From 43043ef2d1ab6583df6c9c7508c85bb9156bda58 Mon Sep 17 00:00:00 2001
From: Ben Manes
Date: Sun, 24 Mar 2024 12:52:51 -0700
Subject: [PATCH] add actionlint and trivy analyzers

---
 .github/actions/run-gradle/action.yml | 3 +-
 .github/workflows/actionlint.yml | 24 ++++++++++++++++
 .github/workflows/scorecards-analysis.yml | 2 +-
 .github/workflows/spelling.yml | 28 +++++++++++++------
 .github/workflows/trivy.yml | 34 +++++++++++++++++++++++
 gradle/libs.versions.toml | 4 +-
 6 files changed, 83 insertions(+), 12 deletions(-)
 create mode 100644 .github/workflows/actionlint.yml
 create mode 100644 .github/workflows/trivy.yml

diff --git a/.github/actions/run-gradle/action.yml b/.github/actions/run-gradle/action.yml
index 40e08b461f..4c60cd5cab 100644
--- a/.github/actions/run-gradle/action.yml
+++ b/.github/actions/run-gradle/action.yml
@@ -2,7 +2,7 @@ name: Run Gradle
 description: Sets up Gradle JDKs and runs Gradle
 inputs:
   arguments:
-    required: true
+    required: false
     description: Gradle arguments
   java:
     required: true
@@ -83,6 +83,7 @@ runs:
         gradle-home-cache-cleanup: true
         gradle-home-cache-strict-match: true
     - name: Run ${{ inputs.arguments }}
+      if: ${{ env.arguments != '' }}
       env:
         JAVA_HOME: ${{ steps.setup-gradle-jdk.outputs.path }}
         ORG_GRADLE_PROJECT_org.gradle.java.installations.auto-download: 'false'
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 0000000000..98a887f426
--- /dev/null
+++ b/.github/workflows/actionlint.yml
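Review bot: The step condition added in the second action.yml hunk, `if: ${{ env.arguments != '' }}`, tests an environment variable rather than the action input that the first hunk just made optional; unless a caller happens to export an `arguments` env var, `env.arguments` is unset, the comparison is false, and the `Run ${{ inputs.arguments }}` step is skipped even when arguments are passed. The step name on the line above already reads `inputs.arguments`, so the guard should presumably be `if: ${{ inputs.arguments != '' }}`. The step definition continues past the end of the hunk (its `run:` line is not shown), so I could not confirm whether anything else maps the input into `env`.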
@@ -0,0 +1,24 @@
+name: actionlint
+permissions: read-all
+on: [ push, pull_request ]
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: actionlint
+        uses: reviewdog/action-actionlint@c6ee1eb0a5d47b2af53a203652b5dac0b6c4016e # v1.43.0
+        env:
+          SHELLCHECK_OPTS: -e SC2001 -e SC2035 -e SC2046 -e SC2061 -e SC2086 -e SC2156
+        with:
+          reporter: github-check
+          github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
index 5c927b9cc7..4ee6d80da0 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@@ -29,13 +29,13 @@ jobs:
             api.osv.dev:443
             api.securityscorecards.dev:443
             bestpractices.coreinfrastructure.org:443
-            bestpractices.dev:443
             fulcio.sigstore.dev:443
             github.com:443
             oss-fuzz-build-logs.storage.googleapis.com:443
             rekor.sigstore.dev:443
             sigstore-tuf-root.storage.googleapis.com:443
             tuf-repo-cdn.sigstore.dev:443
+            www.bestpractices.dev:443
       - name: Checkout code
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:
diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml
index a1a3cce3ba..1c15f4cd9a 100644
--- a/.github/workflows/spelling.yml
+++ b/.github/workflows/spelling.yml
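Review bot: With the workflow-level `permissions: read-all` and no job-level override, the actionlint step's `reporter: github-check` runs with a read-scoped `GITHUB_TOKEN`, while reviewdog's github-check reporter needs `checks: write` to create the check run; the trivy job in this same commit grants `checks: write` although it appears not to use reviewdog, so the grant may be on the wrong job — verify that the check is actually created rather than silently degraded. If reviewdog's defaults are left in place (`fail_on_error: false`, `filter_mode: added`), findings are advisory and limited to changed lines, so a workflow defect would not fail the build; `fail_on_error: true` and `filter_mode: nofilter` under `with:` restore a hard gate. Excluding SC2086 in `SHELLCHECK_OPTS` disables the unquoted-expansion check that matters most for `run:` steps that interpolate `${{ }}` values; quoting in the offending scripts is preferable to a blanket exclusion. The permission and default-mode points apply equally to the new misspell job in spelling.yml, where the previous `./misspell -error .` step did fail the job.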
@@ -3,8 +3,25 @@ permissions: read-all
 on: [ push, pull_request ]
 
 jobs:
-  spellcheck:
-    name: Check spelling
+  misspell:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Misspell
+        uses: reviewdog/action-misspell@32cdac969bc45951d79b89420a60c9b0102cf6ed # v1.16.0
+        with:
+          reporter: github-check
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  typos:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
@@ -15,11 +32,6 @@ jobs:
           allowed-endpoints: >
             github.com:443
             objects.githubusercontent.com:443
-            raw.githubusercontent.com:443
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - name: Install
-        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b .
-      - name: Spell Check with Misspell
-        run: ./misspell -error .
-      - name: Spell Check with Typos
+      - name: Typos
         uses: crate-ci/typos@bcafd462cb07ef7ba57e34abf458fe20767e808b # v1.19.0
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000000..cacebc5a4f
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,34 @@
+name: trivy
+permissions: read-all
+on: [ push, pull_request ]
+
+jobs:
+  trivy:
+    runs-on: ubuntu-20.04
+    permissions:
+      checks: write
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            ghcr.io:443
+            github.com:443
+            pkg-containers.githubusercontent.com:443
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          format: sarif
+          output: trivy-results.sarif
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          sarif_file: trivy-results.sarif
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index d940a94bb0..6ffc2c83da 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -1,5 +1,5 @@
 [versions]
-asm = "9.6"
+asm = "9.7"
 auto-value = "1.10.4"
 awaitility = "4.2.1"
 bcel = "6.8.2"
@@ -33,7 +33,7 @@ felix-framework = "7.0.5"
 felix-scr = "2.2.10"
 findsecbugs = "1.13.0"
 flip-tables = "1.1.1"
-forbidden-apis = "3.6"
+forbidden-apis = "3.7"
 google-java-format = "1.21.0"
 guava = "33.1.0-jre"
 guice = "6.0.0"
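Review bot: `uses: aquasecurity/trivy-action@master` is the one mutable action reference in this commit, while every other step is pinned to a full commit SHA with a version comment; a floating branch lets any future change to that repository run with this job's `security-events: write` token and will also be flagged by the scorecards workflow's pinned-dependency check, so pin it the same way, e.g. `uses: aquasecurity/trivy-action@<commit-sha-of-a-tagged-release> # v<tag>`. The job-level `checks: write` does not appear to be used by either the scan or `upload-sarif` (which needs the `security-events: write` already granted) and can likely be dropped to keep the token minimal. `runs-on: ubuntu-20.04` also differs from the `ubuntu-latest` used by the other workflows added here; if there is no specific reason for the older image, aligning them avoids depending on a runner image the rest of the repository is not exercising.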