selcukhaltas
2 years ago
committed by
GitHub
GitHub
2 changed files with 77 additions and 31 deletions
@ -0,0 +1,77 @@ |
|||
# This workflow uses actions that are not certified by GitHub. |
|||
# They are provided by a third-party and are governed by |
|||
# separate terms of service, privacy policy, and support |
|||
# documentation. |
|||
|
|||
name: Synopsys Intelligent Security Scan |
|||
|
|||
on: |
|||
push: |
|||
branches: [ "patch-1" ] |
|||
pull_request: |
|||
# The branches below must be a subset of the branches above |
|||
branches: [ "patch-1" ] |
|||
schedule: |
|||
- cron: '25 9 * * 1' |
|||
|
|||
jobs: |
|||
analyze: |
|||
name: Analyze |
|||
runs-on: ubuntu-latest |
|||
permissions: |
|||
actions: read |
|||
contents: read |
|||
security-events: write |
|||
|
|||
steps: |
|||
- name: Checkout repository |
|||
uses: actions/checkout@v3 |
|||
|
|||
- name: Synopsys Intelligent Security Scan |
|||
id: prescription |
|||
uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 |
|||
with: |
|||
ioServerUrl: ${{secrets.IO_SERVER_URL}} |
|||
ioServerToken: ${{secrets.IO_SERVER_TOKEN}} |
|||
workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} |
|||
additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} |
|||
stage: "IO" |
|||
|
|||
# Please note that the ID in previous step was set to prescription |
|||
# in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN |
|||
# is defined in settings |
|||
- name: Static Analysis with Polaris |
|||
if: ${{steps.prescription.outputs.sastScan == 'true' }} |
|||
run: | |
|||
export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} |
|||
export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} |
|||
wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip |
|||
unzip -j polaris_cli-linux64.zip -d /tmp |
|||
/tmp/polaris analyze -w |
|||
|
|||
# Please note that the ID in previous step was set to prescription |
|||
# in order for this logic to work |
|||
- name: Software Composition Analysis with Black Duck |
|||
if: ${{steps.prescription.outputs.scaScan == 'true' }} |
|||
uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38 |
|||
with: |
|||
args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' |
|||
|
|||
- name: Synopsys Intelligent Security Scan |
|||
if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} |
|||
uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 |
|||
with: |
|||
ioServerUrl: ${{secrets.IO_SERVER_URL}} |
|||
ioServerToken: ${{secrets.IO_SERVER_TOKEN}} |
|||
workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} |
|||
additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} |
|||
--polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} |
|||
--blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} |
|||
stage: "WORKFLOW" |
|||
|
|||
- name: Upload SARIF file |
|||
if: ${{steps.prescription.outputs.sastScan == 'true' }} |
|||
uses: github/codeql-action/upload-sarif@v2 |
|||
with: |
|||
# Path to SARIF file relative to the root of the repository |
|||
sarif_file: workflowengine-results.sarif.json |
|||
@ -1,31 +0,0 @@ |
|||
Thanks for helping make GitHub safe for everyone. |
|||
|
|||
## Security |
|||
|
|||
GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub). |
|||
|
|||
Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation. |
|||
|
|||
## Reporting Security Issues |
|||
|
|||
If you believe you have found a security vulnerability in any GitHub-owned repository, please report it to us through coordinated disclosure. |
|||
|
|||
**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** |
|||
|
|||
Instead, please send an email to opensource-security[@]github.com. |
|||
|
|||
Please include as much of the information listed below as you can to help us better understand and resolve the issue: |
|||
|
|||
* The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting) |
|||
* Full paths of source file(s) related to the manifestation of the issue |
|||
* The location of the affected source code (tag/branch/commit or direct URL) |
|||
* Any special configuration required to reproduce the issue |
|||
* Step-by-step instructions to reproduce the issue |
|||
* Proof-of-concept or exploit code (if possible) |
|||
* Impact of the issue, including how an attacker might exploit the issue |
|||
|
|||
This information will help us triage your report more quickly. |
|||
|
|||
## Policy |
|||
|
|||
See [GitHub's Safe Harbor Policy](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor) |
|||
Loading…
Reference in new issue