From 26ee9a7a55d162eabacd2ba388c38d1d781ea368 Mon Sep 17 00:00:00 2001 From: Wes Dean Date: Fri, 19 Jul 2024 09:04:38 -0400 Subject: [PATCH 1/6] Initial import of MegaLinter configuration --- .github/workflows/megalinter.yml | 98 +++++++++++++++++++ .gitleaks.toml | 21 +++++ .grype.yaml | 155 +++++++++++++++++++++++++++++++ .markdown-link-check.json | 10 ++ .markdownlint.yaml | 27 ++++++ .mega-linter.yml | 52 +++++++++++ .pre-commit-config.yaml | 43 +++++++++ .trufflehogignore | 1 + .yamllint.yaml | 10 ++ 9 files changed, 417 insertions(+) create mode 100644 .github/workflows/megalinter.yml create mode 100644 .gitleaks.toml create mode 100644 .grype.yaml create mode 100644 .markdown-link-check.json create mode 100644 .markdownlint.yaml create mode 100644 .mega-linter.yml create mode 100644 .pre-commit-config.yaml create mode 100644 .trufflehogignore create mode 100644 .yamllint.yaml diff --git a/.github/workflows/megalinter.yml b/.github/workflows/megalinter.yml new file mode 100644 index 00000000..3b1bbf63 --- /dev/null +++ b/.github/workflows/megalinter.yml 
@@ -0,0 +1,98 @@ +--- +name: MegaLinter + +# yamllint disable-line rule:truthy +on: + # Triggers mega-linter when a pull_request event's activity type is opened, synchronize, or reopened by default. + pull_request: + branches: + - main + workflow_dispatch: + +permissions: + contents: write + issues: write + pull-requests: write + +env: + # Comment env block if you do not want to apply fixes + # Apply linter fixes configuration + APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) + APPLY_FIXES_EVENT: all # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all) + APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) + +concurrency: + group: ${{ github.ref }}-${{ github.workflow }} + cancel-in-progress: true + +jobs: + build: + name: MegaLinter + runs-on: ubuntu-latest + permissions: write-all + steps: + # Git Checkout + - name: Checkout Code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 + with: + token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} + fetch-depth: 0 + + # MegaLinter + - name: MegaLinter + id: ml + uses: oxsecurity/megalinter/flavors/javascript@v7.13.0 + env: + VALIDATE_ALL_CODEBASE: true + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # Upload MegaLinter artifacts + - name: Archive production artifacts + if: always() + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # pin@v3 + with: + name: MegaLinter reports + path: | + megalinter-reports + megalinter-reports/megalinter.log + + # Create pull request if applicable (for now works only on PR from same repository, not from forks) + - name: Create Pull Request with applied fixes + id: cpr + if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 
'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) + uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # pin@v5 + with: + token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} + commit-message: "[MegaLinter] Apply linters automatic fixes" + title: "[MegaLinter] Apply linters automatic fixes" + labels: bot + - name: Create PR output + if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) + run: | + echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" + echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" + + # Push new commit if applicable (for now works only on PR from same repository, not from forks) + - name: Prepare commit + if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) + run: sudo chown -Rc $UID .git/ + - name: Commit and push applied linter fixes + if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) + uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # pin@v5 + with: + branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }} + commit_message: "[MegaLinter] Apply linters fixes" + commit_user_name: megalinter-bot + commit_user_email: nicolas.vuillamy@ox.security + + 
- name: Check to see if the SARIF a was generated + id: sarif_file_exists + uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # pin@v2 + with: + files: "megalinter-reports/megalinter-report.sarif" + + - name: Upload MegaLinter scan results to GitHub Security tab + if: steps.sarif_file_exists.outputs.files_exists == 'true' + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # pin@v2 + with: + sarif_file: "megalinter-reports/megalinter-report.sarif" diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 00000000..6e3de8c9 --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,21 @@ + +title = "gitleaks config" + +[extend] +# useDefault will extend the base configuration with the default gitleaks config: +# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml +useDefault = true + +[allowlist] + description = "Allowlisted files" + paths = [ + '''.automation/test''', + '''megalinter-reports''', + '''.github/linters''', + '''node_modules''', + '''.mypy_cache''', + '''(.*?)gitleaks\.toml$''', + '''(?i)(.*?)(png|jpeg|jpg|gif|doc|docx|pdf|bin|xls|xlsx|pyc|zip)$''', + '''(go.mod|go.sum)$'''] + + diff --git a/.grype.yaml b/.grype.yaml new file mode 100644 index 00000000..6b7d98fd --- /dev/null +++ b/.grype.yaml 
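Review bot: `permissions: write-all` on the `build` job hands the job token every write scope GitHub offers and overrides the narrower top-level block, on a workflow that runs for `pull_request` events. The only scope the top-level block lacks for the steps shown is `security-events: write`, which the `upload-sarif` step needs, so the job-level line can be replaced with an explicit `permissions: { contents: write, pull-requests: write, security-events: write }` and tightened further whenever fixes are not being pushed. Separately, `commit_user_email: nicolas.vuillamy@ox.security` is the upstream template author's address; auto-fix commits made in this repository should be attributed to a project-owned bot identity (a `noreply.github.com` address, for example) rather than to a third party. The `if:` guards on the fix-pushing steps correctly exclude forks, but a comment noting that `secrets.PAT` is only consulted for same-repository PRs would save the next reader from re-deriving that.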
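Review bot: The `[allowlist] paths` entries are unanchored regular expressions, so `node_modules`, `megalinter-reports` and `.github/linters` (where the `.` matches any character) exclude every path that merely contains those substrings, not only those directories — a file such as `src/node_modules_shim.js` would be skipped without any warning. Anchoring them narrows the exclusion to what the comment intends: `'''^node_modules/'''`, `'''^megalinter-reports/'''`, `'''^\.github/linters/'''`. The same applies to `'''.automation/test'''` and `'''(go.mod|go.sum)$'''`, whose dots should be escaped. Note also that `.github/linters` is excluded outright, so a linter configuration placed there that embeds a token is never scanned; worth a comment stating why that directory is trusted.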
@@ -0,0 +1,155 @@ +# enable/disable checking for application updates on startup +# same as GRYPE_CHECK_FOR_APP_UPDATE env var +# check-for-app-update: true + +# allows users to specify which image source should be used to generate the sbom +# valid values are: registry, docker, podman +# same as GRYPE_DEFAULT_IMAGE_PULL_SOURCE env var +# default-image-pull-source: "" + +# same as --name; set the name of the target being analyzed +# name: "" + +# upon scanning, if a severity is found at or above the given severity then the return code will be 1 +# default is unset which will skip this validation (options: negligible, low, medium, high, critical) +# same as --fail-on ; GRYPE_FAIL_ON_SEVERITY env var +fail-on-severity: "high" + +# the output format of the vulnerability report (options: table, json, cyclonedx) +# same as -o ; GRYPE_OUTPUT env var +# output: "table" + +# suppress all output (except for the vulnerability list) +# same as -q ; GRYPE_QUIET env var +# quiet: false + +# write output report to a file (default is to write to stdout) +# same as --file; GRYPE_FILE env var +# file: "" + +# a list of globs to exclude from scanning, for example: +# exclude: +# - '/etc/**' +# - './out/**/*.json' +# same as --exclude ; GRYPE_EXCLUDE env var +exclude: + - './node_modules/**' + - './.git/**' + - './.github/**' + - './_site/**' + +# os and/or architecture to use when referencing container images (e.g. 
"windows/armv6" or "arm64") +# same as --platform; GRYPE_PLATFORM env var +# platform: "" + +# If using SBOM input, automatically generate CPEs when packages have none +# add-cpes-if-none: false + +# Explicitly specify a linux distribution to use as : like alpine:3.10 +# distro: + +# external-sources: +# enable: false +# maven: +# search-upstream-by-sha1: true +# base-url: https://search.maven.org/solrsearch/select + +# db: + # check for database updates on execution + # same as GRYPE_DB_AUTO_UPDATE env var + # auto-update: true + + # location to write the vulnerability database cache + # same as GRYPE_DB_CACHE_DIR env var + # cache-dir: "$XDG_CACHE_HOME/grype/db" + + # URL of the vulnerability database + # same as GRYPE_DB_UPDATE_URL env var + # update-url: "https://toolbox-data.anchore.io/grype/databases/listing.json" + + # it ensures db build is no older than the max-allowed-built-age + # set to false to disable check + # validate-age: true + + # Max allowed age for vulnerability database, + # age being the time since it was built + # Default max age is 120h (or five days) + # max-allowed-built-age: "120h" + +# search: + # the search space to look for packages (options: all-layers, squashed) + # same as -s ; GRYPE_SEARCH_SCOPE env var + # scope: "squashed" + + # search within archives that do contain a file index to search against (zip) + # note: for now this only applies to the java package cataloger + # same as GRYPE_PACKAGE_SEARCH_INDEXED_ARCHIVES env var + # indexed-archives: true + + # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc) + # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed + # note: for now this only applies to the java package cataloger + # same as GRYPE_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var + # unindexed-archives: false + +# options when pulling directly from a registry via the "registry:" scheme +# registry: + # skip TLS 
verification when communicating with the registry + # same as GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY env var + # insecure-skip-tls-verify: false + # use http instead of https when connecting to the registry + # same as GRYPE_REGISTRY_INSECURE_USE_HTTP env var + # insecure-use-http: false + + # credentials for specific registries + # auth: + # - # the URL to the registry (e.g. "docker.io", "localhost:5000", etc.) + # same as GRYPE_REGISTRY_AUTH_AUTHORITY env var + # authority: "" + # same as GRYPE_REGISTRY_AUTH_USERNAME env var + # username: "" + # same as GRYPE_REGISTRY_AUTH_PASSWORD env var + # password: "" + # note: token and username/password are mutually exclusive + # same as GRYPE_REGISTRY_AUTH_TOKEN env var + # token: "" + # - ... # note, more credentials can be provided via config file only + +# log: + # use structured logging + # same as GRYPE_LOG_STRUCTURED env var + # structured: false + + # the log level; note: detailed logging suppress the ETUI + # same as GRYPE_LOG_LEVEL env var + # Uses logrus logging levels: https://github.com/sirupsen/logrus#level-logging + # level: "error" + + # location to write the log file (default is not to have a log file) + # same as GRYPE_LOG_FILE env var + # file: "" + +# match: + # sets the matchers below to use cpes when trying to find + # vulnerability matches. The stock matcher is the default + # when no primary matcher can be identified + # java: + # using-cpes: true + # python: + # using-cpes: true + # javascript: + # using-cpes: true + # ruby: + # using-cpes: true + # dotnet: + # using-cpes: true + # golang: + # using-cpes: true + # stock: + # using-cpes: true + +ignore: + + # Ignored by default; disputed and unwarranted CVE that causes Megalinter to fail + # @link https://nvd.nist.gov/vuln/detail/CVE-2018-20225 + - vulnerability: CVE-2018-20225 diff --git a/.markdown-link-check.json b/.markdown-link-check.json new file mode 100644 index 00000000..a7b4c243 --- /dev/null +++ b/.markdown-link-check.json 
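Review bot: The `ignore` entry for CVE-2018-20225 suppresses that ID for every package grype matches it against, while the rationale given ("disputed and unwarranted", per the linked NVD entry, which concerns pip) is package-specific; scoping it with `package: {name: pip}` (grype accepts `name`, `version`, `type` and `location` under `package`) keeps the suppression as narrow as its justification. Grype ignore rules have no expiry, so recording who accepted the risk and when in the comment would also help a later reviewer decide whether it still applies. Separately, `exclude: ['./node_modules/**']` removes the installed dependency tree from the scan; if the repository carries a lock file grype still catalogues packages from it, but if it does not, JavaScript dependencies are not scanned at all — worth confirming which case applies and noting it next to the exclude.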
@@ -0,0 +1,10 @@ +{ + "retryOn429": true, + "retryCount": 5, + "aliveStatusCodes": [200, 203], + "ignorePatterns": [ + { + "pattern": "^https?://github.com/ccsq-cqp/" + } + ] +} diff --git a/.markdownlint.yaml b/.markdownlint.yaml new file mode 100644 index 00000000..456a141d --- /dev/null +++ b/.markdownlint.yaml @@ -0,0 +1,27 @@ +--- +blanks-around-fences: false +blanks-around-headings: false +blanks-around-lists: false +code-fence-style: false +emphasis-style: false +heading-start-left: false +hr-style: false +list-indent: false +list-marker-space: false +no-blanks-blockquote: false +no-hard-tabs: false +no-missing-space-atx: false +no-missing-space-closed-atx: false +no-multiple-blanks: false +no-multiple-space-atx: false +no-multiple-space-blockquote: false +no-multiple-space-closed-atx: false +no-trailing-spaces: false +ol-prefix: false +strong-style: false +ul-indent: false + +MD013: + line_length: 999 + heading_line_length: 999 + code_block_line_length: 999 diff --git a/.mega-linter.yml b/.mega-linter.yml new file mode 100644 index 00000000..593ea1f9 --- /dev/null +++ b/.mega-linter.yml 
@@ -0,0 +1,52 @@ +--- +# don't test the reports Mega-Linter created, docs, or test files +ADDITIONAL_EXCLUDED_DIRECTORIES: + [report, megalinter-reports, docs, node_modules,_site] + +# don't lint test files or documentation +FILTER_REGEX_EXCLUDE: (.venv/|/test/|\.test\.|_test\.|/docs/|/index.html|.github/.*\.html) + +# don't scan files listed in .gitignore (e.g., node_modules) +IGNORE_GITIGNORED_FILES: true + +# Disable devskim as it's reporting an error with no log message +DISABLE_LINTERS: + [ + REPOSITORY_DEVSKIM, + SPELL_MISSPELL, + SPELL_CSPELL, + SPELL_PROSELINT, + COPYPASTE_JSCPD, + BASH_EXEC, + ] + +# only scan new / updated files, not everything +VALIDATE_ALL_CODEBASE: true + +# don't print the alpaca -- it's cute, but we don't need it in the logs +PRINT_ALPACA: false + +# write a SARIF file +SARIF_REPORTER: true + +# don't fail on finding (yet) +DISABLE_ERRORS: true + +# use prettier for JavaScript code formatting +JAVASCRIPT_DEFAULT_STYLE: prettier + +# only scan the files in This commit, not the entire history of the repo +REPOSITORY_GITLEAKS_ARGUMENTS: --no-git + +# don't lint the generated code in the docs/ directory +REPOSITORY_DEVSKIM_ARGUMENTS: "--skip-git-ignored-files" + +# shfmt will.. +# - use multiples of 2 spaces for indenting +# - alllow binary operations to start new lines +# - indent switch case statements +# - place spaces around redirections +# - keep column alignment padding +BASH_SHFMT_ARGUMENTS: -i 2 -bn -ci -sr -kp + +REPOSITORY_TRUFFLEHOG_ARGUMENTS: "--exclude-paths=.trufflehogignore" diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..471fe145 --- /dev/null +++ b/.pre-commit-config.yaml 
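Review bot: `DISABLE_ERRORS: true` is global, so it also turns the secret scanners (gitleaks, trufflehog) and grype's `fail-on-severity: "high"` from `.grype.yaml` into advisory output — a leaked credential or a high-severity dependency CVE would not fail the check. MegaLinter supports per-linter overrides, so the stated intent of "don't fail on finding (yet)" can be kept for style linters while security findings stay blocking: `REPOSITORY_GITLEAKS_DISABLE_ERRORS: false`, `REPOSITORY_TRUFFLEHOG_DISABLE_ERRORS: false`, `REPOSITORY_GRYPE_DISABLE_ERRORS: false`. Two comments also contradict their values: `VALIDATE_ALL_CODEBASE: true` is annotated "only scan new / updated files, not everything", and `--no-git` is described as scanning "this commit" when it makes gitleaks scan the working tree only, so secrets committed earlier and since deleted are not found. Either the comments or the values should change so the next reader is not misled about what is actually scanned.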
@@ -0,0 +1,43 @@ +--- +# pre-commit is a linter runner and GitHub hook manager +# See https://pre-commit.com for more information +# See https://pre-commit.com/hooks.html for more hooks +# Run `pre-commit autoupdate` now and then, why don't ya? + +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: c4a0b883114b00d8d76b479c820ce7950211c99b # frozen: v4.5.0 + hooks: + - id: trailing-whitespace + args: [--markdown-linebreak-ext=md] + - id: mixed-line-ending + args: ["--fix=lf"] + - id: end-of-file-fixer + exclude: \.idea$ + - id: check-added-large-files + args: ["--maxkb=2200"] + - id: check-merge-conflict + - id: detect-private-key + - id: check-yaml + files: \.ya?ml$ + - id: check-json + files: \.json$ + - id: check-xml + files: \.xml$ + + # So we allow this hook to pass if there are no creds + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: c4a0b883114b00d8d76b479c820ce7950211c99b # frozen: v4.5.0 + hooks: + - id: detect-aws-credentials + args: [--allow-missing-credentials] + + # Scan for secrets + - repo: https://github.com/zricethezav/gitleaks + rev: e815c559e3ac76227e8e7463cf3a6598b715687b # frozen: v8.18.1 + hooks: + - id: gitleaks-docker + name: Detect hardcoded secrets + description: Detect hardcoded secrets using Gitleaks + language: docker_image + entry: zricethezav/gitleaks:v8.15.0 protect --verbose --redact --staged diff --git a/.trufflehogignore b/.trufflehogignore new file mode 100644 index 00000000..6b8710a7 --- /dev/null +++ b/.trufflehogignore @@ -0,0 +1 @@ +.git diff --git a/.yamllint.yaml b/.yamllint.yaml new file mode 100644 index 00000000..30fb4bae --- /dev/null +++ b/.yamllint.yaml @@ -0,0 +1,10 @@ +--- +extends: default + +ignore-from-file: [".gitignore"] + +rules: + comments: + min-spaces-from-content: 1 + line-length: + max: 999 From 9f6edc9562e35a7b704eaba7d7fead95698e6b6b Mon Sep 17 00:00:00 2001 
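Review bot: The gitleaks hook pins the upstream hook at `rev: e815c559… # frozen: v8.18.1` but then overrides `entry` with the `zricethezav/gitleaks:v8.15.0` image, so the version actually executed is three minor releases behind the frozen rev and is chosen by a mutable tag rather than by commit. Align the two and pin the image by digest: `entry: zricethezav/gitleaks:v8.18.1@sha256:<digest> protect --verbose --redact --staged`. If the override exists only to add `--redact --staged --verbose` and the upstream `gitleaks-docker` hook already carries the same flags at that rev, the `entry` line can be dropped entirely so the frozen rev is the single source of truth. Note that a pre-commit hook is a developer convenience that `--no-verify` bypasses, so the CI-side scan remains the actual control.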
From: Wes Dean Date: Fri, 19 Jul 2024 09:10:39 -0400 Subject: [PATCH 2/6] Don't ingest the MegaLinter reports --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index 939ce5cf..8e263226 100644 --- a/.gitignore +++ b/.gitignore @@ -120,3 +120,6 @@ web_modules/ _site public node_modules + +megalinter-reports +reports From a8b71882847b2235c2030f79772b9c11c834627f Mon Sep 17 00:00:00 2001 From: Wes Dean Date: Fri, 19 Jul 2024 09:13:56 -0400 Subject: [PATCH 3/6] Don't push fixes....yet --- .github/workflows/megalinter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/megalinter.yml b/.github/workflows/megalinter.yml index 3b1bbf63..44662663 100644 --- a/.github/workflows/megalinter.yml +++ b/.github/workflows/megalinter.yml @@ -17,7 +17,7 @@ permissions: env: # Comment env block if you do not want to apply fixes # Apply linter fixes configuration - APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) + APPLY_FIXES: none # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) APPLY_FIXES_EVENT: all # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all) APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) From 9e0b6f16e6758828dbba3208d0193d04a2cc4f13 Mon Sep 17 00:00:00 2001 From: Wes Dean <87149725+wesley-dean-gsa@users.noreply.github.com> Date: Fri, 19 Jul 2024 09:32:47 -0400 Subject: [PATCH 4/6] Update .mega-linter.yml --- .mega-linter.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.mega-linter.yml b/.mega-linter.yml index 593ea1f9..b442c93d 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml 
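Review bot: With `APPLY_FIXES: none` the workflow no longer commits or opens pull requests, but it still declares `contents: write`, `issues: write` and `pull-requests: write` at the top level, `permissions: write-all` on the job, and checks out with `secrets.PAT` — all of which existed only for the fix-pushing steps this change disables. Reducing them in the same change (`permissions: { contents: read, security-events: write }` at the top level, dropping the job-level `write-all`, and checking out with the default `GITHUB_TOKEN`) keeps the token at the privilege the remaining steps need: lint, upload artifact, upload SARIF. They can be restored together with `APPLY_FIXES` when auto-fix is re-enabled. The rest of the workflow is outside this hunk.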
@@ -1,7 +1,12 @@ --- # don't test the reports Mega-Linter created, docs, or test files -ADDITIONAL_EXCLUDED_DIRECTORIES: - [report, megalinter-reports, docs, node_modules,_site] +ADDITIONAL_EXCLUDED_DIRECTORIES: [ + report, + megalinter-reports, + docs, + node_modules, + _site, +] # don't lint test files or documentation FILTER_REGEX_EXCLUDE: (.venv/|/test/|\.test\.|_test\.|/docs/|/index.html|.github/.*\.html) From 1039a3ce0c1788f6c406f69d0bd8632b390d6bc5 Mon Sep 17 00:00:00 2001 From: Wes Dean Date: Mon, 29 Jul 2024 16:32:25 -0400 Subject: [PATCH 5/6] Fix tidy errors, pin actions --- .github/workflows/megalinter.yml | 11 +-- .github/workflows/pa11y.yml | 13 +-- .github/workflows/scorecard.yml | 18 ++-- .github/workflows/test.yml | 15 ++-- .grype.yaml | 143 +------------------------------ .markdown-link-check.json | 2 +- 6 files changed, 35 insertions(+), 167 deletions(-) diff --git a/.github/workflows/megalinter.yml b/.github/workflows/megalinter.yml index 44662663..879b8f93 100644 --- a/.github/workflows/megalinter.yml +++ b/.github/workflows/megalinter.yml @@ -9,6 +9,7 @@ on: - main workflow_dispatch: + permissions: contents: write issues: write @@ -41,7 +42,7 @@ jobs: # MegaLinter - name: MegaLinter id: ml - uses: oxsecurity/megalinter/flavors/javascript@v7.13.0 + uses: oxsecurity/megalinter/flavors/javascript@bacb5f8674e3730b904ca4d20c8bd477bc51b1a7 # pin@v7.13.0 env: VALIDATE_ALL_CODEBASE: true GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -49,7 +50,7 @@ jobs: # Upload MegaLinter artifacts - name: Archive production artifacts if: always() - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # pin@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3 with: name: MegaLinter reports path: | 
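Review bot: The new `actions/upload-artifact@a8a3f3ad…` SHA is labelled `# pin@v3`, while `scorecard.yml` in this same commit moves the same action to `0b2256b8… # pin@v4.3.4`, so the repository now pins two major versions of one action. If the label is accurate, v3 of the artifact actions is the line GitHub has scheduled for deprecation and its artifacts are not interoperable with v4, so converging on the v4 SHA already used in scorecard.yml (`uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # pin@v4.3.4`) avoids the drift. Whatever version is chosen, the `# pin@` comment should carry the full tag the SHA corresponds to (`vX.Y.Z`, not `v3`) so a reviewer or Dependabot can verify the SHA matches it.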
@@ -60,7 +61,7 @@ jobs: - name: Create Pull Request with applied fixes id: cpr if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) - uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # pin@v5 + uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # pin@v5 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} commit-message: "[MegaLinter] Apply linters automatic fixes" @@ -87,12 +88,12 @@ jobs: - name: Check to see if the SARIF a was generated id: sarif_file_exists - uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # pin@v2 + uses: andstor/file-existence-action@20b4d2e596410855db8f9ca21e96fbe18e12930b # pin@v2 with: files: "megalinter-reports/megalinter-report.sarif" - name: Upload MegaLinter scan results to GitHub Security tab if: steps.sarif_file_exists.outputs.files_exists == 'true' - uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # pin@v2 + uses: github/codeql-action/upload-sarif@3e0e84636c6f5df46a2cb232ae1dd1384713150d # pin@v2 with: sarif_file: "megalinter-reports/megalinter-report.sarif" diff --git a/.github/workflows/pa11y.yml b/.github/workflows/pa11y.yml index 0f86dfeb..a9fc7c46 100644 --- a/.github/workflows/pa11y.yml +++ b/.github/workflows/pa11y.yml @@ -1,16 +1,19 @@ +--- name: Pa11y Testing -on: [pull_request] +# yamllint disable-line rule:truthy +on: [ pull_request ] jobs: build: runs-on: ubuntu-latest - + steps: - - uses: actions/checkout@v3 - + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3 + - name: Use Node - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # pin@v3 with: node-version: '17.x' 
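Review bot: `github/codeql-action/upload-sarif@3e0e8463… # pin@v2` stays on the v2 line here while `scorecard.yml` in the same commit is moved to `afb54ba3… # pin@v3`; both workflows upload SARIF to the same code-scanning dashboard, so they should track one major version, and v2 is the line GitHub has marked for retirement. Changing this line to the v3 SHA already used in scorecard.yml (`uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # pin@v3`) removes the drift. The `andstor/file-existence-action` guard above it works, though the built-in `if: hashFiles('megalinter-reports/megalinter-report.sarif') != ''` does the same job without adding a third-party action to the supply chain.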
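Review bot: `node-version: '17.x'` pins an odd-numbered Node release that reached end-of-life in 2022, so the accessibility tests run on an unpatched runtime; the `checkout@f43a0e5f… # pin@v3` and `setup-node@1a4442ca… # pin@v3` SHAs likewise remain on v3 while `scorecard.yml` in this commit moves checkout to v4. Moving to a maintained LTS line (`node-version: '20.x'`, or `node-version-file: package.json` if that file declares `engines`) and to the v4 SHAs already used elsewhere keeps the pinning work from being undone by stale majors. The `# pin@v3` labels should also state the full tag so the SHA can be checked against it. The job's remaining steps are outside this hunk.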
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 48fe6e47..b1c7577d 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -1,18 +1,22 @@ +--- # This workflow uses actions that are not certified by GitHub. They are provided # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. name: Scorecard supply-chain security + +# yamllint disable-line rule:truthy on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See + branch_protection_rule: # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: '43 7 * * 3' push: - branches: [ "main" ] + branches: + - "main" # Declare default permissions as read only. permissions: read-all @@ -32,12 +36,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4.1.7 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # pin@v2.4.0 with: results_file: results.sarif results_format: sarif @@ -59,7 +63,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # pin@v4.3.4 with: name: SARIF file path: results.sarif 
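Review bot: The reflow of the `on:` block fused the `# To guarantee Maintained check is occasionally updated. See` comment onto the `branch_protection_rule:` line, leaving its continuation (`# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained`) orphaned above `schedule:`, so the comment no longer sits with the trigger it describes. Restore it as two full-line comments between the triggers: `branch_protection_rule:` / `# To guarantee Maintained check is occasionally updated. See` / `# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained` / `schedule:`. The `permissions: read-all` default and `persist-credentials: false` on the checkout in this file are the right pattern and worth copying into the other workflows touched by this commit.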
@@ -67,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # pin@v3 with: sarif_file: results.sarif diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 300f0774..91b72554 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,18 +2,19 @@ name: Build and Test # yamllint disable-line rule:truthy -on: +on: pull_request: + jobs: build: runs-on: ubuntu-latest - + steps: - - uses: actions/checkout@v3 - + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3 + - name: Use Node - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # pin@v3 with: node-version: '17.x' @@ -23,5 +24,5 @@ jobs: - name: Build site run: npm run build - # - name: Run tests - # run: npm run test +# - name: Run tests +# run: npm run test diff --git a/.grype.yaml b/.grype.yaml index 6b7d98fd..3c442f39 100644 --- a/.grype.yaml +++ b/.grype.yaml 
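Review bot: The hunk pins the actions by SHA, but the workflow still declares no `permissions:` block in the lines shown (`on:` through `jobs:`), so the job token inherits the repository-wide default, which may be read-write; the visible steps (checkout, setup-node, `npm run build`) need nothing beyond `contents: read`. Adding top-level `permissions:` / `  contents: read` before `jobs:` matches the read-only default that scorecard.yml sets and is what the Scorecard token-permissions check looks for. As in pa11y.yml, `node-version: '17.x'` is an end-of-life release and the pinned `checkout`/`setup-node` SHAs stay on v3 while scorecard.yml moves to v4 in this same commit; converging on v4 and a maintained Node LTS would be consistent. The job's remaining steps sit outside the hunk.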
@@ -1,153 +1,12 @@ -# enable/disable checking for application updates on startup -# same as GRYPE_CHECK_FOR_APP_UPDATE env var -# check-for-app-update: true - -# allows users to specify which image source should be used to generate the sbom -# valid values are: registry, docker, podman -# same as GRYPE_DEFAULT_IMAGE_PULL_SOURCE env var -# default-image-pull-source: "" - -# same as --name; set the name of the target being analyzed -# name: "" - -# upon scanning, if a severity is found at or above the given severity then the return code will be 1 -# default is unset which will skip this validation (options: negligible, low, medium, high, critical) -# same as --fail-on ; GRYPE_FAIL_ON_SEVERITY env var +--- fail-on-severity: "high" -# the output format of the vulnerability report (options: table, json, cyclonedx) -# same as -o ; GRYPE_OUTPUT env var -# output: "table" - -# suppress all output (except for the vulnerability list) -# same as -q ; GRYPE_QUIET env var -# quiet: false - -# write output report to a file (default is to write to stdout) -# same as --file; GRYPE_FILE env var -# file: "" - -# a list of globs to exclude from scanning, for example: -# exclude: -# - '/etc/**' -# - './out/**/*.json' -# same as --exclude ; GRYPE_EXCLUDE env var exclude: - './node_modules/**' - './.git/**' - './.github/**' - './_site/**' -# os and/or architecture to use when referencing container images (e.g. 
"windows/armv6" or "arm64") -# same as --platform; GRYPE_PLATFORM env var -# platform: "" - -# If using SBOM input, automatically generate CPEs when packages have none -# add-cpes-if-none: false - -# Explicitly specify a linux distribution to use as : like alpine:3.10 -# distro: - -# external-sources: -# enable: false -# maven: -# search-upstream-by-sha1: true -# base-url: https://search.maven.org/solrsearch/select - -# db: - # check for database updates on execution - # same as GRYPE_DB_AUTO_UPDATE env var - # auto-update: true - - # location to write the vulnerability database cache - # same as GRYPE_DB_CACHE_DIR env var - # cache-dir: "$XDG_CACHE_HOME/grype/db" - - # URL of the vulnerability database - # same as GRYPE_DB_UPDATE_URL env var - # update-url: "https://toolbox-data.anchore.io/grype/databases/listing.json" - - # it ensures db build is no older than the max-allowed-built-age - # set to false to disable check - # validate-age: true - - # Max allowed age for vulnerability database, - # age being the time since it was built - # Default max age is 120h (or five days) - # max-allowed-built-age: "120h" - -# search: - # the search space to look for packages (options: all-layers, squashed) - # same as -s ; GRYPE_SEARCH_SCOPE env var - # scope: "squashed" - - # search within archives that do contain a file index to search against (zip) - # note: for now this only applies to the java package cataloger - # same as GRYPE_PACKAGE_SEARCH_INDEXED_ARCHIVES env var - # indexed-archives: true - - # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc) - # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed - # note: for now this only applies to the java package cataloger - # same as GRYPE_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var - # unindexed-archives: false - -# options when pulling directly from a registry via the "registry:" scheme -# registry: - # skip TLS 
verification when communicating with the registry - # same as GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY env var - # insecure-skip-tls-verify: false - # use http instead of https when connecting to the registry - # same as GRYPE_REGISTRY_INSECURE_USE_HTTP env var - # insecure-use-http: false - - # credentials for specific registries - # auth: - # - # the URL to the registry (e.g. "docker.io", "localhost:5000", etc.) - # same as GRYPE_REGISTRY_AUTH_AUTHORITY env var - # authority: "" - # same as GRYPE_REGISTRY_AUTH_USERNAME env var - # username: "" - # same as GRYPE_REGISTRY_AUTH_PASSWORD env var - # password: "" - # note: token and username/password are mutually exclusive - # same as GRYPE_REGISTRY_AUTH_TOKEN env var - # token: "" - # - ... # note, more credentials can be provided via config file only - -# log: - # use structured logging - # same as GRYPE_LOG_STRUCTURED env var - # structured: false - - # the log level; note: detailed logging suppress the ETUI - # same as GRYPE_LOG_LEVEL env var - # Uses logrus logging levels: https://github.com/sirupsen/logrus#level-logging - # level: "error" - - # location to write the log file (default is not to have a log file) - # same as GRYPE_LOG_FILE env var - # file: "" - -# match: - # sets the matchers below to use cpes when trying to find - # vulnerability matches. The stock matcher is the default - # when no primary matcher can be identified - # java: - # using-cpes: true - # python: - # using-cpes: true - # javascript: - # using-cpes: true - # ruby: - # using-cpes: true - # dotnet: - # using-cpes: true - # golang: - # using-cpes: true - # stock: - # using-cpes: true - ignore: # Ignored by default; disputed and unwarranted CVE that causes Megalinter to fail diff --git a/.markdown-link-check.json b/.markdown-link-check.json index a7b4c243..afee61b2 100644 --- a/.markdown-link-check.json +++ b/.markdown-link-check.json 
@@ -4,7 +4,7 @@ "aliveStatusCodes": [200, 203], "ignorePatterns": [ { - "pattern": "^https?://github.com/ccsq-cqp/" + "pattern": "^https?://github.com/" } ] } From 8db3d45381696c69ccb49a93c0b5ff2b2495b55c Mon Sep 17 00:00:00 2001 From: Wes Dean <87149725+wesley-dean-gsa@users.noreply.github.com> Date: Wed, 31 Jul 2024 09:31:38 -0400 Subject: [PATCH 6/6] Update pa11y.yml Fix the Pa11y permissions concern. --- .github/workflows/pa11y.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/pa11y.yml b/.github/workflows/pa11y.yml index a9fc7c46..dbab91ec 100644 --- a/.github/workflows/pa11y.yml +++ b/.github/workflows/pa11y.yml @@ -4,6 +4,15 @@ name: Pa11y Testing # yamllint disable-line rule:truthy on: [ pull_request ] +permissions: + contents: write + issues: write + pull-requests: write + +concurrency: + group: ${{ github.ref }}-${{ github.workflow }} + cancel-in-progress: true + jobs: build: runs-on: ubuntu-latest
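Review bot: Widening `ignorePatterns` from `^https?://github.com/ccsq-cqp/` to `^https?://github.com/` stops checking every GitHub link, which in a repository's own docs is usually the majority of links, so a reference to a renamed file or moved repository will now pass unnoticed. If the motive is rate limiting (the config already sets `retryOn429` and `retryCount: 5`), markdown-link-check's `httpHeaders` option can send an `Authorization` header for `https://github.com` from a token the runner supplies, instead of skipping the host outright. Otherwise narrowing the pattern back to the specific organisation, or to just the link shapes that are known to be noisy, keeps most of the coverage.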
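Review bot: The new `permissions:` block grants `contents: write`, `issues: write` and `pull-requests: write` to a workflow whose visible steps are checkout, setup-node and an accessibility test — none of them writes to the repository, so this raises the token's privilege rather than lowering it. If the "permissions concern" being fixed is the Scorecard token-permissions check, that check wants a read-only top-level block; `permissions:` / `  contents: read` satisfies it and is all the job needs. The block looks copied from megalinter.yml, where the write scopes exist only to push auto-fixes; they have no counterpart here. The `concurrency` addition is fine and unrelated. The job body is outside this hunk.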