selcukhaltas
2 years ago
committed by
GitHub
2 changed files with 77 additions and 31 deletions
@ -0,0 +1,77 @@ |
|||||
|
# This workflow uses actions that are not certified by GitHub. |
||||
|
# They are provided by a third-party and are governed by |
||||
|
# separate terms of service, privacy policy, and support |
||||
|
# documentation. |
||||
|
|
||||
|
name: Synopsys Intelligent Security Scan |
||||
|
|
||||
|
on: |
||||
|
push: |
||||
|
branches: [ "patch-1" ] |
||||
|
pull_request: |
||||
|
# The branches below must be a subset of the branches above |
||||
|
branches: [ "patch-1" ] |
||||
|
schedule: |
||||
|
- cron: '25 9 * * 1' |
||||
|
|
||||
|
jobs: |
||||
|
analyze: |
||||
|
name: Analyze |
||||
|
runs-on: ubuntu-latest |
||||
|
permissions: |
||||
|
actions: read |
||||
|
contents: read |
||||
|
security-events: write |
||||
|
|
||||
|
steps: |
||||
|
- name: Checkout repository |
||||
|
uses: actions/checkout@v3 |
||||
|
|
||||
|
- name: Synopsys Intelligent Security Scan |
||||
|
id: prescription |
||||
|
uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 |
||||
|
with: |
||||
|
ioServerUrl: ${{secrets.IO_SERVER_URL}} |
||||
|
ioServerToken: ${{secrets.IO_SERVER_TOKEN}} |
||||
|
workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} |
||||
|
additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} |
||||
|
stage: "IO" |
||||
|
|
||||
|
# Please note that the ID in previous step was set to prescription |
||||
|
# in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN |
||||
|
# is defined in settings |
||||
|
- name: Static Analysis with Polaris |
||||
|
if: ${{steps.prescription.outputs.sastScan == 'true' }} |
||||
|
run: | |
||||
|
export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} |
||||
|
export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} |
||||
|
wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip |
||||
|
unzip -j polaris_cli-linux64.zip -d /tmp |
||||
|
/tmp/polaris analyze -w |
||||
|
|
||||
|
# Please note that the ID in previous step was set to prescription |
||||
|
# in order for this logic to work |
||||
|
- name: Software Composition Analysis with Black Duck |
||||
|
if: ${{steps.prescription.outputs.scaScan == 'true' }} |
||||
|
uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38 |
||||
|
with: |
||||
|
args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' |
||||
|
|
||||
|
- name: Synopsys Intelligent Security Scan |
||||
|
if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} |
||||
|
uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 |
||||
|
with: |
||||
|
ioServerUrl: ${{secrets.IO_SERVER_URL}} |
||||
|
ioServerToken: ${{secrets.IO_SERVER_TOKEN}} |
||||
|
workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} |
||||
|
additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} |
||||
|
--polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} |
||||
|
--blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} |
||||
|
stage: "WORKFLOW" |
||||
|
|
||||
|
- name: Upload SARIF file |
||||
|
if: ${{steps.prescription.outputs.sastScan == 'true' }} |
||||
|
uses: github/codeql-action/upload-sarif@v2 |
||||
|
with: |
||||
|
# Path to SARIF file relative to the root of the repository |
||||
|
sarif_file: workflowengine-results.sarif.json |
@ -1,31 +0,0 @@ |
|||||
Thanks for helping make GitHub safe for everyone. |
|
||||
|
|
||||
## Security |
|
||||
|
|
||||
GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub). |
|
||||
|
|
||||
Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation. |
|
||||
|
|
||||
## Reporting Security Issues |
|
||||
|
|
||||
If you believe you have found a security vulnerability in any GitHub-owned repository, please report it to us through coordinated disclosure. |
|
||||
|
|
||||
**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** |
|
||||
|
|
||||
Instead, please send an email to opensource-security[@]github.com. |
|
||||
|
|
||||
Please include as much of the information listed below as you can to help us better understand and resolve the issue: |
|
||||
|
|
||||
* The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting) |
|
||||
* Full paths of source file(s) related to the manifestation of the issue |
|
||||
* The location of the affected source code (tag/branch/commit or direct URL) |
|
||||
* Any special configuration required to reproduce the issue |
|
||||
* Step-by-step instructions to reproduce the issue |
|
||||
* Proof-of-concept or exploit code (if possible) |
|
||||
* Impact of the issue, including how an attacker might exploit the issue |
|
||||
|
|
||||
This information will help us triage your report more quickly. |
|
||||
|
|
||||
## Policy |
|
||||
|
|
||||
See [GitHub's Safe Harbor Policy](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor) |
|
Loading…
Reference in new issue