diff --git a/.github/workflows/megalinter.yml b/.github/workflows/megalinter.yml
index 44662663..879b8f93 100644
--- a/.github/workflows/megalinter.yml
+++ b/.github/workflows/megalinter.yml
@@ -9,6 +9,7 @@ on:
 - main
 workflow_dispatch:
+
 permissions:
 contents: write
 issues: write
@@ -41,7 +42,7 @@ jobs:
 # MegaLinter
 - name: MegaLinter
 id: ml
- uses: oxsecurity/megalinter/flavors/javascript@v7.13.0
+ uses: oxsecurity/megalinter/flavors/javascript@bacb5f8674e3730b904ca4d20c8bd477bc51b1a7 # pin@v7.13.0
 env:
 VALIDATE_ALL_CODEBASE: true
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -49,7 +50,7 @@ jobs:
 # Upload MegaLinter artifacts
 - name: Archive production artifacts
 if: always()
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # pin@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3
 with:
 name: MegaLinter reports
 path: |
@@ -60,7 +61,7 @@ jobs:
 - name: Create Pull Request with applied fixes
 id: cpr
 if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
- uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # pin@v5
+ uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # pin@v5
 with:
 token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
 commit-message: "[MegaLinter] Apply linters automatic fixes"
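Review bot: The new `actions/upload-artifact` pin is annotated only `# pin@v3`, so a reviewer cannot check that `a8a3f3ad…` is really the commit behind an official v3.x tag, which is what makes a SHA pin trustworthy; scorecard.yml in this same change records the full tag (`# pin@v4.3.4`) and this file should too, e.g. `# pin@v3.1.3` or whatever release the SHA resolves to. The full tag is also what Dependabot and Renovate use to keep the SHA and the comment in step. This workflow stays on upload-artifact v3 while scorecard.yml moves to v4 in the same commit; if that split is deliberate, a short comment saying why would help, since to my knowledge GitHub has announced the retirement of the v3 artifact actions. The job continues past the end of the hunk.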
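Review bot: The re-pinned create-pull-request step still authenticates with `${{ secrets.PAT || secrets.GITHUB_TOKEN }}`, and nothing in the hunk says what that PAT is scoped to; a classic PAT with `repo` scope grants write access to every repository its owner can reach, far more than opening a fix PR needs. Prefer a fine-grained PAT restricted to this repository with only contents and pull-requests write (or a GitHub App installation token), and record the intent beside the line, e.g. `# PAT: fine-grained, this repo only, contents + pull-requests write, so the fix PR triggers CI`. The `if:` guard that rejects fork pull requests is visible and correct. The `with:` block and the job continue past the end of the hunk.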
@@ -87,12 +88,12 @@ jobs:
 - name: Check to see if the SARIF a was generated
 id: sarif_file_exists
- uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # pin@v2
+ uses: andstor/file-existence-action@20b4d2e596410855db8f9ca21e96fbe18e12930b # pin@v2
 with:
 files: "megalinter-reports/megalinter-report.sarif"
 - name: Upload MegaLinter scan results to GitHub Security tab
 if: steps.sarif_file_exists.outputs.files_exists == 'true'
- uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # pin@v2
+ uses: github/codeql-action/upload-sarif@3e0e84636c6f5df46a2cb232ae1dd1384713150d # pin@v2
 with:
 sarif_file: "megalinter-reports/megalinter-report.sarif"
diff --git a/.github/workflows/pa11y.yml b/.github/workflows/pa11y.yml
index 0f86dfeb..a9fc7c46 100644
--- a/.github/workflows/pa11y.yml
+++ b/.github/workflows/pa11y.yml
@@ -1,16 +1,19 @@
+---
 name: Pa11y Testing
-on: [pull_request]
+# yamllint disable-line rule:truthy
+on: [ pull_request ]
 jobs:
 build:
 runs-on: ubuntu-latest
-
+
 steps:
- - uses: actions/checkout@v3
-
+ - name: Checkout repository
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+
 - name: Use Node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # pin@v3
 with:
 node-version: '17.x'
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 48fe6e47..b1c7577d 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
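Review bot: `github/codeql-action/upload-sarif` is re-pinned here to a `# pin@v2` SHA while scorecard.yml in this same commit pins the same action to a v3 SHA, leaving two majors of one action to track; move this step to the v3 SHA used in scorecard.yml and record the full tag in the comment, since to my knowledge GitHub has announced end of support for codeql-action v2. Uploading SARIF needs `security-events: write` on the job or workflow token; the first hunk of this file shows only `contents: write` and `issues: write`, and the rest of the `permissions:` block is outside the diff, so confirm it is present. The gate on `steps.sarif_file_exists.outputs.files_exists == 'true'` is fine. The job ends outside the hunk.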
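Review bot: The rewritten header of pa11y.yml still declares no `permissions:`, so the job runs with the repository's default GITHUB_TOKEN grant although nothing visible in it needs more than read; add `permissions: contents: read` between `on:` and `jobs:`, which is also what the Scorecard Token-Permissions check run by the workflow updated in this same commit looks for. The new `Checkout repository` step leaves `persist-credentials` at its default, so the token is kept in `.git/config` for later steps; scorecard.yml in this change sets `persist-credentials: false` and this step should too. `node-version: '17.x'` is, as far as I recall, a long end-of-life Node line, so confirm it is intended. The job continues past the hunk.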
@@ -1,18 +1,22 @@
+---
 # This workflow uses actions that are not certified by GitHub. They are provided
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
 name: Scorecard supply-chain security
+
+# yamllint disable-line rule:truthy
 on:
 # For Branch-Protection check. Only the default branch is supported. See
 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
- branch_protection_rule:
- # To guarantee Maintained check is occasionally updated. See
+ branch_protection_rule: # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
 schedule:
 - cron: '43 7 * * 3'
 push:
- branches: [ "main" ]
+ branches:
+ - "main"
 # Declare default permissions as read only.
 permissions: read-all
@@ -32,12 +36,12 @@ jobs:
 steps:
 - name: "Checkout code"
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4.1.7
 with:
 persist-credentials: false
 - name: "Run analysis"
- uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # pin@v2.4.0
 with:
 results_file: results.sarif
 results_format: sarif
@@ -59,7 +63,7 @@ jobs:
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
 # format to the repository Actions tab.
 - name: "Upload artifact"
- uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # pin@v4.3.4
 with:
 name: SARIF file
 path: results.sarif
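Review bot: On the new side `branch_protection_rule: # To guarantee Maintained check is occasionally updated. See` attaches a comment that describes the `schedule:` trigger to the `branch_protection_rule:` key, and the `#maintained` link on the following line is left pointing at nothing, so the triggers now read as if they were documented the wrong way round; assuming a formatter did this rather than the author, keep `branch_protection_rule:` alone on its line and restore both comment lines directly above `schedule:`. The block-style `branches:` list with `"main"` quoted is fine. Note that the pin comments later in this file (`# pin@v4.1.7`, `# pin@v2.4.0`) carry the full tag, which is the form the other workflows in this change should adopt.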
@@ -67,6 +71,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+ uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # pin@v3
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 300f0774..91b72554 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,18 +2,19 @@ name: Build and Test
 # yamllint disable-line rule:truthy
-on:
+on:
 pull_request:
+
 jobs:
 build:
 runs-on: ubuntu-latest
-
+
 steps:
- - uses: actions/checkout@v3
-
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+
 - name: Use Node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # pin@v3
 with:
 node-version: '17.x'
@@ -23,5 +24,5 @@ jobs:
 - name: Build site
 run: npm run build
-# - name: Run tests
-# run: npm run test
+# - name: Run tests
+# run: npm run test
diff --git a/.grype.yaml b/.grype.yaml
index 6b7d98fd..3c442f39 100644
--- a/.grype.yaml
+++ b/.grype.yaml
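Review bot: The rewritten header of test.yml, like pa11y.yml, declares no `permissions:`, so the build job inherits the repository's default token grant even though it only checks out and runs `npm run build`; `permissions: contents: read` placed between `on:` and `jobs:` is enough, and it avoids a Token-Permissions finding from the scorecard workflow updated in this same commit. The new checkout step should also pass `persist-credentials: false`, as scorecard.yml does, so the token is not left in `.git/config` for the npm steps. Both new pins here are annotated only `# pin@v3`; record the full tag each SHA resolves to so the pin can be verified against the action's releases. The job continues past the hunk.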
@@ -1,153 +1,12 @@
-# enable/disable checking for application updates on startup
-# same as GRYPE_CHECK_FOR_APP_UPDATE env var
-# check-for-app-update: true
-
-# allows users to specify which image source should be used to generate the sbom
-# valid values are: registry, docker, podman
-# same as GRYPE_DEFAULT_IMAGE_PULL_SOURCE env var
-# default-image-pull-source: ""
-
-# same as --name; set the name of the target being analyzed
-# name: ""
-
-# upon scanning, if a severity is found at or above the given severity then the return code will be 1
-# default is unset which will skip this validation (options: negligible, low, medium, high, critical)
-# same as --fail-on ; GRYPE_FAIL_ON_SEVERITY env var
+---
 fail-on-severity: "high"
-# the output format of the vulnerability report (options: table, json, cyclonedx)
-# same as -o ; GRYPE_OUTPUT env var
-# output: "table"
-
-# suppress all output (except for the vulnerability list)
-# same as -q ; GRYPE_QUIET env var
-# quiet: false
-
-# write output report to a file (default is to write to stdout)
-# same as --file; GRYPE_FILE env var
-# file: ""
-
-# a list of globs to exclude from scanning, for example:
-# exclude:
-# - '/etc/**'
-# - './out/**/*.json'
-# same as --exclude ; GRYPE_EXCLUDE env var
 exclude:
 - './node_modules/**'
 - './.git/**'
 - './.github/**'
 - './_site/**'
-# os and/or architecture to use when referencing container images (e.g. 
"windows/armv6" or "arm64")
-# same as --platform; GRYPE_PLATFORM env var
-# platform: ""
-
-# If using SBOM input, automatically generate CPEs when packages have none
-# add-cpes-if-none: false
-
-# Explicitly specify a linux distribution to use as : like alpine:3.10
-# distro:
-
-# external-sources:
-# enable: false
-# maven:
-# search-upstream-by-sha1: true
-# base-url: https://search.maven.org/solrsearch/select
-
-# db:
- # check for database updates on execution
- # same as GRYPE_DB_AUTO_UPDATE env var
- # auto-update: true
-
- # location to write the vulnerability database cache
- # same as GRYPE_DB_CACHE_DIR env var
- # cache-dir: "$XDG_CACHE_HOME/grype/db"
-
- # URL of the vulnerability database
- # same as GRYPE_DB_UPDATE_URL env var
- # update-url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
-
- # it ensures db build is no older than the max-allowed-built-age
- # set to false to disable check
- # validate-age: true
-
- # Max allowed age for vulnerability database,
- # age being the time since it was built
- # Default max age is 120h (or five days)
- # max-allowed-built-age: "120h"
-
-# search:
- # the search space to look for packages (options: all-layers, squashed)
- # same as -s ; GRYPE_SEARCH_SCOPE env var
- # scope: "squashed"
-
- # search within archives that do contain a file index to search against (zip)
- # note: for now this only applies to the java package cataloger
- # same as GRYPE_PACKAGE_SEARCH_INDEXED_ARCHIVES env var
- # indexed-archives: true
-
- # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
- # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
- # note: for now this only applies to the java package cataloger
- # same as GRYPE_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var
- # unindexed-archives: false
-
-# options when pulling directly from a registry via the "registry:" scheme
-# registry:
- # skip TLS 
verification when communicating with the registry
- # same as GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY env var
- # insecure-skip-tls-verify: false
- # use http instead of https when connecting to the registry
- # same as GRYPE_REGISTRY_INSECURE_USE_HTTP env var
- # insecure-use-http: false
-
- # credentials for specific registries
- # auth:
- # - # the URL to the registry (e.g. "docker.io", "localhost:5000", etc.)
- # same as GRYPE_REGISTRY_AUTH_AUTHORITY env var
- # authority: ""
- # same as GRYPE_REGISTRY_AUTH_USERNAME env var
- # username: ""
- # same as GRYPE_REGISTRY_AUTH_PASSWORD env var
- # password: ""
- # note: token and username/password are mutually exclusive
- # same as GRYPE_REGISTRY_AUTH_TOKEN env var
- # token: ""
- # - ... # note, more credentials can be provided via config file only
-
-# log:
- # use structured logging
- # same as GRYPE_LOG_STRUCTURED env var
- # structured: false
-
- # the log level; note: detailed logging suppress the ETUI
- # same as GRYPE_LOG_LEVEL env var
- # Uses logrus logging levels: https://github.com/sirupsen/logrus#level-logging
- # level: "error"
-
- # location to write the log file (default is not to have a log file)
- # same as GRYPE_LOG_FILE env var
- # file: ""
-
-# match:
- # sets the matchers below to use cpes when trying to find
- # vulnerability matches. The stock matcher is the default
- # when no primary matcher can be identified
- # java:
- # using-cpes: true
- # python:
- # using-cpes: true
- # javascript:
- # using-cpes: true
- # ruby:
- # using-cpes: true
- # dotnet:
- # using-cpes: true
- # golang:
- # using-cpes: true
- # stock:
- # using-cpes: true
-
 ignore:
 # Ignored by default; disputed and unwarranted CVE that causes Megalinter to fail
diff --git a/.markdown-link-check.json b/.markdown-link-check.json
index a7b4c243..afee61b2 100644
--- a/.markdown-link-check.json
+++ b/.markdown-link-check.json
@@ -4,7 +4,7 @@
 "aliveStatusCodes": [200, 203],
 "ignorePatterns": [
 {
- "pattern": "^https?://github.com/ccsq-cqp/"
+ "pattern": "^https?://github.com/"
 }
 ]
 }
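Review bot: Widening the ignore pattern from `^https?://github.com/ccsq-cqp/` to `^https?://github.com/` means the link checker no longer tests any GitHub URL, including links into third-party repositories that get renamed, deleted or handed to a new owner, so dead or hijacked references will now pass silently. If the motivation was rate limiting or private repositories under the organisation, keep the ignore scoped to that organisation and handle 429s with markdown-link-check's `"retryOn429": true` instead. Strict JSON allows no comment, so the reason for the change belongs in the commit message.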