-
Notifications
You must be signed in to change notification settings - Fork 65
89 lines (79 loc) · 2.62 KB
/
analysis.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# Copyright 2020 Wayback Archiver. All rights reserved.
# Use of this source code is governed by the GNU GPL v3
# license that can be found in the LICENSE file.
name: "Analysis"
on:
push:
branches:
- main
- develop
pull_request:
branches: [ main ]
schedule:
- cron: '33 23 * * 4'
# Declare default permissions as read only.
permissions: read-all
jobs:
scorecards:
name: Scorecards
uses: wabarc/.github/.github/workflows/reusable-scorecards.yml@main
if: |
github.event_name == 'pull_request' ||
github.ref == 'refs/heads/main'
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Used to receive a badge. (Upcoming feature)
id-token: write
actions: read
contents: read
codeql:
name: CodeQL
permissions:
security-events: write
actions: read
contents: read
strategy:
fail-fast: false
matrix:
language: [ 'go' ]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
# Learn more:
# https://docs.github.com/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
uses: wabarc/.github/.github/workflows/reusable-codeql.yml@main
with:
language: ${{ matrix.language }}
config-file: './.github/codeql/codeql-config.yml'
egress-policy: audit
nancy:
name: Sonatype Nancy
uses: wabarc/.github/.github/workflows/reusable-nancy.yml@main
semgrep:
name: Semgrep Scan
if: github.actor != 'dependabot[bot]'
uses: wabarc/.github/.github/workflows/reusable-semgrep.yml@main
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
actions: read
contents: read
fossa:
if: github.event_name != 'pull_request'
name: FOSSA
uses: wabarc/.github/.github/workflows/reusable-fossa.yml@main
secrets:
fossa-apikey: ${{ secrets.FOSSA_APIKEY }}
dependency-review:
name: Dependency Review
uses: wabarc/.github/.github/workflows/reusable-dependency-review.yml@main
trivy:
name: Trivy
uses: wabarc/.github/.github/workflows/reusable-trivy.yml@main
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
#actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
with:
scan-type: 'fs'
sarif: 'filesystem.sarif'
egress-policy: audit