add actions for zizmor and scorecard

Author: maxammann

.github/actions/scorecard-action/action.yml

@@ -0,0 +1,14 @@
+name: 'Scorecard Scan'
+description: 'Run OSSF scorecard'
+runs:
+  using: 'composite'
+  steps:
+    - name: "Run scorecard"
+      uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
+      with:
+        results_file: results.sarif
+        results_format: sarif
+        publish_results: false
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      shell: bash

.github/actions/semgrep-action/action.yml

@@ -0,0 +1,47 @@
+name: 'Semgrep Scan'
+description: 'Run Semgrep scan with custom rules and output results'
+runs:
+  using: 'composite'
+  steps:
+    - name: "Fetch semgrep rules"
+      run: |
+        git clone https://github.com/trailofbits/semgrep-rules $HOME/semgrep-rules-tob
+        git clone https://github.com/semgrep/semgrep-rules $HOME/semgrep-rules
+        git -C $HOME/semgrep-rules reset --hard 518f71b883d431fa33268844b066033507e7c1b5
+        git -C $HOME/semgrep-rules-tob reset --hard 3b91c9b622b4a250b144a832ce73091b1f25e207
+        rm $HOME/semgrep-rules-tob/.github/workflows/update-semgrep-registry.yml
+        rm $HOME/semgrep-rules/.pre-commit-config.yaml
+        rm -rf $HOME/semgrep-rules-tob/.github
+        rm -rf $HOME/semgrep-rules/.github
+        rm -rf $HOME/semgrep-rules/stats
+      shell: bash
+    - name: "Setup git repo"
+      run: git config --global --add safe.directory $(pwd)
+      shell: bash
+    - name: "Run semgrep"
+      run: |
+        semgrep scan --config $HOME/semgrep-rules --config $HOME/semgrep-rules-tob \
+          --metrics=off --experimental \
+          --exclude-rule=third-party-action-not-pinned-to-commit-sha \
+          --exclude-rule=jsx-not-internationalized \
+          --severity=WARNING \
+          --severity=ERROR \
+          --exclude="*.html" --exclude="*.js" \
+          --baseline-commit=${{ github.event.pull_request.base.sha }} \
+          --json > /tmp/semgrep-results.json || true
+      shell: bash
+    - name: Show results in PR
+      run: |
+        /usr/bin/jq -r '.results[]
+          | . + {
+              severity: (
+                if .extra.severity == "WARNING" then "warning"
+                elif .extra.severity == "ERROR" then "error"
+                else "notice"
+                end
+              )
+            }
+          | "::\(.severity) file=\(.path),line=\(.start.line),col=\(.start.col),endLine=\(.end.line),endColumn=\(.end.col),title=\(.check_id)::\((.extra.message
+              | gsub("[^a-zA-Z0-9 .]"; "")
+          ))"' /tmp/semgrep-results.json
+      shell: bash

.github/actions/zizmor-action/action.yml

@@ -0,0 +1,19 @@
+name: 'Zizmor Scan'
+description: 'Install uv and run zizmor scan with custom config'
+runs:
+  using: 'composite'
+  steps:
+    - name: Install the latest version of uv
+      uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41
+    - name: Run zizmor 🌈
+      run: |
+        cat <<EOF > zizmor.yml
+        rules:
+          unpinned-uses:
+            disable: true
+        EOF
+        uvx zizmor --format=github --config=zizmor.yml .
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      shell: bash
+

.github/workflows/security-default-branch.yml

@@ -4,6 +4,8 @@ on:
     secrets:
       DEPENDENCY_TRACK_AUTOMATION_API_KEY:
         required: true
+      GH_TOKEN:
+        required: true
   push:
     branches:
       - main
@@ -16,23 +18,53 @@ permissions:
 jobs:
   sbom-trivy:
     runs-on: ubuntu-latest
-
     container:
       image: aquasec/trivy:0.67.2
-
     steps:
       - run: trivy --version
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
+          persist-credentials: false
       - run: trivy fs --format cyclonedx --output /tmp/trivy-cyclonedx.json .
       - run: apk --no-cache add curl
       - run: |
           curl -X "POST" "https://dependency-track-sbom.corp.zoo.dev/api/v1/bom" \
                -H 'Content-Type: multipart/form-data' \
                 -H "X-Api-Key: ${{ secrets.DEPENDENCY_TRACK_AUTOMATION_API_KEY }}" \
                -F "autoCreate=true" \
-               -F "projectName=${{ github.repository }}" \
-               -F "projectVersion=${{ github.ref_name }}" \
+               -F "projectName=$PROJECT_NAME" \
+               -F "projectVersion=$PROJECT_VERSION" \
                -F "isLatest=$IS_LATEST" \
                -F "bom=@/tmp/trivy-cyclonedx.json"
+        env:
+          PROJECT_NAME: ${{ github.repository }}
+          PROJECT_VERSION: ${{ github.ref_name }}
+
+  semgrep:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: ./.github/actions/semgrep-action
+
+  zizmor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: ./.github/actions/zizmor-action
+
+  scorecard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: ./.github/actions/scorecard-action
+

