From 00b3e649573f7248db43cb16507db06ccf6b5bf3 Mon Sep 17 00:00:00 2001
From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
Date: Thu, 1 Jun 2023 12:25:35 +0200
Subject: [PATCH 01/17] Create SECURITY.md
---
SECURITY.md | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..034e848032
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 5.1.x | :white_check_mark: |
+| 5.0.x | :x: |
+| 4.0.x | :white_check_mark: |
+| < 4.0 | :x: |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.
From da4a9991635f4f33a18d230589319deb601d9259 Mon Sep 17 00:00:00 2001
From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
Date: Thu, 19 Oct 2023 04:36:35 +0200
Subject: [PATCH 02/17] Update issue templates (#11)
---
.github/ISSUE_TEMPLATE/bug_report.md | 38 +++++++++++++++++++++++
.github/ISSUE_TEMPLATE/custom.md | 10 ++++++
.github/ISSUE_TEMPLATE/feature_request.md | 20 ++++++++++++
3 files changed, 68 insertions(+)
create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md
create mode 100644 .github/ISSUE_TEMPLATE/custom.md
create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000000..dd84ea7824
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,38 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. iOS]
+ - Browser [e.g. chrome, safari]
+ - Version [e.g. 22]
+
+**Smartphone (please complete the following information):**
+ - Device: [e.g. iPhone6]
+ - OS: [e.g. iOS8.1]
+ - Browser [e.g. stock browser, safari]
+ - Version [e.g. 22]
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/custom.md b/.github/ISSUE_TEMPLATE/custom.md
new file mode 100644
index 0000000000..48d5f81fa4
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/custom.md
@@ -0,0 +1,10 @@
+---
+name: Custom issue template
+about: Describe this issue template's purpose here.
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 0000000000..bbcbbe7d61
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
From 1f23a284da1e1fc8d21b4960780986b8b05f0d77 Mon Sep 17 00:00:00 2001
From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
Date: Sat, 4 Nov 2023 19:08:04 +0100
Subject: [PATCH 03/17] Create bearer.yml (#13)
Signed-off-by: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
---
.github/workflows/bearer.yml | 39 ++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 .github/workflows/bearer.yml
diff --git a/.github/workflows/bearer.yml b/.github/workflows/bearer.yml
new file mode 100644
index 0000000000..7ddcb09258
--- /dev/null
+++ b/.github/workflows/bearer.yml
@@ -0,0 +1,39 @@
+# This workflow file requires a free account on Bearer.com to manage findings, notifications and more.
+#
+# See https://docs.bearer.com/guides/bearer-cloud/
+
+name: Bearer
+
+on:
+ push:
+ branches: ["development" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["development"]
+ schedule:
+ - cron: '20 4 * * 6'
+
+permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+jobs:
+ bearer:
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout project source
+ - uses: actions/checkout@v3
+ # Scan code using Bearer CLI
+ - name: Run Report
+ id: report
+ uses: bearer/bearer-action@v2
+ with:
+ api-key: ${{ secrets.BEARER_TOKEN }}
+ format: sarif
+ output: results.sarif
+ # Upload SARIF file generated in previous step
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
From f681d045102de28962a47ba6c31b29c0a1eee97d Mon Sep 17 00:00:00 2001
From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
Date: Fri, 22 Dec 2023 04:40:19 +0100
Subject: [PATCH 04/17] Create trivy.yml (#15)
Signed-off-by: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
---
.github/workflows/trivy.yml | 48 +++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000000..23f5a7b565
--- /dev/null
+++ b/.github/workflows/trivy.yml
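Review bot: `uses: bearer/bearer-action@v2` in the `Run Report` step is a mutable tag, whereas the other scanner workflows in this series (trivy, zscan, contrast, snyk, anchore, flawfinder) pin their third-party action to a full commit SHA; this step is handed `secrets.BEARER_TOKEN` and writes to code scanning, so a moved tag changes what runs with that token. Pin it, e.g. `uses: bearer/bearer-action@<commit-sha>  # v2`, and consider doing the same for `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2`, which every workflow in the series references by tag. The same mutable-tag point applies to `microsoft/DevSkim-Action@v1` in the devskim.yml hunk below.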
@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: trivy
+
+on:
+ push:
+ branches: [ "development" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "development" ]
+ schedule:
+ - cron: '21 5 * * 3'
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: Build
+ runs-on: "ubuntu-20.04"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Build an image from Dockerfile
+ run: |
+ docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+ with:
+ image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
From e61aa11d5711f8b987d8f19100565abb580245e3 Mon Sep 17 00:00:00 2001
From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
Date: Sat, 6 Jan 2024 00:30:15 +0100
Subject: [PATCH 05/17] Create devskim.yml (#16)
Signed-off-by: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
---
.github/workflows/devskim.yml | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 .github/workflows/devskim.yml
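Review bot: The `Build an image from Dockerfile` step and `image-ref` still use the template placeholder `docker.io/my-organization/my-app` and assume a `Dockerfile` in the repository root, which nothing in this series adds; if the repository has none (the package.json and yarn.lock hunks later in the series point to a Node/Solidity project) the job fails at `docker build` on every push, pull request and weekly run before Trivy executes. Either replace the placeholder with the project's real image name, or drop the build step and scan the checked-out tree with `scan-type: 'fs'` and `scan-ref: '.'`, which also covers lockfile vulnerabilities without an image. `severity: 'CRITICAL,HIGH'` only filters the report; that is fine for a SARIF upload, but it means the job never gates on findings, which deserves a comment so nobody assumes it does.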
diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
new file mode 100644
index 0000000000..b091b89367
--- /dev/null
+++ b/.github/workflows/devskim.yml
@@ -0,0 +1,34 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: DevSkim
+
+on:
+ push:
+ branches: [ "development" ]
+ pull_request:
+ branches: [ "development" ]
+ schedule:
+ - cron: '40 4 * * 2'
+
+jobs:
+ lint:
+ name: DevSkim
+ runs-on: ubuntu-20.04
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run DevSkim scanner
+ uses: microsoft/DevSkim-Action@v1
+
+ - name: Upload DevSkim scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: devskim-results.sarif
From e2c98149f08856949f1778c67f0a8e0cdcae7143 Mon Sep 17 00:00:00 2001
From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
Date: Thu, 11 Jan 2024 19:47:29 +0100
Subject: [PATCH 06/17] Create zscan.yml (#17)
Signed-off-by: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
---
.github/workflows/zscan.yml | 60 +++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 .github/workflows/zscan.yml
diff --git a/.github/workflows/zscan.yml b/.github/workflows/zscan.yml
new file mode 100644
index 0000000000..9b0852697d
--- /dev/null
+++ b/.github/workflows/zscan.yml
@@ -0,0 +1,60 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) +# and identifies security, privacy, and compliance-related vulnerabilities. ​ +# +# Prerequisites: +# * An active Zimperium zScan account is required. If you are not an existing Zimperium +# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us. +# * Either GitHub Advanced Security (GHAS) or a public repository is required to display +# issues and view the remediation information inside of GitHub code scanning alerts.​ +# +# For additional information and setup instructions +# please visit: https://github.com/Zimperium/zScanMarketplace#readme + +name: "Zimperium zScan" + +on: + push: + branches: [ "development" ] + pull_request: + branches: [ "development" ] + +permissions: + contents: read + +jobs: + zscan: + name: zScan + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Execute gradle build + run: ./gradlew build # Change this to build your mobile application + + - name: Run Zimperium zScan + uses: zimperium/zscanmarketplace@bfc6670f6648d796098c251ccefcfdb98983174d + timeout-minutes: 60 + with: + # REPLACE: Zimperium Client Environment Name + client_env: env_string + # REPLACE: Zimperium Client ID + client_id: id_string + # REPLACE: Zimperium Client Secret + client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }} + # REPLACE: The path to an .ipa or .apk + app_file: app-release-unsigned.apk + + - name: 
Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: Zimperium.sarif
From 4ce34536dc4b03cc2d45f32aa42a723a3227c1de Mon Sep 17 00:00:00 2001
From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
Date: Thu, 11 Jan 2024 19:49:24 +0100
Subject: [PATCH 07/17] Create Sponsor FUNDING.yml (#18)
Signed-off-by: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
---
.github/Sponsor FUNDING.yml | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 .github/Sponsor FUNDING.yml
diff --git a/.github/Sponsor FUNDING.yml b/.github/Sponsor FUNDING.yml
new file mode 100644
index 0000000000..cd443a1971
--- /dev/null
+++ b/.github/Sponsor FUNDING.yml
@@ -0,0 +1,13 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
From 0b41bc17da898640c6a1e32587749d6a93dbb91f Mon Sep 17 00:00:00 2001
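Review bot: Every `# REPLACE:` input is still the template placeholder (`client_env: env_string`, `client_id: id_string`, `app_file: app-release-unsigned.apk`) and the build step is `./gradlew build`, so on each push and pull request to `development` the job fails at the Gradle step unless this repository is a Gradle-built Android app, which the other hunks in the series (package.json, yarn.lock) do not suggest. Fill in the values and the real build command, or remove the workflow until there is a mobile binary to scan. If it is kept, sourcing `client_id` from `secrets` the way `client_secret` already is keeps the tenant identifiers out of the repository.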
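Review bot: GitHub reads sponsor metadata only from `.github/FUNDING.yml`; this file is created as `.github/Sponsor FUNDING.yml` (with a space in the name), so it is never picked up. Every key is also left bare (`github:`, `patreon:`, …), which YAML parses as `null`, so even at the right path the file declares no platform. Either rename it to `.github/FUNDING.yml` and fill in at least one platform, or drop it.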
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 14 Jan 2024 23:42:09 +0100 Subject: [PATCH 08/17] Bump @openzeppelin/contracts from 4.8.1 to 4.9.2 (#6) Bumps [@openzeppelin/contracts](https://github.com/OpenZeppelin/openzeppelin-contracts) from 4.8.1 to 4.9.2. - [Release notes](https://github.com/OpenZeppelin/openzeppelin-contracts/releases) - [Changelog](https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v4.9.2/CHANGELOG.md) - [Commits](https://github.com/OpenZeppelin/openzeppelin-contracts/compare/v4.8.1...v4.9.2) --- updated-dependencies: - dependency-name: "@openzeppelin/contracts" dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com> --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index 69239cd9bb..b1b1ccdd95 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2886,9 +2886,9 @@ "@octokit/openapi-types" "^12.11.0" "@openzeppelin/contracts@^4.8.1": - version "4.8.1" - resolved "https://registry.yarnpkg.com/@openzeppelin/contracts/-/contracts-4.8.1.tgz#709cfc4bbb3ca9f4460d60101f15dac6b7a2d5e4" - integrity sha512-xQ6eUZl+RDyb/FiZe1h+U7qr/f4p/SrTSQcTPH2bjur3C5DbuW/zFgCU/b1P/xcIaEqJep+9ju4xDRi3rmChdQ== + version "4.9.2" + resolved "https://registry.yarnpkg.com/@openzeppelin/contracts/-/contracts-4.9.2.tgz#1cb2d5e4d3360141a17dbc45094a8cad6aac16c1" + integrity sha512-mO+y6JaqXjWeMh9glYVzVu8HYPGknAAnWyxTRhGeckOruyXQMNnlcW6w/Dx9ftLeIQk6N+ZJFuVmTwF7lEIFrg== "@sindresorhus/slugify@^0.8.0": version "0.8.0" From 8ad88cd68094c8ee1316ab22a0dab48adba28a87 Mon Sep 17 00:00:00 2001 
From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
Date: Sat, 20 Jan 2024 11:25:17 +0100
Subject: [PATCH 09/17] fix: package.json to reduce vulnerabilities (#7)
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-SEMVER-3247795
Co-authored-by: snyk-bot
---
package.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 4d135dd4a3..7ab8b24b34 100644
--- a/package.json
+++ b/package.json
@@ -79,12 +79,12 @@
 "coveralls": "^3.0.0",
 "ganache-cli": "6.12.2",
 "husky": "^8.0.3",
- "lerna": "^3.0.0-beta.25",
+ "lerna": "^4.0.0",
 "lint-staged": "^13.1.0",
 "npm-run-all": "^4.1.2",
 "prettier": "2.7.1",
 "prettier-plugin-solidity": "^1.0.0",
- "solhint": "^3.3.7",
+ "solhint": "^3.4.0",
 "solhint-plugin-prettier": "^0.0.5",
 "source-map-support": "^0.5.6",
 "typescript": "4.6.3",
From 551bb4b214a40bb522f7b21b1364ee83a3aa12fc Mon Sep 17 00:00:00 2001
From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
Date: Sat, 20 Jan 2024 11:25:43 +0100
Subject: [PATCH 10/17] Create codeql.yml (#14)
Signed-off-by: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
---
.github/workflows/codeql.yml | 82 ++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000000..d59672730f
--- /dev/null
+++ b/.github/workflows/codeql.yml
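Review bot: The commit says the SNYK-JS-SEMVER-3247795 advisory is fixed by this upgrade, but the diffstat shows only `package.json` changing: `yarn.lock` (touched by patch 08 just above) is not regenerated, so lockfile-driven installs keep the previously resolved `lerna` and `solhint` trees and a `--frozen-lockfile` install is likely to fail on the mismatch. Regenerate and commit `yarn.lock` in the same change so the range bumps actually take effect. The devDependencies block continues before and after the hunk.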
@@ -0,0 +1,82 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "development" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "development" ]
+ schedule:
+ - cron: '21 9 * * 4'
+
+jobs:
+ analyze:
+ name: Analyze
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners
+ # Consider using larger runners for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'javascript-typescript' ]
+ # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
+ # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" From a425da3e716e99d904d87d516d3d418ad7e60ef4 Mon Sep 17 00:00:00 2001 From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com> Date: Sat, 20 Jan 2024 11:26:09 +0100 Subject: [PATCH 11/17] Create SECURITY.md (#4) From a5f07498ff63ee4deb2630d04eec546d8b9e5c8c Mon Sep 17 00:00:00 2001 From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com> Date: Sat, 20 Jan 2024 11:27:50 +0100 Subject: [PATCH 12/17] Create mayhem-for-api.yml (#19) 
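Review bot: The matrix is `language: [ 'javascript-typescript' ]` and the template commentary around it (`We have attempted to detect the languages…`, the commented-out `queries:` line and the manual-build block) is left verbatim, so a reader cannot tell whether the language set was actually reviewed. The supported-languages comment in the hunk does not include Solidity, and package.json in this series carries `solhint` and `prettier-plugin-solidity`, so if the contracts are Solidity this workflow covers only the JS/TS tooling; a comment above `language:` such as `# Solidity sources are outside CodeQL's language support; this analyses JS/TS only` would make that explicit. Consider also enabling `queries: security-extended,security-and-quality` (currently commented out) if the default suite is not what is intended.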
Signed-off-by: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
---
.github/workflows/mayhem-for-api.yml | 66 ++++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
create mode 100644 .github/workflows/mayhem-for-api.yml
diff --git a/.github/workflows/mayhem-for-api.yml b/.github/workflows/mayhem-for-api.yml
new file mode 100644
index 0000000000..b69e24f2c2
--- /dev/null
+++ b/.github/workflows/mayhem-for-api.yml
@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# This workflow starts your API and fuzzes it with ForAllSecure Mayhem for API
+# to find reliability, performance and security issues before they reach
+# production.
+#
+# To use this workflow, you will need to:
+#
+# 1. Create a Mayhem for API account at
+# https://mayhem4api.forallsecure.com/signup
+#
+# 2. Create a service account token `mapi organization service-account create
+# `
+#
+# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN"
+#
+# 4. Update the "Start your API" step to run your API in the background before
+# starting the Mayhem for API scan, and update the `api-url` & `api-spec`
+# field.
+#
+# If you have any questions, please contact us at mayhem4api@forallsecure.com
+
+name: "Mayhem for API"
+
+on:
+ push:
+ branches: [ "development" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "development" ]
+
+jobs:
+ mayhem-for-api:
+ name: Mayhem for API
+ # Mayhem for API runs on linux, mac and windows
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v3
+
+ # Run your API in the background. Ideally, the API would run in debug
+ # mode & send stacktraces back on "500 Internal Server Error" responses
+ # (don't do this in production though!)
+ - name: Start your API + run: ./run_your_api.sh & # <- âœī¸ update this + + - name: Mayhem for API + uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010 + continue-on-error: true + with: + mapi-token: ${{ secrets.MAPI_TOKEN }} + api-url: http://localhost:8080 # <- âœī¸ update this + api-spec: http://localhost:8080/openapi.json # <- âœī¸ update this + duration: 60 + sarif-report: mapi.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: mapi.sarif From 9b6f2eba6e0ccf888610d7ef48232f9fa91d1b92 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 21 Jan 2024 22:18:33 +0100 Subject: [PATCH 13/17] Bump actions/stale from 7 to 8 (#3) Bumps [actions/stale](https://github.com/actions/stale) from 7 to 8. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v7...v8) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com> --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 69b6965c52..0f98b34a15 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -18,7 +18,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v7 + - uses: actions/stale@v8 with: ascending: true # Spend API operations budget on older, more-likely-to-get-closed issues first close-issue-message: "" # Leave no comment when closing From ad0b3426c0551cdd3814f8d404a5a70e1ee1e014 Mon Sep 17 00:00:00 2001 
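Review bot: The `Start your API` step still runs the template `./run_your_api.sh &` with its "update this" marker, and `api-url`/`api-spec` still point at `http://localhost:8080`; no such script is added anywhere in this series, so on each push and pull request the backgrounded command exits without starting anything, the fuzz step is masked by `continue-on-error: true`, and the job then presumably fails at `Upload SARIF file` on a missing `mapi.sarif` rather than on the real cause. Fill in the API start command and spec, or switch the trigger to `workflow_dispatch` until the target exists. `secrets.MAPI_TOKEN` is also not provided to `pull_request` runs from forks, so those runs cannot authenticate regardless.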
From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
Date: Wed, 21 Feb 2024 00:14:01 +0100
Subject: [PATCH 14/17] Create contrast-scan.yml (#20)
Signed-off-by: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
---
.github/workflows/contrast-scan.yml | 53 +++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 .github/workflows/contrast-scan.yml
diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml
new file mode 100644
index 0000000000..7e6a1082e1
--- /dev/null
+++ b/.github/workflows/contrast-scan.yml
@@ -0,0 +1,53 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github.
+# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action.
+# Contrast Scan currently supports Java, JavaScript and .NET artifacts.
+# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action
+
+# Pre-requisites:
+# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action.
+# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER.
+
+on:
+ push:
+ branches: [ "development" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "development" ]
+ schedule:
+ - cron: '32 15 * * 0'
+
+permissions:
+ contents: read
+
+name: Scan analyze workflow
+jobs:
+ build-and-scan:
+ permissions:
+ contents: read # for actions/checkout
+ security-events: write # for github/codeql-action/upload-sarif
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ # check out project
+ steps:
+ - uses: actions/checkout@v3
+ # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here.
+ # -name: Build Project
+ # ...
+ # Scan Artifact
+ - name: Contrast Scan Action
+ uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1
+ with:
+ artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact
+ apiKey: ${{ secrets.CONTRAST_API_KEY }}
+ orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}
+ authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}
+ #Upload the results to GitHub
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output
From 3c6bdbaa6df1d8f9ddf009f568321eace47ae79e Mon Sep 17 00:00:00 2001
From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
Date: Tue, 27 Feb 2024 16:55:54 +0100
Subject: [PATCH 15/17] Create snyk-security.yml (#22)
Signed-off-by: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
---
.github/workflows/snyk-security.yml | 79 +++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
create mode 100644 .github/workflows/snyk-security.yml
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
new file mode 100644
index 0000000000..3b82d95db7
--- /dev/null
+++ b/.github/workflows/snyk-security.yml
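Review bot: The build is only a commented placeholder (`# -name: Build Project` / `# ...`) and `artifact: mypath/target/myartifact.jar` is the template path, so the `Contrast Scan Action` step has nothing to scan and the job fails on every push, pull request and weekly run. Per the header comment Contrast Scan expects a deployable Java, JavaScript or .NET artifact; for this repository that means a real build step producing the artifact and a matching `artifact:` path, or the workflow should be limited to `workflow_dispatch` until one exists. The `# -name: Build Project` line is also missing the space after `-`, so uncommenting it as-is would not be valid step syntax.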
@@ -0,0 +1,79 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code,
+# Snyk Container and Snyk Infrastructure as Code)
+# The setup installs the Snyk CLI - for more details on the possible commands
+# check https://docs.snyk.io/snyk-cli/cli-reference
+# The results of Snyk Code are then uploaded to GitHub Security Code Scanning
+#
+# In order to use the Snyk Action you will need to have a Snyk API token.
+# More details in https://github.com/snyk/actions#getting-your-snyk-token
+# or you can signup for free at https://snyk.io/login
+#
+# For more examples, including how to limit scans to only high-severity issues
+# and fail PR checks, see https://github.com/snyk/actions/
+
+name: Snyk Security
+
+on:
+ push:
+ branches: ["development" ]
+ pull_request:
+ branches: ["development"]
+
+permissions:
+ contents: read
+
+jobs:
+ snyk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Snyk CLI to check for security issues
+ # Snyk can be used to break the build when it detects security issues.
+ # In this case we want to upload the SAST issues to GitHub Code Scanning
+ uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
+
+ # For Snyk Open Source you must first set up the development environment for your application's dependencies
+ # For example for Node
+ #- uses: actions/setup-node@v3
+ # with:
+ # node-version: 16
+
+ env:
+ # This is where you will need to introduce the Snyk API token created with your Snyk account
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ # Runs Snyk Code (SAST) analysis and uploads result into GitHub.
+ # Use || true to not fail the pipeline
+ - name: Snyk Code test
+ run: snyk code test --sarif > snyk-code.sarif # || true
+
+ # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk.
+ - name: Snyk Open Source monitor
+ run: snyk monitor --all-projects
+
+ # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk.
+ # Use || true to not fail the pipeline.
+ - name: Snyk IaC test and report
+ run: snyk iac test --report # || true
+
+ # Build the docker image for testing
+ - name: Build a Docker image
+ run: docker build -t your/image-to-test .
+ # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
+ - name: Snyk Container monitor
+ run: snyk container monitor your/image-to-test --file=Dockerfile
+
+ # Push the Snyk Code results into GitHub Code Scanning tab
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk-code.sarif
From 6c6a955124970c3e49ac78024d946fbd481701eb Mon Sep 17 00:00:00 2001
From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
Date: Wed, 28 Feb 2024 01:23:44 +0100
Subject: [PATCH 16/17] Create anchore.yml (#23)
Signed-off-by: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
---
.github/workflows/anchore.yml | 48 +++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 .github/workflows/anchore.yml
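Review bot: The `env:` block carrying `SNYK_TOKEN` sits under the `Set up Snyk CLI` step exactly as in the upstream template (indentation is lost on this page, so confirm in the file); a step-level `env` is not visible to the subsequent `snyk code test`, `snyk monitor`, `snyk iac test` and `snyk container monitor` steps, which would then run without a token. If that is the layout, move it to the job level (`jobs.snyk.env`). `docker build -t your/image-to-test .` and the `snyk container monitor your/image-to-test` target are still placeholders and assume a root `Dockerfile` that nothing in this series adds; and `snyk monitor --all-projects` / `snyk iac test --report` publish the dependency inventory to the Snyk org on every push and pull request, which is more than a PR check usually needs.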
diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml
new file mode 100644
index 0000000000..ebbd068eb3
--- /dev/null
+++ b/.github/workflows/anchore.yml
@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
+# code scanning feature. For more information on the Anchore scan action usage
+# and parameters, see https://github.com/anchore/scan-action. For more
+# information on Anchore's container image scanning tool Grype, see
+# https://github.com/anchore/grype
+name: Anchore Grype vulnerability scan
+
+on:
+ push:
+ branches: [ "development" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "development" ]
+ schedule:
+ - cron: '44 3 * * 3'
+
+permissions:
+ contents: read
+
+jobs:
+ Anchore-Build-Scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the code
+ uses: actions/checkout@v3
+ - name: Build the Docker image
+ run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+ - name: Run the Anchore Grype scan action
+ uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
+ id: scan
+ with:
+ image: "localbuild/testimage:latest"
+ fail-build: true
+ severity-cutoff: critical
+ - name: Upload vulnerability report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
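Review bot: `fail-build: true` makes the `Run the Anchore Grype scan action` step fail whenever a finding at or above `severity-cutoff: critical` is present, and the following `Upload vulnerability report` step has no `if: always()`, so exactly the runs that find something never upload their SARIF to code scanning. Add `if: always()` to the upload step (or set `fail-build: false` and let code scanning carry the gate). The `docker build . --file Dockerfile` step also assumes a root `Dockerfile`, which nothing in this series adds; if the repository has none the job fails before Grype runs.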
From bd0560a4f85f924da90bdc914dc457b938151d31 Mon Sep 17 00:00:00 2001
From: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
Date: Fri, 1 Mar 2024 17:24:45 +0100
Subject: [PATCH 17/17] Create flawfinder.yml (#24)
Signed-off-by: Sascha Ronnie Daoudia <85792632+Dadudidas@users.noreply.github.com>
---
.github/workflows/flawfinder.yml | 38 ++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 .github/workflows/flawfinder.yml
diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml
new file mode 100644
index 0000000000..09a75da21b
--- /dev/null
+++ b/.github/workflows/flawfinder.yml
@@ -0,0 +1,38 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: flawfinder
+
+on:
+ push:
+ branches: [ "development" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "development" ]
+ schedule:
+ - cron: '29 17 * * 0'
+
+jobs:
+ flawfinder:
+ name: Flawfinder
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: flawfinder_scan
+ uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
+ with:
+ arguments: '--sarif ./'
+ output: 'flawfinder_results.sarif'
+
+ - name: Upload analysis results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{github.workspace}}/flawfinder_results.sarif
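Review bot: Flawfinder analyses C/C++ source only; if this repository has none (the package.json hunk earlier in the series suggests a Node/Solidity project — confirm), `arguments: '--sarif ./'` produces an empty report on every push, pull request and weekly run and the upload step adds nothing to code scanning. Remove the workflow if there is no C/C++ code, or state in a header comment which directories it is meant to cover, e.g. `# Covers the native sources under <dir>; no-op if none are present`.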