From 538d7457575bda66e820a77a50a44ac1983f810e Mon Sep 17 00:00:00 2001 From: catborise Date: Wed, 14 Oct 2020 16:15:28 +0300 Subject: [PATCH 1/2] add code analysis for security --- .github/workflows/codeql-analysis.yml | 70 +++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 00000000..937aa06f --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,70 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +name: "CodeQL" + +on: + push: + branches: [master] + pull_request: + branches-ignore: [master] + schedule: + - cron: '0 21 * * 3' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + # Override automatic language detection by changing the below list + # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python'] + language: ['javascript', 'python'] + # Learn more... + # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + with: + # We must fetch at least the immediate parents so that if this is + # a pull request then we can checkout the head. + fetch-depth: 2 + + # If this run was triggered by a pull request event, then checkout + # the head of the pull request instead of the merge commit. + - run: git checkout HEAD^2 + if: ${{ github.event_name == 'pull_request' }} + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v1 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 \ No newline at end of file From e792f08e55c90778e5236a63a291c419589484f7 Mon Sep 17 00:00:00 2001 From: catborise Date: Wed, 14 Oct 2020 16:21:05 +0300 Subject: [PATCH 2/2] fix superlinter dependencies & others --- .github/workflows/linter.yml | 53 +++++++++++++++++++++++++----------- 1 file changed, 37 insertions(+), 16 deletions(-) diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 8182f1ac..01ceee7e 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -1,34 +1,56 @@ -# This is a basic workflow to help you get started with Actions +########################### +########################### +## Linter GitHub Actions ## +########################### +########################### -name: linter +name: Lint Code Base -# Controls when the action will run. Triggers the workflow on push or pull request -# events but only for the master branch +# +# Documentation: +# https://help.github.com/en/articles/workflow-syntax-for-github-actions +# + +############################# +# Start the job on all push # +############################# on: push: - branches: [ '*' ] + branches: [master] pull_request: - branches: [ master ] + branches-ignore: [master] + -# A workflow run is made up of one or more jobs that can run sequentially or in parallel +############### +# Set the Job # +############### jobs: - # This workflow contains a single job called "build" build: - # The type of runner that the job will run on + name: Lint Code Base + # Set the agent to run on runs-on: ubuntu-latest - # Steps represent a sequence of tasks that will be executed as part of the job + ################## + # Load all steps # + ################### steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@master + ########################## + # Checkout the code base # + ########################## + - name: Checkout Code + uses: actions/checkout@v2 + with: + # Full git history is needed to get a proper list of changed files within `super-linter` + fetch-depth: 0 + - name: Set up Python uses: actions/setup-python@v2 with: python-version: '3.x' - - name: install libvirt-dev + - name: Install Required packages run: | - sudo apt-get install -y libvirt-dev + sudo apt-get install -y libvirt-dev python3-lxml zlib1g-dev libxslt1-dev - name: Install dependencies run: | python3 -m pip install --upgrade pip @@ -39,8 +61,8 @@ jobs: - name: Lint Code Base uses: docker://github/super-linter:latest env: - FILTER_REGEX_EXCLUDE: .*[static|scss]/.* DEFAULT_BRANCH: master + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_ANSIBLE: false VALIDATE_CLOJURE: false VALIDATE_COFFEE: false @@ -55,5 +77,4 @@ jobs: VALIDATE_RUBY: false VALIDATE_TSX: false VALIDATE_TERRAFORM: false -