From 9c738f8a0d79ba0050ab746495f438af44c2af57 Mon Sep 17 00:00:00 2001 From: Rohan Krishnamurthy <99187454+RoKrish14@users.noreply.github.com> Date: Fri, 14 Jun 2024 15:47:05 +0200 Subject: [PATCH 01/13] chore: Updated trivy workflow --- .github/workflows/trivy.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index f1854fef..2fbb3207 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -40,12 +40,15 @@ jobs: uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # v0.20.0 + uses: aquasecurity/trivy-action@master with: image-ref: "tractusx/app-puris-frontend:latest" format: "sarif" output: "trivy-results-1.sarif" vuln-type: "os,library" + severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH). + exit-code: "1" + limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227 
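Review bot: The trailing comment on the new `severity: "CRITICAL,HIGH"` line in the frontend scan step says findings of all severities still reach the SARIF output, but the same hunk sets `limit-severities-for-sarif: true`, which restricts the SARIF report to the listed severities, so the comment states the opposite of what is configured. Either drop `limit-severities-for-sarif` if MEDIUM and LOW findings should still show up in the Security tab, or reword the comment, e.g. `# Only CRITICAL and HIGH findings are written to the SARIF output and fail the workflow.` The backend step in the `@@ -64,12 +67,15 @@` hunk carries the same comment and needs the same correction. The hunk also moves `uses:` from a commit SHA to the mutable `@master` ref; patches 02/13 and 03/13 restore a pinned SHA, so that only matters if this patch is applied on its own.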
@@ -64,12 +67,15 @@ jobs: steps: # Pull image from Docker Hub and run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0 + uses: aquasecurity/trivy-action@master with: image-ref: "tractusx/app-puris-backend:latest" format: "sarif" output: "trivy-results-2.sarif" vuln-type: "os,library" + severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH). + exit-code: "1" + limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227 From 131c1f7873fc3ff23dd392b34781e7f9cfdb4593 Mon Sep 17 00:00:00 2001 From: Rohan Krishnamurthy <99187454+RoKrish14@users.noreply.github.com> Date: Fri, 14 Jun 2024 16:05:00 +0200 Subject: [PATCH 02/13] chore: Updated trivy workflow Thanks for the suggestion. Co-authored-by: Tom Meyer --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 2fbb3207..b7df3a65 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -40,7 +40,7 @@ jobs: uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0 with: image-ref: "tractusx/app-puris-frontend:latest" format: "sarif" From 6eb1435894cdb546ad476f952d28d867eaedc091 Mon Sep 17 00:00:00 2001 
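Review bot: With `exit-code: "1"` added to the backend scan step in the `@@ -64,12 +67,15 @@` hunk, a CRITICAL or HIGH finding fails that step, and the `Upload Trivy scan results to GitHub Security tab` step after it appears to have no `if: always()`. The later `@@ -78,6 +78,6 @@` hunks on this page show it going straight from `uses:` to `with:`, unlike the frontend upload step. If so, the SARIF file is skipped exactly when there are findings to triage, and the Security tab keeps showing the last clean result. Adding `if: always()` to the backend upload step, as the frontend job already has, keeps the report visible; that step lies partly outside this hunk, so confirm against the full file.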
From: Rohan Krishnamurthy <99187454+RoKrish14@users.noreply.github.com> Date: Fri, 14 Jun 2024 16:05:19 +0200 Subject: [PATCH 03/13] chore: Updated trivy workflow Co-authored-by: Tom Meyer --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index b7df3a65..827999e9 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -67,7 +67,7 @@ jobs: steps: # Pull image from Docker Hub and run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0 with: image-ref: "tractusx/app-puris-backend:latest" format: "sarif" From 960de2fffd57b14c20b374249b5666b6d2ecda1e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Jun 2024 14:16:04 +0000 Subject: [PATCH 04/13] chore(deps): bump checkmarx/kics-github-action from 1.7.0 to 2.1.0 Bumps [checkmarx/kics-github-action](https://github.com/checkmarx/kics-github-action) from 1.7.0 to 2.1.0. - [Release notes](https://github.com/checkmarx/kics-github-action/releases) - [Commits](https://github.com/checkmarx/kics-github-action/compare/8a44970e3d2eca668be41abe9d4e06709c3b3609...aacf8e81cd48e227259c937c215b352e02ad447a) --- updated-dependencies: - dependency-name: checkmarx/kics-github-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/kics.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml index 37f4a15e..bea7c26d 100644 --- a/.github/workflows/kics.yml +++ b/.github/workflows/kics.yml 
@@ -50,7 +50,7 @@ jobs: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: KICS scan - uses: checkmarx/kics-github-action@8a44970e3d2eca668be41abe9d4e06709c3b3609 # v1.7.0 + uses: checkmarx/kics-github-action@aacf8e81cd48e227259c937c215b352e02ad447a # v2.1.0 with: path: "." fail_on: high From 0aea9c09b459e88c051b7db95d7fd18c321f273c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 15 Jun 2024 06:59:40 +0000 Subject: [PATCH 05/13] chore(deps): bump actions/download-artifact from 3.0.2 to 4.1.7 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3.0.2 to 4.1.7. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/9bc31d5ccc31df68ecc42ccf4149144866c47d8a...65a9edc5881444af0b9093a5e628f2fe47ea3b2e) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/render-puml-to-svg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/render-puml-to-svg.yml b/.github/workflows/render-puml-to-svg.yml index 003ea1ce..79dba58b 100644 --- a/.github/workflows/render-puml-to-svg.yml +++ b/.github/workflows/render-puml-to-svg.yml @@ -44,7 +44,7 @@ jobs: - name: checkout source repo uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: download generated svg file from job before - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v3 id: download with: name: artifacts From 028316c04f4312263a21ce6faf9fdc4cf7056c14 Mon Sep 17 00:00:00 2001 
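Review bot: The version comment on the new `actions/download-artifact` line in `render-puml-to-svg.yml` still reads `# v3` although the pinned SHA is the 4.1.7 target named in the commit message, so anyone auditing pins by their comments will misread what actually runs; the line should be `uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7`. This is also a major-version jump: download-artifact v4 cannot fetch artifacts produced by upload-artifact v3. The job that uploads `artifacts` is outside this hunk, so check that its upload step is on v4 as well, otherwise this step will fail to find the artifact.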
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 15 Jun 2024 07:06:35 +0000 Subject: [PATCH 06/13] chore(deps): bump azure/setup-helm from 3.5 to 4 Bumps [azure/setup-helm](https://github.com/azure/setup-helm) from 3.5 to 4. - [Release notes](https://github.com/azure/setup-helm/releases) - [Changelog](https://github.com/Azure/setup-helm/blob/main/CHANGELOG.md) - [Commits](https://github.com/azure/setup-helm/compare/5119fcb9089d432beecbf79bb2c7915207344b78...fe7b79cd5ee1e45176fcad797de68ecaf3ca4814) --- updated-dependencies: - dependency-name: azure/setup-helm dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/chart-release.yaml | 2 +- .github/workflows/helm-test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chart-release.yaml b/.github/workflows/chart-release.yaml index b1e720dd..5ad2b54c 100644 --- a/.github/workflows/chart-release.yaml +++ b/.github/workflows/chart-release.yaml @@ -42,7 +42,7 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Install Helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 with: version: v3.8.1 diff --git a/.github/workflows/helm-test.yml b/.github/workflows/helm-test.yml index 69115255..6c5f4546 100644 --- a/.github/workflows/helm-test.yml +++ b/.github/workflows/helm-test.yml @@ -82,7 +82,7 @@ jobs: tags: ${{ env.REGISTRY }}/${{ env.APP_BACKEND_NAME }}:${{ env.TAG }} - name: Set up Helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 with: version: ${{ github.event.inputs.helm_version || 'latest' }} From 7846a5db19448089b7dd9a1105913f52b0626d51 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 15 Jun 2024 07:19:47 +0000 Subject: [PATCH 07/13] chore(deps): bump github/codeql-action from 2.22.7 to 3.25.10 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.7 to 3.25.10. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/66b90a5db151a8042fa97405c6cf843bbe433f7b...23acc5c183826b7a8a97bce3cecc52db901f8251) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/kics.yml | 2 +- .github/workflows/trivy.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e12d5c61..1b962eae 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -69,7 +69,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227 + uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v2.227 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
@@ -93,7 +93,7 @@ jobs: # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup. # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227 + uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 # v2.227 # Command-line programs to run using the OS shell. # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -106,6 +106,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227 + uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v2.227 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml index bea7c26d..c1febbbe 100644 --- a/.github/workflows/kics.yml +++ b/.github/workflows/kics.yml @@ -62,6 +62,6 @@ jobs: # Upload findings to GitHub Advanced Security Dashboard - name: Upload SARIF file for GitHub Advanced Security Dashboard if: always() - uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v2.227 with: sarif_file: kicsResults/results.sarif diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 827999e9..62bc2268 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -51,7 +51,7 @@ jobs: limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v2.227 if: always() with: sarif_file: "trivy-results-1.sarif" 
@@ -78,6 +78,6 @@ jobs: limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v2.227 with: sarif_file: "trivy-results-2.sarif" From 46ad128829fae66969049b2e5095642f776e1a58 Mon Sep 17 00:00:00 2001 From: Tom Meyer Date: Sat, 15 Jun 2024 09:59:28 +0200 Subject: [PATCH 08/13] chore(codeql): update version string --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1b962eae..148035a5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -69,7 +69,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v2.227 + uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. From 1cbce9d50237a3b3760e9d1eb2f43f97e325166a Mon Sep 17 00:00:00 2001 From: Tom Meyer Date: Sat, 15 Jun 2024 09:59:35 +0200 Subject: [PATCH 09/13] chore(codeql): update version string --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 148035a5..0ae865a2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -93,7 +93,7 @@ jobs: # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup. # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 # v2.227 + uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 # Command-line programs to run using the OS shell. # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun From de199a36d661d8ea9d4ce92e471aa3edacbad4c5 Mon Sep 17 00:00:00 2001 From: Tom Meyer Date: Sat, 15 Jun 2024 09:59:40 +0200 Subject: [PATCH 10/13] chore(codeql): update version string --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0ae865a2..62977247 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -106,6 +106,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v2.227 + uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 with: category: "/language:${{matrix.language}}" From bf25206a96a0519ebf2d9b3225776b9689a29856 Mon Sep 17 00:00:00 2001 From: Tom Meyer Date: Sat, 15 Jun 2024 09:59:46 +0200 Subject: [PATCH 11/13] chore(codeql): update version string --- .github/workflows/kics.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml index c1febbbe..6efd512c 100644 --- a/.github/workflows/kics.yml +++ b/.github/workflows/kics.yml 
@@ -62,6 +62,6 @@ jobs: # Upload findings to GitHub Advanced Security Dashboard - name: Upload SARIF file for GitHub Advanced Security Dashboard if: always() - uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v2.227 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 with: sarif_file: kicsResults/results.sarif From dc95a247d6b4d816a9b729e650d93a214cb52bff Mon Sep 17 00:00:00 2001 From: Tom Meyer Date: Sat, 15 Jun 2024 09:59:52 +0200 Subject: [PATCH 12/13] chore(codeql): update version string --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 62bc2268..942a1642 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -51,7 +51,7 @@ jobs: limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v2.227 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 if: always() with: sarif_file: "trivy-results-1.sarif" From d542d5233141ea2f2f7525e93e6f2fc12592599c Mon Sep 17 00:00:00 2001 From: Tom Meyer Date: Sat, 15 Jun 2024 10:00:02 +0200 Subject: [PATCH 13/13] chore(codeql): update version string --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 942a1642..2ad384c6 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -78,6 +78,6 @@ jobs: limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v2.227 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 with: sarif_file: "trivy-results-2.sarif"