diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml index 07b55f3..f936377 100644 --- a/.github/workflows/devskim.yml +++ b/.github/workflows/devskim.yml @@ -21,6 +21,10 @@ jobs: security-events: write actions: read + # checkout@v4 and upload-sarif@v3 use Node.js 20; allow until updated + env: + ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true + steps: - name: Checkout code uses: actions/checkout@v4 @@ -31,7 +35,10 @@ jobs: directory-to-scan: . should-scan-archives: false output-filename: devskim-results.sarif - output-directory: ${{ github.workspace }} + # Use '.' so the entrypoint resolves to /github/workspace/devskim-results.sarif + # inside the container (passing ${{ github.workspace }} causes it to + # prepend /github/workspace to the runner absolute path, creating a bad path) + output-directory: '.' - name: Upload SARIF to Code Scanning uses: github/codeql-action/upload-sarif@v3 diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml new file mode 100644 index 0000000..97e1594 --- /dev/null +++ b/.github/workflows/gitleaks.yml @@ -0,0 +1,36 @@ +name: CG Gitleaks Secret Scan + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + schedule: + - cron: '23 9 * * 5' + workflow_dispatch: + +permissions: + contents: read + +jobs: + gitleaks: + runs-on: ubuntu-latest + + permissions: + contents: read + # Allow the action to annotate pull requests with any findings + pull-requests: write + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + # Full history so Gitleaks can scan every commit for secrets + fetch-depth: 0 + + - name: Run Gitleaks + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # GITLEAKS_LICENSE is only required for GitHub Organization accounts. + # This repository lives under a personal account, so none is needed. 
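Review bot: `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true` is declared at job level, so it lifts the runner's Node-version check for every step in the job rather than only for the two actions the comment names, and nothing in the hunk bounds how long the opt-out stays in place. Quote the value so the YAML parser hands the runner a string rather than a boolean, `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: "true"`, and extend the comment with the removal condition, e.g. `# TODO: drop once actions/checkout and codeql-action/upload-sarif are bumped to majors that no longer need this`. The job's `permissions` block, of which `security-events: write` and `actions: read` are the visible tail, starts outside the hunk.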
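Review bot: `output-directory: '.'` relocates `devskim-results.sarif` to the workspace root on the host, but the `sarif_file` input of the following "Upload SARIF to Code Scanning" step lies outside the hunk, so confirm it now points at `devskim-results.sarif` (or the workspace root) and not at a path built from `${{ github.workspace }}`; a stale path would presumably make the upload step fail rather than upload an empty report. The three-line comment explains the container path mapping well enough; a shorter form such as `# '.' resolves to /github/workspace inside the container; an absolute runner path gets prefixed and breaks` would keep the same fact on one line.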
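Review bot: `uses: gitleaks/gitleaks-action@v2` references a third-party action by a mutable major tag while the step receives `GITHUB_TOKEN` with `pull-requests: write`, so whoever can move that tag can run code with write access to this repository's pull requests; pin it to a full commit SHA and keep the tag as a comment, `uses: gitleaks/gitleaks-action@<full-commit-sha>  # v2` (placeholder: substitute the verified SHA), and treat `actions/checkout@v4` the same way. With `fetch-depth: 0` the scan covers the whole history, so a finding may be a secret committed long ago that still needs rotation even when the current tree is clean; a comment next to the env block saying so would help whoever triages the first alert. On `pull_request` runs from forks the token is read-only regardless of the declared permission, so PR annotation will presumably be skipped there, which is worth stating in the comment above `pull-requests: write`.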
diff --git a/.github/workflows/xanitizer.yml b/.github/workflows/xanitizer.yml
deleted file mode 100644
index d664deb..0000000
--- a/.github/workflows/xanitizer.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-name: CG Xanitizer Security Analysis
-
-on:
- push:
- branches: [ main ]
- pull_request:
- branches: [ main ]
- schedule:
- - cron: '41 8 * * 5'
- workflow_dispatch:
-
-# Minimal repo-wide permissions
-permissions:
- contents: read
-
-jobs:
- xanitizer:
- # If you need Windows, switch to a matrix as shown in step 2 above.
- runs-on: ubuntu-latest
-
- # Give code-scanning write access
- permissions:
- contents: read
- security-events: write
- actions: read
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- # — Java build (uncomment only if you use Java) —
- - name: Setup JDK 11
- uses: actions/setup-java@v4
- with:
- java-version: 11
- distribution: temurin
-
- - name: Compile Java
- if: hashFiles('pom.xml') != '' || hashFiles('build.gradle') != ''
- run: mvn -B compile
-
- # — JavaScript build (uncomment only if you use JS) —
- - name: Install JS deps
- if: hashFiles('package.json') != ''
- run: npm install
-
- - name: Run Xanitizer
- uses: RIGS-IT/xanitizer-action@v1
- with:
- license: ${{ secrets.XANITIZER_LICENSE }}
-
- - name: Archive Xanitizer reports
- uses: actions/upload-artifact@v4
- with:
- name: xanitizer-reports
- path: |
- *-Findings-List.pdf
- *-Findings-List.sarif
-
- - name: Upload SARIF to Code Scanning
- uses: github/codeql-action/upload-sarif@v3
- with:
- # Point to workspace root; upload-sarif finds all *.sarif files there
- sarif_file: ‘.’