diff --git a/.github/workflows/test-fs-action-sarif.yaml b/.github/workflows/test-fs-action-sarif.yaml index ac4ce68..cb46772 100644 --- a/.github/workflows/test-fs-action-sarif.yaml +++ b/.github/workflows/test-fs-action-sarif.yaml @@ -3,31 +3,34 @@ name: Test Orca FS action - Sarif on: workflow_dispatch: +permissions: + contents: read + security-events: write + jobs: fs_scan_job: runs-on: ubuntu-latest permissions: security-events: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 - name: Scan FS id: orcasecurity_fs_scan uses: ./ with: - api_token: - ${{ secrets.ORCA_SECURITY_API_TOKEN }} - project_key: - "default" - path: - "test" - format: - "sarif" - output: - "results/" + api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }} + project_key: "default" + path: "test" + format: "sarif" + output: "results/" console_output: "table" - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@ceaec5c11a131e0d282ff3b6f095917d234caace # ratchet:github/codeql-action/upload-sarif@v2 if: ${{ always() && steps.orcasecurity_fs_scan.outputs.exit_code != 1 }} with: - sarif_file: results/file_system.sarif \ No newline at end of file + sarif_file: results/file_system.sarif + + + + + diff --git a/.github/workflows/test-fs-action.yaml b/.github/workflows/test-fs-action.yaml index 513ee3a..fd0fd80 100644 --- a/.github/workflows/test-fs-action.yaml +++ b/.github/workflows/test-fs-action.yaml 
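Review bot: The job-level `permissions:` block that grants only `security-events: write` replaces the new workflow-level block instead of merging with it, so `fs_scan_job` never receives the `contents: read` added at the top of the file, and the pinned `actions/checkout` step runs with no contents scope, which is likely to fail on a private repository. Either drop the job-level block (the workflow-level one already grants `security-events: write`) or make it complete: `permissions:` / `  contents: read` / `  security-events: write`. The SHA pins with `# ratchet:` trailers in this hunk and in the test-fs-action.yaml hunk are an improvement over floating tags, but a pinned SHA stops receiving upstream fixes unless something refreshes it; confirm that ratchet (or Dependabot's github-actions ecosystem) actually runs against these workflows.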
@@ -3,27 +3,30 @@ name: Test Orca FS action on: workflow_dispatch: +permissions: + contents: read + jobs: fs_scan_job: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 - name: Scan FS uses: ./ with: - api_token: - ${{ secrets.ORCA_SECURITY_API_TOKEN }} - project_key: - "default" - path: - "test" - format: - "json" - output: - "results/" + api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }} + project_key: "default" + path: "test" + format: "json" + output: "results/" console_output: "table" - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # ratchet:actions/upload-artifact@v3 if: always() with: name: orca-results path: results/ + + + + + diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..6e0e2b2 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,20 @@ + +## Reporting a Vulnerability + +At Orca, we take security seriously and appreciate your help in disclosing any vulnerabilities responsibly and privately. + +To report a security issue, please email us at address `disclosure@orca.security` + +--- +**Important:** + + 1. Please **do not** create a Github issue for security vulnerabilities. + 2. Please **do not** disclose the vulnerability publicly until we have addressed it and provided guidance on the disclosure. + 3. Please include the following details in your report: + - Description of the vulnerability + - Steps to reproduce the vulnerability + - Any additional information or context that might be helpful + +--- + +> Submission of reports by any means is subject to Orca's [Vulnerability Disclosure Policy](https://trustcenter.orca.security/?itemUid=ff1626be-71c0-4468-b93c-82fe08aac01f&source=documents_card). Please make sure to read and accept before submitting your report.