chore(deps): Update execution environments (patch) #850
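---
# KICS (Keeping Infrastructure as Code Secure) scan of the repository.
# The SARIF report is checked with gitleaks before it is uploaded anywhere,
# so that a finding which quotes a secret does not leak it via the artifact
# or the code-scanning dashboard.
name: 'KICS'

on: # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - 'main'
  push:
    branches:
      - 'main'
  workflow_dispatch: {}
  schedule:
    - cron: '43 18 * * 4'

# Workflow-wide token permissions are read-only; the job widens them explicitly.
permissions: 'read-all'

env:
  # gitleaks image to use to check files prior to uploading them to prevent sensitive data being leaked.
  # Pinned by digest so the scanner cannot change underneath the tag.
  # yamllint disable rule:line-length
  # renovate image dep:
  gitleaks-image: 'ghcr.io/gitleaks/gitleaks:v8.19.2@sha256:7e84fe0c55c5e46b15d7137ee4531f286023dad3c696935758b010c4317ff69b'
  # yamllint enable rule:line-length

jobs:
  analysis:
    name: 'KICS analysis'
    runs-on: 'ubuntu-22.04'
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: 'write'
      # NOTE(review): id-token write lets the job mint OIDC tokens. The original
      # comment refers to a publish_results step that does not exist in this
      # workflow; confirm this permission is still required, else drop it.
      id-token: 'write'
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read
    steps:
      - name: 'Harden Runner'
        uses: 'step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7' # v2.10.1
        with:
          # Deny all egress except the endpoints listed below.
          egress-policy: 'block'
          disable-sudo: true
          allowed-endpoints: >
            api.github.com:443
            ghcr.io:443
            github.com:443
            kics.io:443
            packages.wolfi.dev:443
            pkg-containers.githubusercontent.com:443
            registry.npmjs.org:443

      - name: 'Checkout the repository'
        uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # v4.1.7
        with:
          # Do not leave the token in .git/config for later steps (and docker) to read.
          persist-credentials: false

      - name: 'Create results directory'
        shell: 'bash'
        run: |
          # fail if:
          # - a variable is unbound
          # - any command fails
          # - a command in a pipe fails
          # - a command in a sub-shell fails
          set -Eeuo pipefail
          # enable debug if runner runs in debug
          # (runner.debug is empty on normal runs, which [[ -ne ]] treats as 0)
          [[ "${{ runner.debug }}" -ne 1 ]] || {
            echo "INFO: Enabling bash trace";
            set -x;
          };
          mkdir -p results

      - name: 'Run KICS scan'
        uses: 'checkmarx/kics-github-action@530ac1f8efe6202b0f12c9a6e952597ae707b755' # v2.1.2
        with:
          path: './'
          output_path: 'results'
          # Scan options (queries, severities, fail_on, ...) live in the repo config.
          config_path: './kics.config'
          output_formats: 'sarif'

      # Fixed typo in the step name (was "resulits.sarif").
      - name: 'Scan results/results.sarif to ensure it contains no secrets'
        shell: 'bash'
        run: |
          # fail if:
          # - a variable is unbound
          # - any command fails
          # - a command in a pipe fails
          # - a command in a sub-shell fails
          set -Eeuo pipefail
          # enable debug if runner runs in debug
          [[ "${{ runner.debug }}" -ne 1 ]] || {
            echo "INFO: Enabling bash trace";
            set -x;
          };
          # Only the SARIF file is mounted, read-only, so the scanner sees nothing
          # else from the workspace and cannot modify it. A non-zero exit covers
          # both a gitleaks finding and a failure to run the scanner (e.g. image
          # pull blocked by the egress policy), so the message names both.
          docker run -v ./results/results.sarif:/scan:ro "${{ env.gitleaks-image }}" detect --source "/scan" --no-git || {
            echo "ERROR: gitleaks reported a finding or failed to run; failing workflow";
            exit 1;
          };

      # NOTE(review): the two upload steps have no `if:` condition, so they are
      # skipped whenever the KICS step itself fails (behaviour depends on the
      # fail_on setting in kics.config) — confirm that is the intended outcome.
      - name: 'Upload artifact'
        uses: 'actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874' # v4.4.0
        with:
          name: 'SARIF file'
          path: 'results/results.sarif'
          retention-days: 5

      - name: 'Upload to code-scanning'
        uses: 'github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d' # v3.26.7
        with:
          sarif_file: 'results/results.sarif'
...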