This commit is contained in:
Juri Burakov 2021-10-14 21:27:48 +03:00 committed by GitHub
commit 1768669500
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 783 additions and 0 deletions

13
.github/FUNDING.yml vendored Normal file
View file

@ -0,0 +1,13 @@
# These are supported funding model platforms
github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
patreon: # Replace with a single Patreon username
open_collective: # Replace with a single Open Collective username
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
liberapay: # Replace with a single Liberapay username
issuehunt: # Replace with a single IssueHunt username
otechie: # Replace with a single Otechie username
custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
FUNDING.yml

38
.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View file

@ -0,0 +1,38 @@
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots**
If applicable, add screenshots to help explain your problem.
**Desktop (please complete the following information):**
- OS: [e.g. iOS]
- Browser [e.g. chrome, safari]
- Version [e.g. 22]
**Smartphone (please complete the following information):**
- Device: [e.g. iPhone6]
- OS: [e.g. iOS8.1]
- Browser [e.g. stock browser, safari]
- Version [e.g. 22]
**Additional context**
Add any other context about the problem here.

10
.github/ISSUE_TEMPLATE/custom.md vendored Normal file
View file

@ -0,0 +1,10 @@
---
name: Custom issue template
about: Describe this issue template's purpose here.
title: ''
labels: ''
assignees: ''
---

View file

@ -0,0 +1,20 @@
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: ''
assignees: ''
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.

49
.github/workflows/codacy-analysis.yml vendored Normal file
View file

@ -0,0 +1,49 @@
# This workflow checks out code, performs a Codacy security scan
# and integrates the results with the
# GitHub Advanced Security code scanning feature. For more information on
# the Codacy security scan action usage and parameters, see
# https://github.com/codacy/codacy-analysis-cli-action.
# For more information on Codacy Analysis CLI in general, see
# https://github.com/codacy/codacy-analysis-cli.
name: Codacy Security Scan
on:
push:
branches: [ main ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ main ]
schedule:
- cron: '29 13 * * 4'
jobs:
codacy-security-scan:
name: Codacy Security Scan
runs-on: ubuntu-latest
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
uses: actions/checkout@v2
# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
- name: Run Codacy Analysis CLI
uses: codacy/codacy-analysis-cli-action@1.1.0
with:
# Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
# You can also omit the token and run the tools that support default configurations
project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
verbose: true
output: results.sarif
format: sarif
# Adjust severity of non-security issues
gh-code-scanning-compat: true
# Force 0 exit code to allow SARIF file generation
# This will handover control about PR rejection to the GitHub side
max-allowed-issues: 2147483647
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif

48
.github/workflows/crunch42-analysis.yml vendored Normal file
View file

@ -0,0 +1,48 @@
# This workflow locates REST API file contracts
# (Swagger or OpenAPI format, v2 and v3, JSON and YAML)
# and runs 200+ security checks on them using 42Crunch Security Audit technology.
#
# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
#
# To use this workflow, you will need to complete the following setup steps.
#
# 1. Create a free 42Crunch account at https://platform.42crunch.com/register
#
# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
# to create an API Token on the 42Crunch platform
#
# 3. Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm,
# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow
#
# If you have any questions or need help contact https://support.42crunch.com
name: "42Crunch REST API Static Security Testing"
# follow standard Code Scanning triggers
on:
push:
branches: [ main ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ main ]
schedule:
- cron: '27 23 * * 3'
jobs:
rest-api-static-security-testing:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: 42Crunch REST API Static Security Testing
uses: 42Crunch/api-security-audit-action@v1
with:
# Please create free account at https://platform.42crunch.com/register
# Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
api-token: ${{ secrets.API_TOKEN }}
# Fail if any OpenAPI file scores lower than 75
min-score: 75
# Upload results to Github code scanning
upload-to-code-scanning: true
# Github token for uploading the results
github-token: ${{ github.token }}

34
.github/workflows/devskim-analysis.yml vendored Normal file
View file

@ -0,0 +1,34 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: DevSkim
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
- cron: '24 19 * * 4'
jobs:
lint:
name: DevSkim
runs-on: ubuntu-20.04
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Run DevSkim scanner
uses: microsoft/DevSkim-Action@v1
- name: Upload DevSkim scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: devskim-results.sarif

