Initial commit

.github/dependabot.yaml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "daily"

.github/workflows/naming.yaml

@@ -0,0 +1,28 @@
+name: 'Naming'
+on: pull_request
+
+jobs:
+  check-branch-name:
+    name: Branch-Name
+    runs-on: ubuntu-latest
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      # Check that branch starts with a ticket number
+      # e.g. PAY-123-some_branch_name
+      # master and develop are the only 2 exceptions
+      # see: https://github.com/marketplace/actions/branch-name-rules
+      - uses: deepakputhraya/action-branch-name@master
+        with:
+          regex: '^[A-Z]+-[0-9]+-.*$'
+          ignore: master,develop
+  check-pr-title:
+    name: PR-Title
+    runs-on: ubuntu-latest
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      # Check that PR title starts with a ticket number
+      # e.g. PAY-123: some commit message
+      # see: https://github.com/marketplace/actions/check-pull-request-title
+      - uses: Slashgear/[email protected]
+        with:
+          regexp: '^[A-Z]+-[0-9]+:.*$'

.github/workflows/notification.yaml

@@ -0,0 +1,25 @@
+name: Notification
+on:
+  pull_request:
+    types: [opened, ready_for_review]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  slack:
+    name: Ready For Review
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: kv109/[email protected]
+      env:
+        SLACK_CHANNEL: tech-reviews
+        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_TECH_REVIEWS }}
+        PR_APPROVED_FORMAT: |
+          :verified: *${{ github.event.repository.name }}* pull request *approved* by { review.user.login }: <{ pull_request.html_url }|{ pull_request.title }>
+        PR_READY_FOR_REVIEW_FORMAT: |
+          :github: *${{ github.event.repository.name }}* pull request *opened* by { pull_request.user.login }: <{ pull_request.html_url }|{ pull_request.title }>
+        PR_REJECTED_FORMAT: |
+          :warning: *${{ github.event.repository.name }}* pull request *rejected* by { review.user.login }: <{ pull_request.html_url }|{ pull_request.title }>
+        PR_COMMENTED_FORMAT: |
+          :paperclip: *${{ github.event.repository.name }}* pull request *commented* by { review.user.login }: <{ pull_request.html_url }|{ pull_request.title }>

.github/workflows/semgrep.yaml

@@ -0,0 +1,57 @@
+name: Semgrep
+
+on:
+  # Scan changed files in PRs, block on new issues only (existing issues ignored)
+  pull_request: {}
+
+  # Scan all files on branches, block on any issues
+  push:
+    branches: ["master", "main"]
+
+  # Schedule this job to run at a certain time, using cron syntax
+  # Note that * is a special character in YAML so you have to quote this string
+  # schedule:
+  #   - cron: '30 0 1,15 * *' # scheduled for 00:30 UTC on both the 1st and 15th of the month
+
+jobs:
+  semgrep:
+    name: Scan
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    # Skip any PR created by dependabot to avoid permission issues
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      # Fetch project source
+      - uses: actions/checkout@v3
+
+      - run: semgrep ci
+        # run: semgrep scan --sarif --output=semgrep.sarif
+        env:
+          # more rules at semgrep.dev/explore
+          SEMGREP_RULES: >-
+            .semgrep
+            p/security-audit
+            p/secrets
+            p/supply-chain
+            p/owasp-top-ten
+            p/ci
+            p/r2c-ci
+            p/docker
+            p/dockerfile
+            p/golang
+            p/semgrep-go-correctness
+            p/insecure-transport
+            p/javascript
+            p/kubernetes
+            p/terraform
+          SEMGREP_SEND_METRICS: 0
+          SEMGREP_TIMEOUT: 1800
+          #SEMGREP_BASELINE_REF: master
+
+      # Upload findings to GitHub Advanced Security Dashboard
+      # - name: Upload SARIF file for GitHub Advanced Security Dashboard
+      #   uses: github/codeql-action/upload-sarif@v1
+      #   with:
+      #     sarif_file: semgrep.sarif
+      #   if: always()

.github/workflows/trivy.yaml

@@ -0,0 +1,25 @@
+name: Trivy
+
+on:
+  pull_request: {}
+  push:
+    branches: ["master", "main"]
+
+jobs:
+  build:
+    name: Scan
+    runs-on: ubuntu-latest
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner (filesystem)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'config'
+          scan-ref: '.'
+          hide-progress: false
+          ignore-unfixed: true
+          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+

.gitignore

@@ -0,0 +1,2 @@
+.idea/
+.DS_Store

README.md

@@ -0,0 +1,19 @@
+# Payrails Template Repository
+
+[![Semgrep Badge](https://github.com/payrails/template-repository/actions/workflows/semgrep.yaml/badge.svg?branch=master)](https://github.com/payrails/template-repository/actions/workflows/semgrep.yaml)
+
+### Features
+
+...
+
+### Getting Started
+
+...
+
+### Reporting Vulnerabilities
+
+...
+
+### Contributing
+
+...