
Commit be058bf

committed
add specialized workflows
1 parent 2ec0930 commit be058bf

3 files changed

+42
-12
lines changed

Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
on:
2+
push:
3+
branches:
4+
- main
5+
6+
name: Security
7+
8+
jobs:
9+
sbom-trivy:
10+
runs-on: ubuntu-latest
11+
12+
container:
13+
image: aquasec/trivy:0.67.2
14+
15+
steps:
16+
- run: trivy --version
17+
- uses: actions/checkout@v3
18+
with:
19+
fetch-depth: 0
20+
- run: trivy fs --format cyclonedx --output /tmp/trivy-cyclonedx.json .
21+
- run: apk --no-cache add curl
22+
- run: |
23+
curl -X "POST" "https://dependency-track-sbom.corp.zoo.dev/api/v1/bom" \
24+
-H 'Content-Type: multipart/form-data' \
25+
-H "X-Api-Key: ${{ secrets.DEPENDENCY_TRACK_AUTOMATION_API_KEY }}" \
26+
-F "autoCreate=true" \
27+
-F "projectName=${{ github.repository }}" \
28+
-F "projectVersion=main" \
29+
-F "isLatest=$IS_LATEST" \
30+
-F "bom=@/tmp/trivy-cyclonedx.json"
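Review bot: `$IS_LATEST` in the `isLatest=` form field (new line 29) is never defined — this workflow has no `env:` block at any level — so the request is sent with an empty value and Dependency-Track decides the flag on its own; define it on the step or drop the field. In the same run step curl is invoked without `--fail`, so a rejected upload (invalid key, 4xx/5xx) exits 0 and the job stays green while no SBOM is recorded. The API key is also interpolated straight into the script text via `${{ secrets.DEPENDENCY_TRACK_AUTOMATION_API_KEY }}`; passing it through `env:` and referencing the variable keeps the secret out of the rendered script body (the `"true"` below is a constructed example value). The file name of this new workflow is not shown on the page.
```yaml
      - env:
          IS_LATEST: "true"
          DT_API_KEY: ${{ secrets.DEPENDENCY_TRACK_AUTOMATION_API_KEY }}
        run: |
          curl -sS --fail -X "POST" "https://dependency-track-sbom.corp.zoo.dev/api/v1/bom" \
            -H 'Content-Type: multipart/form-data' \
            -H "X-Api-Key: $DT_API_KEY" \
            # … unchanged: -F autoCreate/projectName/projectVersion/isLatest/bom fields …
```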

.github/workflows/semgrep.yml renamed to .github/workflows/security-pr.yml

Lines changed: 11 additions & 12 deletions
@@ -1,7 +1,7 @@
11
on:
22
pull_request:
33

4-
name: Semgrep scan
4+
name: Security
55

66
jobs:
77
semgrep:
@@ -18,20 +18,19 @@ jobs:
1818
image: semgrep/semgrep
1919

2020
steps:
21-
- run: /usr/bin/jq --version
2221
- uses: actions/checkout@v3
2322
with:
2423
fetch-depth: 0
2524
- run: |
26-
git clone https://github.com/trailofbits/semgrep-rules $HOME/semgrep-rules-tob
27-
git clone https://github.com/semgrep/semgrep-rules $HOME/semgrep-rules
28-
git -C $HOME/semgrep-rules reset --hard 518f71b883d431fa33268844b066033507e7c1b5
29-
git -C $HOME/semgrep-rules-tob reset --hard 3b91c9b622b4a250b144a832ce73091b1f25e207
30-
rm $HOME/semgrep-rules-tob/.github/workflows/update-semgrep-registry.yml
31-
rm $HOME/semgrep-rules/.pre-commit-config.yaml
32-
rm -rf $HOME/semgrep-rules-tob/.github
33-
rm -rf $HOME/semgrep-rules/.github
34-
rm -rf $HOME/semgrep-rules/stats
25+
git clone https://github.com/trailofbits/semgrep-rules $HOME/semgrep-rules-tob
26+
git clone https://github.com/semgrep/semgrep-rules $HOME/semgrep-rules
27+
git -C $HOME/semgrep-rules reset --hard 518f71b883d431fa33268844b066033507e7c1b5
28+
git -C $HOME/semgrep-rules-tob reset --hard 3b91c9b622b4a250b144a832ce73091b1f25e207
29+
rm $HOME/semgrep-rules-tob/.github/workflows/update-semgrep-registry.yml
30+
rm $HOME/semgrep-rules/.pre-commit-config.yaml
31+
rm -rf $HOME/semgrep-rules-tob/.github
32+
rm -rf $HOME/semgrep-rules/.github
33+
rm -rf $HOME/semgrep-rules/stats
3534
- run: git config --global --add safe.directory $(pwd)
3635
- run: |
3736
semgrep scan --config $HOME/semgrep-rules --config $HOME/semgrep-rules-tob \
@@ -43,6 +42,7 @@ jobs:
4342
--exclude="*.html" --exclude="*.js" \
4443
--baseline-commit=${{ github.event.pull_request.base.sha }} \
4544
--json > /tmp/semgrep-results.json || true
45+
- run: /usr/bin/jq --version
4646
- name: Notice
4747
shell: bash
4848
run: |
@@ -65,4 +65,3 @@ jobs:
6565
# sarif_file: /tmp/semgrep-results.sarif
6666
# if: always()
6767

68-
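Review bot: `name: Security` at new line 4 gives this pull_request workflow the same display name as the push-triggered SBOM workflow added in the same commit, so both show up as "Security" in the Actions tab and in branch-protection required-check lists, where a required check of that name becomes ambiguous. Distinct names such as `name: Security (PR scan)` here and `name: Security (SBOM)` in the other file keep them tellable apart; the job ids (`semgrep`, `sbom-trivy`) already differ. The remaining hunks in this file only move the `jq --version` step, re-indent the rule-checkout block and drop a trailing blank line. The parts of the file between the shown hunks are outside this view.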

.gitignore

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
.idea
