Merged
27 commits
6365a8b
Add GitHub Actions workflow to perform security scans
klane Jul 22, 2021
5153e53
Switch security workflow OS to Windows
klane Jul 22, 2021
3ea3ea2
Move CodeQL job to security workflow
klane Jul 24, 2021
1893e9b
Name security workflow jobs according to tool used
klane Jul 30, 2021
b469301
Add Semgrep job to security workflow
klane Jul 30, 2021
c736790
Add Codacy job to security workflow
klane Jul 30, 2021
813f5ec
Remove schedule from quality workflow
klane Jul 30, 2021
1481dcb
Revert "Add Codacy job to security workflow"
klane Jul 31, 2021
91b6baf
Merge branch 'main' into security
klane Aug 1, 2021
785d178
Use same version of checkout in all security jobs
klane Aug 1, 2021
6e2538c
Use CodeQL permissions in all security jobs
klane Aug 2, 2021
6203e5f
Add DevSkim job to security workflow
klane Aug 2, 2021
be3f71d
Run Bandit manually instead of via OSSAR
klane Aug 2, 2021
d490938
Ensure Bandit is installed in security workflow
klane Aug 2, 2021
fb2ee92
Provide target directory for Bandit
klane Aug 2, 2021
507ff3d
Revert "Add DevSkim job to security workflow"
klane Aug 2, 2021
fb39603
Always upload Bandit results to GitHub
klane Aug 2, 2021
5b80997
Always upload Semgrep results to GitHub
klane Aug 2, 2021
3afffa9
Pass Bandit analysis even if results are found
klane Aug 2, 2021
f6d5a4b
Run Bandit in Semgrep
klane Aug 2, 2021
9d3ed2a
Limit test workflow runs on pushes to main branch
klane Aug 2, 2021
d694e2e
Add OSSAR job back to security workflow
klane Aug 3, 2021
bc1eb2e
Scan for secrets with Semgrep
klane Aug 3, 2021
247c951
Never fail Semgrep job due to findings on pushes
klane Aug 3, 2021
9c61346
Add DevSkim job to security workflow
klane Aug 3, 2021
e7ab514
Revert "Add DevSkim job to security workflow"
klane Aug 3, 2021
2ed1fde
Rename CodeQL step
klane Aug 3, 2021
22 changes: 0 additions & 22 deletions .github/workflows/quality.yml
@@ -7,30 +7,8 @@ on:
pull_request:
branches:
- main
schedule:
- cron: '0 0 * * 0'

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

steps:
- name: Checkout
uses: actions/checkout@v2

- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
languages: python

- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v1

linting:
name: Linting
runs-on: ubuntu-latest
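Review bot: removing the `analyze` job also removes the only `permissions:` block in this file (`actions: read`, `contents: read`, `security-events: write`), so the remaining `linting` job, and anything below the shown context, now falls back to the repository's default `GITHUB_TOKEN` permissions. Since the new `security.yml` in this PR sets `permissions:` at workflow level, add a top-level `permissions: contents: read` here as well so the quality workflow runs with a read-only token. Dropping the weekly `schedule:` is consistent with the CodeQL job and its cron moving to the security workflow.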
75 changes: 75 additions & 0 deletions .github/workflows/security.yml
@@ -0,0 +1,75 @@
name: Security

on:
push:
branches:
- main
pull_request:
branches:
- main
# every Sunday at midnight
schedule:
- cron: '0 0 * * 0'

permissions:
actions: read
contents: read
security-events: write

jobs:
codeql:
name: CodeQL
runs-on: ubuntu-latest

steps:
- name: Checkout
uses: actions/checkout@v2

- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
languages: python

- name: Run CodeQL
uses: github/codeql-action/analyze@v1

ossar:
name: OSSAR
runs-on: windows-latest

steps:
- name: Checkout
uses: actions/checkout@v2

- name: Run OSSAR
id: ossar
uses: github/ossar-action@v1

- name: Upload OSSAR results
if: always()
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}

semgrep:
name: Semgrep
runs-on: ubuntu-latest

steps:
- name: Checkout
uses: actions/checkout@v2

- name: Run Semgrep
uses: returntocorp/semgrep-action@v1
with:
config: >-
p/ci
p/secrets
auditOn: push
generateSarif: true

- name: Upload Semgrep results
if: always()
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: semgrep.sarif
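Review bot: every `uses:` in this workflow references an action by a floating major tag (`actions/checkout@v2`, `github/codeql-action/init@v1`, `github/codeql-action/analyze@v1`, `github/ossar-action@v1`, `returntocorp/semgrep-action@v1`, `github/codeql-action/upload-sarif@v1`); for a workflow that holds `security-events: write`, pin each one to a full commit SHA (keeping the tag in a trailing comment) so a moved or compromised tag cannot change what runs on `main`. Two smaller points: `auditOn: push` combined with `if: always()` on the upload step means Semgrep findings on pushes are recorded in the Security tab but never fail the run, which matches the commit message but deserves a comment next to `auditOn` so it is not later read as an oversight; and `p/secrets` scans only the checked-out tree, so a secret committed and then removed in an earlier commit is not reported by this job.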
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
@@ -3,7 +3,7 @@ name: Tests
on:
push:
branches:
- '*'
- main
paths-ignore:
- 'docs/**'
- '**.md'
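Review bot: narrowing `branches:` from `'*'` to `main` means pushes to feature branches no longer run the test suite, so confirm that a `pull_request:` trigger exists below the shown context (none is visible in this hunk); without one, tests would only run after a change has already landed on `main`. The `paths-ignore:` entries are unchanged and still skip documentation-only pushes.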