97
.github/workflows/fortify-analysis.yml vendored Normal file
View file

@ -0,0 +1,97 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
################################################################################################################################################
# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
# or contact our sales team, visit microfocus.com/appsecurity. #
# #
# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.#
# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into #
# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against #
# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the #
# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional #
# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. #
################################################################################################################################################
name: Fortify on Demand Scan
# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
on:
workflow_dispatch:
push:
branches: [ main ]
schedule:
- cron: '41 13 * * 0'
jobs:
FoD-SAST-Scan:
# Use the appropriate runner for building your source code.
# TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v2
# Java is required to run the various Fortify utilities.
# When scanning a Java application, please use the appropriate Java version for building your application.
- name: Setup Java
uses: actions/setup-java@v1
with:
java-version: 1.8
# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
# ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
# ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
# ScanCentral has additional options that should be set for PHP and Python projects
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
# ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
- name: Download Fortify ScanCentral Client
uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3
- name: Package Code + Dependencies
run: scancentral package $PACKAGE_OPTS -o package.zip
env:
PACKAGE_OPTS: "-bt mvn"
# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
# Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
- name: Download Fortify on Demand Universal CI Tool
uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433
- name: Perform SAST Scan
run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
env:
FOD_URL: "https://ams.fortify.com/"
FOD_API_URL: "https://api.ams.fortify.com/"
FOD_TENANT: ${{ secrets.FOD_TENANT }}
FOD_USER: ${{ secrets.FOD_USER }}
FOD_PAT: ${{ secrets.FOD_PAT }}
FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
- name: Export results to GitHub-optimized SARIF
uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b
with:
fod_base_url: "https://ams.fortify.com/"
fod_tenant: ${{ secrets.FOD_TENANT }}
fod_user: ${{ secrets.FOD_USER }}
fod_password: ${{ secrets.FOD_PAT }}
fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
# Import Fortify on Demand results to GitHub Security Code Scanning
- name: Import Results
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ./gh-fortify-sast.sarif

41
.github/workflows/kubesec-analysis.yml vendored Normal file
View file

@ -0,0 +1,41 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Kubesec
on:
push:
branches: [ main ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ main ]
schedule:
- cron: '31 22 * * 3'
jobs:
lint:
name: Kubesec
runs-on: ubuntu-20.04
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Run kubesec scanner
uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14
with:
input: file.yaml # specify configuration file to scan here
format: template
template: template/sarif.tpl
output: kubesec-results.sarif
exit-code: "0"
- name: Upload Kubesec scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: kubesec-results.sarif

View file

@ -0,0 +1,66 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# This workflow starts your API and fuzzes it with ForAllSecure Mayhem for API
# to find reliability, performance and security issues before they reach
# production.
#
# To use this workflow, you will need to:
#
# 1. Create a Mayhem for API account at
# https://mayhem4api.forallsecure.com/signup
#
# 2. Create a service account token `mapi organization service-account create
# <org-name> <service-account-name>`
#
# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN"
#
# 4. Update the "Start your API" step to run your API in the background before
# starting the Mayhem for API scan, and update the `api-url` & `api-spec`
# field.
#
# If you have any questions, please contact us at mayhem4api@forallsecure.com
name: "Mayhem for API"
on:
push:
branches: [ main ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ main ]
jobs:
mayhem-for-api:
name: Mayhem for API
# Mayhem for API runs on linux, mac and windows
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@v2
# Run your API in the background. Ideally, the API would run in debug
# mode & send stacktraces back on "500 Internal Server Error" responses
# (don't do this in production though!)
- name: Start your API
run: ./run_your_api.sh & # <- ✏️ update this
- name: Mayhem for API
uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010
continue-on-error: true
with:
mapi-token: ${{ secrets.MAPI_TOKEN }}
api-url: http://localhost:8080 # <- ✏️ update this
api-spec: http://localhost:8080/openapi.json # <- ✏️ update this
duration: 60
sarif-report: mapi.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: mapi.sarif

30
.github/workflows/njsscan-analysis.yml vendored Normal file
View file

@ -0,0 +1,30 @@
# This workflow integrates njsscan with GitHub's Code Scanning feature
# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications
name: njsscan sarif
on:
push:
branches: [ main ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ main ]
schedule:
- cron: '30 22 * * 0'
jobs:
njsscan:
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
- name: Checkout the code
uses: actions/checkout@v2
- name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@master
with:
args: '. --sarif --output results.sarif || true'
- name: Upload njsscan report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif

