# Composite action metadata: display name, description and the inputs a
# calling workflow can pass in.
name: "Proxy action"
description: "Action that calls other actions - security actions"
inputs:
  # NOTE(review): API_ID and API_KEY are declared as required, but no step in
  # this file reads `inputs.API_ID` or `inputs.API_KEY`. Either wire them into
  # the step that needs them or drop the requirement, so callers are not asked
  # to hand over credentials that go unused.
  API_ID: # id of input
    description: "Veracode API_ID"
    required: true
    # default: "World"
  # Credential input: callers should supply this from their encrypted secrets
  # (not a literal in the workflow file) so the value is masked in job logs.
  API_KEY: # id of input
    description: "Veracode API_KEY"
    required: true
  # NOTE(review): `path` is also not referenced by any step below; the
  # Dependency Check step scans a hard-coded ".".
  path: # id of input
    description: "Path to assets"
    required: true
    default: "."
# Composite run definition: a debug listing, then an SCA scan
# (OWASP Dependency-Check) and a SAST scan (Semgrep). Each scan's SARIF
# output is uploaded twice: as a build artifact and to GitHub code scanning.
#
# NOTE(review): every third-party action below is referenced by a branch
# (`@main`) or a major-version tag (`@v1`). Both are mutable refs, so the code
# that runs here can change without any change to this file. Pin each `uses:`
# to a full commit SHA (`owner/repo@<FULL_COMMIT_SHA>  # vX.Y.Z`) of a release
# that is still supported upstream.
runs:
  using: "composite"
  steps:
    #- run: echo Hello ${{ inputs.who-to-greet }}.
    #  shell: bash
    #- id: random-number-generator
    #  run: echo "::set-output name=random-id::$(echo $RANDOM)"
    #  shell: bash
    #- run: echo "${{ github.action_path }}" >> $GITHUB_PATH
    #  shell: bash
    #- run: zip -r tractus.zip .
    #  shell: bash
    #- run: ls -l
    #  shell: bash
    #- run: cat results.json
    #  shell: bash
    # Debug aid: prints every file name in the working directory (including
    # dotfiles) to the job log.
    - run: ls -l -a
      shell: bash
    # --- Software Composition Analysis (SCA) ---
    - name: Dependency Check
      # NOTE(review): `@main` tracks a branch; see the pinning note above.
      uses: dependency-check/Dependency-Check_Action@main
      with:
        # Project name is hard-coded rather than taken from the caller.
        project: "test"
        # Automatically searches for dependency manager files in the repository
        # NOTE(review): hard-coded; the action's `path` input is not used here.
        path: "."
        # Exports the results in SARIF format for SARIF upload.
        # Alternatively, other report formats can be selected, see command line arguments.
        format: "SARIF"
        # If results with a high severity are found, the workflow fails.
        args: >
          --failOnCVSS 7
          --enableRetired
      # Run even when an earlier step has failed.
      if: always()
    - name: Upload DependencyCheck output as artifact
      uses: actions/upload-artifact@v1
      with:
        name: dependency-check-report-sarif
        path: ${{ github.workspace }}/reports
      # Keep the report even when the scan step failed the build.
      if: always()
    # Upload findings to GitHub Advanced Security Dashboard
    # NOTE(review): SARIF upload normally needs the calling job to grant
    # `security-events: write`; confirm the consuming workflows do so.
    - name: Upload SARIF file for GitHub Advanced Security Dashboard
      uses: github/codeql-action/upload-sarif@v1
      with:
        # Path to SARIF file relative to the root of the repository
        sarif_file: ${{ github.workspace }}/reports/dependency-check-report.sarif
      if: always()
    # --- Static Application Security Testing (SAST) ---
    - uses: returntocorp/semgrep-action@v1
      id: semgrep
      with:
        # Rulesets are listed one per line in a folded block scalar.
        config: >- # more at semgrep.dev/explore
          p/security-audit
          p/owasp-top-ten
          p/xss
          p/r2c
          p/react
          p/secrets
          p/docker
          p/typescript
        # Ask Semgrep to write SARIF output; the steps below upload
        # `semgrep.sarif`.
        generateSarif: "1"
      if: always()
      # == Optional settings in the `with:` block
      # Instead of `config:`, use rules set in Semgrep App.
      # Get your token from semgrep.dev/manage/settings.
      #   publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
      # Never fail the build due to findings on pushes.
      # Instead, just collect findings for semgrep.dev/manage/findings
      #   auditOn: push
      # Upload findings to GitHub Advanced Security Dashboard [step 1/2]
      # See also the next step.
      #   generateSarif: "1"
      # Change job timeout (default is 1800 seconds; set to 0 to disable)
      # env:
      #   SEMGREP_TIMEOUT: 300
    # NOTE(review): with `p/secrets` enabled, the SARIF may quote the matched
    # source lines; if so, this artifact exposes them to anyone who can
    # download artifacts from the run. Confirm what the report contains before
    # keeping this upload.
    - name: Upload Semgrep output as artifact
      uses: actions/upload-artifact@v1
      with:
        name: semgrep.sarif
        path: semgrep.sarif
      if: always()
    # Upload findings to GitHub Advanced Security Dashboard [step 2/2]
    - name: Upload SARIF file for GitHub Advanced Security Dashboard
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: semgrep.sarif
      if: always()
# Icon and colour of the badge shown for this action in its listing.
branding:
  icon: "activity"
  color: "gray-dark"