From 5367d210cb5b79dfd50b710ce36382e352145dc1 Mon Sep 17 00:00:00 2001
From: Petr Ruzicka
Date: Sun, 11 Feb 2024 06:05:20 +0100
Subject: [PATCH] feat(gh): add default GitHub repo files (#147)

---
 .checkov.yml | 3 +++
 .github/workflows/mega-linter.yml | 1 +
 .github/workflows/vuepress-build.yml | 2 +-
 .gitignore | 8 ++++++++
 .lycheeignore | 2 +-
 .mega-linter.yml | 6 ++----
 .mlc_config.json | 5 ++++-
 .trivyignore.yaml | 16 ++++++++++------
 8 files changed, 30 insertions(+), 13 deletions(-)
 create mode 100644 .checkov.yml

diff --git a/.checkov.yml b/.checkov.yml
new file mode 100644
index 0000000..f7e2b0f
--- /dev/null
+++ b/.checkov.yml
@@ -0,0 +1,3 @@
+skip-check:
+ # The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty
+ - CKV_GHA_7
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
index 58bde51..e6aab5f 100644
--- a/.github/workflows/mega-linter.yml
+++ b/.github/workflows/mega-linter.yml
@@ -33,6 +33,7 @@ jobs:
 # Extract: ```bash ... ```
 sed -n "/^ \`\`\`\(bash\|shell\)$/,/^ \`\`\`$/p" "${FILE}" | sed '/^ ```*/d; s/^ //' >> README.sh
 done
+ ls -la README.sh
 chmod a+x README.sh
 - name: 💡 MegaLinter
diff --git a/.github/workflows/vuepress-build.yml b/.github/workflows/vuepress-build.yml
index 44b6bfc..f675737 100644
--- a/.github/workflows/vuepress-build.yml
+++ b/.github/workflows/vuepress-build.yml
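Review bot: The comment above `- CKV_GHA_7` repeats the check's own description and gives no reason why this repository accepts the skip, and the upstream reference that the old `.mega-linter.yml` comment carried (`# Issue: https://github.com/bridgecrewio/checkov/issues/3839`) is dropped by this commit instead of being moved here. Keep that issue link on the line above the description so the suppression stays traceable from the file that now owns it. If the workflows do declare `workflow_dispatch` inputs, one sentence on why that is acceptable here would let a reviewer judge the skip without following the link.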
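Review bot: `ls -la README.sh` is diagnostic output added to the CI step with no comment saying what it is for; if it is meant as a sanity check that the extracted script exists, say so, e.g. `# Sanity check: the extracted README.sh must exist` above the new line. On a GitHub Actions `run` step this command presumably already fails the job when README.sh is missing, one line earlier than `chmod a+x README.sh` would have, so the visible effect is only the listing in the log. The `run` step this belongs to starts before the hunk.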
@@ -43,7 +43,7 @@ jobs:
 with:
 url: ${{ steps.pages.outputs.base_url }}
 pages_path: .
- cmd_params: '--exclude=(mylabs.dev) --buffer-size=8192 --max-connections-per-host=5 --color=always --rate-limit=5 --header="User-Agent:Mozilla" --skip-tls-verification'
+ cmd_params: '--exclude=(mylabs.dev|localhost) --buffer-size=8192 --max-connections-per-host=5 --color=always --rate-limit=5 --header="User-Agent:Mozilla" --skip-tls-verification'
 - name: Deploy
 uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
diff --git a/.gitignore b/.gitignore
index 8baa4bf..6b47d60 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,11 @@ README.sh
 # demo-magic.sh script
 demo-magic.sh
+
+# Terraform files
+.terraform*
+*.tfstate*
+crash.log
+
+# nohup output
+nohup.out
diff --git a/.lycheeignore b/.lycheeignore
index 09f9664..44bd86f 100644
--- a/.lycheeignore
+++ b/.lycheeignore
@@ -1 +1 @@
-.*.mylabs.dev
+mylabs.dev
diff --git a/.mega-linter.yml b/.mega-linter.yml
index a768b6b..24bf598 100644
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
@@ -1,7 +1,7 @@
 # Configuration file for MegaLinter
 # See all available variables at https://megalinter.io/latest/configuration/ and in linters documentation
-BASH_SHFMT_ARGUMENTS: --indent 2 --space-redirects
+BASH_SHFMT_ARGUMENTS: --case-indent --indent 2 --space-redirects
 DISABLE_LINTERS:
 - MARKDOWN_MARKDOWN_LINK_CHECK # Using lychee instead
@@ -26,9 +26,7 @@ PRINT_ALPACA: false
 # Disable creating report directory
 REPORT_OUTPUT_FOLDER: none
-# Issue: https://github.com/bridgecrewio/checkov/issues/3839
-# The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty
-REPOSITORY_CHECKOV_ARGUMENTS: --skip-check CKV_GHA_7
+REPOSITORY_CHECKOV_ARGUMENTS: --quiet
 # Do not leave debug code in production, Insecure URL
 REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS162092,DS137138
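Review bot: The rewritten `cmd_params` line passes `--exclude=(mylabs.dev|localhost)` as an unanchored regex with unescaped dots, so any URL whose text merely contains `localhost` or `mylabs<any character>dev` is skipped by the link check, and the same unescaped-dot patterns are introduced in the `.lycheeignore` (`mylabs.dev`) and `.mlc_config.json` (`(http|https)://.*mylabs.dev`, `(http|https)://localhost`) hunks. Escape the dots (`mylabs\.dev`) and, if lychee matches the pattern against the full URL as it appears to, anchor it to the scheme and host so unrelated links are still checked. The line also still carries `--skip-tls-verification`, which makes a linked site with an expired or mismatched certificate count as reachable; if one host needs it, a comment naming that host would justify keeping it. The step this `with:` block belongs to starts before the hunk.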
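Review bot: Replacing `--skip-check CKV_GHA_7` with `--quiet` moves the suppression into the new `.checkov.yml`, which only keeps working if the checkov run inside MegaLinter picks that file up from its working directory; if it does not, CKV_GHA_7 findings reappear with nothing in this file saying where the skip went. A pointer keeps the two files linked, e.g. `# Skipped checks are listed in .checkov.yml` above `REPOSITORY_CHECKOV_ARGUMENTS: --quiet`. `--quiet` itself only hides passed checks from the report, so failures stay visible.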
diff --git a/.mlc_config.json b/.mlc_config.json
index 76c045d..06247a4 100644
--- a/.mlc_config.json
+++ b/.mlc_config.json
@@ -1,7 +1,10 @@
 {
 "ignorePatterns": [
 {
- "pattern": "(https|http)://.*mylabs.dev"
+ "pattern": "(http|https)://.*mylabs.dev"
+ },
+ {
+ "pattern": "(http|https)://localhost"
 }
 ]
 }
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
index 30a04d0..f8e349e 100644
--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -1,13 +1,17 @@
 vulnerabilities:
- # │ glob-parent │ CVE-2020-28469 │ HIGH │ fixed │ 3.1.0 │ 5.1.2 │ Regular expression denial of service │
+ # │ glob-parent │ CVE-2020-28469 │ HIGH │ fixed │ 3.1.0 │ 5.1.2 │ Regular expression denial of service │
 - id: CVE-2020-28469
- # │ json5 │ CVE-2022-46175 │ HIGH │ fixed │ 0.5.1 │ 2.2.2, 1.0.2 │ json5: Prototype Pollution in JSON5 via Parse Method │
+ # │ json5 │ CVE-2022-46175 │ HIGH │ fixed │ 0.5.1 │ 2.2.2, 1.0.2 │ json5: Prototype Pollution in JSON5 via Parse Method │
 - id: CVE-2022-46175
- # │ loader-utils │ CVE-2022-37601 │ CRITICAL │ fixed │ 0.2.17 │ 2.0.3, 1.4.1 │ loader-utils: prototype pollution in function parseQuery in │
+ # │ loader-utils │ CVE-2022-37601 │ CRITICAL │ fixed │ 0.2.17 │ 2.0.3, 1.4.1 │ loader-utils: prototype pollution in function parseQuery in │
 - id: CVE-2022-37601
- # │ node-forge │ CVE-2022-24771 │ HIGH │ fixed │ 0.10.0 │ 1.3.0 │ node-forge: Signature verification leniency in checking │
+ # │ node-forge │ CVE-2022-24771 │ HIGH │ fixed │ 0.10.0 │ 1.3.0 │ node-forge: Signature verification leniency in checking │
 - id: CVE-2022-24771
- # │ node-forge │ CVE-2022-24772 │ HIGH │ fixed │ 0.10.0 │ 1.3.0 │ node-forge: Signature verification failing to check tailing │
+ # │ node-forge │ CVE-2022-24772 │ HIGH │ fixed │ 0.10.0 │ 1.3.0 │ node-forge: Signature verification failing to check tailing │
 - id: CVE-2022-24772
- # │ nth-check │ CVE-2021-3803 │ HIGH │ fixed │ 1.0.2 │ 2.0.1 │ inefficient regular expression complexity │
+ # │ nth-check │ CVE-2021-3803 │ HIGH │ fixed │ 1.0.2 │ 2.0.1 │ inefficient regular expression complexity │
 - id: CVE-2021-3803
+ # | ip │ CVE-2023-42282 │ HIGH │ affected │ 1.1.8 │ │ An issue in NPM IP Package v.1.1.8 and before allows an │
+ - id: CVE-2023-42282
+ # │ normalize-url │ CVE-2021-33502 │ HIGH │ fixed │ 4.5.0 │ 4.5.1, 5.3.1, 6.0.1 │ ReDoS for data URLs │
+ - id: CVE-2021-33502
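Review bot: Both new ignore entries are added with no `statement` or `expired_at`, so the suppressions are open-ended and record no reason in the file; the `normalize-url` row itself lists fixed versions (4.5.1, 5.3.1, 6.0.1), so that finding is closed by an upgrade rather than an ignore, while the `ip` row is marked `affected` with no fixed version, which is the case an ignore is meant for. For the entries that stay, record the reason and a revisit date in the fields Trivy's YAML ignore file provides, e.g. `  - id: CVE-2023-42282` followed by `    statement: "<reason for accepting this finding>"` and `    expired_at: "<YYYY-MM-DD>"`. The new `# | ip` comment also uses an ASCII pipe where every other row uses `│`, which breaks the shared column layout of these comments.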