49
.github/workflows/prisma-analysis.yml vendored Normal file
View file

@ -0,0 +1,49 @@
# A sample workflow that checks for security issues using
# the Prisma Cloud Infrastructure as Code Scan Action on
# the IaC files present in the repository.
# The results are uploaded to GitHub Security Code Scanning
#
# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action
name: Prisma Cloud IaC Scan
on:
push:
branches: [ main ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ main ]
schedule:
- cron: '41 19 * * 6'
jobs:
prisma_cloud_iac_scan:
runs-on: ubuntu-latest
name: Run Prisma Cloud IaC Scan to check
steps:
- name: Checkout
uses: actions/checkout@v2
- id: iac-scan
name: Run Scan on CFT files in the repository
uses: prisma-cloud-shiftleft/iac-scan-action@v1
with:
# You will need Prisma Cloud API Access Token
# More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action
prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }}
access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
# Scan sources on Prisma Cloud are uniquely identified by their name
asset_name: 'my-asset-name'
# The service need to know the type of IaC being scanned
template_type: 'CFT'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed.
# And alternative it to add `continue-on-error: true` to the previous step
if: success() || failure()
with:
# The SARIF Log file name is configurable on scan action
# therefore the file name is best read from the steps output
sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }}

37
.github/workflows/semgrep-analysis.yml vendored Normal file
View file

@ -0,0 +1,37 @@
# This workflow file requires a free account on Semgrep.dev to
# manage rules, file ignores, notifications, and more.
#
# See https://semgrep.dev/docs
name: Semgrep
on:
push:
branches: [ main ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ main ]
schedule:
- cron: '39 13 * * 1'
jobs:
semgrep:
name: Scan
runs-on: ubuntu-latest
steps:
# Checkout project source
- uses: actions/checkout@v2
# Scan code using project's configuration on https://semgrep.dev/manage
- uses: returntocorp/semgrep-action@v1
with:
publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
generateSarif: "1"
# Upload SARIF file generated in previous step
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: semgrep.sarif
if: always()

View file

@ -0,0 +1,42 @@
# This workflow integrates Scan with GitHub's code scanning feature
# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
# Visit https://slscan.io/en/latest/integrations/code-scan for help
name: SL Scan
on:
push:
branches: [ main ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ main ]
schedule:
- cron: '28 17 * * 0'
jobs:
Scan-Build:
# Scan runs on ubuntu, mac and windows
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
# Instructions
# 1. Setup JDK, Node.js, Python etc depending on your project type
# 2. Compile or build the project before invoking scan
# Example: mvn compile, or npm install or pip install goes here
# 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
- name: Perform Scan
uses: ShiftLeftSecurity/scan-action@master
env:
WORKSPACE: ""
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SCAN_AUTO_BUILD: true
with:
output: reports
# Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
# type: credscan,java
# type: python
- name: Upload report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: reports

View file

@ -0,0 +1,42 @@
# A sample workflow which checks out your Infrastructure as Code Configuration files,
# such as Kubernetes, Helm & Terraform and scans them for any security issues.
# The results are then uploaded to GitHub Security Code Scanning
#
# For more examples, including how to limit scans to only high-severity issues
# and fail PR checks, see https://github.com/snyk/actions/
name: Snyk Infrastructure as Code
on:
push:
branches: [ main ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ main ]
schedule:
- cron: '28 6 * * 3'
jobs:
snyk:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run Snyk to check configuration files for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the issues to GitHub Code Scanning
continue-on-error: true
uses: snyk/actions/iac@master
env:
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
# or you can signup for free at https://snyk.io/login
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
# Add the path to the configuration file that you would like to test.
# For example `deployment.yaml` for a Kubernetes deployment manifest
# or `main.tf` for a Terraform configuration file
file: your-file-to-test.yaml
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: snyk.sarif

