Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -25,6 +25,22 @@ jobs: | |
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| # Scan the Dockerfile with KICS to check for security issues. | ||
| - name: Docker Scan | ||
| uses: Checkmarx/[email protected] | ||
|
Check warning on line 30 in .github/workflows/validate.yml
|
||
| with: | ||
| path: . | ||
| fail_on: high,medium | ||
| output_path: results | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| # Upload the results of the KICS scan as a build artifact. | ||
| - name: Upload SARIF file | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
|
Check warning on line 40 in .github/workflows/validate.yml
|
||
| with: | ||
| sarif_file: results-dir/results.sarif | ||
|
|
||
| test: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,3 +6,6 @@ | |
| # Environments | ||
| venv/ | ||
| virtualenv/ | ||
|
|
||
| # Security Artifacts | ||
| results.json | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| # Contribution Guide | ||
|
|
||
| Contributions in the form of issues and pull requests are welcome. Please read the following guidelines before contributing. | ||
|
|
||
| ## Pre-commit Hooks | ||
|
|
||
| This project uses [pre-commit](https://pre-commit.com/) to run a series of checks before committing code. To install the pre-commit hooks, run the following command: | ||
|
|
||
| ```bash | ||
| pre-commit install | ||
| ``` | ||
|
|
||
| Run the following command to run the pre-commit hooks on all files: | ||
|
|
||
| ```bash | ||
| pre-commit run --all-files | ||
| ``` | ||
|
|
||
| ## Security Testing | ||
|
|
||
| This project uses [KICS](https://docs.kics.io/latest/getting-started/) to scan for security issues in the infrastructure such as the `Dockerfile`. To run the scan, run the following command: | ||
|
|
||
| ```bash | ||
| docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path -o "/path/" | ||
| ``` | ||
|
|
||
| This will generate a `results.json` file as well as print the contents to the console. Any findings above a `low` severity should be addressed before committing code as they will fail the CI pipeline. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters