Skip to content
scans

chore(deps): update all digest updates #238

Sign in to view logs

chore(deps): update all digest updates

chore(deps): update all digest updates #238

Workflow file for this run

.github/workflows/scans.yml at 93db2ae
name: scans
on:
push:
branches: [main]
pull_request:
branches: [main]
merge_group:
branches: [main]
workflow_call:
workflow_dispatch:
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}
jobs:
checkov:
permissions:
contents: read
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: bridgecrewio/checkov-action@24efff410ab3a0ae8a83e3fb913cf90ceaaddb3a # master
- if: ${{ success() || failure() }}
uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3
with:
sarif_file: results.sarif
devskim:
permissions:
contents: read
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: microsoft/DevSkim-Action@a6b6966a33b497cd3ae2ebc406edf8f4cc2feec6 # v1
- uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3
with:
sarif_file: devskim-results.sarif
dustilock:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: checkmarx/dustilock@9a0cc4fe3da93f7efb38679896c074dc94d60ac6 # v1
gitleaks:
permissions:
contents: write
pull-requests: write
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: (${{ github.event.pull_request.commits || 2 }} + 1)
- uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
env:
GITHUB_TOKEN: ${{ github.token }}
- if: ${{ success() || failure() }}
uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3
with:
sarif_file: results.sarif
grype:
permissions:
contents: read
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- id: grype
uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6
with:
path: .
severity-cutoff: high
only-fixed: true
- if: ${{ success() || failure() }}
uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3
with:
sarif_file: ${{ steps.grype.outputs.sarif }}
kics:
permissions:
checks: write
contents: read
pull-requests: write
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: checkmarx/kics-github-action@5373b38b35d09a400790b9e560189064d185391f # v2
with:
enable_annotations: true
enable_comments: true
enable_jobs_summary: true
comments_with_queries: true
path: .
fail_on: critical,high
output_formats: sarif
bom: true
- if: ${{ success() || failure() }}
uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3
with:
sarif_file: results.sarif
megalinter:
permissions:
contents: write
pull-requests: write
security-events: write
statuses: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- id: megalinter
# You can override MegaLinter flavor used to have faster performances
# More info at https://megalinter.io/latest/flavors/
uses: oxsecurity/megalinter@146333030da68e2e58c6ff826633824fabe01eaf # v8
env:
GITHUB_TOKEN: ${{ github.token }}
- if: ${{ success() || failure() }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: megalinter-reports
path: |
megalinter-reports
mega-linter.log
- if: ${{ success() || failure() }}
uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3
with:
sarif_file: megalinter-reports/megalinter-report.sarif
ref: ${{ github.head_ref && format('refs/heads/{0}', github.head_ref) || github.ref }}
sha: ${{ github.event.pull_request.head.sha || github.sha }}
- if: ${{ failure() && steps.megalinter.outputs.has_updated_sources == 1 && github.event_name == 'pull_request' }}
name: commit changes
run: |
git config user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
git config user.name "${GITHUB_ACTOR}"
git commit --all --message "${COMMIT_MESSAGE}"
git push origin "HEAD:refs/heads/${GITHUB_HEAD_REF}"
env:
COMMIT_MESSAGE: "fix: apply megalinter fixes"
# https://api.github.com/users/megalinter-bot
GITHUB_ACTOR: megalinter-bot
GITHUB_ACTOR_ID: 129584137
msdo:
permissions:
contents: read
id-token: write
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1
id: msdo
- uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3
with:
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
osv-scan-pr:
permissions:
actions: read
contents: read
security-events: write
if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f # v2
osv-scan-push:
permissions:
actions: read
contents: read
security-events: write
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f # v2
syft:
permissions:
actions: read
contents: write
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: anchore/sbom-action@9f7302141466aa6482940f15371237e9d9f4c34a # v0
with:
output-file: "${{ github.event.repository.name }}-sbom.spdx.json"
dependency-snapshot: true
- id: grype
uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6
with:
sbom: "${{ github.event.repository.name }}-sbom.spdx.json"
severity-cutoff: high
only-fixed: true
- if: ${{ success() || failure() }}
uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3
with:
sarif_file: ${{ steps.grype.outputs.sarif }}
trivy:
permissions:
contents: write
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30
with:
scan-type: fs
format: github
output: dependency-results.sbom.json
github-pat: ${{ github.token }}
ignore-unfixed: true
severity: HIGH,CRITICAL
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: trivy-sbom-report
path: "${{ github.workspace }}/dependency-results.sbom.json"
- uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30
with:
scan-type: fs
exit-code: 1
ignore-unfixed: true
severity: HIGH,CRITICAL
format: sarif
output: trivy-results.sarif
skip-setup-trivy: true
- if: ${{ success() || failure() }}
uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3
with:
sarif_file: trivy-results.sarif
trufflehog:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: (${{ github.event.pull_request.commits || 2 }} + 1)
- uses: trufflesecurity/trufflehog@d722a7e50645c42123e31fe97761a88ade988db8 # v3
with:
extra_args: --results=verified,unknown
trunk:
permissions:
checks: write
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1
- name: trunk check --fix
if: ${{ failure() && github.event_name == 'pull_request' }}
run: |
git config user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
git config user.name "${GITHUB_ACTOR}"
git fetch origin "${GITHUB_HEAD_REF}" --depth 1
git switch "${GITHUB_HEAD_REF}"
git fetch origin "${DEFAULT_BRANCH}" --depth 1
upstream=$(git rev-parse "${DEFAULT_BRANCH}")
"${TRUNK_PATH}" check --ci --upstream "${upstream}" --fix
if [[ -n "$(git diff --name-only)" ]]; then
git commit --all --message "${COMMIT_MESSAGE}"
git push origin HEAD:refs/heads/"${GITHUB_HEAD_REF}"
fi
env:
COMMIT_MESSAGE: "fix: trunk check --fix"
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
# https://api.github.com/users/trunk-io
GITHUB_ACTOR: trunk-io
GITHUB_ACTOR_ID: 74779146
GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
vorpal:
permissions:
checks: write
contents: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- id: changed-files
uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 #v45
with:
files: "**/*.{cs,java,js,py}"
separator: ","
- if: ${{ steps.changed-files.outputs.all_changed_files != '' }}
uses: checkmarx/vorpal-reviewdog-github-action@e1d13fe263794580947b3cfa456b9140bbfb1a81 # v1
with:
source_path: ${{ steps.changed-files.outputs.all_changed_files }}
reporter: github-pr-check
filter_mode: file
fail_on_error: true