g. via `mvn compile` for Java or `npm install` for JavaScript + +name: "Xanitizer Security Analysis" + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '17 22 * * 5' + workflow_dispatch: + +jobs: + xanitizer-security-analysis: + # Xanitizer runs on ubuntu-latest and windows-latest. + runs-on: ubuntu-latest + + steps: + # Check out the repository + - name: Checkout + uses: actions/checkout@v2 + + # Set up the correct Java version for your project + # Please comment out, if your project does not contain Java source code. + - name: Set up JDK 11 + uses: actions/setup-java@v1 + with: + java-version: 11 + + # Compile the code for Java projects and get all libraries, e.g. via Maven + # Please adapt, if your project uses another build system to compile Java source code. + # Please comment out, if your project does not contain Java source code. + - name: Compile Java code + run: mvn -B compile + + # Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm + # Please adapt to run `npm install` in the correct directories. + # Please adapt, if your project uses another package manager for getting JavaScript libraries. + # Please comment out, if your project does not use a package manager for getting JavaScript libraries. + - name: Install JavaScript libraries + run: npm install + + # Run the security analysis with default settings + - name: Xanitizer Security Analysis + uses: RIGS-IT/xanitizer-action@v1 + with: + license: ${{ secrets.XANITIZER_LICENSE }} + + # Archiving the findings list reports + - uses: actions/upload-artifact@v2 + with: + name: Xanitizer-Reports + path: | + *-Findings-List.pdf + *-Findings-List.sarif + + # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action + - uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: Xanitizer-Findings-List.sarif From a17fe871176d83a0c257f84bcc6dfb9b59427921 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 16:58:22 +0300 Subject: [PATCH 13/26] Create veracode-analysis.yml --- .github/workflows/veracode-analysis.yml | 61 +++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/veracode-analysis.yml diff --git a/.github/workflows/veracode-analysis.yml b/.github/workflows/veracode-analysis.yml new file mode 100644 index 00000000..cb57dfd3 --- /dev/null +++ b/.github/workflows/veracode-analysis.yml @@ -0,0 +1,61 @@ +# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert + +name: Veracode Static Analysis Pipeline Scan + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '29 5 * * 0' + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter + build-and-pipeline-scan: + # The type of runner that the job will run on + runs-on: ubuntu-latest + steps: + + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps + - uses: actions/checkout@v2 + with: + repository: '' + + - uses: papeloto/action-zip@v1 + with: + files: / + recursive: true + dest: veracode-pipeline-scan-results-to-sarif.zip + + - uses: actions/upload-artifact@v1 + with: + name: my-artifact + path: veracode-pipeline-scan-results-to-sarif.zip + + # download the Veracode Static Analysis Pipeline scan jar + - uses: wei/curl@master + with: + args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + - run: unzip -o pipeline-scan-LATEST.zip + + - uses: actions/setup-java@v1 + with: + java-version: 1.8 + - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-pipeline-scan-results-to-sarif.zip + continue-on-error: true + - uses: actions/upload-artifact@v1 + with: + name: ScanResults + path: results.json + - name: Convert pipeline scan output to SARIF format + id: convert + uses: veracode/veracode-pipeline-scan-results-to-sarif@master + with: + pipeline-results-json: results.json + - uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: veracode-results.sarif From e46fbd9a5672f2e644bec2e3e58bc9d64a7a8f53 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 16:58:32 +0300 Subject: [PATCH 14/26] Create synopsys-io-analysis.yml --- .github/workflows/synopsys-io-analysis.yml | 77 ++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 .github/workflows/synopsys-io-analysis.yml diff --git a/.github/workflows/synopsys-io-analysis.yml b/.github/workflows/synopsys-io-analysis.yml new file mode 100644 index 00000000..e1d77e59 --- /dev/null +++ b/.github/workflows/synopsys-io-analysis.yml @@ -0,0 +1,77 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Synopsys Intelligent Security Scan + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '28 9 * * 4' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Synopsys Intelligent Security Scan + id: prescription + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + stage: "IO" + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN + # is defined in settings + - name: Static Analysis with Polaris + if: ${{steps.prescription.outputs.sastScan == 'true' }} + run: | + export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} + export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} + wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip + unzip -j polaris_cli-linux64.zip -d /tmp + /tmp/polaris analyze -w + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work + - name: Software Composition Analysis with Black Duck + if: ${{steps.prescription.outputs.scaScan == 'true' }} + uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38 + with: + args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' + + - name: Synopsys Intelligent Security Scan + if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} + --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} + stage: "WORKFLOW" + + - name: Upload SARIF file + if: ${{steps.prescription.outputs.sastScan == 'true' }} + uses: github/codeql-action/upload-sarif@v1 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: workflowengine-results.sarif.json From e3f441488d81a4eafcb17e8159a7af65d80e10b5 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 16:58:44 +0300 Subject: [PATCH 15/26] Create stackhawk-analysis.yml --- .github/workflows/stackhawk-analysis.yml | 57 ++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 .github/workflows/stackhawk-analysis.yml diff --git a/.github/workflows/stackhawk-analysis.yml b/.github/workflows/stackhawk-analysis.yml new file mode 100644 index 00000000..6d8526f8 --- /dev/null +++ b/.github/workflows/stackhawk-analysis.yml @@ -0,0 +1,57 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# đŸĻ… STACKHAWK https://stackhawk.com + +# The StackHawk HawkScan action makes it easy to integrate dynamic application security testing (DAST) into your +# CI pipeline. See the Getting Started guide (https://docs.stackhawk.com/hawkscan/) to get up and running with +# StackHawk quickly. + +# To use this workflow, you must: +# +# 1. Create an API Key and Application: Sign up for a free StackHawk account to obtain an API Key and +# create your first app and configuration file at https://app.stackhawk.com. +# +# 2. Save your API Key as a Secret: Save your API key as a GitHub Secret named HAWK_API_KEY. +# +# 3. Add your Config File: Add your stackhawk.yml configuration file to the base of your repository directory. +# +# 4. Set the Scan Failure Threshold: Add the hawk.failureThreshold configuration option +# (https://docs.stackhawk.com/hawkscan/configuration/#hawk) to your stackhawk.yml configuration file. If your scan +# produces alerts that meet or exceed the hawk.failureThreshold alert level, the scan will return exit code 42 +# and trigger a Code Scanning alert with a link to your scan results. +# +# 5. Update the "Start your service" Step: Update the "Start your service" step in the StackHawk workflow below to +# start your service so that it can be scanned with the "Run HawkScan" step. + + +name: "StackHawk" + +on: + push: + branches: [ master, xmrig ] + pull_request: + branches: [ master ] + schedule: + - cron: '44 10 * * 2' + +jobs: + stackhawk: + name: StackHawk + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Start your service + run: ./your-service.sh & # ✏ī¸ Update this to run your own service to be scanned + + - name: Run HawkScan + uses: stackhawk/hawkscan-action@4c3258cd62248dac6d9fe91dd8d45928c697dee0 + continue-on-error: true # ✏ī¸ Set to false to break your build on scan errors + with: + apiKey: ${{ secrets.HAWK_API_KEY }} + codeScanningAlerts: true + githubToken: ${{ github.token }} From 3b39cdc7d7dc3dd3b26847708c19517f1f421a55 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 16:58:56 +0300 Subject: [PATCH 16/26] Create snyk-infrastructure-analysis.yml --- .../snyk-infrastructure-analysis.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .github/workflows/snyk-infrastructure-analysis.yml diff --git a/.github/workflows/snyk-infrastructure-analysis.yml b/.github/workflows/snyk-infrastructure-analysis.yml new file mode 100644 index 00000000..2b7e40d7 --- /dev/null +++ b/.github/workflows/snyk-infrastructure-analysis.yml @@ -0,0 +1,42 @@ +# A sample workflow which checks out your Infrastructure as Code Configuration files, +# such as Kubernetes, Helm & Terraform and scans them for any security issues. +# The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Infrastructure as Code + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '19 15 * * 1' + +jobs: + snyk: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Run Snyk to check configuration files for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/iac@master + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + # Add the path to the configuration file that you would like to test. + # For example `deployment.yaml` for a Kubernetes deployment manifest + # or `main.tf` for a Terraform configuration file + file: your-file-to-test.yaml + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: snyk.sarif From d24fec5f4ce8b8b6aedcfb8662d1eb300be3127a Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 16:59:08 +0300 Subject: [PATCH 17/26] Create semgrep-analysis.yml --- .github/workflows/semgrep-analysis.yml | 37 ++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/semgrep-analysis.yml diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml new file mode 100644 index 00000000..62822e37 --- /dev/null +++ b/.github/workflows/semgrep-analysis.yml @@ -0,0 +1,37 @@ +# This workflow file requires a free account on Semgrep.dev to +# manage rules, file ignores, notifications, and more. +# +# See https://semgrep.dev/docs + +name: Semgrep + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '36 15 * * 4' + +jobs: + semgrep: + name: Scan + runs-on: ubuntu-latest + steps: + # Checkout project source + - uses: actions/checkout@v2 + + # Scan code using project's configuration on https://semgrep.dev/manage + - uses: returntocorp/semgrep-action@v1 + with: + publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} + generateSarif: "1" + + # Upload SARIF file generated in previous step + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: semgrep.sarif + if: always() From 54f11cdabb3eef602ba95eccb5b0b7f5c2038be6 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 16:59:27 +0300 Subject: [PATCH 18/26] Create shiftleft-analysis.yml --- .github/workflows/shiftleft-analysis.yml | 42 ++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .github/workflows/shiftleft-analysis.yml diff --git a/.github/workflows/shiftleft-analysis.yml b/.github/workflows/shiftleft-analysis.yml new file mode 100644 index 00000000..09f70dc6 --- /dev/null +++ b/.github/workflows/shiftleft-analysis.yml @@ -0,0 +1,42 @@ +# This workflow integrates Scan with GitHub's code scanning feature +# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft +# Visit https://slscan.io/en/latest/integrations/code-scan for help +name: SL Scan + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '21 5 * * 6' + +jobs: + Scan-Build: + # Scan runs on ubuntu, mac and windows + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # Instructions + # 1. Setup JDK, Node.js, Python etc depending on your project type + # 2. Compile or build the project before invoking scan + # Example: mvn compile, or npm install or pip install goes here + # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url + + - name: Perform Scan + uses: ShiftLeftSecurity/scan-action@master + env: + WORKSPACE: "" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SCAN_AUTO_BUILD: true + with: + output: reports + # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type + # type: credscan,java + # type: python + + - name: Upload report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: reports From 558a95973d6e6673789ea8c1365f0d92f8a8be01 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 16:59:53 +0300 Subject: [PATCH 19/26] Create prisma-analysis.yml --- .github/workflows/prisma-analysis.yml | 49 +++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/prisma-analysis.yml diff --git a/.github/workflows/prisma-analysis.yml b/.github/workflows/prisma-analysis.yml new file mode 100644 index 00000000..09e94b35 --- /dev/null +++ b/.github/workflows/prisma-analysis.yml @@ -0,0 +1,49 @@ +# A sample workflow that checks for security issues using +# the Prisma Cloud Infrastructure as Code Scan Action on +# the IaC files present in the repository. +# The results are uploaded to GitHub Security Code Scanning +# +# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action + +name: Prisma Cloud IaC Scan + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '29 23 * * 4' + +jobs: + prisma_cloud_iac_scan: + runs-on: ubuntu-latest + name: Run Prisma Cloud IaC Scan to check + steps: + - name: Checkout + uses: actions/checkout@v2 + - id: iac-scan + name: Run Scan on CFT files in the repository + uses: prisma-cloud-shiftleft/iac-scan-action@v1 + with: + # You will need Prisma Cloud API Access Token + # More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action + prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }} + access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }} + secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }} + # Scan sources on Prisma Cloud are uniquely identified by their name + asset_name: 'my-asset-name' + # The service need to know the type of IaC being scanned + template_type: 'CFT' + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + # Results are generated only on a success or failure + # this is required since GitHub by default won't run the next step + # when the previous one has failed. + # And alternative it to add `continue-on-error: true` to the previous step + if: success() || failure() + with: + # The SARIF Log file name is configurable on scan action + # therefore the file name is best read from the steps output + sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }} From 86b2b5f18073f81286335148fd80082357b7244e Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 17:00:07 +0300 Subject: [PATCH 20/26] Create ossar-analysis.yml --- .github/workflows/ossar-analysis.yml | 44 ++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .github/workflows/ossar-analysis.yml diff --git a/.github/workflows/ossar-analysis.yml b/.github/workflows/ossar-analysis.yml new file mode 100644 index 00000000..f58f7fa8 --- /dev/null +++ b/.github/workflows/ossar-analysis.yml @@ -0,0 +1,44 @@ +# This workflow integrates a collection of open source static analysis tools +# with GitHub code scanning. For documentation, or to provide feedback, visit +# https://github.com/github/ossar-action +name: OSSAR + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '28 18 * * 4' + +jobs: + OSSAR-Scan: + # OSSAR runs on windows-latest. + # ubuntu-latest and macos-latest support coming soon + runs-on: windows-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Ensure a compatible version of dotnet is installed. + # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. + # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. + # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. + # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: + # - name: Install .NET + # uses: actions/setup-dotnet@v1 + # with: + # dotnet-version: '3.1.x' + + # Run open source static analysis tools + - name: Run OSSAR + uses: github/ossar-action@v1 + id: ossar + + # Upload results to the Security tab + - name: Upload OSSAR results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{ steps.ossar.outputs.sarifFile }} From dd40e33e6f0c8bb9670b2c3a1184cfab8933f3c4 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 17:00:43 +0300 Subject: [PATCH 21/26] Create njsscan-analysis.yml --- .github/workflows/njsscan-analysis.yml | 30 ++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/njsscan-analysis.yml diff --git a/.github/workflows/njsscan-analysis.yml b/.github/workflows/njsscan-analysis.yml new file mode 100644 index 00000000..6cb250d4 --- /dev/null +++ b/.github/workflows/njsscan-analysis.yml @@ -0,0 +1,30 @@ +# This workflow integrates njsscan with GitHub's Code Scanning feature +# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications + +name: njsscan sarif + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '27 4 * * 0' + +jobs: + njsscan: + runs-on: ubuntu-latest + name: njsscan code scanning + steps: + - name: Checkout the code + uses: actions/checkout@v2 + - name: nodejsscan scan + id: njsscan + uses: ajinabraham/njsscan-action@master + with: + args: '. --sarif --output results.sarif || true' + - name: Upload njsscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif From e8f9ee837dc8f203f3e2f01c61a25f0acef756c4 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 17:01:21 +0300 Subject: [PATCH 22/26] Create mayhem-for-api-analysis.yml --- .github/workflows/mayhem-for-api-analysis.yml | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/mayhem-for-api-analysis.yml diff --git a/.github/workflows/mayhem-for-api-analysis.yml b/.github/workflows/mayhem-for-api-analysis.yml new file mode 100644 index 00000000..3f6910ad --- /dev/null +++ b/.github/workflows/mayhem-for-api-analysis.yml @@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# This workflow starts your API and fuzzes it with ForAllSecure Mayhem for API +# to find reliability, performance and security issues before they reach +# production. +# +# To use this workflow, you will need to: +# +# 1. Create a Mayhem for API account at +# https://mayhem4api.forallsecure.com/signup (30-day free trial) +# +# 2. Create a service account token `mapi organization service-account create +# ` +# +# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN" +# +# 4. Update the "Start your API" step to run your API in the background before +# starting the Mayhem for API scan, and update the `api-url` & `api-spec` +# field. +# +# If you have any questions, please contact us at mayhem4api@forallsecure.com + +name: "Mayhem for API" + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + +jobs: + mayhem-for-api: + name: Mayhem for API + # Mayhem for API runs on linux, mac and windows + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - uses: actions/checkout@v2 + + # Run your API in the background. Ideally, the API would run in debug + # mode & send stacktraces back on "500 Internal Server Error" responses + # (don't do this in production though!) + - name: Start your API + run: ./run_your_api.sh & # <- ✏ī¸ update this + + - name: Mayhem for API + uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010 + continue-on-error: true + with: + mapi-token: ${{ secrets.MAPI_TOKEN }} + api-url: http://localhost:8080 # <- ✏ī¸ update this + api-spec: http://localhost:8080/openapi.json # <- ✏ī¸ update this + duration: 60 + sarif-report: mapi.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: mapi.sarif From 825f2771fb1d084c367fe3544275983dde260f1a Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 17:01:33 +0300 Subject: [PATCH 23/26] Create kubesec-analysis.yml --- .github/workflows/kubesec-analysis.yml | 41 ++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/kubesec-analysis.yml diff --git a/.github/workflows/kubesec-analysis.yml b/.github/workflows/kubesec-analysis.yml new file mode 100644 index 00000000..956fb055 --- /dev/null +++ b/.github/workflows/kubesec-analysis.yml @@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Kubesec + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '24 15 * * 5' + +jobs: + lint: + name: Kubesec + runs-on: ubuntu-20.04 + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Run kubesec scanner + uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 + with: + input: file.yaml # specify configuration file to scan here + format: template + template: template/sarif.tpl + output: kubesec-results.sarif + exit-code: "0" + + - name: Upload Kubesec scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: kubesec-results.sarif From 1e856611597db44d726e6af015b0d70b7072c2e5 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 17:02:37 +0300 Subject: [PATCH 24/26] Create fortify-analysis.yml --- .github/workflows/fortify-analysis.yml | 92 ++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 .github/workflows/fortify-analysis.yml diff --git a/.github/workflows/fortify-analysis.yml b/.github/workflows/fortify-analysis.yml new file mode 100644 index 00000000..9b13e45b --- /dev/null +++ b/.github/workflows/fortify-analysis.yml @@ -0,0 +1,92 @@ +################################################################################################################################################ +# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# +# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # +# or contact our sales team, visit microfocus.com/appsecurity. # +# # +# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# +# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # +# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # +# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # +# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # +# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +################################################################################################################################################ + +name: Fortify on Demand Scan + +# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +on: + workflow_dispatch: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '34 2 * * 3' + +jobs: + FoD-SAST-Scan: + # Use the appropriate runner for building your source code. + # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + runs-on: ubuntu-latest + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v2 + + # Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool) + - name: Setup Java + uses: actions/setup-java@v1 + with: + java-version: 1.8 + + # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. + # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: + # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). + # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. + # ScanCentral has additional options that should be set for PHP and Python projects + # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. + # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ + - name: Download Fortify ScanCentral Client + uses: fortify/gha-setup-scancentral-client@v1 + - name: Package Code + Dependencies + run: scancentral package $PACKAGE_OPTS -o package.zip + env: + PACKAGE_OPTS: "-bt mvn" + + # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java + # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: + # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). + # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. + - name: Download Fortify on Demand Universal CI Tool + uses: fortify/gha-setup-fod-uploader@v1 + - name: Perform SAST Scan + run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" + env: + FOD_TENANT: ${{ secrets.FOD_TENANT }} + FOD_USER: ${{ secrets.FOD_USER }} + FOD_PAT: ${{ secrets.FOD_PAT }} + FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" + FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" + FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' + + # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. + # TODO: Review Action inputs. For most users, these will be the same as used in the Perform SAST Scan step. + - name: Download Results + uses: fortify/gha-fod-generate-sarif@1.1.0 + with: + base-url: https://ams.fortify.com + tenant: ${{ secrets.FOD_TENANT }} + user: ${{ secrets.FOD_USER }} + password: ${{ secrets.FOD_PAT }} + release-id: ${{ secrets.FOD_RELEASE_ID }} + output: ./sarif/output.sarif + + # Import Fortify on Demand results to GitHub Security Code Scanning + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ./sarif/output.sarif From 7393ae0478e19d98e781b047a828f53c026925d5 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 17:02:46 +0300 Subject: [PATCH 25/26] Create flawfinder-analysis.yml --- .github/workflows/flawfinder-analysis.yml | 38 +++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/flawfinder-analysis.yml diff --git a/.github/workflows/flawfinder-analysis.yml b/.github/workflows/flawfinder-analysis.yml new file mode 100644 index 00000000..98c7658d --- /dev/null +++ b/.github/workflows/flawfinder-analysis.yml @@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: flawfinder + +on: + push: + branches: [ master, xmrig ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '27 8 * * 1' + +jobs: + flawfinder: + name: Flawfinder + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: flawfinder_scan + uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c + with: + arguments: '--sarif ./' + output: 'flawfinder_results.sarif' + + - name: Upload analysis results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ${{github.workspace}}/flawfinder_results.sarif From 18fad13b3f0d0a33ccba48f5ed2bbb171f7e8d01 Mon Sep 17 00:00:00 2001 From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com> Date: Sun, 5 Sep 2021 17:02:58 +0300 Subject: [PATCH 26/26] Create devskim-analysis.yml --- .github/workflows/devskim-analysis.yml | 34 ++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 .github/workflows/devskim-analysis.yml diff --git a/.github/workflows/devskim-analysis.yml b/.github/workflows/devskim-analysis.yml new file mode 100644 index 00000000..78954b69 --- /dev/null +++ b/.github/workflows/devskim-analysis.yml @@ -0,0 +1,34 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: DevSkim + +on: + push: + branches: [ master, xmrig ] + pull_request: + branches: [ master ] + schedule: + - cron: '42 21 * * 3' + +jobs: + lint: + name: DevSkim + runs-on: ubuntu-20.04 + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Run DevSkim scanner + uses: microsoft/DevSkim-Action@v1 + + - name: Upload DevSkim scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: devskim-results.sarif