Skip to content

Commit

Permalink
update deps
Browse files Browse the repository at this point in the history
  • Loading branch information
@sverdlov93
sverdlov93 committed Jan 18, 2024
1 parent 048645c commit dc81bc4
Show file tree
Hide file tree
Showing 15 changed files with 319 additions and 123 deletions.
52 changes: 32 additions & 20 deletions .github/workflows/analysis.yml
View file
Original file line number Diff line number Diff line change
@@ -1,31 +1,43 @@
name: "Static Analysis"
on: ["push", "pull_request"]
name: Static Code Analysis
on:
push:
branches:
- "**"
tags-ignore:
- "**"
pull_request:
jobs:
Static-Check:
go-analysis:
runs-on: ubuntu-latest
steps:
- name: Checkout Source
uses: actions/checkout@v3
- name: Install Go
uses: actions/setup-go@v3
- uses: actions/checkout@v4

- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: 1.20.x
cache: false

- name: Static Code Analysis
uses: dominikh/staticcheck-action@v1
uses: golangci/golangci-lint-action@v3
with:
install-go: false
args: |
--timeout 5m --out-${NO_FUTURE}format colored-line-number --enable gosec,errcheck,gosimple,govet,ineffassign,staticcheck,typecheck,unused,gocritic,asasalint,asciicheck,errchkjson,exportloopref,forcetypeassert,makezero,nilerr,unparam,unconvert,wastedassign,usestdlibvars
Go-Sec:
bash-analysis:
runs-on: ubuntu-latest
steps:
- name: Checkout Source
uses: actions/checkout@v3
- name: Install Go
uses: actions/setup-go@v3
- uses: actions/checkout@v4

- name: Run ShellCheck
uses: ludeeus/action-shellcheck@master
with:
go-version: 1.20.x
- name: Install gosec
run: curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin
- name: Run gosec
# Temporary ignoring G301,G302,G306
run: gosec -exclude=G204,G301,G302,G304,G306 -exclude-dir=\.*test\.* ./...
ignore_paths: "*test*"

check-spelling:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Check spelling
uses: crate-ci/typos@master
10 changes: 5 additions & 5 deletions .github/workflows/cla.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,16 +14,16 @@ jobs:
id: sign-or-recheck
with:
text: ${{ github.event.comment.body }}
regex: '\s*(I have read the CLA Document and I hereby sign the CLA)|(recheckcla)\s*'
regex: '\s*(I have read the CLA Document and I hereby sign the CLA)|(recheck)\s*'

- name: "CLA Assistant"
if: ${{ steps.sign-or-recheck.outputs.match != '' || github.event_name == 'pull_request_target' }}
# Alpha Release
uses: cla-assistant/github-action@v2.1.1-beta
uses: cla-assistant/github-action@v2.3.0
env:
# Generated and maintained by github
# Generated and maintained by GitHub
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# JFrog organization secret
# JFrog's organization secret
PERSONAL_ACCESS_TOKEN : ${{ secrets.CLA_SIGN_TOKEN }}
with:
path-to-signatures: 'signed_clas.json'
Expand Down
35 changes: 0 additions & 35 deletions .github/workflows/frogbot-fix-go.yml
View file

This file was deleted.

36 changes: 0 additions & 36 deletions .github/workflows/frogbot-scan-pr-go.yml
View file

This file was deleted.

119 changes: 119 additions & 0 deletions .github/workflows/frogbot-scan-pull-request.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
name: "Frogbot Scan Pull Request"
on:
pull_request_target:
types: [ opened, synchronize ]
permissions:
pull-requests: write
contents: read
jobs:
scan-pull-request:
runs-on: ubuntu-latest
# A pull request needs to be approved before Frogbot scans it. Any GitHub user who is associated with the
# "frogbot" GitHub environment can approve the pull request to be scanned.
environment: frogbot
steps:
- uses: jfrog/frogbot@v2
env:
JFROG_CLI_LOG_LEVEL: "DEBUG"
# [Mandatory]
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
JF_URL: ${{ secrets.FROGBOT_URL }}

# [Mandatory if JF_USER and JF_PASSWORD are not provided]
# JFrog access token with 'read' permissions on Xray service
JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }}

# [Mandatory]
# The GitHub token is automatically generated for the job
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# [Optional, default: https://api.github.com]
# API endpoint to GitHub
# JF_GIT_API_ENDPOINT: https://github.example.com

# [Optional]
# By default, the Frogbot workflows download the Frogbot executable as well as other tools
# needed from https://releases.jfrog.io
# If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
# executable to be downloaded from an Artifactory instance, which the machine has access to:
#
# 1. Login to the Artifactory UI, with a user who has admin credentials.
# 2. Create a Remote Repository with the following properties set.
# Under the 'Basic' tab:
# Package Type: Generic
# URL: https://releases.jfrog.io
# Under the 'Advanced' tab:
# Uncheck the 'Store Artifacts Locally' option
# 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
# JF_RELEASES_REPO: ""

# [Optional]
# Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans.
# SMTP server URL including should the relevant port: (Example: smtp.server.com:8080)
JF_SMTP_SERVER: ${{ secrets.JF_SMTP_SERVER }}

# [Mandatory if JF_SMTP_SERVER is set]
# The username required for authenticating with the SMTP server.
JF_SMTP_USER: ${{ secrets.JF_SMTP_USER }}

# [Mandatory if JF_SMTP_SERVER is set]
# The password associated with the username required for authentication with the SMTP server.
JF_SMTP_PASSWORD: ${{ secrets.JF_SMTP_PASSWORD }}

# [Optional]
# List of comma separated email addresses to receive email notifications about secrets
# detected during pull request scanning. The notification is also sent to the email set
# in the committer git profile regardless of whether this variable is set or not.
JF_EMAIL_RECEIVERS: "[email protected]"

##########################################################################
## If your project uses a 'frogbot-config.yml' file, you can define ##
## the following variables inside the file, instead of here. ##
##########################################################################

# [Mandatory if the two conditions below are met]
# 1. The project uses yarn 2, NuGet or .NET Core to download its dependencies
# 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
#
# The command that installs the project dependencies (e.g "nuget restore")
# JF_INSTALL_DEPS_CMD: ""

# [Optional, default: "."]
# Relative path to the root of the project in the Git repository
# JF_WORKING_DIR: path/to/project/dir

# [Optional]
# Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
# JF_WATCHES: <watch-1>,<watch-2>...<watch-n>

# [Optional]
# JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
# JF_PROJECT: <project-key>

# [Optional, default: "FALSE"]
# Displays all existing vulnerabilities, including the ones that were added by the pull request.
# JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"

# [Optional, default: "TRUE"]
# Fails the Frogbot task if any security issue is found.
# JF_FAIL: "FALSE"

# [Optional]
# Frogbot will download the project dependencies if they're not cached locally. To download the
# dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
# need to set this value, if it is set in the frogbot-config.yml file.
# JF_DEPS_REPO: ""

# [Optional, Default: "FALSE"]
# If TRUE, Frogbot creates a single pull request with all the fixes.
# If false, Frogbot creates a separate pull request for each fix.
# JF_GIT_AGGREGATE_FIXES: "FALSE"

# [Optional, Default: "FALSE"]
# Handle vulnerabilities with fix versions only
# JF_FIXABLE_ONLY: "TRUE"

# [Optional]
# Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
# The following values are accepted: Low, Medium, High or Critical
# JF_MIN_SEVERITY: ""
Loading

0 comments on commit dc81bc4

Please sign in to comment.