Merge pull request #1 from eu-digital-identity-wallet/feature/secinte…
…grations

added codeowners functionality + security integrations
pinamiranda authored Feb 7, 2024
2 parents ed0d811 + a7805a0 commit 99779f1
Showing 5 changed files with 2,353 additions and 0 deletions.
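--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @eu-digital-identity-wallet/niscy-admins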
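--- a/.github/workflows/dependencycheck.yml
+++ b/.github/workflows/dependencycheck.yml
@@ -0,0 +1,29 @@
+name: SCA - Dependency-Check
+on:
+push:
+workflow_dispatch:
+
+jobs:
+Dependency_check:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+- name: Depcheck Action - SCA
+uses: dependency-check/Dependency-Check_Action@main
+id: Depcheck
+with:
+project: '${{ github.repository }}'
+path: '.'
+format: 'HTML'
+out: 'reports' # this is the default, no need to specify unless you wish to override it
+args: >
+--enableRetired
+--enableExperimental
+- name: Upload results - SCA
+uses: actions/upload-artifact@master
+with:
+name: Depcheck report
+path: ${{github.workspace}}/reports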
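Review bot: Both third-party actions in this job are pinned to moving branches — `dependency-check/Dependency-Check_Action@main` and `actions/upload-artifact@master` — so the code that runs inside a security scan changes whenever those branches do; the same applies to `actions/upload-artifact@v3` in gitleaks.yml and `SonarSource/sonarcloud-github-action@master` in sonar.yml. Pin each `uses:` to a full commit SHA with the release noted in a trailing comment, e.g. `uses: actions/upload-artifact@<commit-sha>  # vX.Y.Z`, so a force-pushed or compromised upstream branch cannot silently alter what the scanner does with the repository contents. None of the three workflows declares a top-level `permissions:` block, so each job receives the repository's default token scope; a checkout-and-upload job needs only `permissions: contents: read`. The trailing comment on `out: 'reports'` says the value is the default, so that line could simply be dropped.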
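--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,27 @@
+name: Secret Scanning - Gitleaks
+on:
+push:
+workflow_dispatch:
+
+jobs:
+Secret-Scanning:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+
+- name: Run Gitleaks from container
+run: |
+docker create --name GL --entrypoint /bin/bash --interactive --volume ${{ github.workspace }}:/src zricethezav/gitleaks
+docker start GL
+docker exec GL git config --global --add safe.directory '/src'
+docker exec --user $(id -u):$(id -g) GL gitleaks detect --source=/src --verbose -c /src/security/gitleaks/gitleaks.toml --report-path /src/gitleaks-report.json
+continue-on-error: true
+
+- name: upload_artifacts
+uses: actions/upload-artifact@v3
+with:
+name: Gitleaks Artifact Upload
+path: ${{ github.workspace }}/gitleaks-report.json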
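Review bot: `continue-on-error: true` on the "Run Gitleaks from container" step means a detected secret never fails the workflow, and no later step reads `gitleaks-report.json` to turn findings into a failure, so the scan is advisory only despite being wired to every push. gitleaks already exits non-zero when it finds leaks, so removing `continue-on-error: true` (or adding a step that fails when the report is non-empty) is enough to make it a gate. The JSON report contains the matched secret values themselves and is then uploaded as an artifact readable by anyone with access to the run, so `--redact` belongs on the `gitleaks detect` invocation to keep the report useful without republishing the secret. Separately, `zricethezav/gitleaks` carries no image tag and therefore resolves to `latest`, and the `git config --global` call runs as root while the scan runs as `$(id -u):$(id -g)`, so the `safe.directory` entry presumably lands in a config file the scanning user never reads — worth confirming against a run log before relying on it.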
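--- a/.github/workflows/sonar.yml
+++ b/.github/workflows/sonar.yml
@@ -0,0 +1,62 @@
+name: SAST - SonarCloud
+on:
+push:
+pull_request_target:
+workflow_dispatch:
+
+jobs:
+check_secret:
+name: Check secret presence
+runs-on: ubuntu-latest
+steps:
+- run: if [[ -z "$SONAR_TOKEN" ]]; then exit 1; else echo "Secret exists. The workflow will be continued"; fi
+env:
+SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+P_WD_analysis:
+name: SAST - SonarCloud - Push/WD analysis
+needs: check_secret
+runs-on: ubuntu-latest
+if: (github.event_name == 'push'|| github.event_name == 'workflow_dispatch')
+steps:
+- name: Checkout action
+uses: actions/checkout@v4
+with:
+fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+- name: setup projectkey
+run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV
+- name: SonarCloud Scan - Action
+uses: SonarSource/sonarcloud-github-action@master
+with:
+args: >
+-Dsonar.organization=${{ github.repository_owner }}
+-Dsonar.projectKey=${{ env.PROJECTKEY }}
+env:
+GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} # Needed to get PR information, if any
+SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+PR_analysis:
+name: SAST- SonarCloud - PR analysis
+needs: check_secret
+runs-on: ubuntu-latest
+if: (github.event_name == 'pull_request_target')
+steps:
+- name: Checkout action
+uses: actions/checkout@v4
+with:
+fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+ref: ${{ github.event.pull_request.head.sha }}
+- name: setup projectkey
+run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV
+- name: SonarCloud Scan - Action
+uses: SonarSource/sonarcloud-github-action@master
+with:
+args: >
+-Dsonar.organization=${{ github.repository_owner }}
+-Dsonar.projectKey=${{ env.PROJECTKEY }}
+-Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
+-Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }}
+-Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}
+env:
+GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} # Needed to get PR information, if any
+SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}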
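Review bot: The `PR_analysis` job is triggered by `pull_request_target` and then checks out `github.event.pull_request.head.sha`, so the tree of a fork pull request is checked out into a job that has `secrets.SONAR_TOKEN` and `secrets.GH_TOKEN` in its environment and a write-capable default token; that is the combination GitHub's own hardening guidance warns against, because whatever the contributor placed in the checked-out tree is processed by the scanner under those privileges. Either switch this job to the `pull_request` event (fork PRs then run with a read-only token and no secrets) or keep `pull_request_target` but restrict it with `if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name == github.repository`, so only same-repository branches reach the privileged path. `github.event.pull_request.head.ref` is also expression-expanded unquoted into `args:`; on a fork PR that branch name is chosen by the contributor, and how the action hands `args` to the scanner is not visible here, so it deserves to be passed through an `env:` variable rather than interpolated into the command line. `check_secret` is a sensible gate, but a `permissions:` block is still missing, as in the other two workflows.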