diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 1191a51..ff3f710 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -4,3 +4,4 @@
 .gitleaks.toml @centreon/owners-security
 .gitleaksignore @centreon/owners-security
+**/secu-*.yml @centreon/owners-security
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..db9902b
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: '/'
+ schedule:
+ interval: monthly
+ open-pull-requests-limit: 50
+ labels:
+ - 'dependencies'
+ - 'gha'
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 0000000..b570ea8
--- /dev/null
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,26 @@
+name: actionlint
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+on:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - master
+ paths:
+ - ".github/**"
+
+jobs:
+ action-lint:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+ - name: Ensure SHA pinned actions
+ uses: centreon/github-actions-ensure-sha-pinned-actions@47d553c67ceb08ad660deaeb3b994e47a3dd8fc3 # v3.0.23.3
+ with:
+ allowlist: |
+ centreon/security-tools
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
deleted file mode 100644
index 294b431..0000000
--- a/.github/workflows/gitleaks.yml
+++ /dev/null
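Review bot: The new `**/secu-*.yml` entry leaves `.github/workflows/actionlint.yml` — the file holding the SHA-pinning allowlist (`centreon/security-tools`) — under the default owners, so a change that widens or removes that allowlist can relax pin enforcement without a security-owner review. Consider adding `.github/workflows/actionlint.yml @centreon/owners-security` alongside it, and `.github/dependabot.yml` if the same team should approve update policy. The hunk header advertises three old lines but only two context lines are visible here, so the exact placement of the added entry is inferred.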
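Review bot: Quoting in dependabot.yml is inconsistent: `'/'`, `'dependencies'` and `'gha'` are single-quoted while `github-actions` and `monthly` are plain, and the other new workflow files use double quotes. None of these values needs quoting, so `directory: /`, `- dependencies` and `- gha` (or one quote style across the `.github` tree) would read more uniformly. Dependabot can only bump actions referenced by tag or SHA, so the `@main` references in the secu-*.yml workflows stay outside its reach and need their own update convention.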
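Review bot: actionlint.yml declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scopes even though checkout plus the SHA-pinning check only need read access; adding `permissions:` / `  contents: read` at the top level (above `concurrency:`) follows least privilege. The same omission appears in secu-code-scan.yml, secu-dependency-scan.yml and secu-secret-scan.yml, though for those the caller's grant must still cover whatever the reusable workflows in centreon/security-tools require, which is not visible in this diff. Separately, the workflow is named `actionlint` and the job `action-lint`, yet the only check it runs is ensure-sha-pinned-actions; either an actionlint step is missing or the names should describe the pin check.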
@@ -1,21 +0,0 @@
-name: gitleaks
-on:
- pull_request:
- workflow_dispatch:
-
-jobs:
- scan:
- name: gitleaks
- runs-on: ubuntu-24.04
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- fetch-depth: 0
-
- - uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3 # v2.3.7
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GITLEAKS_LICENSE: "Centreon"
- GITLEAKS_ENABLE_COMMENTS: false
- GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
- GITLEAKS_ENABLE_SUMMARY: false
diff --git a/.github/workflows/secu-code-scan.yml b/.github/workflows/secu-code-scan.yml
new file mode 100644
index 0000000..45190d2
--- /dev/null
+++ b/.github/workflows/secu-code-scan.yml
@@ -0,0 +1,30 @@
+name: code-scan
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+on:
+ pull_request:
+ branches:
+ - master
+ push:
+ branches:
+ - master
+ workflow_dispatch:
+ schedule:
+ - cron: 0 1 * * 1-5
+
+jobs:
+
+ code-scan:
+ uses: centreon/security-tools/.github/workflows/checkmarx-analysis.yml@main
+ with:
+ module_directory:
+ module_name: warp10r
+ exclude_list:
+ secrets:
+ base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
+ cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
+ cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
+ cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
diff --git a/.github/workflows/secu-dependency-scan.yml b/.github/workflows/secu-dependency-scan.yml
new file mode 100644
index 0000000..a1dae0e
--- /dev/null
+++ b/.github/workflows/secu-dependency-scan.yml
@@ -0,0 +1,12 @@
+name: dependency-scan
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ dependency-scan:
+ uses: centreon/security-tools/.github/workflows/dependency-analysis.yml@main
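Review bot: Under `with:` in secu-code-scan.yml, `module_directory:` and `exclude_list:` are bare keys, which YAML parses as `null` rather than an empty string; if the reusable workflow declares them as string inputs, write `module_directory: ""` and `exclude_list: ""` (or omit the keys and rely on the callee's defaults) so the intent is explicit. The job calls `centreon/security-tools/.github/workflows/checkmarx-analysis.yml@main` — a mutable branch ref that receives four Checkmarx secrets — and secu-dependency-scan.yml and secu-secret-scan.yml reference `@main` the same way; the actionlint allowlist deliberately exempts this org, so this looks like a conscious trade-off, but pinning to a tag or SHA, or a comment stating why `@main` is required, would make the trust boundary visible. The cron is a plain scalar that parses as a string here, but `cron: "0 1 * * 1-5"` is the conventional form and avoids an alias parse if the expression ever starts with `*`.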
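Review bot: `concurrency:` in secu-dependency-scan.yml sets only `group:` with no `cancel-in-progress:`, unlike actionlint.yml and secu-code-scan.yml which set `cancel-in-progress: true`; without it a superseded PR run still completes and merely serialises the next one, so either add `cancel-in-progress: true` or leave a comment on why a dependency scan must not be cancelled. The workflow also triggers only on `pull_request` and `workflow_dispatch`, whereas secu-code-scan.yml adds `push` to master and a weekday `schedule`; a dependency whose advisory is published after the last PR is not re-scanned until someone opens a new one, so a `schedule:` trigger (and `push:` on master) would close that gap.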
diff --git a/.github/workflows/secu-secret-scan.yml b/.github/workflows/secu-secret-scan.yml
new file mode 100644
index 0000000..b6dc4bb
--- /dev/null
+++ b/.github/workflows/secu-secret-scan.yml
@@ -0,0 +1,12 @@
+name: secrets-scan
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ secrets-scan:
+ uses: centreon/security-tools/.github/workflows/gitleaks-analysis.yml@main
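Review bot: This file replaces the deleted gitleaks.yml, which checked out with `fetch-depth: 0` so gitleaks could scan the full history; the new job delegates to `gitleaks-analysis.yml@main` with no inputs, so whether the full history or only the PR range is scanned now depends entirely on the callee, which is not visible here. That is worth confirming and recording, e.g. `# history depth is set by gitleaks-analysis.yml in centreon/security-tools` once verified. The triggers also omit `push` to master, so a secret committed directly to master outside a PR is never scanned by this workflow; if direct pushes are possible in this repository, a `push:` trigger on master would cover it.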