.github/workflows/security-pr.yml

@@ -8,8 +8,8 @@ permissions:
 
 jobs:
   semgrep:
-    # Skip any PR created by dependabot to avoid permission issues:
-    if: (github.actor != 'dependabot[bot]')
+    ## Skip any PR created by dependabot to avoid permission issues:
+    #if: (github.actor != 'dependabot[bot]')
     name: semgrep-oss/scan
     runs-on: ubuntu-latest
     permissions:
@@ -24,47 +24,6 @@ jobs:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - run: |
-          git clone https://github.com/trailofbits/semgrep-rules $HOME/semgrep-rules-tob
-          git clone https://github.com/semgrep/semgrep-rules $HOME/semgrep-rules
-          git -C $HOME/semgrep-rules reset --hard 518f71b883d431fa33268844b066033507e7c1b5
-          git -C $HOME/semgrep-rules-tob reset --hard 3b91c9b622b4a250b144a832ce73091b1f25e207
-          rm $HOME/semgrep-rules-tob/.github/workflows/update-semgrep-registry.yml
-          rm $HOME/semgrep-rules/.pre-commit-config.yaml
-          rm -rf $HOME/semgrep-rules-tob/.github
-          rm -rf $HOME/semgrep-rules/.github
-          rm -rf $HOME/semgrep-rules/stats
-      - run: git config --global --add safe.directory $(pwd)
-      - run: |
-          semgrep scan --config $HOME/semgrep-rules --config $HOME/semgrep-rules-tob \
-            --metrics=off --experimental \
-            --exclude-rule=third-party-action-not-pinned-to-commit-sha \
-            --exclude-rule=jsx-not-internationalized \
-            --severity=WARNING \
-            --severity=ERROR \
-            --exclude="*.html" --exclude="*.js" \
-            --baseline-commit=${{ github.event.pull_request.base.sha }} \
-            --json > /tmp/semgrep-results.json || true
-      - run: /usr/bin/jq --version
-      - name: Notice
-        shell: bash
-        run: |
-          /usr/bin/jq -r '.results[]
-            | . + {
-                severity: (
-                  if .extra.severity == "WARNING" then "warning"
-                  elif .extra.severity == "ERROR" then "error"
-                  else "notice"
-                  end
-                )
-              }
-            | "::\(.severity) file=\(.path),line=\(.start.line),col=\(.start.col),endLine=\(.end.line),endColumn=\(.end.col),title=\(.check_id)::\((.extra.message
-                | gsub("[^a-zA-Z0-9 .]"; "")
-            ))"' /tmp/semgrep-results.json
-  #    - name: Upload SARIF file
-  #      uses: github/codeql-action/upload-sarif@v2
-  #      with:
-  #        # Path to SARIF file relative to the root of the repository
-  #        sarif_file: /tmp/semgrep-results.sarif
-  #      if: always()
+          persist-credentials: false
+      - uses: ./.github/actions/semgrep-action
 

.github/workflows/security-testing-pr.yml

@@ -11,27 +11,13 @@ jobs:
     name: zizmor
     runs-on: ubuntu-latest
     permissions:
-      security-events: write # needed for SARIF uploads
       contents: read # only needed for private repos
       actions: read # only needed for private repos
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
         with:
+          fetch-depth: 0
           persist-credentials: false
-
-      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
-
-      - name: Run zizmor 🌈
-        run: |
-          cat <<EOF > zizmor.yml
-          rules:
-            unpinned-uses:
-              disable: true
-          EOF
-        
-          uvx zizmor --format=github --config=zizmor.yml .
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
+      - uses: ./.github/actions/zizmor-action
+        with: {}