From d3e36020fe2482abe22f33cd91014d53ac835c88 Mon Sep 17 00:00:00 2001
From: marcellmueller
Date: Tue, 25 Jul 2023 15:22:15 -0700
Subject: [PATCH 1/3] test: resuable actions
---
.github/workflows/sonarcloud.yaml | 10 ++++++++++
.github/workflows/test-code.yaml | 5 +----
2 files changed, 11 insertions(+), 4 deletions(-)
create mode 100644 .github/workflows/sonarcloud.yaml
diff --git a/.github/workflows/sonarcloud.yaml b/.github/workflows/sonarcloud.yaml
new file mode 100644
index 0000000000..bc6eb1c7d5
--- /dev/null
+++ b/.github/workflows/sonarcloud.yaml
@@ -0,0 +1,10 @@
+name: sonarcloud-scan
+on:
+ workflow_dispatch:
+ push:
+jobs:
+ sonarcloud-scan:
+ uses: button-inc/button-shared-gh-actions/.github/workflows/scan-code-sonarcloud.yml@develop
+ secrets:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ sonar-token: ${{ secrets.SONAR_TOKEN}}
diff --git a/.github/workflows/test-code.yaml b/.github/workflows/test-code.yaml
index 07c0cca40c..fb1a43c48a 100644
--- a/.github/workflows/test-code.yaml
+++ b/.github/workflows/test-code.yaml
@@ -111,10 +111,7 @@ jobs:
working-directory: ./app
run: yarn test --coverage
- name: SonarCloud Scan
- uses: sonarsource/sonarcloud-github-action@master
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ uses: ./.github/workflows/sonarcloud.yaml
eslint:
needs: [install-test-env]
From c7adb171f64d9aad4e696ea80e9f22c7756e0d5c Mon Sep 17 00:00:00 2001
From: marcellmueller
Date: Tue, 25 Jul 2023 15:57:44 -0700
Subject: [PATCH 2/3] test: trivy
---
.github/workflows/owasp.yaml | 9 +++++++++
.github/workflows/test-code.yaml | 17 ++--------------
.github/workflows/trivy.yaml | 7 +++++++
3 files changed, 18 insertions(+), 15 deletions(-)
create mode 100644 .github/workflows/owasp.yaml
create mode 100644 .github/workflows/trivy.yaml
diff --git a/.github/workflows/owasp.yaml b/.github/workflows/owasp.yaml
new file mode 100644
index 0000000000..8e8ab6391c
--- /dev/null
+++ b/.github/workflows/owasp.yaml
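Review bot: The `uses:` line in the new `sonarcloud-scan` job pins the shared workflow to `@develop`, a mutable branch in another organization's repository, so whatever lands on that branch later runs with this repository's `GITHUB_TOKEN` and `SONAR_TOKEN` without any change here. Pin to a full-length commit SHA (a tag is the minimum), e.g. `uses: button-inc/button-shared-gh-actions/.github/workflows/scan-code-sonarcloud.yml@<commit-sha>`, and let Dependabot or a scheduled check propose bumps. The same `@develop` pin appears in the new owasp.yaml, trivy.yaml and gitleaks.yaml files in the following two patches. Minor style point: `${{ secrets.SONAR_TOKEN}}` is missing the space before `}}` that the line above it has.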
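Review bot: The added `uses: ./.github/workflows/sonarcloud.yaml` sits on a step (under `- name: SonarCloud Scan`), but a step's `uses` accepts an action (`owner/repo@ref` or a local directory with `action.yml`), not a workflow file; a reusable workflow is called from `jobs.<id>.uses` and the callee must declare `on: workflow_call`, which sonarcloud.yaml does not. As written the job is rejected at workflow parse time and the SonarCloud scan stops running. Either keep the inline action step or call the shared workflow from the job level, `uses: button-inc/button-shared-gh-actions/.github/workflows/scan-code-sonarcloud.yml@<commit-sha>` with the same `secrets:` block the new file passes. The same step-level `uses:` of a workflow file recurs in the trivy hunk of patch 2 and the gitleaks hunk of patch 3. The enclosing job starts before this hunk.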
@@ -0,0 +1,9 @@
+name: zap-scan
+on:
+ workflow_dispatch:
+ push:
+jobs:
+ zap-scan:
+ uses: button-inc/button-shared-gh-actions/.github/workflows/scan-code-owasp-zap.yml@develop
+ with:
+ target-url: 'http://localhost:3000/applicantportal'
diff --git a/.github/workflows/test-code.yaml b/.github/workflows/test-code.yaml
index fb1a43c48a..0f80bc3dfc 100644
--- a/.github/workflows/test-code.yaml
+++ b/.github/workflows/test-code.yaml
@@ -29,21 +29,8 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- - name: Checkout code
- uses: actions/checkout@v3
- - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: fs
- format: sarif
- output: trivy-results.sarif
- exit-code: '0'
- ignore-unfixed: false
- severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: 'trivy-results.sarif'
+ - name: trivy scan
+ uses: ./.github/workflows/trivy.yaml
codeql-scan:
name: codeql-scan
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 0000000000..f534edc8f4
--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,7 @@
+name: trivy-scan
+on:
+ workflow_dispatch:
+ push:
+jobs:
+ trivy-scan:
+ uses: button-inc/button-shared-gh-actions/.github/workflows/scan-code-trivy.yml@develop
From 8c8c71309b3993b3bf669e53b6c36129f3e884c0 Mon Sep 17 00:00:00 2001
From: marcellmueller
Date: Tue, 25 Jul 2023 15:57:44 -0700
Subject: [PATCH 3/3] test: gitleaks
---
.github/workflows/gitleaks.yaml | 10 ++++++++++
.github/workflows/owasp.yaml | 2 +-
.github/workflows/sonarcloud.yaml | 2 +-
.github/workflows/test-code.yaml | 12 ++++++------
.github/workflows/trivy.yaml | 2 +-
5 files changed, 19 insertions(+), 9 deletions(-)
create mode 100644 .github/workflows/gitleaks.yaml
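Review bot: `target-url: 'http://localhost:3000/applicantportal'` points the ZAP scan at the runner's own loopback interface, and nothing in this file builds or starts the application, so unless the shared `scan-code-owasp-zap.yml` workflow does that itself the scan has no listener to test and will fail or report nothing. Check that workflow's inputs and add a comment stating who starts the app, e.g. `# target must be served by the called workflow; nothing here starts it`. Since the `push:` trigger fires on every branch push, a DAST job that cannot reach its target will also be a recurring red check.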
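Review bot: Besides the step-level `uses: ./.github/workflows/trivy.yaml` problem already raised on patch 1, this hunk drops the upload of `trivy-results.sarif` via `github/codeql-action/upload-sarif@v2`, the `severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` list and `exit-code: '0'`, and the new trivy.yaml passes no `with:` inputs at all. Whether the shared `scan-code-trivy.yml` workflow uploads SARIF to the Security tab or honours the same severity and exit-code settings is not visible here; if it does not, Trivy findings silently stop appearing in code scanning. Confirm the shared workflow's behaviour and record it in a comment next to the `uses:` line, e.g. `# shared workflow uploads SARIF to the Security tab; fails the job only on <policy>`. The enclosing job starts before this hunk.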
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
new file mode 100644
index 0000000000..7cc432e755
--- /dev/null
+++ b/.github/workflows/gitleaks.yaml
@@ -0,0 +1,10 @@
+name: gitleaks-scan
+on:
+ workflow_dispatch:
+ push:
+jobs:
+ gitleaks-scan:
+ uses: button-inc/button-shared-gh-actions/.github/workflows/scan-code-gitleaks.yml@develop
+ secrets:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ gitleaks-license: ${{ secrets.GITLEAKS_LICENSE}}
diff --git a/.github/workflows/owasp.yaml b/.github/workflows/owasp.yaml
index 8e8ab6391c..5184f70437 100644
--- a/.github/workflows/owasp.yaml
+++ b/.github/workflows/owasp.yaml
@@ -1,7 +1,7 @@
name: zap-scan
on:
workflow_dispatch:
- push:
+ # push:
jobs:
zap-scan:
uses: button-inc/button-shared-gh-actions/.github/workflows/scan-code-owasp-zap.yml@develop
diff --git a/.github/workflows/sonarcloud.yaml b/.github/workflows/sonarcloud.yaml
index bc6eb1c7d5..01550e8449 100644
--- a/.github/workflows/sonarcloud.yaml
+++ b/.github/workflows/sonarcloud.yaml
@@ -1,7 +1,7 @@
name: sonarcloud-scan
on:
workflow_dispatch:
- push:
+ # push:
jobs:
sonarcloud-scan:
uses: button-inc/button-shared-gh-actions/.github/workflows/scan-code-sonarcloud.yml@develop
diff --git a/.github/workflows/test-code.yaml b/.github/workflows/test-code.yaml
index 0f80bc3dfc..7680a5df7b 100644
--- a/.github/workflows/test-code.yaml
+++ b/.github/workflows/test-code.yaml
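Review bot: Replacing `push:` with `# push:` leaves `workflow_dispatch` as the only trigger, so the ZAP scan now runs only when someone starts it by hand; the same edit is made to sonarcloud.yaml on this line and to trivy.yaml in the next hunk, while the gitleaks.yaml added in this same commit keeps `push:`, so the four scan workflows end up with different trigger policies for no stated reason. If the intent is for these files to be invoked only from test-code.yaml, the trigger they need is `workflow_call:`, not a commented-out `push:`; if the intent is to disable them, delete the line rather than leave dead config (git history keeps it). Together with the step-level `uses:` calls in test-code.yaml that GitHub rejects, the repository would be left with no automatically running SonarCloud, Trivy or ZAP scan after this series.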
@@ -76,12 +76,12 @@ jobs:
gitleaks:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
- - run: ./.bin/install-gitleaks-linux-x64.sh
- - run: ./gitleaks detect --exit-code 0 --report-format sarif --report-path "gitleaks.sarif"
- - uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: 'gitleaks.sarif'
+ uses: ./.github/workflows/gitleaks.yaml
+ # - run: ./.bin/install-gitleaks-linux-x64.sh
+ # - run: ./gitleaks detect --exit-code 0 --report-format sarif --report-path "gitleaks.sarif"
+ # - uses: github/codeql-action/upload-sarif@v2
+ # with:
+ # sarif_file: 'gitleaks.sarif'
jest:
needs: [install-test-env]
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index f534edc8f4..b1cc5eca9a 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -1,7 +1,7 @@
name: trivy-scan
on:
workflow_dispatch:
- push:
+ # push:
jobs:
trivy-scan:
uses: button-inc/button-shared-gh-actions/.github/workflows/scan-code-trivy.yml@develop
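Review bot: The added `uses: ./.github/workflows/gitleaks.yaml` has no `- ` list marker and follows a retained `steps:` and `runs-on:`; indentation is lost in this rendering, but either reading is invalid — as an entry under `steps:` it turns the sequence into a mapping, and as a job-level key `uses` cannot coexist with `runs-on`/`steps`, and in any case a workflow file is not a valid step action (see the note on patch 1). The five `# - run: ...` / `# - uses: ...` lines below it are commented-out dead config that keep the old `./.bin/install-gitleaks-linux-x64.sh` path and the `--exit-code 0` invocation in the file; delete them, since git history already preserves them. The removed `github/codeql-action/upload-sarif@v2` step is what fed gitleaks results into the Security tab, and whether the shared `scan-code-gitleaks.yml` workflow does the same is not visible here — confirm before merging so secret-detection findings do not silently stop being reported.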