View file

@ -0,0 +1,57 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# 🦅 STACKHAWK https://stackhawk.com
# The StackHawk HawkScan action makes it easy to integrate dynamic application security testing (DAST) into your
# CI pipeline. See the Getting Started guide (https://docs.stackhawk.com/hawkscan/) to get up and running with
# StackHawk quickly.
# To use this workflow, you must:
#
# 1. Create an API Key and Application: Sign up for a free StackHawk account to obtain an API Key and
# create your first app and configuration file at https://app.stackhawk.com.
#
# 2. Save your API Key as a Secret: Save your API key as a GitHub Secret named HAWK_API_KEY.
#
# 3. Add your Config File: Add your stackhawk.yml configuration file to the base of your repository directory.
#
# 4. Set the Scan Failure Threshold: Add the hawk.failureThreshold configuration option
# (https://docs.stackhawk.com/hawkscan/configuration/#hawk) to your stackhawk.yml configuration file. If your scan
# produces alerts that meet or exceed the hawk.failureThreshold alert level, the scan will return exit code 42
# and trigger a Code Scanning alert with a link to your scan results.
#
# 5. Update the "Start your service" Step: Update the "Start your service" step in the StackHawk workflow below to
# start your service so that it can be scanned with the "Run HawkScan" step.
name: "StackHawk"
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
- cron: '43 9 * * 3'
jobs:
stackhawk:
name: StackHawk
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Start your service
run: ./your-service.sh & # ✏️ Update this to run your own service to be scanned
- name: Run HawkScan
uses: stackhawk/hawkscan-action@4c3258cd62248dac6d9fe91dd8d45928c697dee0
continue-on-error: true # ✏️ Set to false to break your build on scan errors
with:
apiKey: ${{ secrets.HAWK_API_KEY }}
codeScanningAlerts: true
githubToken: ${{ github.token }}

View file

@ -0,0 +1,87 @@
# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it,
# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository.
#
# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action
#
# To use this basic workflow, you will need to complete the following setup steps:
#
# 1. The underlying Xanitizer, used in this workflow, needs a separate license file.
# Licenses are free of charge for open source projects and for educational usage.
# To get more information about the Xanitizer licenses and how to obtain a license file,
# please consult https://www.xanitizer.com/xanitizer-pricing/.
#
# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository.
# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details.
#
# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action.
# Example:
# - name: Xanitizer Security Analysis
# uses: RIGS-IT/xanitizer-action@v1
# with:
# license: ${{ secrets.XANITIZER_LICENSE }}
#
# 4. As a static application security testing (SAST) tool,
# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully.
# So you have to install all used libraries and build your project before running the security analysis,
# e.g. via `mvn compile` for Java or `npm install` for JavaScript
name: "Xanitizer Security Analysis"
on:
push:
branches: [ main ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ main ]
schedule:
- cron: '16 23 * * 2'
workflow_dispatch:
jobs:
xanitizer-security-analysis:
# Xanitizer runs on ubuntu-latest and windows-latest.
runs-on: ubuntu-latest
steps:
# Check out the repository
- name: Checkout
uses: actions/checkout@v2
# Set up the correct Java version for your project
# Please comment out, if your project does not contain Java source code.
- name: Set up JDK 11
uses: actions/setup-java@v1
with:
java-version: 11
# Compile the code for Java projects and get all libraries, e.g. via Maven
# Please adapt, if your project uses another build system to compile Java source code.
# Please comment out, if your project does not contain Java source code.
- name: Compile Java code
run: mvn -B compile
# Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm
# Please adapt to run `npm install` in the correct directories.
# Please adapt, if your project uses another package manager for getting JavaScript libraries.
# Please comment out, if your project does not use a package manager for getting JavaScript libraries.
- name: Install JavaScript libraries
run: npm install
# Run the security analysis with default settings
- name: Xanitizer Security Analysis
uses: RIGS-IT/xanitizer-action@v1
with:
license: ${{ secrets.XANITIZER_LICENSE }}
# Archiving the findings list reports
- uses: actions/upload-artifact@v2
with:
name: Xanitizer-Reports
path: |
*-Findings-List.pdf
*-Findings-List.sarif
# Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
- uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: Xanitizer-Findings-List.sarif

22
SECURITY.md Normal file
View file

@ -0,0 +1,22 @@
# Security Policy
## Supported Versions
Use this section to tell people about which versions of your project are
currently being supported with security updates.
| Version | Supported |
| ------- | ------------------ |
| 5.1.x | :white_check_mark: |
| 5.0.x | :x: |
| 4.0.x | :white_check_mark: |
| < 4.0 | :x: |
## Reporting a Vulnerability
Use this section to tell people how to report a vulnerability.
Tell them where to go, how often they can expect to get an update on a
reported vulnerability, what to expect if the vulnerability is accepted or
declined, etc.
SECURITY.md

1
_config.yml Normal file
View file

@ -0,0 +1 @@
theme: jekyll-theme-cayman