diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 3bc62cf3..da7a9803 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -9,50 +9,50 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
-name: "CodeQL"
-
-on:
- push:
- branches: [ "main" ]
- pull_request:
- branches: [ "main" ]
- schedule:
- - cron: '30 16 * * 2'
-
-jobs:
- analyze:
- name: Analyze
- # Runner size impacts CodeQL analysis time. To learn more, please see:
- # - https://gh.io/recommended-hardware-resources-for-running-codeql
- # - https://gh.io/supported-runners-and-hardware-resources
- # - https://gh.io/using-larger-runners
- # Consider using larger runners for possible analysis time improvements.
- runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
- timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
- permissions:
- actions: read
- contents: read
- security-events: write
-
- strategy:
- fail-fast: false
- matrix:
- language: [ 'javascript-typescript', 'python' ]
- # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
- # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
- # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
- # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: ${{ matrix.language }}
- # If you wish to specify custom queries, you can do so here or in a config file.
+#name: "CodeQL"
+#
+#on:
+# push:
+# branches: [ "main" ]
+# pull_request:
+# branches: [ "main" ]
+# schedule:
+# - cron: '30 16 * * 2'
+#
+#jobs:
+# analyze:
+# name: Analyze
+# # Runner size impacts CodeQL analysis time. 
To learn more, please see:
+# # - https://gh.io/recommended-hardware-resources-for-running-codeql
+# # - https://gh.io/supported-runners-and-hardware-resources
+# # - https://gh.io/using-larger-runners
+# # Consider using larger runners for possible analysis time improvements.
+# runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+# timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+# permissions:
+# actions: read
+# contents: read
+# security-events: write
+#
+# strategy:
+# fail-fast: false
+# matrix:
+# language: [ 'javascript-typescript', 'python' ]
+# # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
+# # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
+# # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+# # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+#
+# steps:
+# - name: Checkout repository
+# uses: actions/checkout@v4
+#
+# # Initializes the CodeQL tools for scanning.
+# - name: Initialize CodeQL
+# uses: github/codeql-action/init@v3
+# with:
+# languages: ${{ matrix.language }}
+# # If you wish to specify custom queries, you can do so here or in a config file.
 # By default, queries listed here will override any specified in a config file.
 # Prefix the list here with "+" to use these queries and those in the config file.
@@ -62,8 +62,8 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
 # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+# - name: Autobuild
+# uses: github/codeql-action/autobuild@v3
 # ℹī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
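Review bot: A workflow file that consists only of `#` lines is not a clean way to switch CodeQL off: the new side of this hunk, the `-62,8` and `-75,7` hunks below and the `devskim.yml` hunk all leave files under `.github/workflows/` with no `on:` and no `jobs:`, and as far as I can tell GitHub still parses those files and reports them as invalid workflows in the Actions tab rather than ignoring them. If scanning is meant to stop, `git rm` (or moving the files out of the directory) is cleaner and the history remains for a later revert; if it is temporary, the reason and the re-enable condition belong at the top of the file, e.g. `# CodeQL temporarily disabled: <reason> -- re-enable when <condition>`, because the commit otherwise drops the repository's CodeQL and DevSkim SARIF uploads without a trace of why. Any branch-protection rule that requires the `Analyze` or `DevSkim` checks will also start blocking merges once these workflows stop reporting.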
@@ -75,7 +75,7 @@ jobs:
 # echo "Run, Build Application using script"
 # ./location_of_script_within_repo/buildscript.sh
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
- with:
- category: "/language:${{matrix.language}}"
+# - name: Perform CodeQL Analysis
+# uses: github/codeql-action/analyze@v3
+# with:
+# category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
index 35166dbd..a22c81c9 100644
--- a/.github/workflows/devskim.yml
+++ b/.github/workflows/devskim.yml
@@ -3,32 +3,32 @@
 # separate terms of service, privacy policy, and support
 # documentation.
-name: DevSkim
+#name: DevSkim
-on:
- push:
- branches: [ "main" ]
- pull_request:
- branches: [ "main" ]
- schedule:
- - cron: '20 12 * * 5'
+#on:
+# push:
+# branches: [ "main" ]
+# pull_request:
+# branches: [ "main" ]
+# schedule:
+# - cron: '20 12 * * 5'
-jobs:
- lint:
- name: DevSkim
- runs-on: ubuntu-20.04
- permissions:
- actions: read
- contents: read
- security-events: write
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
+# jobs:
+# lint:
+# name: DevSkim
+# runs-on: ubuntu-20.04
+# permissions:
+# actions: read
+# contents: read
+# security-events: write
+# steps:
+# - name: Checkout code
+# uses: actions/checkout@v4
- - name: Run DevSkim scanner
- uses: microsoft/DevSkim-Action@v1.0.11
+# - name: Run DevSkim scanner
+# uses: microsoft/DevSkim-Action@v1.0.11
- - name: Upload DevSkim scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: devskim-results.sarif
\ No newline at end of file
+# - name: Upload DevSkim scan results to GitHub Security tab
+# uses: github/codeql-action/upload-sarif@v2
+# with:
+# sarif_file: devskim-results.sarif
\ No newline at end of file
diff --git a/.github/workflows/kubescape.yml b/.github/workflows/kubescape.yml
index b2b8493f..72262cf6 100644
--- a/.github/workflows/kubescape.yml
+++ b/.github/workflows/kubescape.yml
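Review bot: The comment prefix in the new side of the `devskim.yml` hunk is inconsistent: `+#name: DevSkim` and `+#on:` put the top-level key directly after `#`, while `+# jobs:` puts a space first, so whoever restores this workflow by stripping the leading `#` gets `jobs:` indented one column further than `on:` and the file will not parse as YAML; `+#jobs:` keeps all three top-level keys aligned. The file also still ends without a trailing newline (`\ No newline at end of file` survives on the new side), which this edit could have fixed at no cost. The same commented-out treatment is applied to `codeql.yml` above, and the concern about leaving comment-only workflow files in place applies to this file too.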
@@ -1,5 +1,8 @@
 name: Kubescape scanning for misconfigurations
 on: [push, pull_request]
+permissions:
+ security-events: write
+ contents: read
 jobs:
 kubescape:
 runs-on: ubuntu-latest
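Review bot: The added workflow-level `permissions` block is the right least-privilege shape for a job that uploads SARIF, but nothing in the file says why these two scopes exist, and a one-line comment above it would stop the next editor from widening or removing it, e.g. `# security-events: write lets the results step upload SARIF to code scanning; contents: read is all checkout needs`. The `kubescape` job's steps start outside this hunk, so I cannot see whether the upload is guarded; on `pull_request` runs from forks the GITHUB_TOKEN stays read-only regardless of this block, so an unconditional upload step will fail there and an `if:` that skips forked-PR runs is worth considering. If this repository is private, the upload-sarif action also documents needing `actions: read`, which the CodeQL and DevSkim workflows disabled in this same commit did grant in their own `permissions` blocks.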