Skip to content

chore(deps): Update sscheib/ansible-role-file_deployment-jekyll to v24.12.25 #1621

chore(deps): Update sscheib/ansible-role-file_deployment-jekyll to v24.12.25

chore(deps): Update sscheib/ansible-role-file_deployment-jekyll to v24.12.25 #1621

Workflow file for this run

---
name: 'KICS'
on: # yamllint disable-line rule:truthy
pull_request:
branches:
- 'main'
push:
branches:
- 'main'
workflow_dispatch: {}
schedule:
- cron: '43 18 * * 4'
permissions: 'read-all'
env:
# gitleaks image to use to check files prior to uploading them to prevent sensitive data being leaked
# yamllint disable rule:line-length
# renovate image dep:
gitleaks-image: 'ghcr.io/gitleaks/gitleaks:v8.22.0@sha256:9c008fc701d3a0a2a15b77a7677b940e2e5942e8af8cc2a0b6e078c4365c3c86'
# yamllint enable rule:line-length
jobs:
analysis:
name: 'KICS analysis'
runs-on: 'ubuntu-24.04'
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: 'write'
# Needed to publish results and get a badge (see publish_results below).
id-token: 'write'
# Uncomment the permissions below if installing in a private repository.
# contents: read
# actions: read
steps:
- name: 'Harden Runner'
uses: 'step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f' # v2.10.2
with:
egress-policy: 'block'
disable-sudo: true
allowed-endpoints: >
api.github.com:443
ghcr.io:443
github.com:443
kics.io:443
packages.wolfi.dev:443
pkg-containers.githubusercontent.com:443
registry.npmjs.org:443
- name: 'Checkout the repository'
uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # v4.2.2
with:
persist-credentials: false
- name: 'Create results directory'
shell: 'bash'
run: |
# fail if:
# - a variable is unbound
# - any command fails
# - a command in a pipe fails
# - a command in a sub-shell fails
set -Eeuo pipefail
# enable debug if runner runs in debug
[[ "${{ runner.debug }}" -ne 1 ]] || {
echo "INFO: Enabling bash trace";
set -x;
};
mkdir -p results
- name: 'Run KICS scan'
uses: 'checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16' # v2.1.3
with:
path: './'
output_path: 'results'
config_path: './kics.config'
output_formats: 'sarif'
- name: 'Scan results/resulits.sarif to ensure it contains no secrets'
shell: 'bash'
run: |
# fail if:
# - a variable is unbound
# - any command fails
# - a command in a pipe fails
# - a command in a sub-shell fails
set -Eeuo pipefail
# enable debug if runner runs in debug
[[ "${{ runner.debug }}" -ne 1 ]] || {
echo "INFO: Enabling bash trace";
set -x;
};
docker run -v ./results/results.sarif:/scan "${{ env.gitleaks-image }}" detect --source "/scan" --no-git || {
echo "ERROR: Secret found, failing workflow";
exit 1;
};
- name: 'Upload artifact'
uses: 'actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b' # v4.5.0
with:
name: 'SARIF file'
path: 'results/results.sarif'
retention-days: 5
- name: 'Upload to code-scanning'
uses: 'github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169' # v3.28.0
with:
sarif_file: 'results/results.sarif'
...